Re: netfilter, nat & packet floods?

From: Tuomas Heino (
Date: Wed Nov 29 2000 - 08:21:15 EST

On Tue, 28 Nov 2000, Rusty Russell wrote:

> In message <> you write:
> > Anyone know how to properly filter packet floods using iptables w/ nat?
> You're doing fine, except the connection tracking code marks the `no
> flags' TCP packets as invalid, and the NAT code drops them.

Hmm... drops them when? And does that mean I'd actually need to use the
DROPPED table to -j LOG ... them?

Now as I see it the packets traverse the tables something like this:

rp_filter # conflicts w/ fwmark?
? nat # existing connections "skip" the rules here as they've already
filter # passed them...

... and any of those steps may drop packets, right? Any steps missed?

> Note that filtering packet floods makes no sense unless your bandwidth
> behind the box is < the bandwidth in front.

Well, packet floods tend to flood the connection tracking tables too.
If I want to avoid "crap" from flooding the connection tracking tables,
is there any real difference between using PREROUTING from nat/mangle?
- a) when we wouldn't need the mangle table otherwise,
- b) when mangle table is used to route things like port 80 elsewhere?
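As an added example (not part of this thread), the following Python script shows what one could do with the `-j LOG` output discussed above: it parses kernel LOG-target lines, picks out TCP packets that carry no flags at all (the packets connection tracking marks invalid) and counts them per source. The log lines are constructed samples in the assumed LOG-target layout (KEY=VALUE fields, TCP flags as bare tokens such as SYN or ACK); the prefix `FLOOD` is an assumption.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG-target output, assumed to come from
# `-j LOG --log-prefix "FLOOD "`.  A TCP packet with no flags set shows
# no SYN/ACK/... token between RES= and URGP=.
SAMPLE_LOG = """\
Nov 29 08:21:15 gw kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=6000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Nov 29 08:21:15 gw kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=6001 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Nov 29 08:21:15 gw kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=244 ID=0 PROTO=TCP SPT=6002 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Nov 29 08:21:16 gw kernel: FLOOD IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 LEN=60 TTL=64 ID=31337 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 08:21:16 gw kernel: FLOOD IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 LEN=52 TTL=64 ID=31338 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 29 08:21:16 gw kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=28 TTL=50 ID=1 PROTO=UDP SPT=53 DPT=33434 LEN=8
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus the set of TCP flag tokens."""
    fields = dict(KV.findall(line))
    # Flags are printed as bare words, so look for them among the whitespace tokens.
    fields["flags"] = set(line.split()) & TCP_FLAGS
    return fields


def is_null_tcp(rec):
    """True for a TCP packet with no flags set (what conntrack treats as invalid)."""
    return rec.get("PROTO") == "TCP" and not rec["flags"]


def null_tcp_sources(log_text, threshold=3):
    """Count flag-less TCP packets per SRC and return sources at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:      # skip lines that are not LOG-target output
            continue
        rec = parse_line(line)
        if is_null_tcp(rec):
            counts[rec["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(null_tcp_sources(SAMPLE_LOG))   # {'198.51.100.7': 3}
```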

