On Tue, 28 Nov 2000, Rusty Russell wrote:
> In message <Pine.OSF.email@example.com> you write
> > Anyone know how to properly filter packet floods using iptables w/ nat?
> You're doing fine, except the connection tracking code marks the `no
> flags' TCP packets as invalid, and the NAT code drops them.
Hmm... drops them when? And does that mean I'd actually need to use the
DROPPED table to -j LOG ... them?
Now as I see it the packets traverse the tables something like this:
rp_filter # conflicts w/ fwmark?
? nat # existing connections "skip" the rules here as they've already
filter # passed them...
... and any of those steps may drop packets, right? Any steps missed?
> Note that filtering packet floods makes no sense unless your bandwidth
> behind the box is < the bandwidth in front.
Well packet floods tend to flood the connection tracking tables too.
If I want to avoid "crap" from flooding the connection tracking tables,
is there any real difference between using PREROUTING from nat/mangle?
- a) when we wouldn't need the mangle table otherwise,
- b) when mangle table is used to route things like port 80 elsewhere?
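An added example, not part of the thread: a small script that makes the drop of conntrack-INVALID packets (the `no flags' TCP segments Rusty mentions) explicit and rate-limit logged instead of silent. It assumes the 2.4 netfilter hook ordering in which the mangle PREROUTING hook runs after connection tracking and before the nat table, so a state match there sees the packets before the NAT code discards them; the table, chain and CT_INVALID names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): log, then drop, packets that connection
# tracking has classified as INVALID, before the nat table sees them.
# Assumption: mangle PREROUTING runs after conntrack and before nat (2.4 hook
# priorities), so "-m state --state INVALID" already matches there.

# Emit the rules as text so they can be reviewed before being applied.
# $1 = table (mangle or filter), $2 = chain to hook into (PREROUTING, INPUT, ...)
invalid_rules() {
    table=$1
    chain=$2
    cat <<EOF
iptables -t $table -N CT_INVALID
iptables -t $table -A CT_INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ct-invalid: "
iptables -t $table -A CT_INVALID -j DROP
iptables -t $table -I $chain 1 -m state --state INVALID -j CT_INVALID
EOF
}

# Number of rule lines in a generated ruleset (quick sanity check).
rule_count() {
    invalid_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply a ruleset; needs root and iptables on the box.
apply_invalid_rules() {
    invalid_rules "$1" "$2" | sh
}

# NAT box: catch them in mangle PREROUTING, ahead of the nat table.
# Plain filtering host: use "filter INPUT" instead.
if [ "$1" = "--apply" ]; then
    apply_invalid_rules mangle PREROUTING
fi
```

Run it without arguments (or call `invalid_rules mangle PREROUTING`) to print the rules; the LOG rule is limited so a flood cannot fill the syslog the way it fills the conntrack table.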
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to firstname.lastname@example.org
This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:29 EST