Re: netfilter, nat & packet floods?

From: Tuomas Heino (iheino@cc.hut.fi)
Date: Wed Nov 29 2000 - 08:21:15 EST


On Tue, 28 Nov 2000, Rusty Russell wrote:

> In message <Pine.OSF.4.10.10011262257160.5186-100000@smaragdi.hut.fi> you write:
> > Anyone know how to properly filter packet floods using iptables w/ nat?
>
> You're doing fine, except the connection tracking code marks the `no
> flags' TCP packets as invalid, and the NAT code drops them.

Hmm... drops them when? And does that mean I'd actually need to use the
DROPPED table to -j LOG ... them?

Now as I see it the packets traverse the tables something like this:

rp_filter     # conflicts w/ fwmark?
ip_conntrack
mangle
routing
? nat         # existing connections "skip" the rules here as they've already passed them...
filter

... and any of those steps may drop packets, right? Any steps missed?

> Note that filtering packet floods makes no sense unless your bandwidth
> behind the box is < the bandwidth in front.

Well, packet floods tend to flood the connection tracking tables too.
If I want to avoid "crap" from flooding the connection tracking tables,
is there any real difference between using PREROUTING from nat/mangle?
- a) when we wouldn't need the mangle table otherwise,
- b) when mangle table is used to route things like port 80 elsewhere?

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
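As an added illustration of the question above (not code from either poster), the script below emits an iptables rule set that logs, rate-limited, and then drops conntrack-INVALID packets and "no flags" TCP packets in the mangle PREROUTING chain, which in the traversal order listed in the mail is the first table after ip_conntrack and therefore the first place a -m state match can catch them before nat or filter see them. The external interface name, the log prefix and the helper names are assumptions; the script prints the rules by default so they can be reviewed before a root user applies them.

```shell
#!/bin/sh
# Added example, not part of the thread.  Generates (and optionally applies)
# iptables rules that log and drop packets ip_conntrack has marked INVALID,
# plus TCP packets carrying no flags at all, in mangle PREROUTING, i.e. after
# connection tracking but before the nat and filter tables.
# Assumptions: iptables with the state, tcp, limit matches and the LOG target;
# WAN_IF and LOG_PREFIX are placeholders, override them in the environment.

WAN_IF="${WAN_IF:-eth0}"                     # assumed external interface
LOG_PREFIX="${LOG_PREFIX:-FLOOD-INVALID: }"  # LOG target prefix (<= 29 chars)

# Print the rule set instead of applying it, so it can be inspected or
# unit-tested without touching a live firewall.
gen_rules() {
cat <<EOF
iptables -t mangle -N FLOODLOG
iptables -t mangle -A FLOODLOG -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "$LOG_PREFIX"
iptables -t mangle -A FLOODLOG -j DROP
iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp --tcp-flags ALL NONE -j FLOODLOG
iptables -t mangle -A PREROUTING -i $WAN_IF -m state --state INVALID -j FLOODLOG
EOF
}

# Number of PREROUTING rules that divert traffic into the FLOODLOG chain
# (used as a self-check: both the no-flags and the INVALID rule must be there).
count_floodlog_jumps() {
    gen_rules | grep -c -- '-j FLOODLOG$'
}

# Feed the generated rules to the shell; must run as root on the NAT box.
apply_rules() {
    gen_rules | sh
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to review the rules, or with --apply as root to install them.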



This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:29 EST