Re: netfilter, nat & packet floods?

From: Rusty Russell (rusty@linuxcare.com.au)
Date: Wed Nov 29 2000 - 22:02:47 EST


In message <Pine.OSF.4.10.10011291413570.17011-100000@safiiri.hut.fi> you write
:
> On Tue, 28 Nov 2000, Rusty Russell wrote:
>
> > In message <Pine.OSF.4.10.10011262257160.5186-100000@smaragdi.hut.fi> you w
rite
> > :
> > > Anyone know how to properly filter packet floods using iptables w/ nat?
> >
> > You're doing fine, except the connection tracking code marks the `no
> > flags' TCP packets as invalid, and the NAT code drops them.
>
> Hmm... drops them when? and does that mean I'd actually need to use the
> DROPPED table to -j LOG ... them?

Connection tracking fails to track them, then the NAT code drops them
before traversing the NAT table.

You could drop them in mangle, but there's little point.

> rp_filter # conflicts w/ fwmark?
> ip_conntrack
> mangle
> routing
> ? nat # existing connections "skip" the rules here as they've already
> filter # passed them...
>
> ... and any of those steps may drop packets, right? any steps missed?

NAT occurs before routing, and rp_filter is part of routing.

> > Note that filtering packet floods makes no sense unless your bandwidth
> > behind the box is < the bandwidth in front.
>
> Well packet floods tend to flood the connection tracking tables too.

Sure, it'll start discarding things, but that's OK, as long as it
discards the right ones. Are you having trouble getting real
connections in/out?

> If I want to avoid "crap" from flooding the connection tracking tables,
> is there any real difference between using PREROUTING from nat/mangle?
> - a) when we wouldn't need the mangle table otherwise,
> - b) when mangle table is used to route things like port 80 elsewhere?

mangle is used to alter TOS and fwmark at the moment.

Rusty.

--
Hacking time.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org



This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:29 EST