Thursday, April 04, 2013

Re: iptables and INVALID packet filtering.

Hello,

Daniel Curtis wrote:
>
> I would only ask about iptables (1.4.14-3.1) rule, which is responsible for
> filtering INVALID packets. If I decide to use this rule;
>
>>> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Be aware that INVALID packets here means "packets in the INVALID state
with respect to connection tracking". It has nothing to do with, e.g.,
malformed packets.

> That's an example. By using this rule, iptables will also check tcp and udp
> protocols or should I use something like;

This rule applies to all protocols. That does not mean that connection
tracking can handle correctly all protocols. AFAIK, UDP packets cannot
be in the INVALID state (as there is no real stateful connection in UDP).

> But recently I came across on pretty strange rule also for
> antispoof. This rule, concerns 'nat' table and PREROUTING chain;
>
>>> iptables -t nat -I PREROUTING 1 -i xx -s 192.168.0.0/16 -j DROP
>
> So, what do you think? Using PREROUTING chain is good for
> antispoof or it is better to use rule mentioned above (INPUT chain)?

My opinion is that the chains of the nat table are not intended for, and
should not be used for filtering. They see only the first packet of a
new connection, i.e. in the NEW state, but not the other packets. If you
want to drop packets in a PREROUTING chain, use the mangle table instead.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/515E059E.4080508@plouf.fr.eu.org
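The two points of the reply above, dropping INVALID conntrack state in the filter table and keeping antispoof drops out of the nat table, can be put together in a single ruleset. The script below is an added example, not code from the thread or from Debian; it generates an iptables-restore file rather than calling iptables directly, so it can be inspected before loading. The WAN interface name (eth0, overridable with WAN_IF), the accepted SSH port and the list of spoofable prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits an iptables-restore
# ruleset: antispoof drops live in the mangle table's PREROUTING chain,
# INVALID-state drops live in the filter table's INPUT chain, and nothing
# is ever dropped in the nat table, which only sees the first packet of a
# connection.
WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface name

# Source prefixes that must never arrive on the WAN side (RFC 1918 + loopback).
antispoof_prefixes() {
    printf '%s\n' 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
}

# mangle table: sees every packet, so antispoof drops belong here (or in raw).
mangle_rules() {
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'
    for p in $(antispoof_prefixes); do
        echo "-A PREROUTING -i $WAN_IF -s $p -j DROP"
    done
    echo 'COMMIT'
}

# filter table: INVALID conntrack state is dropped before the stateful accept.
filter_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'  # assumed service
    echo 'COMMIT'
}

# Whole ruleset in iptables-restore format.
ruleset() {
    mangle_rules
    filter_rules
}

# Sanity check: fail (non-zero) if any DROP rule ended up in the nat table.
check_no_nat_filtering() {
    ruleset | awk '/^\*/ {t=$0} t=="*nat" && /-j DROP/ {bad=1} END {exit bad}'
}

# Usage: sh rules.sh --print > rules.v4 && iptables-restore < rules.v4
if [ "${1:-}" = "--print" ]; then ruleset; fi
```

The INVALID rule is placed ahead of the RELATED,ESTABLISHED accept so that packets conntrack cannot associate with any flow (out-of-window TCP segments, ICMP errors for unknown flows) are dropped before they can match anything else. The antispoof rules could equally go in the raw table's PREROUTING chain; either way they see every packet, which a nat chain does not. On a router the kernel's reverse-path filter (net.ipv4.conf.all.rp_filter) is the usual complement to these static prefix drops.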
