Gentoo Forums
[ANSWERED] iptables: Questions regarding the raw table
Forum: Networking & Security
GhostTyper
Tux's lil' helper
Joined: 03 Apr 2004
Posts: 83
Location: Germany; BW

Posted: Sat Sep 29, 2018 3:41 am    Post subject: [ANSWERED] iptables: Questions regarding the raw table

I can read all over the internet that the iptables raw table is only there to specify whether connection tracking should not be applied. However, when a rule's destination in the raw table is -j DROP, for instance, then the packet gets dropped and everything seems to work fine.

I have the following set of questions regarding this topic:
  • Will the connection tracking get confused when I -j DROP a packet in the raw table? One could assume that the kernel checks for the DROP destination only on reaching mangle/PREROUTING, where dropping a packet is, according to "the internet", first allowed, and that the packet would therefore get connection tracked.
  • Would the use of the -j SYNPROXY destination in the raw table work?
  • Would the use of a final destination like -j ACCEPT in the raw table also lead to connection tracking?
  • Will the use of the -j NOTRACK stop the evaluation of the following rules in the raw table?
My aim is to use iptables with the highest possible performance, because I need to set up a Linux router which needs to guard a 10 GbE internet connection. My hope is that dropping a packet in the raw table, without first specifying -j NOTRACK and then dropping the packet at a later stage, will work just fine. I'm aware of the challenge that I can't use connection tracking modules in the raw table. My aim is to use it as a first line of defence with some generic hashlimit, SYNPROXY and DROP rules.

Disclaimer: I also posted this question here: https://serverfault.com/questions/933200/iptables-questions-regarding-the-raw-table.


Last edited by GhostTyper on Sat Sep 29, 2018 8:55 pm; edited 1 time in total
ct85711
Veteran
Joined: 27 Sep 2005
Posts: 1791

Posted: Sat Sep 29, 2018 5:23 am

Generally, the rules operate in a first-come, first-served order in regards to accept/drop, so it goes until it finds the first rule that matches (from top down). Now, from my understanding of the raw table, it is more used to skip the connection tracking.

This site may be able to give you more information and hopefully be clearer.
https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
GhostTyper
Tux's lil' helper
Joined: 03 Apr 2004
Posts: 83
Location: Germany; BW

Posted: Sat Sep 29, 2018 5:42 am

Oh, hello again. :)

Well, this time I googled indeed.

The nearest or "best" explanation I found was this: https://unix.stackexchange.com/questions/243079/netfilter-iptables-why-not-using-the-raw-table

However, this only suggests to me that I can drop packets there. But I don't know whether, for instance, SYNPROXY is working there. And it is quite hard to test this, because if it doesn't work the connection may just be accepted, and it would be hard to distinguish between a working and a non-working SYNPROXY rule, etc.
GhostTyper
Tux's lil' helper
Joined: 03 Apr 2004
Posts: 83
Location: Germany; BW

Posted: Sat Sep 29, 2018 1:05 pm

According to the answer here: https://serverfault.com/questions/933200/iptables-questions-regarding-the-raw-table

My conclusion is:

The raw table can be used as an early defence line against attacks near line rate.

Please answer here or on serverfault if you find any problems with the answers on serverfault. I will start implementing my rules and also start testing them in 2 weeks. I will also keep you updated if I run into any problems regarding those answers.
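An added example, not part of any post in this thread and not the original poster's ruleset: a raw-table "first line of defence" of the shape discussed above, emitted in iptables-restore format so it can be checked with iptables-restore --test before anything is applied. The per-source hashlimit DROP sits in raw/PREROUTING, where the packet has not yet been seen by conntrack (raw runs before the conntrack hook at the same PREROUTING stage, so a DROP there never creates a conntrack entry, while a terminating ACCEPT there only ends raw traversal and the packet still gets tracked). SYNPROXY follows the documented netfilter recipe rather than being placed in raw: the service's SYNs are marked with CT --notrack in raw, the SYNPROXY target itself lives in filter/INPUT matching INVALID,UNTRACKED, and whatever is still INVALID afterwards is dropped. The interface name eth0, port 80 and the rate limits are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example (not the poster's rules): raw-table early drop plus the
# documented SYNPROXY layout, generated as iptables-restore input.
#
#   sh raw_first_line.sh > /tmp/rules.v4
#   iptables-restore --test /tmp/rules.v4   # parse only, commit nothing
#   iptables-restore /tmp/rules.v4
#
# The netfilter SYNPROXY howto additionally expects on the router:
#   sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
#   sysctl -w net.ipv4.tcp_timestamps=1      # needed for --timestamp

WAN_IF="${WAN_IF:-eth0}"            # assumed uplink interface
SVC_PORT="${SVC_PORT:-80}"          # assumed protected TCP service
SYN_RATE="${SYN_RATE:-200/second}"  # assumed per-source SYN ceiling
SYN_BURST="${SYN_BURST:-400}"       # assumed burst allowance

# raw table: evaluated before conntrack looks at the packet, so a DROP here
# costs no conntrack entry. hashlimit keeps its own state and needs no
# connection tracking, which is why it is usable in this table.
raw_table() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Per-source SYN flood ceiling, dropped before conntrack is involved.
-A PREROUTING -i $WAN_IF -p tcp --syn -m hashlimit --hashlimit-above $SYN_RATE --hashlimit-burst $SYN_BURST --hashlimit-mode srcip --hashlimit-name synflood -j DROP
# SYNs for the service stay untracked; SYNPROXY in filter/INPUT picks them up.
-A PREROUTING -i $WAN_IF -p tcp --syn --dport $SVC_PORT -j CT --notrack
COMMIT
EOF
}

# filter table: SYNPROXY answers the untracked SYN with a SYN cookie and only
# opens a conntrack entry toward the real server once the client's ACK proves
# the handshake was genuine. Default policies are placeholders for the example.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SVC_PORT -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Whatever is still INVALID after SYNPROXY is spoofed or out of state.
-A INPUT -i $WAN_IF -p tcp -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

ruleset() {
    raw_table
    filter_table
}

# Count the -A rules that belong to one table of the generated text; a quick
# sanity check for scripts that template this, the real check is --test.
count_rules_in() {
    ruleset | awk -v t="*$1" '
        $0 == t      { on = 1; next }
        /^COMMIT/    { on = 0 }
        on && /^-A/  { n++ }
        END          { print n + 0 }'
}

ruleset
```

Run it once with `iptables-restore --test` on the output; an unsupported match or target (for example a kernel built without xt_SYNPROXY) shows up there as a parse error rather than as a silently accepted connection, which is the hard-to-observe failure mode raised above.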