Mailing List Archive

filtering in mangle table
Hi,
My requirement is before giving the packets to user space
application(even before routing) I need to filter the packets. This
has to be done for all packets irrespective of particular protocol.

so I am using the mangle table with PREROUTING chain to filter as
well as to queue the packets using the DROP, QUEUE targets of
"iptables". But in man pages it is specified that the filter rules
should not be added into mangle table.

Are there any issues if I proceed with that?

Ganesan
Re: filtering in mangle table
On Fri, 2007-07-27 at 15:32 +0530, Ganesan Natarajan wrote:
> Hi,
> My requirement is before giving the packets to user space
> application(even before routing) I need to filter the packets. This
> has to be done for all packets irrespective of particular protocol.
>
> so I am using the mangle table with PREROUTING chain to filter as
> well as to queue the packets using the DROP, QUEUE targets of
> "iptables". But in man pages it is specified that the filter rules
> should not be added into mangle table.
>
> Are there any issues if I proceed with that?
>
> Ganesan
>
We have been doing something very similar in the open source ISCS
network security management project (http://iscs.sourceforge.net).
Although the bulk of the tens of thousands of access control rules we
create for complex internal and micro-perimeter security are added to
our filter table, we handle malicious packet checks (spoofs, ping
floods, malformed packets, etc.) in the mangle table. Seems to be
working fine for us! - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
Re: filtering in mangle table
Hello,

Ganesan Natarajan wrote:
> My requirement is before giving the packets to user space
> application(even before routing) I need to filter the packets.

Why even before routing? (Yes, I'm curious)

> so I am using the the mangle table with PREROUTING chain to filter as
> well as to queue the packets using the DROP, QUEUE targets of
> "iptables". But in man pages it is specified that the filter rules
> should not be added into mangle table.

Built-in targets such as DROP and QUEUE can be used in any table and
chain. But target extensions may have limitations. For example the
REJECT target can be used only in the filter table, so it cannot be used
in the mangle table. Also, filtering in the nat table is not recommended
because the nat table does not see all packets but only packets in the
NEW state which are the first packet of a connection.
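To make the two points of this thread concrete (early filtering plus queueing in mangle/PREROUTING from the question, and the table/target caveats from the last reply), here is an added example that is not from any of the posters or the ISCS project. It prints an iptables-restore fragment for the mangle table and provides a small lint function that encodes the caveats: built-in targets are allowed in any table, REJECT only in filter, and the nat table is refused for per-packet filtering because it sees only the first packet of a connection. The interface name, the LAN prefix, the queue number and the use of NFQUEUE (the newer replacement for the QUEUE target) are my own choices, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Constructed placeholders: adjust for your own network.
WAN_IF="eth0"
LAN_NET="192.168.1.0/24"

# Print an iptables-restore fragment that drops obviously bad packets in
# mangle/PREROUTING (before routing, for every protocol) and hands the rest
# to a user-space application via NFQUEUE. DROP and NFQUEUE are both usable
# in the mangle table; this would not work with REJECT (filter only).
mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# spoofed source: packets claiming our LAN prefix but arriving on the WAN side
-A PREROUTING -i ${WAN_IF} -s ${LAN_NET} -j DROP
# malformed TCP: no flags at all, or SYN and FIN set together
-A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
-A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# everything that survives goes to user space (queue 0) before routing
-A PREROUTING -j NFQUEUE --queue-num 0
COMMIT
EOF
}

# rule_ok TABLE TARGET
# Returns 0 when the table/target combination follows the caveats in the
# thread, 1 otherwise. Unknown targets are refused rather than guessed at.
rule_ok() {
    table="$1"
    target="$2"
    case "$target" in
        DROP|ACCEPT|RETURN|QUEUE|NFQUEUE) ;;            # built-in / any table
        REJECT) [ "$table" = "filter" ] || return 1 ;;  # extension: filter only
        *) return 1 ;;
    esac
    # nat only sees the first packet of each connection (conntrack NEW),
    # so it is the wrong place for filtering that must see every packet.
    [ "$table" != "nat" ] || return 1
    return 0
}

# Stand-alone use: print the fragment, which can be fed to
# "iptables-restore -n" on a test machine.
mangle_rules
```

The lint is deliberately conservative: it only knows the targets the thread discusses, so anything else is rejected and the caller has to look it up. The generated fragment loads with `iptables-restore -n`, which leaves the other tables untouched.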