
iptables: Questions regarding the raw table

asked 2018-09-29 05:24:18 -0500


Hi Guys,

Recently I have been facing a crazy problem. I can read all over the internet that the iptables raw table is only there to specify whether connection tracking should not be applied. However, when a rule's destination in the raw table is -j DROP, for instance, the packet gets dropped and everything seems to work fine.

I have the following set of questions regarding this topic:

  • Will the connection tracking get confused when I -j DROP a packet in the raw table? One could assume that the kernel checks for the DROP destination first, when reaching mangle/PREROUTING, where dropping a packet is, according to "the internet", allowed first, and therefore it would get connection tracked.
  • Would the use of the -j SYNPROXY destination in the raw table work?
  • Would the use of a final destination like -j ACCEPT in the raw table also lead to connection tracking?
  • Will the use of the -j NOTRACK stop the evaluation of the following rules in the raw table?

My aim is to use iptables with the highest possible performance, because I need to set up a Linux router which needs to guard a 10 GbE internet connection. My hope is that dropping a packet in the raw table, without first specifying -j NOTRACK and then dropping the packet at a later stage, will work just fine. I'm aware of the problem that I can't use connection tracking modules in the raw table. My aim is to use it as a first line of defense with some generic hashlimit, SYNPROXY and DROP rules.

Thanks & Regards

Camillelola


1 Answer


answered 2018-09-29 11:12:20 -0500


updated 2018-09-29 14:11:52 -0500

IMO most of your rules belong in the filter table.

With that said, you can use filtering rules, including the -j FOO, in the raw table to reduce CPU cycles.

There is a very nice discussion on using the raw table, with cautions and examples, [here].

If you need assistance with your rules, please pastebin all your rules for analysis; otherwise we really cannot determine the problem.

In addition, consider using REJECT rather than DROP. DROP is no more secure. See [drop vs reject] for a discussion.

(http://www.chiark.greenend.org.uk/~pe...)

(https://unix.stackexchange.com/questi...)

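As an added example (not rules from the question or the answer, and not a Fedora-supplied ruleset), here is the split the answer recommends: most of the policy lives in the filter table, and the raw table carries only cheap rules that do not depend on connection state (early DROPs, a hashlimit on SYNs, and a NOTRACK for a stateless flow). The script emits an iptables-restore ruleset so it can be reviewed without root, and it refuses to load a raw table that contains a conntrack match, which is the caveat the question itself raises. The WAN interface eth0, the LAN prefix 192.0.2.0/24, the tcp/80 service, the udp/53 resolver and the 200/sec SYN rate are hypothetical values chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's or the answerer's rules.
# Generates an iptables-restore ruleset in which the raw table carries only
# cheap, conntrack-independent rules (early DROPs, a hashlimit, a NOTRACK)
# and the stateful policy lives in the filter table.
# Hypothetical assumptions: WAN interface eth0, LAN 192.0.2.0/24 (a
# documentation prefix), a web server on tcp/80, a local resolver on udp/53.

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
SYN_RATE="${SYN_RATE:-200/sec}"

# Emit the ruleset text. Nothing is applied here, so it can be generated and
# reviewed without root.
build_ruleset() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets dropped here never reach conntrack; that is where the saving is.
# Only matches that do not depend on connection state may be used here.
-A PREROUTING -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A PREROUTING -i $WAN_IF -s $LAN_NET -j DROP
# Per-source SYN rate limit, applied before a conntrack entry is allocated.
-A PREROUTING -i $WAN_IF -p tcp --syn -m hashlimit --hashlimit-mode srcip --hashlimit-above $SYN_RATE --hashlimit-name syn_per_src -j DROP
# Stateless resolver traffic: do not track queries or their answers.
# These flows show up in the filter table with --ctstate UNTRACKED.
-A PREROUTING -p udp --dport 53 -j CT --notrack
-A OUTPUT -p udp --sport 53 -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -i $WAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the lines of one table (raw or filter) from the generated text.
table_section() {
  build_ruleset | awk -v t="*$1" '$0 == t {p = 1; next} /^(\*|COMMIT)/ {p = 0} p'
}

# The raw table is traversed before conntrack, so a -m conntrack match in it
# can never see state; this check catches that mistake before loading.
raw_table_is_stateless() {
  ! table_section raw | grep -q -- '-m conntrack'
}

# Count rule (-A) lines in a table, ignoring comments and chain declarations.
rule_count() {
  table_section "$1" | grep -c -- '^-A'
}

# Validate with iptables-restore --test, then load atomically. Needs root.
apply_ruleset() {
  raw_table_is_stateless || { echo "refusing: conntrack match in raw table" >&2; return 1; }
  build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

case "${1:-}" in
  apply) apply_ruleset ;;
  show)  build_ruleset ;;
esac
```

`sh rules.sh show` prints the ruleset for review; `sh rules.sh apply` validates it with `iptables-restore --test` and then loads it in one atomic step. Everything in the raw table here is a stateless match, so it is evaluated before a conntrack entry is allocated; the untracked DNS flows are then admitted explicitly in the filter table via `--ctstate UNTRACKED`, since the usual ESTABLISHED,RELATED rule will never match them.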
