Questions on State and RAW Tables -- EARLY DROP ON RAW SAVE CONNTRACKS EFFORTS? --
Clist
clist at uah.es
Tue Mar 15 13:12:33 CET 2005
Hello!
Does dropping connections in the RAW table prevent the connections from being tracked? Or
maybe you have to send those packets to the NOTRACK target and later drop them
in the raw or filter tables...
I usually catch intruders in the filter table on not-allowed destinations and
remember them in ipt_recent lists, in order to drop subsequent packets early
in the raw table and save the connection-tracking work for those IPs.
Is that right?
On RAW table
# EARLY DROP: a source already in the OUTSIDERS list (seen within the last 60 s)
# is dropped here, and --update refreshes its timestamp on every hit
iptables -t raw -A PREROUTING -i eth0 -m recent --update --seconds 60 --name OUTSIDERS -j DROP
..
..
..
# On FILTER table
# FIRST MATCH
...
...
# Chain for matching currently allowed network destinations...
-A ALLOWED_NETWORKS -d <allowed> -j ACCEPT
..
..
# Drop not-allowed destinations and remember the source for 1 minute
-A ALLOWED_NETWORKS -m recent --set --name OUTSIDERS -j DROP
I think dropping in the RAW table should prevent packets from being tracked by ct,
but I'm not sure.
Any ideas about this?
..Clist
--
-------------------------------------------------
Clister UAH
-------------------------------------------------
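The scheme in the post, as an added simulation written for this archive page (it is not code from the original message or from the netfilter project): a small model of one ipt_recent list and of the hook order netfilter uses in PREROUTING (raw at priority -300, conntrack at -200, then filter), walked over a constructed packet trace. It goes slightly beyond the post by running the raw rule with both --update (as posted) and --rcheck, so the difference in how long a source stays blocked is visible. The addresses, the ALLOWED_NETWORKS destination and the timing of the trace are all assumptions made up for the example; the list semantics are a model, not the kernel code.

```python
"""Model of the early-drop scheme: a raw-table rule drops sources already in
an ipt_recent list before conntrack runs, and a filter rule records sources
that hit disallowed destinations. Added simulation; the packet trace and
addresses below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WINDOW = 60  # --seconds 60 in the posted raw-table rule


@dataclass
class RecentList:
    """Minimal model of one ipt_recent list (shared by name across tables):
    source address -> time the entry was last touched."""
    name: str
    last_seen: Dict[str, float] = field(default_factory=dict)

    def set(self, src: str, now: float) -> bool:
        """--set: add the source or refresh its timestamp; always matches."""
        self.last_seen[src] = now
        return True

    def rcheck(self, src: str, now: float, seconds: float) -> bool:
        """--rcheck --seconds N: match if the source was touched within N s."""
        t = self.last_seen.get(src)
        return t is not None and now - t <= seconds

    def update(self, src: str, now: float, seconds: float) -> bool:
        """--update --seconds N: like --rcheck, but a hit also refreshes the
        timestamp, so a source that keeps sending never ages out."""
        if self.rcheck(src, now, seconds):
            self.last_seen[src] = now
            return True
        return False


@dataclass
class Packet:
    t: float  # arrival time in seconds
    src: str
    dst: str


def run_firewall(packets: List[Packet], allowed: Set[str],
                 raw_mode: str = "update") -> Tuple[List[Tuple[float, str, str]], int]:
    """Walk packets through the hooks in netfilter order: raw PREROUTING
    first, then conntrack, then filter. Returns each packet's verdict with
    the table that decided it, plus how many packets reached conntrack."""
    outsiders = RecentList("OUTSIDERS")
    verdicts: List[Tuple[float, str, str]] = []
    reached_conntrack = 0
    for p in packets:
        # raw PREROUTING: -m recent --update/--rcheck --seconds 60 --name OUTSIDERS -j DROP
        if raw_mode == "update":
            hit = outsiders.update(p.src, p.t, WINDOW)
        else:
            hit = outsiders.rcheck(p.src, p.t, WINDOW)
        if hit:
            verdicts.append((p.t, p.src, "DROP in raw"))
            continue  # dropped before the conntrack hook sees it
        reached_conntrack += 1
        # filter ALLOWED_NETWORKS: -d <allowed> -j ACCEPT, otherwise --set and DROP
        if p.dst in allowed:
            verdicts.append((p.t, p.src, "ACCEPT in filter"))
        else:
            outsiders.set(p.src, p.t)
            verdicts.append((p.t, p.src, "DROP in filter"))
    return verdicts, reached_conntrack


# Constructed trace (assumed addresses): one scanner probing every 30 s,
# mostly at a disallowed destination, and one legitimate client.
ALLOWED = {"198.51.100.10"}
TRACE = [Packet(0, "203.0.113.5", "192.0.2.99"),
         Packet(10, "192.0.2.10", "198.51.100.10"),
         Packet(30, "203.0.113.5", "192.0.2.99"),
         Packet(60, "203.0.113.5", "192.0.2.99"),
         Packet(90, "203.0.113.5", "192.0.2.99"),
         Packet(120, "203.0.113.5", "198.51.100.10"),
         Packet(150, "203.0.113.5", "192.0.2.99")]

if __name__ == "__main__":
    for mode in ("update", "rcheck"):
        verdicts, tracked = run_firewall(TRACE, ALLOWED, mode)
        print(f"raw rule with --{mode}: {tracked} packets reached conntrack")
        for t, src, v in verdicts:
            print(f"  t={t:>4.0f}s {src:<13} {v}")
```

With the posted --update rule only the scanner's first packet (and the legitimate client's) reaches conntrack; every later packet from that source, including the one aimed at an allowed destination, is dropped in raw and refreshes the 60 s timer, so the block lasts as long as the scanner keeps sending. With --rcheck the entry is only refreshed by the filter-table --set, so the probe at t=90 falls outside the window, reaches conntrack and the filter again, and is re-recorded there.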