LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-12-2012, 10:12 AM   #1
rey
Member
 
Registered: Sep 2011
Posts: 49

Rep: Reputation: Disabled
iptables POSTROUTING and FORWARD counters


hello
i'm running a firewall/router, everything seems to work fine
with the nat MASQUERADE rules and other INPUT OUTPUT rules

however i have noted that the counters look like these:

table filter
Chain INPUT (policy ACCEPT 31 packets, 1612 bytes)

Chain FORWARD (policy ACCEPT 792K packets, 719M bytes)

Chain OUTPUT (policy ACCEPT 22 packets, 2504 bytes)


table nat
Chain POSTROUTING (policy ACCEPT 677 packets, 33892 bytes)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

table mangle
Chain FORWARD (policy ACCEPT 1000K packets, 889M bytes)


i have rules in place to filter INPUT and OUTPUT at the filter table, i want to know if they are being taken in account, given that counters, some of the rules are the good old SYN,ACK drop rules

additionally, please share security considerations for the nat table, i mean if it's enough that MASQUERADE rule alone and the drop rules at the filter table for security

thanks for your help

Last edited by rey; 05-12-2012 at 10:13 AM.
 
Old 05-12-2012, 11:26 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193Reputation: 193
Since you haven't given us much to work with, here are couple suggestions.

1) Remember that iptables compares a packet header against the rules sequentially.
Code:
iptables -A INPUT -p tcp --dport 80 -s x.x.x.x -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
In this case, packets matching the source IP x.x.x.x will never be compared against the second rule, because they are finished being processed at the point of the first rule.

2) Use "watch iptables -t $Table -nvL $Chain" and generate some relevant traffic to watch the packet/byte counters increasing to diagnose what rule is affecting that traffic.

3)
Quote:
additionally, please share security considerations for the nat table, i mean if it's enough that MASQUERADE rule alone and the drop rules at the filter table for security
The nat table isn't really a security thing. Sure there may be more or less secure ways of doing NAT, but no packet filtering takes place in the nat table.
This link has some good descriptions of the purposes of the tables/chains, targets/jumps, and different methods of matching packets.
I also recommend reading the man page, cover to cover, a few times..
And finally, also remember you can run "iptables -m $module --help" for info on additional options for iptables modules.
 
Old 05-12-2012, 04:53 PM   #3
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
yep i always put specific rules first and general rules last


thanks for the link i'll give it a read, i am looking for tips on how to
secure my router, i want to analyze all the traffic with snort and base
and make it the safest possible, i know this behavior obeys the fact that the
routed packets are being routed and forwarded and not coming in and out
the router's kernel, do you have any other links on how to use snort on
the forwarded traffic and i.e. block it with iptables on alerts??

thanks again!
 
Old 05-12-2012, 07:09 PM   #4
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
check this forward rules, the last one has captured a few counts

Code:
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j add_recent
the add_recent chain uses the 'recent' extension to log that addresses,
i wonder why google gets logged there specially for INVALID packets

those are the sort of rules i'm looking for, not so common ones, aimed
to tighten the firewall
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables postrouting SNAT not working - what am I doing wrong? web_janitor Linux - Networking 19 03-18-2024 12:01 PM
Can't zero-out counters in iptables didooofidooo Linux - Security 5 02-25-2010 02:51 PM
iptables --list does not show pre or postrouting rules thllgo Linux - Software 2 01-28-2010 10:25 AM
iptables counters? matthewa Linux - Security 1 09-27-2005 11:07 PM
Iptables postrouting question phatboyz Linux - Networking 8 01-31-2005 01:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration