LinuxQuestions.org
Old 05-12-2012, 10:12 AM   #1
rey
Member
 
Registered: Sep 2011
Posts: 49

Rep: Reputation: Disabled
iptables POSTROUTING and FORWARD counters


hello
i'm running a firewall/router, everything seems to work fine
with the nat MASQUERADE rules and other INPUT OUTPUT rules

however i have noted that the counters look like these:

table filter
Chain INPUT (policy ACCEPT 31 packets, 1612 bytes)

Chain FORWARD (policy ACCEPT 792K packets, 719M bytes)

Chain OUTPUT (policy ACCEPT 22 packets, 2504 bytes)


table nat
Chain POSTROUTING (policy ACCEPT 677 packets, 33892 bytes)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

table mangle
Chain FORWARD (policy ACCEPT 1000K packets, 889M bytes)


i have rules in place to filter INPUT and OUTPUT at the filter table, i want to know if they are being taken into account, given those counters; some of the rules are the good old SYN,ACK drop rules

additionally, please share security considerations for the nat table, i mean if it's enough that MASQUERADE rule alone and the drop rules at the filter table for security

thanks for your help

Last edited by rey; 05-12-2012 at 10:13 AM.
 
Old 05-12-2012, 11:26 AM   #2
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193
Since you haven't given us much to work with, here are a couple of suggestions.

1) Remember that iptables compares a packet header against the rules sequentially.
Code:
iptables -A INPUT -p tcp --dport 80 -s x.x.x.x -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
In this case, packets matching the source IP x.x.x.x will never be compared against the second rule, because they are finished being processed at the point of the first rule.

2) Use "watch iptables -t $Table -nvL $Chain" and generate some relevant traffic to watch the packet/byte counters increasing to diagnose what rule is affecting that traffic.

3)
Quote:
additionally, please share security considerations for the nat table, i mean if it's enough that MASQUERADE rule alone and the drop rules at the filter table for security
The nat table isn't really a security thing. Sure there may be more or less secure ways of doing NAT, but no packet filtering takes place in the nat table.
This link has some good descriptions of the purposes of the tables/chains, targets/jumps, and different methods of matching packets.
I also recommend reading the man page, cover to cover, a few times..
And finally, also remember you can run "iptables -m $module --help" for info on additional options for iptables modules.
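
An added example, not part of the original posts: the counter check from suggestion 2 run over a saved ruleset instead of a live `watch`, to show that a chain's policy counter only counts packets that matched no rule. The sample ruleset, the function names and the rule set itself are constructed for illustration; only the `iptables-save -c` line format is real.

```shell
#!/bin/sh
# Constructed sample in `iptables-save -c` format (not the poster's real ruleset).
# ":CHAIN POLICY [pkts:bytes]" is the policy counter; "[pkts:bytes] -A ..." is a rule.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [31:1612]
:FORWARD ACCEPT [792000:719000000]
:OUTPUT ACCEPT [22:2504]
[0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
[410:52000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --dport 25 -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [677:33892]
[812:48720] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# One line per chain: table chain policy policy_pkts rules rule_pkts idle_rules
chain_summary() {
  awk '
    /^\*/ { table = substr($1, 2); next }
    /^:/  { key = table " " substr($1, 2); order[++n] = key
            pol[key] = $2; c = $3; gsub(/\[|\]/, "", c); split(c, a, ":")
            polpk[key] = a[1]; next }
    /^\[/ { key = table " " $3; c = $1; gsub(/\[|\]/, "", c); split(c, a, ":")
            rules[key]++; rulepk[key] += a[1]
            if (a[1] + 0 == 0) idle[key]++ }
    END   { for (i = 1; i <= n; i++) { k = order[i]
              printf "%s %s %d %d %d %d\n", k, pol[k], polpk[k],
                     rules[k], rulepk[k], idle[k] } }
  '
}

# filter-table chains that pass traffic on an ACCEPT policy with no rule at all
unfiltered_chains() {
  chain_summary | awk '$1 == "filter" && $3 == "ACCEPT" && $4 > 0 && $5 == 0 { print $1 "/" $2 }'
}

sample_ruleset | chain_summary
echo "unfiltered: $(sample_ruleset | unfiltered_chains)"
```

On a live router the same functions read `iptables-save -c` (run as root) in place of `sample_ruleset`; a large policy count on a filter chain with no rules means that traffic is passing without being evaluated.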
 
Old 05-12-2012, 04:53 PM   #3
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
yep i always put specific rules first and general rules last


thanks for the link i'll give it a read, i am looking for tips on how to
secure my router, i want to analyze all the traffic with snort and base
and make it the safest possible, i know this behavior obeys the fact that the
routed packets are being routed and forwarded and not coming in and out
the router's kernel, do you have any other links on how to use snort on
the forwarded traffic and i.e. block it with iptables on alerts??

thanks again!
 
Old 05-12-2012, 07:09 PM   #4
rey
Member
 
Registered: Sep 2011
Posts: 49

Original Poster
Rep: Reputation: Disabled
check these forward rules, the last one has captured a few counts

Code:
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j add_recent
the add_recent chain uses the 'recent' extension to log those addresses,
i wonder why google gets logged there especially for INVALID packets

those are the sort of rules i'm looking for, not so common ones, aimed
to tighten the firewall
 
  


All times are GMT -5. The time now is 07:06 PM.
