[opensuse] iptables: is PREROUTING nat before or after PREROUTING filter?
Hi,

I have had fairly enough of certain probes and am planning to completely block all known networks from China as well as from Gaza/.ps. Respective CSV files are available.

The more interesting question is, where do I put the rules as intelligently as possible? I want to block the IPs for INPUT (to the fw host itself) as well as for FORWARD, but simply pushing the rules twice, once into each chain, appears a huge waste of mem to me (those are quite a couple of rules...).

I was thinking of pushing the rules into PREROUTING, but the question is whether PREROUTING filter comes before or after PREROUTING nat, because in PREROUTING nat I already have the forwarding rules for the port NAT.

-S

--
 (o_   Stefan Gofferje    | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167 | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
Stefan Gofferje wrote:
> Hi,
> I have fairly enough of certain probes and am planning to completely block all known networks from China as well as from Gaza/.ps. Respective CSV files are available.
> The more interesting question is, where do I put the rules as intelligently as possible? I want to block the IPs for INPUT (to the fw host itself) as well as for FORWARD, but simply pushing the rules twice, once into each chain, appears a huge waste of mem to me (those are quite a couple of rules...).

Do you need the memory for anything else? :-)

--
Per Jessen, Zürich (3.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/24/2014 09:07 AM, Per Jessen wrote:
> Stefan Gofferje wrote:
>> The more interesting question is, where do I put the rules as intelligently as possible? I want to block the IPs for INPUT (to the fw host itself) as well as for FORWARD, but simply pushing the rules twice, once into each chain, appears a huge waste of mem to me (those are quite a couple of rules...).
> Do you need the memory for anything else? :-)

Well, those are REALLY many rules! We're talking about several hundred networks here! As the fw is running in a VM, I'd like to not waste mem. Besides, I'd also like to find the most elegant solution :).

-S
Stefan Gofferje wrote:
> Well, those are REALLY many rules! We're talking about several hundred networks here! As the fw is running in a VM, I'd like to not waste mem.

Many years ago, the IPv4 network went through a process of aggregation to greatly reduce routing tables. This means networks in China should be under one large group. That's where you should start the process.
On 03/24/2014 02:13 PM, James Knott wrote:
> Stefan Gofferje wrote:
>> Well, those are REALLY many rules! We're talking about several hundred networks here! As the fw is running in a VM, I'd like to not waste mem.
> Many years ago, the IPv4 network went through a process of aggregation to greatly reduce routing tables. This means networks in China should be under one large group. That's where you should start the process.

Guys, the question was which chain comes first in the packet path!

And I get the data among others from here: http://www.okean.com/thegoods.html

-S
On Mon, Mar 24, 2014 at 4:46 PM, Stefan Gofferje wrote:
> On 03/24/2014 02:13 PM, James Knott wrote:
>> Stefan Gofferje wrote:
>>> Well, those are REALLY many rules! We're talking about several hundred networks here! As the fw is running in a VM, I'd like to not waste mem.
>> Many years ago, the IPv4 network went through a process of aggregation to greatly reduce routing tables. This means networks in China should be under one large group. That's where you should start the process.
> Guys, the question was which chain comes first in the packet path!

http://netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3...
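For readers following the thread: the linked HOWTO shows that PREROUTING exists in the raw, mangle and nat tables (traversed in that order), not in the filter table, and that only after the routing decision does a packet reach INPUT or FORWARD. The usual way to avoid storing several hundred DROP rules twice is to put them once into a user-defined chain and jump to that chain from both INPUT and FORWARD. The script below, an added example that is not from any participant in the thread, turns a CSV of networks into an iptables-restore fragment of that shape. The chain name GEOBLOCK, the "network,comment" CSV layout and the sample networks are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore fragment that
# stores the DROP rules once, in a user-defined chain, and references that
# chain from both INPUT and FORWARD. Chain name and CSV layout are assumptions.

BLOCK_CHAIN="GEOBLOCK"

# Constructed sample input in the assumed "network,comment" CSV shape.
# A real per-country list would be fed to gen_rules on stdin instead.
SAMPLE_CSV='198.51.100.0/24,example net A
# comment line
203.0.113.0/25,example net B
not-a-network,garbage row
203.0.113.128/25,example net C'

# is_cidr NETWORK -> exit 0 if NETWORK looks like a valid IPv4 CIDR, else 1.
is_cidr() {
  case "$1" in
    *[!0-9./]*|"") return 1 ;;
  esac
  addr=${1%/*}; len=${1#*/}
  [ "$addr" != "$1" ] || return 1                 # an explicit /len is required
  [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
  n=0
  oldifs=$IFS; IFS=.
  for o in $addr; do
    n=$((n + 1))
    [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# gen_rules < csv -> iptables-restore text for the filter table on stdout.
# Malformed rows are reported on stderr and skipped rather than loaded.
gen_rules() {
  echo "*filter"
  echo ":$BLOCK_CHAIN - [0:0]"
  echo "-A INPUT -j $BLOCK_CHAIN"
  echo "-A FORWARD -j $BLOCK_CHAIN"
  tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
    net=${line%%,*}
    case "$net" in ''|\#*) continue ;; esac      # blank lines and comments
    if is_cidr "$net"; then
      echo "-A $BLOCK_CHAIN -s $net -j DROP"
    else
      echo "skipped malformed entry: $line" >&2
    fi
  done
  echo "COMMIT"
}

# sample_rules -> the fragment generated from the constructed sample list.
sample_rules() {
  printf '%s\n' "$SAMPLE_CSV" | gen_rules
}

# sample_rule_count -> number of DROP rules in the sample fragment (3 here).
sample_rule_count() {
  sample_rules 2>/dev/null | grep -c -- "-j DROP"
}

# Stand-alone run: print the fragment so it can be inspected before loading.
sample_rules
```

Redirect the output to a file and load it with `iptables-restore --noflush` so the existing nat rules are untouched; the DROP list is then held once in GEOBLOCK and hit from both INPUT and FORWARD. If the list grows to thousands of entries, an ipset of type hash:net matched by a single `-m set --match-set` rule in the same chain keeps the rule count constant regardless of list size.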
participants (4): Andrey Borzenkov, James Knott, Per Jessen, Stefan Gofferje