Linux – iptables: what the difference between filter and mangle

iprouteiptableslinuxrouting

I am using iptables to to mark the package and want to route based on the marks.

First I added the ip rule:

sudo ip rule add fwmark 1 prohibit

(The "prohibit" is just for test, I will change it to some route table later.)

Then I began to mark the packages:

sudo iptables -A OUTPUT -d 192.168.1.0/24 -j MARK --set-mark 1

But the computer can still access the 192.168.1.0/24 networks.

After a long time's googling and struggling, I tried:

sudo iptables -t mangle -A OUTPUT -d 192.168.1.0/24 -j MARK --set-mark 1

It works and the connection was blocked.

In the first case, the default table of filter is used. So my question is what is the difference between mangle table and filter table? Which one should be used in what cases? As my understanding, all these tables will be consulted before the routing policy, then why the filter table doesn't work properly?

Best Answer

mangle is for mangling (modifying) packets, while filter is intended to just filter packets.

A consequence of this, is that in LOCAL_OUT, after traversing the tables and getting the filtering decision, mangle may try to redo the routing decision, assuming the filtering decision is not to drop or otherwise take control of the packet, by calling ip_route_me_harder, while filter just returns the filtering decision.

Details at net/ipv4/netfilter/iptable_mangle.c and net/ipv4/netfilter/iptable_filter.c.

Related Solutions

Linux – netfilter/iptables: why not using the raw table

From man iptables:

raw: This table is used mainly for configuring exemptions from connection
     tracking in combination with the NOTRACK target. It registers at the
     netfilter hooks with higher priority and is thus called before
     ip_conntrack, or any other IP tables.
     It  provides the following built-in chains:

     - PREROUTING (for packets arriving via any network interface)
     - OUTPUT (for packets generated by local processes)

Analysis:

So, the RAW table is before conntrack and it was designed with the objective to be used to set the NOTRACK mark on packets that you do not wish to track in netfilter.

The -j targets are not restricted only to NOTRACK, so yes, you con filter packets in the raw table with the benefits of less CPU/memory consumption.

Most often, servers don't need to keep track of all connections. You only need tracking if you need to filter packets in iptables based on previous established connections. On servers that only serve a simple purpose like with only port 80 (and maybe 21) open, don't require that. In those instances, you can disable connection tracking.

However, if you're trying to run a NAT router, things get slightly complicated. In order to NAT something, you need to keep track of those connections so you can deliver packets from the outside network to the internal network.

If a whole connection is set with NOTRACK, then you will not be able to track related connections either, conntrack and nat helpers will simply not work for untracked connections, nor will related ICMP errors do. You will have to open up for these manually in other words. When it comes to complex protocols such as FTP and SCTP and others, this can be very hard to manage.

Use cases:

One example would be if you have a heavily trafficked router that you want to firewall the incoming and outgoing traffic on, but not the routed traffic. Then, you could set the NOTRACK mark for ignore the forwarded traffic to save processing power.

Another example when NOTRACK can be used is if you have a highly trafficked web-server, you could then set up a rule that turns of tracking for port 80 on all the locally owned IP addresses, or the ones that are actually serving web traffic. You could then enjoy stateful tracking on all other services, except for web traffic which might save some processing power on an already overloaded system.

Example --> running-a-semi-stateless-linux-router-for-private-network

Conclusion: There isn't a strong reason to not to use the raw table, but there is some reasons to take care when using the NOTRACK target in the raw table.

Ip tables by route command and iptables’s table by iptables command, is the same

route command output gives you routing tables. In the simplest terms, routing tables tell the system how to handle IP packets which are going to a foreign IP address. Routing tables are especially useful, if the server has more than one network interface and connected to more than one network.

iptables command on the other hand does a totally different thing (sort of). It decides which incoming and (sometimes outgoing) packets will do so, depending on a set of rules (usually contained in /etc/sysconfig/iptables in current and well known linux distributons). I said sometimes outgoing because, this is a capability of iptables, but it is not used as often as blocking incoming packets. iptables, for the lack of a better term, is a server based firewall implementation. For instance, lets say you have a server that contains financial information and 3 subnets, lets say for the simplicity, one for finance people, one for HR People and last one for the techies. HR and techies, have no business, logging into finance server. You can configure iptables in a such a way that, any connection request coming from HR or techie subnets gets dropped/disconnected, while the requests coming from finance subnet gets connected. This is just one scenario. iptables are capable of filtering traffic in many, many more ways than this but all iptable functionality is not the subject matter suited for this site. If you are interested, there are myriad of documents available on the interwebs.

Best Answer

Related Solutions

Linux – netfilter/iptables: why not using the raw table

Ip tables by route command and iptables’s table by iptables command, is the same

Related Question