GhostTyper, Tux's lil' helper (Joined: 03 Apr 2004, Posts: 83, Location: Germany; BW)
Posted: Sat Sep 29, 2018 3:41 am
Post subject: [ANSWERED] iptables: Questions regarding the raw table
I can read all over the internet that the iptables raw table is only there to specify if connection tracking should not be applied. However, when a rule's destination in the raw table is -j DROP for instance, then the packet gets dropped and everything seems to work fine.
I have the following set of questions regarding this topic:
- Will the connection tracking get confused when I -j DROP a packet in the raw table? One could assume that the kernel checks for the DROP destination at first, when reaching mangle/PREROUTING when dropping a packet according to "the internet" is allowed at first and therefore it would get connection tracked.
- Would the use of the -j SYNPROXY destination in the raw table work?
- Would the use of a final destination like -j ACCEPT in the raw table also lead to connection tracking?
- Will the use of the -j NOTRACK stop the evaluation of the following rules in the raw table?
My aim is to use iptables with the highest possible performance, because I need to set up a Linux router which needs to guard a 10 GbE internet connection. My hope is that dropping a packet in the raw table, without first specifying -j NOTRACK and then dropping the packet at a later stage, will work just fine. I'm aware of the challenge that I can't use connection tracking modules in the raw table. My aim is to use it as a first defense line with some generic hashlimit, SYNPROXY and DROP rules.
Disclaimer: I also posted this question here: https://serverfault.com/questions/933200/iptables-questions-regarding-the-raw-table.
Last edited by GhostTyper on Sat Sep 29, 2018 8:55 pm; edited 1 time in total
GhostTyper
Posted: Sat Sep 29, 2018 5:42 am
Oh, hello again.
Well, this time I googled indeed.
The nearest or "best" explanation I found was this: https://unix.stackexchange.com/questions/243079/netfilter-iptables-why-not-using-the-raw-table
However, this only suggests to me that I can drop packets there. But I don't know if for instance SYNPROXY is working there. And it is quite hard to test this, because if it doesn't work the connection may just be accepted, and it would be hard to distinguish between a working and a nonworking SYNPROXY rule, etc.
GhostTyper
Posted: Sat Sep 29, 2018 1:05 pm
According to the answer here: https://serverfault.com/questions/933200/iptables-questions-regarding-the-raw-table
My conclusion is:
The raw table can be used as an early defence line against attacks near line rate.
Please answer here or on serverfault if you find some problems with the answers on serverfault. I will start implementing my rules and also start testing them in 2 weeks. I will also keep you updated, if I run into any problems regarding those answers.
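The ruleset the thread is working towards, written out here as an added example (not the poster's rules and not the serverfault answer): bogon, scan and hashlimit drops in raw/PREROUTING run before conntrack ever sees the packet, SYNs for the protected port are marked untracked there with CT --notrack, and SYNPROXY itself is placed in filter/INPUT because INPUT and FORWARD are the only hooks that target registers for. The interface eth0, port 80 and the rate limits are assumed placeholders; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: raw-table early defence line plus a SYNPROXY tail in filter.
# Assumed placeholders: WAN interface, protected port, hashlimit thresholds.
WAN="${WAN:-eth0}"
PORT="${PORT:-80}"

# Emit the rules through $1: "iptables" applies them, "echo iptables" dry-runs.
emit_rules() {
    IPT="$1"
    # raw/PREROUTING (priority -300) runs before conntrack (priority -200), so a
    # DROP here never reaches conntrack and cannot create or confuse any state.
    $IPT -t raw -A PREROUTING -i "$WAN" -s 127.0.0.0/8 -j DROP
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # hashlimit needs no conntrack, so it works in raw: cap SYN rate per source.
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --dport "$PORT" --syn \
        -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip \
        --hashlimit-above 200/second --hashlimit-burst 400 -j DROP
    # CT --notrack is non-terminating: rules after it in raw still run. SYNs
    # left untracked here are what the SYNPROXY rule below picks up.
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --dport "$PORT" --syn -j CT --notrack
    # SYNPROXY hooks only INPUT and FORWARD, so it cannot live in the raw table.
    $IPT -t filter -A INPUT -i "$WAN" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY \
        --sack-perm --timestamp --wscale 7 --mss 1460
    $IPT -t filter -A INPUT -i "$WAN" -p tcp --dport "$PORT" \
        -m conntrack --ctstate INVALID -j DROP
}

# Number of rules the set installs in a given table (raw or filter), as a
# self-check that the early line really stays in raw.
count_rules() {
    emit_rules "echo iptables" | grep -c -- "-t $1"
}

if [ "${APPLY:-0}" = "1" ]; then
    # SYNPROXY relies on TCP timestamps and on strict conntrack TCP tracking.
    sysctl -w net.ipv4.tcp_timestamps=1 net.netfilter.nf_conntrack_tcp_loose=0
    emit_rules iptables
else
    emit_rules "echo iptables"
fi
```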