Egress filters

Egress filters

[Martin Mares]

Hello, world!\n

I would like to set up an egress filter, which would process all outgoing
packets just before they hit the network interface (especially after all
NATing takes place).

Is there any table/chain for that?

				Have a nice fortnight
-- 
Martin `MJ' Mares                          <mj@ucw.cz>   http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
int random(void) { return 4; /* Random number chosen by a fair dice roll. */ }

Re: Egress filters

[Marek Kierdelewicz]

>Hello, world!\n

Hi,

>I would like to set up an egress filter, which would process all
>outgoing packets just before they hit the network interface (especially
>after all NATing takes place).
>Is there any table/chain for that?

Look here:
http://jengelh.medozas.de/images/nf-packet-flow.png

Mangle table postrouting chain is an appropriate place. Filtering would
take place before nat table postrouting chain (nat table is consulted
only for the first packet of the flow).

best regards,
Marek Kierdelewicz

Re: Egress filters

[Martin Mares]

Hi!

> Mangle table postrouting chain is an appropriate place. Filtering would
> take place before nat table postrouting chain (nat table is consulted
> only for the first packet of the flow).

I know that, but I want to hook my rules _after_ the nat table postrouting
chain. (I want to catch packets with private source address which are not
NATed due to misconfiguration of my complex NAT setup.)

				Have a nice fortnight
-- 
Martin `MJ' Mares                          <mj@ucw.cz>   http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Oh no, not again!"  -- The bowl of petunias

Re: Egress filters

[Marek Kierdelewicz]

Hi,

>I know that, but I want to hook my rules _after_ the nat table
>postrouting chain. (I want to catch packets with private source address
>which are not NATed due to misconfiguration of my complex NAT setup.)

Some time ago you could simply add DROP at the end of nat postrouting
chain, but this option is off the table.

You can add rule connmarking traffic to 0x10 at the end of nat
postrouting chain and drop everything with that connmark in filter
forward chain. First packet of the filtered flows would get trough but
everything would be axed.

Best regards,
Marek Kierdelewicz

Re: Egress filters

[Marek Kierdelewicz]

>First packet of the filtered flows would get trough but
>everything would be axed.

First packet of the filtered flows would get trough but
everything ELSE would be axed.

Best regards,
Marek Kierdelewicz

Re: Egress filters

[Martin Mares]

Hi!

> You can add rule connmarking traffic to 0x10 at the end of nat
> postrouting chain and drop everything with that connmark in filter
> forward chain. First packet of the filtered flows would get trough but
> everything would be axed.

That's a neat trick, but still I believe there should be a simple way
how to do egress filtering.

Would a patch adding a POSTROUTING chain to the raw table, positioned
after all other chains, be welcome?

				Have a nice fortnight
-- 
Martin `MJ' Mares                          <mj@ucw.cz>   http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Please try to fit your code to 80 columns. That's decimal 80." -- A. Morton