public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] iptables - do I need the nat table?
From: Tanstaafl @ 2010-04-10 22:17 UTC
  To: gentoo-user

Hello,

This is on a server box, and I am *not* doing NAT on it...

Do I even need the nat table? If not, I'd like to build the kernel
without NAT support, but if there's a good reason not to do that, I won't...

Thanks

-- 

Charles




* [gentoo-user] Re: iptables - do I need the nat table?
From: Kerin Millar @ 2010-04-11  2:26 UTC
  To: gentoo-user

On 10/04/2010 23:17, Tanstaafl wrote:
> Hello,
>
> This is on a server box, and I am *not* doing NAT on it...
>
> Do I even need the nat table? If not, I'd like to build the kernel
> without NAT support, but if there's a good reason not to do that, I won't...
>

If you will not be populating the nat table, you are free to build the 
kernel without CONFIG_NF_NAT and its associated options.

Cheers,

--Kerin





* Re: [gentoo-user] Re: iptables - do I need the nat table?
From: Tanstaafl @ 2010-04-11 10:46 UTC
  To: gentoo-user

On 2010-04-10 10:26 PM, Kerin Millar wrote:
> On 10/04/2010 23:17, Tanstaafl wrote:
>> This is on a server box, and I am *not* doing NAT on it...
>>
>> Do I even need the nat table? If not, I'd like to build the kernel
>> without NAT support, but if there's a good reason not to do that, I
>> won't...

> If you will not be populating the nat table, you are free to build the
> kernel without CONFIG_NF_NAT and its associated options.

Thanks Kerin...

Same question then for the raw table...

I'm a bit clueless when it comes to firewalls, and have no idea what
these numbers mean/do:

*raw
:PREROUTING ACCEPT [4911:886011]
:OUTPUT ACCEPT [4546:2818732]
COMMIT


-- 

Charles




* Re: [gentoo-user] Re: iptables - do I need the nat table?
From: Graham Murray @ 2010-04-11 13:20 UTC
  To: gentoo-user

Tanstaafl <tanstaafl@libertytrek.org> writes:

> I'm a bit clueless when it comes to firewalls, and have no idea what
> these numbers mean/do:
>
> *raw
> :PREROUTING ACCEPT [4911:886011]
> :OUTPUT ACCEPT [4546:2818732]
> COMMIT

The numbers are [packets:bytes] which match the rule or table
concerned. 




* Re: [gentoo-user] Re: iptables - do I need the nat table?
From: Tanstaafl @ 2010-04-12 12:31 UTC
  To: gentoo-user

On 2010-04-11 9:20 AM, Graham Murray wrote:
> Tanstaafl <tanstaafl@libertytrek.org> writes:
>> I'm a bit clueless when it comes to firewalls, and have no idea what
>> these numbers mean/do:
>>
>> *raw
>> :PREROUTING ACCEPT [4911:886011]
>> :OUTPUT ACCEPT [4546:2818732]
>> COMMIT

> The numbers are [packets:bytes] which match the rule or table
> concerned. 

Ok, so... I still don't know what they *mean*... ie, is this a hole in
my firewall? What is the raw table used for, in plain english?

More importantly though...

When I try to remove the nat and raw tables from my firewall, they don't
go away. I have always kept my rules in a separate file, and when I want
to make changes, I change the external file, then do iptables-restore <
/path/to/iptables-current.

(My rule set is very small, so this only takes a second or two, so it's
not/never been a problem)

I've been doing it this way for a long time, and all other changes I
have ever made - eg, opening a certain port for a certain host - work
fine, but, when I comment out the raw and nat tables, then restore the
rules, then do iptables-save > path/to/iptables-current-dump, the
examined file still shows the raw and nat tables loaded... ???




* Re: [gentoo-user] Re: iptables - do I need the nat table?
From: stosss @ 2010-04-12 17:21 UTC
  To: gentoo-user

On Mon, Apr 12, 2010 at 8:31 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> On 2010-04-11 9:20 AM, Graham Murray wrote:
>> Tanstaafl <tanstaafl@libertytrek.org> writes:
>>> I'm a bit clueless when it comes to firewalls, and have no idea what
>>> these numbers mean/do:
>>>
>>> *raw
>>> :PREROUTING ACCEPT [4911:886011]
>>> :OUTPUT ACCEPT [4546:2818732]
>>> COMMIT
>
>> The numbers are [packets:bytes] which match the rule or table
>> concerned.
>
> Ok, so... I still don't know what they *mean*... ie, is this a hole in
> my firewall? What is the raw table used for, in plain english?
>
> More importantly though...
>
> When I try to remove the nat and raw tables from my firewall, they don't
> go away. I have always kept my rules in a separate file, and when I want
> to make changes, I change the external file, then do iptables-restore <
> /path/to/iptables-current.
>
> (My rule set is very small, so this only takes a second or two, so it's
> not/never been a problem)
>
> I've been doing it this way for a long time, and all other changes I
> have ever made - eg, opening a certain port for a certain host - work
> fine, but, when I comment out the raw and nat tables, then restore the
> rules, then do iptables-save > path/to/iptables-current-dump, the
> examined file still shows the raw and nat tables loaded... ???
>
>

Here is a very useful book. I think he is the expert. He will answer email.

LINUX FIREWALLS
Attack Detection and Response with iptables, psad, and fwsnort
by Michael Rash

ISBN-10: 1-59327-141-7
ISBN-13: 978-1-59327-141-1

No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Rash, Michael.
Linux firewalls : attack detection and response with iptables, psad,
and fwsnort / Michael Rash.
p. cm.
Includes index.
ISBN-13: 978-1-59327-141-1
ISBN-10: 1-59327-141-7
1.  Computers--Access control.  2.  Firewalls (Computer security) 3.
Linux.  I.  Title.
QA76.9.A25R36 2007
005.8--dc22
2006026679

-- 
If we can but prevent the government from wasting the labours of the
people, under the pretence of taking care of them, they must become
happy. - Thomas Jefferson




* Re: [gentoo-user] Re: iptables - do I need the nat table?
From: Mick @ 2010-04-15 18:25 UTC
  To: gentoo-user

On Monday 12 April 2010 13:31:09 Tanstaafl wrote:
> On 2010-04-11 9:20 AM, Graham Murray wrote:
> > Tanstaafl <tanstaafl@libertytrek.org> writes:
> >> I'm a bit clueless when it comes to firewalls, and have no idea what
> >> these numbers mean/do:
> >>
> >> *raw
> >>
> >> :PREROUTING ACCEPT [4911:886011]
> >> :OUTPUT ACCEPT [4546:2818732]
> >>
> >> COMMIT
> >
> > The numbers are [packets:bytes] which match the rule or table
> > concerned.
> 
> Ok, so... I still don't know what they *mean*... ie, is this a hole in
> my firewall? What is the raw table used for, in plain english?

I think the man page explains this in plain enough English:

"raw: 
This table is used mainly for configuring exemptions from connection tracking 
in combination with the NOTRACK target. It registers at the netfilter hooks 
with higher priority and is thus called before ip_conntrack, or any other IP 
tables. It provides the following built-in chains: PREROUTING (for packets 
arriving via any network interface) OUTPUT (for packets generated by local 
processes)"

So, as long as packets come and go you should see their count increase.

> More importantly though...
> 
> When I try to remove the nat and raw tables from my firewall, they don't
> go away. I have always kept my rules in a separate file, and when I want
> to make changes, I change the external file, then do iptables-restore <
> /path/to/iptables-current.
> 
> (My rule set is very small, so this only takes a second or two, so it's
> not/never been a problem)
> 
> I've been doing it this way for a long time, and all other changes I
> have ever made - eg, opening a certain port for a certain host - work
> fine, but, when I comment out the raw and nat tables, then restore the
> rules, then do iptables-save > path/to/iptables-current-dump, the
> examined file still shows the raw and nat tables loaded... ???

You need to read the man pages, but in short if you have certain modules 
enabled in your kernel you will end up loading certain default tables.  I 
don't know how you have configured your kernel or your firewall (and I am no 
expert to offer detailed advice) but I am guessing that although you remove a 
rule or two you are not removing the modules that load these tables.

HTH.
-- 
Regards,
Mick

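Worked example, added here and not part of the thread: a small Python parser for the iptables-save format. It reads the [packets:bytes] counters Graham describes (the count against a chain's default policy is traffic that matched none of that chain's rules), lists the tables that are registered but carry no rules (the state raw and nat are in once their kernel modules are loaded, and a no-op rather than a hole, since an empty table with ACCEPT policies changes nothing), and shows why commenting the tables out of the restore file does not make them disappear: iptables-restore only flushes and rewrites the tables named in its input, and a table it is not told about keeps whatever the kernel already has, so the next iptables-save prints it again. Both dumps below are constructed; the raw-table counters are the ones quoted in the thread, everything else is made up.

```python
# Added example (not from the thread): parse iptables-save output and show
# why empty nat/raw tables keep appearing.  All input below is constructed.
import re
from dataclasses import dataclass, field

# Constructed dump in iptables-save format; raw and nat are registered but
# empty, only filter carries rules.  The raw counters are the thread's.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [4911:886011]
:OUTPUT ACCEPT [4546:2818732]
COMMIT
*nat
:PREROUTING ACCEPT [120:7800]
:POSTROUTING ACCEPT [98:6200]
:OUTPUT ACCEPT [98:6200]
COMMIT
*filter
:INPUT DROP [15:900]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4546:2818732]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed restore file in the style the thread describes: raw and nat
# commented out with '#', so only filter is named.
RESTORE_FILE = """\
#*raw
#:PREROUTING ACCEPT [0:0]
#:OUTPUT ACCEPT [0:0]
#COMMIT
#*nat
#:PREROUTING ACCEPT [0:0]
#:POSTROUTING ACCEPT [0:0]
#COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry policy "-"
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


@dataclass
class Chain:
    policy: str
    packets: int  # packets that matched no rule and were handled by the policy
    nbytes: int   # same, in bytes
    rules: list = field(default_factory=list)


def parse_iptables_save(text):
    """Return {table: {chain: Chain}}; '#' lines are comments, as for iptables-restore."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if current is None or m is None:
                raise ValueError("bad chain line: %r" % line)
            name, policy, pkts, byts = m.groups()
            current[name] = Chain(policy, int(pkts), int(byts))
        elif line.startswith("-A "):
            chain = line.split()[1]
            if current is None or chain not in current:
                raise ValueError("rule for undeclared chain: %r" % line)
            current[chain].rules.append(line)
        else:
            raise ValueError("unexpected line: %r" % line)
    return tables


def inert_tables(tables):
    """Registered tables whose chains are all ACCEPT-by-policy with no rules.
    Such a table changes nothing, so its presence is not a hole in the firewall."""
    return sorted(name for name, chains in tables.items()
                  if all(c.policy == "ACCEPT" and not c.rules for c in chains.values()))


def untouched_by_restore(restore_text, live_dump):
    """Tables iptables-restore leaves alone: it only flushes and rewrites the
    tables named in its input, so any other registered table keeps its contents."""
    return sorted(set(parse_iptables_save(live_dump)) - set(parse_iptables_save(restore_text)))


if __name__ == "__main__":
    live = parse_iptables_save(SAMPLE_DUMP)
    print("inert tables:", inert_tables(live))
    print("left as-is by restore:", untouched_by_restore(RESTORE_FILE, SAMPLE_DUMP))
```

Run against a real dump, the script reads the output of iptables-save from a file instead of SAMPLE_DUMP. The tables the kernel currently has registered are listed in /proc/net/ip_tables_names; a table leaves that list, and hence iptables-save output, only when its module (iptable_nat, iptable_raw) is unloaded or, as Kerin suggested, never built in the first place. Note that simply querying a table with iptables -t nat -L is enough to load its module.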
