iptables: Questions regarding the raw table

linux firewall iptables

I can read all over the internet that the iptables raw table is only there to specify if connection tracking should not be applied. However, when a rules destination in the raw table is -j DROP for instance, then the packet gets dropped and everything seems to work fine.

I have the following set of questions regarding this topic:

  • Will the connection tracking get confused when I -j DROP a packet in the raw table? One could assume that the kernel checks for the DROP destination at first, when reaching mangle/PREROUTING when dropping a packet according to "the internet" is allowed at first and therefore it would get connection tracked.
  • Would the use of the -j SYNPROXY destination in the raw table work?
  • Would the use of a final destination like -j ACCEPT in the raw table also lead to connection tracking?
  • Will the use of the -j NOTRACK stop the evaluation of the following rules in the raw table?

My aim is to use iptables with the highest possible performance, because I need to setup a Linux router which needs to guard a 10 GbE internet connection. My hope is that dropping a packet in the raw table without first specifying -j NOTRACK and then dropping the packet at a later stage will work just fine. I'm aware of the problem that I can't use connection tracking modules in the raw table. My aim is to use it as a first defense line with some generic hashlimit, SYNPROXY and DROP rules.


Netfilter packet flow diagram

This picture shows the flowing of packets in Linux kernel Netfilter subsystem, and is very useful in understanding how different rules affect network traffic.

Now to your questions:

Will the connection tracking get confused when I -j DROP a packet in the raw table?

When one drops a packet in raw table, the packet never reaches the conntrack module. This means that no connection tracking entry is created / consulted during packet's flow in the blocked direction.

However, there can be cases where a connection tracking entry is created when the traffic goes to the opposite direction. The conntrack knows this can happen and has for example INVALID state for those connections.

So, conntrack will not get "confused". However, you may encounter some unexpected behaviour due to different rules affecting packets on different directions for one connection.

Would the use of the -j SYNPROXY destination in the raw table work?

According to https://patchwork.ozlabs.org/patch/53494/ , the SYNPROXY target is designed to the PREROUTING chain of the RAW table. So, the answer is yes.

Would the use of a final destination like -j ACCEPT in the raw table also lead to connection tracking?

The ACCEPT is a "local" final destination, that is, when a packets hits an ACCEPT rule in a chain, it will leave current chain and go to the next chain according to the diagram.

So, it will lead to connection tracking, unless you enter the NOTRACK as the jump target.

Will the use of the -j NOTRACK stop the evaluation of the following rules in the raw table?

No, it is not a chain-terminating target.

Related

OpenVPN cannot Disable -ncp-disable Cipher Encryption
Converting an integer to a boxed enum type only known at runtime
Automatic start of a WebSphere Windows service
Can't find 301 redirect source
How to open dovecot backup on windows and save as *.eml
WDC WD40PURZ-85AKKY0 is missing smartclt attributes?
Calculate correlation with cor(), only for numerical columns
VLAN passthrough security
How to group mysql rows with same column value into one row?
Calling base class method in Python
Custom subdomain support with Cloudflare DNS and Netlify Pages
How can I copy a file from one Windows server to another in a script?