Pros/Cons using RAW vs Filter

RAW table supports the ability to filter only for input chain if you want. Use dst-address-type=local. That’s what input chain does, except RAW is before conn_track, and input is after.

If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start using conn_track and good luck on a DDoS attack.

But as others have stated, RAW table is meant for advanced users with in-depth understanding of iptables + various RFCs for best practices. Randomly using some “Drop the rest” rule will also break all traffic initiated to/by the router such as BGP peers etc. You need to truly understand the Netfilter packet flow and logic.

You could follow the firewall rules here for raw filtering on the edge while not breaking any RFCs:
http://forum.mikrotik.com/t/how-to-edge-router-and-bng-optimization-for-isps/150007/1

But I am curious, OP is a certified MikroTik trainer. Do MikroTik certifications not teach this basic Linux networking 101 stuff to their trainers?

This makes me doubt the expertise and in-depth knowledge of MikroTik certified trainers.

Hi Dark Nate,
Do you recommend then simply getting another MT router to act as a stateless edge router that gets the public IP, and if so, how do you then feed the next router (my current router) with that connection so that internet still flows in both directions? Do you create a LAN on the stateless router…?

For home users? Stateful + stateless rules are fine on a single router. That’s what I do on my personal home router. It will die on 20G DDoS but I don’t have 20G internet bandwidth, so it doesn’t matter for home much.

For production, edge routers should be separated from distribution/core/access layer routers. Edge should always be stateless even if it’s a million dollar Juniper router, unless your plan is for it to die during Multi-gigabit DDoS which seems to be the preferred method of dying by these consultants/trainers etc. Not really about the OP personally but I’ve seen 10s of certified consultants from different countries all saying crazy shit about stateless vs stateful firewall on the network devices (routers, L3 switches etc).

About this matter

I have a doubt:

Can doing traffic filtering on a switch by using hardware ACLs, before the traffic reaches the router, be a feasible way to firewall a router without losing the high-performance fast-path mode?

@chechito: it is an excellent way to filter the router, but you need an extra device to do that, and you should have a switch that supports a high number of rules. They are stateless rules and work at wire speed.

Now you are contradicting yourself…

Remember: “If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start using conn_track and good luck on a DDoS attack.”

So I will ask once again: how do I set up a router in front of my current router that is stateless?

When it comes to DDOS attack: it is quite “cheap” (with regard to router’s resources) to mitigate those in raw. So that’s the way to go.

Things become interesting when a DDoS first starts and appropriate raw rules are not yet in place. If the device only does raw filtering, without connection tracking and what not, then the device will live but will pass that DDoS traffic further down the line (possibly hitting a stateful firewall and causing that box to struggle) if the traffic is not blocked by pre-existing rules. If the same border router runs a stateful firewall (as all SOHO routers do), then the box will die due to the DDoS attack, but the devastating effect will likely be contained. When the administrator recovers such a device, he can add raw rules to mitigate the attack (and everything should be pretty dandy, including the device running raw rules and connection tracking).

As some argued in this thread, it is possible to go with a stateless firewall. I agree, but it’s much harder. For example, a raw rule will treat every packet as an independent piece, which makes accepting return traffic quite a bit harder (because the destination port will be just anything). So using an ultimate “drop all” rule will need many preceding accept rules, where a single “accept related” rule in a stateful firewall will take care of many of the raw rules.

Read the official explanation:
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeFirewall

You will quickly understand it is designed only for LAN/L2 filtering. It cannot be fully realised for internet origin or internet bound traffic.

forward - filters packets, which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)

Which part of home user vs production network do you not understand?

Edit:
And anav, you should stop pretending to be a network engineer or anybody who actually works in networks at a corporate or SP level. Stick to your home labbing threads at best.

I will break it down in plain English:

  1. Using only statelessness on edge routers ensures your router will never die during a massive DDoS or even just massive traffic spikes. It also ensures you are dropping traffic before it ever enters conn_track, avoiding wasted resources.
  2. DDoS protection should be done using FastNetMon + a DDoS scrubbing provider + a BGP blackholing community with your IP transit provider.

But RAW table is the only option in MikroTik because they refused to support nftables ingress hook (before packet assembly) and they refused to support XDP/DPDK (before sk_buff).

If you need a truly advanced end-to-end stateless firewall, you need a NOS and hardware that supports XDP/DPDK natively and hardware offloaded.
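A worked stateless ruleset for what this post and the earlier point about "many preceding accept rules before a final drop" describe: protecting the router itself from the raw table only, with no connection tracking. This is an added example, not configuration from the thread or from MikroTik. The interface list WAN, the address lists bgp-peers and mgmt-allowed, and the addresses in them are assumptions (documentation ranges); adjust them to your own environment.

```routeros
# Constructed example: stateless protection of the router itself using only /ip firewall raw.
# Nothing here touches transit traffic; only packets whose destination is a router address
# (dst-address-type=local) are inspected, which is the role the filter "input" chain would
# otherwise play, but before connection tracking ever sees the packet.
/ip firewall address-list
add list=bgp-peers address=192.0.2.10 comment="constructed example: BGP peer"
add list=mgmt-allowed address=198.51.100.0/24 comment="constructed example: management network"

/ip firewall raw
# Send router-bound packets arriving from the WAN list into a dedicated chain.
add chain=prerouting action=jump jump-target=router-input in-interface-list=WAN \
    dst-address-type=local comment="router-bound traffic from WAN"

# Sessions peers open to us: only from the listed peers, only to port 179.
add chain=router-input action=accept protocol=tcp src-address-list=bgp-peers dst-port=179 \
    comment="BGP sessions initiated by peers"
# Return traffic of sessions we opened: with no state, match the reply shape (their source port 179).
add chain=router-input action=accept protocol=tcp src-address-list=bgp-peers src-port=179 \
    comment="replies for BGP sessions we initiated"
# DNS answers to the router's own resolver: source port 53 to an ephemeral port.
add chain=router-input action=accept protocol=udp src-port=53 dst-port=1024-65535 \
    comment="DNS replies to the router resolver"
# NTP replies (NTP uses 123 on both sides).
add chain=router-input action=accept protocol=udp src-port=123 dst-port=123 comment="NTP replies"
# ICMP is needed for path MTU discovery and basic diagnostics.
add chain=router-input action=accept protocol=icmp comment="ICMP for PMTUD and diagnostics"
# Management only from the allowed list.
add chain=router-input action=accept protocol=tcp src-address-list=mgmt-allowed dst-port=22,8291 \
    comment="SSH and WinBox from management hosts"
# The "drop the rest" rule: everything above is an explicit accept because no "accept related" exists here.
add chain=router-input action=drop comment="drop all other router-bound traffic from WAN"
```

The price of statelessness is visible in the reply rules: the DNS and NTP accepts match any packet whose source port looks like a reply, since there is no connection table to confirm the router actually sent a query. Every service the router itself initiates (BGP, DNS, NTP, RADIUS, and so on) needs its own reply-shaped accept before the final drop, which is exactly why the earlier post calls this harder than a single "accept established,related" rule. Verify the rule counters with `/ip firewall raw print stats` after adding them so that legitimate router sessions are not being caught by the last rule.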

Thinking about that, another approach can be using the newer 2116/2216, which have an integrated switching ASIC supporting 512/1024 ACLs respectively. In these cases we don’t need additional hardware, having a respectable amount of ACL rules available.

And in the case of, for example, a CCR1072, adding a CRS317, which is not too expensive and supports 1024 ACL rules, to give the 1072 an extra breath running at fast-path.

I refer more to these:
Switch Chip Features → Rule Table (not Bridge → Packet Filter)
Switch Chip Rule Table runs at wirespeed Hardware Accelerated
https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable

These are able to include useful parameters like:

dst-address (IP address/Mask)
dst-address6 (IPv6 address/Mask)
src-address (IP address/Mask)
src-address6 (IPv6 address/Mask)
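A worked example of the switch chip rule table this post points to, dropping traffic from listed sources in hardware on the uplink port before it ever reaches the CPU or the raw table. This is an added example, not configuration from the thread or from MikroTik's documentation. The switch name switch1, the uplink port ether1 and the addresses are assumptions (documentation ranges); that an empty `new-dst-ports` value means "drop" is my understanding of the rule table semantics and should be checked against the linked documentation for your model.

```routeros
# Constructed example: hardware ACL on a CRS3xx-class switch chip (rule table runs at wire speed).
# Rules are evaluated in order on ingress of the listed ports; the first match wins, and every
# rule consumes one entry of the ASIC's limited rule budget (e.g. 512/1024 on the models above).
/interface ethernet switch rule
# Drop a constructed "bad" IPv4 subnet from the uplink.
add switch=switch1 ports=ether1 src-address=192.0.2.0/24 new-dst-ports="" \
    comment="constructed example: drop bad IPv4 subnet in hardware"
# Drop a constructed "bad" IPv6 prefix from the uplink.
add switch=switch1 ports=ether1 src-address6=2001:db8:bad::/48 new-dst-ports="" \
    comment="constructed example: drop bad IPv6 prefix in hardware"
# Drop packets addressed to the router's own WAN address from a constructed source range,
# i.e. protect the router itself, which is the question this thread is about.
add switch=switch1 ports=ether1 src-address=203.0.113.0/24 dst-address=198.51.100.1/32 new-dst-ports="" \
    comment="constructed example: drop router-bound traffic from a blocked range"
```

Because these rules are evaluated by the ASIC, they never show up in `/ip firewall raw` counters or in CPU load, which is the whole point; the trade-off is that they match only the fields the rule table exposes (addresses, ports, MACs, VLANs, protocol) and cannot reference address lists, so each blocked prefix is one rule and the total must stay under the hardware limit.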

Thanks for the additional clarity DarkNate, it helped a lot.
Sadly or gladly there will continue to be a plethora of non-IT engineers reading your posts and asking questions, get used to it! :slight_smile:
My intent is to add to my current setup a little something something, but not go overboard, will mull it over.

Ah that, yes. You can use it for strong, plain, basic stateless filtering; it is faster than the RAW table (CPU). But you should be careful to keep in mind that it doesn’t have all the parameters and knobs available on iptables. As long as you know what you’re doing, it is a perfectly valid alternative to raw.

Personally, I’ve never seen RAW table causing CPU issues, so I never tried using the switch filters. For me, RAW works fine, even in 100G+ production networks, no one complained to me that RAW tables broke their network or affected line-rate routing.

Well, thanks to all who read and replied.

Summary:
Question: Is running RAW-only rules preferable to running Filter Input rules to protect said router that is NOT doing connection tracking?

Answer: Based on what I know and what others have confirmed, if you are not running connection tracking, then yes, it would be preferred to run a RAW firewall to protect the router. There was no negative feedback other than that it is an advanced function and should be used with care.

I disagree with your summary: this is not rocket science and the answer is very straightforward…

Stateful firewalls are capable of monitoring and detecting states of all traffic on a network to track and defend based on traffic patterns and flows. Stateless firewalls, however, only focus on individual packets, using preset rules to filter traffic.

As in all things, the type of firewall implemented varies with each vendor. In the case of MikroTik, a stateful firewall is the best option for router protection, and “RAW” does have a role to play, especially when whitelisting IPs that may otherwise be blocked by the stateful filter.

3rd generation FW is where all the current science takes everyone except MikroTik ….

A good read on Firewalls
https://www.baeldung.com/cs/firewalls-stateless-vs-stateful

I have started using the raw firewall for just 3 rules: lists of IPs I would/do block unconditionally in the stateful firewall.

  1. I keep a list of bad IPs and subnets of IPs for people that attempt to hack my mail server.

  2. I block with a downloaded list all IPs from Kazakhstan, Russia etc. (I combine these into one list called Foreign).

  3. My auto-generated DDoS list.

i.e.

/ip firewall raw add action=drop chain=prerouting src-address-list=ddos-attackers comment="block ddos bad ips"
/ip firewall raw add action=drop chain=prerouting src-address-list=Blacklist comment="block blacklist"
/ip firewall raw add action=drop chain=prerouting src-address-list=Foreign comment="block foreign"

CPU usage dropped by about 10% when not having to filter all those packets.