Why are the following rules in raw prerouting iptables?
Unless I am mistaken, this would cause every packet to have to go through these CPU-heavy rules. Shouldn’t these rules go into the filter chain after conntrack, so that only new connections are checked, rather than all packets for new and established connections as they would be in raw PREROUTING?
<rule priority="0" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string friendly-scanner -j sip_ddos</rule>
<rule priority="1" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sundayddr -j sip_ddos</rule>
<rule priority="2" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sipsak -j sip_ddos</rule>
<rule priority="3" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string iWar -j sip_ddos</rule>
<rule priority="4" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sip-scan -j sip_ddos</rule>
<rule priority="5" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo kmp --string hinet.net -j sip_ddos</rule>
<rule priority="6" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo kmp --string sipcli -j sip_ddos</rule>
<rule priority="7" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sipvicious -j sip_ddos</rule>
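The rules above are firewalld direct rules; in plain iptables terms they are `-t raw -A PREROUTING -p all -m string ...`. The raw table is evaluated before connection tracking, so a packet dropped there never creates a conntrack entry, which is the usual reason for putting scanner drops in raw. The expensive part is not the table but `-p all`: it makes the payload search run on every packet of every protocol. The script below, added here as an editor's example and not taken from the original post or from firewalld, regenerates the same eight signatures as iptables commands in two shapes: the filter/INPUT placement with `-m conntrack --ctstate NEW` that the question proposes, and a raw PREROUTING variant that keeps the early drop but scopes the string match to the SIP port. It assumes SIP listens on UDP and TCP 5060 and that a user-defined chain named `sip_ddos` already exists and ends in DROP; both are assumptions, not facts from the post.

```shell
#!/bin/sh
# Editor's added example, not the original poster's configuration.
# Emits the eight scanner signatures from the post as iptables rules, scoped
# so the payload search only runs on packets that can carry SIP at all.
# Assumed (not stated in the post): SIP on UDP/TCP 5060, chain sip_ddos exists.
set -eu

SIP_PORT="${SIP_PORT:-5060}"
SIGS="friendly-scanner sundayddr sipsak iWar sip-scan hinet.net sipcli sipvicious"

# Option A (what the question proposes): filter table, INPUT chain, after
# conntrack. --ctstate NEW selects packets of flows that have not yet seen
# traffic in both directions. A scanner whose packets are dropped never gets
# a reply, so all of its packets remain NEW and are still inspected; only
# flows that the server actually answered skip the string search.
filter_rules() {
    for proto in udp tcp; do
        for s in $SIGS; do
            printf 'iptables -t filter -A INPUT -p %s --dport %s -m conntrack --ctstate NEW -m string --algo bm --string "%s" -j sip_ddos\n' \
                "$proto" "$SIP_PORT" "$s"
        done
    done
}

# Option B: stay in raw PREROUTING (a dropped packet never gets a conntrack
# entry), but replace "-p all" with a protocol and port match so non-SIP
# traffic is never string-scanned at all.
raw_rules() {
    for proto in udp tcp; do
        for s in $SIGS; do
            printf 'iptables -t raw -A PREROUTING -p %s --dport %s -m string --algo bm --string "%s" -j sip_ddos\n' \
                "$proto" "$SIP_PORT" "$s"
        done
    done
}

# Default is a dry run that prints both rule sets; apply-* feeds one set to sh.
case "${1:-print}" in
    print)        filter_rules; raw_rules ;;
    apply-filter) filter_rules | sh -e ;;
    apply-raw)    raw_rules | sh -e ;;
    *) echo "usage: $0 [print|apply-filter|apply-raw]" >&2; exit 2 ;;
esac
```

Run it with no arguments to review the generated rules before applying either set; the `-p all` form from the post appears in neither output. Whichever table you choose, restricting the match to the SIP port is what removes the per-packet cost for everything else on the box.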