logging and droping bad tcp packets
Derick Anderson
danderson at vikus.com
Mon Oct 17 15:54:55 CEST 2005
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
> Seferovic Edvin
> Sent: Monday, October 17, 2005 9:45 AM
> To: netfilter at lists.netfilter.org
> Subject: RE: logging and droping bad tcp packets
>
> Hi and thank you for the answer Derick....
>
> I set it as
>
> Iptables -t mangle -A PREROUTING ..... -j DROP ... I suppose
> Ill keep the packages rather far away from the "real"
> iptables chains that are used for filtering... critics?
>
> Regards,
>
> Edvin Seferovic
Yes... =) Filtering should always be done in the filter table, not
mangle or nat. There have been many discussions regarding this in the
list if you would like more information on why. The bottom line is that
iptables is designed to filter in filter, and it works properly when
done that way.
Derick Anderson
More information about the netfilter
mailing list