On Mon, Mar 25, 2002 at 07:49:08AM +0000, SB CH wrote:
> When I command like this,
> $IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
>
> it means
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP and
> $IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP together?
>
> As I know, when I DROP packets at prerouting chain,
> some packets which travel INPUT and FORWARD chains are dropped.
That's correct. PREROUTING is all incoming packets, before the kernel makes the routing decision about them - whether they go to a local interface, or need to be forwarded elsewhere. So if you drop packets in PREROUTING (not recommended, filtering should be done in the filter table, not the mangle or nat table), then the rule(s) doing the dropping can catch packets destined for the local machine or to be forwarded along.

-- 
Derrik Pates        | Sysadmin, Douglas School | #linuxOS on EFnet
[EMAIL PROTECTED]   | District (dsdk12.net)    | #linuxOS on OPN
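The two points in the reply (PREROUTING is visited before the routing decision, so one rule there covers what otherwise needs both an INPUT and a FORWARD rule, and `--tcp-flags ALL NONE` matches a segment with no flag bits set) can be checked with a small model. The following is an added illustration, not code from the thread: the chain traversal it encodes is a deliberate simplification (assumed: mangle/PREROUTING, then only the filter chain relevant here; nat and the mangle INPUT/FORWARD chains are left out), the `Packet`/`Rule` classes and the sample segments are constructed for the example, and the `--tcp-flags MASK COMP` semantics follow the iptables manual: only the bits in MASK are examined and exactly the bits in COMP must be set.

```python
# Added illustration (not from the thread): a tiny model of how the
# `--tcp-flags ALL NONE` match works and of where the DROP lands when the
# rule sits in mangle/PREROUTING versus filter/INPUT + filter/FORWARD.
# The traversal order below is simplified (assumed): PREROUTING is shown
# before the routing decision, then only the filter chain relevant here.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP header flag bits (low six bits of the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG   # iptables keyword ALL
NONE = 0                                 # iptables keyword NONE


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """Semantics of `--tcp-flags MASK COMP`: look only at the bits in MASK
    and require that exactly the bits in COMP are set among them.
    `ALL NONE` therefore matches a segment with no flags at all, which a
    conforming TCP stack never sends."""
    return (flags & mask) == comp


@dataclass
class Packet:
    flags: int
    to_local_host: bool   # routing decision: local delivery or forward


@dataclass
class Rule:
    table: str
    chain: str
    mask: int
    comp: int
    target: str = "DROP"


def traversal(pkt: Packet) -> List[Tuple[str, str]]:
    """Chains a packet visits, in order. Both paths start in PREROUTING;
    they split only after the routing decision."""
    common = [("mangle", "PREROUTING")]
    if pkt.to_local_host:
        return common + [("filter", "INPUT")]
    return common + [("filter", "FORWARD")]


def verdict(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule along the traversal wins; policy ACCEPT otherwise."""
    for table, chain in traversal(pkt):
        for r in rules:
            if (r.table, r.chain) == (table, chain) and \
                    tcp_flags_match(pkt.flags, r.mask, r.comp):
                return f"{r.target} in {table}/{chain}"
    return "ACCEPT"


# The two rule sets from the question: one rule in mangle/PREROUTING
# versus the pair in the filter table that the reply recommends.
PREROUTING_RULESET = [Rule("mangle", "PREROUTING", ALL, NONE)]
FILTER_RULESET = [Rule("filter", "INPUT", ALL, NONE),
                  Rule("filter", "FORWARD", ALL, NONE)]

# Constructed sample traffic: a null segment and a normal SYN, each once
# for the firewall host itself and once for a host behind it.
SAMPLES: Dict[str, Packet] = {
    "null-local": Packet(NONE, True),
    "null-forward": Packet(NONE, False),
    "syn-local": Packet(SYN, True),
    "syn-forward": Packet(SYN, False),
}


def compare_rulesets() -> Dict[str, Tuple[str, str]]:
    """Verdict of each sample under the PREROUTING and the filter rule sets."""
    return {name: (verdict(p, PREROUTING_RULESET), verdict(p, FILTER_RULESET))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (pre, flt) in compare_rulesets().items():
        print(f"{name:13s} PREROUTING rule -> {pre:27s} filter rules -> {flt}")
```

Both rule sets drop exactly the same samples; the difference is only which chain records the verdict, which is why the reply says the filter-table pair is the equivalent, and the preferred, place for the rule. If you want to see these segments rather than silently drop them, the usual pattern in the filter table is a `-j LOG` rule with the same match immediately before the `-j DROP` rule.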
