The reason (that I understand) to not filter in the prerouting table is that
not all connections will go through this chain.  Only connections that are
establishing themselves will travel through here.  Once a packet's routing
has been determined, that same rule will apply to all other packets from that
same session and will skip the nat table altogether.  I believe the same
goes for the mangle table but I could be wrong.  The filter table however
will always be checked against all packets.  This is where you want to put
your filter rules for packets destined for itself (INPUT) or being routed
through it (FORWARD) or generated from the box itself (OUTPUT).



----- Original Message -----
From: "Karl Fischer" <[EMAIL PROTECTED]>
To: "Netfilter mailing list" <[EMAIL PROTECTED]>
Sent: Monday, April 29, 2002 3:17 AM
Subject: filtering in PREROUTING CHAINS


>
> general question
>
> Hi All,
>
> I remember reading something about filtering in PREROUTING CHAINS,
> however, unfortunately I can't find it anymore ...
>
> Somebody said that it's not recommended to filter in PREROUTING,
> it's recommended to filter in input/forward instead ...
>
> Is there any truth in it?
> Any reason?
>
> Many thanks
>
> - Karl
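
A ruleset laid out the way the reply above describes, as an added example that is not part of the original thread: the nat table only rewrites addresses, and every accept/drop decision sits in the filter table's INPUT and FORWARD chains. The interface names (eth0 outside, eth1 inside), the addresses 192.0.2.10 and 10.0.0.5, and the ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. eth0/eth1, 192.0.2.10, 10.0.0.5 and
# the ports are constructed placeholders; adapt them before use.

# Emit the ruleset in iptables-restore format.
build_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Address translation only; no filtering verdicts in this table.
-A PREROUTING -i eth0 -d 192.0.2.10 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets addressed to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Packets routed through the firewall. DNAT has already been applied
# by the time FORWARD runs, so match the translated destination.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.5 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Lint: count DROP/REJECT verdicts that were placed in the nat table.
nat_filter_rules() {
    build_ruleset | awk '
        /^\*/ { table = $1 }
        table == "*nat" && /-j (DROP|REJECT)/ { n++ }
        END { print n + 0 }'
}

case "${1:-}" in
    print) build_ruleset ;;
    check) build_ruleset | iptables-restore --test ;;   # parse only, needs root
    apply) build_ruleset | iptables-restore ;;          # load rules, needs root
esac
```

Run the script with `print` to view the ruleset, or with `check` as root to have iptables-restore parse it without committing.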

