On Friday 07 June 2002 3:35 pm, patrick conlin wrote:

> does one generally set the -P on their mangle table chains to DROP, even if
> you're not using them for anything?

No. Mangle tables are for mangling. Nat tables are for address translating, and Filter tables are for filtering. DROP is a filter operation, therefore it belongs only in the filter tables.

> usual procedure says set -P on all chains to DROP and allow what's
> necessary,

Yes, but that's just being sloppy in their description and not saying "all chains in the filter table"...

> but if you're not using your mangle table chains for anything
> and you set -P to DROP (on the iptables -t mangle PREROUTING chain, for
> example) all packets get dropped.

Yes :-)

The reason? All packets have to pass through the mangle, nat and filter tables in order to traverse the entire system. If any one of those tables DROPs the packet, that's it - it's DROPped!

> Just wondering how everyone else handles this.

Don't try to filter using the mangle table :-)

Antony.
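The traversal argument Antony makes (every table on the packet's path gets a say, and a DROP in any of them ends the matter) can be seen in a small model. The following is an added example, not code from the list post or from the netfilter project: it walks a packet through the (table, chain) pairs in the commonly documented order and applies the "sloppy" reading of the advice (`-P DROP` on every chain of every table) next to the correct one (`-P DROP` on the filter chains only). The traversal order in `PATHS`, the simplification that nat sees every packet rather than only the first of a flow, and the sample packets and rule are assumptions of the model.

```python
# Toy model of netfilter table traversal (added example, not from the list post).
# It shows why a DROP policy on a mangle chain drops every packet, while the
# same policy on the filter chains does what the "default DROP" advice intends.

ACCEPT, DROP = "ACCEPT", "DROP"

# (table, chain) pairs in the order a packet visits them. Assumed model order,
# following the usual documented traversal; raw/security tables are omitted
# and nat is treated as seeing every packet, not only the first of a flow.
PATHS = {
    "input": [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
              ("mangle", "INPUT"), ("filter", "INPUT")],
    "forward": [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
    "output": [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
               ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}

ALL_CHAINS = sorted({tc for path in PATHS.values() for tc in path})


def build_policies(default, overrides=None):
    """Policy (-P) for every built-in chain, with optional per-chain overrides."""
    policies = {tc: default for tc in ALL_CHAINS}
    policies.update(overrides or {})
    return policies


def traverse(packet, path, policies, rules=None):
    """Walk the chains on `path`; return (verdict, (table, chain) that decided it).

    In each chain the first matching rule gives the verdict; with no match the
    chain policy applies. A DROP anywhere ends traversal immediately, which is
    the point of the thread: every table on the path gets a say.
    """
    rules = rules or {}
    for tc in path:
        verdict = None
        for match, rule_verdict in rules.get(tc, []):
            if match(packet):
                verdict = rule_verdict
                break
        if verdict is None:
            verdict = policies[tc]
        if verdict == DROP:
            return DROP, tc
    return ACCEPT, path[-1]


# Constructed sample packets and a single "allow ssh" rule in filter/INPUT.
SSH = {"proto": "tcp", "dport": 22}
HTTP = {"proto": "tcp", "dport": 80}
ALLOW_SSH = [(lambda p: p["proto"] == "tcp" and p["dport"] == 22, ACCEPT)]
FILTER_RULES = {("filter", "INPUT"): ALLOW_SSH}

# Sloppy reading of "set -P on all chains to DROP": every table, every chain.
SLOPPY = build_policies(DROP)
# Correct reading: DROP only on the filter table; mangle and nat stay ACCEPT.
CORRECT = build_policies(
    ACCEPT, {("filter", c): DROP for c in ("INPUT", "FORWARD", "OUTPUT")})


def demo():
    """Run the same packets through both policy sets; see the test for results."""
    return {
        "sloppy_ssh": traverse(SSH, PATHS["input"], SLOPPY, FILTER_RULES),
        "correct_ssh": traverse(SSH, PATHS["input"], CORRECT, FILTER_RULES),
        "correct_http": traverse(HTTP, PATHS["input"], CORRECT, FILTER_RULES),
    }


if __name__ == "__main__":
    for name, (verdict, where) in demo().items():
        print(f"{name:12s} -> {verdict} at {where}")
```

With the sloppy policies the ssh packet never reaches the rule that would allow it: it is dropped by the mangle PREROUTING policy, the first chain on its path. With DROP confined to the filter table the allow rule works and everything else is dropped where a filtering decision belongs, in filter/INPUT (or filter/FORWARD for a forwarded packet).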
