Re: netfilter, nat & packet floods?

In message <Pine.OSF.4.10.10011262257160.5186-100000@smaragdi.hut.fi> you write:
> Anyone know how to properly filter packet floods using iptables w/ nat?

You're doing fine, except the connection tracking code marks the `no
flags' TCP packets as invalid, and the NAT code drops them.

Note that filtering packet floods makes no sense unless your bandwidth
behind the box is < the bandwidth in front.

> Also if I happen to have a bunch of interfaces that are not supposed to
> get any routing and/or nat from this box, tracking connections on them
> seems to be waste of resources to me - there probably is no way to turn
> connection tracking off for some interface pairs?

The only time it makes sense to suppress connection tracking by
interface is when no traffic coming in that interface ever goes to the
`interesting' interface.  That's actually quite rare.

Cheers,
Rusty.
--
Hacking time.
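As an added example (not from Rusty's mail or the netfilter code), a small Python approximation of the verdict described above: a TCP packet that matches no tracked connection is NEW only if it is a bare SYN, and the `no flags' case is INVALID, which is what NAT then drops. The packets and the per-source counter are constructed here to show what a defender would log during a flood.

```python
import struct
from collections import Counter

# TCP flag bits in byte 13 of the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options) for the sample traffic below."""
    # data offset 5 words, seq/ack 0, window 65535, checksum and urgent pointer 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def tcp_flags(segment):
    """Return the six classic flag bits of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F

def flag_names(flags):
    """Human-readable flag list, 'NONE' for the 'no flags' case."""
    names = [n for bit, n in FLAG_NAMES.items() if flags & bit]
    return "/".join(names) or "NONE"

def classify_untracked(segment):
    """Verdict for a TCP packet that matches no existing connection.
    Assumption (simplified from the mail): only a bare SYN opens a NEW flow;
    a packet with no flags set, or any other non-SYN combination, is INVALID."""
    flags = tcp_flags(segment)
    if (flags & (SYN | ACK | RST | FIN)) == SYN:
        return "NEW"
    return "INVALID"

def invalid_per_source(packets):
    """Count INVALID verdicts per source address over (src_ip, segment) pairs,
    the figure a defender would log or rate-limit during a flood."""
    counts = Counter()
    for src, seg in packets:
        if classify_untracked(seg) == "INVALID":
            counts[src] += 1
    return dict(counts)

# Constructed sample: one legitimate SYN plus a burst of no-flags packets
SAMPLE = [("10.0.0.5", build_tcp_header(40000, 80, SYN))] + \
         [("192.0.2.7", build_tcp_header(40000 + i, 80, 0)) for i in range(5)]

if __name__ == "__main__":
    for src, seg in SAMPLE:
        print(src, flag_names(tcp_flags(seg)), classify_untracked(seg))
    print(invalid_per_source(SAMPLE))  # {'192.0.2.7': 5}
```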

