kaiwen wrote:
(3) [root@g webauth]# ip ro show table test2
prohibit 192.168.8.122
I expect ping from 192.168.8.122 to 192.168.250.197 to be dropped, BUT it is
successful. Why?
Did I miss out anything? Please advise.
prohibit specifies the destination address, not the source. So the ping
from 192.168.8.122 to 192.168.250.197 will get through. Additionally,
the reply goes through OUTPUT, not PREROUTING, so it won't be marked and
dropped either. If you add your mark rule to the OUTPUT chain, then you
should see the reply being dropped.
I assume you are just using prohibit for testing: there is no point
marking a packet with iptables and then dropping it with iproute2, when you
could just drop it with iptables in the first place.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
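The two cases Philip describes, reproduced in a small network-namespace lab. This is an added example, not part of the thread: namespace "cli" plays 192.168.8.122 and "g" plays the box at 192.168.250.197 that holds the prohibit route; the table name test2 is replaced by the number 200 so no /etc/iproute2/rt_tables entry is needed, and the veth names are arbitrary. kaiwen's mark rule is not shown in the mail, so one is assumed here: mark 2 on anything to or from 192.168.8.122, matched by source in PREROUTING and by destination in OUTPUT. Run as root with iproute2, iptables and ping installed (`sh lab.sh run`); the first ping gets a reply because the request is marked in PREROUTING but the prohibit entry only matches destination 192.168.8.122, the second gets none because the reply is marked in OUTPUT and its destination is exactly what table 200 prohibits.

```shell
#!/bin/sh
# Added example (not from the original mail): two hosts in network namespaces,
# policy routing on "g" as in the thread, mark rule placed in PREROUTING or
# OUTPUT. Table test2 is replaced by number 200; the mark rule is an assumption.
# Needs root, iproute2 (ip -n), iptables and ping.
set -u

CLI=192.168.8.122   # the pinging host
G=192.168.250.197   # the host that owns table 200 with the prohibit route
TABLE=200
MARK=2

# The assumed mark rule, placed in the chain the caller names. PREROUTING
# sees packets arriving from cli; OUTPUT sees packets g generates itself,
# which is where the echo replies live.
mark_rule() {
    case "$1" in
        PREROUTING) echo "-t mangle -A PREROUTING -s $CLI -j MARK --set-mark $MARK" ;;
        OUTPUT)     echo "-t mangle -A OUTPUT -d $CLI -j MARK --set-mark $MARK" ;;
        *)          return 1 ;;
    esac
}

# Build the lab: one veth pair, /32 addresses, on-link host routes, and on g
# the policy routing from the thread: marked packets consult table 200, whose
# only entry prohibits the *destination* 192.168.8.122.
lab_up() {
    ip netns add cli && ip netns add g &&
    ip link add v-cli type veth peer name v-g &&
    ip link set v-cli netns cli && ip link set v-g netns g &&
    ip -n cli link set lo up && ip -n g link set lo up &&
    ip -n cli addr add "$CLI/32" dev v-cli && ip -n cli link set v-cli up &&
    ip -n g   addr add "$G/32"   dev v-g   && ip -n g   link set v-g up &&
    ip -n cli route add "$G/32"   dev v-cli &&
    ip -n g   route add "$CLI/32" dev v-g &&
    ip -n g rule add fwmark "$MARK" table "$TABLE" &&
    ip -n g route add prohibit "$CLI" table "$TABLE"
}

lab_down() {
    ip netns del cli 2>/dev/null
    ip netns del g 2>/dev/null
}

# Install the mark rule in the given chain on g, ping g from cli once, remove
# the rule again, and echo "yes" or "no" depending on whether a reply arrived.
ping_gets_reply() {
    chain=$1
    ip netns exec g iptables $(mark_rule "$chain") || return 1
    if ip netns exec cli ping -c 1 -W 1 "$G" >/dev/null 2>&1; then
        result=yes
    else
        result=no
    fi
    ip netns exec g iptables -t mangle -F "$chain"
    echo "$result"
}

main() {
    lab_up || { lab_down; echo "lab setup failed (root and CAP_NET_ADMIN needed)" >&2; return 1; }
    ip -n g route show table "$TABLE"      # prints: prohibit 192.168.8.122
    printf 'mark in PREROUTING, reply received: %s\n' "$(ping_gets_reply PREROUTING)"
    printf 'mark in OUTPUT,     reply received: %s\n' "$(ping_gets_reply OUTPUT)"
    lab_down
}

if [ "${1:-}" = run ]; then
    main
fi
```

The PREROUTING case succeeds for a second reason as well: the local table (rule priority 0) claims the incoming request for 192.168.250.197 before the fwmark rule is ever consulted, so table 200 is not even looked at on the way in. Only the locally generated reply, re-routed after the OUTPUT mark, reaches the prohibit entry.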