> Yeah, it drops the packets in PREROUTING, however it is not dropping the
> same when I try with FORWARD.
> Here are my PREROUTING rules (the 1st one is of POSTROUTING)

I think someone already asked this, but I can't remember if I ever saw an answer. How are you testing that netfilter is not dropping the packets with the FORWARD rules enabled? From the netfilter machine itself? From a machine behind the netfilter machine?

Remember--packets generated locally by the netfilter machine *never* traverse the FORWARD chain.

I notice that you are transparently redirecting to a squid proxy on the same machine as netfilter. If your tests of the FORWARD rules are from a machine behind netfilter, but you are trying to hit those blocked IPs with a web browser--the requests for those web sites are locally generated by the squid proxy on the netfilter machine (see above).

The answer: If you're trying to block port 80 access to those IPs, and are using a transparent redirect to a squid proxy on the same machine as netfilter--your DROP rules need to be in the OUTPUT chain, not the FORWARD chain.

Alternatively, you could just use squid to block access to the domain/URL/content-type...but that's a different mailing list...

-j
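The rule layout the reply describes, written out as an added example (this is not the poster's rule set, nor anything from the netfilter or squid projects). Assumptions, all constructed for the example: the LAN interface is eth1, squid listens on port 3128 and runs as user "proxy", and the blocked destinations are the TEST-NET addresses in BLOCKED. The REDIRECT in nat/PREROUTING is what turns a client's web request into a locally generated connection from squid, so the block for port 80 sits in OUTPUT; a FORWARD rule is kept only for traffic that is routed straight through and never passes squid (anything other than port 80 from the LAN).

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (constructed):
#   LAN_IF=eth1, squid on 127.0.0.1:3128 running as user "proxy",
#   BLOCKED = TEST-NET addresses. Set DRY_RUN=1 to print the iptables
#   commands instead of applying them (no root needed).
set -eu

LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-proxy}"
BLOCKED="${BLOCKED:-192.0.2.10 198.51.100.20}"

# Wrapper: either run iptables or print the command line that would run.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # 1. Transparent redirect: LAN clients' port-80 traffic is handed to squid.
    #    From this point on the actual web request is generated *locally* by
    #    squid, so it will traverse OUTPUT, never FORWARD.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    for ip in $BLOCKED; do
        # 2. Block squid's outbound connection to the banned address in OUTPUT.
        #    The owner match limits the rule to squid's own connections so the
        #    administrator's tools on the box are unaffected (assumption: squid
        #    runs as $SQUID_USER).
        ipt -A OUTPUT -p tcp --dport 80 -d "$ip" \
            -m owner --uid-owner "$SQUID_USER" -j DROP

        # 3. FORWARD only sees traffic that is routed straight through, i.e.
        #    anything the PREROUTING redirect did not catch (non-port-80), so a
        #    FORWARD rule alone never stops the proxied web requests.
        ipt -A FORWARD -i "$LAN_IF" -d "$ip" -j DROP
    done
}

# Usage:  DRY_RUN=1 sh thisfile.sh && . ./thisfile.sh && build_rules   # print
#         sudo sh -c '. ./thisfile.sh && build_rules'                    # apply
```

Run it first with DRY_RUN=1 to review the generated rules; with the redirect in place, a client behind the box that fetches a blocked address over port 80 will be stopped by the OUTPUT rule, while a direct test of the FORWARD rule only shows an effect for ports the redirect does not touch.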