>> iptables -t mangle -A PREROUTING -i ! eth1 -s
>> 2xx.xx.xxx.224/255.255.255.240 -j DROP
>
> If you support 2.6.x kernels, I'd suggest to use the raw table instead:
> thus the unnecessary load on conntrack could be avoided.
>

Why use this sort of replacement for rp_filter anyway? What's bad about
rp_filter? (Apart from the problem with asymmetric routing, as is mentioned
in net/ipv4/*.)

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de
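The two alternatives discussed in this thread side by side, as an added example that is not part of any of the posts: the anti-spoofing rule moved from the mangle table into the raw table (whose PREROUTING chain is traversed before connection tracking, so a DROP there never creates a conntrack entry), and the rp_filter sysctl it replaces. The interface names and the 192.0.2.x / 198.51.100.x prefixes are constructed placeholders, not the addresses from the quoted rule; the negation is written in the `! -i` form that current iptables accepts (the `-i !` spelling in the quoted rule is the older syntax).

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): generate anti-spoofing
# rules in the raw table for a list of (interface, local prefix) pairs and
# show the rp_filter sysctl that covers the same case.

# Rule that drops packets claiming a source inside prefix $2 but arriving
# on any interface other than $1. Placing it in raw/PREROUTING means the
# packet is dropped before conntrack sees it, which is the load argument
# made in the thread. Modern iptables spells the negation "! -i".
antispoof_rule() {
    printf 'iptables -t raw -A PREROUTING ! -i %s -s %s -j DROP\n' "$1" "$2"
}

# The kernel-side alternative: per-interface reverse-path filtering.
# 1 = strict (breaks asymmetric routing, the objection raised in the
# thread), 2 = loose (accept if any route back to the source exists).
rp_filter_sysctl() {
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=%s\n' "$1" "$2"
}

# Emit one rule per "iface prefix" line of $1; blank lines are skipped.
emit_rules() {
    echo "$1" | while read -r iface prefix; do
        [ -n "$iface" ] || continue
        antispoof_rule "$iface" "$prefix"
    done
}

# Constructed sample: two LAN segments, each behind its own interface.
SAMPLE='eth1 192.0.2.224/255.255.255.240
eth2 198.51.100.0/24'

# Usage:  sh antispoof.sh        -> dry run, print the commands
#         sh antispoof.sh apply  -> execute them (needs root and iptables)
main() {
    if [ "${1:-}" = apply ]; then
        emit_rules "$SAMPLE" | while read -r cmd; do $cmd; done
    else
        emit_rules "$SAMPLE"
        rp_filter_sysctl all 2
    fi
}

main "$@"
```

The dry run prints the raw-table rules followed by `sysctl -w net.ipv4.conf.all.rp_filter=2`; loose mode (2) is the value that avoids the asymmetric-routing problem mentioned above while still rejecting sources for which the host has no route at all.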