> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Seferovic Edvin
> Sent: Monday, October 17, 2005 9:45 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: logging and droping bad tcp packets
>
> Hi and thank you for the answer Derick....
>
> I set it as
>
> iptables -t mangle -A PREROUTING ..... -j DROP ... I suppose
> I'll keep the packages rather far away from the "real"
> iptables chains that are used for filtering... critics?
>
> Regards,
>
> Edvin Seferovic

Yes... =) Filtering should always be done in the filter table, not mangle or nat. There have been many discussions regarding this in the list if you would like more information on why. The bottom line is that iptables is designed to filter in filter, and it works properly when done that way.

Derick Anderson
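
Added example, not part of the original thread: a small audit helper that reads `iptables-save` output and reports DROP rules or DROP chain policies placed in the mangle or nat tables, which is the placement the reply advises against. The function name, the `BADTCP` chain and the sample ruleset are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -j TOS --set-tos 0x10
COMMIT
*filter
:INPUT DROP [0:0]
:BADTCP - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j BADTCP
-A BADTCP -j LOG --log-prefix "bad tcp: "
-A BADTCP -j DROP
COMMIT
"""

# Tables the reply says should not be used for filtering.
NON_FILTER_TABLES = {"mangle", "nat"}


def misplaced_drops(ruleset):
    """Return (line_no, table, chain, detail) for each DROP outside filter."""
    findings = []
    table = None
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*mangle" opens a table section
            table = line[1:]
        elif line == "COMMIT":            # closes the current table section
            table = None
        elif table in NON_FILTER_TABLES:
            if line.startswith(":"):      # ":CHAIN POLICY [pkts:bytes]"
                chain, policy = line[1:].split()[:2]
                if policy == "DROP":
                    findings.append((lineno, table, chain, "policy DROP"))
            elif line.startswith("-A "):  # "-A CHAIN <matches> -j TARGET"
                args = shlex.split(line)  # keeps quoted log prefixes intact
                jumps = [args[i + 1] for i, a in enumerate(args[:-1])
                         if a in ("-j", "--jump")]
                if "DROP" in jumps:
                    findings.append((lineno, table, args[1], line))
    return findings


if __name__ == "__main__":
    for lineno, table, chain, detail in misplaced_drops(SAMPLE_RULESET):
        print(f"line {lineno}: DROP in {table}/{chain}: {detail}")
```

The LOG-then-DROP pair in the filter table's `BADTCP` chain is not reported; only the DROP in mangle PREROUTING is.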