>> You SHOULD NOT FILTER in tables other than the filter table (the
>> first rule).
>
>> Using the mangle table you can alter packets in the FORWARD chain.
>> In the filter table you cannot.
>> In the mangle table you can filter packets, but you SHOULD NOT.
>
> Why SHOULD one NOT filter in the mangle chain? Are there any
> philosophical reasons? Is it a sin? Does it make the kernel angry? :->
> Performance?

Yes, it will make your kernel yell at you, crash and then go up in flames. ;^P

No, seriously, some people think otherwise because they haven't had problems (yet), but if you're going to filter in the nat or mangle table you may get unexpected results that would not have happened if you filtered in the filter table.

When questions like these are asked I'd say that the OP doesn't really know what's going on regarding packet-flow and should stick to filtering in the filter chain. That's what that table is for.

Gr, Rob
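As an added example (not from the thread or the netfilter project), a small POSIX shell check that scans an iptables-save dump for DROP/REJECT rules placed in tables other than filter; the dump it scans is constructed inline and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an iptables-save dump for
# terminating targets (DROP/REJECT) placed in tables other than "filter".
# In iptables-save output a table section starts with "*name" and ends with "COMMIT".

find_misplaced_filters() {
    # Reads iptables-save output on stdin; prints "table: rule" for each
    # DROP/REJECT rule that sits outside the filter table.
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*mangle" -> "mangle"
        /^COMMIT/ { table = ""; next }
        table != "" && table != "filter" && /-j (DROP|REJECT)( |$)/ {
            print table ": " $0
        }
    '
}

# Constructed sample dump: a DROP in mangle/FORWARD (the pattern discouraged in
# the thread) beside the same policy expressed where it belongs, in filter/FORWARD.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A PREROUTING -i eth0 -j TTL --ttl-set 64
-A FORWARD -s 192.0.2.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.0.2.0/24 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Number of misplaced filter rules found in the sample dump.
count_misplaced_filters() {
    printf '%s\n' "$SAMPLE_DUMP" | find_misplaced_filters | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DUMP" | find_misplaced_filters
```

On a live box, `iptables-save | find_misplaced_filters` runs the same check against the real ruleset.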