Brent Clark wrote:
> Hi all
>
> Would you please help me understand as to why you would do some dropping
> in the PREROUTING as opposed to the filter of INPUT or FORWARD (e.g.)

It is not really nice, BUT...
the reason is:
You can filter all of these packets at one point no matter where they
are coming from and going to....

> I've been browsing a few sites and I see sites like iptablesrocks.org
> etc all have rules like so
>
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> ...
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>
> Just something I was thinking.
>
> Kind Regards
> Brent Clark

Swifty
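
An added example, not part of the original thread: a small Python model of the `--tcp-flags MASK COMP` match used by the two quoted rules, and of which chains an incoming packet traverses, to show why one PREROUTING rule covers both the INPUT and FORWARD paths. The function names and the sample packets are constructed for illustration.

```python
# Added illustration; not code from the thread. Models "--tcp-flags MASK COMP"
# and the chains an incoming packet passes through.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def bits(names):
    """Turn 'FIN,SYN' into a bitmask; '' or 'NONE' means no flags."""
    value = 0
    for name in filter(None, names.split(",")):
        if name != "NONE":
            value |= FLAG_BITS[name]
    return value

def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP are set."""
    return (bits(packet_flags) & bits(mask)) == bits(comp)

# The two rules quoted in the thread, as (MASK, COMP) pairs.
RULES = [("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"), ("FIN,SYN", "FIN,SYN")]

def chains_traversed(dst_is_local):
    """Chains an incoming packet passes: PREROUTING, then INPUT or FORWARD."""
    return ["PREROUTING", "INPUT" if dst_is_local else "FORWARD"]

def dropped(packet_flags, dst_is_local, rule_chains):
    """True if a quoted rule, installed in each chain of rule_chains, drops the packet."""
    hit = any(tcp_flags_match(m, c, packet_flags) for m, c in RULES)
    return hit and any(ch in rule_chains for ch in chains_traversed(dst_is_local))

# Constructed sample packets: (flags, destined for the firewall itself?)
SAMPLES = [("SYN", True), ("SYN,ACK", False), ("FIN,ACK", True),
           ("FIN,PSH,URG", True), ("FIN,PSH,URG", False), ("FIN,SYN,ACK", False)]

if __name__ == "__main__":
    for flags, local in SAMPLES:
        print(f"{flags:12} local={local!s:5} "
              f"PREROUTING-only={dropped(flags, local, {'PREROUTING'})} "
              f"INPUT-only={dropped(flags, local, {'INPUT'})}")
```

The model covers incoming packets only; locally generated traffic does not pass through PREROUTING.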