Mohammad Norouzi wrote:
Hello,
I am new to this mailing list. I have a problem with iptables
configuration.
I have an iptables file with the following content:
[I have abbreviated the content]
--------------------------
:PREROUTING ACCEPT [831:64633]
:POSTROUTING ACCEPT [20:1927]
:OUTPUT ACCEPT [11:1333]
-A POSTROUTING -s 192.168.0.1 -o eth1 -j MASQUERADE # LINE 1
-A PREROUTING -s 192.168.0.1 -p tcp -m mac --mac-source ! 00:30:48:54:AA:5A -j DROP #LINE 2
------------------------------
At first it was just "LINE 1", but soon I figured out that some users
were cloning the existing IPs and trying to connect to the internet. So I
added "LINE 2" to match their MAC address and drop the packets if
it isn't the original.
But now it seems that the loading speed of internet pages has diminished. I
think this action (adding line 2) caused too much packet checking,
and that is why it has slowed down.
False! It should work fine; maybe it's just due to some other reason, or
you are using a slow processor (i.e. Celeron).
My question is whether there is another way to determine the cloned IPs and
drop them.
Is REJECTing faster than DROP? If yes, how do I use the REJECT option?
REJECT is the fast method, which tells the source that the packet is
rejected, and the DROP method will not alert the source.
Any suggestion would be of great help.
Thank you very much in advance.
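
The IP-to-MAC check and the REJECT question from the thread, as an added example that is not code from either poster: a shell function that turns an IP/MAC binding table into an iptables-restore fragment, in either DROP or REJECT form. It generalizes the single address in the post to a list; the LAN interface name `eth0`, the use of the filter table's FORWARD chain, and every binding except the pair quoted in the thread are assumptions.

```shell
#!/bin/sh
# Assumption: eth0 is the LAN-facing interface (the post only names eth1,
# the outbound side).
LAN_IF=eth0

# Constructed sample table, "<ip> <mac>" per line. Only the first pair
# appears in the thread; the last entry is deliberately malformed.
BINDINGS='192.168.0.1 00:30:48:54:AA:5A
192.168.0.2 00:11:22:33:44:55
192.168.0.3 not-a-mac'

# gen_rules MODE < bindings
#   MODE=drop   : mismatching packets are discarded silently
#   MODE=reject : TCP gets a RST, everything else an ICMP error
# REJECT is only valid in INPUT, FORWARD and OUTPUT, so the rules go in
# the filter table's FORWARD chain.
gen_rules() {
    mode=$1
    echo '*filter'
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Skip malformed entries rather than emit a rule that fails to load.
        if ! printf '%s\n' "$mac" |
            grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "# skipped $ip: bad MAC"
            continue
        fi
        src="-A FORWARD -i $LAN_IF -s $ip"
        mism="-m mac ! --mac-source $mac"
        if [ "$mode" = reject ]; then
            # tcp-reset is only accepted on rules that match -p tcp.
            echo "$src -p tcp $mism -j REJECT --reject-with tcp-reset"
            echo "$src $mism -j REJECT --reject-with icmp-host-prohibited"
        else
            echo "$src $mism -j DROP"
        fi
    done
    echo 'COMMIT'
}

# Print the REJECT variant for the sample table.
gen_rules reject <<EOF
$BINDINGS
EOF
```

The output can be checked without changing the live ruleset by piping it to `iptables-restore --test`.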