On Fri, 2007-07-27 at 15:32 +0530, Ganesan Natarajan wrote:
> Hi,
> My requirement is that before giving the packets to the user space
> application (even before routing) I need to filter the packets. This
> has to be done for all packets irrespective of particular protocol.
>
> So I am using the mangle table with the PREROUTING chain to filter as
> well as to queue the packets using the DROP and QUEUE targets of
> "iptables". But in the man pages it is specified that filter rules
> should not be added into the mangle table.
>
> Are there any issues if I proceed with that?
>
> Ganesan
>

We have been doing something very similar in the open source ISCS network security management project (http://iscs.sourceforge.net). Although the bulk of the tens of thousands of access control rules we create for complex internal and micro-perimeter security are added to our filter table, we handle malicious packet checks (spoofs, ping floods, malformed packets, etc.) in the mangle table. Seems to be working fine for us! - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
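As an added illustration (not code from either poster or from the ISCS project), here is what the reply's pattern looks like in practice: the malicious-packet checks (malformed, spoofed, ping flood) sit in mangle/PREROUTING ahead of the hand-off to userspace, which here uses NFQUEUE, the successor of the QUEUE target the question mentions. The interface name eth0, the queue number 0 and the PING_GUARD chain name are assumptions, and by default the script only prints the rules (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example: malicious-packet checks in mangle/PREROUTING, before routing.
# Dry run by default: IPT="echo iptables" prints each rule instead of applying it.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"      # assumed untrusted interface
QUEUE_NUM="${QUEUE_NUM:-0}"   # assumed NFQUEUE number for the userspace filter

# Emit the rules. Order matters: cheap drops first, the userspace hand-off last.
mangle_prerouting_rules() {
    # Malformed packets: anything conntrack cannot classify is dropped outright.
    $IPT -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate INVALID -j DROP

    # Spoofed sources: private and loopback ranges must never arrive from outside.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -t mangle -A PREROUTING -i "$WAN_IF" -s "$net" -j DROP
    done

    # Ping floods: a user-defined chain lets conforming echo-requests RETURN to
    # PREROUTING (so they still reach the queue) while the excess is dropped.
    # An ACCEPT here would end chain traversal and bypass the queue rule below.
    $IPT -t mangle -N PING_GUARD
    $IPT -t mangle -A PING_GUARD -m limit --limit 5/second --limit-burst 10 -j RETURN
    $IPT -t mangle -A PING_GUARD -j DROP
    $IPT -t mangle -A PREROUTING -i "$WAN_IF" -p icmp --icmp-type echo-request -j PING_GUARD

    # Everything that survives is handed to the userspace application.
    $IPT -t mangle -A PREROUTING -i "$WAN_IF" -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Helper for reviewing the generated ruleset: count rules ending in a given target.
count_rules_with_target() {
    mangle_prerouting_rules | grep -c -- "-j $1"
}

# Print (or apply, with IPT=iptables) the rules when invoked with --run.
case "${1-}" in
    --run) mangle_prerouting_rules ;;
esac
```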