On Monday 2008-06-09 11:09, Patrick McHardy wrote:
>>
>> > > I've tried that for a day, to no avail:
>> > > ..
>> > > My nat rules currently look like this:
>> > >
>> > > iptables -t nat -A PREROUTING -m state --state INVALID -j LOG
>> > > iptables -t nat -A PREROUTING -m state --state INVALID -j DROP
>> > >
>> > These rules need to go in mangle; the nat table is only
>> > traversed for the first packet of a connection.
>>
>> These rules should go into filter, because that's what "filter"
>> is for... filtering.
>
> As you are well aware, there is no PREROUTING chain in filter.
> So I'm guessing you're trying to pull me into a discussion
> about that, in an irritating way.
>

I overlooked that. In that case, it has to be done in INPUT/FORWARD then.

-t filter -A INPUT -m conntrack --ctstate INVALID -j LOG (and DROP)
-t filter -A FORWARD -m conntrack --ctstate INVALID -j LOG (and DROP)
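The point of the thread is where a conntrack INVALID match can actually fire: the nat table is consulted only for the first packet of a new connection, so an INVALID rule there never matches, while filter (INPUT/FORWARD) and mangle see every packet. The following is an added example, not code from the thread or from the netfilter project: it emits the filter-table rules in iptables-restore format (the log prefix and log level are assumed values chosen here) and includes a small check that refuses tables where a state match is pointless.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Emit an iptables-restore ruleset that logs and drops conntrack-INVALID
# packets in the filter table's INPUT and FORWARD chains, which is where
# the reply above says such rules belong.

# Print the ruleset. The log prefix and level are assumed values.
# Usage: invalid_filter_rules [LOG_PREFIX]
invalid_filter_rules() {
    prefix=${1:-INVALID:}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "$prefix " --log-level 4
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "$prefix " --log-level 4
-A FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Return 0 if a conntrack state match makes sense in the given table,
# 1 if it can never match there, 2 for an unknown table name.
# - filter and mangle see every packet, so INVALID can match.
# - nat is traversed only for the first packet of a new connection
#   (the point made in the quoted reply), so INVALID never matches.
# - raw runs before connection tracking, so no state exists yet.
# Usage: state_match_ok TABLE
state_match_ok() {
    case "$1" in
        filter|mangle) return 0 ;;
        nat|raw)       return 1 ;;
        *)             return 2 ;;
    esac
}

# Stand-alone run: print the ruleset. Load it on a real host with
#   invalid_filter_rules | iptables-restore --test   (check syntax first)
#   invalid_filter_rules | iptables-restore
invalid_filter_rules "INVALID:"
```

The LOG rule precedes the DROP rule in each chain because LOG is a non-terminating target; reversing the order would drop the packet before it is logged.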