On 06.04.2009 17:18, Dennis J. wrote:
> What does "deprecation of NAT filtering" entail exactly?

# /sbin/iptables -V
iptables v1.4.2
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP
The "nat" table is not intended for filtering, hence the use of DROP is deprecated and will permanently be disabled in the next iptables release. Please adjust your scripts.
# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 45827 packets, 3301166 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10000
#

versus

# /sbin/iptables -V
iptables v1.4.3.1
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP
iptables v1.4.3.1: The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 5115 packets, 415189 bytes)
    pkts      bytes target     prot opt in     out     source               destination
#

Do not filter in the nat table and you will be fine.

-- 
Eray

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
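The practical follow-up to "do not filter in the nat table" is finding the rules that already do. The nat table is only consulted for the first packet of a connection, so a DROP there never behaves like a filter rule anyway, and from iptables 1.4.3 onward a script that installs one simply fails as shown above. The script below is an added example, not code from the list post or from the netfilter project: it parses an iptables-save dump (the sample dump is constructed for this example), flags DROP/REJECT targets in the nat table, and prints the equivalent rule for the filter table. The OUTPUT-to-OUTPUT mapping is exact; for PREROUTING and POSTROUTING the filter table has no one-to-one chain, so the suggestion names INPUT/FORWARD and FORWARD/OUTPUT and leaves the choice to the administrator.

```python
"""Lint an iptables-save dump for filtering targets placed in the nat table.

Added example for the netfilter list discussion above; not the project's
own code. Run it against `iptables-save` output instead of SAMPLE_DUMP.
"""
import re

# Targets that filter rather than translate; these are what iptables 1.4.3
# refuses to load into the nat table.
FILTER_TARGETS = {"DROP", "REJECT"}

# Constructed sample dump: a DNAT rule (legitimate nat use), the DROP rule
# from the post, and a clean filter table that must not be flagged.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080
-A OUTPUT -p tcp -m tcp --dport 10000 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

_TABLE_RE = re.compile(r"^\*(\S+)$")
# -A <chain> [<match spec>] -j <target> [<target args>]
_RULE_RE = re.compile(r"^-A\s+(\S+)(?:\s+(.*?))?\s+-j\s+(\S+)(?:\s+(.*))?$")


def parse_dump(text):
    """Yield (table, chain, match_spec, target, target_args) for each -A rule."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _TABLE_RE.match(line)
        if m:
            table = m.group(1)
            continue
        if line == "COMMIT":
            table = None
            continue
        m = _RULE_RE.match(line)
        if m and table:
            chain, spec, target, targs = m.groups()
            yield table, chain, spec or "", target, targs or ""


def find_nat_filtering(text):
    """Return findings for DROP/REJECT rules in the nat table.

    Each finding has the offending rule and an equivalent filter-table
    command. Only OUTPUT maps one-to-one; the other chains get a choice.
    """
    findings = []
    for table, chain, spec, target, _targs in parse_dump(text):
        if table != "nat" or target not in FILTER_TARGETS:
            continue
        spec_part = f" {spec}" if spec else ""
        if chain == "OUTPUT":
            dest = "OUTPUT"
        elif chain == "PREROUTING":
            dest = "INPUT (or FORWARD)"
        else:  # POSTROUTING
            dest = "FORWARD (or OUTPUT)"
        findings.append({
            "chain": chain,
            "rule": f"-A {chain}{spec_part} -j {target}",
            "suggestion": f"iptables -t filter -A {dest}{spec_part} -j {target}",
        })
    return findings


if __name__ == "__main__":
    for f in find_nat_filtering(SAMPLE_DUMP):
        print(f"nat/{f['chain']}: {f['rule']}")
        print(f"  move to: {f['suggestion']}")
```

Feed it real output with `iptables-save | python3 lint_nat.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; anything it reports is a rule that 1.4.2 still accepts with a warning and 1.4.3.1 rejects outright.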