On Sat, 2011-10-29 at 23:22 +0100, Andrew Beverley wrote: > On Sat, 2011-10-29 at 21:29 +0200, Jan Engelhardt wrote: > > On Saturday 2011-10-29 20:23, Andrew Beverley wrote: > > >> I can even add the following > > >> line to my server. (This is in the case I use port redirection. Then I > > >> use this line to make it an effective security enhancement): > > >> > > >> iptables -I PREROUTING -t raw -p udp --dport 500 -j DROP > > > > > >Yes, but the packets originating from the server will not pass through > > >the PREROUTING chain. > > > > > >> Besides, I designed my netfilter configuration to not differentiate > > >> between interfaces. I use the addrtype extension, works better. > > > > > >I like that, but remember that any packets leaving the server will only > > >traverse the OUTPUT and POSTROUTING chains. > > > > This is wrong information. > > > > Packets very well pass through PREROUTING even when they come from lo. > > Sorry, I meant locally generated packets leaving the server, in which > case I assume that they do not go through POSTROUTING? I mean PREROUTING :) -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
