On Tuesday 2012-06-26 12:24, rahul shrivastava wrote:

>this rule is not working for me

Then you don't have any fragments. Remember that there may be
defragmenter modules (nf_defrag_ipv4/ipv6) loaded.
(And cease top-posting.)

>if you know, provide me a rule to drop only fragmented packets
>
>On 6/21/12, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>> On Thursday 2012-06-21 12:46, rahul shrivastava wrote:
>>
>>>iptables -A INPUT -p icmp -i eth1 -m iprange --src-range 172.31.114.1-172.31.114.254 -m iprange --dst-range 192.168.1.1-192.168.1.254 -f -j DROP
>>>
>>>My objective is to deny only fragmented packets with specified ip, protocol
>>>and interface and "-f" option doesn't seem to work
>>
>> I can guarantee you that -f matches fragments -- if there are any
>> by the time the rule is executed.
>>
>
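
An added example, not part of the original thread: a shell check for the defragmenter modules named in the reply, reporting which modules hold a reference to them. The function names `defrag_users` and `explain` and the sample module list are constructed for illustration; on a live host the input would be `/proc/modules`.

```shell
#!/bin/sh
# Added example, not from the original thread.
# defrag_users: read /proc/modules-format text on stdin and print one line
# per loaded defragmenter module: "<module> <users>".
# Exit status is 0 if a defragmenter is listed, 1 if none is.
# Note: code built into the kernel image does not appear in /proc/modules.
defrag_users() {
    awk '
        $1 == "nf_defrag_ipv4" || $1 == "nf_defrag_ipv6" {
            users = $4
            sub(/,$/, "", users)   # the dependency field ends with a comma
            print $1, users
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in /proc/modules format (not captured from a real host).
SAMPLE_MODULES='nf_conntrack 172032 2 xt_conntrack,nf_nat, Live 0x0000000000000000
nf_defrag_ipv6 24576 1 nf_conntrack, Live 0x0000000000000000
nf_defrag_ipv4 16384 1 nf_conntrack, Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
xt_iprange 16384 2 - Live 0x0000000000000000'

# explain: turn the module list on stdin into a human-readable verdict.
explain() {
    if out=$(defrag_users); then
        printf '%s\n' "$out" | while read -r mod users; do
            echo "$mod loaded (used by: $users):" \
                 "fragments may be reassembled before the -f rule runs"
        done
    else
        echo "no defragmenter module listed: -f in INPUT can see fragments"
    fi
}

printf '%s\n' "$SAMPLE_MODULES" | explain
# On a live host: explain < /proc/modules
```

The "used by" column shows what pulled the defragmenter in, which is typically connection tracking.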