On Fri, Jun 29, 2012 at 12:13 AM, rahul shrivastava <shrivastavaone@xxxxxxxxx> wrote:
> My objective is to drop all fragmented packets on my system. The
> following rules are used:
>
> iptables -A INPUT -f -j DROP
> iptables -A OUTPUT -f -j DROP
> iptables -A FORWARD -f -j DROP
>
> The above rules are not having any effect.

I would check whether your interface has offloading parameters enabled. I think it's possible for the NIC or driver to reassemble fragments before passing them up the stack to netfilter.

    $ sudo ethtool -k eth0
    Offload parameters for eth0:
    rx-checksumming: on
    tx-checksumming: on
    scatter-gather: on
    tcp-segmentation-offload: off
    udp-fragmentation-offload: off
    generic-segmentation-offload: on
    generic-receive-offload: on
    large-receive-offload: off
    ntuple-filters: off
    receive-hashing: off

GRO, LRO and possibly GSO could impact the case of detecting ICMP fragments. TSO and UFO might impact the detection of TCP and UDP fragments.
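The check the reply suggests, as an added example that is not part of the thread: a small POSIX sh script that reads `ethtool -k` output, picks out the offload features named in the reply that can cause the kernel to see reassembled packets instead of the individual fragments `iptables -f` matches, and emits the corresponding `ethtool -K ... off` commands. The sample output is constructed from the listing posted above; the function names (`enabled_frag_hiding`, `disable_commands`, `audit_interface`) and the interface name eth0 are assumptions for illustration, and `audit_interface` is the only part that touches a real interface.

```shell
#!/bin/sh
# Added example (not from the netfilter thread). Assumes ethtool -k output in
# the form "feature-name: on|off", as shown in the post.

# Offload features that can hide fragments from the filter table: the NIC or
# driver reassembles (GRO/LRO) or splits (GSO/TSO/UFO) packets so that the
# stack never sees the individual fragments -f would match.
FRAG_HIDING_FEATURES="generic-receive-offload large-receive-offload \
generic-segmentation-offload tcp-segmentation-offload udp-fragmentation-offload"

# Constructed sample, copied from the ethtool -k listing in the post.
SAMPLE_ETHTOOL_OUTPUT='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
ntuple-filters: off
receive-hashing: off'

# Map a long feature name (as printed by ethtool -k) to the short flag that
# ethtool -K accepts.
short_flag() {
    case "$1" in
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        generic-segmentation-offload) echo gso ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        *) return 1 ;;
    esac
}

# Read ethtool -k output on stdin; print, one per line and in listing order,
# the fragment-hiding features that are currently "on".
enabled_frag_hiding() {
    awk -v want="$FRAG_HIDING_FEATURES" '
    BEGIN {
        n = split(want, arr, " ")
        for (i = 1; i <= n; i++) wanted[arr[i]] = 1
    }
    /^[a-z-]+: / {
        name = $1
        sub(/:$/, "", name)
        if ((name in wanted) && $2 == "on") print name
    }'
}

# Emit (without running them) the ethtool -K commands that switch off every
# enabled fragment-hiding feature on interface $1; ethtool -k output on stdin.
disable_commands() {
    iface=$1
    enabled_frag_hiding | while read -r name; do
        echo "ethtool -K $iface $(short_flag "$name") off"
    done
}

# Live variant for a real interface (ethtool usually needs root). Prints the
# commands so they can be reviewed before being applied.
audit_interface() {
    ethtool -k "$1" | disable_commands "$1"
}

# Demonstration on the constructed sample: prints the two commands needed for
# the interface in the post (gso off, gro off).
printf '%s\n' "$SAMPLE_ETHTOOL_OUTPUT" | disable_commands eth0
```

Two further points worth checking before concluding the rules are broken, both independent of the script: `-f` matches only the second and later fragments of a datagram, never the first one, so a counter on these rules stays at zero for unfragmented traffic by design; and on a host where `nf_conntrack` (and with it `nf_defrag_ipv4`) is loaded, the kernel reassembles fragments before the filter table runs, so `-f` will not match there regardless of NIC offloads. After applying the emitted commands, `iptables -L INPUT -v -n` shows whether the DROP counters start moving.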