Hello. Locally originated packets aren't passed through the raw/PREROUTING chain (see this flowchart: https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg ). To test your rule you should use the raw/OUTPUT chain. Also, iptables has its own match for fragmented packets. In your case the rule should look like:

iptables -t raw -I OUTPUT --fragment -j DROP

2015-12-11 1:38 GMT+03:00 Satish Patel <satish.txt@xxxxxxxxx>:
> We have iptables v1.4.21 running and I am trying to stop all
> fragmented packets, but the following rule isn't working. What is wrong
> here?
>
> iptables -t raw -A PREROUTING -m u32 ! --u32 "0x4&0x3fff=0x0" -m
> comment --comment "Fragmented" -j DROP
>
> To test the rule I am doing the following:
>
> ping -M want -s 3000 192.168.1.1
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
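As an added example (not part of the thread above, not code from either poster), the Python script below evaluates the two matches discussed in the thread against constructed IPv4 headers: the u32 expression from Satish's rule, "0x4&0x3fff=0x0", and the -f/--fragment match from Anton's reply, whose semantics (matches only second and further fragments, i.e. non-zero fragment offset) are taken from the iptables(8) man page. The sample headers stand in for what a `ping -s 3000` becomes on a 1500-byte MTU link; the addresses, identification values, payload sizes, the checksum helper, the function names and the tiny "OFFSET&MASK=VALUE" u32 parser are all assumptions made for this example.

```python
import re
import socket
import struct

# Added example, not from the netfilter thread. It evaluates two iptables
# matches in pure Python on constructed IPv4 headers:
#   1. the u32 expression from Satish's rule, "0x4&0x3fff=0x0": load the
#      32-bit word at IP header offset 4 (identification + flags/fragment
#      offset) and mask MF (0x2000) plus the 13-bit offset (0x1fff);
#   2. Anton's -f/--fragment match, which per iptables(8) matches only
#      second and further fragments, i.e. a non-zero fragment offset.

# Subset of u32 syntax handled here (assumption): "OFFSET&MASK=VALUE",
# no ranges, no '@' re-basing.
_U32_SIMPLE = re.compile(
    r"^(0x[0-9a-fA-F]+|\d+)&(0x[0-9a-fA-F]+|\d+)=(0x[0-9a-fA-F]+|\d+)$")


def u32_matches(expr, pkt):
    """Evaluate a simple u32 expression; pkt starts at the IPv4 header."""
    m = _U32_SIMPLE.match(expr)
    if not m:
        raise ValueError("unsupported u32 expression: %r" % expr)
    off, mask, val = (int(x, 0) for x in m.groups())
    word = struct.unpack_from("!I", pkt, off)[0]
    return (word & mask) == val


def fragment_matches(pkt):
    """iptables -f / --fragment: true only for second-and-further fragments."""
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    return (flags_frag & 0x1FFF) != 0


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(ident, more_fragments, offset_8byte_units, payload_len,
                src="192.168.1.2", dst="192.168.1.1", proto=1):
    """Build a 20-byte IPv4 header with no options (constructed sample)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_8byte_units & 0x1FFF)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                ident, flags_frag, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


# Constructed sample: a 3000-byte ping payload plus 8-byte ICMP header is
# 3008 bytes, split on a 1500-byte MTU into 1480 + 1480 + 48 bytes
# (fragment offsets in 8-byte units: 0, 185, 370).
SAMPLE_PACKETS = {
    "unfragmented":    ipv4_header(0x1001, False, 0,   64),
    "first fragment":  ipv4_header(0x1002, True,  0,   1480),
    "middle fragment": ipv4_header(0x1002, True,  185, 1480),
    "last fragment":   ipv4_header(0x1002, False, 370, 48),
}

U32_EXPR = "0x4&0x3fff=0x0"


def rule_decisions(packets=SAMPLE_PACKETS):
    """Return {name: (dropped_by_u32_rule, dropped_by_fragment_rule)}.

    Satish's rule is `! --u32 "0x4&0x3fff=0x0" -j DROP`, so it drops when
    the expression does NOT match; Anton's is `--fragment -j DROP`.
    """
    out = {}
    for name, pkt in packets.items():
        out[name] = (not u32_matches(U32_EXPR, pkt), fragment_matches(pkt))
    return out


if __name__ == "__main__":
    for name, (u32_drop, frag_drop) in rule_decisions().items():
        print("%-16s u32 rule drops: %-5s  --fragment rule drops: %s"
              % (name, u32_drop, frag_drop))
```

Running it shows the two rules agree on unfragmented packets and on second and further fragments, but differ on the first fragment (MF set, offset 0): the negated u32 expression drops it, while --fragment leaves it alone, as the man page wording implies. The script only evaluates match semantics on byte strings; which chain the kernel actually presents the packets to is a separate question, which is what the reply above addresses.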