I'm testing this rule from a remote machine and sending fragmented packets using the hping3 utility. The -f iptables option is not going to work if conntrack is there. I don't know why it's so hard for iptables to block something like this. If I use a tc filter then it works. But I wanted to block it using iptables.

--
Sent from my iPhone

> On Dec 11, 2015, at 3:14 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
>
> Anton Danilov wrote:
>> Hello.
>> Locally originated packets aren't passed through the raw/PREROUTING chain.
>> To test your rule you should use the raw/OUTPUT chain.
>
> It may not work either, because packets are not fragmented yet in the
> OUTPUT chain, at least when conntrack is active (not sure when it isn't).

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
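As an added illustration (not part of this thread, and not hping3's or netfilter's own code), here is a Python model of what the raw-table -f match actually sees. It builds IPv4 fragments the way hping3 -f does, applies the -f semantics documented in iptables(8) (the match fires only on second and further fragments, i.e. a nonzero fragment offset), and, when conntrack is modelled as loaded, reassembles the datagram first, because nf_defrag_ipv4 hooks PREROUTING at priority -400, ahead of the raw table at -300. The addresses, IP ID and fragment size are assumed values chosen for the example.

```python
import socket
import struct
from typing import Dict, List

IP_MF = 0x2000       # "more fragments" flag in the flags/offset field
IP_OFFSET = 0x1FFF   # fragment offset mask, in units of 8 bytes


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, frag_off: int, more: bool,
               src: str = "10.0.0.1", dst: str = "10.0.0.2", proto: int = 1) -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options. Addresses are assumed example values."""
    flags_off = (IP_MF if more else 0) | (frag_off & IP_OFFSET)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(payload: bytes, ident: int, frag_size: int = 16) -> List[bytes]:
    """Split a payload into IPv4 fragments as hping3 -f does; offsets must be 8-byte multiples."""
    if frag_size % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)          # MF set on all but the last fragment
        frags.append(build_ipv4(chunk, ident, off // 8, more))
    return frags


def parse(pkt: bytes) -> Dict:
    """Decode the fields the -f match and the defragmenter care about."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    tot_len, ident, flags_off = fields[2], fields[3], fields[4]
    return {"ident": ident,
            "offset": (flags_off & IP_OFFSET) * 8,
            "more": bool(flags_off & IP_MF),
            "payload": pkt[ihl:tot_len]}


def iptables_f_matches(pkt: bytes) -> bool:
    """iptables -f / --fragment: second and further fragments only, i.e. nonzero offset."""
    return parse(pkt)["offset"] != 0


def defrag(frags: List[bytes]) -> bytes:
    """Reassemble one datagram, which is what nf_defrag_ipv4 does before the raw table runs."""
    parts = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    if not parts:
        raise ValueError("no fragments")
    ident, expected, data = parts[0]["ident"], 0, b""
    for p in parts:
        if p["ident"] != ident or p["offset"] != expected:
            raise ValueError("missing, duplicate or overlapping fragment")
        data += p["payload"]
        expected += len(p["payload"])
    if parts[-1]["more"]:
        raise ValueError("last fragment missing")
    return build_ipv4(data, ident, 0, False)


def raw_prerouting_drops(frags: List[bytes], conntrack_loaded: bool) -> int:
    """How many packets 'iptables -t raw -A PREROUTING -f -j DROP' would drop.

    With conntrack loaded, nf_defrag_ipv4 (hook priority -400) reassembles the
    fragments before the raw table (priority -300) sees them, so the rule is
    evaluated against one whole datagram and never matches."""
    packets = [defrag(frags)] if conntrack_loaded else frags
    return sum(1 for p in packets if iptables_f_matches(p))


if __name__ == "__main__":
    sample = bytes(range(40))                        # constructed 40-byte payload
    frags = fragment(sample, ident=0x1234, frag_size=16)
    for f in frags:
        info = parse(f)
        print("offset=%2d more=%-5s -f matches: %s"
              % (info["offset"], info["more"], iptables_f_matches(f)))
    print("drops without conntrack:", raw_prerouting_drops(frags, False))
    print("drops with conntrack:   ", raw_prerouting_drops(frags, True))
```

Running it shows the rule matching two of the three fragments when nothing reassembles them, and matching nothing once the defragmenter has put the datagram back together. That is the behaviour being discussed: a raw/PREROUTING -f rule only does anything when the fragments reach the raw table unassembled, which they do not while nf_conntrack (and with it nf_defrag_ipv4) is loaded; a hook that runs before IP-layer defragmentation, such as the tc filter mentioned above, sees every fragment.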