From: Kashif Ali Bukhari <kbukhari@gmail.com>
To: Mohammad Norouzi <mnrz57@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: regarding iptables and DROP
Date: Sun, 17 Jun 2007 02:20:46 +0500
Message-ID: <4674542E.5090800@gmail.com>
In-Reply-To: <34b8543c0706160519g4c238ffdkc867eac3eff5990c@mail.gmail.com>

Mohammad Norouzi wrote:
> Hello
> I am new to this mailing list, I have a problem with iptables
> configuration
>
> I have an iptables file with the following content:
>
> [I just briefed the content]
> --------------------------
> :PREROUTING ACCEPT [831:64633]
> :POSTROUTING ACCEPT [20:1927]
> :OUTPUT ACCEPT [11:1333]
>
>
> -A POSTROUTING -s 192.168.0.1 -o eth1 -j MASQUERADE # LINE 1
> -A PREROUTING -s 192.168.0.1 -p tcp -m mac --mac-source !
> 00:30:48:54:AA:5A -j DROP #LINE 2
> ------------------------------
>
> at first it was just "LINE 1" but soon I figured out that some users
> were cloning the existing IPs and trying to connect to the internet, so I
> added "LINE 2" to match their MAC address and drop the packets if
> it isn't the original.
>
> but now it seems that the internet page loading speed has diminished. I
> think this action (adding line 2) caused too much packet checking
> and that is why it has slowed down.
>

False! It should work fine; maybe it's just due to some other reason, or
you are using a slow processor (i.e. Celeron).

> my question is if there is another way to determine the cloned IPs and
> drop them.
> is REJECTING faster than DROP? if yes how to use REJECT option ?
>

Reject is the fast method, which tells the source that the packet is
rejected, and the DROP method will not alert the source.

> any suggestion would be of a great help.
>
> thank you very much in advance.
>
>
>
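
How the per-IP MAC check from the question can be written with REJECT, as an added example that is not part of the original messages: a shell function that turns a list of IP/MAC pairs into an iptables-restore fragment. The rules go in a chain called from filter FORWARD, because the REJECT target is only valid in INPUT, FORWARD, OUTPUT and chains called from them; the chain name MACGUARD, the LAN interface eth0 and the second binding are assumptions, and the negation uses the current `! --mac-source` form.

```shell
#!/bin/sh
# Added example: pin each client IP to its registered MAC address.
# Constructed sample bindings ("IP MAC" per line); only the first pair
# appears in the thread, the second is made up for illustration.
BINDINGS='192.168.0.1 00:30:48:54:AA:5A
192.168.0.2 00:11:22:33:44:55'

# Succeeds only for a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read "IP MAC" pairs on stdin and print an iptables-restore fragment.
# $1 is the LAN-facing interface (assumed name). Nothing is printed if
# any binding is malformed, so a bad list never yields a partial ruleset.
gen_rules() {
    lan_if=$1
    rules=''
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        if ! valid_mac "$mac"; then
            echo "bad MAC for $ip: $mac" >&2
            return 1
        fi
        # Any protocol claiming this IP from another MAC gets an ICMP error.
        rules="${rules}-A MACGUARD -s $ip -m mac ! --mac-source $mac -j REJECT --reject-with icmp-host-prohibited
"
    done
    printf '%s\n' '*filter' ':MACGUARD - [0:0]' \
        "-A FORWARD -i $lan_if -j MACGUARD"
    printf '%s' "$rules"
    echo 'COMMIT'
}

# Print the fragment for review; it can then be fed to iptables-restore --noflush.
printf '%s\n' "$BINDINGS" | gen_rules eth0
```

Unlike the `-p tcp` rule in the nat table quoted above, these rules apply to every protocol and to every forwarded packet from the listed addresses.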