* regarding iptables and DROP
From: Mohammad Norouzi @ 2007-06-16 12:19 UTC (permalink / raw)
To: netfilter
Hello

I am new to this mailing list. I have a problem with iptables configuration.

I have an iptables file with the following content:

[I just briefed the content]
--------------------------
:PREROUTING ACCEPT [831:64633]
:POSTROUTING ACCEPT [20:1927]
:OUTPUT ACCEPT [11:1333]
-A POSTROUTING -s 192.168.0.1 -o eth1 -j MASQUERADE # LINE 1
-A PREROUTING -s 192.168.0.1 -p tcp -m mac --mac-source ! 00:30:48:54:AA:5A -j DROP #LINE 2
------------------------------

At first it was just "LINE 1", but soon I figured out that some users
are cloning the existing IPs and trying to connect to the internet. So I
added "LINE 2" to match their MAC address and drop the packets if
it isn't the original.

But now it seems that the loading speed of internet pages has diminished. I
think this action (adding line 2) caused too much packet checking,
and that is why it has slowed down.

My question is whether there is another way to determine the cloned IPs and
drop them.
Is REJECTING faster than DROP? If yes, how do I use the REJECT option?

Any suggestion would be of great help.

Thank you very much in advance.
--
Regards,
Mohammad
--------------------------
see my blog: http://brainable.blogspot.com/
another in Persian: http://fekre-motefavet.blogspot.com/
* Re: regarding iptables and DROP
From: Kashif Ali Bukhari @ 2007-06-16 21:20 UTC (permalink / raw)
To: Mohammad Norouzi; +Cc: netfilter
Mohammad Norouzi wrote:
> Hello
> I am new to this mailing list, I have a problem with iptables
> configuration
>
> I have an iptables file with following content:
>
> [I just briefed the content]
> --------------------------
> :PREROUTING ACCEPT [831:64633]
> :POSTROUTING ACCEPT [20:1927]
> :OUTPUT ACCEPT [11:1333]
>
>
> -A POSTROUTING -s 192.168.0.1 -o eth1 -j MASQUERADE # LINE 1
> -A PREROUTING -s 192.168.0.1 -p tcp -m mac --mac-source ! 00:30:48:54:AA:5A -j DROP #LINE 2
> ------------------------------
>
> At first it was just "LINE 1", but soon I figured out that some users
> are cloning the existing IPs and trying to connect to the internet. So I
> added "LINE 2" to match their MAC address and drop the packets if
> it isn't the original.
>
> But now it seems that the loading speed of internet pages has diminished. I
> think this action (adding line 2) caused too much packet checking,
> and that is why it has slowed down.
>
False! It should work fine; maybe it's just due to some other reason, or
you are using a slow processor (i.e. Celeron).
> My question is whether there is another way to determine the cloned IPs and
> drop them.
> Is REJECTING faster than DROP? If yes, how do I use the REJECT option?
>
Reject is the fast method, which tells the source that the packet is
rejected, and the DROP method will not alert the source.
> any suggestion would be of a great help.
>
> thank you very much in advance.
>
>
>
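
Added example, not part of either message and not netfilter project code: the REJECT target is only valid in the INPUT, FORWARD and OUTPUT chains (and user chains called from them), so a MAC check that should answer the sender belongs in the filter table's FORWARD chain rather than in PREROUTING. The script below generalizes the single IP/MAC pair from the thread to an allowlist and prints an iptables-restore ruleset. The interface name eth0, the chain name MACPIN and the "IP MAC" input format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is the LAN-side
# interface, MACPIN is a made-up chain name, input is "IP MAC" per line.
LAN_IF="${LAN_IF:-eth0}"

# Read the allowlist on stdin and print an iptables-restore ruleset.
# All-or-nothing: one malformed line returns 1 and no rules are printed.
gen_mac_pin_rules() {
    rules=""
    while read -r ip mac rest || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac   # blank line or comment
        # Shape checks only; they keep stray text out of the generated rules.
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "bad IP: $ip" >&2; return 1; }
        printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
            { echo "bad MAC: $mac" >&2; return 1; }
        [ -z "$rest" ] || { echo "extra fields after $mac" >&2; return 1; }
        # Packets claiming this IP from any other MAC are answered, not
        # silently dropped: TCP gets a reset, everything else an ICMP error.
        m="-A MACPIN -s $ip -m mac ! --mac-source $mac"
        rules="${rules}${m} -p tcp -j REJECT --reject-with tcp-reset
${m} -j REJECT --reject-with icmp-admin-prohibited
"
    done
    printf '*filter\n:MACPIN - [0:0]\n-A FORWARD -i %s -j MACPIN\n%sCOMMIT\n' \
        "$LAN_IF" "$rules"
}

# Sample run with the IP/MAC pair quoted in the thread.
gen_mac_pin_rules <<'EOF'
# ip          mac
192.168.0.1 00:30:48:54:AA:5A
EOF
```

The output is iptables-restore input; loading it without `--noflush` replaces the existing filter table. The mac match only sees the true sender for hosts on the same Ethernet segment as the firewall.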