In message <Pine.OSF.email@example.com> you write
> Anyone know how to properly filter packet floods using iptables w/ nat?
You're doing fine, except the connection tracking code marks the `no
flags' TCP packets as invalid, and the NAT code drops them.
Note that filtering packet floods makes no sense unless your bandwidth
behind the box is < the bandwidth in front.
> Also if I happen to have a bunch of interfaces that are not supposed to
> get any routing and/or nat from this box, tracking connections on them
> seems to be waste of resources to me - there probably is no way to turn
> connection tracking off for some interface pairs?
The only time it makes sense to suppress connection tracking by
interface is when no traffic coming in that interface ever goes to the
`interesting' interface. That's actually quite rare.
-- Hacking time. - To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to firstname.lastname@example.org
This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:29 EST