Re: How to block fragmented UDP packets
- From: Pascal Hambourg <boite-a-spam@xxxxxxxxxxxxxxx>
- Date: Wed, 24 Jan 2007 13:18:35 +0100
Hello,
tomek@xxxxxxxxxx wrote:
Thanks to Google, I read that using the u32 module I can stop fragmented UDP
packets. I have a router with NAT and conntrack and I cannot manage the
bandwidth of these packets, so I decided to cut them.
Conntrack does reassembly before the packet enters the PREROUTING chains, so fragmentation should not be a problem. Packets may be fragmented again after the FORWARD chains when the packet size is bigger than the output interface MTU, and reassembled again before the nat/POSTROUTING chain (NAT needs to work on complete IP datagrams), so you will see fragments only in the mangle/POSTROUTING chain.
I found the rule:
iptables -m u32 --u32 "3&0x20=0x20"
or
iptables -m u32 --u32 "3&0x20>>5=1"
or
"4&0x3FFF=1:0x3FFF"
but none of them works.
These are not valid iptables commands: no command, no chain.