What's wrong with this iptable rule?

Question

I run dnsmasq locally as a cache server, in the old days, I allow all INPUT packets from lo+, and set policy of INPUT to DROP:

-A INPUT -i lo+ -j ACCEPT

Now I decide to put this on the raw table to speed up rules matching,

-A PREROUTING -i lo+ -j ACCEPT

But that doesn't work as expected. Why? Since the packets get processed by the raw table first, then nat, then filter, why isn't that rule work the same as the old one?

score 2 · Accepted Answer · edited Apr 13 '17 at 12:13

2

See iptables port redirect not working for localhost.

PREROUTING isn't used by the loopback interface

I'd hazard this applies to every table regardless of the chain. Also, you should post the whole command line for a question instead of the tail snippet.

edited Apr 13 '17 at 12:13

Community

1

answered Nov 18 '12 at 06:05

Jeff Ferland

20,239
2
61
85

I didn't post all of them, 'cause I'm testing with only a few lines ;-P – daisy Nov 18 '12 at 06:13
@warl0ck I meant the full 'iptables...', not every rule. – Jeff Ferland Nov 18 '12 at 06:14
Oh, I'm editing the rules directy ... after iptables-save > XXX – daisy Nov 18 '12 at 06:14

What's wrong with this iptable rule?

1 Answers1