Re: iptables rule to block when DNAT is used
On Tue, 08 Apr 2003 at 03:17:18PM -0700, Kevin Buhr wrote:
>
> Also note that the mangle PREROUTING chain is run on all incoming
> packets before any other chain, so:
>
> iptables -t mangle -I PREROUTING -s badbox.evil -j DROP
>
> should drop all packets from "badbox.evil" before any other rule is
> checked. Do some testing before taking my word on it, though.
Just a quick security point. A better policy is blocking everything and
explicitly allowing what you authorize. All my tables and all my chains
in those tables have a default policy of DROP.
Regards,
--
Phil
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #2: Solar flares
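As an added example (not code posted by Kevin or Phil), the script below puts the two points of this thread into one iptables-restore ruleset: the early source-address DROP in mangle PREROUTING, and a filter table whose built-in chains default to DROP with only the authorized traffic explicitly accepted. It generates the ruleset as text rather than calling iptables, so it can be reviewed or diffed without root. The interface name, the RFC 5737 test address standing in for "badbox.evil", and the DNAT target are assumptions chosen for illustration. It also shows the detail behind the subject line: mangle PREROUTING runs before nat PREROUTING, so the DROP there matches the packet before DNAT rewrites it, while the filter FORWARD accept has to match the post-DNAT destination because FORWARD runs after nat PREROUTING.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset on stdout. All names and addresses below are assumptions.

WAN_IF="eth0"                # assumed external interface
BAD_SRC="192.0.2.66"         # stands in for "badbox.evil" (RFC 5737 test net)
DNAT_PORT="80"               # public port forwarded by DNAT
DNAT_TARGET="10.0.0.5:80"    # assumed internal server the DNAT forwards to

# Filter chains default to DROP; everything else must be allowed explicitly.
# The mangle PREROUTING DROP is evaluated before nat PREROUTING, i.e. before
# DNAT changes the destination, so it sees the packet as it arrived.
gen_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s $BAD_SRC -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $DNAT_PORT -j DNAT --to-destination $DNAT_TARGET
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d ${DNAT_TARGET%:*} --dport ${DNAT_TARGET#*:} -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: every filter built-in chain must default to DROP.
# Returns 0 if so, 1 otherwise.
check_default_deny() {
    rules=$(gen_rules)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
    done
    return 0
}

# Running the script directly prints the ruleset, e.g. for iptables-restore.
gen_rules
```

Load it atomically with `iptables-restore < rules.txt` rather than typing the rules one at a time: with a default policy of DROP, setting the policy over an SSH session before the ESTABLISHED,RELATED accept is in place locks you out. Afterwards, `iptables -t mangle -L PREROUTING -v -n` shows the counters on the early DROP, and `iptables -L FORWARD -v -n` confirms that the accepted forwarded traffic is matched on the internal address, not the public one.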