
Re: iptables rule to block when DNAT is used



On Tue, 08 Apr 2003 at 03:17:18PM -0700, Kevin Buhr wrote:
> 
> Also note that the mangle PREROUTING chain is run on all incoming
> packets before any other chain, so:
> 
>         iptables -t mangle -I PREROUTING -s badbox.evil -j DROP
> 
> should drop all packets from "badbox.evil" before any other rule is
> checked.  Do some testing before taking my word on it, though.

Just a quick security point.  A better policy is blocking everything and
explicitly allowing what you authorize.  All my tables and all my chains
in those tables have a default policy of DROP.

Regards,

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #2: Solar flares 
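The two ideas in this exchange, a mangle PREROUTING drop that fires before any other chain and a filter table whose chains all default to DROP with explicit ACCEPT rules, as one generated ruleset. This is an added example, not code from the thread or from either poster; it emits iptables-restore syntax from a shell function so it can be inspected offline. The address 192.0.2.10 (RFC 5737 documentation range) is a constructed stand-in for the blocked host, and TCP/22 is a constructed stand-in for whatever service you actually authorize.

```shell
#!/bin/sh
# Added example (not from the original thread): build an iptables-restore
# ruleset that follows a default-DROP policy and opens only what is listed.
# Constructed values: 192.0.2.10 stands in for the blocked host, TCP/22 for an
# authorized inbound service. Adjust both before using this anywhere real.

BLOCKED_HOST="192.0.2.10"
ALLOWED_TCP_PORTS="22"

gen_ruleset() {
    # mangle table: PREROUTING sees every incoming packet before nat or
    # filter are consulted, so a DROP here acts before any other rule.
    printf '%s\n' '*mangle'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -s $BLOCKED_HOST -j DROP"
    printf '%s\n' 'COMMIT'

    # filter table: every built-in chain defaults to DROP, so anything not
    # matched by an explicit ACCEPT below is discarded.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback traffic is needed by local services and is never routed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections the host already tracks are allowed both ways.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # New inbound connections: only the explicitly authorized TCP ports.
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # New outbound connections from this host are permitted; forwarding
    # stays at the DROP policy because nothing opens it.
    printf '%s\n' '-A OUTPUT -m state --state NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Helper for sanity checks: number of explicit ACCEPT rules in the output.
count_accept_rules() {
    gen_ruleset | grep -c -- '-j ACCEPT'
}

# Print the ruleset when invoked as: sh ruleset.sh print
case "${1:-}" in
    print) gen_ruleset ;;
esac
```

Validate the syntax without touching the live tables with `sh ruleset.sh print | iptables-restore --test`, and load it from a console session rather than over the network, since a default-DROP filter table with a missing ACCEPT rule locks you out of the box.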


