
Re: iptables and INVALID packet filtering.



Hi David.

Should be fine? So, you are not 100 percent sure? Okay, just
kidding (but who knows?) ;-)

Listen David, I have one more question regarding antispoof.
As we know, a typical rule can look, more or less, this way:

> iptables -A INPUT -s 0.0.0.0/8 -j DROP etc.

But recently I came across a pretty strange rule, also for
antispoof. This rule concerns the 'nat' table and the PREROUTING chain:

> iptables -t nat -I PREROUTING 1 -i xx -s 192.168.0.0/16 -j DROP

So, what do you think? Is using the PREROUTING chain good for
antispoof, or is it better to use the rule mentioned above (INPUT chain)?
