
Re: iptables and INVALID packet filtering.



Hi Daniel,
 
I said "should" because I am unsure of your intentions.

Regarding your anti-spoof rules: what are your intentions?
I have not seen your first line before, but I would be able to give you better advice if I knew exactly what you are trying to prevent.
Same goes for your question about INPUT vs PREROUTING.

Rules in the INPUT chain are meant to filter traffic going to the host itself, whereas the PREROUTING chain is to filter traffic being routed through your host.

How familiar are you with iptables?

Regards,
 
David


2013/4/4 Daniel Curtis <sidetripping@gmail.com>
Hi David.

Should be fine? So, you are not 100 percent sure? Okay, just
kidding (but who knows?) ;-)

Listen David, I have one more question regarding antispoof.
As we know, a typical rule can look, more or less, this way:

> iptables -A INPUT -s 0.0.0.0/8 -j DROP etc.

But recently I came across a pretty strange rule, also for
antispoof. This rule concerns the 'nat' table and PREROUTING chain:

> iptables -t nat -I PREROUTING 1 -i xx -s 192.168.0.0/16 -j DROP

So, what do you think? Is using the PREROUTING chain good for
antispoof, or is it better to use the rule mentioned above (INPUT chain)?
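
The two rule styles discussed in this thread (INPUT-chain drops versus a drop in the nat table's PREROUTING chain), illustrated by an added example that is not part of either message. The script below generates an anti-spoof ruleset for the filter table in iptables-restore format: one DROP per bogon source prefix in INPUT (traffic to the host) and in FORWARD (traffic routed through the host), bound to the external interface so the same prefixes remain usable on internal interfaces. It deliberately puts nothing in the nat table: netfilter consults nat only for the first packet of a new connection, so a DROP there is not a reliable filter and the nat PREROUTING chain is not where filtering belongs. The interface name eth0 and the prefix list are assumptions for the example.

```bash
#!/bin/sh
# Anti-spoof ruleset generator (added example, not from the thread).
# Emits iptables-restore text for the *filter* table only.

WAN_IF="${WAN_IF:-eth0}"   # assumed external interface; override via environment

# Source prefixes that must never arrive from the outside (constructed list:
# RFC 1122 "this" network, RFC 1918 private ranges, RFC 3927 link-local,
# loopback, multicast and the reserved class E block).
BOGON_SRCS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

antispoof_rules() {
    # One DROP rule per bogon prefix, in both INPUT (destined for this host)
    # and FORWARD (routed through this host). The -i restriction is what keeps
    # legitimate 192.168.x traffic on the LAN interface unaffected.
    for chain in INPUT FORWARD; do
        for src in $BOGON_SRCS; do
            printf '%s %s -i %s -s %s -j DROP\n' '-A' "$chain" "$WAN_IF" "$src"
        done
    done
}

ruleset() {
    # Complete iptables-restore fragment: filter table header, rules, COMMIT.
    # No *nat section on purpose: nat is only traversed by the first packet
    # of a connection, so it cannot filter the rest of a flow.
    printf '*filter\n'
    antispoof_rules
    printf 'COMMIT\n'
}

count_rules() {
    # Number of DROP rules produced (2 chains x 8 prefixes = 16).
    antispoof_rules | wc -l | tr -d ' '
}

# Usage (as root):  sh antispoof.sh | iptables-restore --noflush
ruleset
```

Loading the output with iptables-restore --noflush appends the rules to the existing filter chains; if the rules are meant to precede an ACCEPT-all rule already in place, use -I instead of -A in the generator so they are inserted at the top, as Daniel's second rule does. The kernel's own reverse-path check (net.ipv4.conf.all.rp_filter) complements these rules by rejecting sources that would not be routed back out the arriving interface.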

