
Re: iptables and INVALID packet filtering.



My information about PREROUTING vs INPUT is not correct. I was talking about the FORWARD chain...
Sorry to confuse you.

PREROUTING is meant for rules that need to be applied before a routing decision is made, like the nat table.
So, based on what you are trying to accomplish: if you want to apply anti-spoofing measures that fit in the PREROUTING chain, then it makes most sense to put them there.
Local IP ranges on public interfaces can be stopped in PREROUTING before they hit the INPUT or FORWARD chain.

Regards,
 
David


2013/4/4 David Dejaeghere <david.dejaeghere@gmail.com>
Hi Daniel,
 
 I said "should" because I am unsure of your intentions.

Regarding your anti-spoof rules. What are your intentions?
I have not seen your first line before, but I would be able to give you better advice if I know exactly what you are trying to prevent.
Same goes for your question with INPUT vs PREROUTING.
 
Rules in the INPUT chain are meant to filter traffic going to the host itself, whereas the PREROUTING chain is to filter traffic being routed through your host.

How familiar are you with iptables?

Regards,
 
David


2013/4/4 Daniel Curtis <sidetripping@gmail.com>
Hi David.

Should be fine? So, you are not 100 percent sure? Okay, just
kidding (but who knows?) ;-)

Listen David, I have one more question regarding antispoof.
As we know, a typical rule can look, more or less, like this:

> iptables -A INPUT -s 0.0.0.0/8 -j DROP etc.

But recently I came across a pretty strange rule, also for
antispoof. This rule concerns the 'nat' table and PREROUTING chain:

> iptables -t nat -I PREROUTING 1 -i xx -s 192.168.0.0/16 -j DROP

So, what do you think? Is using the PREROUTING chain good for
antispoof, or is it better to use the rule mentioned above (INPUT chain)?
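As an added example (not code from this thread or from either poster): a small POSIX shell script that generates the kind of ruleset the discussion above is about. It drops local and bogon source ranges arriving on a public interface in the PREROUTING chain, so they never reach INPUT or FORWARD, and drops conntrack INVALID packets in both INPUT and FORWARD. The interface name, the list of source ranges and the choice of the raw table are my assumptions. The raw table is used instead of the nat table from Daniel's second rule because nat PREROUTING is only consulted for the first packet of each connection, whereas raw PREROUTING sees every packet before the routing decision and before connection tracking.

```shell
#!/bin/sh
# Added example, not code from the thread: build an anti-spoofing ruleset
# for one public interface. Prints the iptables commands by default; pass
# "apply" as the second argument to execute them (requires root).

# Source ranges that should never arrive on a public interface.
# Constructed list: "this network", RFC1918 private space, loopback, link-local.
BOGON_SRC="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"

# Anti-spoof rules go in the raw table's PREROUTING chain (assumption, see
# lead-in): raw PREROUTING sees every incoming packet before the routing
# decision, so a spoofed source is dropped before INPUT or FORWARD is reached.
# The nat table would only see the first packet of each connection.
antispoof_rules() {
    ifc="$1"
    for net in $BOGON_SRC; do
        printf 'iptables -t raw -A PREROUTING -i %s -s %s -j DROP\n' "$ifc" "$net"
    done
}

# Packets that conntrack cannot match to a known connection (state INVALID)
# are dropped in both chains a packet can reach after the routing decision:
# INPUT for traffic to the host itself, FORWARD for traffic routed through it.
invalid_rules() {
    printf 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP\n'
}

# Full ruleset for one interface, anti-spoof first so the cheap drops
# happen before any connection-tracking work.
ruleset() {
    antispoof_rules "$1"
    invalid_rules
}

# Number of rules the ruleset would install; handy as a sanity check.
rule_count() {
    ruleset "$1" | wc -l | tr -d ' '
}

# Usage:  sh antispoof.sh eth0          print the commands
#         sh antispoof.sh eth0 apply    run them
main() {
    [ -n "$1" ] || { echo "usage: $0 <public-interface> [apply]" >&2; return 1; }
    if [ "$2" = "apply" ]; then
        ruleset "$1" | sh -e
    else
        ruleset "$1"
    fi
}

case "${1:-}" in
    "") ;;            # sourced or run without arguments: define functions only
    *)  main "$@" ;;
esac
```

Run it once without "apply" and read the output before installing anything; on a host that also routes, check that none of the listed ranges is legitimately expected on the public side (for example a private transit network), otherwise the PREROUTING drop will silently cut that traffic for both INPUT and FORWARD.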


