Hi Daniel,

I said "should" because I am unsure of your intentions.

Regarding your anti-spoof rules. What are your intentions?
I have not seen your first line before but I would be able to give you
better advice if I know exactly what you are trying to prevent.
Same goes for your question with INPUT vs PREROUTING.

Rules in the INPUT chain are meant to filter traffic going to the host
itself where the PREROUTING chain is to filter traffic being routed through
your host.

How familiar are you with iptables?

Regards,

David


2013/4/4 Daniel Curtis <sidetripp...@gmail.com>

> Hi David.
>
> Should be fine? So, you are not 100 percent sure? Okay, just
> kidding (but who knows?) ;-)
>
> Listen David, I have one more question regarding antispoof.
> As we know, a typical rule can look, more or less, this way;
>
> > iptables -A INPUT -s 0.0.0.0/8 -j DROP etc.
>
> But recently I came across a pretty strange rule, also for
> antispoof. This rule concerns the 'nat' table and PREROUTING chain;
>
> > iptables -t nat -I PREROUTING 1 -i xx -s 192.168.0.0/16 -j DROP
>
> So, what do you think? Is using the PREROUTING chain good for
> antispoof, or is it better to use the rule mentioned above (INPUT chain)?
>
