>> I want to block anything coming in from the Internet claiming to come
>> from 10/8, or 172.16/12 or 192.168/16.

> You should be able to easily do this with a few EBTables rules.

Yup - I was off putting together something similar to what you did and just now saw your reply. It all tested good. I'll paste it in below:

#
# ebtables rules for bridging
#
# $EBTABLES and $INET_IFACE are set earlier in the script: the path to the
# ebtables binary and the name of the Internet-facing bridge port.
#
echo "ebtables rules"

# The bogus_ip user chain has to exist before the rules below can jump to it.
$EBTABLES -N bogus_ip

echo "  Directing anything between the Internet and private IP Addresses to the bogus_ip chain"
# Bridged traffic (FORWARD chain): private source or destination on the Internet port
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 10.0.0.0/8 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 172.16.0.0/12 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 192.168.0.0/16 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 10.0.0.0/8 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 172.16.0.0/12 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 192.168.0.0/16 -j bogus_ip
# Traffic addressed to the bridge host itself (INPUT chain), same checks
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 10.0.0.0/8 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 172.16.0.0/12 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 192.168.0.0/16 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 10.0.0.0/8 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 172.16.0.0/12 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 192.168.0.0/16 -j bogus_ip

#
# Set up the bogus_ip chain to log and drop packets to/from private IP addresses
#
echo "Setting up the bogus_ip chain to LOG and DROP spoofed packets"
# --log-prefix loads the ebtables log watcher; the packet is logged, then dropped
$EBTABLES -A bogus_ip --log-prefix " spoofed packet"
$EBTABLES -A bogus_ip -j DROP

I might see if I can do this with one set of rules in the PREROUTING chain.

> I don't think you are being too paranoid, but
> I think you should be aware of something I have
> run in to in my own testing. . . .

Yup - I noticed similar behavior. So this is how I'll handle it. eth0 gets an IP Address of 1.2.3.6 during normal bootup. And then when I do the brctl stuff, br0 gets 1.2.3.2. That way there's never a conflict between the physical and logical. All the physical interfaces have unique addresses so I can route based on the address when it makes sense, or bridge based on the interface when that makes sense.

I'm feeling lots better about all this. Hopefully this discussion can help others out there.

- Greg

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
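The rule set above repeats the same three RFC 1918 prefixes twelve times, which is easy to get out of sync when a prefix is added or a chain is renamed. The POSIX sh below is an added example, not Greg's script or anything from the LARTC list: it keeps the prefixes in one list, generates the same FORWARD/INPUT rules from it, and includes a pure-shell prefix matcher so the "is this address inside 10/8, 172.16/12 or 192.168/16" decision the rules make can be checked offline without loading ebtables. The variable names EBTABLES and INET_IFACE follow the post; their default values and the bogus_ip chain name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate anti-spoofing ebtables
# rules from one prefix list and verify the prefix match logic in plain sh.

EBTABLES="${EBTABLES:-ebtables}"   # assumed default; the post sets this earlier
INET_IFACE="${INET_IFACE:-eth0}"   # assumed: the Internet-facing bridge port
PRIVATE_PREFIXES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip_to_int A.B.C.D -> unsigned 32-bit value as a decimal string
# (dotted quads with leading zeros are not handled; none appear in the rules)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_prefix ADDR NET/BITS -> exit 0 if ADDR falls inside NET/BITS
in_prefix() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_private ADDR -> exit 0 if ADDR is in any RFC 1918 prefix, else 1.
# This is the same test the --ip-src/--ip-dst matches perform in the kernel.
is_private() {
    for p in $PRIVATE_PREFIXES; do
        in_prefix "$1" "$p" && return 0
    done
    return 1
}

# emit_rules: print the ebtables command lines. Chains, directions and
# prefixes are nested loops, so adding a prefix touches one line only.
emit_rules() {
    echo "$EBTABLES -N bogus_ip"
    for chain in FORWARD INPUT; do
        for dir in src dst; do
            for p in $PRIVATE_PREFIXES; do
                echo "$EBTABLES -A $chain -i $INET_IFACE -p IPv4 --ip-$dir $p -j bogus_ip"
            done
        done
    done
    # log via the ebtables log watcher, then drop
    echo "$EBTABLES -A bogus_ip --log-prefix \" spoofed packet\""
    echo "$EBTABLES -A bogus_ip -j DROP"
}

# rule_count: number of command lines the generator produces
rule_count() { emit_rules | wc -l | tr -d ' '; }

# Usage: review the output first, then pipe it to sh as root to apply it:
#   sh thisfile.sh            (prints the rules)
#   sh thisfile.sh | sh       (applies them)
emit_rules
```

Running the file prints the rules rather than applying them, so the generated set can be diffed against the hand-written one before anything is loaded into the bridge. The matcher treats 172.32.0.1 as public, which is the edge the /12 boundary is easy to get wrong when writing the rules by hand.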