The iptables firewalls I've seen put anti-spoofing rules in the filter/INPUT and filter/FORWARD chains. The documentation that this is where filtering is best done. However, if you put them in one of the PREROUTING chains, you would not have to duplicate the N calls to them (one call per interface usually), since that is common to the path to INPUT and FORWARD. Is there a problem in doing that (e.g. put them in the nat/PREROUTING chain)?
