This is similar (except FORWARD rather than INPUT) to what I do in my own environment. In fact, I have layered firewalls that specify individual IPs. Of course, my firewalls are bridges (bridge.sourceforge.net), so most of the traffic comes in one eth and goes out the other. E.g.

    iptables -A FORWARD -i eth0 -s 192.168.1.5 -j DROP
    iptables -A FORWARD -i eth1 -s ! 192.168.1.5 -j DROP

...where 192.168.1.5 is the protected server, eth0 is in the DMZ and eth1 connects directly to said server.

Just chiming in again,
Bob

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of David C. Hart
Sent: Wednesday, November 05, 2003 2:08 PM
To: Antony Stone
Cc: Iptables Mailing List
Subject: Re: IP Spoofing

On Wed, 2003-11-05 at 14:51, Antony Stone wrote:
> On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
>
> > Now I would like to know about the IP Spoofing rule, how does it work?
> >
> > - iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
>
> Any packet with a source address in the Class C range 192.168.1.x which does
> not come from eth0 will be DROPped.

Funny, I was similarly confused. What happens to packets from the LAN, given that they don't originate from eth0?

> > I don't know how it can block an IP spoofing attack...
>
> These rules assume that eth0 is your internal network, and your internal
> network range is 192.168.1.0/24.
>
> No packets with your own source address should come from outside (rule 1) and
> all packets from inside should have your own source address (rule 2).
>
> Therefore these two rules stop people on the outside pretending that they
> live on your network, and people on the inside pretending that they don't.
>
> Antony.
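The thread quotes rule 1 verbatim and describes rule 2 only in words ("all packets from inside should have your own source address"). The following is an added example, not code from any of the posters: a small model of first-match chain evaluation that parses the iptables rules exactly as written in the thread (including the legacy `-i ! eth0` / `-s ! addr` negation syntax) and shows the verdict each sample packet would get. Rule 2 is reconstructed from Antony's description as `-s ! 192.168.1.0/24 -i eth0 -j DROP`, the default chain policy is assumed to be ACCEPT, and the packet tuples are constructed for illustration; the chain, interface and address values come from the thread.

```python
"""Model of the two-rule anti-spoofing setup discussed in the thread.

Evaluates (input interface, source address) tuples against a chain using
iptables' first-match semantics. Reconstructed rule 2 and the ACCEPT policy
are assumptions; everything else mirrors the commands quoted in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str
    in_iface: Optional[str]   # -i IFACE
    iface_negated: bool       # -i ! IFACE  (or ! -i IFACE)
    source: Optional[str]     # -s ADDR[/PREFIX]
    source_negated: bool      # -s ! ADDR   (or ! -s ADDR)
    target: str               # -j TARGET

    def matches(self, iface: str, src: str) -> bool:
        """True if this rule's match criteria fit the packet."""
        if self.in_iface is not None:
            hit = iface == self.in_iface
            if hit == self.iface_negated:   # negation inverts the test
                return False
        if self.source is not None:
            hit = ip_address(src) in ip_network(self.source, strict=False)
            if hit == self.source_negated:
                return False
        return True


def parse_rule(cmd: str) -> Rule:
    """Parse an 'iptables -A CHAIN ... -j TARGET' line with -i/-s matches.

    Accepts both the legacy negation form used in the thread ('-i ! eth0')
    and the modern form ('! -i eth0').
    """
    toks = cmd.split()
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    chain = in_iface = source = target = None
    iface_neg = src_neg = False
    pending_neg = False          # set by a leading '!' (modern syntax)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            pending_neg = True
            i += 1
            continue
        if t in ("-A", "-I"):
            chain = toks[i + 1]
            i += 2
            continue
        if t in ("-i", "-s", "-j"):
            val = toks[i + 1]
            neg = pending_neg
            if val == "!":       # legacy syntax: option, then '!', then value
                neg = True
                val = toks[i + 2]
                i += 1
            pending_neg = False
            if t == "-i":
                in_iface, iface_neg = val, neg
            elif t == "-s":
                source, src_neg = val, neg
            else:
                target = val
            i += 2
            continue
        raise ValueError(f"unsupported token {t!r} in {cmd!r}")
    if chain is None or target is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET")
    return Rule(chain, in_iface, iface_neg, source, src_neg, target)


def verdict(rules: List[Rule], iface: str, src: str, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(iface, src):
            return rule.target
    return policy


# Rule 1 as quoted; rule 2 reconstructed from Antony's description (assumption).
INPUT_ANTISPOOF = [
    parse_rule("iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP"),
    parse_rule("iptables -A INPUT -s ! 192.168.1.0/24 -i eth0 -j DROP"),
]

# Bob's bridge variant protecting a single host (eth0 = DMZ, eth1 = server side).
BRIDGE_FORWARD = [
    parse_rule("iptables -A FORWARD -i eth0 -s 192.168.1.5 -j DROP"),
    parse_rule("iptables -A FORWARD -i eth1 -s ! 192.168.1.5 -j DROP"),
]

if __name__ == "__main__":
    # Constructed sample packets: (chain, interface, source address).
    samples = [
        (INPUT_ANTISPOOF, "eth0", "192.168.1.20"),   # LAN host on eth0: allowed
        (INPUT_ANTISPOOF, "eth1", "192.168.1.20"),   # inside address from outside
        (INPUT_ANTISPOOF, "eth0", "10.0.0.9"),       # outside address from inside
        (BRIDGE_FORWARD, "eth0", "192.168.1.5"),     # server's address from the DMZ
        (BRIDGE_FORWARD, "eth1", "192.168.1.9"),     # wrong address on server side
    ]
    for rules, iface, src in samples:
        print(f"{rules[0].chain:8} {iface:5} {src:15} -> {verdict(rules, iface, src)}")
```

Running the block answers David's question directly: a packet with a 192.168.1.x source arriving on eth0 matches neither DROP rule and falls through to the chain policy, while the same source on any other interface, or a foreign source on eth0, is dropped.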