On Sat, Apr 03, 2004 at 05:03:04PM -0500, John A. Sullivan III wrote:
> On Sat, 2004-04-03 at 15:53, IT Clown wrote:
--- snip ---
> I usually implement anti-spoofing in two steps. For both public and
> private interfaces I set up a rule to drop any packets from the address
> bound to the interface if it appears on a different interface. Thus:
> iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
> iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP

Isn't that what rp_filter does?

> This is to prevent someone from using my own addresses against me.
> --- snip ---
>
> Someone else may have a better way but that's how I do it. I use the
> mangle table rather than filter so that I can drop bad packets ASAP.
> Good luck - John
> --
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@xxxxxxxxxxxxx
> ---
> If you are interested in helping to develop a GPL enterprise class
> VPN/Firewall/Security device management console, please visit
> http://iscs.sourceforge.net
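The question in the reply (does rp_filter already do what the quoted mangle rules do?) can be answered by running the same packets through both checks. The block below is an added example written for this archive page, not code from the thread or from either poster. It models the two rp_filter modes as documented for net.ipv4.conf.*.rp_filter (1 = strict: the reverse-path route to the source must leave via the interface the packet arrived on; 2 = loose: the source only has to be reachable via some interface) and the quoted iptables rules (drop when the source lies in a subnet bound to a different interface). The topology, the FIB with its default route out eth0, and the sample packets are all constructed assumptions, using the 10.0.0.0/24 and 1.1.1.0/24 prefixes from the quoted rules.

```python
import ipaddress

# Constructed topology for this example (an assumption, not from the thread):
# eth0 faces the public side, eth1 the private side, using the prefixes the
# quoted rules mention, plus a default route out eth0.
FIB = [
    ("10.0.0.0/24", "eth1"),
    ("1.1.1.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
]

# The quoted mangle/PREROUTING rules, expressed as "subnet bound to interface".
OWN_SUBNETS = {"eth1": "10.0.0.0/24", "eth0": "1.1.1.0/24"}


def route_lookup(fib, src):
    """Longest-prefix match on a tiny FIB; returns the egress device, or None if
    the source is unreachable."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, dev in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter_accepts(fib, src, ingress, mode):
    """Model of net.ipv4.conf.<dev>.rp_filter.
    0 = off; 1 = strict (reverse path must leave via the ingress device);
    2 = loose (source must merely be reachable via some device)."""
    if mode == 0:
        return True
    dev = route_lookup(fib, src)
    if dev is None:
        return False
    return True if mode == 2 else dev == ingress


def own_subnet_rule_accepts(own_subnets, src, ingress):
    """Model of the quoted iptables rules: drop when the source lies in a subnet
    bound to a different interface from the one the packet arrived on."""
    addr = ipaddress.ip_address(src)
    for dev, prefix in own_subnets.items():
        if addr in ipaddress.ip_network(prefix) and dev != ingress:
            return False
    return True


def compare(packets, fib=FIB, own_subnets=OWN_SUBNETS):
    """Run each (src, ingress) pair through all three checks."""
    rows = []
    for src, ingress in packets:
        rows.append({
            "src": src, "in": ingress,
            "iptables": own_subnet_rule_accepts(own_subnets, src, ingress),
            "rp_strict": rp_filter_accepts(fib, src, ingress, 1),
            "rp_loose": rp_filter_accepts(fib, src, ingress, 2),
        })
    return rows


# Constructed packets: (source address, arriving interface).
SAMPLE_PACKETS = [
    ("10.0.0.5", "eth1"),      # normal inside host
    ("10.0.0.5", "eth0"),      # inside address spoofed from the public side
    ("1.1.1.9", "eth1"),       # firewall's public subnet spoofed from inside
    ("203.0.113.7", "eth1"),   # inside host spoofing an Internet address
    ("203.0.113.7", "eth0"),   # normal Internet source
]

if __name__ == "__main__":
    for row in compare(SAMPLE_PACKETS):
        print(f"{row['src']:>14} on {row['in']}: iptables={row['iptables']} "
              f"rp_filter=1:{row['rp_strict']} rp_filter=2:{row['rp_loose']}")
```

On this topology the quoted rules and strict rp_filter agree on the two "own address on the wrong interface" cases, but they are not the same check: strict rp_filter also drops the inside host spoofing an Internet address (its reverse path is the default route out eth0), while the quoted rules only cover the firewall's own subnets; loose rp_filter accepts everything here because the default route makes every source reachable. Two practical caveats: the kernel uses the larger of conf/all/rp_filter and conf/<interface>/rp_filter for an interface, so setting only one of them can silently leave the other value in force, and strict mode drops legitimate traffic on asymmetrically routed links, which the explicit per-subnet rules do not. The mangle PREROUTING rules also fire before the routing lookup in which rp_filter makes its decision, which is the "drop bad packets ASAP" point in the quoted message.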