On Sun, Feb 13, 2005 at 09:28:41AM +0300, Mikhail Zotov wrote:
> Hello everybody,
>
> I have a Linux machine (with a static routable IP address)
> connected to a windoops LAN. As is known, there is certain
> "noise" in windoops networks, which can be silently dropped
> by a rule like this:
>
> iptables -A INPUT -p udp --dport 135:139 -j DROP
>
> I have found that this "noise" can also be effectively blocked
> by the following rule:
>
> iptables -A INPUT -d ! $IP.ADDRESS.OF.MY_BOX -j DROP
>
> I haven't noticed anything going wrong yet, still I'd like to
> know: Does this rule have a (potential) drawback? Can it break
> anything in case I have NFS or obtain IP address via DHCP or
> in any other situation?
>
> A similar question goes for the case of a Linux router/gateway
> protecting a LAN (with machines with routable IP addresses).
> Can the following rules do any harm?
>
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d $LAN.BROADCAST -j DROP
> iptables -A FORWARD -i $EXTERIOR_INTERFACE -d ! $LAN.IP.ADDRESSES.RANGE -j DROP

You can also use the pkttype match to drop broadcast/multicast traffic,
without having to calculate the broadcast address for every interface,
and having another rule for the all-ones broadcast:

    -m pkttype --pkt-type broadcast -j DROP
    -m pkttype --pkt-type multicast -j DROP

-j

-- 
"Boy, if you want anything in this life, you have to work for it. Now be
quiet while I listen for these lottery numbers."  --The Simpsons
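The following script is an added example, not code from either poster. It puts the two INPUT rule sets side by side (the question's destination-address filter and the reply's pkttype match), writes the iptables commands in the negation syntax current iptables expects ("! -d", not "-d !"), and includes the per-interface broadcast-address calculation that the pkttype match lets you skip. The router case is also covered, with one caveat the thread does not spell out: pkttype matches the link-layer packet type, and a directed broadcast to the LAN arriving on the exterior interface is carried in a unicast frame, so the FORWARD chain still needs an explicit destination match on the computed broadcast address. The "ipt" wrapper, the DRY_RUN switch and the 192.0.2.0/24 addresses are assumptions for the example; with DRY_RUN=1 (the default here) nothing is loaded and the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread: the two rule sets discussed above
# (filter by destination address vs. by link-layer packet type), plus the
# per-interface broadcast-address calculation that the pkttype match avoids.
# "ipt" is a hypothetical wrapper; DRY_RUN=1 prints the commands instead of
# calling iptables, so the script can be run without root or netfilter.

DRY_RUN="${DRY_RUN:-1}"
ALL_ONES=4294967295   # 0xFFFFFFFF, written in decimal for portability

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
# The body is a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_addr ADDRESS PREFIXLEN -> directed broadcast address of that subnet,
# e.g. broadcast_addr 192.168.1.10 24 -> 192.168.1.255
broadcast_addr() {
    ip=$(ip_to_int "$1")
    mask=$(( (ALL_ONES << (32 - $2)) & ALL_ONES ))
    int_to_ip $(( ip | (~mask & ALL_ONES) ))
}

# Rule set from the question: drop anything not addressed to this host.
# Current iptables puts the "!" before the option ("! -d"), not after it.
rules_by_address() {   # rules_by_address MY_IP
    ipt -A INPUT ! -d "$1" -j DROP
}

# Rule set from the reply: match the link-layer packet type. No per-interface
# broadcast address is needed and 255.255.255.255 is covered as well.
rules_by_pkttype() {
    ipt -A INPUT -m pkttype --pkt-type broadcast -j DROP
    ipt -A INPUT -m pkttype --pkt-type multicast -j DROP
}

# Router case (FORWARD from the exterior interface). A directed broadcast to
# the LAN arrives here as a unicast frame, so pkttype would not classify it as
# broadcast; an explicit match on the computed broadcast address is still needed.
rules_forward() {      # rules_forward EXT_IF LAN_NETWORK PREFIXLEN
    ipt -A FORWARD -i "$1" -d "$(broadcast_addr "$2" "$3")" -j DROP
    ipt -A FORWARD -i "$1" ! -d "$2/$3" -j DROP
}

# Sample run with constructed (documentation-range) addresses.
rules_by_address 192.0.2.10
rules_by_pkttype
rules_forward eth0 192.0.2.0 24
```

Run it as is to see the rules it would load; set DRY_RUN=0 and run as root to apply them. The address-based rule is the stricter of the two INPUT variants (it also drops unicast traffic to any other address the host might hold), which is exactly the property the original question asks about for DHCP and NFS.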