Hi,

On Fri, 1 Jul 2005, John A. Sullivan III wrote:

> In our default configuration for the ISCS network security management
> project (http://iscs.sourceforge.net), we generate rules to protect
> against spoofing from both the outside and the inside (to ensure we are
> good Internet citizens!). Although the rules are automatically
> generated, they tend to look something like this:
>
> iptables -t mangle -A PREROUTING -i ! eth1 -s 2xx.xx.xxx.224/255.255.255.240 -j DROP

If you support 2.6.x kernels, I'd suggest using the raw table instead:
thus the unnecessary load on conntrack could be avoided.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
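
The raw-table placement suggested in the reply, as an added example that is not part of the original message or of the rules ISCS generates: a generator that emits the anti-spoofing rules as an `iptables-restore` fragment for the raw table, whose PREROUTING chain is traversed before connection tracking. The function names, the documentation range 192.0.2.224/28 standing in for the masked address, the second (inside-facing) rule and the current `! -i` negation placement are assumptions.

```shell
#!/bin/sh
# Emit raw-table anti-spoofing rules in iptables-restore format.
# Nothing is loaded into the kernel here; the output is meant to be reviewed first.

# valid_cidr NET: accept only dotted-quad/prefix, e.g. 192.0.2.224/28.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# antispoof_raw IFACE=NET ... : validate every pair first, then print the fragment.
antispoof_raw() {
    for pair in "$@"; do
        iface=${pair%%=*}
        net=${pair#*=}
        case $iface in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface in '$pair'" >&2; return 1 ;;
        esac
        if [ "$iface" = "$pair" ] || ! valid_cidr "$net"; then
            echo "bad network in '$pair'" >&2
            return 1
        fi
    done
    echo '*raw'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for pair in "$@"; do
        iface=${pair%%=*}
        net=${pair#*=}
        # Source claims to be inside but the packet arrived on another interface.
        echo "-A PREROUTING ! -i $iface -s $net -j DROP"
        # Assumed inside-facing rule: inside interface, source outside the inside net.
        # This also drops 0.0.0.0-sourced DHCP requests arriving on that interface.
        echo "-A PREROUTING -i $iface ! -s $net -j DROP"
    done
    echo 'COMMIT'
}

# Constructed sample: eth1 as the inside interface, as in the quoted rule.
antispoof_raw eth1=192.0.2.224/28
```

After review, the fragment can be piped to `iptables-restore -n` so that existing rules in other tables are left in place.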