Need clarification by example

Rusty Russell rusty@linuxcare.com.au
Tue, 04 Apr 2000 00:50:13 +0930


In message <011c01bf9b3b$63952e00$640a0a0a@KEVIN> you write:
> Hack to suppress redirects:  I had figured this out myself but I was hoping
> there was something more elegant.  Guess not.

Hi Kevin,

	Catching it in the NAT code itself is on my mental TODO list.

> I assume the policies for INPUT and OUTPUT on the filter table default to
> ACCEPT.

Yep!

> Are the above set of rules considered adequate protection?
> 
> I thought at one point it was necessary to filter on the output chains to
> prevent spoofing (couldn't use rp_filter because it causes problems,
> especially on a system with 3 NICs).

Filtering spoofing out on input chains is possible: depends on how
complicated your routing is.  If you don't do asymmetric routing, it
should work.

Rusty.
--
Hacking time.
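
Added example, not part of the original message: a small Python model of source-address checking on input for a three-interface box, showing that it accepts legitimate traffic when routing is symmetric and drops it when a path is asymmetric. The interface names, prefixes and packets are constructed for illustration, and the check is a simplified model, not the kernel's or netfilter's own code.

```python
import ipaddress

# Constructed routing table for a three-NIC box: (destination prefix, outgoing interface).
ROUTES = [
    ("192.168.1.0/24", "eth1"),  # internal LAN
    ("192.168.2.0/24", "eth2"),  # DMZ
    ("10.9.0.0/16", "eth1"),     # remote office: our replies leave via eth1
    ("0.0.0.0/0", "eth0"),       # default route towards the Internet
]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("192.168.1.10", "eth1"),  # LAN host seen on the LAN interface
    ("192.168.1.10", "eth0"),  # LAN source arriving on the Internet side: spoofed
    ("203.0.113.5", "eth0"),   # Internet host seen on the Internet interface
    ("10.9.3.4", "eth2"),      # genuine remote-office host whose traffic comes in
                               # via eth2 while replies go out eth1 (asymmetric)
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: return the interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def input_spoof_check(src, in_iface, routes=ROUTES):
    """Accept only if the route back to src leaves through the arrival interface."""
    return "ACCEPT" if route_lookup(src, routes) == in_iface else "DROP"


def classify(packets=PACKETS, routes=ROUTES):
    """Return (source, interface, verdict) for each packet."""
    return [(s, i, input_spoof_check(s, i, routes)) for s, i in packets]


if __name__ == "__main__":
    for src, iface, verdict in classify():
        print(f"{src:15} in on {iface}: {verdict}")
```

The last packet is legitimate but is dropped, which is the asymmetric-routing case the reply warns about.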