What is the destination of the spoofed source ip packet in terms of the netfilter chains?

Question

Good day every one.

Let's assume next configuration: we have a router with a public IP address 1.2.3.4 (external interface - wan).

If for some reason the router receives a packet with a spoofed source IP address which is the same as the public address of our external interface, in terms of netfilter subsystem, what chain this packet will be assigned to?

Destination IP address of this packet can be anything, internal lan/another external address.

Will this packet be considered as the output packet of the router itself (OUTPUT chain) or the forwarded packet (FORWARD chain)?

Answer 1

If the arbitrary destination address is not the same as the router and the routing system of your router made the decision (based on the destination address of the packet) to forward it, then the the packet will move through the FORWARD chain of the filter table.

To get a packet into the OUTPUT chain, your router must have created the packet by itself. In ancient times with ipchains, the behavior was different. If you don't try fancy stuff with iptables, such as NFQUEUEing the spoofed packet to userspace and writing your own tool which routes the packet from userspace (from the kernel's point of view: generating a new packet), the packet you are talking about should never end up in the OUTPUT chain.

Note that the rp_filter (reverse path filter) of your kernel might already drop the spoofed packet before it reaches the FORWARD chain of the filter table.

Also note: some people prefer to implement their spoofing protection rules before the routing decision was made, i.e. in the PREROUTING chain of the raw table.