[root@r102 a2d2-2firewall]# /sbin/iptables -L Chain INPUT (policy DROP) target prot opt source destination level3 all -- 192.168.11.183 anywhere level2 all -- 192.168.11.1 anywhere level3 all -- 192.168.16.179 anywhere level3 all -- 192.168.16.21 anywhere level3 all -- 192.168.11.222 anywhere level3 all -- 192.168.11.138 anywhere level3 all -- 192.168.11.197 anywhere level3 all -- 192.168.11.129 anywhere ACCEPT all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination level3 all -- 192.168.11.183 anywhere level2 all -- 192.168.11.1 anywhere level3 all -- 192.168.16.179 anywhere level3 all -- 192.168.16.21 anywhere level3 all -- 192.168.11.222 anywhere level3 all -- 192.168.11.138 anywhere level3 all -- 192.168.11.197 anywhere level3 all -- 192.168.11.129 anywhere ACCEPT all -- anywhere anywhere Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere Chain level0 (0 references) target prot opt source destination DROP all -- anywhere anywhere Chain level1 (0 references) target prot opt source destination DROP all -- anywhere anywhere Chain level2 (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere limit: avg 50/sec burst 5 DROP all -- anywhere anywhere Chain level3 (14 references) target prot opt source destination ACCEPT all -- anywhere anywhere limit: avg 151/sec burst 5 DROP all -- anywhere anywherea Note: All routers are modified with all addresses,even if attack could not be coming from them. Hard to tell how ip addresses are getting spoofed.