Quote:
Originally Posted by manhtuan307
My teacher gave me some advice, as follows:
Filtering at the Router:
- block private IP addresses on your downstream interface;
- block packets with source addresses in your internal range as;
- on the upstream interface, block source addresses outside of your valid range;
- rate-limiting incoming packets
If you know about this, please help me. Thank you very much.
P.S.: so far, my solution is:
iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j DROP
iptables -I FORWARD -i eth0 -s ! 127.0.0.0/8 -j DROP
iptables -I FORWARD -i eth0 -s ! 192.168.1.0/24 -j DROP
Please help me to improve it.
I already gave you two examples that take care of half of your requirements.
The ones you're missing are for filtering addresses in RFC 1918 ranges, and for doing rate limiting. The former should be easy for you to do, as it just requires copying and editing the rules you already have, while the latter needs more explanation as it's not clear what exactly should be limited (rate limiting all incoming packets would seem kind of weird). I'm willing to help you out as much as I can with this, but I won't do your homework for you, so I suggest you ask me specific questions instead.
I'd also recommend you test the rules you write, in order to detect problems. For example, you would have detected that the FORWARD rule for 127.0.0.0/8 you wrote wouldn't work properly, given that the packet would have already been filtered by the 192.168.1.0/24 rule (or would actually have a 192.168.1.0/24 source address). Be mindful of such conditions when using inverse matching. BTW, your 127.0.0.0/8 rule is strange, as the 127.0.0.0/8 netblock is for loopback interfaces.
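As an added worked example (these are not rules posted by either participant), the script below lays out the whole ruleset the teacher described: private and loopback source ranges dropped on the upstream interface, the internal range dropped as a source on the upstream interface, a single inverse match on the LAN interface so only the valid range can leave, and a rate limit applied to something specific (TCP connection attempts and ICMP echo) rather than to all incoming packets. It also includes a small check that catches the exact flaw the reply points out: two inverse-match DROP rules on the same chain and interface, which together drop every packet. The interface names eth0 (upstream) and eth1 (LAN), the 192.168.1.0/24 range and the limit values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's or replier's rules.
# Assumed topology: WAN=eth0 faces upstream, LAN=eth1 faces 192.168.1.0/24.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Source ranges that must never arrive from upstream: RFC 1918 private
# space, loopback, "this" network, link-local and multicast.
BOGON_SRC="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4"

# Emit one iptables command per line instead of executing it, so the
# ruleset can be reviewed and checked before it is loaded on the router.
gen_rules() {
    # Upstream interface: drop bogon sources and anything claiming to be us.
    for net in $BOGON_SRC; do
        echo "iptables -A FORWARD -i $WAN -s $net -j DROP"
        echo "iptables -A INPUT -i $WAN -s $net -j DROP"
    done
    echo "iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP"
    echo "iptables -A INPUT -i $WAN -s $LAN_NET -j DROP"

    # LAN interface (egress filtering): ONE inverse match is enough. Two
    # inverse matches on the same interface would drop every packet, since
    # any address is outside at least one of the two ranges.
    echo "iptables -A FORWARD -i $LAN ! -s $LAN_NET -j DROP"
    echo "iptables -A INPUT -i $LAN ! -s $LAN_NET -j DROP"

    # Rate limiting: limit new TCP connection attempts and ICMP echo from
    # upstream, not every incoming packet. Values are illustrative.
    echo "iptables -A FORWARD -i $WAN -p tcp --syn -m limit --limit 50/second --limit-burst 100 -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -p tcp --syn -j DROP"
    echo "iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT"
    echo "iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP"
}

# Read iptables commands on stdin and fail (exit 1) if any chain/interface
# pair carries more than one inverse-source DROP rule. Accepts both the
# current "! -s" syntax and the older "-s !" form used in the quoted post.
check_inverse_matches() {
    awk '
        /(! -s|-s !)/ && /-j DROP/ {
            chain = ""; iface = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-A" || $i == "-I") chain = $(i + 1)
                if ($i == "-i") iface = $(i + 1)
            }
            key = chain " " iface
            if (++seen[key] > 1) {
                bad = 1
                print "conflicting inverse matches on " key ": every packet will be dropped"
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Load the generated rules for real (needs root and iptables on Linux).
apply_rules() {
    gen_rules | check_inverse_matches || return 1
    gen_rules | while IFS= read -r rule; do eval "$rule"; done
}

case "${1:-}" in
    apply) apply_rules ;;
    check) gen_rules | check_inverse_matches ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to review the rules, `check` to run the conflict detector over them, and `apply` to load them. Feeding the quoted FORWARD rules from the post into `check_inverse_matches` makes it report the conflict on `FORWARD eth0`, which is a cheap way to test a ruleset before it locks you out of a router.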