LinuxQuestions.org, Linux - Security forum
Old 05-15-2010, 02:56 AM   #1
manhtuan307
LQ Newbie
 
Registered: Mar 2010
Posts: 2

Rep: Reputation: 0
Preventing IP spoofing using ip tables.


Hi everybody. I'm a newbie at Linux and security. I have a problem as follows: "using iptables to prevent IP spoofing". I have searched on the internet but until now I don't have an exact solution. Please help me.

Thanks in advance.

Regards.
 
Old 05-15-2010, 03:33 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by manhtuan307 (post #1 above)
Are you trying to achieve something more granular than what the rp_filter kernel parameter does? Unless you are, there really isn't any point to making iptables rules for this sort of thing IMHO.

In any case, an example might go like:
Code:
iptables -I FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP
This example would filter any outbound packets with a source IP address that doesn't belong to your LAN. Of course, this assumes the firewall's LAN interface is eth0 and the netblock is 192.168.1.0/24.

Another example:
Code:
iptables -I FORWARD -i eth1 -s 192.168.1.0/24 -j DROP
This example would filter any inbound packets on the WAN side with a source IP address matching an IP from your LAN. Of course, this assumes the firewall's WAN interface is eth1 and the netblock for the LAN is 192.168.1.0/24.

Last edited by win32sux; 05-15-2010 at 03:46 AM.
 
Old 05-15-2010, 04:26 AM   #3
manhtuan307
LQ Newbie
 
Registered: Mar 2010
Posts: 2

Original Poster
Rep: Reputation: 0
My teacher gave me some advice as follows:

Filtering at the Router:
- block private IP addresses on your downstream interface;
- block packets with source addresses in your internal range;
- on the upstream interface, block source addresses outside of your valid range;
- rate-limit incoming packets

If you know about this, please help me. Thank you very much.

P/S: until now, my solution is:

iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j DROP

iptables -I FORWARD -i eth0 ! -s 127.0.0.0/8 -j DROP
iptables -I FORWARD -i eth0 ! -s 192.168.1.0/24 -j DROP

Please help me to improve it.

Last edited by manhtuan307; 05-15-2010 at 04:31 AM.
 
Old 05-15-2010, 03:23 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote: Originally Posted by manhtuan307 (post #3 above)
I already gave you two examples that take care of half of your requirements.

The ones you're missing are for filtering addresses in RFC 1918 ranges, and for doing rate limiting. The former should be easy for you to do, as it just requires copying and editing the rules you already have, while the latter needs more explanation as it's not clear what exactly should be limited (rate limiting all incoming packets would seem kind of weird). I'm willing to help you out as much as I can with this, but I won't do your homework for you, so I suggest you ask me specific questions instead.

I'd also recommend you test the rules you write, in order to detect problems. For example, you would have detected that the FORWARD rule for 127.0.0.0/8 you wrote wouldn't work properly, given that the packet would have already been filtered by the 192.168.1.0/24 rule (or would actually have a 192.168.1.0/24 source address). Be mindful of such conditions when using inverse matching. BTW, your 127.0.0.0/8 rule is strange, as the 127.0.0.0/8 netblock is for loopback interfaces.

Last edited by win32sux; 05-15-2010 at 03:37 PM.
 
Old 05-16-2010, 03:49 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I agree that we should not do your homework. The best thing for you would be to search LQ for firewall script threads (and HOWTOs) and try to understand those together with reading the indispensable http://www.frozentux.net/documents/iptables-tutorial/. When you've got an idea what you want post your ruleset for comments. (And as for filtering RFC 1918 address ranges the current list of bogons could easily be fetched from http://www.cymru.com/Documents/bogon-bn-nonagg.txt, just make sure you don't add rules for subnets in use.)
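The following is an added example and not code from any post in this thread. It is a small POSIX-shell model of the ruleset the thread converges on: win32sux's egress rule on the LAN interface and ingress rule on the WAN interface (post #2), the rule-ordering problem in the FORWARD rules from post #3 that post #4 points out, and unSpawn's bogon filtering with the "don't drop subnets in use" caveat (post #5). Rules are kept as text lines so the match logic (first match wins, `-I` prepends, `-A` appends, `!` inverts the source match) can be exercised without root or a real iptables binary. Assumptions: eth0 is the LAN interface and eth1 the WAN interface as in post #2, the LAN netblock is 192.168.1.0/24, BOGONS is a constructed sample in the style of the Team Cymru list rather than the live list, and 10.0.0.0/24 is a hypothetical netblock legitimately in use on the upstream link.

```shell
#!/bin/sh
# Added example (not from the thread): a pure-shell model of the anti-spoofing
# chain discussed above. eth0 = LAN, eth1 = WAN, LAN = 192.168.1.0/24 (assumed).

ip2int() {                           # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

netmask() {                          # prefix length -> 32-bit mask
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

cidr_contains() {                    # cidr_contains IP CIDR -> exit 0 if IP is inside CIDR
    _ip=$(ip2int "$1"); _net=$(ip2int "${2%/*}"); _m=$(netmask "${2#*/}")
    [ $(( _ip & _m )) -eq $(( _net & _m )) ]
}

cidr_overlaps() {                    # CIDR blocks either nest or are disjoint
    cidr_contains "${1%/*}" "$2" || cidr_contains "${2%/*}" "$1"
}

# A ruleset is one rule per line: "IFACE NEG CIDR TARGET"; NEG is "!" for an
# inverted source match, "-" for a plain one. rule_insert mirrors `iptables -I`
# (prepend), rule_append mirrors `iptables -A` (append). Blank lines are ignored.
rule_insert() { RULES="$1
$RULES"; }
rule_append() { RULES="$RULES
$1"; }

iptables_lines() {                   # render RULES as iptables commands for the FORWARD chain
    printf '%s\n' "$RULES" | while read -r iface neg cidr target; do
        [ -z "$iface" ] && continue
        [ "$neg" = "!" ] && neg="! " || neg=""
        echo "iptables -A FORWARD -i $iface ${neg}-s $cidr -j $target"
    done
}

verdict() {                          # verdict IFACE SRC -> DROP or ACCEPT for that packet
    _hit=$(printf '%s\n' "$RULES" | while read -r iface neg cidr target; do
        [ -z "$iface" ] || [ "$iface" != "$1" ] && continue
        if cidr_contains "$2" "$cidr"; then m=1; else m=0; fi
        [ "$neg" = "!" ] && m=$((1 - m))
        [ "$m" -eq 1 ] && { echo "$target"; break; }
    done)
    echo "${_hit:-ACCEPT}"           # chain policy ACCEPT when nothing matched
}

# The two FORWARD rules from post #3, inserted in the order they were written.
# Because -I prepends, the 192.168.1.0/24 rule is evaluated first and the
# "! 127.0.0.0/8" rule then drops every remaining LAN-sourced packet.
op_forward_rules() {
    RULES=""
    rule_insert "eth0 ! 127.0.0.0/8 DROP"
    rule_insert "eth0 ! 192.168.1.0/24 DROP"
}

# Constructed sample of bogon netblocks (not the live Team Cymru list).
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# router_rules LAN_IF WAN_IF LAN_NET [IN_USE_NET...]
# Egress: the LAN interface may only carry LAN source addresses.
# Ingress: LAN addresses and bogons never arrive on the WAN interface, except
# that a bogon overlapping a netblock in use on the WAN link is skipped.
router_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; shift 3
    RULES=""
    rule_append "$lan_if ! $lan_net DROP"
    rule_append "$wan_if - $lan_net DROP"
    for b in $BOGONS; do
        skip=0
        for u in "$@"; do cidr_overlaps "$b" "$u" && skip=1; done
        [ "$skip" -eq 1 ] && continue
        rule_append "$wan_if - $b DROP"
    done
}
```

Usage: call `op_forward_rules` and then `verdict eth0 192.168.1.5` to see the post #3 ruleset return DROP for legitimate LAN traffic, then `router_rules eth0 eth1 192.168.1.0/24 10.0.0.0/24` and `iptables_lines` to print the corrected ruleset; 10.0.0.0/8 is left out of it because the hypothetical 10.0.0.0/24 uplink overlaps it. On a real router the kernel's `rp_filter` sysctl that win32sux mentions performs the equivalent source check against the routing table without any iptables rules.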
 