LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 11-11-2005, 12:13 PM   #1
stjoan1
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Rep: Reputation: 0
Basic IP and MAC spoofing Iptable rules?


Are there any IP and MAC spoofing scripts or rules I can look for to make sure it is enabled?

I have used Guarddog to setup a firewall and it is passing the various online firewall tests but I don't know much about anti-spoofing.

Suse 10.0
 
Old 11-12-2005, 08:41 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Are there any IP and MAC spoofing scripts or rules I can look for to make sure it is enabled?
MAC spoofing can be done by Iptables filtering by MAC address. You'll have to check your network setup though. If for instance you're directly connected to a changing ISP gateway or on a LAN segment with DHCP'ed hosts you most likely do not want that. For MAC/IP combos that stay the same you could alternatively build a file with MAC/IP pairs and "arp -f ethersfile" to build a static arp table.

IP spoofing can be partially done by Iptables filtering for bogons. Bogons means the subnet isn't declared routable on the Internet aka LAN ranges. This script gets the bogon list from www.cymru.com (I guess the most stable source) and outputs a load of rules on stdout for the INPUT chain. I would recommend doing this as well for the OUTPUT chain. Note this doesn't define an in/output device nor protocols. Also make sure you precede these rules with ACCEPT rules if you have a LAN subnet in the bogon range. If you're going to log these before dropping please consider using a limit filter. Wee bash script (@all: BMG wrt improvements and comments):
Code:
# Create the BOGON chain and hook it into INPUT
echo -en "/sbin/iptables -N BOGON\n## START BOGON. ( +network -host -proto -state )\n/sbin/iptables -I INPUT -j BOGON\n"
# Fetch the non-aggregated bogon list, keep only the a.b.c.0/nn lines, emit one DROP per prefix
wget -q "http://www.cymru.com/Documents/bogon-bn-nonagg.txt" -O /dev/stdout \
  | grep "^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.0\/[0-9]\{1,2\}" \
  | while read bogon_net; do echo "/sbin/iptables -A BOGON -s $bogon_net -j DROP"; done
# Anything not matched goes back to INPUT
echo -en "# End of BOGON, return not matched to INPUT\n/sbin/iptables -A BOGON -j RETURN\n## END BOGON"
What this code doesn't fix is spoofing IPs that for instance are used by Nmap decoy scanning, because those decoys should be live and reachable hosts. You could for instance use Iptables filtering by state (ESTABLISHED,RELATED) if you're not serving anything publicly and flag combos (INVALID, XMAS, FIN etc, etc) to weed out less careful scans. Again, if you're logging those before dropping, please consider using a limit filter and check out the LQ FAQ: Security references. It's got a section about Iptables filtering you might find interesting.

HTH
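The following is an added example, not unSpawn's script and not part of the thread. It turns the same idea into a reviewable generator: it takes a bogon list that has already been saved locally (a constructed sample is embedded, since the real list has to be fetched from cymru.com), emits a chain for INPUT and a second one for OUTPUT as recommended above, lets the local LAN prefix pass before the bogon rules, and rate-limits the LOG rule in front of each DROP. The chain names BOGON_INPUT/BOGON_OUTPUT, the 3/min limit and the use of -d on OUTPUT are this example's choices; nothing is applied, the rules are only printed.

```shell
#!/bin/sh
# Added example (not from the thread): generate a bogon-filter chain for
# INPUT and OUTPUT from a locally saved list, printing rules for review.

# Constructed sample in the format of the cymru.com non-aggregated list
# (a comment line and one malformed line are included to show filtering).
SAMPLE_BOGONS='# constructed sample, not the real list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
not-a-prefix
192.168.0.0/16
224.0.0.0/4
'

# Keep only lines that look like a dotted quad with a /prefix length.
extract_prefixes() {
    grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/[0-9]\{1,2\}$'
}

# Emit the rules for one chain.
#   $1 = built-in chain to hook (INPUT or OUTPUT)
#   $2 = address match for that direction (-s inbound, -d outbound)
#   $3 = local LAN prefix that must not be caught by the bogon rules (may be empty)
emit_bogon_chain() {
    chain=$1; match=$2; lan=$3
    name="BOGON_$chain"
    echo "/sbin/iptables -N $name"
    echo "/sbin/iptables -I $chain -j $name"
    # Hand LAN traffic straight back to the calling chain before any DROP.
    [ -n "$lan" ] && echo "/sbin/iptables -A $name $match $lan -j RETURN"
    printf '%s' "$SAMPLE_BOGONS" | extract_prefixes | while read -r net; do
        # At most 3 log lines per minute, so a flood cannot fill the log.
        echo "/sbin/iptables -A $name $match $net -m limit --limit 3/min -j LOG --log-prefix \"$name: \""
        echo "/sbin/iptables -A $name $match $net -j DROP"
    done
    echo "/sbin/iptables -A $name -j RETURN"
}

# Number of usable prefixes in the list (malformed lines are ignored).
count_bogon_prefixes() {
    printf '%s' "$SAMPLE_BOGONS" | extract_prefixes | wc -l | tr -d ' '
}

# Inbound: drop packets *from* a bogon source; outbound: drop packets *to* one.
emit_all() {
    emit_bogon_chain INPUT -s "$1"
    emit_bogon_chain OUTPUT -d "$1"
}

emit_all 192.168.0.0/24
```

The LAN exception uses RETURN rather than ACCEPT so the packet goes back to the normal INPUT or OUTPUT ruleset instead of bypassing the rest of the firewall. Save the generated lines to a file, read them, and only then run them.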
 
Old 11-12-2005, 06:43 PM   #3
stjoan1
LQ Newbie
 
Registered: Nov 2005
Posts: 4

Original Poster
Rep: Reputation: 0
clarification

Thank you for your time. I have the following in my Guarddog-generated rc.firewall


Code:
# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
What exactly is going on with above code?

I have no reference to INVALID, XMAS, OR FIN.

Also, I am not familiar with building an arp table and creating the IP:MAC file. Could you elaborate a little more on this. Thank you.

Also, would the following code work for anti-spoofing mac:

Code:
iptables -A FORWARD -s 192.168.0.2 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP
If so, should I also include a line for INPUT and OUTPUT as well? I'm a little confused. I haven't taken any courses on this. Closest thing would be during the 1980s, MS DOS, BASIC, and tech school. I've only been using Linux about one month.

Incidentally, the Linux box is on a wireless PCI adapter. The wireless router is hardwired to an XP machine. In other words, the Linux box is a remote wireless machine sitting in a different room than the wireless router. It uses Samba to access shared folders on the XP machine as well as its printer.


EDIT: I see in the man pages for iptables that the OUTPUT won't work. Just INPUT, FORWARD chains for --mac source.

Last edited by stjoan1; 11-12-2005 at 11:47 PM.
 
Old 11-13-2005, 05:17 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted

Any packet on the INPUT chain hitting this rule, that is recognised as part of an ongoing TCP connection, with TCP flags RESET, will be sent (j: jump) to the "logaborted" chain for further processing.


Quote:
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Any packet on any of the INPUT,OUTPUT and FORWARD chains hitting this rule, that is recognised as part of an ongoing TCP connection, will pass this rule unchanged.


Quote:
I have no reference to INVALID, XMAS, OR FIN.
INVALID is a filter for packets with an unusual set of TCP flags. Portscanners using XMAS or FIN scans can also be filtered by looking for a set of TCP flags.
Quote:
" and check out the LQ FAQ: Security references. It's got a section about Iptables filtering you might find interesting."
Here's the XMAS filter: iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP


Quote:
Also, I am not familiar with building an arp table and creating the IP:MAC file.
Query each connected ethernet interface on surrounding hosts in your LAN subnet for details (ifconfig -a) to get the IP/MAC combo. If you add hosts that use DHCP to get any IP addy use their FQDN, not IP.
Put the IP/MAC combos in a plain textfile:
192.168.0.1 00:11:22:33:44:55
192.168.0.2 00:DA:BA:33:44:A0
192.168.0.3 00:FF:22:33:44:CB
...then load with "arp -f /location/of/your/textfile", and check with "arp -vne". Static entries will have the "M" flag added.


Quote:
Also, would the following code work for anti-spoofing mac:
iptables -A FORWARD -s 192.168.0.2 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP

It would not forward traffic if the IP/MAC combo doesn't match up, yes.
Consider MAC filtering on the AP a first priority before this though.


Quote:
If so, should I also include a line for INPUT and OUTPUT as well? I'm a little confused.
On INPUT, yes, unless someone says PREROUTING would be better.
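Added example, not part of the thread and not unSpawn's or stjoan1's code, covering both questions answered above: it reads an IP/MAC pairs file in the format shown (a constructed one with two deliberately malformed lines is embedded), rejects entries whose IP or MAC does not parse, and prints the static ARP entries that arp -f would load together with the matching iptables rules for INPUT and FORWARD (OUTPUT is left out, as the mac match does not work there). It uses the modern negation form "-m mac ! --mac-source"; the 3/min log limit and the MACSPOOF prefix are this example's own choices, and nothing is applied, only printed.

```shell
#!/bin/sh
# Added example (not from the thread): validate an IP/MAC pairs file, then
# emit static ARP entries and per-host iptables MAC-binding rules for review.

# Constructed pairs file in the thread's "IP MAC" format; the last two
# lines are malformed on purpose (octet > 255, MAC too short).
PAIRS_FILE=$(mktemp)
trap 'rm -f "$PAIRS_FILE"' EXIT
cat > "$PAIRS_FILE" <<'EOF'
# ip            mac
192.168.0.1 00:11:22:33:44:55
192.168.0.2 00:DA:BA:33:44:A0
192.168.0.3 00:FF:22:33:44:CB
192.168.0.300 00:FF:22:33:44:CC
192.168.0.4 00:FF:22:33:44
EOF

# Dotted quad with every octet in 0..255.
valid_ip() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Six colon-separated hex byte pairs.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print "ip mac" for each well-formed entry; skip comments and blank lines,
# report anything else on stderr instead of silently producing a bad rule.
parse_pairs() {
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            echo "$ip $mac"
        else
            echo "skipping malformed line: $ip $mac" >&2
        fi
    done < "$1"
}

# Equivalent of what "arp -f file" installs: one permanent entry per host.
emit_arp_commands() {
    parse_pairs "$1" | while read -r ip mac; do
        echo "arp -s $ip $mac"
    done
}

# Drop (after rate-limited logging) any packet that claims a listed IP
# but arrives from a different MAC. INPUT and FORWARD only.
emit_mac_rules() {
    parse_pairs "$1" | while read -r ip mac; do
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -s $ip -m mac ! --mac-source $mac -m limit --limit 3/min -j LOG --log-prefix \"MACSPOOF: \""
            echo "iptables -A $chain -s $ip -m mac ! --mac-source $mac -j DROP"
        done
    done
}

count_valid_pairs() {
    parse_pairs "$1" 2>/dev/null | wc -l | tr -d ' '
}

emit_arp_commands "$PAIRS_FILE"
emit_mac_rules "$PAIRS_FILE"
```

These rules must sit before the "quickly allow ESTABLISHED,RELATED" ACCEPT lines in rc.firewall, otherwise a spoofed packet that matches an existing connection is accepted before the MAC check is reached. As noted above, the rules only help for hosts whose IP/MAC pairing is fixed; DHCP hosts will be dropped as soon as they get a different address.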