iptables antispoof protection

gabsik · 06-01-2006, 02:15 AM

I have a debian sarge 3.1 2.6 stable.To make my iptables script shorter i was wondering about the spoof protection in the /etc/network/option file.If activated does it protect from every IANA spoof address attack or i still need an extra protection in the iptables script with "all" IANA ips set ?This is my actual script.

Quote:

$ipt -t nat -A PREROUTING -i $INT -s 128.0.0.0/16 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 169.254.0.0/16 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 172.16.0.0/12 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 191.255.0.0/16 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 192.0.0.0/24 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 192.0.2.0/24 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 192.88.99.0/24 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 198.18.0.0/15 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 224.0.0.0/4 -j DROP
$ipt -t nat -A PREROUTING -i $INT -s 240.0.0.0/4 -j DROP

unSpawn · 06-01-2006, 07:55 AM

To make my iptables script shorter
What kind of reason is that?

i was wondering about the spoof protection in the /etc/network/option file. If activated does it protect from every IANA spoof address attack or i still need an extra protection in the iptables script with "all" IANA ips set ?
IIGC /etc/network/option seems deprecated in favour of "regular" sysctl.conf use. spoofprotect=yes sets / equals /proc/sys/net/ipv4/conf/default/rp_filter which does not equal filtering bogons, but should be used anyway.

This is my actual script.
If you would search for Cymru and bogons you'll have the whole list in ASCII text format. Now I found I had to manually strip non-bogon, non-IANA ranges belonging to AFRINIC, CISL-5, CVAD, SDSL, RIPE, APNIC and LACNIC. Undoubtedly incomplete due to broken ranges and updating, here's a script adapted to your chain naming. YMMV(VM):

Code:

wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.|^190\.)"|\
while read s; do echo "\$ipt -t nat -A PREROUTING -i \$INT -s $s -j DROP"; done

gabsik · 06-02-2006, 03:54 AM

Great help,thanks !!!

gabsik · 06-03-2006, 12:25 PM

Quote:

wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|\
egrep -ve "(^127\.|^192\.168\.|^41\.|^73\.|^76\.|^89\.|^90\.|^121\.|^122\.|^123\.|^124\.|^125\.|^126\.|^189\.| ^190\.)"|\
while read s; do echo "\$ipt -t nat -A PREROUTING -i \$INT -s $s -j DROP"; done

How can i add an ulog jump to this?I wrote an extra

Quote:

; do echo "\$ipt -t nat -A PREROUTING -i \$INT -s $s -j ULOG

"
but did not work , a bash help ?