LinuxQuestions.org

Thread: Preventing IP Spoofing through IPTABLES (https://www.linuxquestions.org/questions/linux-security-4/preventing-ip-spoofing-through-iptables-291590/)

bkankur 02-17-2005 06:57 PM

Preventing IP Spoofing through IPTABLES
 
Hello Friends,


I am creating a firewall and with the help of iptables I want to prevent IP spoofing. I would also like some tricks of iptables that can help me in preventing some intruders and attacks.

Thanks for the same.
bye and good time,
Ankur.
om shanti.

Capt_Caveman 02-26-2005 02:31 PM

As far as I know, preventing spoofing with iptables is really limited to blocking IANA reserved IP addresses or blocking access to IPs that shouldn't be sending traffic over a certain interface (for example, suddenly seeing traffic from your external DNS server on the internal interface should set off alarms). The sysctl rp_filter setting can help with this somewhat, at least in detecting and denying traffic with impossible routes. tcp_wrappers also has a setting 'PARANOID' that will reject traffic whose hostname and IP address don't agree. Some individual daemons (like SSHd) have some built-in spoofing protections as well.

mikeheggy 02-27-2005 03:48 PM

So, one could set up rules like that only with a machine that has more than one network interface?

btmiller 02-27-2005 05:56 PM

You can do it on a machine with one interface -- just drop all outgoing traffic that doesn't have the correct source IP. Note that machines with one ethernet interface may still have multiple IP addresses, so you need to take that into consideration if it applies to you.

mikeheggy 02-27-2005 06:09 PM

Quote:

Originally posted by btmiller
...just drop all outgoing traffic that doesn't have the correct source IP
Can you specify what you mean? I have a Linux computer with iptables behind a NAT router. It has one interface with one internal IP address. Also, I don't understand how one interface can have multiple IP addresses (maybe you didn't mean at the same time?).

Does 02-27-2005 06:12 PM

# Setting up IP spoofing protection: turn on reverse-path filtering for
# every interface (the /all/ entry plus each real interface), so the kernel
# drops packets whose source address is not routable back out the interface
# they arrived on.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$f"
    done
fi

mikeheggy 02-27-2005 06:39 PM

I'm not exactly sure what that is.

I'm not really a Linux newbie, but then again I'm not real experienced with Linux either - somewhere in the middle I guess. Anyway, I use Webmin to configure iptables, and that's in plain English...

Here's how my current ruleset goes in English:

Incoming:
1. Accept anything from interface lo
2. Accept anything with state of connection related or established
3. Accept all ICMP
4. Rules dealing with services running
5. Deny and log everything else

The ruleset is similar for the outgoing chain as well. Is there a way to set up IP spoofing protection using Webmin (or rules)?

Does 02-27-2005 06:42 PM

My reply is part of your shell script in which you set up the iptables rules at runtime.

Peter

Capt_Caveman 02-27-2005 07:13 PM

Quote:

Originally posted by mikeheggy
So, one could set up rules like that only with a machine that has more than one network interface?
That would just be an example for a firewall in front of a network. However, the same principle applies for the firewall on a single host. There are types of traffic that you should never see under normal conditions. For example traffic coming into the external interface that has your own IP or the loopback address as the source. You also shouldn't normally see IANA reserved IPs for a source address, as internet routers shouldn't forward packets with invalid addresses. Occasionally it can happen if a router is mis-configured or if you are on a shared subscriber line like cable and your ISP assigns reserved IPs. In most cases though it's an indication that spoofing is occurring, so it's a good idea to block IPs in those ranges.

With regards to how a machine could get an invalid IP or more than 1 IP, both of these are trivial. Using the ifconfig command you can assign whatever IP you like, and with IP aliases you can assign as many as you like (I've heard of systems with several thousand IPs assigned to a single interface).
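Putting the two ideas in this thread together (btmiller's "drop outgoing traffic without the correct source IP" and Capt_Caveman's "never accept your own IP, loopback or reserved ranges on the external interface"), here is an added example script that is not from the thread or any of the posters. It assumes a single-homed host whose internet-facing interface (hypothetical name eth0) carries one public address (the documentation address 203.0.113.10 is a constructed placeholder); a host behind a NAT router like mikeheggy's would have to take its own LAN subnet out of the bogon list, or it would block its neighbours. It prints the iptables commands for review rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_IF and MY_IP are assumed/constructed:
# the internet-facing interface and its single public address.
WAN_IF="${WAN_IF:-eth0}"
MY_IP="${MY_IP:-203.0.113.10}"

# Source ranges that should never arrive from the internet: loopback,
# RFC 1918 private space, link-local and "this network". Remove your own
# LAN subnet from this list if the interface sits on a private network.
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 0.0.0.0/8"

# Emit the rules instead of applying them, so they can be reviewed first.
antispoof_rules() {
    ifc="$1"; ip="$2"
    # 1. Inbound on the external interface must never claim to be us.
    echo "iptables -A INPUT -i $ifc -s $ip -j LOG --log-prefix 'SPOOF self: '"
    echo "iptables -A INPUT -i $ifc -s $ip -j DROP"
    # 2. Inbound on the external interface must never carry a bogon source.
    for net in $BOGONS; do
        echo "iptables -A INPUT -i $ifc -s $net -j LOG --log-prefix 'SPOOF bogon: '"
        echo "iptables -A INPUT -i $ifc -s $net -j DROP"
    done
    # 3. Egress: only our own address may leave via the external interface
    #    (btmiller's single-interface rule). A host with IP aliases would
    #    need one accept rule per alias before the final DROP.
    echo "iptables -A OUTPUT -o $ifc ! -s $ip -j LOG --log-prefix 'SPOOF egress: '"
    echo "iptables -A OUTPUT -o $ifc ! -s $ip -j DROP"
}

# Number of rules generated, for a quick sanity check of the list.
antispoof_rule_count() {
    antispoof_rules "$1" "$2" | wc -l | tr -d ' '
}

# Print the review list; pipe it through "sh -e" as root to load it.
antispoof_rules "$WAN_IF" "$MY_IP"
```

The LOG targets give you the same visibility Capt_Caveman mentions: a hit on any of these rules in the kernel log means a packet arrived that no legitimate path should produce.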
