Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am creating a firewall and with the help of iptables I want to prevent IP spoofing. Also, some tricks of iptables that can help me in preventing some intruders and attacks.
thanx for the same.
bye and good time,
Ankur.
om shanti.
As far as I know, preventing spoofing with iptables is really limited to blocking IANA reserved IP addresses or blocking access to IPs that shouldn't be sending traffic over a certain interface (for example, suddenly seeing traffic from your external DNS server on the internal interface should set off alarms). The sysctl rp_filter setting can help with this somewhat, at least in detecting and denying traffic with impossible routes. tcp_wrappers also has a setting 'PARANOID' that will reject traffic whose hostname and IP address don't agree. Some individual daemons (like SSHd) have some built-in spoofing protections as well.
You can do it on a machine with one interface -- just drop all outgoing traffic that doesn't have the correct source IP. Note that machines with one ethernet interface may still have multiple IP addresses, so you need to take that into consideration if it applies to you.
Originally posted by btmiller ...just drop all outgoing traffic that doesn't have the correct source IP
Can you specify what you mean? I have a linux computer with iptables behind a NAT router. It has one interface with one internal IP address. Also, I don't understand how one interface can have multiple IP addresses (maybe you didn't mean at the same time?)
# Setting up IP spoofing protection (reverse path filtering):
# enable rp_filter on every interface so the kernel drops packets whose
# source address could not legitimately have arrived on that interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$f"
    done
fi
I'm not really a linux newbie, but then again I'm not real experienced with linux either - somewhere in the middle I guess. Anyway, I use Webmin to configure iptables, and that's in plain english...
Here's how my current ruleset goes in english:
Incoming:
1. Accept anything from interface lo
2. accept anything with state of connection related or established
3. accept all icmp
4. rules dealing with services running
5. deny and log everything else
The ruleset is similar for the outgoing chain as well. Is there a way to set up IP spoofing protection using Webmin (or rules)?
Originally posted by mikeheggy So, one could set up rules like that only with a machine that has more than one network interface?
That would just be an example for a firewall in front of a network. However, the same principle applies for the firewall on a single host. There are types of traffic that you should never see under normal conditions. For example traffic coming into the external interface that has your own IP or the loopback address as the source. You also shouldn't normally see IANA reserved IPs for a source address, as internet routers shouldn't forward packets with invalid addresses. Occasionally it can happen if a router is mis-configured or if you are on a shared subscriber line like cable and your ISP assigns reserved IPs. In most cases though it's an indication that spoofing is occurring, so it's a good idea to block IPs in those ranges.
With regards to how a machine could get an invalid IP or more than 1 IP, both of these are trivial. Using the ifconfig command you can assign whatever IP you like, and with IP aliases you can assign as many as you like (I've heard of systems with several thousand IPs assigned to a single interface).
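The two pieces of advice in this thread (block source addresses that should never appear on the external interface, and drop outgoing packets that do not carry one of the host's own addresses) as a rule generator for a single-homed host. This is an added example, not code posted in the thread; the interface name eth0, the documentation address 203.0.113.5 and the LAN address 192.168.1.20 are assumptions. By default the commands are only printed (IPT defaults to "echo iptables"); run it with IPT=iptables as root to actually install them. Because a host behind a NAT router lives in an RFC 1918 range, the generator leaves out the private range its own address belongs to, otherwise the rules would cut it off from its LAN.

```shell
#!/bin/sh
# Added example: anti-spoofing iptables rules for a single-homed Linux host.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Source ranges that should never arrive from the Internet: "this network",
# loopback, link-local, multicast, class E, plus the RFC 1918 private ranges.
BOGONS="0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the RFC 1918 range an address belongs to, or nothing if it is public.
private_range() {
    case "$1" in
        10.*)                                   echo 10.0.0.0/8 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo 172.16.0.0/12 ;;
        192.168.*)                              echo 192.168.0.0/16 ;;
    esac
}

# antispoof_rules <external interface> "<addr1> [addr2 ...]"
# Emits one iptables command per line. Several addresses are accepted because
# a single interface may carry aliases; every alias is a legitimate source.
antispoof_rules() {
    ifc="$1"
    addrs="$2"

    # Private ranges the host itself lives in are legitimate and must stay open.
    skip=""
    for a in $addrs; do
        skip="$skip $(private_range "$a")"
    done

    # One chain that logs (rate limited) and drops everything sent to it.
    $IPT -N ANTISPOOF
    $IPT -A ANTISPOOF -m limit --limit 5/min -j LOG --log-prefix "SPOOF: "
    $IPT -A ANTISPOOF -j DROP

    # Loopback source addresses may only arrive on lo.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j ANTISPOOF

    # Our own address can never be the source of a packet coming from outside.
    for a in $addrs; do
        $IPT -A INPUT -i "$ifc" -s "$a" -j ANTISPOOF
    done

    # IANA reserved / private ranges, minus the one(s) we are part of.
    for net in $BOGONS; do
        case " $skip " in *" $net "*) continue ;; esac
        $IPT -A INPUT -i "$ifc" -s "$net" -j ANTISPOOF
    done

    # Egress filtering: only our own addresses may leave through the interface.
    $IPT -N EGRESS
    for a in $addrs; do
        $IPT -A EGRESS -s "$a" -j RETURN
    done
    $IPT -A EGRESS -j ANTISPOOF
    $IPT -A OUTPUT -o "$ifc" -j EGRESS
}

# Usage: ./antispoof.sh eth0 "203.0.113.5 203.0.113.6"
if [ $# -ge 2 ]; then
    antispoof_rules "$1" "$2"
fi
```

Add the jump to ANTISPOOF before the "related or established" accept rule, otherwise a spoofed packet that happens to match an existing conntrack entry is accepted first. The LOG rule is rate limited on purpose: a flood of spoofed packets should not be able to fill the log.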