Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks
Source: nixCraft
Spoofing and bad address attack tries to fool the server and try to claim that packets had come from local address/network.
Following IP/netwok address are know to open this kind of attack:
Incoming source IP address is your servers IP address
Bad incoming address from following ranges:
- 0.0.0.0/8
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 192.168.0.0/16
- 224.0.0.0/3
- Your own internal server/network ip address/ranges.
Following small shell script tries to prevent this kind of attacks:
#!/bin/bash INT_IF="eth1" # connected to internet SERVER_IP="202.54.10.20" # server IP LAN_RANGE="192.168.1.0/24" # your LAN IP range # Add your spoofed IP range/IPs here SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3" IPT="/sbin/iptables" # path to iptables # default action, can be DROP or REJECT ACTION="DROP" # Drop packet that claiming from our own server on WAN port $IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION # Drop packet that claiming from our own internal LAN on WAN port $IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION ## Drop all spoofed for ip in $SPOOF_IPS do $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION done ## add or call your rest of script below to customize iptables ##
Save and close the file. Call above script from your own iptables script. Add following line to your /etc/sysctl.conf file
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
The net.ipv4.conf.all.rp_filter=1 entry enables source address verification which is inbuilt into Linux kernel itself and last two lines logs all such spoofed packets in log file.