Network Security: Detailed info on Re: IPTables Spoof Protection

Subject:	Re: IPTables Spoof Protection
Date:	Wed, 22 Sep 2004 16:34:14 -0700

You will not be able to turn on rp_filter.  The default route points
out one interface, this
makes the rp_filter only accept packets from the Internet via that interface.

Anti-spoofing rules would be:
for IFACE in eth0 eth1; do
   # True packets should route through lo
   iptables -A INPUT -i $IFACE -j DROP -s X.X.1.43 
   iptables -A INPUT -i $IFACE -j DROP -s X.X.4.43
   # Should not see localnet (localhost) traffic on eth interfaces
   iptables -A INPUT -i $IFACE -j DROP -s 127.0.0.0/8
   # Should not see RFC1918 addresses
   iptables -A INPUT -i $IFACE -j DROP -s 10.0.0.0/8
   iptables -A INPUT -i $IFACE -j DROP -s 192.168.0.0/16
   iptables -A INPUT -i $IFACE -j DROP -s 172.16.0.0/12
   # 224 and higher are multicast and experimental (Not normaly routed)
   iptables -A INPUT -i $IFACE -j DROP -s 224.0.0.0/3
done

do remember that one side will have asymetric routing.  (The interface
that does not have
the default route will not transmit any packets, unless they are
destined for the local LAN.)
There are ways to fix this, but it gets a bit complicated, as you will
need to use advanced
routing concepts and commands.  (You will need two routing tables and
a policy of
when to use which table.)

On Tue, 21 Sep 2004 06:34:37 -0400, duiober@netscape.net
<duiober@netscape.net> wrote:

Hello everyone,
i've a problem with a dual homed host and the configuration of spoof 
protection.

The host is a Linux box with two interfaces:
OS-Version     : Red Hat Linux release 9 (Shrike)
Kernel-Release : 2.4.20-24.9smp
CPU            : 0 - 1 Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU            : 1 - 2 Intel(R) Pentium(R) 4 CPU 2.80GHz
Interface      : eth0 X.X.4.43  X.X.4.255 (public class B net)
Interface      : eth1 X.X.1.43  X.X.1.255 (public class B net)

           /---------------------------------------------\
          /       internet                                \
          |                                                |
           \                                              /
            ----------------------------------------------
              |                                       |
             router 1                               router 2
              |                                       |
              |                   ----------          |
           subnet X.X.1.x -- eth1-| server |-eth0 -- subnet X.X.4.x
                                  ----------

Extraction from the script:
...
IF_0=eth0
IF_1=eth1
...
HOST="`/bin/hostname`"
...
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
...
# spoof protection
${IPTABLES} -A INPUT -s $HOST -i $IF_0 -j DROP
${IPTABLES} -A INPUT -s $HOST -i $IF_1 -j DROP
...

Observed problems:
* Enabling "rp_filter" causes some of my ssh-connection to freese (no 
response,
   my computer is part of the internet); pinging both interfaces from a 
maschine in
   the internet fails, one of them is not reachable; pinging them from a host 
within
   the subnet is possible
* Enabling the input-firewall-rules has the effect of a delay of a few 
minutes(!)
   when starting the script.

The aim of the "firewall"-script is to protect the host against undesired 
connections.
I need an advice.



-- 
END OF LINE
       -MCP

<Prev in Thread]	Current Thread	[Next in Thread>
IPTables Spoof Protection, DuiOber Re: IPTables Spoof Protection, Robert Hajime Lanning <= IPTables, agflem RE: IPTables, Reinaldo Mayol Arnao Re: IPTables, Paul RE: IPTables, Mark E. Donaldson RE: IPTables, Jose Maria Lopez

Previous by Date:	Re: FORTIGATE, Kimberly McCollum
Next by Date:	PIX failover without using HSRP, steve ruben
Previous by Thread:	IPTables Spoof Protection, DuiOber
Next by Thread:	IPTables, agflem
Indexes:	[Date] [Thread] [Top] [All Lists]