> Date: Tue, 28 Oct 2003 09:59:16 -0500 (EST)
> From: "Robert P. J. Day" <rpjday@xxxxxxxxxxxxxx>
>
> i'd like to find a short, efficient way to filter incoming packets with
> bogus source addresses, but i don't see an elegant way of doing it.
>
> as we all know, there are a number of clearly bogus source addresses on
> incoming packets:
>
> - broadcast
> - your own IP address
> - any of the private class A, B or C addresses
> - class D addresses
>
> and on and on. so it's natural to want to discard them and, just for fun,
> log them as well.
>
> for elegance, i can create a user-defined chain called, say,
> "reject_bad_source_addresses" to which i jump with every incoming packet.
> this user-defined chain will test for all of the bad source addresses, one
> at a time, and DROP/REJECT each one. however, if i want to log all of
> these rejections, i'd have to double the number of rules in this chain,
> so that each test would first LOG that packet, then be followed by a
> second rule to DROP it. kind of a pain.
>
> if i could rewrite the rules all backwards, i could have the
> user-defined chain full of ACCEPT rules, and only terminate the chain with
> a rule for LOG, followed by one for DROP. but i don't see how that's
> possible.

Here's what my firewall generator produces (for a complex system
description). Perhaps it will give you some ideas? Or perhaps you see a
flaw? I've excerpted just the relevant stuff. This is machine-generated
output, so perhaps it is not the prettiest...
#
# filter/FORWARD - packets received and routed for transmission
#
-A FORWARD -j logdropresvd -s 0/8
-A FORWARD -j logdropresvd -d 0/8
-A FORWARD -j logdropresvd -s 169.254/16
-A FORWARD -j logdropresvd -d 169.254/16
-A FORWARD -j logdropresvd -s 192.0.2/24
-A FORWARD -j logdropresvd -d 192.0.2/24
-A FORWARD -j logdropspoof -s 127/8
-A FORWARD -j logdropspoof -d 127/8
-A FORWARD -j logdropspoof -s 10/8
-A FORWARD -j logdropspoof -d 10/8
-A FORWARD -j logdropspoof -s 172.16/12
-A FORWARD -j logdropspoof -d 172.16/12
-A FORWARD -j forward_eth2 -i eth2
-A FORWARD -j forward_eth1 -i eth1
-A FORWARD -j forward_eth3 -i eth3
-A FORWARD -j forward_eth0 -i eth0
#
# filter/INPUT - packets received and routed to me
#
-A INPUT -j ACCEPT -i lo
-A INPUT -j logdropresvd -s 0/8
-A INPUT -j logdropresvd -d 0/8
-A INPUT -j logdropresvd -s 169.254/16
-A INPUT -j logdropresvd -d 169.254/16
-A INPUT -j logdropresvd -s 192.0.2/24
-A INPUT -j logdropresvd -d 192.0.2/24
-A INPUT -j logdropspoof -s 127/8
-A INPUT -j logdropspoof -d 127/8
-A INPUT -j logdropspoof -s 10/8
-A INPUT -j logdropspoof -d 10/8
-A INPUT -j logdropspoof -s 172.16/12
-A INPUT -j logdropspoof -d 172.16/12
-A INPUT -j input_eth2 -i eth2
-A INPUT -j input_eth1 -i eth1
-A INPUT -j input_eth3 -i eth3
-A INPUT -j input_eth0 -i eth0
#
# filter/OUTPUT - packets generated by me for transmission
#
-A OUTPUT -j ACCEPT -o lo
-A OUTPUT -j logdropresvd -s 0/8
-A OUTPUT -j logdropresvd -d 0/8
-A OUTPUT -j logdropresvd -s 169.254/16
-A OUTPUT -j logdropresvd -d 169.254/16
-A OUTPUT -j logdropresvd -s 192.0.2/24
-A OUTPUT -j logdropresvd -d 192.0.2/24
-A OUTPUT -j logdropspoof -s 127/8
-A OUTPUT -j logdropspoof -d 127/8
-A OUTPUT -j logdropspoof -s 10/8
-A OUTPUT -j logdropspoof -d 10/8
-A OUTPUT -j logdropspoof -s 172.16/12
-A OUTPUT -j logdropspoof -d 172.16/12
-A OUTPUT -j output_eth2 -o eth2
-A OUTPUT -j output_eth1 -o eth1
-A OUTPUT -j output_eth3 -o eth3
-A OUTPUT -j output_eth0 -o eth0
#
# Accept established connections, log/drop invalid ones, return for new ones
#
-A checkstate -j ACCEPT -m state --state ESTABLISHED,RELATED
-A checkstate -j RETURN -m state --state NEW
-A checkstate -j LOG -p tcp --log-ip-options --log-tcp-options --log-prefix "TCP-INVALID "
-A checkstate -j DROP -p tcp
-A checkstate -j LOG -p udp --log-ip-options --log-prefix "UDP-INVALID "
-A checkstate -j DROP -p udp
-A checkstate -j LOG -p icmp --log-ip-options --log-prefix "ICMP-INVALID "
-A checkstate -j DROP -p icmp
-A checkstate -j LOG --log-ip-options --log-prefix "INVALID "
-A checkstate -j DROP
#
# filter/forward_eth0 - packets received on interface eth0 destined for retransmission
#
-A forward_eth0 -j logdrop1918 -s 192.168/16
-A forward_eth0 -j logdropmulti -s 224/3
-A forward_eth0 -j logdropmulti -d 224/3
-A forward_eth0 -j logdropspoof -s 1.2.3.33
-A forward_eth0 -j logdropspoof -s 1.2.3.41
-A forward_eth0 -j checkstate
-A forward_eth0 -j forward_eth0_eth1_tcp -o eth1 -p tcp
-A forward_eth0 -j DROP
#
# tcp packets from forward_eth0_eth1
#
-A forward_eth0_eth1_tcp -j ACCEPT -p tcp -m multiport -d 1.2.3.42 --dports http,https
-A forward_eth0_eth1_tcp -j ACCEPT -p tcp -m multiport -d 1.2.3.43 --dports http,https,smtp,smtps,submission,imaps
-A forward_eth0_eth1_tcp -j DROP
#
# filter/forward_eth1 - packets received on interface eth1 destined for retransmission
#
-A forward_eth1 -j logdrop1918 -s 192.168/16
-A forward_eth1 -j logdropmulti -s 224/3
-A forward_eth1 -j logdropmulti -d 224/3
-A forward_eth1 -j logdropspoof -s 1.2.3.33
-A forward_eth1 -j logdropspoof -s 1.2.3.41
-A forward_eth1 -j checkstate
-A forward_eth1 -j forward_eth1_eth0 -o eth0
-A forward_eth1 -j DROP
#
# filter/forward_eth1_eth0 - packets forwarded from eth1 to eth0
#
-A forward_eth1_eth0 -j ACCEPT -p udp
-A forward_eth1_eth0 -j ACCEPT -p tcp
-A forward_eth1_eth0 -j forward_eth1_eth0_icmp -p icmp
-A forward_eth1_eth0 -j DROP

[snip]

#
# Log and drop RFC1918 net
#
-A logdrop1918 -j LOG --log-ip-options --log-prefix "INET-RFC1918 "
-A logdrop1918 -j DROP
#
# Log and drop MULTI net
#
-A logdropmulti -j LOG --log-ip-options --log-prefix "INET-MULTI "
-A logdropmulti -j DROP
#
# Log and drop reserved nets
#
-A logdropresvd -j LOG --log-ip-options --log-prefix "INET-RESVD "
-A logdropresvd -j DROP
#
# Log and drop spoof attempt
#
-A logdropspoof -j LOG --log-ip-options --log-prefix "ANTI-SPOOF "
-A logdropspoof -j DROP

[snip]
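As an added example (not the generator's output above, nor any code from the thread), the walker below runs a packet through a constructed subset of the posted rules and shows why the log-then-drop chains answer the original question: every bogon test is a single jump rule, the LOG target is non-terminating, and the shared chain holds the only LOG and DROP rules. The rule text, the packet fields and the log line format are all assumptions made for the example.

```python
# Added example: walk a packet through a constructed subset of the posted
# rules; one shared chain supplies the LOG and DROP for every jump into it.
import ipaddress
import shlex
RULES = """\
-A FORWARD -j logdropspoof -s 10/8
-A FORWARD -j forward_eth0 -i eth0
-A forward_eth0 -j logdrop1918 -s 192.168/16
-A forward_eth0 -j forward_eth0_eth1_tcp -o eth1 -p tcp
-A forward_eth0_eth1_tcp -j ACCEPT -p tcp -d 1.2.3.42
-A forward_eth0_eth1_tcp -j DROP
-A logdrop1918 -j LOG --log-prefix "INET-RFC1918 "
-A logdrop1918 -j DROP
-A logdropspoof -j LOG --log-prefix "ANTI-SPOOF "
-A logdropspoof -j DROP
"""
FLAGS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto", "--log-prefix": "prefix"}

def net(spec):
    # iptables accepts shorthand such as "10/8"; pad it to a dotted quad
    addr, _, plen = spec.partition("/")
    octets = (addr.split(".") + ["0"] * 3)[:4]
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}")

def parse(text):
    chains = {}
    for tok in map(shlex.split, text.strip().splitlines()):
        rule = {k: tok[tok.index(f) + 1] for f, k in FLAGS.items() if f in tok}
        rule["target"] = tok[tok.index("-j") + 1]
        chains.setdefault(tok[1], []).append(rule)  # tok[1]: chain named by -A
    return chains

def matches(rule, pkt):
    ok = all(rule.get(k, pkt[k]) == pkt[k] for k in ("iif", "oif", "proto"))
    return ok and all(k not in rule or ipaddress.ip_address(pkt[k]) in net(rule[k])
                      for k in ("src", "dst"))

def walk(chains, chain, pkt, log):
    """Return ACCEPT/DROP, or None when the chain falls through or RETURNs."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        target = rule["target"]
        if target == "LOG":  # non-terminating: record the hit and keep going
            log.append(rule.get("prefix", "") + pkt["src"] + ">" + pkt["dst"])
        elif target in ("ACCEPT", "DROP", "RETURN"):
            return None if target == "RETURN" else target
        elif verdict := walk(chains, target, pkt, log):  # user-defined chain
            return verdict
    return None

def filter_packet(src, dst, iif="eth0", oif="eth1", proto="tcp"):
    log, pkt = [], dict(src=src, dst=dst, iif=iif, oif=oif, proto=proto)
    return walk(parse(RULES), "FORWARD", pkt, log) or "POLICY", log
```

A 10/8 source is logged once with the ANTI-SPOOF prefix and dropped by the shared chain; a UDP packet that matches no terminating rule falls all the way through to the chain policy.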