Re: SV: IP Spoofing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you, I did it using config option in /etc/sysctl.conf


On 8/20/18 3:02 PM, André Paulsberg-Csibi (IBM Consultant) wrote:

"Normally" it is not done with FireWall (IP-tables) , but with "kernel RPF"

https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html

You can still do it with te FireWall instead , but to assist it is helpful to know some more about the "network" you have behind the firewall and how many interfaces and subnets .

For basic info , it is quite simple , and I would suggest making a "NOT" rule after state rules to DENY any network not matching your IP range ( typically you would have just one interface and only need ONE rule )


Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS


Sensitivity: Internal

-----Opprinnelig melding-----
Fra: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> På vegne av Stefanie Leisestreichler
Sendt: mandag 20. august 2018 14.36
Til: netfilter@xxxxxxxxxxxxxxx
Emne: IP Spoofing

Hi.

This is my firewall script. I want to block IP spoofing.
Could you please advice or reference to any valid and recommended source how to implement it?
Kernel: Linux asterisk-2018 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10
17:58:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux.

Thanks.

# Generated by iptables-save v1.6.1 on Mon Aug 20 14:22:20 2018 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [9:796] :ICMPALL - [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j DROP -A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5061 -j ACCEPT -A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT -A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.2.255 -m tcp --dport 80 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type any -j ICMPALL -A INPUT -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp -m icmp --icmp-type 0 -j ACCEPT -A ICMPALL -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ICMPALL -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ICMPALL -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ICMPALL -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ICMPALL -p icmp -j DROP
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux