
Linux Iptables Avoid IP Spoofing and Bad Addresses Attacks

Uploaded by gdayanand4u. Copyright: © Attribution Non-Commercial (BY-NC)
by nixCraft on June 28, 2005 | 15 comments | LAST UPDATED July 9, 2008 | in Debian Linux, Gentoo Linux, Iptables

Spoofing and bad address attacks try to fool the server by claiming that packets came from a local address/network. The following IP/network addresses are known to open this kind of attack:

Incoming source IP address is your server's IP address

Bad incoming address from the following ranges:
=> 0.0.0.0/8
=> 127.0.0.0/8
=> 10.0.0.0/8
=> 172.16.0.0/12
=> 192.168.0.0/16
=> 224.0.0.0/3 etc.
=> Your own internal server/network IP address/ranges.

The following small shell script tries to prevent this kind of attack:
    #!/bin/bash
    INT_IF="eth1"                # connected to internet
    SERVER_IP="202.54.10.20"     # server IP
    LAN_RANGE="192.168.1.0/24"   # your LAN IP range

    # Add your IP range/IPs here,
    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

    IPT="/sbin/iptables"         # path to iptables

    # default action, can be DROP or REJECT
    ACTION="DROP"

    # Drop packets that claim to be from our own server
    $IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
    # Left disabled: every packet this host sends out of $INT_IF carries
    # $SERVER_IP as its source, so this rule drops the server's own outbound traffic.
    # $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION

    # Drop packets that claim to be from our own internal LAN
    $IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
    $IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION

    # Drop the remaining bad source ranges in both directions
    for ip in $SPOOF_IPS
    do
      $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
      $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
    done

Save and close the file. Call the above script from your own iptables script. Add the following line to your /etc/sysctl.conf:

    net.ipv4.conf.all.rp_filter=1

This entry enables source address verification, which is built into the Linux kernel itself.
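Added example (not from the original article): a portable sh script that classifies the SRC= address of inbound netfilter LOG lines against the article's SERVER_IP, LAN_RANGE and SPOOF_IPS values, showing which sources the rules above are meant to reject on the public interface. The function names and the sample log lines are constructed for illustration, and it assumes inbound packets on the public interface are logged with the LOG target.

```sh
#!/bin/sh
# Added example, not part of the original article. Values below are the article's.
SERVER_IP="202.54.10.20"
LAN_RANGE="192.168.1.0/24"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Dotted-quad IPv4 -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds (exit 0) when address $1 lies inside CIDR block $2.
in_cidr() (
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
)

# Print why source $1 is invalid on the public interface, or "ok".
classify_src() {
    case $1 in *[!0-9.]*|"") echo "not-ipv4"; return ;; esac
    if [ "$1" = "$SERVER_IP" ]; then echo "spoofed-server-ip"; return; fi
    if in_cidr "$1" "$LAN_RANGE"; then echo "spoofed-lan"; return; fi
    for range in $SPOOF_IPS; do
        if in_cidr "$1" "$range"; then echo "bogon:$range"; return; fi
    done
    echo "ok"
}

# Read LOG lines on stdin; print "SRC verdict" for bad sources seen on interface $1.
scan_log() {
    while IFS= read -r line; do
        case $line in *"IN=$1 "*SRC=*) ;; *) continue ;; esac
        src=${line#*SRC=}
        src=${src%% *}
        verdict=$(classify_src "$src")
        [ "$verdict" = "ok" ] || echo "$src $verdict"
    done
}

# Constructed, abbreviated sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG='Jun 28 10:00:01 gw kernel: IN=eth1 OUT= SRC=10.4.5.6 DST=202.54.10.20 PROTO=TCP SPT=4444 DPT=22
Jun 28 10:00:02 gw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=202.54.10.20 PROTO=TCP SPT=5555 DPT=80
Jun 28 10:00:03 gw kernel: IN=eth1 OUT= SRC=202.54.10.20 DST=202.54.10.20 PROTO=UDP SPT=53 DPT=53
Jun 28 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.1 PROTO=TCP SPT=6000 DPT=22
Jun 28 10:00:05 gw kernel: IN=eth1 OUT= SRC=192.168.1.15 DST=202.54.10.20 PROTO=TCP SPT=6001 DPT=22'

printf '%s\n' "$SAMPLE_LOG" | scan_log eth1
```

The same LAN address is legitimate on the internal interface (the eth0 line is skipped) and reported only when it shows up on eth1, which is why the rules are bound to the public interface.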
{ 15 comments }

1 Prerak Doshi November 23, 2006 at 7:30 am

Hi, How to configure squid as a direct connection? I would like to enable the following options through squid:
1. Username password security with individual site blocking security.
2. FTP, SMTP, POP3 etc. protocol and port configuration.
3. Cache configuration
4. Log maintenance of internet usage, bad site requests, downloading, uploading with user name.
5. Firewall configuration to block intruders. (Apart from local users, nobody outside the LAN can use our port and connection to the internet.)
6. Antivirus: Clamav

2 nixcraft November 23, 2006 at 9:20 am

Prerak, You are using Red Hat Linux..????

3 Ash December 28, 2006 at 4:38 pm

- iptables -A INPUT -s -j DROP
+ iptables -A INPUT -s $ip -j DROP

4 nixcraft December 28, 2006 at 6:04 pm

Ash, PHP treated $ip as a PHP variable. But now it is fixed. Appreciate your post.

5 budi August 6, 2007 at 11:39 pm

Address 127.0.0.0/8 is used by the mail server or other servers like DNS, or /etc/hosts. If it is blocked, the server does not run. How do I solve it?

6 Muhammad Kamran Azeem April 10, 2008 at 4:16 pm

I think that the following code:

    # Original code Start
    SERVER_IP=202.54.10.20
    # Add your IP range/IPs here,
    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
    iptables -A INPUT -s $SERVER_IP -j DROP
    for ip in $SPOOF_IPS
    do
      iptables -A INPUT -s $ip -j DROP
    done
    # Original Code End

can be re-written as:

    # Suggested Code Start
    PUBLICIF=eth0
    SERVER_IP=202.54.10.20
    # Add your IP range/IPs here,
    SPOOF_IPS="$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
    for ip in $SPOOF_IPS
    do
      iptables -A INPUT -i $PUBLICIF -s $ip -j DROP
    done
    # Suggested code Stop

Please correct me if I am wrong, but IMHO, if we DROP packets without mentioning the interface then legitimate connections originating from the same server on loopback (lo) will also get dropped. Thanks.

7 Muhammad Kamran Azeem April 10, 2008 at 5:29 pm

Sorry. This line:

    SPOOF_IPS="$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16"

should not contain $SERVER_IP and should instead be:

    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16"

8 Gunjan July 9, 2008 at 6:35 am

Yes, we need to remove $SERVER_IP from SPOOF_IPS, otherwise the server is also blocked and we do not have any access to the server.
9 vivek July 9, 2008 at 11:21 am

Gunjan, The script has been updated to only filter on the public interface. This should fix the issue.

10 kwik August 4, 2008 at 7:20 pm

It is impossible to spoof your address if your Linux computer is behind a NAT enabled router such as Cisco. This script is more useful on a *Linux based router* as packet filtering is one defense against IP spoofing attacks. The Linux gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the Linux gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines. I hope this will help someone.

11 Shoelaces November 5, 2011 at 3:35 am

I had to comment out:

    $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION

This wouldn't allow SSH connections out.

12 Jouni "Rautamiekka" Järvinen August 6, 2012 at 1:07 pm

What about when the computer doesn't have a LAN address, like those directly connected to the Internet?

13 Jouni "Rautamiekka" Järvinen August 6, 2012 at 2:20 pm

And why manually specify the IPtables path when you can use `which iptables` instead?

14 shahzaib January 21, 2013 at 11:46 am

Hello, Please if you can guide me about how I can identify if someone is spoofing my IP? Which logs should I check?

15 chadwick March 12, 2013 at 5:30 am

How do you call this script from iptables? What does that mean?
