
Re: Anyone studying for Cisco certs?



On Fri, 16 May 2003 fiaid@quasi-sane.com wrote:

> That was a massively simplified explanation of the need for IP Spoof
> checking.

So that leads to the obvious question, how does one do this with
Linux/IPTables/IPChains?

Direct quote from IPChains Howto (applies to IPTables as well):

"The best way to protect from IP spoofing is called Source Address
Verification, and it is done by the routing code, and not firewalling at
all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter. If this
exists, then turning on Source Address Verification at every boot is the
right solution for you. To do that, insert the following lines somewhere
in your init scripts, before any network interfaces are initialized:



# This is the best method: turn on Source Address Verification and get 
# spoof protection on all current and future interfaces. 

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo -n "Setting up IP spoofing protection..."
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
  done
  echo "done."
else
  echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
  echo "CONTROL-D will exit from this shell and continue system startup."
  echo
  # Start a single user shell on the console
  /sbin/sulogin $CONSOLE
fi



If you cannot do this, you can manually insert rules to protect every 
interface. This requires knowledge of each interface. The 2.1 kernels 
automatically reject packets claiming to come from the 127.* addresses 
(reserved for the local loopback interface, lo).

For example, say we have three interfaces, eth0, eth1 and ppp0. We can use 
ifconfig to tell us the address and netmask of the interfaces. Say eth0 
was attached to a network 192.168.1.0 with netmask 255.255.255.0, eth1 was 
attached to a network 10.0.0.0 with netmask 255.0.0.0, and ppp0 connected 
to the Internet (where any address except the reserved private IP 
addresses are allowed), we would insert the following rules:



# ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
# ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
# ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
# ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
# 

This approach is not as good as the Source Address Verification approach, 
because if your network changes, you have to change your firewalling rules 
to keep up.

If you are running a 2.0 series kernel, you might want to protect the 
loopback interface as well, using a rule like this:



# ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
#
"


-- 
Richard H. Fifarek
rfifarek@silug.org
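As an added illustration (not from the HOWTO or the post above), a small Python model of the two approaches the HOWTO quotes: strict reverse-path filtering (rp_filter=1) decided from a routing table, beside the static per-interface DENY rules. The routing table and sample packets are constructed to match the HOWTO's eth0/eth1/ppp0 example; the point it adds is why the HOWTO prefers rp_filter: when a new interface appears in the routing table the reverse-path check follows it, while the static rules stay blind to it.

```python
import ipaddress

# Constructed routing table for the HOWTO's three-interface host (an assumption):
# eth0 on 192.168.1.0/24, eth1 on 10.0.0.0/8, ppp0 carrying the default route.
ROUTES = [
    ("127.0.0.0/8", "lo"),
    ("192.168.1.0/24", "eth0"),
    ("10.0.0.0/8", "eth1"),
    ("0.0.0.0/0", "ppp0"),
]

# The HOWTO's hand-written ipchains DENY rules, one tuple per
# "-A input -i [!] IFACE -s [!] NET -j DENY": (iface, iface_negated, net, src_negated).
STATIC_DENY_RULES = [
    ("eth0", False, "192.168.1.0/24", True),
    ("eth0", True, "192.168.1.0/24", False),
    ("eth1", False, "10.0.0.0/8", True),
    ("eth1", True, "10.0.0.0/8", False),
    ("lo", True, "127.0.0.0/8", False),
]

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach dst."""
    addr, best = ipaddress.ip_address(dst), None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_accepts(in_iface, src, routes=ROUTES):
    """Strict reverse-path check (rp_filter=1): accept only if the route back to
    the claimed source leaves through the interface the packet arrived on."""
    return route_lookup(src, routes) == in_iface

def static_rules_accept(in_iface, src, rules=STATIC_DENY_RULES):
    """Walk the static rules in order; the first matching DENY rejects the packet."""
    addr = ipaddress.ip_address(src)
    for iface, iface_neg, cidr, src_neg in rules:
        iface_hit = (in_iface == iface) != iface_neg
        src_hit = (addr in ipaddress.ip_network(cidr)) != src_neg
        if iface_hit and src_hit:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, claimed source address)
    for pkt in [("eth0", "192.168.1.20"), ("ppp0", "192.168.1.20"), ("ppp0", "10.1.2.3"),
                ("eth1", "203.0.113.7"), ("ppp0", "203.0.113.7"), ("eth0", "127.0.0.1")]:
        print(pkt, "rp_filter:", rp_filter_accepts(*pkt), "static:", static_rules_accept(*pkt))
```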


