
Re: Anyone studying for Cisco certs?



What does the for f do?

On Fri, 2003-05-16 at 11:05, Richard Fifarek wrote:
> On Fri, 16 May 2003 fiaid@quasi-sane.com wrote:
> 
> > That was a massively simplified explanation of the need for IP Spoof
> > checking.
> 
> 	So that leads to the obvious question, how does one do this with 
> Linux/IPTables/IPChains?
> 
> Direct quote from IPChains Howto (applies to IPTables as well):
> 
> "The best way to protect from IP spoofing is called Source Address
> Verification, and it is done by the routing code, and not firewalling at
> all. Look for a file called /proc/sys/net/ipv4/conf/all/rp_filter. If this
> exists, then turning on Source Address Verification at every boot is the
> right solution for you. To do that, insert the following lines somewhere
> in your init scripts, before any network interfaces are initialized:
> 
> # This is the best method: turn on Source Address Verification and get 
> # spoof protection on all current and future interfaces. 
> 
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
>   echo -n "Setting up IP spoofing protection..."
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>       echo 1 > $f
>   done
>   echo "done."
> else
>   echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
>   echo "CONTROL-D will exit from this shell and continue system startup."
>   echo
>   # Start a single user shell on the console
>   /sbin/sulogin $CONSOLE
> fi
> 
> If you cannot do this, you can manually insert rules to protect every 
> interface. This requires knowledge of each interface. The 2.1 kernels 
> automatically reject packets claiming to come from the 127.* addresses 
> (reserved for the local loopback interface, lo).
> 
> For example, say we have three interfaces, eth0, eth1 and ppp0. We can use 
> ifconfig to tell us the address and netmask of the interfaces. Say eth0 
> was attached to a network 192.168.1.0 with netmask 255.255.255.0, eth1 was 
> attached to a network 10.0.0.0 with netmask 255.0.0.0, and ppp0 connected 
> to the Internet (where any address except the reserved private IP 
> addresses are allowed), we would insert the following rules:
> 
> # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY
> # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY
> # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY
> # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY
> # 
> 
> This approach is not as good as the Source Address Verification approach, 
> because if your network changes, you have to change your firewalling rules 
> to keep up.
> 
> If you are running a 2.0 series kernel, you might want to protect the 
> loopback interface as well, using a rule like this:
> 
> # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY
> #
> "
> 
> 
> -- 
> Richard H. Fifarek
> rfifarek@silug.org
> 
> 
> 
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.



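To make the HOWTO loop concrete: the `for f` walks every per-interface rp_filter entry under /proc/sys/net/ipv4/conf/ and writes 1 into it. The script below is an added example, not code from the HOWTO or from the poster; it wraps that loop in a function and adds an audit that lists interfaces where Source Address Verification is still off. It assumes an optional root-directory argument so it can be run against a constructed fake tree instead of the live /proc.

```shell
#!/bin/sh
# Audit and enable Source Address Verification (rp_filter) per interface.
# Assumption (not from the HOWTO): $1 is an optional root prefix, empty
# for the real system, so the functions can be exercised on a fake tree.

# Print the name of every interface whose rp_filter is not 1, one per line.
rp_audit() {
    root="${1:-}"
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] || continue          # glob did not match anything
        iface=$(basename "$(dirname "$f")")
        [ "$(cat "$f")" = "1" ] || echo "$iface"
    done
}

# The HOWTO loop: turn on rp_filter for "all", "default" and each interface.
# Returns 1 when the kernel offers no rp_filter at all.
rp_enable() {
    root="${1:-}"
    [ -e "$root/proc/sys/net/ipv4/conf/all/rp_filter" ] || return 1
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
}

# Constructed fake /proc tree for an offline demonstration: every entry
# starts at 0 except eth1, which is already protected.
make_fake_tree() {
    root=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$root/proc/sys/net/ipv4/conf/$i"
        echo 0 > "$root/proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    echo 1 > "$root/proc/sys/net/ipv4/conf/eth1/rp_filter"
    echo "$root"
}
```

Run `rp_audit` with no argument on a real box to see which interfaces lack the protection before deciding to call `rp_enable`.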