Spoofing and bad address attack tries to fool the server and try to claim that packets had come from local address/network.
Following IP/netwok address are know to open this kind of attack:
Incoming source IP address is your servers IP address
Bad incoming address from following ranges:
=> 0.0.0.0/8
=> 127.0.0.0/8
=> 10.0.0.0/8
=> 172.16.0.0/12
=> 192.168.0.0/16
=> 192.168.0.0/16
=> 224.0.0.0/3 etc
=> Your own internal server/network ip address/ranges.
Following small shell script tries to prevent this kind of attack:
#!/bin/bash INT_IF="eth1" # connected to internet SERVER_IP="202.54.10.20" # server IP LAN_RANGE="192.168.1.0/24" # your LAN IP range # Add your IP range/IPs here, SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3" IPT="/sbin/iptables" # path to iptables # default action, can be DROP or REJECT ACTION="DROP" # Drop packet that claiming from our own server $IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION # Drop packet that claiming from our own internal LAN $IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION for ip in $SPOOF_IPS do $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION done
Save and close the file. Call above script from your own iptables script. Add following line to your /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
This entry enables source address verification which is inbuilt into Linux kernel itself.
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 15 comments… read them below or add one }
Hi,
How to configure squid as a direct connection?
I would like to following option enable through squid
1. Username password security with individual site Blocking security.
2. FTP, SMTP, POP3 etc.. protocol and port configure.
3. Cache configuration
4. log maintenance of internet usage, bad site request, downloading, uploading with user name.
5. firewall configuration to block intruders.(Apart from local user nobody outside the LAN can use our port and connection to the internet
6. Antivirus : Clamav
Prerak
You are using Red hat Linux…..????
- iptables -A INPUT -s -j DROP
+ iptables -A INPUT -s $ip -j DROP
Ash,
PHP treated $ip as PHP variable. But now it is fixed.
Appreciate your post.
Address 127.0.0.0/8 is used by server mail or other server like dns or /etc/hosts. And if was blocked the server no running, how solve it?
I think that the following code:,
# Original code – Start
SERVER_IP=”202.54.10.20”
# Add your IP range/IPs here,
SPOOF_IPS=”0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3”
iptables -A INPUT -s $SERVER_IP -j DROP
for ip in $SPOOF_IPS
do
iptables -A INPUT -s $ip -j DROP
done
# Original Code – End
, can be re-written as :-
# Suggested Code – Start
PUBLICIF=eth0
SERVER_IP=202.54.10.20
# Add your IP range/IPs here,
SPOOF_IPS=”$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3″
for ip in $SPOOF_IPS
do
iptables -A INPUT -i $PUBLICIF -s $ip -j DROP
done
# Suggested code – Stop
Please correct me if I am wrong, but IMHO, if we DROP packets without mentioning the interface then legitimate connections originating from the same server on loopback (lo) will also get dropped.
Thanks.
Sorry. This line:-
SPOOF_IPS=”$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16
Should not contain $SERVER_IP and should instead be:-
SPOOF_IPS=”0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16
Yes we need to be remove $SERVER_IP from SPOOF_IPS other wise server also block and we do not have any access to server
Gunjan,
The script has been updated to only filter on public interface. This should fix the issue.
It is impossible to spoof your address if your Linux computer is behind NAT enabled router such as Cisco.
This script is more useful on *Linux based router* as packet filtering is one defense against IP spoofing attacks. The Linux gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the Linux gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.
I hope this will help someone.
I had to comment out:
$IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
this wouldn’t allow SSH connections out
What about when the computer doesn’t have a LAN address, like those directly connected to Internet ?
And why manually specify IPtables path when you can use §`which iptables`§ instead ?
Hello,
Please if you can guide me about how can i identify if someone spoofing to my ip ? Which logs should i check ?
How do you “call this script from iptables”. What does that mean?