Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks

Spoofing and bad-address attacks try to fool the server into believing that packets came from a local address or network, so that trust given to "internal" traffic is extended to the attacker.

The following IP/network addresses are known to be used in this kind of attack:


An incoming packet on the Internet-facing interface whose source IP address is your server's own IP address.

An incoming packet on the Internet-facing interface with a source address from the following ranges, none of which can legitimately originate on the public Internet:

  • 0.0.0.0/8 ("this" network)
  • 127.0.0.0/8 (loopback)
  • 10.0.0.0/8 (private, RFC 1918)
  • 172.16.0.0/12 (private, RFC 1918)
  • 192.168.0.0/16 (private, RFC 1918)
  • 224.0.0.0/3 (multicast and reserved, 224.0.0.0 through 255.255.255.255)
  • Your own internal server/network IP addresses/ranges.

The following small shell script tries to prevent this kind of attack:

#!/bin/bash
 
INT_IF="eth1" # interface connected to the Internet (WAN port)
SERVER_IP="202.54.10.20" # public IP address bound to $INT_IF
LAN_RANGE="192.168.1.0/24" # your LAN IP range
 
# Add your spoofed IP ranges/IPs here ("this" network, loopback, RFC 1918 private, multicast/reserved)
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
 
IPT="/sbin/iptables" # path to iptables
 
# default action, can be DROP or REJECT
ACTION="DROP"
 
# Drop packets arriving on the WAN port that claim to come from our own server.
# Only the INPUT direction is filtered: every packet we send to the Internet
# legitimately carries $SERVER_IP as its source, so an OUTPUT rule on it
# would cut off all outgoing traffic (SSH, DNS, updates, ...).
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
 
# Drop packets that claim to come from our internal LAN on the WAN port (ingress
# filtering), and never let LAN-sourced packets leak out of the WAN port (egress filtering)
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
 
## Drop all spoofed/bogon sources in both directions on the WAN port only;
## the loopback interface (lo) and LAN interfaces are not touched by these rules
for ip in $SPOOF_IPS
do
 $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
 $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done
## add or call the rest of your script below to customize iptables ##
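The same policy as the script above, written as an added example (not the original page's script) that emits the rules in iptables-restore format instead of calling iptables once per rule. It keeps the checks in their own chains jumped to from the top of INPUT and OUTPUT so they run ahead of any ACCEPT rule, logs hits at a limited rate before dropping them, and filters the server's own public address in the INPUT direction only. The interface, the addresses and the chain names SPOOF_IN, SPOOF_OUT and SPOOF_DROP are illustrative assumptions; 169.254.0.0/16 (link-local) is added to the page's list.

```shell
#!/bin/sh
# Added example, not the original nixCraft script: generate an anti-spoofing
# ruleset in iptables-restore(8) format so it can be loaded in one atomic step.
# Interface, addresses and the SPOOF_* chain names are assumptions.

WAN_IF="${WAN_IF:-eth1}"                 # interface facing the Internet
SERVER_IP="${SERVER_IP:-202.54.10.20}"   # public IP bound to $WAN_IF
LAN_RANGE="${LAN_RANGE:-192.168.1.0/24}" # internal network behind this host
# Sources that never legitimately arrive from, or leave to, the Internet.
# 169.254.0.0/16 (link-local) is added to the list used on the page.
BOGONS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3"

# gen_spoof_rules: print an iptables-restore fragment for the filter table.
gen_spoof_rules() {
    printf '%s\n' '*filter' ':SPOOF_IN - [0:0]' ':SPOOF_OUT - [0:0]' ':SPOOF_DROP - [0:0]'
    # Jump in at position 1 so the checks run before any existing ACCEPT rule
    # (an ESTABLISHED,RELATED accept placed earlier would pass spoofed packets).
    printf '%s\n' "-I INPUT 1 -i $WAN_IF -j SPOOF_IN"
    printf '%s\n' "-I OUTPUT 1 -o $WAN_IF -j SPOOF_OUT"
    # Log (rate limited) and then drop, so hits are visible in the kernel log.
    printf '%s\n' '-A SPOOF_DROP -m limit --limit 5/min -j LOG --log-prefix "spoof: "'
    printf '%s\n' '-A SPOOF_DROP -j DROP'
    # Ingress: nobody on the Internet may claim to be us or our LAN.
    printf '%s\n' "-A SPOOF_IN -s $SERVER_IP -j SPOOF_DROP"
    printf '%s\n' "-A SPOOF_IN -s $LAN_RANGE -j SPOOF_DROP"
    # Egress: never leak LAN-sourced packets out of the WAN port. Our own
    # public address is deliberately NOT dropped on output: every packet we
    # send to the Internet carries it as its source address.
    printf '%s\n' "-A SPOOF_OUT -s $LAN_RANGE -j SPOOF_DROP"
    # Bogon ranges are dropped in both directions on the WAN port.
    for net in $BOGONS; do
        printf '%s\n' "-A SPOOF_IN -s $net -j SPOOF_DROP"
        printf '%s\n' "-A SPOOF_OUT -s $net -j SPOOF_DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Usage: gen_spoof_rules | iptables-restore --noflush
```

Load it with `gen_spoof_rules | iptables-restore --noflush`; without --noflush, iptables-restore replaces the whole filter table with just this fragment. Hits show up in the kernel log with the prefix "spoof: " followed by the usual IN=, SRC= and DST= fields. Loading it a second time inserts a second jump at the top of INPUT and OUTPUT, so run it once per boot.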

Save and close the file. Call the above script from your own iptables script, before any rule that accepts traffic: the rules are appended with -A, so a packet already accepted by an earlier rule (for example a blanket ESTABLISHED,RELATED accept) never reaches them. Run it once per boot, since every run appends another copy of the rules. Then add the following lines to your /etc/sysctl.conf file and apply them with sysctl -p:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

The net.ipv4.conf.all.rp_filter=1 entry enables reverse path filtering, the source address verification built into the Linux kernel itself: in this strict mode (1) a packet is dropped when a reply to its source address would not be routed out of the interface it arrived on, so a packet claiming a LAN source on the WAN port is discarded before any iptables rule sees it (use 2, loose mode, on hosts with asymmetric routing). The last two lines make the kernel log such "martian" packets to the kernel log (dmesg, /var/log/messages or journalctl -k). Packets dropped by the iptables rules above are not covered by this setting; put a LOG rule in front of the DROP if you want them recorded as well.
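To see whether anyone is actually tripping the kernel's check, the following added example (not from the original page) summarizes log_martians lines from syslog or journalctl -k by interface and forged source. The sample log is constructed for the example. One point worth knowing when reading these lines: the kernel prints the packet's destination right after "martian source" and the forged source after "from".

```shell
#!/bin/sh
# Added example, not from the original page: summarize the kernel's
# log_martians output. The sample log below is constructed, not captured.
# Kernel wording: "martian source D from S, on dev IF" puts the packet's
# DESTINATION first and the forged SOURCE after "from".

SAMPLE_LOG='Aug  6 12:00:01 gw kernel: IPv4: martian source 202.54.10.20 from 10.0.0.5, on dev eth1
Aug  6 12:00:01 gw kernel: ll header: 00000000: 00 16 3e 12 34 56 00 11 22 33 44 55 08 00
Aug  6 12:00:03 gw kernel: IPv4: martian source 202.54.10.20 from 192.168.1.77, on dev eth1
Aug  6 12:00:07 gw sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 51234 ssh2
Aug  6 12:00:09 gw kernel: IPv4: martian source 202.54.10.20 from 10.0.0.5, on dev eth1
Aug  6 12:00:11 gw kernel: IPv4: martian source 192.168.1.1 from 10.0.0.5, on dev eth1'

# martian_summary: read syslog / "journalctl -k" text on stdin and print
# "<count> <dev> <forged-src> <dst>" lines, most frequent first.
# The "ll header:" continuation lines and unrelated log lines are ignored.
martian_summary() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([A-Za-z0-9._-]*\).*/\3 \2 \1/p' |
        sort | uniq -c | sort -rn
}

# martian_count: number of martian lines whose forged source is $1.
martian_count() {
    grep -cF "from $1, on dev"
}

# Usage against the live host: journalctl -k | martian_summary
# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | martian_summary
```

Run against the sample, the top line reads "2 eth1 10.0.0.5 202.54.10.20": two packets arrived on eth1 claiming the private source 10.0.0.5 and addressed to the server's public IP, a textbook case of the first list item above. Sources inside your own LAN range showing up here with dev set to the WAN interface are the ones worth chasing.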


21 comments
  • Prerak Doshi Nov 23, 2006 @ 7:30

    Hi,
    How to configure squid as a direct connection?
    I would like to following option enable through squid
    1. Username password security with individual site Blocking security.
    2. FTP, SMTP, POP3 etc.. protocol and port configure.
    3. Cache configuration
    4. log maintenance of internet usage, bad site request, downloading, uploading with user name.
    5. firewall configuration to block intruders.(Apart from local user nobody outside the LAN can use our port and connection to the internet
    6. Antivirus : Clamav

  • 🐧 nixCraft Nov 23, 2006 @ 9:20

    Prerak

    You are using Red hat Linux…..????

  • Ash Dec 28, 2006 @ 16:38

    – iptables -A INPUT -s -j DROP
    + iptables -A INPUT -s $ip -j DROP

  • 🐧 nixCraft Dec 28, 2006 @ 18:04

    Ash,

    PHP treated $ip as a PHP variable. But now it is fixed.

    Appreciate your post.

  • budi Aug 6, 2007 @ 23:39

    Address 127.0.0.0/8 is used by the mail server or other servers like DNS or /etc/hosts. And if it is blocked the server is not running; how do I solve it?

  • Muhammad Kamran Azeem Apr 10, 2008 @ 16:16

    I think that the following code:,

    # Original code – Start
    SERVER_IP="202.54.10.20"
    # Add your IP range/IPs here,
    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
    iptables -A INPUT -s $SERVER_IP -j DROP
    for ip in $SPOOF_IPS
    do
    iptables -A INPUT -s $ip -j DROP
    done
    # Original Code – End

    , can be re-written as :-

    # Suggested Code – Start
    PUBLICIF=eth0
    SERVER_IP=202.54.10.20
    # Add your IP range/IPs here,
    SPOOF_IPS="$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16 224.0.0.0/3"
    for ip in $SPOOF_IPS
    do
    iptables -A INPUT -i $PUBLICIF -s $ip -j DROP
    done

    # Suggested code – Stop

    Please correct me if I am wrong, but IMHO, if we DROP packets without mentioning the interface then legitimate connections originating from the same server on loopback (lo) will also get dropped.

    Thanks.

    • Cody Jul 26, 2014 @ 12:52

      lo is a different interface and is not related to outgoing packets. That’s why it is called the loopback interface. lo should always be accepted for INPUT and OUTPUT. That’s regardless of state; indeed, it is for local connections only (and by local I mean 127.0.0.0/8). Not allowing lo is going to break a lot of services and otherwise cause unexpected results.

  • Muhammad Kamran Azeem Apr 10, 2008 @ 17:29

    Sorry. This line:-
    SPOOF_IPS="$SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16

    Should not contain $SERVER_IP and should instead be:-

    SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16

  • Gunjan Jul 9, 2008 @ 6:35

    Yes, we need to remove $SERVER_IP from SPOOF_IPS, otherwise the server is also blocked and we do not have any access to the server.

  • 🐧 nixCraft Jul 9, 2008 @ 11:21

    Gunjan,

    The script has been updated to only filter on public interface. This should fix the issue.

  • kwik Aug 4, 2008 @ 19:20

    It is impossible to spoof your address if your Linux computer is behind a NAT-enabled router such as a Cisco.

    This script is more useful on *Linux based router* as packet filtering is one defense against IP spoofing attacks. The Linux gateway to a network usually performs ingress filtering, which is blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine. Ideally the Linux gateway would also perform egress filtering on outgoing packets, which is blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network performing filtering from launching IP spoofing attacks against external machines.

    I hope this will help someone.

  • Shoelaces Nov 5, 2011 @ 3:35

    I had to comment out:
    $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION

    This wouldn't allow SSH connections out.

  • Jouni "Rautamiekka" Järvinen Aug 6, 2012 @ 13:07

    What about when the computer doesn’t have a LAN address, like those directly connected to Internet ?

  • Jouni "Rautamiekka" Järvinen Aug 6, 2012 @ 14:20

    And why manually specify the iptables path when you can use `which iptables` instead?

  • shahzaib Jan 21, 2013 @ 11:46

    Hello,

    Please, can you guide me on how I can identify if someone is spoofing my IP? Which logs should I check?

  • chadwick Mar 12, 2013 @ 5:30

    How do you “call this script from iptables”. What does that mean?

  • RealityBoy Aug 30, 2013 @ 11:36

    How do you “call this script from iptables”. What does that mean?

  • Bharath Sep 26, 2013 @ 9:26

    Hi, my Linux email server (CentOS 5.7) is giving IP address spoofing on the network.
    I am not running any proxy server on it and kept the firewall off. Now port 25 SMTP is giving IP address spoofing with the server's public IP.

    Please advise.

  • Cody Jul 26, 2014 @ 12:57

    Something comes to mind (and I admit I’ve been awake since 2 this morning, but…):

    /sbin/iptables -A OUTPUT -o eth1 -s 202.54.10.20 -j DROP

    seems highly suspect to me. If eth1 is the interface connected to the Internet that also has the IP 202.54.10.20 bound to it, then you’re blocking outgoing traffic. Note the OUTPUT chain. The point of blocking spoofed packets and in particular the specific public IP(s) the server (or depending on network: firewall, …) is incoming packets. Outgoing packets would naturally have your node’s IP address, after all (unless we’re talking spoofing and/or not wanting your traffic forwarded by routers, potentially even your ISP’s router [like your default gateway]). It is hosts that are NOT you that are claiming to be you. Your server SHOULD send outbound as its IP (NOT to itself) but should not be sending packets TO itself FROM its IP (that should be blocked).

  • Popescu Valentin Dec 21, 2015 @ 22:34

    I also have the same issue; I think it blocks all output from the server to the Internet.

  • Le Toi Aug 6, 2016 @ 13:05

    Hi,
    Why do you want to block all outgoing traffic with this rule?
    $IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
