Spoofing and bad address attack tries to fool the server and try to claim that packets had come from local address/network.
Incoming source IP address is your servers IP address
Bad incoming address from following ranges:
- 0.0.0.0/8
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 192.168.0.0/16
- 224.0.0.0/3
- Your own internal server/network ip address/ranges.
Following small shell script tries to prevent this kind of attacks:
#!/bin/bash
INT_IF="eth1" # connected to internet
SERVER_IP="202.54.10.20" # server IP
LAN_RANGE="192.168.1.0/24" # your LAN IP range
# Add your spoofed IP range/IPs here
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="/sbin/iptables" # path to iptables
# default action, can be DROP or REJECT
ACTION="DROP"
# Drop packet that claiming from our own server on WAN port
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
# Drop packet that claiming from our own internal LAN on WAN port
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
## Drop all spoofed
for ip in $SPOOF_IPS
do
$IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done
## add or call your rest of script below to customize iptables ##
Save and close the file. Call above script from your own iptables script. Add following line to your /etc/sysctl.conf file
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
The net.ipv4.conf.all.rp_filter=1 entry enables source address
verification which is inbuilt into Linux kernel itself and last two
lines logs all such spoofed packets in log file.
No comments:
Post a Comment