Help: How to Prevent Source Address Spoofing - Networking


Thread: Help: How to Prevent Source Address Spoofing

  1. Help: How to Prevent Source Address Spoofing

    Hello,

    I use ADSL to link the Internet, so my ip address is not static, it's
    dynamic. However, I wanna use iptables to prevent source address spoofing
    which source address of packets is from my ip address.

    How to accomplish it?

    Thank you very much~

    Regards,

    Amy Lee

  2. Re: Help: How to Prevent Source Address Spoofing

    Amy Lee wrote:
    > Hello,
    >
    > I use ADSL to link the Internet, so my ip address is not static, it's
    > dynamic. However, I wanna use iptables to prevent source address spoofing
    > which source address of packets is from my ip address.
    >
    > How to accomplish it?
    >
    > Thank you very much~
    >
    > Regards,
    >
    > Amy Lee


    Your question is not clear. The source address of all the IP packets
    that you send should be the correct one. You cannot stop other machines
    spoofing your IP address but the internet will route all packets
    destined for your IP address to you.

    Which packets do you want to filter out?

    Robert

  3. Re: Help: How to Prevent Source Address Spoofing

    On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:

    > Amy Lee wrote:
    >> Hello,
    >>
    >> I use ADSL to link the Internet, so my ip address is not static, it's
    >> dynamic. However, I wanna use iptables to prevent source address spoofing
    >> which source address of packets is from my ip address.
    >>
    >> How to accomplish it?
    >>
    >> Thank you very much~
    >>
    >> Regards,
    >>
    >> Amy Lee

    >
    > Your question is not clear. The source address of all the IP packets
    > that you send should be the correct one. You cannot stop other machines
    > spoofing your IP address but the internet will route all packets
    > destined for your IP address to you.
    >
    > Which packets do you want to filter out?
    >
    > Robert

    Thank you. I wanna filter out the packets send to my machine but which is
    from my ip address.

    Amy Lee

  4. Re: Help: How to Prevent Source Address Spoofing

    Amy Lee wrote:
    > On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
    >
    >> Amy Lee wrote:
    >>> Hello,
    >>>
    >>> I use ADSL to link the Internet, so my ip address is not static, it's
    >>> dynamic. However, I wanna use iptables to prevent source address spoofing
    >>> which source address of packets is from my ip address.
    >>>
    >>> How to accomplish it?
    >>>
    >>> Thank you very much~
    >>>
    >>> Regards,
    >>>
    >>> Amy Lee

    >> Your question is not clear. The source address of all the IP packets
    >> that you send should be the correct one. You cannot stop other machines
    >> spoofing your IP address but the internet will route all packets
    >> destined for your IP address to you.
    >>
    >> Which packets do you want to filter out?
    >>
    >> Robert

    > Thank you. I wanna filter out the packets send to my machine but which is
    > from my ip address.
    >
    > Amy Lee


    Ah. Well you should add your iptables rule at the time when DHCP has
    allocated your computer an IP address. On my system (Debian etch), that
    would mean adding a little script to the directory:

    /etc/dhcp3/dhclient-exit-hooks.d

    where $new_ip_address will contain your new IP address. The script
    should drop all packets with source and destination both the same as
    $new_ip_address

    Robert
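
Added example (not part of Robert's post or of any distribution's scripts): a dhclient exit hook of the kind described above. The function names, the INPUT chain and the `-i` interface match are assumptions of this example; `reason`, `interface`, `old_ip_address` and `new_ip_address` are the variables dhclient-script sets before sourcing hooks, and the addresses in the comments are constructed.

```shell
#!/bin/sh
# Constructed example of a dhclient exit hook (sourced by dhclient-script, which
# sets $reason, $interface, $old_ip_address and $new_ip_address).
# Assumption: the rule lives in the filter table's INPUT chain.

# Print the commands instead of running them unless dhclient-script is the caller.
if [ -n "${reason:-}" ]; then RUN=; else RUN=echo; fi

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255, so a
# malformed lease value never reaches the iptables command line.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    as_ifs=$IFS; IFS=.; set -- $1; IFS=$as_ifs
    [ "$#" -eq 4 ] || return 1
    for as_o in "$@"; do
        [ "${#as_o}" -le 3 ] && [ "$as_o" -le 255 ] || return 1
    done
}

# antispoof_update EVENT IFACE OLD NEW: keep exactly one DROP rule for packets
# that arrive on IFACE claiming our own address as both source and destination.
# Matching on -i IFACE leaves local traffic to our own address (via lo) alone.
antispoof_update() {
    as_ev=$1 as_if=$2 as_old=$3 as_new=$4
    case "$as_if" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$as_ev" in
        BOUND|RENEW|REBIND|REBOOT)
            valid_ipv4 "$as_new" || return 1
            [ "$as_old" = "$as_new" ] && return 0   # lease unchanged: nothing to do
            ;;
        EXPIRE|FAIL|RELEASE|STOP) as_new= ;;        # address lost: only remove the rule
        *) return 0 ;;
    esac
    if valid_ipv4 "$as_old"; then
        $RUN iptables -D INPUT -i "$as_if" -s "$as_old" -d "$as_old" -j DROP || true
    fi
    if [ -n "$as_new" ]; then
        $RUN iptables -I INPUT 1 -i "$as_if" -s "$as_new" -d "$as_new" -j DROP
    fi
}

if [ -n "${reason:-}" ]; then
    antispoof_update "$reason" "${interface:-}" "${old_ip_address:-}" "${new_ip_address:-}"
fi
```

With `$reason` unset, calling `antispoof_update` by hand only prints the iptables commands, which is a convenient way to review them before installing the hook.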

  5. Re: Help: How to Prevent Source Address Spoofing

    On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:

    > Amy Lee wrote:
    >> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
    >>
    >>> Amy Lee wrote:
    >>>> Hello,
    >>>>
    >>>> I use ADSL to link the Internet, so my ip address is not static, it's
    >>>> dynamic. However, I wanna use iptables to prevent source address spoofing
    >>>> which source address of packets is from my ip address.
    >>>>
    >>>> How to accomplish it?
    >>>>
    >>>> Thank you very much~
    >>>>
    >>>> Regards,
    >>>>
    >>>> Amy Lee
    >>> Your question is not clear. The source address of all the IP packets
    >>> that you send should be the correct one. You cannot stop other machines
    >>> spoofing your IP address but the internet will route all packets
    >>> destined for your IP address to you.
    >>>
    >>> Which packets do you want to filter out?
    >>>
    >>> Robert

    >> Thank you. I wanna filter out the packets send to my machine but which is
    >> from my ip address.
    >>
    >> Amy Lee

    >
    > Ah. Well you should add your iptables rule at the time when DHCP has
    > allocated your computer an IP address. On my system (Debian etch), that
    > would mean adding a little script to the directory:
    >
    > /etc/dhcp3/dhclient-exit-hooks.d
    >
    > where $new_ip_address will contain your new IP address. The script
    > should drop all packets with source and destination both the same as
    > $new_ip_address
    >
    > Robert

    Thank you. But my OS is RHEL 3, it seems that I can't find the directory.

    Regards,

    Amy

  6. Re: Help: How to Prevent Source Address Spoofing

    Amy Lee wrote:
    > On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:
    >
    >> Amy Lee wrote:
    >>> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
    >>>
    >>>> Amy Lee wrote:
    >>>>> Hello,
    >>>>>
    >>>>> I use ADSL to link the Internet, so my ip address is not static, it's
    >>>>> dynamic. However, I wanna use iptables to prevent source address spoofing
    >>>>> which source address of packets is from my ip address.
    >>>>>
    >>>>> How to accomplish it?
    >>>>>
    >>>>> Thank you very much~
    >>>>>
    >>>>> Regards,
    >>>>>
    >>>>> Amy Lee
    >>>> Your question is not clear. The source address of all the IP packets
    >>>> that you send should be the correct one. You cannot stop other machines
    >>>> spoofing your IP address but the internet will route all packets
    >>>> destined for your IP address to you.
    >>>>
    >>>> Which packets do you want to filter out?
    >>>>
    >>>> Robert
    >>> Thank you. I wanna filter out the packets send to my machine but which is
    >>> from my ip address.
    >>>
    >>> Amy Lee

    >> Ah. Well you should add your iptables rule at the time when DHCP has
    >> allocated your computer an IP address. On my system (Debian etch), that
    >> would mean adding a little script to the directory:
    >>
    >> /etc/dhcp3/dhclient-exit-hooks.d
    >>
    >> where $new_ip_address will contain your new IP address. The script
    >> should drop all packets with source and destination both the same as
    >> $new_ip_address
    >>
    >> Robert

    > Thank you. But my OS is RHEL 3, it seems that I can't find the directory.
    >
    > Regards,
    >
    > Amy

    I really don't know that system too well. Try:

    man dhclient

    which should tell you where to look for things.

    Robert

  7. Re: Help: How to Prevent Source Address Spoofing

    Robert Harris wrote:
    > Amy Lee wrote:
    >> On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:
    >>
    >>> Amy Lee wrote:
    >>>> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
    >>>>
    >>>>> Amy Lee wrote:
    >>>>>> Hello,
    >>>>>>
    >>>>>> I use ADSL to link the Internet, so my ip address is not static, it's
    >>>>>> dynamic. However, I wanna use iptables to prevent source address spoofing
    >>>>>> which source address of packets is from my ip address.
    >>>>>>
    >>>>>> How to accomplish it?
    >>>>>>
    >>>>>> Thank you very much~
    >>>>>>
    >>>>>> Regards,
    >>>>>>
    >>>>>> Amy Lee
    >>>>> Your question is not clear. The source address of all the IP packets
    >>>>> that you send should be the correct one. You cannot stop other machines
    >>>>> spoofing your IP address but the internet will route all packets
    >>>>> destined for your IP address to you.
    >>>>>
    >>>>> Which packets do you want to filter out?
    >>>>>
    >>>>> Robert
    >>>> Thank you. I wanna filter out the packets send to my machine but which is
    >>>> from my ip address.
    >>>>
    >>>> Amy Lee
    >>> Ah. Well you should add your iptables rule at the time when DHCP has
    >>> allocated your computer an IP address. On my system (Debian etch), that
    >>> would mean adding a little script to the directory:
    >>>
    >>> /etc/dhcp3/dhclient-exit-hooks.d
    >>>
    >>> where $new_ip_address will contain your new IP address. The script
    >>> should drop all packets with source and destination both the same as
    >>> $new_ip_address
    >>>
    >>> Robert

    >> Thank you. But my OS is RHEL 3, it seems that I can't find the directory.
    >>
    >> Regards,
    >>
    >> Amy

    > I really don't know that system too well. Try:
    >
    > man dhclient
    >
    > which should tell you where to look for things.
    >
    > Robert


    or man dhcpcd ...

  8. Re: Help: How to Prevent Source Address Spoofing

    On 2008-01-27, Amy Lee wrote:
    > Hello,


    Moin moin,

    > I use ADSL to link the Internet, so my ip address is not static, it's
    > dynamic. However, I wanna use iptables to prevent source address spoofing
    > which source address of packets is from my ip address.
    >
    > How to accomplish it?


    Actually I don't think you need to. By default the Linux kernel does
    prevent that kind of thing anyways - check if
    sysctl -a|grep \.rp_filter
    is on (i.e. set to 1).

    After a quick Google for linux, rp_filter and forwarding I found these to
    be helpful descriptions for it:

    "# When using IPv4 packet forwarding, you will also get the
    # rp_filter, which automatically rejects incoming packets if the
    # routing table entry for their source address doesn't match the
    # network interface they're arriving on"

    "The rp_filter variable sets up a reverse patch (rp) filter on the
    specific interface. What this means, is quite simple. All it does, is to
    validate that the actual source address used by packets correlates
    properly with our routing table, and that packets with this specific
    source IP address are supposed to get their replies back through that
    interface again."

    Zap
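
Added example (not part of Zap's post): the rp_filter check above done per interface. It assumes a current kernel, where the value used for an interface is the higher of `conf/all` and `conf/<iface>` and 0, 1, 2 mean off, strict and loose; the function names and the `PROC_CONF` override are this example's own.

```shell
#!/bin/sh
# Added example: report the reverse-path filter setting in effect per interface.
# PROC_CONF may point at a copy of the tree; the default is the live kernel.
PROC_CONF=${PROC_CONF:-/proc/sys/net/ipv4/conf}

# rp_value NAME: print conf/NAME/rp_filter, or 0 if it is missing or unreadable.
rp_value() {
    rp_v=$(cat "$PROC_CONF/$1/rp_filter" 2>/dev/null) || rp_v=0
    case "$rp_v" in 0|1|2) echo "$rp_v" ;; *) echo 0 ;; esac
}

# rp_effective IFACE: the higher of conf/all and conf/IFACE is what applies,
# so an interface showing 0 can still be filtered if "all" is 1 or 2.
rp_effective() {
    rp_all=$(rp_value all); rp_if=$(rp_value "$1")
    if [ "$rp_if" -gt "$rp_all" ]; then echo "$rp_if"; else echo "$rp_all"; fi
}

# rp_report: one line per interface, "IFACE VALUE MEANING".
rp_report() {
    for rp_dir in "$PROC_CONF"/*/; do
        rp_name=$(basename "$rp_dir")
        case "$rp_name" in all|default|'*') continue ;; esac
        case "$(rp_effective "$rp_name")" in
            0) echo "$rp_name 0 off" ;;
            1) echo "$rp_name 1 strict" ;;
            2) echo "$rp_name 2 loose" ;;
        esac
    done
}

rp_report
```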
