IP spoofing

IP spoofing

[Farshad]

Just a naive question:
using netfilter, is it possible to grab a packet and change its IP source address and then reinject it as if it has been sent from another source?

thanks!



_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

RE: IP spoofing

[Daniel Chemko]

iptables -t nat POSTROUTING --source <my_bounced_ip> -o <outbound
interface> -p icmp -j SNAT --to-destination <my_bogus_ip>

-----Original Message-----
From: Farshad [mailto:farshadas@excite.com] 
Sent: Thursday, April 10, 2003 1:27 PM
To: netfilter@lists.netfilter.org
Subject: IP spoofing


Just a naive question:
using netfilter, is it possible to grab a packet and change its IP
source address and then reinject it as if it has been sent from another
source?

thanks!



_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

Re: IP spoofing

[Peteris Krumins]

Thursday, April 10, 2003, 11:26:45 PM, you wrote:

F> Just a naive question:
F> using netfilter, is it possible to grab a packet and change
F> its IP source address and then reinject it as if it has been
F> sent from another source?

Yes it is possible.
You can use ip_queue - queue the packets to userspace, change whatever
you want, recalculate checksum yourself and reinject it back.

Tho, my tests indicate that if the link is too loaded and your code is
not fast enough (sometimes even with nop) the netlink socket overflows
causing packet drops.

I tried tuning the netlink socket increasing the buffer size, but
after some time it overflowed anyway.


P.Krumins

IP Spoofing

[Leandro Takashi Hirano]

Thanks for the port scanner help....

Now I would like to know about the IP Spoofing rule, how does it works?

-	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
-	iptables -A INPUT ! -s 192.168.1.0/24 -i eth0 -j DROP

I don´t know how can it block ip spoofing attack...

Takashi

Re: IP Spoofing

[Antony Stone]

On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:

> Thanks for the port scanner help....
>
> Now I would like to know about the IP Spoofing rule, how does it works?
>
> -	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP

Any packet with a source address in the Class C range 192.168.1.x which does 
not come from eth0 will be DROPped.

> -	iptables -A INPUT ! -s 192.168.1.0/24 -i eth0 -j DROP

Any packet which comes from eth0 and has a source address other than the 
Class C  192.168.1.x will be DROPped.

> I don´t know how can it block ip spoofing attack...

These rules assume that eth0 is your internal network, and your internal 
network range is 192.168.1.0/24.

No packets with your own source address should come from outside (rule 1) and 
all packets from inside should have your own source address (rule 2).

Therefore these two rules stop people on the outside pretending that they 
live on your network, and people on the inside pretending that they don't.

Antony.

-- 

In Heaven, the police are British, the chefs are Italian, the beer is 
Belgian, the mechanics are German, the lovers are French, the entertainment 
is American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.
                                                     Please reply to the list;
                                                           please don't CC me.

Re: IP Spoofing

[David C. Hart]

[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]

On Wed, 2003-11-05 at 14:51, Antony Stone wrote:
> On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
> 
> > Now I would like to know about the IP Spoofing rule, how does it works?
> >
> > -	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
> 
> Any packet with a source address in the Class C range 192.168.1.x which does 
> not come from eth0 will be DROPped.

Funny I was similarly confused. What happens to packets from the LAN
given that they don't originate from eth0?
> 
> > I don´t know how can it block ip spoofing attack...
> 
> These rules assume that eth0 is your internal network, and your internal 
> network range is 192.168.1.0/24.
> 
> No packets with your own source address should come from outside (rule 1) and 
> all packets from inside should have your own source address (rule 2).
> 
> Therefore these two rules stop people on the outside pretending that they 
> live on your network, and people on the inside pretending that they don't.
> 
> Antony.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: IP Spoofing

[Antony Stone]

On Wednesday 05 November 2003 8:08 pm, David C. Hart wrote:

> On Wed, 2003-11-05 at 14:51, Antony Stone wrote:
> > On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
> > > Now I would like to know about the IP Spoofing rule, how does it works?
> > >
> > > -	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
> >
> > Any packet with a source address in the Class C range 192.168.1.x which
> > does not come from eth0 will be DROPped.
>
> Funny I was similarly confused. What happens to packets from the LAN
> given that they don't originate from eth0?

> > These rules assume that eth0 is your internal network, and your internal
> > network range is 192.168.1.0/24.

Antony.

-- 

If you think you see a Heffalump in a trap,
make sure it isn't really a Bear with an empty honey jar stuck on his head.

Re: IP Spoofing

[Leandro Takashi Hirano]

Thanks Antony...

Do you have a script or something where I can find protection rules?



> On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
>
>> Thanks for the port scanner help....
>>
>> Now I would like to know about the IP Spoofing rule, how does it
>> works?
>>
>> -	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
>
> Any packet with a source address in the Class C range 192.168.1.x which
> does  not come from eth0 will be DROPped.
>
>> -	iptables -A INPUT ! -s 192.168.1.0/24 -i eth0 -j DROP
>
> Any packet which comes from eth0 and has a source address other than the
>  Class C  192.168.1.x will be DROPped.
>
>> I don´t know how can it block ip spoofing attack...
>
> These rules assume that eth0 is your internal network, and your internal
>  network range is 192.168.1.0/24.
>
> No packets with your own source address should come from outside (rule
> 1) and  all packets from inside should have your own source address
> (rule 2).
>
> Therefore these two rules stop people on the outside pretending that
> they  live on your network, and people on the inside pretending that
> they don't.
>
> Antony.
>
> --
>
> In Heaven, the police are British, the chefs are Italian, the beer is
> Belgian, the mechanics are German, the lovers are French, the
> entertainment  is American, and everything is organised by the Swiss.
>
> In Hell, the police are German, the chefs are British, the beer is
> American,  the mechanics are French, the lovers are Swiss, the
> entertainment is Belgian,  and everything is organised by the Italians.
>                                                      Please reply to the
> list;
>                                                            please don't
> CC me.

Re: IP Spoofing

[Jeffrey Laramie]

David C. Hart wrote:

>On Wed, 2003-11-05 at 14:51, Antony Stone wrote:
>  
>
>>On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
>>
>>    
>>
>>>Now I would like to know about the IP Spoofing rule, how does it works?
>>>
>>>-	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
>>>      
>>>
>>Any packet with a source address in the Class C range 192.168.1.x which does 
>>not come from eth0 will be DROPped.
>>    
>>
>
>Funny I was similarly confused. What happens to packets from the LAN
>given that they don't originate from eth0?
>  
>

In this setup the packets from the LAN have to enter from eth0 as Antony 
indicates. Eth1 would have to be the external interface. Keep in mind 
that these rules only affect traffic to and from the firewall host 
itself. Traffic between the LAN and the internet is handled on the 
FORWARD chain.

Jeff

Re: IP Spoofing

[Antony Stone]

On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:

> Thanks Antony...
>
> Do you have a script or something where I can find protection rules?

You tell us what protection you want and we can suggest some rules to do it.

There's no single "magic ruleset" for netfilter / iptables which "protects 
your network", otherwise every distribution would include it as standard.

It depends what you want to do.

A good starting point is:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT

That will allow nothing in or out of the firewall machine itself, and will 
allow all access from your internal network to the Internet, blocking 
everything except reply packets from the Internet to your network.

I do not recommend that you simply implement the above rules before you 
understand what they are designed to do.

Check Oskar Andreasson's excellent tutorial for more information about this 
sort of configuration, or any of the other documentation at 
http://www.netfilter.org

Antony.

-- 

What I don't know far exceeds what I know, but unfortunately, it is far 
easier to write about what I know than about what I don't know.

 - Kevin Kelly, Out of Control
                                                     Please reply to the list;
                                                           please don't CC me.

RE: IP Spoofing

[bmcdowell]

This is similar (except FORWARD rather than INPUT) to what I do in my own environment.  In fact, I have layered firewalls that specify individual IPs.  Of course, my firewalls are bridges (bridge.sourceforge.net), so most of the traffic comes in one eth and goes out the other.

E.g.

iptables -A FORWARD -i eth0 -s 192.168.1.5 -j DROP
iptables -A FORWARD -i eth1 -s ! 192.168.1.5 -j DROP

...where 192.168.1.5 is the protected server, eth0 is in the DMZ and eth1 connects directly to said server.


Just chiming in again,

Bob

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of David C. Hart
Sent: Wednesday, November 05, 2003 2:08 PM
To: Antony Stone
Cc: Iptables Mailing List
Subject: Re: IP Spoofing


On Wed, 2003-11-05 at 14:51, Antony Stone wrote:
> On Wednesday 05 November 2003 7:31 pm, Leandro Takashi Hirano wrote:
> 
> > Now I would like to know about the IP Spoofing rule, how does it works?
> >
> > -	iptables -A INPUT -s 192.168.1.0/24 -i ! eth0 -j DROP
> 
> Any packet with a source address in the Class C range 192.168.1.x which does 
> not come from eth0 will be DROPped.

Funny I was similarly confused. What happens to packets from the LAN
given that they don't originate from eth0?
> 
> > I don´t know how can it block ip spoofing attack...
> 
> These rules assume that eth0 is your internal network, and your internal 
> network range is 192.168.1.0/24.
> 
> No packets with your own source address should come from outside (rule 1) and 
> all packets from inside should have your own source address (rule 2).
> 
> Therefore these two rules stop people on the outside pretending that they 
> live on your network, and people on the inside pretending that they don't.
> 
> Antony.

Re: IP Spoofing

[David C. Hart]

[-- Attachment #1: Type: text/plain, Size: 598 bytes --]

On Wed, 2003-11-05 at 15:26, Jeffrey Laramie wrote:
> >
> In this setup the packets from the LAN have to enter from eth0 as Antony 
> indicates. Eth1 would have to be the external interface. Keep in mind 
> that these rules only affect traffic to and from the firewall host 
> itself. Traffic between the LAN and the internet is handled on the 
> FORWARD chain.
> 
I just did a slap-the-head-"duh". We're not configured that way. Our
server, which also runs IPTables is fed from the router as a DMZ. The
clients are connected to the same router, a couple by a hub to the
uplink. Hmm.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: IP Spoofing

[Jeffrey Laramie]

David C. Hart wrote:

>On Wed, 2003-11-05 at 15:26, Jeffrey Laramie wrote:
>  
>
>>In this setup the packets from the LAN have to enter from eth0 as Antony 
>>indicates. Eth1 would have to be the external interface. Keep in mind 
>>that these rules only affect traffic to and from the firewall host 
>>itself. Traffic between the LAN and the internet is handled on the 
>>FORWARD chain.
>>
>>    
>>
>I just did a slap-the-head-"duh". We're not configured that way. Our
>server, which also runs IPTables is fed from the router as a DMZ. The
>clients are connected to the same router, a couple by a hub to the
>uplink. Hmm.
>
>  
>
In that configuration iptables does nothing for your LAN, only the 
server. If you can put a firewall box between the internet and the 
router that's the best choice. Otherwise you need: Internet -> Router -> 
Firewall -> Hub  -> LAN/DMZ

Jeff

Re: IP Spoofing

[Ted Kaczmarek]

I would add an input established on that as well, makes it easier to do
upgrades.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I wish everyone did implicit DROP's, it would make the web a safer
place.

:-)



Ted


On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> 
> > Thanks Antony...
> >
> > Do you have a script or something where I can find protection rules?
> 
> You tell us what protection you want and we can suggest some rules to do it.
> 
> There's no single "magic ruleset" for netfilter / iptables which "protects 
> your network", otherwise every distribution would include it as standard.
> 
> It depends what you want to do.
> 
> A good starting point is:
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> 
> That will allow nothing in or out of the firewall machine itself, and will 
> allow all access from your internal network to the Internet, blocking 
> everything except reply packets from the Internet to your network.
> 
> I do not recommend that you simply implement the above rules before you 
> understand what they are designed to do.
> 
> Check Oskar Andreasson's excellent tutorial for more information about this 
> sort of configuration, or any of the other documentation at 
> http://www.netfilter.org
> 
> Antony.

Re: IP Spoofing

[Antony Stone]

On Friday 07 November 2003 12:26 pm, Ted Kaczmarek wrote:

> I would add an input established on that as well, makes it easier to do
> upgrades.
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you do that, you need to add some OUTPUT rules as well to specify what 
traffic you are happy to allow out from the firewall machine itself.

DNS is almost certain to be necessary, anything else depends on how you do 
your upgrades etc (ssh, cvs, rsync, http....)

Antony.

> On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> > > Thanks Antony...
> > >
> > > Do you have a script or something where I can find protection rules?
> >
> > You tell us what protection you want and we can suggest some rules to do
> > it.
> >
> > There's no single "magic ruleset" for netfilter / iptables which
> > "protects your network", otherwise every distribution would include it as
> > standard.
> >
> > It depends what you want to do.
> >
> > A good starting point is:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> >
> > That will allow nothing in or out of the firewall machine itself, and
> > will allow all access from your internal network to the Internet,
> > blocking everything except reply packets from the Internet to your
> > network.
> >
> > I do not recommend that you simply implement the above rules before you
> > understand what they are designed to do.
> >
> > Check Oskar Andreasson's excellent tutorial for more information about
> > this sort of configuration, or any of the other documentation at
> > http://www.netfilter.org
> >
> > Antony.

-- 

The truth is rarely pure, and never simple.

 - Oscar Wilde
                                                     Please reply to the list;
                                                           please don't CC me.

Re: IP Spoofing

[David C. Hart]

[-- Attachment #1: Type: text/plain, Size: 1847 bytes --]

On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> I would add an input established on that as well, makes it easier to do
> upgrades.
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Hi Ted:

If you have a moment, could you please explain (for the comparative IPT
nitwits - including me) what that does?
> 
> I wish everyone did implicit DROP's, it would make the web a safer
> place.

IBID

Thanks
> 
> :-)
> 
> 
> 
> Ted
> 
> 
> On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> > 
> > > Thanks Antony...
> > >
> > > Do you have a script or something where I can find protection rules?
> > 
> > You tell us what protection you want and we can suggest some rules to do it.
> > 
> > There's no single "magic ruleset" for netfilter / iptables which "protects 
> > your network", otherwise every distribution would include it as standard.
> > 
> > It depends what you want to do.
> > 
> > A good starting point is:
> > 
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> > 
> > That will allow nothing in or out of the firewall machine itself, and will 
> > allow all access from your internal network to the Internet, blocking 
> > everything except reply packets from the Internet to your network.
> > 
> > I do not recommend that you simply implement the above rules before you 
> > understand what they are designed to do.
> > 
> > Check Oskar Andreasson's excellent tutorial for more information about this 
> > sort of configuration, or any of the other documentation at 
> > http://www.netfilter.org
> > 
> > Antony.
> 
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: IP Spoofing

[Antony Stone]

On Friday 07 November 2003 1:34 pm, David C. Hart wrote:

> On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> > I would add an input established on that as well, makes it easier to do
> > upgrades.
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Hi Ted:
>
> If you have a moment, could you please explain (for the comparative IPT
> nitwits - including me) what that does?

Any packet which arrives at the machine running netfilter (because this rule 
is in the INPUT chain - if it were in the FORWARD chain then it would apply 
to any packet being routed through the machine running netfilter) which is 
part of an ESTABLISHED connection, or which is RELATED to and ESTABLISHED 
connection, is ACCEPTed.

What defines a connection as ESTABLISHED?

Basically, "is there an entry for it in the connection tracking table?"   
Entries get placed in this table when the first packet of a connection gets 
seen (this will only happen if you have an OUTPUT rule, or a FORWARD rule, 
allowing that first packet to be ACCEPTed).   After that, the reply and all 
other packets which are part of the same connection (which is defined by the 
source & destination IP plus the source & destination port numbers) will get 
matched by the rule above, no matter which other rule matched the first 
packet.

What defines a packet as RELATED?

Either, is it known to a connection tracking helper for a specific protocol 
which uses multiple connections (such as FTP), or, is it an ICMP packet in 
response to another packet, indicating a problem somewhere.

HTH

Antony.

-- 

If books were designed by Microsoft, the Anarchist's Cookbook would explode 
when you read it.

 - Mark W Schumann
                                                     Please reply to the list;
                                                           please don't CC me.

Re: IP Spoofing

[David C. Hart]

[-- Attachment #1: Type: text/plain, Size: 412 bytes --]

On Fri, 2003-11-07 at 08:56, Antony Stone wrote:

> Any packet which arrives at the machine running netfilter (because this rule 
> is in the INPUT chain - if it were in the FORWARD chain then it would apply 
> to any packet being routed through the machine running netfilter) which is 
> part of an ESTABLISHED connection, or which is RELATED to and ESTABLISHED 
> connection, is ACCEPTed.
> 
Thanks. 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: IP Spoofing

[Ted Kaczmarek]

It will allow sessions initiated from the host running iptables to allow
for connections to come back in that are in response to the packet the
host sends out.

If you don't allow the established related packets, you would have to
create a separate rule for each and every IP/Port pair you connect to,
that would allow those packets back in.

The tutorial's at http://iptables-tutorial.frozentux.net/ are some of
the best I have seen, you should add them to your list of reading along
with the other good links you have received.

Unfortunately explaining firewalls in simple terms is not possible.
If you really want to learn, some good materials would be Richard
Stephen TCP/IP Illustrated, you really need to know the protocol itself
before all the firewall technology will make sense.

Also keep in mind that a firewall running on a gateway device  is very
different than on a host.

As always, google is your friend.

Ted




On Fri, 2003-11-07 at 08:34, David C. Hart wrote:
> On Fri, 2003-11-07 at 07:26, Ted Kaczmarek wrote:
> > I would add an input established on that as well, makes it easier to do
> > upgrades.
> > 
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> Hi Ted:
> 
> If you have a moment, could you please explain (for the comparative IPT
> nitwits - including me) what that does?
> > 
> > I wish everyone did implicit DROP's, it would make the web a safer
> > place.
> 
> IBID
> 
> Thanks
> > 
> > :-)
> > 
> > 
> > 
> > Ted
> > 
> > 
> > On Wed, 2003-11-05 at 15:39, Antony Stone wrote:
> > > On Wednesday 05 November 2003 8:19 pm, Leandro Takashi Hirano wrote:
> > > 
> > > > Thanks Antony...
> > > >
> > > > Do you have a script or something where I can find protection rules?
> > > 
> > > You tell us what protection you want and we can suggest some rules to do it.
> > > 
> > > There's no single "magic ruleset" for netfilter / iptables which "protects 
> > > your network", otherwise every distribution would include it as standard.
> > > 
> > > It depends what you want to do.
> > > 
> > > A good starting point is:
> > > 
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A FORWARD -i $intIF -o $extIF -j ACCEPT
> > > 
> > > That will allow nothing in or out of the firewall machine itself, and will 
> > > allow all access from your internal network to the Internet, blocking 
> > > everything except reply packets from the Internet to your network.
> > > 
> > > I do not recommend that you simply implement the above rules before you 
> > > understand what they are designed to do.
> > > 
> > > Check Oskar Andreasson's excellent tutorial for more information about this 
> > > sort of configuration, or any of the other documentation at 
> > > http://www.netfilter.org
> > > 
> > > Antony.
> > 
> >