From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: IT Clown <iptables@mailbox.co.za>
Cc: netfilter@lists.netfilter.org
Subject: Re: network range
Date: Sat, 03 Apr 2004 17:03:04 -0500
Message-ID: <1081029737.24410.2.camel@localhost>
In-Reply-To: <web-275929490@mail01.infosat.net>
On Sat, 2004-04-03 at 15:53, IT Clown wrote:
> How can i create a chain and a rule that will block all
> the non routed network ranges from entering the network
> from the external interface in case someone's trying to spoof
> you?
>
> when one
>
> On Sat, 03 Apr 2004 21:35:21 +0200
> "IT Clown" <iptables@mailbox.co.za> wrote:
> > Hi
> >
> > How do you specify more than one network range in a rule,
> > is it possible?
> >
> > i want to do the following:
> > iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
Assume eth0 is public with IP address 1.1.1.1/24 and eth1 is private
with address 10.0.0.1/24.
I usually implement anti-spoofing in two steps. For both public and
private interfaces I set up a rule to drop any packets from the address
bound to the interface if it appears on a different interface. Thus:
iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
This is to prevent someone from using my own addresses against me.
Then, for private interfaces only, I set up a separate set of rules to
restrict traffic through an interface to only addresses that live behind
those interfaces. To the above example, let's add an indirect network
192.168.0.0/24 accessible through eth1 via the router at 10.0.0.5.
Because I cannot use multiple source addresses in my rule, I set up a
separate user-created chain with a drop rule at the end. Any valid
traffic is returned so that it never hits the drop rule. Thus:
iptables -t mangle -N MangleSpoof
iptables -t mangle -A PREROUTING -i eth1 -j MangleSpoof
iptables -t mangle -A MangleSpoof -s 10.0.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -j DROP
If I want to do antispoofing on 10.0.0.0/24 but not 192.168.0.0/24, then
I change the 192.168.0.0 rule to:
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -j RETURN
Someone else may have a better way but that's how I do it. I use the
mangle table rather than filter so that I can drop bad packets ASAP.
Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
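The two-step scheme John describes above (drop an interface's own subnet when it arrives on any other interface, then a per-interface user chain that RETURNs the networks legitimately behind that interface and DROPs everything else) generalised to an arbitrary list of networks, as an added example script that is not part of John's message. It assumes the topology in the message (eth0 public 1.1.1.0/24, eth1 private 10.0.0.0/24 with 192.168.0.0/24 behind a router on eth1); the chain name MangleSpoof is John's, the function names and the IPT variable are this example's own. It runs as a dry run by default (IPT="echo iptables") so the generated rules can be inspected before anything is applied; the negation is written as "! -i", which is the form current iptables accepts, where the 2004 message wrote "-i !".

```shell
#!/bin/sh
# Added example: generate John's anti-spoofing rules for any number of networks.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Accept only dotted-quad/prefix notation so a typo cannot produce a rule
# that matches nothing (or everything).
is_cidr() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

# Step one: the subnet bound to an interface must never arrive on another one.
# $1 = interface, $2 = network bound to it.
own_address_rule() {
    is_cidr "$2" || { echo "bad network: $2" >&2; return 1; }
    $IPT -t mangle -A PREROUTING -s "$2" ! -i "$1" -j DROP
}

# Step two: a user chain for one interface. $1 = interface, $2 = chain name,
# remaining args = networks that legitimately live behind that interface
# (directly attached or reached via an internal router). Valid sources
# RETURN to PREROUTING; the final rule drops whatever is left.
build_spoof_chain() {
    iface=$1; chain=$2; shift 2
    for net in "$@"; do
        is_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    $IPT -t mangle -N "$chain"
    $IPT -t mangle -A PREROUTING -i "$iface" -j "$chain"
    for net in "$@"; do
        $IPT -t mangle -A "$chain" -s "$net" -i "$iface" -j RETURN
    done
    $IPT -t mangle -A "$chain" -j DROP
}

# Constructed topology from the message, run as a dry run.
own_address_rule eth1 10.0.0.0/24
own_address_rule eth0 1.1.1.0/24
build_spoof_chain eth1 MangleSpoof 10.0.0.0/24 192.168.0.0/24
```

Adding a fourth network behind eth1 is one more argument to build_spoof_chain rather than a hand-edited rule; the DROP stays last because the chain is rebuilt in order each time.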
Thread overview: 7+ messages
2004-04-03 19:35 network range IT Clown
2004-04-03 20:53 ` IT Clown
2004-04-03 21:32 ` Rob Sterenborg
2004-04-03 22:02 ` John A. Sullivan III
2004-04-03 22:03 ` John A. Sullivan III [this message]
2004-04-04 10:40 ` Alexander Samad
2004-04-05 11:07 ` John A. Sullivan III