From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: IT Clown <iptables@mailbox.co.za>
Cc: netfilter@lists.netfilter.org
Subject: Re: network range
Date: Sat, 03 Apr 2004 17:03:04 -0500 [thread overview]
Message-ID: <1081029737.24410.2.camel@localhost> (raw)
In-Reply-To: <web-275929490@mail01.infosat.net>
On Sat, 2004-04-03 at 15:53, IT Clown wrote:
> How can i create a chaine and a rule that will block all
> the non routed network ranges from entering the network
> from the external interface incase someones trying to spoof
> you?
>
> when one
>
> On Sat, 03 Apr 2004 21:35:21 +0200
> "IT Clown" <iptables@mailbox.co.za> wrote:
> > Hi
> >
> > How do you specifiy more than one netwrk range in a rule,
> > is it possible?
> >
> > i want to do the following:
> > iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
Assume eth0 is public with IP address 1.1.1./241 and eth1 is private
with address 10.0.0.1/24.
I usually implement anti-spoofing in two steps. For both public and
private interfaces I set up a rule to drop any packets from the address
bound to the interface if it appears on a different interface. Thus:
iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
This is to prevent someone from using my own addresses against me.
Then, for private interfaces only, I set up a separate set of rules to
restrict traffic through an interface to only addresses that live behind
those interfaces. To the above example, let's add an indirect network
192.168.0.0/24 accessible through eth1 via the router at 10.0.0.5.
Because I cannot use multiple source addresses in my rule, I set up a
separate user created chain with a drop rule at the end. Any valid
traffic is returned so that it never hits the drop rule. Thus:
iptables -t mangle -N MangleSpoof
iptables -t mangle -A PREROUTING -i eth1 -j MangleSpoof
iptables -t mangle -A MangleSpoof -s 10.0.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -j DROP
If I want to do antispoofing on 10.0.0.0/24 but not 192.168.0.0/24, then
I change the 192.168.0.0 rule to:
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -j RETURN
Someone else may have a better way but that's how I do it. I use the
mangle table rather than filter so that I can drop bad packets ASAP.
Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
next prev parent reply other threads:[~2004-04-03 22:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-03 19:35 network range IT Clown
2004-04-03 20:53 ` IT Clown
2004-04-03 21:32 ` Rob Sterenborg
2004-04-03 22:02 ` John A. Sullivan III
2004-04-03 22:03 ` John A. Sullivan III [this message]
2004-04-04 10:40 ` Alexander Samad
2004-04-05 11:07 ` John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1081029737.24410.2.camel@localhost \
--to=jsullivan@opensourcedevelopmentcorp.com \
--cc=iptables@mailbox.co.za \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox