* network range
From: IT Clown @ 2004-04-03 19:35 UTC (permalink / raw)
To: netfilter
Hi
How do you specify more than one network range in a rule,
is it possible?
i want to do the following:
iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
Regards
_______________________________________________________
Herbalife Independent Distributor www.healthiest.co.za
* Re: network range
From: IT Clown @ 2004-04-03 20:53 UTC (permalink / raw)
To: netfilter
How can I create a chain and a rule that will block all
the non-routed network ranges from entering the network
from the external interface in case someone is trying to spoof
you?
when one
On Sat, 03 Apr 2004 21:35:21 +0200
"IT Clown" <iptables@mailbox.co.za> wrote:
> Hi
>
> How do you specify more than one network range in a rule,
> is it possible?
>
> i want to do the following:
> iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
>
> Regards
> _______________________________________________________
> Herbalife Independent Distributor www.healthiest.co.za
>
_______________________________________________________
Herbalife Independent Distributor www.healthiest.co.za
* RE: network range
From: Rob Sterenborg @ 2004-04-03 21:32 UTC (permalink / raw)
To: 'IT Clown', netfilter
> > How do you specify more than one network range in a rule, is it
> > possible?
No.
> > i want to do the following:
> > iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
You can't ;).
> How can I create a chain and a rule that will block all the
> non-routed network ranges from entering the network from the
> external interface in case someone is trying to spoof you?
Like this :
iptables -N spoof
iptables -A spoof -i <if_inet> -s 10.0.0.0/8 -j DROP
iptables -A spoof -i <if_inet> -s 169.254.0.0/16 -j DROP
...
iptables -A INPUT -j spoof
iptables -A FORWARD -j spoof
Gr,
Rob
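Rob's answer spells the chain out by hand. What follows is an added example, not code from Rob or from anyone on the list: it generates that same chain from a list of prefixes so the list can be reviewed before it is applied, and it also shows the two later mechanisms that really do put several ranges into one rule, an ipset matched with -m set and an nftables anonymous set, neither of which existed in 2004. The interface name ext0, the chain and set names and the bogon list itself are assumptions; the nft line assumes a table "inet filter" with an input chain already exists.

```shell
#!/bin/sh
# Added example, not Rob's or the list's code: build the anti-spoof chain
# from a list of prefixes, and show the two later mechanisms that do put
# several ranges into one rule (ipset and an nftables anonymous set).
# The functions print the commands instead of running them, so the
# result can be reviewed (and tested) before it reaches a live firewall.

# Constructed list of IPv4 ranges that should never be a source address
# on an Internet-facing interface (RFC 1918 and the RFC 6890 special-use
# blocks). Trim it to your own situation: 100.64.0.0/10 is legitimate
# upstream of a carrier-grade NAT, for example.
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# gen_spoof_chain IFACE CHAIN PREFIX...
# One DROP rule per prefix in a user-defined chain, hooked from both
# INPUT and FORWARD (Rob's construction, generated rather than typed).
gen_spoof_chain() {
    iface=$1; chain=$2; shift 2
    printf 'iptables -N %s\n' "$chain"
    for net in "$@"; do
        printf 'iptables -A %s -i %s -s %s -j DROP\n' "$chain" "$iface" "$net"
    done
    printf 'iptables -A INPUT -j %s\n' "$chain"
    printf 'iptables -A FORWARD -j %s\n' "$chain"
}

# gen_spoof_ipset IFACE SETNAME PREFIX...
# Same policy as one rule per hook: all prefixes go into a hash:net ipset
# and a single -m set match drops anything whose source is in it.
gen_spoof_ipset() {
    iface=$1; setname=$2; shift 2
    printf 'ipset create %s hash:net -exist\n' "$setname"
    for net in "$@"; do
        printf 'ipset add %s %s -exist\n' "$setname" "$net"
    done
    for hook in INPUT FORWARD; do
        printf 'iptables -A %s -i %s -m set --match-set %s src -j DROP\n' \
            "$hook" "$iface" "$setname"
    done
}

# gen_spoof_nft IFACE PREFIX...
# nftables accepts the list inline as an anonymous set. Assumes a table
# "inet filter" with an input-hook chain "input" already exists.
gen_spoof_nft() {
    iface=$1; shift
    list=$(printf '%s, ' "$@"); list=${list%, }
    printf 'nft add rule inet filter input iifname "%s" ip saddr { %s } drop\n' \
        "$iface" "$list"
}

# count_drop_rules IFACE CHAIN PREFIX... -> number of DROP rules emitted
count_drop_rules() {
    gen_spoof_chain "$@" | grep -c -- '-j DROP'
}

# Review the output first, then apply with e.g.:
#   gen_spoof_chain ext0 spoof $BOGONS | sh
# (ext0 is a placeholder for the Internet-facing interface.)
gen_spoof_chain ext0 spoof $BOGONS
gen_spoof_ipset ext0 bogons $BOGONS
gen_spoof_nft ext0 $BOGONS
```

Generating the commands rather than running them keeps the prefix list in one place and makes the output easy to diff against what is actually loaded; the ipset and nft variants are the answer to the original question on any kernel from the last decade or so.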
* Re: network range
From: John A. Sullivan III @ 2004-04-03 22:02 UTC (permalink / raw)
To: IT Clown; +Cc: netfilter
On Sat, 2004-04-03 at 15:53, IT Clown wrote:
> How can I create a chain and a rule that will block all
> the non-routed network ranges from entering the network
> from the external interface in case someone is trying to spoof
> you?
>
> when one
>
> On Sat, 03 Apr 2004 21:35:21 +0200
> "IT Clown" <iptables@mailbox.co.za> wrote:
> > Hi
> >
> > How do you specify more than one network range in a rule,
> > is it possible?
> >
> > i want to do the following:
> > iptables -A INPUT -s 10.0.0.0/8 169.254.0.0/16 -j DROP
Assume eth0 is public with IP address 1.1.1.1/24 and eth1 is private
with address 10.0.0.1/24.
I usually implement anti-spoofing in two steps. For both public and
private interfaces I set up a rule to drop any packets from the address
bound to the interface if it appears on a different interface. Thus:
iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
This is to prevent someone from using my own addresses against me.
Then, for private interfaces only, I set up a separate set of rules to
restrict traffic through an interface to only addresses that live behind
those interfaces. To the above example, let's add an indirect network
192.168.0.0/24 accessible through eth1 via the router at 10.0.0.5.
Because I cannot use multiple source addresses in my rule, I set up a
separate user-created chain with a drop rule at the end. Any valid
traffic is returned so that it never hits the drop rule. Thus:
iptables -t mangle -N MangleSpoof
iptables -t mangle -A PREROUTING -i eth1 -j MangleSpoof
iptables -t mangle -A MangleSpoof -s 10.0.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -i eth1 -j RETURN
iptables -t mangle -A MangleSpoof -j DROP
If I want to do antispoofing on 10.0.0.0/24 but not 192.168.0.0/24, then
I change the 192.168.0.0 rule to:
iptables -t mangle -A MangleSpoof -s 192.168.0.0/24 -j RETURN
Someone else may have a better way but that's how I do it. I use the
mangle table rather than filter so that I can drop bad packets ASAP.
Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
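John's two-step scheme, as an added example that is not his script: the mangle-table rules are generated from a small per-interface table (using the negation syntax current iptables accepts), and a small simulator applies the same decisions to sample packets so the policy can be checked before anything is loaded. The interface names, roles, the 203.0.113.0/24 public prefix and the Spoof_ chain names are constructed for the example.

```shell
#!/bin/sh
# Added example, not John's own script: generate his two-step mangle-table
# anti-spoofing rules from a small per-interface table, and simulate the
# resulting policy so it can be checked against sample packets before it
# is loaded. Interface names, roles and addresses are constructed.
#
# Table format, one interface per line:
#   IFACE ROLE PREFIXES
# PREFIXES is comma-separated: the directly attached net plus any nets
# reached through routers behind that interface (John's 192.168.0.0/24).
TOPOLOGY='eth0 public 203.0.113.0/24
eth1 private 10.0.0.0/24,192.168.0.0/24'

# split_prefixes "a,b,c" -> "a b c"
split_prefixes() { printf '%s' "$1" | tr ',' ' '; }

# Step 1: a prefix that belongs behind one interface must never arrive on
# another one. (Current iptables spells the negation "! -i"; the 2004
# form in the thread was "-i ! eth1".)
gen_step1() {
    printf '%s\n' "$1" | while read -r iface role prefixes; do
        [ -n "$iface" ] || continue
        for net in $(split_prefixes "$prefixes"); do
            printf 'iptables -t mangle -A PREROUTING -s %s ! -i %s -j DROP\n' "$net" "$iface"
        done
    done
}

# Step 2: on private interfaces only, RETURN sources that live behind the
# interface and DROP whatever reaches the end of the chain.
gen_step2() {
    printf '%s\n' "$1" | while read -r iface role prefixes; do
        [ "$role" = private ] || continue
        chain="Spoof_$iface"
        printf 'iptables -t mangle -N %s\n' "$chain"
        printf 'iptables -t mangle -A PREROUTING -i %s -j %s\n' "$iface" "$chain"
        for net in $(split_prefixes "$prefixes"); do
            printf 'iptables -t mangle -A %s -s %s -j RETURN\n' "$chain" "$net"
        done
        printf 'iptables -t mangle -A %s -j DROP\n' "$chain"
    done
}

# --- policy simulator: same decisions as the generated rules ----------
ip2int() {               # A.B.C.D -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_net() {               # in_net IP NET/LEN -> true if IP is inside NET/LEN
    len=${2#*/}; base=${2%/*}; pow=1; i=$len
    while [ "$i" -lt 32 ]; do pow=$(( pow * 2 )); i=$(( i + 1 )); done
    [ $(( $(ip2int "$1") / pow )) -eq $(( $(ip2int "$base") / pow )) ]
}

# verdict TOPOLOGY SRC_IP IN_IFACE -> DROP or PASS
verdict() {
    src=$2; inif=$3
    printf '%s\n' "$1" | {
        result=PASS
        while read -r iface role prefixes; do
            [ -n "$iface" ] || continue
            if [ "$iface" != "$inif" ]; then
                # step 1: one of our own prefixes arriving on the wrong interface
                for net in $(split_prefixes "$prefixes"); do
                    if in_net "$src" "$net"; then result=DROP; fi
                done
            elif [ "$role" = private ]; then
                # step 2: only sources that live behind this private interface
                ok=no
                for net in $(split_prefixes "$prefixes"); do
                    if in_net "$src" "$net"; then ok=yes; fi
                done
                [ "$ok" = yes ] || result=DROP
            fi
        done
        echo "$result"
    }
}

gen_step1 "$TOPOLOGY"
gen_step2 "$TOPOLOGY"
for pkt in '10.0.0.7 eth1' '10.0.0.7 eth0' '172.16.5.5 eth1'; do
    echo "# $pkt -> $(verdict "$TOPOLOGY" $pkt)"
done
```

The simulator is the part worth keeping around: whenever the table changes, a handful of verdict calls on known-good and known-spoofed (address, interface) pairs catches a prefix typed into the wrong row before the rules are pushed to the box.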
* Re: network range
From: Alexander Samad @ 2004-04-04 10:40 UTC (permalink / raw)
To: netfilter
On Sat, Apr 03, 2004 at 05:03:04PM -0500, John A. Sullivan III wrote:
> On Sat, 2004-04-03 at 15:53, IT Clown wrote:
--- snip ---
> I usually implement anti-spoofing in two steps. For both public and
> private interfaces I set up a rule to drop any packets from the address
> bound to the interface if it appears on a different interface. Thus:
> iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
> iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
Isn't that what rp_filter does?
> This is to prevent someone from using my own addresses against me.
>
--- snip ---
>
> Someone else may have a better way but that's how I do it. I use the
> mangle table rather than filter so that I can drop bad packets ASAP.
> Good luck - John
* Re: network range
From: John A. Sullivan III @ 2004-04-05 11:07 UTC (permalink / raw)
To: Alexander Samad; +Cc: netfilter
rp_filter presents some issues when used with Free/Open/StrongSWAN, the
IPSec products. This also gives a more finely grained control of the
process, e.g., the possibility of selectively anti-spoofing. Finally,
because I have not used it (because of the VPN conflict), I'm not sure
if rp_filter applies to only INPUT traffic or also FORWARD traffic. I
think the latter but I do not know authoritatively.
Thanks for the comment - John
On Sun, 2004-04-04 at 06:40, Alexander Samad wrote:
> On Sat, Apr 03, 2004 at 05:03:04PM -0500, John A. Sullivan III wrote:
> > On Sat, 2004-04-03 at 15:53, IT Clown wrote:
> --- snip ---
> > I usually implement anti-spoofing in two steps. For both public and
> > private interfaces I set up a rule to drop any packets from the address
> > bound to the interface if it appears on a different interface. Thus:
> > iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -i ! eth1 -j DROP
> > iptables -t mangle -A PREROUTING -s 1.1.1.0/24 -i ! eth0 -j DROP
>
> Isn't that what rp_filter does ?
>
> > This is to prevent someone from using my own addresses against me.
> >
> --- snip ---
> >
> > Someone else may have a better way but that's how I do it. I use the
> > mangle table rather than filter so that I can drop bad packets ASAP.
> > Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
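On the open question in this exchange: rp_filter is enforced by the kernel as part of source-address validation when an incoming packet is routed, before the INPUT/FORWARD split, so it applies to locally delivered and forwarded traffic alike. The value in force on an interface is the larger of conf/all/rp_filter and conf/IFACE/rp_filter, which is easy to get wrong by setting only one of them. Strict mode (1) drops a packet when the route back to its source does not leave through the interface it arrived on; tunnelled traffic whose inner source networks are not in the routing table is a common way this bites, which is the kind of IPsec conflict John describes, and loose mode (2) is the usual compromise. The following added example, not from the thread, reports the effective mode per interface and emits the sysctl lines to set it; the sysctl directory is a parameter so the same logic runs here against a constructed tree (the interface names eth0, eth1 and ipsec0 and their values are made up) rather than the live /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the kernel reverse-path
# filter (rp_filter), the built-in counterpart of John's step-1 rules,
# and report the mode actually in force per interface. The kernel applies
# max(conf/all/rp_filter, conf/IFACE/rp_filter), so setting only "all"
# or only the interface can give a different result than expected.
# The sysctl directory is a parameter so the same logic runs against a
# constructed tree here instead of the live /proc/sys/net/ipv4/conf.

rp_mode_name() {            # numeric rp_filter value -> name
    case $1 in
        0) echo off ;;
        1) echo strict ;;   # RFC 3704 strict: route back to source must use the arrival interface
        2) echo loose ;;    # RFC 3704 loose: source only has to be reachable via some interface
        *) echo unknown ;;
    esac
}

# effective_rp_filter CONF_DIR IFACE -> value the kernel actually uses
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    own=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# report_rp_filter CONF_DIR -> "IFACE VALUE MODE" per real interface
report_rp_filter() {
    for d in "$1"/*/; do
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac
        v=$(effective_rp_filter "$1" "$iface")
        printf '%s %s %s\n' "$iface" "$v" "$(rp_mode_name "$v")"
    done
}

# gen_rp_filter_sysctl MODE IFACE... -> sysctl commands that pin "all" to
# 0 (so per-interface values decide) and set MODE on the given interfaces
gen_rp_filter_sysctl() {
    mode=$1; shift
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=0\n'
    for iface in "$@"; do
        printf 'sysctl -w net.ipv4.conf.%s.rp_filter=%s\n' "$iface" "$mode"
    done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf: strict on eth0, loose
# on eth1, off on a VPN interface, with "all" left at 0.
make_sample_conf() {
    t=$(mktemp -d)
    for i in all default eth0 eth1 ipsec0; do mkdir -p "$t/$i"; done
    echo 0 > "$t/all/rp_filter"
    echo 1 > "$t/default/rp_filter"
    echo 1 > "$t/eth0/rp_filter"
    echo 2 > "$t/eth1/rp_filter"
    echo 0 > "$t/ipsec0/rp_filter"
    echo "$t"
}

SAMPLE=$(make_sample_conf)
report_rp_filter "$SAMPLE"
gen_rp_filter_sysctl 1 eth0
# To read the live system instead:  report_rp_filter /proc/sys/net/ipv4/conf
```

Because the maximum wins, "net.ipv4.conf.all.rp_filter=1" silently turns strict mode on for a tunnel interface that was deliberately left at 0; the report above shows the effective value, which is the one to check when VPN traffic starts disappearing.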