* Spoofed ip's
From: deff @ 2003-02-11 7:25 UTC (permalink / raw)
To: netfilter
Hello everyone.
I set up a firewall that filters out, logs, and drops packets
originating from spoofed IP addresses.
The definition here of a spoofed IP is:
a) A non-routable IP
b) An IP that's not destined for us (shouldn't get past router anyway)
c) A local IP
d) The loopback IP
Originally the firewall only filtered 172.16.0.0/12, 192.168.0.0/16,
10.0.0.0/8 and 127.0.0.1 addresses.
Then I took a look at Firestarter's iptables script and saw that it also
filters out other addresses.
Could anyone please check the rules below and tell me if the source
IPs are valid. I'm seeing an incredible amount of these IPs
attempting to get through.
To me it looks like I'm blocking out the whole internet, but that makes
me wonder why Firestarter does it.
Thanks,
Cillié
______________________CUT____________________________
iptables --append spoofed_ip --source 1.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 2.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 5.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 7.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 23.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 27.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 31.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 36.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 37.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 39.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 41.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 42.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 58.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 59.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 60.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 69.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 70.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 72.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 73.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 74.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 75.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 76.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 77.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 78.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 79.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 82.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 83.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 84.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 85.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 86.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 87.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 89.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 90.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 91.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 92.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 93.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 94.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 95.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 96.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 97.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 98.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 99.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 100.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 101.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 102.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 103.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 104.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 105.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 106.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 107.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 108.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 109.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 110.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 111.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 112.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 113.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 114.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 115.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 116.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 117.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 118.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 119.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 120.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 121.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 122.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 123.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 124.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 125.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 126.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 128.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 128.66.0.0/16 --jump spoof_log
iptables --append spoofed_ip --source 192.168.0.0/16 --jump spoof_log
iptables --append spoofed_ip --source 172.16.0.0/12 --jump spoof_log
iptables --append spoofed_ip --source 221.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 197.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 222.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 223.0.0.0/8 --jump spoof_log
iptables --append spoofed_ip --source 240.0.0.0/4 --jump spoof_log
______________________CUT___________________________
* Re: Spoofed ip's
From: uniplex @ 2003-02-11 15:56 UTC (permalink / raw)
To: deff; +Cc: netfilter
deff wrote:
> Hello everyone.
>
> I set up a firewall that filters out, logs, and drops packets
> originating from spoofed IP addresses.
>
> The definition here of a spoofed IP is:
> a) A non-routable IP
> b) An IP that's not destined for us (shouldn't get past router anyway)
> c) A local IP
> d) The loopback IP
>
> Originally the firewall only filtered 172.16.0.0/12, 192.168.0.0/16,
> 10.0.0.0/8 and 127.0.0.1 addresses.
>
> Then I took a look at Firestarter's iptables script and saw that it also
> filters out other addresses.
>
> Could anyone please check the rules below and tell me if the source
> IPs are valid. I'm seeing an incredible amount of these IPs
> attempting to get through.
>
> To me it looks like I'm blocking out the whole internet, but that makes
> me wonder why Firestarter does it.
>
> Thanks,
> Cillié
>
Would something like this look a little better for you?
RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8
39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8
75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 81.0.0.0/8
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8
94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8
106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8
112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8
118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8
124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 172.16.0.0/12
192.168.0.0/16 197.0.0.0/8 201.0.0.0/8 219.0.0.0/8 220.0.0.0/8
220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/4 240.0.0.0/8
240.0.0.0/5 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
for NET in $RESERVED_NET, do
iptables --append spoofed_ip --source $NET --jump spoof_log
done
* Re: Spoofed ip's
From: Athan @ 2003-02-11 17:09 UTC (permalink / raw)
To: deff; +Cc: netfilter
On Tue, Feb 11, 2003 at 09:25:50AM +0200, deff wrote:
> Could anyone please check the rules below and tell me if the source
> IPs are valid. I'm seeing an incredible amount of these IPs
> attempting to get through.
Check them using whois:
15:34:49 0$ whois 1.0.0.0
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 1.0.0.0 - 1.255.255.255
CIDR: 1.0.0.0/8
NetName: RESERVED-9
NetHandle: NET-1-0-0-0-1
Parent:
NetType: IANA Reserved
Comment:
RegDate:
Updated: 2002-09-12
OrgTechHandle: IANA-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-823-9358
OrgTechEmail: res-ip@iana.org
# ARIN WHOIS database, last updated 2003-02-10 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
So, yes, that one shouldn't be getting used at all.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: Spoofed ip's
From: Gastón Franco @ 2003-02-11 19:22 UTC (permalink / raw)
To: deff; +Cc: netfilter
Hi!
The list of networks reserved by IANA can be found at:
http://www.iana.org/assignments/ipv4-address-space
(for additional information see RFC 3330)
deff wrote:
> Hello everyone.
>
> I set up a firewall that filters out, logs, and drops packets
> originating from spoofed IP addresses.
>
> The definition here of a spoofed IP is:
> a) A non-routable IP
> b) An IP that's not destined for us (shouldn't get past router anyway)
> c) A local IP
> d) The loopback IP
>
> Originally the firewall only filtered 172.16.0.0/12, 192.168.0.0/16,
> 10.0.0.0/8 and 127.0.0.1 addresses.
>
> Then I took a look at Firestarter's iptables script and saw that it also
> filters out other addresses.
>
> Could anyone please check the rules below and tell me if the source
> IPs are valid. I'm seeing an incredible amount of these IPs
> attempting to get through.
>
> To me it looks like I'm blocking out the whole internet, but that makes
> me wonder why Firestarter does it.
>
> Thanks,
> Cillié
>
--
---------------------------------------------------------
ArCERT
Te:(54-11) 43439001 int.514 Fax:(54-11) 4343-7458
e-mail: gfranco@arcert.gov.ar http://www.arcert.gov.ar
Av.R. Saenz Peña 511 Of 514 Cap.Fed. - Argentina
---------------------------------------------------------
* Re: Spoofed ip's
From: Arnt Karlsen @ 2003-02-12 1:28 UTC (permalink / raw)
To: netfilter
On Tue, 11 Feb 2003 15:56:32 +0000,
uniplex <uniplex@maximum-linux.net> wrote in message
<3E491D30.1000909@maximum-linux.net>:
>
> Would something like this look a little better for you?
>
> RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
> 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8
> 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
> 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8
> 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 81.0.0.0/8
> 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
> 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8
> 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
> 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8
> 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8
> 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8
> 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8
> 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8
> 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> 197.0.0.0/8 201.0.0.0/8 219.0.0.0/8 220.0.0.0/8 220.0.0.0/8
> 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/4 240.0.0.0/8
> 240.0.0.0/5 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8
> 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8
> 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8
> 255.0.0.0/8"
..some of these above are redundant, and some (wintendos?) need
255.255.255.255/32, play with 'ipcalc -bnmp 0.0.0.0/1' upwards.
..you may also want to distinguish between reserved and private
nets, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and loopback
127.0.0.0/8 and the "outcasts" 224.0.0.0/4 and 240.0.0.0/4. ;-)
> for NET in $RESERVED_NET, do
# ..or, if the above comma fails on you:
for NET in $RESERVED_NET ; do # ;-)
> iptables --append spoofed_ip --source $NET --jump spoof_log
> done
>
..sed, seq, awk, etc magic, anyone? ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Spoofed ip's
From: Adam D. Barratt @ 2003-02-12 8:51 UTC (permalink / raw)
To: netfilter
Arnt Karlsen wrote, Wednesday, February 12, 2003 1:28 AM:
> On Tue, 11 Feb 2003 15:56:32 +0000,
> uniplex <uniplex@maximum-linux.net> wrote in message
> <3E491D30.1000909@maximum-linux.net>:
>
> >
> > Would something like this look a little better for you?
> >
> > RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
[...]
> ..some of these above are redundant, and some (wintendos?) need
> 255.255.255.255/32, play with 'ipcalc -bnmp 0.0.0.0/1' upwards.
More to the point, and even worse, some of them are *wrong*.
At a quick glance, 69/8, 81/8, 82/8, 219/8, 220/8 and 221/8 are *not*
reserved. Some of them haven't been for nearly two years now.
Adam
* Re: Spoofed ip's
From: Adam D. Barratt @ 2003-02-12 8:56 UTC (permalink / raw)
To: netfilter
deff wrote, Tuesday, February 11, 2003 7:25 AM:
[...]
> Then I took a look at Firestarter's iptables script and saw that
> it also filters out other addresses.
> Could anyone please check the rules below and tell me if the
> source IPs are valid. I'm seeing an incredible amount of
> these IPs attempting to get through.
> To me it looks like I'm blocking out the whole internet, but that
> makes me wonder why Firestarter does it.
If you're going to bother doing this, at least do it properly. Don't use
someone else's list, as some of them are outdated and therefore, as in this
case, *wrong*.
At a quick glance, 69/8, 81/8, 82/8, 219/8, 220/8 and 221/8 are *not*
reserved. Some of them haven't been for nearly two years now.
http://www.iana.org/assignments/ipv4-address-space is the official
reference, which is kept up-to-date, and should be checked every so often
(alternatively, one could subscribe to the bogon announcement list).
Adam
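
Added example, not part of any message in this thread and not Firestarter's code: a POSIX shell filter for the two problems raised above, entries that are redundant (Arnt's reply) and /8s that are no longer reserved (Adam's replies). The function names and the ALLOCATED_OCTETS variable are hypothetical; the sample list is a constructed subset of the RESERVED_NET list posted earlier, and the script only prints the iptables commands.

```sh
#!/bin/sh
# Added example, not code from the thread: clean a bogon candidate list and
# print (not execute) the resulting iptables commands.

# Constructed sample: a subset of the RESERVED_NET list quoted in the thread.
CANDIDATES="0.0.0.0/8 10.0.0.0/8 69.0.0.0/8 81.0.0.0/8 127.0.0.0/8
172.16.0.0/12 192.168.0.0/16 219.0.0.0/8 220.0.0.0/8 220.0.0.0/8
224.0.0.0/4 240.0.0.0/8 240.0.0.0/5 241.0.0.0/8 248.0.0.0/8"

# First octets of the /8s the thread reports as no longer reserved (Feb 2003).
# Assumption: in real use this is refreshed from the current IANA registry.
ALLOCATED_OCTETS="69 81 82 219 220 221"

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change is local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds when CIDR $1 contains CIDR $2 (assumes 64-bit shell arithmetic).
covers() {
    a_len=${1#*/}; b_len=${2#*/}
    [ "$a_len" -le "$b_len" ] || return 1
    mask=$(( (4294967295 << (32 - $a_len)) & 4294967295 ))
    a=$(ip_to_int "${1%/*}"); b=$(ip_to_int "${2%/*}")
    [ $(( $a & $mask )) -eq $(( $b & $mask )) ]
}

# Remove /8 entries whose first octet is allocated address space.
drop_allocated() {
    out=""
    for net in $1; do
        skip=0
        for o in $ALLOCATED_OCTETS; do
            if [ "$net" = "$o.0.0.0/8" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then out="${out:+$out }$net"; fi
    done
    echo "$out"
}

# Remove exact duplicates and entries already covered by a shorter prefix.
drop_redundant() {
    kept=""
    for net in $1; do
        skip=0
        for k in $kept; do
            if [ "$k" = "$net" ]; then skip=1; fi
        done
        for other in $1; do
            if [ "${other#*/}" -lt "${net#*/}" ] && covers "$other" "$net"; then
                skip=1
            fi
        done
        if [ "$skip" -eq 0 ]; then kept="${kept:+$kept }$net"; fi
    done
    echo "$kept"
}

# Print one rule per network, using the chain names from the thread.
emit_rules() {
    for net in $1; do
        echo "iptables --append spoofed_ip --source $net --jump spoof_log"
    done
}

emit_rules "$(drop_redundant "$(drop_allocated "$CANDIDATES")")"
```

The filter does not merge adjacent prefixes (240.0.0.0/5 and 248.0.0.0/8 stay separate); it only drops duplicates, covered entries and allocated /8s.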