* Re: Spoofed ip's
2003-02-11 7:25 Spoofed ip's deff
@ 2003-02-11 15:56 ` uniplex
2003-02-12 1:28 ` Arnt Karlsen
2003-02-11 17:09 ` Athan
` (2 subsequent siblings)
3 siblings, 1 reply; 7+ messages in thread
From: uniplex @ 2003-02-11 15:56 UTC (permalink / raw)
To: deff; +Cc: netfilter
deff wrote:
> Hello everyone.
>
> I set up a firewall that filters out, logs, and drops packets
> originating from spoofed IP addresses.
>
> The definition here of a spoofed IP is:
> a) A non-routable IP
> b) An IP that's not destined for us (shouldn't get past router anyway)
> c) A local IP
> d) The loopback IP
>
> Originally the firewall only filtered 172.16.0.0/12, 192.168.0.0/16,
> 10.0.0.0/8 and 127.0.0.1 addresses.
>
> Then I took a look at Firestarter's iptables script and saw that it also
> filters out other addresses.
>
> Could anyone please check the rules below and tell me if the source
> IPs are valid. I'm seeing an incredible amount of these IPs
> attempting to get through.
>
> To me it looks like I'm blocking out the whole internet, but that makes
> me wonder why Firestarter does it.
>
> thanks,
> Cillié
>
Would something like this look a little better for you?
RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8
39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8
75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 81.0.0.0/8
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8
94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8
106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8
112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8
118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8
124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 172.16.0.0/12
192.168.0.0/16 197.0.0.0/8 201.0.0.0/8 219.0.0.0/8 220.0.0.0/8
220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/4 240.0.0.0/8
240.0.0.0/5 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
for NET in $RESERVED_NET, do
iptables --append spoofed_ip --source $NET --jump spoof_log
done
> ______________________CUT____________________________
>
>
> iptables --append spoofed_ip --source 1.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 2.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 5.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 7.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 23.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 27.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 31.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 36.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 37.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 39.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 41.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 42.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 58.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 59.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 60.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 69.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 70.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 72.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 73.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 74.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 75.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 76.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 77.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 78.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 79.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 82.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 83.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 84.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 85.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 86.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 87.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 89.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 90.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 91.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 92.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 93.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 94.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 95.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 96.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 97.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 98.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 99.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 100.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 101.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 102.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 103.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 104.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 105.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 106.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 107.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 108.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 109.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 110.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 111.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 112.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 113.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 114.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 115.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 116.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 117.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 118.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 119.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 120.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 121.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 122.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 123.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 124.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 125.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 126.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 128.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 128.66.0.0/16 --jump spoof_log
> iptables --append spoofed_ip --source 192.168.0.0/16 --jump spoof_log
> iptables --append spoofed_ip --source 172.16.0.0/12 --jump spoof_log
> iptables --append spoofed_ip --source 221.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 197.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 222.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 223.0.0.0/8 --jump spoof_log
> iptables --append spoofed_ip --source 240.0.0.0/4 --jump spoof_log
>
> ______________________CUT___________________________
* Re: Spoofed ip's
2003-02-11 15:56 ` uniplex
@ 2003-02-12 1:28 ` Arnt Karlsen
2003-02-12 8:51 ` Adam D. Barratt
0 siblings, 1 reply; 7+ messages in thread
From: Arnt Karlsen @ 2003-02-12 1:28 UTC (permalink / raw)
To: netfilter
On Tue, 11 Feb 2003 15:56:32 +0000,
uniplex <uniplex@maximum-linux.net> wrote in message
<3E491D30.1000909@maximum-linux.net>:
>
> Would something like this look a little better for you?
>
> RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
> 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8
> 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
> 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8
> 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 81.0.0.0/8
> 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8
> 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8
> 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
> 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8
> 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8
> 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8
> 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8
> 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8
> 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> 197.0.0.0/8 201.0.0.0/8 219.0.0.0/8 220.0.0.0/8 220.0.0.0/8
> 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/4 240.0.0.0/8
> 240.0.0.0/5 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8
> 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8
> 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8
> 255.0.0.0/8"
..some of these above are redundant, and some (wintendos?) need
255.255.255.255/32, play with 'ipcalc -bnmp 0.0.0.0/1' upwards.
..you may also want to distinguish between reserved and private
nets, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and loopback
127.0.0.0/8 and the "outcasts" 224.0.0.0/4 and 240.0.0.0/4. ;-)
> for NET in $RESERVED_NET, do
# ..or, if the above comma fails on you:
for NET in $RESERVED_NET ; do # ;-)
> iptables --append spoofed_ip --source $NET --jump spoof_log
> done
>
..sed, seq, awk, etc magic, anyone? ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Spoofed ip's
2003-02-12 1:28 ` Arnt Karlsen
@ 2003-02-12 8:51 ` Adam D. Barratt
0 siblings, 0 replies; 7+ messages in thread
From: Adam D. Barratt @ 2003-02-12 8:51 UTC (permalink / raw)
To: netfilter
Arnt Karlsen wrote, Wednesday, February 12, 2003 1:28 AM:
> On Tue, 11 Feb 2003 15:56:32 +0000,
> uniplex <uniplex@maximum-linux.net> wrote in message
> <3E491D30.1000909@maximum-linux.net>:
>
> >
> > Would something like this look a little better for you?
> >
> > RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8
[...]
> ..some of these above are redundant, and some (wintendos?) need
> 255.255.255.255/32, play with 'ipcalc -bnmp 0.0.0.0/1' upwards.
More to the point, and even worse, some of them are *wrong*.
At a quick glance, 69/8, 81/8, 82/8, 219/8, 220/8 and 221/8 are *not*
reserved. Some of them haven't been for nearly two years now.
Adam
* Re: Spoofed ip's
2003-02-11 7:25 Spoofed ip's deff
2003-02-11 15:56 ` uniplex
@ 2003-02-11 17:09 ` Athan
2003-02-11 19:22 ` Gastón Franco
2003-02-12 8:56 ` Adam D. Barratt
3 siblings, 0 replies; 7+ messages in thread
From: Athan @ 2003-02-11 17:09 UTC (permalink / raw)
To: deff; +Cc: netfilter
On Tue, Feb 11, 2003 at 09:25:50AM +0200, deff wrote:
> Could anyone please check the rules below and tell me if the source
> IPs are valid. I'm seeing an incredible amount of these IPs
> attempting to get through.
Check them using whois:
15:34:49 0$ whois 1.0.0.0
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 1.0.0.0 - 1.255.255.255
CIDR: 1.0.0.0/8
NetName: RESERVED-9
NetHandle: NET-1-0-0-0-1
Parent:
NetType: IANA Reserved
Comment:
RegDate:
Updated: 2002-09-12
OrgTechHandle: IANA-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-823-9358
OrgTechEmail: res-ip@iana.org
# ARIN WHOIS database, last updated 2003-02-10 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
So, yes, that one shouldn't be getting used at all.
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
* Re: Spoofed ip's
2003-02-11 7:25 Spoofed ip's deff
2003-02-11 15:56 ` uniplex
2003-02-11 17:09 ` Athan
@ 2003-02-11 19:22 ` Gastón Franco
2003-02-12 8:56 ` Adam D. Barratt
3 siblings, 0 replies; 7+ messages in thread
From: Gastón Franco @ 2003-02-11 19:22 UTC (permalink / raw)
To: deff; +Cc: netfilter
Hi!
The list of networks reserved by IANA can be found at:
http://www.iana.org/assignments/ipv4-address-space
(for additional information see RFC3330)
--
---------------------------------------------------------
ArCERT
Te:(54-11) 43439001 int.514 Fax:(54-11) 4343-7458
e-mail: gfranco@arcert.gov.ar http://www.arcert.gov.ar
Av.R. Saenz Peña 511 Of 514 Cap.Fed. - Argentina
---------------------------------------------------------
* Re: Spoofed ip's
2003-02-11 7:25 Spoofed ip's deff
` (2 preceding siblings ...)
2003-02-11 19:22 ` Gastón Franco
@ 2003-02-12 8:56 ` Adam D. Barratt
3 siblings, 0 replies; 7+ messages in thread
From: Adam D. Barratt @ 2003-02-12 8:56 UTC (permalink / raw)
To: netfilter
deff wrote, Tuesday, February 11, 2003 7:25 AM:
[...]
> Then I took a look at Firestarter's iptables script and saw that
> it also filters out other addresses.
> Could anyone please check the rules below and tell me if the
> source IPs are valid. I'm seeing an incredible amount of
> these IPs attempting to get through.
> To me it looks like I'm blocking out the whole internet, but that
> makes me wonder why Firestarter does it.
If you're going to bother doing this, at least do it properly. Don't use
someone else's list, as some of them are outdated and therefore, as in this
case, *wrong*.
At a quick glance, 69/8, 81/8, 82/8, 219/8, 220/8 and 221/8 are *not*
reserved. Some of them haven't been for nearly two years now.
http://www.iana.org/assignments/ipv4-address-space is the official
reference, which is kept up-to-date, and should be checked every so often
(alternatively, one could subscribe to the bogon announcement list).
Adam
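
The two objections raised in this thread, entries that are redundant and entries that are no longer reserved, can both be checked mechanically before any rule is loaded. The script below is an added example, not code posted by anyone in the thread; the function names and the shortened sample list are assumptions made for illustration, and the "allocated" list holds only the nets the thread names, not a current registry.

```shell
#!/bin/sh
# Added example: tidy a bogon source list before turning it into iptables rules.

# ranges LIST -> one line per net: "prefixlen first last cidr" (addresses as integers).
# Entries that are not of the form a.b.c.d/len are skipped.
ranges() {
    printf '%s\n' $1 | awk -F'[./]' 'NF == 5 {
        size  = 2 ^ (32 - $5)
        first = int(((($1 * 256 + $2) * 256 + $3) * 256 + $4) / size) * size
        printf "%d %.0f %.0f %s\n", $5, first, first + size - 1, $0 }'
}

# minimize LIST -> nets not already covered by an equal or wider net in LIST.
# Widest prefixes are visited first, so duplicates and contained nets drop out.
minimize() {
    ranges "$1" | LC_ALL=C sort -n -k1,1 -k2,2 | awk '{
        for (i = 1; i <= n; i++)
            if (lo[i] <= $2 + 0 && hi[i] >= $3 + 0) next
        n++; lo[n] = $2 + 0; hi[n] = $3 + 0; print $4 }'
}

# drop_allocated LIST ALLOCATED -> LIST without nets overlapping any ALLOCATED net.
drop_allocated() {
    { ranges "$2" | sed 's/^/A /'; ranges "$1" | sed 's/^/C /'; } | awk '
        $1 == "A" { n++; lo[n] = $3 + 0; hi[n] = $4 + 0; next }
        { for (i = 1; i <= n; i++)
              if (lo[i] <= $4 + 0 && hi[i] >= $3 + 0) next
          print $5 }'
}

# emit_rules LIST -> iptables commands, printed for review and not executed.
emit_rules() {
    for net in $1; do
        echo "iptables --append spoofed_ip --source $net --jump spoof_log"
    done
}

# Constructed sample: a slice of the list posted in the thread.
SAMPLE="10.0.0.0/8 69.0.0.0/8 81.0.0.0/8 127.0.0.0/8 172.16.0.0/12
192.168.0.0/16 220.0.0.0/8 220.0.0.0/8 224.0.0.0/4 240.0.0.0/8
240.0.0.0/5 241.0.0.0/8 248.0.0.0/8 255.0.0.0/8"

# Nets the thread names as no longer reserved (as of the thread's date).
ALLOCATED="69.0.0.0/8 81.0.0.0/8 82.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8"

CLEAN=$(minimize "$(drop_allocated "$SAMPLE" "$ALLOCATED")")
emit_rules "$CLEAN"
```

The ALLOCATED list has to be refreshed from the IANA registry cited above each time the rules are rebuilt; the script only removes what it is told about.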