<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:12px"><div id="yui_3_16_0_ym19_1_1482323704051_2739">Hi,</div><div id="yui_3_16_0_ym19_1_1482323704051_2738"><br></div><div id="yui_3_16_0_ym19_1_1482323704051_2740">We had the following iptables rules to prevent source IP spoofing:</div><div id="yui_3_16_0_ym19_1_1482323704051_2742"><br></div><div id="yui_3_16_0_ym19_1_1482323704051_2745"><br></div><div id="yui_3_16_0_ym19_1_1482323704051_2746">-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"</div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2733">
-A INPUT -s 255.0.0.0/8 -j DROP<br id="yui_3_16_0_ym19_1_1482323704051_2734">
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"<br id="yui_3_16_0_ym19_1_1482323704051_2735">
-A INPUT -s 0.0.0.0/8 -j DROP</div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2733"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2733">We want to add the following further rules:</div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2733"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2733"><span style="font-family: Arial, sans-serif; font-size: 10pt; background-color: rgb(240, 240, 240);">/sbin/iptables -t INPUT -A PREROUTING -s 224.0.0.0/3 -j DROP</span><br></div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="font-size: 10pt; font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1482323704051_2808">
/sbin/iptables -t INPUT -A PREROUTING -s 169.254.0.0/16 -j DROP<br id="yui_3_16_0_ym19_1_1482323704051_2810">
/sbin/iptables -t INPUT -A PREROUTING -s 240.0.0.0/5 -j DROP</span></div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="font-size: 10pt; font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1482323704051_2864">As per our understanding, any packet with one of the above source IPs should be considered invalid. These ranges are as follows:</span></div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="font-size: 10pt; font-family: Arial, sans-serif;"><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2891">IPv4
Multicast Address Space: 224.0.0.0<br id="yui_3_16_0_ym19_1_1482323704051_2892">
Reserved Space: 240.0.0.0<br id="yui_3_16_0_ym19_1_1482323704051_2893">
Automatic Private IP Addressing: 169.254.0.0/16</div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="font-size: 10pt; font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1482323704051_2915">Since we are going to implement it in production, I want to do a proper analysis before implementing it so that we don't drop valid packets.</span></div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="font-size: 10pt; font-family: Arial, sans-serif;">Also, what about implementing these kernel-level parameters, which enable source address verification?</span></div><div style="margin-top:12.0pt;background:#F0F0F0" dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2807"><span style="background-color: rgb(255, 255, 255);" id="yui_3_16_0_ym19_1_1482323704051_2996">net.ipv4.conf.all.rp_filter=1</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2997">
net.ipv4.conf.all.log_martians=1<br id="yui_3_16_0_ym19_1_1482323704051_2998">
net.ipv4.conf.default.log_martians=1</div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2997"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1482323704051_2997">Please suggest.</div></div></body></html>
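An added example, not part of the message above or of iptables itself: a small Python script that models the existing and proposed source prefixes in iptables order, reports any proposed prefix that an earlier rule already covers, and summarises constructed kernel LOG lines by the rule that would have matched. It assumes LOG rules with the same "Spoofed source IP" prefix are placed ahead of the new DROP rules, as the existing rules already do.

```python
import re
import ipaddress

# Constructed model of the rule set from the message, in iptables order
# (first matching rule wins; every rule's action is DROP).
SPOOF_SOURCE_RULES = ["255.0.0.0/8", "0.0.0.0/8", "224.0.0.0/3",
                      "169.254.0.0/16", "240.0.0.0/5"]
NETWORKS = [ipaddress.ip_network(p) for p in SPOOF_SOURCE_RULES]

# The kernel prints the LOG prefix immediately before "IN=", so a prefix without a
# trailing space shows up as "Spoofed source IPIN=eth0"; accept both spellings.
LOG_RE = re.compile(r"Spoofed source IP ?IN=(?P<iface>\S*).*?SRC=(?P<src>[\d.]+)")

def matching_rule(src_ip):
    """Prefix of the first rule that drops a packet with this source IP, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None

def shadowed_rules():
    """Prefixes fully contained in an earlier prefix: such a rule can never match."""
    found = []
    for i, net in enumerate(NETWORKS):
        for earlier in NETWORKS[:i]:
            if net.subnet_of(earlier):
                found.append((str(net), str(earlier)))
                break
    return found

def summarise_log(lines):
    """Count logged drops per rule prefix from kernel LOG output lines."""
    per_rule = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rule = matching_rule(m.group("src")) or "unmatched"
            per_rule[rule] = per_rule.get(rule, 0) + 1
    return per_rule

# Constructed sample lines in the kernel LOG format, not real captured logs.
SAMPLE_LOG = [
    "kernel: Spoofed source IPIN=eth0 OUT= MAC=... SRC=0.0.0.0 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=68 DPT=67",
    "kernel: Spoofed source IPIN=eth0 OUT= MAC=... SRC=255.255.255.255 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=4444 DPT=22",
    "kernel: Spoofed source IP IN=eth1 OUT= MAC=... SRC=241.1.1.1 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=4444 DPT=80",
    "kernel: Spoofed source IP IN=eth1 OUT= MAC=... SRC=169.254.10.20 DST=10.0.0.5 LEN=84 PROTO=ICMP TYPE=8",
    "kernel: unrelated message SRC=10.0.0.7",
]
```

The first sample line has the shape of a DHCP DISCOVER (source 0.0.0.0, UDP port 68 to 67), which the 0.0.0.0/8 rule drops; if the host serves or relays DHCP, review such entries before deploying. The 240.0.0.0/5 rule is reported as shadowed because 224.0.0.0/3 already covers 224.0.0.0 through 255.255.255.255.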