From queszama at yahoo.in Wed Dec 21 12:43:11 2016
From: queszama at yahoo.in (Zama Ques)
Date: Wed, 21 Dec 2016 12:43:11 +0000 (UTC)
Subject: Iptables to prevent Ip Spoofing
References: <2080694958.585051.1482324191029.ref@mail.yahoo.com>
Message-ID: <2080694958.585051.1482324191029@mail.yahoo.com>

Hi,

We had the following iptables rules to prevent Source IP spoofing

    -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 255.0.0.0/8 -j DROP
    -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 0.0.0.0/8 -j DROP

We want to add the following further rules

    /sbin/iptables -t INPUT -A PREROUTING -s 224.0.0.0/3 -j DROP
    /sbin/iptables -t INPUT -A PREROUTING -s 169.254.0.0/16 -j DROP
    /sbin/iptables -t INPUT -A PREROUTING -s 240.0.0.0/5 -j DROP

As per our understanding any packets with above source IP should be considered as invalid. These ranges are as follows

    IPv4 Multicast Address Space : 224.0.0.0
    Reserved Space : 240.0.0.0
    Automatic Private IP Addressing : 169.254.0.0/16

Since we are going to implement it in production, I want to do proper analysis before implementing it so that we don't drop valid packets.

Also, what about implementing these kernel level parameters which enables source address verification.

    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.all.log_martians=1
    net.ipv4.conf.default.log_martians=1

Please suggest.

From queszama at yahoo.in Mon Dec 26 09:17:10 2016
From: queszama at yahoo.in (Zama Ques)
Date: Mon, 26 Dec 2016 09:17:10 +0000 (UTC)
Subject: Iptables rules to prevent IP Spoofing
References: <1989409868.2329896.1482743830310.ref@mail.yahoo.com>
Message-ID: <1989409868.2329896.1482743830310@mail.yahoo.com>

We had following below iptables rules that exist in our web front-end boxes to prevent IP Spoofing:

    -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 255.0.0.0/8 -j DROP
    -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 0.0.0.0/8 -j DROP

We want to add below rules now to further harden IP Spoofing prevention

    -A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 255.0.0.0/8 -j DROP
    -A INPUT -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 169.254.0.0/16 -j DROP
    -A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
    -A INPUT -s 240.0.0.0/5 -j DROP

Do you suggest adding above rules in a production box running Apache httpd as a reverse proxy? This production box is behind a F5 load balancer. Also, do we need to enable the below kernel parameters for the above rules to work effectively?

    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.all.log_martians=1
    net.ipv4.conf.default.log_martians=1
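
Added example, not part of the original posts: a pre-deployment check of the source ranges quoted above, showing what each prefix actually spans, which listed ranges are already contained in another, and whether the multicast, reserved and link-local blocks the first message names are fully matched. The function names and the NAMED_BLOCKS table are assumptions made for this illustration.

```python
import ipaddress

# Source ranges copied from the rules quoted in the two messages above.
RULE_RANGES = ["255.0.0.0/8", "0.0.0.0/8", "224.0.0.0/3",
               "169.254.0.0/16", "240.0.0.0/5"]

# Standard IPv4 blocks for the categories the first message names
# (assumption: these are the blocks the poster intends to cover).
NAMED_BLOCKS = {"multicast": "224.0.0.0/4",
                "reserved": "240.0.0.0/4",
                "link-local": "169.254.0.0/16"}

def span(cidr):
    """Return (first, last) address of a CIDR block; rejects misaligned prefixes."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])

def redundant(ranges):
    """Map each range to the other listed ranges that already contain it."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    out = {}
    for n in nets:
        covers = [str(m) for m in nets if m != n and n.subnet_of(m)]
        if covers:
            out[str(n)] = covers
    return out

def uncovered(block, ranges):
    """Return the parts of `block` that none of `ranges` would match."""
    left = [ipaddress.ip_network(block)]
    for r in map(ipaddress.ip_network, ranges):
        nxt = []
        for piece in left:
            if piece.subnet_of(r):
                continue                      # fully matched by this rule
            if r.subnet_of(piece):
                nxt.extend(piece.address_exclude(r))  # keep the remainder
            else:
                nxt.append(piece)             # disjoint, unchanged
        left = nxt
    return sorted(str(n) for n in left)

if __name__ == "__main__":
    for r in RULE_RANGES:
        print(f"{r:18} {span(r)[0]} - {span(r)[1]}")
    print("contained in another rule:", redundant(RULE_RANGES))
    for name, block in NAMED_BLOCKS.items():
        print(name, "gaps with all rules:", uncovered(block, RULE_RANGES))
    print("reserved gaps with 240.0.0.0/5 alone:",
          uncovered("240.0.0.0/4", ["240.0.0.0/5"]))
```
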