Iptables rules to prevent IP Spoofing
Zama Ques
queszama at yahoo.in
Mon Dec 26 09:17:10 UTC 2016
|
favorite | We had following below iptables rules that exist in our web front-end boxes to prevent IP Spoofing: -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 0.0.0.0/8 -j DROP
We want to add below rules now to further harden IP Spoofing prevention -A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT –s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT –s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 240.0.0.0/5 -j DROP
Do you suggest adding above rules in a production box running Apache httpd as a reverse proxy? This production box is behind a F5 load balancer.Also, do we need to enable the below kernel parameters for the above rules to work effectively? net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1 |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/redhat-sysadmin-list/attachments/20161226/f6cfe472/attachment.htm>
More information about the redhat-sysadmin-list
mailing list