Networking Forums

Help: How to Prevent Source Address Spoofing

 
 
Amy Lee
      01-27-2008, 12:22 PM
Hello,

I use ADSL to link the Internet, so my ip address is not static, it's
dynamic. However, I wanna use iptables to prevent source address spoofing
which source address of packets is from my ip address.

How to accomplish it?

Thank you very much~

Regards,

Amy Lee
 
 
Robert Harris
      01-27-2008, 01:09 PM
Amy Lee wrote:
> Hello,
>
> I use ADSL to link the Internet, so my ip address is not static, it's
> dynamic. However, I wanna use iptables to prevent source address spoofing
> which source address of packets is from my ip address.
>
> How to accomplish it?
>
> Thank you very much~
>
> Regards,
>
> Amy Lee


Your question is not clear. The source address of all the IP packets
that you send should be the correct one. You cannot stop other machines
spoofing your IP address but the internet will route all packets
destined for your IP address to you.

Which packets do you want to filter out?

Robert
 
 
Amy Lee
      01-27-2008, 01:14 PM
On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:

> Amy Lee wrote:
>> Hello,
>>
>> I use ADSL to link the Internet, so my ip address is not static, it's
>> dynamic. However, I wanna use iptables to prevent source address spoofing
>> which source address of packets is from my ip address.
>>
>> How to accomplish it?
>>
>> Thank you very much~
>>
>> Regards,
>>
>> Amy Lee

>
> Your question is not clear. The source address of all the IP packets
> that you send should be the correct one. You cannot stop other machines
> spoofing your IP address but the internet will route all packets
> destined for your IP address to you.
>
> Which packets do you want to filter out?
>
> Robert

Thank you. I wanna filter out the packets send to my machine but which is
from my ip address.

Amy Lee
 
 
Robert Harris
      01-27-2008, 02:36 PM
Amy Lee wrote:
> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
>
>> Amy Lee wrote:
>>> Hello,
>>>
>>> I use ADSL to link the Internet, so my ip address is not static, it's
>>> dynamic. However, I wanna use iptables to prevent source address spoofing
>>> which source address of packets is from my ip address.
>>>
>>> How to accomplish it?
>>>
>>> Thank you very much~
>>>
>>> Regards,
>>>
>>> Amy Lee

>> Your question is not clear. The source address of all the IP packets
>> that you send should be the correct one. You cannot stop other machines
>> spoofing your IP address but the internet will route all packets
>> destined for your IP address to you.
>>
>> Which packets do you want to filter out?
>>
>> Robert

> Thank you. I wanna filter out the packets send to my machine but which is
> from my ip address.
>
> Amy Lee


Ah. Well you should add your iptables rule at the time when DHCP has
allocated your computer an IP address. On my system (Debian etch), that
would mean adding a little script to the directory:

/etc/dhcp3/dhclient-exit-hooks.d

where $new_ip_address will contain your new IP address. The script
should drop all packets with source and destination both the same as
$new_ip_address

Robert
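
A sketch of the kind of hook described in the post above, added here as an example and not code from the thread. It assumes the script is sourced by dhclient-script; IPT, is_ipv4 and antispoof_update are hypothetical names, and the rule is bound to the DHCP interface so loopback traffic is untouched.

```shell
# Constructed dhclient exit hook (added example). dhclient-script sources
# it with $reason, $interface, $old_ip_address and $new_ip_address set.
# IPT, is_ipv4 and antispoof_update are names assumed for this sketch.
IPT="${IPT:-iptables}"

# Accept only a dotted quad: the value lands on a root command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Keep exactly one DROP rule for packets arriving on the DHCP interface
# whose source and destination are both the leased address.
antispoof_update() {   # args: reason interface old_ip new_ip
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT)
            is_ipv4 "$4" || return 1
            # Delete the old lease's rule and any copy of the current
            # one, so repeated RENEWs never stack duplicates.
            for ip in "$3" "$4"; do
                is_ipv4 "$ip" &&
                    $IPT -D INPUT -i "$2" -s "$ip" -d "$ip" -j DROP 2>/dev/null || true
            done
            $IPT -I INPUT 1 -i "$2" -s "$4" -d "$4" -j DROP
            ;;
        EXPIRE|FAIL|RELEASE|STOP)
            is_ipv4 "$3" &&
                $IPT -D INPUT -i "$2" -s "$3" -d "$3" -j DROP 2>/dev/null || true
            ;;
    esac
}

# Only act when sourced by dhclient-script, which sets $reason.
if [ -n "${reason:-}" ]; then
    antispoof_update "$reason" "$interface" \
        "${old_ip_address:-}" "${new_ip_address:-}"
fi
```

Setting IPT to a command that only prints its arguments shows the rules that would be applied without touching the live ruleset.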
 
 
Amy Lee
      01-29-2008, 03:24 PM
On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:

> Amy Lee wrote:
>> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
>>
>>> Amy Lee wrote:
>>>> Hello,
>>>>
>>>> I use ADSL to link the Internet, so my ip address is not static, it's
>>>> dynamic. However, I wanna use iptables to prevent source address spoofing
>>>> which source address of packets is from my ip address.
>>>>
>>>> How to accomplish it?
>>>>
>>>> Thank you very much~
>>>>
>>>> Regards,
>>>>
>>>> Amy Lee
>>> Your question is not clear. The source address of all the IP packets
>>> that you send should be the correct one. You cannot stop other machines
>>> spoofing your IP address but the internet will route all packets
>>> destined for your IP address to you.
>>>
>>> Which packets do you want to filter out?
>>>
>>> Robert

>> Thank you. I wanna filter out the packets send to my machine but which is
>> from my ip address.
>>
>> Amy Lee

>
> Ah. Well you should add your iptables rule at the time when DHCP has
> allocated your computer an IP address. On my system (Debian etch), that
> would mean adding a little script to the directory:
>
> /etc/dhcp3/dhclient-exit-hooks.d
>
> where $new_ip_address will contain your new IP address. The script
> should drop all packets with source and destination both the same as
> $new_ip_address
>
> Robert

Thank you. But my OS is RHEL 3, it seems that I can't find the directory.

Regards,

Amy
 
 
Robert Harris
      01-29-2008, 04:47 PM
Amy Lee wrote:
> On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:
>
>> Amy Lee wrote:
>>> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
>>>
>>>> Amy Lee wrote:
>>>>> Hello,
>>>>>
>>>>> I use ADSL to link the Internet, so my ip address is not static, it's
>>>>> dynamic. However, I wanna use iptables to prevent source address spoofing
>>>>> which source address of packets is from my ip address.
>>>>>
>>>>> How to accomplish it?
>>>>>
>>>>> Thank you very much~
>>>>>
>>>>> Regards,
>>>>>
>>>>> Amy Lee
>>>> Your question is not clear. The source address of all the IP packets
>>>> that you send should be the correct one. You cannot stop other machines
>>>> spoofing your IP address but the internet will route all packets
>>>> destined for your IP address to you.
>>>>
>>>> Which packets do you want to filter out?
>>>>
>>>> Robert
>>> Thank you. I wanna filter out the packets send to my machine but which is
>>> from my ip address.
>>>
>>> Amy Lee

>> Ah. Well you should add your iptables rule at the time when DHCP has
>> allocated your computer an IP address. On my system (Debian etch), that
>> would mean adding a little script to the directory:
>>
>> /etc/dhcp3/dhclient-exit-hooks.d
>>
>> where $new_ip_address will contain your new IP address. The script
>> should drop all packets with source and destination both the same as
>> $new_ip_address
>>
>> Robert

> Thank you. But my OS is RHEL 3, it seems that I can't find the directory.
>
> Regards,
>
> Amy

I really don't know that system too well. Try:

man dhclient

which should tell you where to look for things.

Robert
 
 
goarilla@work
      01-30-2008, 09:17 AM
Robert Harris wrote:
> Amy Lee wrote:
>> On Sun, 27 Jan 2008 15:36:52 +0000, Robert Harris wrote:
>>
>>> Amy Lee wrote:
>>>> On Sun, 27 Jan 2008 14:09:17 +0000, Robert Harris wrote:
>>>>
>>>>> Amy Lee wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I use ADSL to link the Internet, so my ip address is not static, it's
>>>>>> dynamic. However, I wanna use iptables to prevent source address spoofing
>>>>>> which source address of packets is from my ip address.
>>>>>>
>>>>>> How to accomplish it?
>>>>>>
>>>>>> Thank you very much~
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Amy Lee
>>>>> Your question is not clear. The source address of all the IP packets
>>>>> that you send should be the correct one. You cannot stop other machines
>>>>> spoofing your IP address but the internet will route all packets
>>>>> destined for your IP address to you.
>>>>>
>>>>> Which packets do you want to filter out?
>>>>>
>>>>> Robert
>>>> Thank you. I wanna filter out the packets send to my machine but which is
>>>> from my ip address.
>>>>
>>>> Amy Lee
>>> Ah. Well you should add your iptables rule at the time when DHCP has
>>> allocated your computer an IP address. On my system (Debian etch), that
>>> would mean adding a little script to the directory:
>>>
>>> /etc/dhcp3/dhclient-exit-hooks.d
>>>
>>> where $new_ip_address will contain your new IP address. The script
>>> should drop all packets with source and destination both the same as
>>> $new_ip_address
>>>
>>> Robert

>> Thank you. But my OS is RHEL 3, it seems that I can't find the directory.
>>
>> Regards,
>>
>> Amy

> I really don't know that system too well. Try:
>
> man dhclient
>
> which should tell you where to look for things.
>
> Robert


or man dhcpcd ...
 
 
Stefan Schmidt
      01-30-2008, 12:10 PM
On 2008-01-27, Amy Lee <(E-Mail Removed)> wrote:
> Hello,


Moin moin,

> I use ADSL to link the Internet, so my ip address is not static, it's
> dynamic. However, I wanna use iptables to prevent source address spoofing
> which source address of packets is from my ip address.
>
> How to accomplish it?


Actually I don't think you need to. By default the Linux kernel does
prevent that kind of thing anyways - check if
sysctl -a|grep \.rp_filter
is on (i.e. set to 1).

After a quick google for linux, rp_filter and forwarding I found these to
be helpful descriptions for it:

"# When using IPv4 packet forwarding, you will also get the
# rp_filter, which automatically rejects incoming packets if the
# routing table entry for their source address doesn't match the
# network interface they're arriving on"

"The rp_filter variable sets up a reverse patch (rp) filter on the
specific interface. What this means, is quite simple. All it does, is to
validate that the actual source address used by packets correlates
properly with our routing table, and that packets with this specific
source IP address are supposed to get their replies back through that
interface again."

Zap
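
One way to run the rp_filter check from the post above across every interface, added here as an example and not code from the thread. It assumes the behaviour documented for current kernels, where the larger of conf/all and conf/<iface> applies (0 = off, 1 = strict, 2 = loose); CONF_ROOT and the function names are hypothetical.

```shell
# Added example: report the effective rp_filter mode per interface.
# CONF_ROOT is an assumed override so the logic can run on a test tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Current kernels validate with the larger of conf/all and conf/<iface>,
# so a per-interface 0 is still covered when "all" is 1 or 2.
rp_filter_effective() {   # arg: interface name
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || return 1
    own=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# One line per real interface: "<iface> off|strict|loose".
# "all" and "default" are templates, not interfaces, so they are skipped.
rp_filter_report() {
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        mode=$(rp_filter_effective "$iface") || continue
        case "$mode" in
            0) echo "$iface off" ;;
            1) echo "$iface strict" ;;
            2) echo "$iface loose" ;;
            *) echo "$iface unknown($mode)" ;;
        esac
    done
}

rp_filter_report
```

An interface reported as off gets no reverse-path validation, so any anti-spoofing on it has to come from explicit firewall rules.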
 