Home / server / Questions / 209658
Accepted
John
Asked: 2010-12-07 09:42:25 +0800 CST

iptables and blocking potentially impossible traffic

  • 772

I am working on some iptables firewall rules and have seen many examples that suggest the importance of blocking potentially impossible traffic from non-routable IP address spaces. This would include items from RFC 1918, RFC 1700, RFC 5735, RFC 3927, RFC 3068, RFC 2544, RFC 5737, RFC 3171, and RFC 919. Some examples include the following:

  • $CURRENT_IP
  • 0.0.0.0/8
  • 10.0.0.0/8
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.0.0/24
  • 192.0.2.0/24
  • 192.88.99.0/24
  • 192.168.0.0/16
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/4
  • 240.0.0.0/4
  • 255.255.255.255

Some of the examples indicate that you only need to worry about checking for this traffic if it is the source of the traffic. Example of:

$IPT -A ANTISPOOF -s 0.0.0.0/8 -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "Denied Spoofed Source IP Address: "
$IPT -A ANTISPOOF -s 0.0.0.0/8 -j DROP

In other examples, a more aggressive stance is taken where they check for the source and destination for both input and output. Examples include:

iptables -A INPUT -d 172.0.0.0/8 -j DROP
iptables -A INPUT -s 172.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.0.0.0/8 -j DROP
iptables -A OUTPUT -s 172.0.0.0/8 -j DROP

I remain with the following questions:

  • Do I need to check for the source address of the IP ranges listed above in the bulleted list?
  • Do I need to check for the destination address of the IP ranges listed above in the bulleted list?
  • Is is important to create rules for the IP ranges listed above that would include both the INPUT and OUTPUT chains?
  • Are there any IP ranges that I have forgotten to check from that are missing from the bulleted list above?

Thanks in advance for your help with this.

firewall linux security iptables

2 Answers

  1. Best Answer

    Most of the above ruleset deals with what is typically called Bogon Filtering: http://en.wikipedia.org/wiki/Bogon_filtering - These are packets that are to/from unallocated areas of the address space.

    3 of those ranges, however, are RFC1918 private networks: http://en.wikipedia.org/wiki/Private_networks - Packets from these can still class as Bogons, but only if they're not legitimate. (Even a rose is a weed, if it's growing in the middle of a car park...)

    If this is a router you're working with, Consider the following:

    • The INPUT and OUTPUT chains deal with traffic destined to / from (respectively) some local process on the firewall itself. Most routed traffic won't touch these chains.
    • The FORWARD chain deals with traffic routed through the machine for some other destination.
    • Typically, you'll want to block inbound traffic from those source networks and outbound traffic to those destination networks. Have a look at the -i flag to iptables, which lets you limit a match to a given network adaptor.
      • I second topdog, though, in that trapping outbound traffic like this is probably not necessary. If it's your server, you should be in control of what it's sending.
    • Remember that your internal LAN probably uses one of the private address ranges. You probably still want to allow that traffic through.
    • 3 
  2. * Do I need to check for the source address of the IP ranges listed above in the bulleted list?

    Yes, you do not want your server trying to answer/sending packets to the listed addresses even though your isp/nsp should discard them.

    * Do I need to check for the destination address of the IP ranges listed above in the bulleted list?

    Yes, incoming packets would not get passed up to operating system but you want to block the attempts as close to the edge of you system/network.

    * Is is important to create rules for the IP ranges listed above that would include both the INPUT and OUTPUT chains?

    Yes, you do not want to be sending packets to the listed addresses. 

    * Are there any IP ranges that I have forgotten to check from that are missing from the bulleted list above?

    Yes, Your IP address should be denied incoming to you. You can get more aggressive by using ( http://www.team-cymru.org/Services/Bogons/ ) but you could be blocking legitimate sources as the remaining ipv4 address are allocated.

    The iptables hit count will help you determine which rules are working and logging will help with identifying the connections whether denied or accepted.

    • 1