We had following below iptables rules that exist in our web front-end boxes to prevent IP Spoofing:
-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 0.0.0.0/8 -j DROP
We want to add below rules now to further harden IP Spoofing prevention
-A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 240.0.0.0/5 -j DROP
Do you suggest adding the above rules on a production box running Apache httpd as a reverse proxy? This production box is behind an F5 load balancer.
Also, do we need to enable the below kernel parameters for the above rules to work effectively?
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
The rules you've added are a good example of "cargo cult".

Anti-spoofing measures are to be taken at gateways (routers); gateways are the proper devices because they actually have routing information. Servers typically don't have this info. Often servers have just a single channel and a default route towards it. If they happen to get a request, they should serve it unless they have some ACLs ("those URLs are to be accessed from that IP range only" and so on). OTOH, when servers have public and private networks and there's a policy to keep those networks separated, rpfilter can be used to achieve it automatically. Note that nowadays netfilter has such an extension as well; sysctl isn't the only way to implement it.

IP spoofing is often used for DoS attacks. Attackers "inject" initiating packets into the network using the victim's IP address as their source. Their purpose is to make your server respond, sending answers to the victim. Your server won't be able to find out if that was a spoofed IP in the requests it's getting; it won't be any strange IP like 0.2.3.4 that your firewall rules are filtering out. If your server is getting spoofed requests from the Internet, it's generally not something you can solve at the "last mile" unless you know exactly that it's spoofed, and typically you can only know that if your own public IPs are being used as source. Spoofing itself isn't a matter of "hey, look, they've used 0.2.3.4 as source IP in requests, now we're all doomed unless we drop such packets".

The only issue that I see in this would be that if a request from 240.0.0.0 WAS legit, it would then block it, not allowing it to reach the server.
With IP spoofing, it's really difficult to know if it is a spoof or not, since one can generate a legit address (speaking as a programmer).
The only option that would be more "safe" would be to only block the specific addresses that are flooding your servers.
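The rule set from the question, checked the way a reviewer would before deploying it. This is an added example, not code from any of the posts above: the prefix lists are a transcription of the `-s` arguments in the question, the helper names are this example's own, and the sample source addresses are constructed.

```python
# Added example (not from the original post): transcribe the '-s' prefixes of
# the iptables rules in the question and check (a) which rules are shadowed by
# an earlier rule and (b) which candidate source addresses they actually drop.
# Helper names are this example's own; the sample addresses are constructed.
import ipaddress

# Prefixes from the rules already deployed (order as appended to INPUT).
EXISTING = ["255.0.0.0/8", "0.0.0.0/8"]
# Prefixes from the rules proposed as additional hardening.
PROPOSED = ["224.0.0.0/3", "169.254.0.0/16", "240.0.0.0/5"]


def shadowed_rules(prefixes):
    """Return (later, earlier) pairs where a later prefix is fully contained
    in an earlier one. iptables walks a chain top-down and the earlier DROP
    already consumes every packet the later rule could match, so the later
    rule (and the LOG rule paired with it) never fires."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    shadowed = []
    for i, later in enumerate(nets):
        for earlier in nets[:i]:
            if later.subnet_of(earlier):
                shadowed.append((str(later), str(earlier)))
                break
    return shadowed


def verdict(src, prefixes=None):
    """Simulate the INPUT chain for a packet whose source address is `src`.
    Returns ("DROP", prefix) for the first matching rule, ("ACCEPT", None)
    when no anti-spoofing rule matches, and ("INVALID", None) for a string
    that is not an IPv4 address."""
    if prefixes is None:
        prefixes = EXISTING + PROPOSED
    try:
        addr = ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return ("INVALID", None)
    for p in prefixes:
        if addr in ipaddress.ip_network(p):
            return ("DROP", p)
    return ("ACCEPT", None)


if __name__ == "__main__":
    for later, earlier in shadowed_rules(EXISTING + PROPOSED):
        print(f"rule for {later} is shadowed by the earlier rule for {earlier}")
    # Constructed sample sources: two bogons, a link-local address, a multicast
    # address, and an ordinary public address (RFC 5737 documentation range),
    # which is what a reflection attacker would put in the source field.
    for src in ["0.2.3.4", "255.255.255.255", "169.254.1.1",
                "239.255.255.250", "198.51.100.7"]:
        print(src, verdict(src))
```

Two things fall out of running it. First, 240.0.0.0/5 (and 255.0.0.0/8, if the proposed rules were appended ahead of the existing ones) lies entirely inside 224.0.0.0/3, so the DROP for 224.0.0.0/3 consumes those packets and the later LOG/DROP pair never matches; on the box itself `iptables -L INPUT -v -n` shows the per-rule packet counters, where such a rule stays at zero forever. Second, a spoofed packet carrying an ordinary public source such as 198.51.100.7 is accepted by every rule in the set, which is the first answer's point: these rules only catch addresses that could never be a real source, not spoofing as such.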