All IP packet headers contain the source and destination IP addresses and the type of IP protocol message (ICMP, UDP or TCP) the packet carries. The only means of identification under the Internet Protocol (IP) is the source address in the IP packet header. This is a problem that opens the door to source address spoofing, where the
sender replaces its own address with either a nonexistent address or the address of some other site.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
Also, there are at least seven sets of source addresses you should refuse on your external interface in all cases.
These are incoming packets claiming to be from:
Your external IP address
Class A private IP addresses
Class B private IP addresses
Class C private IP addresses
Class D multicast addresses
Class E reserved addresses
The loopback interface
With the exception of your own IP address, blocking outgoing packets containing these source addresses protects you from possible configuration errors on your part.
Don't forget to exclude your own IP address from the outgoing packets that are blocked. By default I choose to exclude the Class C private IP addresses since it is the one most used by the
majority of people at this time. If you used another class instead of Class C, then you must comment out the lines that refer to your class under the SPOOFING & BAD ADDRESSES section of the firewall
script file.
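The following is an added example, not part of the original firewall script: it encodes the seven refused source-address sets listed above, classifies an incoming source address against them, and generates the corresponding ipchains DENY rules. The interface name eth0 and the address 203.0.113.10 are constructed placeholders, and the rules for the private class used internally are skipped on both chains (an assumption standing in for "comment out the lines that refer to your class").

```python
"""Anti-spoofing checks for the external interface (added example)."""
import ipaddress

# Constructed placeholder values for the external interface and its address
EXTERNAL_INTERFACE = "eth0"
IPADDR = "203.0.113.10"

# The source-address sets the text says to refuse on the external interface.
# Your own external address is handled separately because it is a host, not a block.
SPOOF_SOURCES = {
    "Class A private": ipaddress.ip_network("10.0.0.0/8"),
    "Class B private": ipaddress.ip_network("172.16.0.0/12"),
    "Class C private": ipaddress.ip_network("192.168.0.0/16"),
    "Class D multicast": ipaddress.ip_network("224.0.0.0/4"),
    "Class E reserved": ipaddress.ip_network("240.0.0.0/4"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
}


def spoof_reason(src, external_ip=IPADDR):
    """Return why an incoming packet with this source should be refused, or None."""
    addr = ipaddress.ip_address(src)
    if addr == ipaddress.ip_address(external_ip):
        return "own external address"
    for name, net in SPOOF_SOURCES.items():
        if addr in net:
            return name
    return None


def ipchains_rules(interface=EXTERNAL_INTERFACE, external_ip=IPADDR,
                   internal_class="Class C private"):
    """Build the input and output DENY rules for the SPOOFING & BAD ADDRESSES section.

    The rule for your own external address is input-only, as the text explains;
    the class you actually use internally is left out (assumed: on both chains).
    """
    rules = [f"ipchains -A input -i {interface} -s {external_ip} -l -j DENY"]
    for chain in ("input", "output"):
        for name, net in SPOOF_SOURCES.items():
            if name == internal_class:
                continue  # would block your own internal network
            rules.append(f"ipchains -A {chain} -i {interface} -s {net} -l -j DENY")
    return rules


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.32.0.1", "203.0.113.10", "8.8.8.8"):
        print(src, "->", spoof_reason(src) or "accepted")
    print("\n".join(ipchains_rules()))
```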
The rest of the rules used in the firewall script files are:
Accessing a Service from the Outside World
Offering a Service to the Outside World
Masquerading the Internal Machines