Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

10.5. Source Address Filtering

All IP packet headers contain the source and destination IP addresses and the type of IP protocol message; ICMP, UDP or TCP this packet contains. The only means of identification under the Internet Protocol - IP) is the source address in the IP packet header. This is a problem that opens the door to source address spoofing, where the sender may replaces its address with either a nonexistent address, or the address of some other site.
          
          # Refuse spoofed packets pretending to be from the external address.
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
          
          

Also, there are at least seven sets of source addresses you should refuse on your external interface in all cases. These are incoming packets claiming to be from:

  1. Your external IP address

  2. Class A private IP addresses

  3. Class B private IP addresses

  4. Class C private IP addresses

  5. Class D multicast addresses

  6. Class E reserved addresses

  7. The loopback interface

With the exception of your own IP address, blocking outgoing packets containing these source addresses protects you from possible configuration errors on your part.

Important: Don't forget to exclude your own IP address from outgoing packets blocked. By default I choose to exclude the Class C private IP addresses since it's the most used by the majority of people at this time. If you used another class instead of the Class C, then you must comment out the lines that refer to your class under the SPOOFING & BAD ADDRESSES section of the firewall. script file.

The rest of the rules used in the firewall scripts files are:

  • Accessing a Service from the Outside World

  • Offering a Service to the Outside World

  • Masquerading the Internal Machines

 
 
  Published under the terms of the Open Publication License Design by Interspire