[linux] rp_filter and anti-spoofing
Martin Mosny
mmosny na postel.sk
Monday, July 8, 11:24:20 CEST 2002
Hello all,
Monday, July 8, 2002, 11:00:42 AM, you wrote:
VŠ> Could someone who knows this area explain why, in most of the
VŠ> iptables scripts found on the internet, rp_filter is enabled and at the same
VŠ> time the scripts contain
It stands for "Reverse Path". If packets come in on a
different interface to the one they use to leave, then they are
discarded.
Or, more precisely:
(networking/ip-sysctl.txt):
rp_filter - INTEGER
2 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.
0 - No source validation.
So from that it should be clear to you what rp_filter is. The fact that
additional rules are added just "sets in concrete" your settings, so that
packets from the IP addresses listed below are not thrown at you on
INTERNET_IFACE (see below).
(Use of most of these special use prefixes open up significant opportunities
for anonymity and ambiguity.)
VŠ> $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
VŠ> $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
VŠ> $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
VŠ> $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
VŠ> $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP #RFC1918
VŠ> $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP
In today's network, it is prudent to control access. In the case of these
special use prefixes, it is generally a good idea to filter them so they
do not propagate. After all, you don't want someone else's use of these
prefixes to taint your environment. All of these address classes should be
invalid as source addresses (except where negotiated in advance), and very
few should be permitted as destination addresses (Multicast for example,
should be permitted as a destination, just not as a source).
I don't know whether this helps you, but I hope it does at least a little :)
--
Martin (m0s)
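As an added illustration (not part of the original thread or of anyone's real firewall script), here is a Python model of how the two layers discussed above interact: a minimal reverse-path check in the three rp_filter modes quoted from ip-sysctl.txt, followed by the quoted "spoof" chain applied only to the Internet-facing interface. The routing table, interface names and packet addresses are all constructed for the example, and treating every non-default route as "directly connected" is a simplification of the model. Two caveats a reader should keep in mind: the mode numbering quoted above is from the 2002 kernel documentation, and later kernels document 1 as strict and 2 as loose reverse-path filtering; and 96.0.0.0/4 was reserved space in 2002 but has since been allocated, so a static bogon list like the quoted one must be kept current or it will drop legitimate traffic.

```python
import ipaddress

# Constructed routing table for the example (longest-prefix match wins).
# Simplification: every non-default entry is treated as a directly connected network.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route out of the Internet-facing interface
    ("192.168.1.0/24", "eth1"),   # LAN segment
    ("10.0.0.0/8", "eth2"),       # internal routed network
]
INTERNET_IFACE = "eth0"          # the INTERNET_IFACE of the quoted script (assumed name)

# Prefixes the constructed "spoof" chain drops, mirroring the quoted rules
# (loopback and RFC 1918 as sources, loopback as destination).
SPOOF_SRC = [ipaddress.ip_network(p) for p in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPOOF_DST = [ipaddress.ip_network("127.0.0.0/8")]


def lookup_route(addr):
    """Return the egress interface for addr by longest-prefix match, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, ingress, mode):
    """Model of rp_filter in the modes quoted from the 2002 ip-sysctl.txt:
    0 = no source validation,
    1 = weak: drop if src looks directly connected but arrived on another interface,
    2 = strict: drop unless the reverse path to src leaves via the ingress interface."""
    if mode == 0:
        return True
    if mode == 2:
        return lookup_route(src) == ingress
    ip = ipaddress.ip_address(src)
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > 0 and ip in net:   # "directly connected" in this model
            return iface == ingress
    return True


def spoof_chain(src, dst):
    """The quoted iptables 'spoof' chain as a pure function: DROP, or RETURN to the caller."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in SPOOF_SRC):
        return "DROP"
    if any(d in net for net in SPOOF_DST):
        return "DROP"
    return "RETURN"


def filter_packet(src, dst, ingress, mode):
    """Apply rp_filter first (the kernel checks it during route lookup, before the
    INPUT/FORWARD chains), then the spoof chain on the Internet-facing interface only.
    Returns (verdict, reason) so the caller can see which layer caught the packet."""
    if not rp_filter_accepts(src, ingress, mode):
        return ("DROP", "rp_filter")
    if ingress == INTERNET_IFACE and spoof_chain(src, dst) == "DROP":
        return ("DROP", "spoof chain")
    return ("ACCEPT", "")


if __name__ == "__main__":
    # Constructed packets: (src, dst, ingress interface, rp_filter mode)
    samples = [
        ("198.51.100.9", "192.168.1.10", "eth0", 2),   # normal inbound traffic
        ("192.168.1.7", "198.51.100.9", "eth0", 2),    # LAN address arriving from the Internet
        ("10.1.2.3", "198.51.100.9", "eth0", 0),       # rp_filter off; spoof chain still catches it
        ("198.51.100.9", "127.0.0.1", "eth0", 2),      # loopback destination from outside
        ("198.51.100.9", "192.168.1.10", "eth1", 1),   # weak mode lets this through
        ("198.51.100.9", "192.168.1.10", "eth1", 2),   # strict mode does not
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(*pkt))
```

The last two sample packets show the practical difference between the weak and strict modes quoted above: an Internet source address arriving on the LAN interface passes the weak check (it does not look directly connected) but fails the strict one (its reverse path leaves via eth0). The third packet shows why the extra iptables rules are worth having even though rp_filter exists: with rp_filter off, the spoof chain still drops the RFC 1918 source.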