[linux] rp_filter and anti-spoofing

Martin Mosny mmosny at postel.sk
Monday July 8 11:24:20 CEST 2002


Hello all,

Monday, July 8, 2002, 11:00:42 AM, you wrote:

VŠ> Could someone familiar with the subject explain to me why, in most of the
VŠ> iptables scripts found on the internet, rp_filter is enabled and at the same time
VŠ> the scripts contain

It stands for "Reverse Path". If packets come in on a
different interface to the one they would use to leave, then they are
discarded.


or rather:

(networking/ip-sysctl.txt):
  
 rp_filter - INTEGER
        2 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
            that look as sourced at a directly connected interface, but
            were input from another interface.

        0 - No source validation.


So from that it should be clear to you what rp_filter is. The fact that
additional rules are added just "CEMENTS" your settings, so that nobody can
throw packets from the IP addresses listed below at you on INETERNET_IFACE (see
below).

(Use of most of these special use prefixes open up significant opportunities
for anonymity and ambiguity.)

VŠ> $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
VŠ> $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
VŠ> $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP            # RFC1918
VŠ> $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP             # RFC1918
VŠ> $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP                  #RFC1918
VŠ> $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP

In today's network, it is prudent to control access. In the case of these
special use prefixes, it is generally a good idea to filter them so they
do not propagate. After all, you don't want someone else's use of these
prefixes to taint your environment. All of these address classes should be
invalid as source addresses (except where negotiated in advance), and very
few should be permitted as destination addresses (Multicast for example,
should be permitted as a destination, just not as a source).


I don't know whether this helps you, but I hope it does at least a little :)

-- 
Martin (m0s)
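The following is an added illustration, not part of the original post or of the iptables script quoted in it. It models the two layers the reply describes: the kernel's rp_filter source validation (using the 0/1/2 meanings from the ip-sysctl.txt excerpt quoted above, where 2 is strict reverse-path checking and 1 is the weaker "directly connected" form; note that current kernels number these differently, with 1 strict and 2 loose) and the "spoof" chain that drops the listed special-use prefixes regardless of the sysctl. The topology (eth0 to the internet, eth1 to a LAN), the routing table and the sample packets are constructed for the example; the prefix list is the one from the quoted script.

```python
import ipaddress

# Constructed topology (not from the post): eth0 faces the internet, eth1 the LAN.
# The interface prefixes are the "directly connected" networks rp_filter=1 looks at.
INTERFACES = {
    "eth0": ipaddress.ip_network("203.0.113.0/24"),
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed routing table: (prefix, outgoing interface); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

# Prefixes from the quoted "spoof" chain: source rules plus the one destination rule.
SPOOF_SRC = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "96.0.0.0/4")]
SPOOF_DST = [ipaddress.ip_network("127.0.0.0/8")]


def route_lookup(addr):
    """Interface the kernel would use to reach addr (longest-prefix match)."""
    best_net, best_iface = None, None
    for net, iface in ROUTES:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_accepts(mode, src, in_iface):
    """Model the three rp_filter values as described in the quoted ip-sysctl.txt.

    mode 2: strict reverse path - accept only if the route back to src
            leaves via the interface the packet arrived on.
    mode 1: weak form - drop only if src belongs to a directly connected
            prefix of some other interface.
    mode 0: no source validation at all.
    """
    if mode == 2:
        return route_lookup(src) == in_iface
    if mode == 1:
        return not any(src in net and iface != in_iface
                       for iface, net in INTERFACES.items())
    return True


def spoof_chain_drops(src, dst):
    """Mirror the quoted iptables 'spoof' chain: DROP on listed sources/destinations."""
    return any(src in net for net in SPOOF_SRC) or any(dst in net for net in SPOOF_DST)


def filter_packet(mode, src, dst, in_iface):
    """Apply both layers in kernel order: routing-time rp_filter first, then the
    netfilter rules. Returns a short verdict string."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not rp_filter_accepts(mode, src, in_iface):
        return "DROP:rp_filter"
    if spoof_chain_drops(src, dst):
        return "DROP:spoof-chain"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, ingress interface)
    samples = [
        ("192.168.1.10", "203.0.113.1", "eth0"),   # LAN address arriving from the internet
        ("198.51.100.5", "192.168.1.10", "eth1"),  # public address arriving from the LAN side
        ("10.1.2.3", "203.0.113.1", "eth0"),       # RFC1918 source arriving from the internet
        ("198.51.100.5", "203.0.113.1", "eth0"),   # ordinary inbound packet
        ("198.51.100.5", "127.0.0.1", "eth0"),     # loopback destination from outside
    ]
    for mode in (0, 1, 2):
        for src, dst, iface in samples:
            verdict = filter_packet(mode, src, dst, iface)
            print(f"rp_filter={mode} {src:>13} -> {dst:<12} in {iface}: {verdict}")
```

Running it shows why the script keeps both layers: with rp_filter=0 the RFC1918 source from the internet is caught only by the spoof chain, and a public source address arriving from the LAN side passes rp_filter=1 (it is not "directly connected" anywhere) but is dropped by the strict mode 2, which is exactly the "cementing" the reply talks about.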




