Re: Block martians with source address 127.0.0.1
From: Patrick Benson (benson at chello.se)
Date: Mon May 31 2004 - 17:15:11 CDT
Bjørn Rasmussen wrote:
>
> Hi!
>
> I've a firewall connected to the Internet via an ISDN-line. Sometimes
> martians arrive from the Internet with source address 127.0.0.1. I want
> to block these packets, but I don't find any way to set up the rules to
> accomplish this.
>
> Normally I use "fwbuilder" to set up my rules, but since the martians
> were not blocked by the spoofing-rules generated by "fwbuilder", I tried
> a simple test using iptables-commands directly.
>
> I added these rules as the only ones to the input chain on my
> LAN-interface:
>
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
> iptables -A INPUT -i eth0 -s -j LOG
> iptables -A INPUT -i eth0 -s -j DROP
>
> >From a client on my LAN, I used the command "nmap -e <LAN-interface on
> client> -S 127.0.0.1 <ip-addr. of firewall's LAN-interface>" to spoof the
> localhost address.
>
> The kernel on the firewall logs these packets as martians which it
> should do, but my rules will not log or block these packets. Anybody
> who knows how to do it? Is it possible? I guess there are situations
> where malicious persons could at least perform a DoS-attack?
Björn,
You may want to take a look at Shorewall: http://shorewall.net/
which uses the BOGON feature:
http://shorewall.net/Documentation.htm#Bogons
You can process the packets normally, silently drop them or log then
drop.
A complete list of BOGONS can be found at:
http://www.completewhois.com/bogons/index.htm
Regards,
Patrick
--
Patrick Benson
Stockholm, Sweden
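As an added example that is not part of the original thread and is not Shorewall's own code: a small script that builds a log-then-drop bogon chain and hooks it into the mangle table's PREROUTING chain. Netfilter runs that hook before the routing decision, and it is the routing lookup that discards and logs a "martian source" such as 127.0.0.1, so a rule in the filter table's INPUT chain (as in the question) is never reached by those packets. The interface name ippp0 and the short bogon list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): LOG-then-DROP
# chain for bogon / spoofed source addresses on one interface.
# The chain hangs off mangle PREROUTING, which netfilter evaluates
# *before* the routing decision where the kernel flags martians, so a
# spoofed 127.0.0.1 source is still visible here, unlike in filter INPUT.
# Set IPTABLES=dry_run (the default without "apply") to print the
# commands instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
# Constructed subset of reserved ranges; the full list is at the
# completewhois URL in the reply above.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

dry_run() { printf 'iptables %s\n' "$*"; }

bogon_chain() {
    iface="$1"
    $IPTABLES -t mangle -N BOGONS 2>/dev/null
    $IPTABLES -t mangle -F BOGONS
    for net in $BOGONS; do
        $IPTABLES -t mangle -A BOGONS -s "$net" -j LOG --log-prefix "BOGON-SRC: " --log-level info
        $IPTABLES -t mangle -A BOGONS -s "$net" -j DROP
    done
    # Hook the chain in before the routing decision, this interface only.
    $IPTABLES -t mangle -A PREROUTING -i "$iface" -j BOGONS
}

# Number of DROP rules the chain will hold (one per listed range).
bogon_drop_count() {
    IPTABLES=dry_run bogon_chain "$1" | grep -c -- '-j DROP'
}

# Succeeds if the generated rule set hooks the chain before routing on $1.
hooked_before_routing() {
    IPTABLES=dry_run bogon_chain "$1" | grep -q -- "-t mangle -A PREROUTING -i $1 -j BOGONS"
}

# Assumed external interface name: ippp0 (typical for a Linux ISDN link).
case "${1:-}" in
    apply) bogon_chain "${2:-ippp0}" ;;             # e.g. sh bogons.sh apply ippp0
    *)     IPTABLES=dry_run bogon_chain "${2:-ippp0}" ;;
esac
```

The kernel's own check remains worth keeping alongside this (net.ipv4.conf.all.rp_filter=1 and log_martians=1), since the chain above only covers the listed ranges.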