Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks

A spoofing or bad-address attack tries to fool the server by sending packets that claim to come from a local address or network, so that they pass checks meant for trusted hosts.

The following source addresses, when seen on the internet-facing interface, are known signs of this kind of attack:

An incoming packet whose source IP address is your server's own IP address.

An incoming packet with a source address from the following ranges:

  • Your own internal server/network IP addresses or ranges.

The following small shell script tries to prevent this kind of attack:

#!/bin/sh
INT_IF="eth1"          # interface connected to the internet (WAN)
SERVER_IP=""           # your server's public IP; must be set before use
LAN_RANGE=""           # your LAN IP range in CIDR form; must be set before use
# Add your spoofed IP ranges/IPs here (private and reserved ranges that never legitimately arrive from the internet)
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
IPT="/sbin/iptables"   # path to iptables
# default action, can be DROP or REJECT
ACTION="DROP"
# Refuse to run while the placeholders are still empty; a bare -s would make iptables fail part-way through the rule set
[ -n "$SERVER_IP" ] && [ -n "$LAN_RANGE" ] || { echo "set SERVER_IP and LAN_RANGE first" >&2; exit 1; }
# Drop packets claiming to come from our own server on the WAN port (inbound only:
# every legitimate outbound packet carries our own address, so it must not be dropped on OUTPUT)
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
# Drop packets claiming to come from our own internal LAN on the WAN port, in both directions
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
## Drop all spoofed
for ip in $SPOOF_IPS
do
 $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
 $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done
## add or call your rest of script below to customize iptables ##

Save and close the file. Call the above script from your own iptables script. Then add the following lines to your /etc/sysctl.conf file:
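The sysctl listing itself did not survive on this copy of the page, so the fragment below is an added reconstruction rather than the article's own listing. The first line is the rp_filter setting the article's explanation names; the two logging lines are an assumption, taken to be the kernel's log_martians switches, which are the standard way to log packets arriving with a source address the kernel considers impossible.

```conf
# Reverse-path filtering: drop packets whose source address is not routable back out the interface they arrived on
net.ipv4.conf.all.rp_filter=1
# Assumed logging entries: log "martian" packets (impossible source addresses) for all current and future interfaces
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
```

Apply the file without a reboot with `sysctl -p`, and confirm the values with `sysctl net.ipv4.conf.all.rp_filter`.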

The net.ipv4.conf.all.rp_filter=1 entry enables source address verification, which is built into the Linux kernel itself, and the remaining two entries log every such spoofed packet to the system log.
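The following script is an added example and is not part of the original article or its script. It builds the same kind of anti-spoofing rules, but in iptables-restore format, and goes a little beyond the article: it refuses empty or malformed addresses instead of emitting broken rules, keeps the drops in a dedicated chain so they are easy to audit, logs each drop (rate limited) so attempts show up in syslog, and blocks the server's own address only in the inbound direction, since dropping it on OUTPUT would cut off all of the server's legitimate traffic. The interface, server IP and LAN range in the final call (eth1, 203.0.113.10, 192.168.1.0/24) are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate anti-spoofing rules for iptables-restore.
# Nothing here touches the running firewall; the output is text that a root
# user can review and then load with iptables-restore.

# Private and reserved source ranges that never legitimately arrive on the WAN
# interface and must never leave through it either.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3"

# Lightweight syntax check: a dotted quad with an optional /prefix. It stops
# empty strings and typos from becoming rules; it does not validate octet ranges.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_antispoof_rules WAN_IF SERVER_IP LAN_RANGE
# Prints a filter-table ruleset on stdout; returns 1 without printing anything
# if an argument is missing or malformed.
gen_antispoof_rules() {
    wan_if=$1; server_ip=$2; lan_range=$3
    [ -n "$wan_if" ] || { echo "WAN interface must be set" >&2; return 1; }
    is_ipv4_cidr "$server_ip" || { echo "bad SERVER_IP: '$server_ip'" >&2; return 1; }
    is_ipv4_cidr "$lan_range" || { echo "bad LAN_RANGE: '$lan_range'" >&2; return 1; }

    printf '%s\n' '*filter' ':ANTISPOOF - [0:0]'
    # Only traffic on the WAN interface passes through the chain; LAN-side traffic is untouched.
    printf '%s\n' "-A INPUT -i $wan_if -j ANTISPOOF"
    printf '%s\n' "-A OUTPUT -o $wan_if -j ANTISPOOF"
    # Our own public address can only be spoofed inbound, so this one is INPUT-only.
    printf '%s\n' "-A INPUT -i $wan_if -s $server_ip -j DROP"
    # LAN range and reserved ranges are dropped in both directions (ingress and egress filtering).
    for src in "$lan_range" $SPOOF_IPS; do
        printf '%s\n' "-A ANTISPOOF -s $src -m limit --limit 5/min -j LOG --log-prefix \"SPOOF: \""
        printf '%s\n' "-A ANTISPOOF -s $src -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed example values; review the output, then load it as root with
# iptables-restore (which replaces the table contents, so merge it with your
# existing rules first).
gen_antispoof_rules eth1 203.0.113.10 192.168.1.0/24
```

The LOG rules carry a `-m limit --limit 5/min` match so that a flood of spoofed packets cannot fill the log faster than it can be read; the log prefix `SPOOF:` gives a fixed string to search for when reviewing syslog.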
