2.1. Enabling Source Address Verification
Problem
You want to prevent remote hosts from spoofing incoming packets as if they had come from your local machine.
Solution
Turn on source address verification in the kernel. Place the following code into a system boot file (i.e., linked into the /etc/rc.d hierarchy) that executes before any network devices are enabled:
#!/bin/sh
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "done"
Or, to perform the same task after network devices are enabled:
#!/bin/sh
CONF_DIR=/proc/sys/net/ipv4/conf
CONF_FILE=rp_filter
if [ -e ${CONF_DIR}/all/${CONF_FILE} ]; then
    echo -n "Setting up IP spoofing protection..."
    for f in ${CONF_DIR}/*/${CONF_FILE}; do
        echo 1 > $f
    done
    echo "done"
fi
A quicker method may be to add this line to /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
and run sysctl to reread the configuration immediately:
# sysctl -p
Discussion
Source address verification is a kernel-level feature that drops packets that appear to come from your internal network, but do not. Enabling this feature should be your first network-related security task. If your kernel does not support it, you can set up the same effect using firewall rules, but it takes more work. [Recipe 2.2]
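The following audit script is an added example and is not part of the Linux Security Cookbook. It reads the same /proc/sys/net/ipv4/conf/*/rp_filter files that the recipe's loop writes and reports every interface still left unprotected, which is the check you would run after either boot script or after sysctl -p. It assumes the kernel's documented behaviour that the larger of conf/all/rp_filter and conf/<interface>/rp_filter is applied to each interface, so an interface is flagged only when both are 0 (newer kernels also accept 2, loose mode, which the script treats as protected). The function names audit_rp_filter and make_sample_conf are my own; make_sample_conf builds a constructed stand-in for the /proc tree so the script runs offline without root.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook.
#
# audit_rp_filter CONF_DIR
#   Walk CONF_DIR/*/rp_filter (normally /proc/sys/net/ipv4/conf) and print
#   "iface=value" for each interface that is not protected. The kernel uses
#   max(conf/all, conf/<iface>), so an interface is unprotected only when its
#   own file and the "all" file are both 0. Returns 0 when all interfaces are
#   protected, 1 otherwise.
audit_rp_filter() {
    dir=$1
    all_val=0
    if [ -r "$dir/all/rp_filter" ]; then
        all_val=$(cat "$dir/all/rp_filter" 2>/dev/null)
    fi
    rc=0
    for f in "$dir"/*/rp_filter; do
        [ -e "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        val=$(cat "$f" 2>/dev/null)
        if [ "${val:-0}" -eq 0 ] && [ "${all_val:-0}" -eq 0 ]; then
            echo "$iface=${val:-0}"
            rc=1
        fi
    done
    return $rc
}

# make_sample_conf
#   Constructed stand-in for /proc/sys/net/ipv4/conf so the audit can be run
#   without root or a real kernel tree. Every entry starts at 0, then eth0 is
#   given its own per-interface setting of 1. Prints the directory path.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$d/$i"
        echo 0 > "$d/$i/rp_filter"
    done
    echo 1 > "$d/eth0/rp_filter"
    echo "$d"
}

# Usage:
#   sh audit_rp_filter.sh --sample                  audit the constructed tree
#   sh audit_rp_filter.sh /proc/sys/net/ipv4/conf   audit the running kernel
case "${1:-}" in
    --sample) audit_rp_filter "$(make_sample_conf)" ;;
    /*)       audit_rp_filter "$1" ;;
esac
```

Against the constructed tree the audit lists eth1 and lo (eth0 is covered by its own setting) and exits non-zero; writing 1 to the all/rp_filter file, as the sysctl.conf line in the Solution does, silences every warning because the all value is applied to each interface.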
See Also
sysctl(8). Source address verification is explained in the IPCHAINS-HOWTO at http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-5.html#ss5.7.