2.2. Blocking Spoofed Addresses

Problem

You want to prevent remote hosts from pretending to be local to your network.

Solution

For a single machine, to prevent remote hosts from pretending to be that machine, use the following:

For iptables:

# iptables -A INPUT -i external_interface -s your_IP_address -j REJECT

For ipchains:

# ipchains -A input -i external_interface -s your_IP_address -j REJECT

If you have a Linux machine acting as a firewall for your internal network (say, 192.168.0.*) with two network interfaces, one internal and one external, and you want to prevent remote machines from spoofing internal IP addresses to the external interface, use the following:

For iptables:

# iptables -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT

Drop Versus Reject

The Linux firewall can refuse packets in two manners. iptables calls them DROP and REJECT, while ipchains uses the terminology DENY and REJECT. DROP (or DENY) simply swallows the packet, never to be seen again, and emits no response. REJECT, in contrast, responds to the packet with a friendly message back to the sender, something like “Hello, I have rejected your packet.”

DROP and REJECT have pros and cons. In general, REJECT is more compliant with standards: hosts are supposed to send rejection notices. Used within your network, rejects make things easier to debug if problems occur. DROP gives a bit more security, but it’s hard to say how much, and it increases the risk of other network-related problems for you. A DROP ...

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

2.2. Blocking Spoofed Addresses

Problem

Solution

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly