Re: Block martians with source address 127.0.0.1

From: Patrick Benson (benson_at_chello.se)
Date: 06/01/04

  • Next message: Kalevi Nyman: "Re: Block martians with source address 127.0.0.1"
    Date: Tue, 01 Jun 2004 00:15:11 +0200
    To: focus-linux@securityfocus.com
    
    

    Bjørn Rasmussen wrote:
    >
    > Hi!
    >
    > I've a firewall connected to the Internet via an ISDN-line. Sometimes
    > martians arrive from the Internet with source address 127.0.0.1. I want
    > to block these packets, but I don't find any way to set up the rules to
    > accomplish this.
    >
    > Normally I use "fwbuilder" to set up my rules, but since the martians
    > were not blocked by the spoofing-rules generated by "fwbuilder", I tried
    > a simple test using iptables-commands directly.
    >
    > I added these rules as the only ones to the input chain on my
    > LAN-interface:
    >
    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
    > iptables -A INPUT -i eth0 -s -j LOG
    > iptables -A INPUT -i eth0 -s -j DROP
    >
    > From a client on my LAN, I used the command "nmap -e <LAN-interface on
    > client> -S 127.0.0.1 <ip-addr. of firewall's LAN-interface>" to spoof the
    > localhost address.
    >
    > The kernel on the firewall logs these packets as martians which it
    > should do, but my rules will not log or block these packets. Anybody
    > who knows how to do it? Is it possible? I guess there are situations
    > where malicious persons could at least perform a DoS-attack?

    Björn,

    You may want to take a look at Shorewall: http://shorewall.net/

    which uses the BOGON feature:
    http://shorewall.net/Documentation.htm#Bogons

    You can process the packets normally, silently drop them, or log them and
    then drop.

    A complete list of BOGONS can be found at:
    http://www.completewhois.com/bogons/index.htm

    Regards,
    Patrick

    -- 
    Patrick Benson
    Stockholm, Sweden
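An added example, not part of Patrick's reply and not Shorewall's own code, showing one way to get the behaviour Bjørn asked for with plain iptables. It assumes a Linux netfilter firewall with the mangle table and the LOG and limit extensions, and an Internet-facing interface name (ippp0 here is a placeholder; the LAN interface from the test above works the same way). The reason the INPUT rules in the quoted test never match is that INPUT is evaluated after the routing decision, and the routing code discards a packet with a 127.0.0.0/8 source arriving on a non-loopback interface as a martian before INPUT is reached; PREROUTING in the mangle table is evaluated before routing and does see those packets, so the rules go there.

```sh
#!/bin/sh
# Added example (not from the thread): drop packets with a bogon/martian
# source address before the routing decision, logging a rate-limited sample.
# Assumes iptables with the mangle table and the LOG and limit extensions.
# INPUT runs after routing, and the routing code discards 127/8-sourced
# packets on non-loopback interfaces as martians, so INPUT never sees them;
# mangle PREROUTING runs before routing and does.

WAN_IF="${WAN_IF:-ippp0}"   # placeholder name for the Internet-facing interface

# Constructed minimal bogon list: loopback, "this" network, RFC 1918,
# link-local, multicast and reserved. Use a maintained list in production.
BOGONS="127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12"
BOGONS="$BOGONS 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Print the iptables commands for one interface without executing them.
bogon_rules() {
    ifname="$1"
    chain="BOGONS"
    # One user chain: log a few per minute, then drop everything sent to it.
    printf 'iptables -t mangle -N %s\n' "$chain"
    printf 'iptables -t mangle -A %s -m limit --limit 5/min -j LOG --log-prefix "BOGON src: "\n' "$chain"
    printf 'iptables -t mangle -A %s -j DROP\n' "$chain"
    # Send every packet with a bogon source on this interface to that chain,
    # from PREROUTING so it is matched before the routing decision.
    for net in $BOGONS; do
        printf 'iptables -t mangle -A PREROUTING -i %s -s %s -j %s\n' "$ifname" "$net" "$chain"
    done
}

# Number of prefixes the generated ruleset covers (sanity check).
bogon_count() {
    bogon_rules "$1" | grep -c -- '-A PREROUTING'
}

# Print the rules by default; execute them only when APPLY=1 is set.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        bogon_rules "$1" | sh -e
    else
        bogon_rules "$1"
    fi
}

apply_rules "$WAN_IF"
```

Run it without arguments to review the generated rules; set APPLY=1 (as root) to load them. Once they are in place, the kernel's "martian source" log lines stop for the covered prefixes, because those packets no longer reach the routing code, and the rate-limited iptables LOG entries take their place.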
    
