Re: Block martians with source address 127.0.0.1
From: Kalevi Nyman (kan_at_canit.se)
Date: 05/31/04
- Previous message: Patrick Benson: "Re: Block martians with source address 127.0.0.1"
- Maybe in reply to: Cedric Blancher: "Re: Block martians with source address 127.0.0.1"
- Next in thread: Slack Traq: "Re: Block martians with source address 127.0.0.1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 May 2004 19:21:28 +0200
To: Bjørn Rasmussen <bjoernr@sensewave.com>
Add the commands below to your table by writing them on the command line and
then use the command
iptables-save > /etc/sysconfig/iptables
or wherever you keep your table.
1. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2. iptables -A INPUT -m state --state NEW -i eth0 -s 127.0.0.1 -j DROP
1. If the state of a packet is a response to an existing connection, or
related to one, accept the packet. Else drop. If an application on a remote
machine wants to exchange packets with your computer, it is allowed to do so
if you initiated the communication, and only then.
2. An explicit command to drop any incoming packet that has the source
address 127.0.0.1.
Regards:
Kalevi Nyman
--- Bjørn Rasmussen wrote:
> Hi!
>
> I've a firewall connected to the Internet via an ISDN line. Sometimes
> martians arrive from the Internet with source address 127.0.0.1. I want
> to block these packets, but I don't find any way to set up the rules to
> accomplish this.
>
> Normally I use "fwbuilder" to set up my rules, but since the martians
> were not blocked by the spoofing rules generated by "fwbuilder", I tried
> a simple test using iptables commands directly.
>
> I added these rules as the only ones to the input chain on my
> LAN interface:
>
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
> iptables -A INPUT -i eth0 -s -j LOG
> iptables -A INPUT -i eth0 -s -j DROP
>
> From a client on my LAN, I used the command "nmap -e <LAN-interface on
> client> -S 127.0.0.1 <ip-addr. of firewall's LAN-interface>" to spoof the
> localhost address.
>
> The kernel on the firewall logs these packets as martians, which it
> should do, but my rules will not log or block these packets. Anybody
> who knows how to do it? Is it possible? I guess there are situations
> where malicious persons could at least perform a DoS attack?
>
> Best regards
> Bjørn Rasmussen
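The anti-spoofing ruleset the reply describes, together with the kernel settings that govern the "martian source" messages Bjørn saw, as an added example that is not part of either message. It assumes ppp0 as the ISDN interface and 192.168.1.0/24 as the LAN prefix (both assumptions; eth0 is the LAN interface named in the thread). It is a dry run by default and only executes the generated commands when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: generate the anti-spoofing INPUT rules
# and kernel settings discussed above. Dry-run by default; set APPLY=1 to run
# the generated commands as root. Interface names and the LAN prefix are
# assumptions for the example, not values from the original messages.
WAN_IF="${WAN_IF:-ppp0}"             # assumed: the ISDN link comes up as ppp0
LAN_IF="${LAN_IF:-eth0}"             # the LAN interface named in the thread
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN prefix

# Rules are emitted as text so they can be reviewed first and then saved with
# iptables-save once applied, instead of being typed one by one.
antispoof_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -s 127.0.0.0/8 -j LOG --log-prefix "SPOOF-LO: "
iptables -A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j LOG --log-prefix "SPOOF-LAN: "
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A INPUT -i $LAN_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
EOF
}

# The kernel's own martian check runs in the routing code, before the INPUT
# chain: a 127.0.0.0/8 source arriving on eth0 or ppp0 is logged there (when
# log_martians=1) and discarded, which is why INPUT rules matching it never
# see a packet. The rules above are a second line of defence whose counters
# stay at zero for packets the kernel already refused; rp_filter adds the
# same early drop for other impossible source addresses.
martian_sysctls() {
    cat <<EOF
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
EOF
}

# Number of DROP rules in the generated set; handy as a sanity check against
# the output of `iptables -L INPUT -n -v` after applying.
drop_rule_count() {
    antispoof_rules | grep -c -- '-j DROP'
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        antispoof_rules | sh -e
        martian_sysctls | sh -e
        iptables-save > "${RULES_FILE:-/etc/sysconfig/iptables}"
    else
        antispoof_rules
        martian_sysctls
    fi
}

main
```

Run it as-is to review the generated commands; `APPLY=1 sh antispoof.sh` loads them and saves the table with iptables-save as the reply suggests. Because the kernel discards loopback-sourced packets during route lookup, the LOG rule for 127.0.0.0/8 will stay silent on such a kernel and the martian messages in the kernel log remain the place to look for them.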