Re: Block martians with source address 127.0.0.1
From: Ross Vandegrift (ross_at_willow.seitz.com)
Date: 05/31/04
- Previous message: Slack Traq: "Re: Block martians with source address 127.0.0.1"
- Maybe in reply to: Cedric Blancher: "Re: Block martians with source address 127.0.0.1"
- Next in thread: Bjørn Rasmussen: "Re: Block martians with source address 127.0.0.1"
- Reply: Bjørn Rasmussen: "Re: Block martians with source address 127.0.0.1"
Date: Mon, 31 May 2004 12:14:20 -0400
To: Bjørn Rasmussen <bjoernr@sensewave.com>

On Mon, May 31, 2004 at 12:55:52PM +0200, Bjørn Rasmussen wrote:
> I added these rules as the only ones to the input chain on my
> LAN-interface:
>
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
> iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
> iptables -A INPUT -i eth0 -s -j LOG
> iptables -A INPUT -i eth0 -s -j DROP
I'd change the source address to 127/8 - the whole class A is no-go for
external traffic.
> From a client on my LAN, I used the command "nmap -e <LAN-interface on
> client> -S 127.0.0.1 <ip-addr. of firewall's LAN-interface>" to spoof the
> localhost address.
>
> The kernel on the firewall logs these packets as martians, which it
> should do, but my rules will not log or block these packets. Anybody
> who knows how to do it? Is it possible? I guess there are situations
> where malicious persons could at least perform a DoS attack?
Two things could be going on:
1) You have rp_filter turned on, which causes the kernel to ignore any
incoming packets not addressed to that box, or not originating on a connected
network.
2) You've probably stuck the above rules to kill martians on the external
interface, but when you test from an internal host, packets will arrive via
the internal interface, and therefore bypass your iptables rules. Try adding
those rules to the other ethernet interface as well.
--
Ross Vandegrift
ross@willow.seitz.com

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
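As an added example (not code from Ross or Bjørn), here is a small POSIX shell generator for the rules Ross suggests: 127.0.0.0/8 instead of the single host, applied to every interface named on the command line, with rp_filter enabled per interface. It prints the commands rather than running them, so they can be reviewed before being applied as root. The interface names (eth0, eth1) and the log prefix are assumptions. It goes one step beyond the thread: the LOG rule is placed in the mangle table's PREROUTING chain, which runs before the routing decision where the kernel's own martian check and rp_filter discard the packet, so it sees what a rule in INPUT never will.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (prints, does not run)
# anti-spoof rules for every interface given on the command line, so the
# result can be reviewed before being applied as root.

# Source ranges that must never arrive on a physical interface.
# Only 127.0.0.0/8 is discussed in the thread; more can be appended.
MARTIAN_NETS="127.0.0.0/8"

# The log prefix is an assumption of this example, not from the thread.
LOG_PREFIX="martian-src "

martian_rules() {
    # $@ = interfaces to protect, e.g. eth0 eth1 (names are assumptions)
    for ifc in "$@"; do
        for net in $MARTIAN_NETS; do
            # mangle/PREROUTING runs before the routing decision, where the
            # kernel's martian check (and rp_filter) discards the packet;
            # a rule in filter/INPUT is never reached for such packets.
            echo "iptables -t mangle -A PREROUTING -i $ifc -s $net -j LOG --log-prefix \"$LOG_PREFIX\""
            echo "iptables -t mangle -A PREROUTING -i $ifc -s $net -j DROP"
            # Belt-and-braces rule in filter/INPUT, matching Ross's advice.
            echo "iptables -A INPUT -i $ifc -s $net -j DROP"
        done
    done
}

rp_filter_settings() {
    # Reverse-path filtering per interface plus the 'all' switch; the
    # kernel applies the larger of the two values for each interface.
    for ifc in "$@"; do
        echo "sysctl -w net.ipv4.conf.$ifc.rp_filter=1"
    done
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    # Keep the kernel's own martian logging on as a second signal.
    echo "sysctl -w net.ipv4.conf.all.log_martians=1"
}

# Number of iptables lines that would be emitted for the given interfaces.
count_rules() {
    martian_rules "$@" | wc -l | tr -d ' '
}

# Usage (review first, then apply as root):
#   sh martians.sh eth0 eth1            # print the commands
#   sh martians.sh eth0 eth1 | sudo sh  # apply them
if [ "$#" -gt 0 ]; then
    martian_rules "$@"
    rp_filter_settings "$@"
fi
```

Because the script only prints, a diff of its output against the running ruleset (`iptables-save`) is an easy way to confirm every interface, including the internal one Ross mentions, is covered.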