Re: Block martians with source address 127.0.0.1

From: Ross Vandegrift (ross_at_willow.seitz.com)
Date: 05/31/04

    Date: Mon, 31 May 2004 12:14:20 -0400
    To: Bjørn Rasmussen <bjoernr@sensewave.com>
    
    

    On Mon, May 31, 2004 at 12:55:52PM +0200, Bjørn Rasmussen wrote:
    > I added these rules as the only ones to the input chain on my
    > LAN-interface:
    >
    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
    > iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
    > iptables -A INPUT -i eth0 -s -j LOG
    > iptables -A INPUT -i eth0 -s -j DROP

    I'd change the source address to 127/8 - the whole class A is no-go for
    external traffic.

    > From a client on my LAN, I used the command "nmap -e <LAN-interface on
    > client> -S 127.0.0.1 <ip-addr. of firewall's LAN-interface>" to spoof the
    > localhost address.
    >
    > The kernel on the firewall logs these packets as martians which it
    > should do, but my rules will not log or block these packets. Anybody
    > who knows how to do it? Is it possible? I guess there are situations
    > where malicious persons could at least perform a DoS-attack?

    Two things could be going on:

    1) You have rp_filter turned on, which causes the kernel to ignore any
    incoming packets not addressed to that box, or not originating on a connected
    network.

    2) You've probably stuck the above rules to kill martians on the external
    interface, but when you test from an internal host, packets will arrive via
    the internal interface, and therefore bypass your iptables rules. Try adding
    those rules to the other ethernet interface as well.

    -- 
    Ross Vandegrift
    ross@willow.seitz.com
    "The good Christian should beware of mathematicians, and all those who
    make empty prophecies. The danger already exists that the mathematicians
    have made a covenant with the devil to darken the spirit and to confine
    man in the bonds of Hell."
    	--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
    
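As an added example (not part of the thread, and not the poster's or Ross's code), a small Python model of how the INPUT rules in the question match, illustrating both points of the reply plus the 127/8 advice; it also goes one step further by probing 127.0.0.2, which a bare 127.0.0.1 rule never matches. Interface names, probe addresses and the "KERNEL-MARTIAN" label are constructed for illustration, and the rp_filter flag models the reply's description of point (1) rather than the kernel's exact code path.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One INPUT rule: iptables -A INPUT -i <in_iface> -s <source> -j <target>."""
    in_iface: str
    source: str   # single address or CIDR prefix
    target: str   # "LOG" (non-terminating) or "DROP" (terminating)

    def matches(self, iface, src):
        net = ipaddress.ip_network(self.source, strict=False)  # 127.0.0.1 -> /32
        return iface == self.in_iface and ipaddress.ip_address(src) in net

def input_verdict(rules, iface, src, rp_filter=False):
    """Walk the chain like netfilter; returns (logged, verdict).
    rp_filter models point (1) of the reply: a spoofed loopback source that the
    kernel rejects as a martian never reaches INPUT, so no rule can count it."""
    if rp_filter and ipaddress.ip_address(src).is_loopback:
        return False, "KERNEL-MARTIAN"   # constructed label for "dropped before INPUT"
    logged = False
    for r in rules:
        if not r.matches(iface, src):
            continue
        if r.target == "LOG":
            logged = True                # LOG continues to the next rule
        elif r.target == "DROP":
            return logged, "DROP"
    return logged, "ACCEPT"              # fell through to the chain policy

def martian_rules(interfaces, net="127.0.0.0/8"):
    """Point (2) plus the 127/8 advice: LOG+DROP on every non-loopback interface."""
    rules = []
    for iface in interfaces:
        if iface != "lo":
            rules += [Rule(iface, net, "LOG"), Rule(iface, net, "DROP")]
    return rules

def to_iptables(rules):
    return [f"iptables -A INPUT -i {r.in_iface} -s {r.source} -j {r.target}" for r in rules]

# Constructed inputs: the poster's rules as written, and the corrected set.
ORIGINAL = [Rule("eth0", "127.0.0.1", "LOG"), Rule("eth0", "127.0.0.1", "DROP")]
CORRECTED = martian_rules(["lo", "eth0", "eth1"])
PROBES = [("eth0", "127.0.0.1"), ("eth0", "127.0.0.2"), ("eth1", "127.0.0.1")]

if __name__ == "__main__":
    for iface, src in PROBES:
        print(iface, src, input_verdict(ORIGINAL, iface, src), input_verdict(CORRECTED, iface, src))
```

Only the first probe is caught by the original rules; the corrected set logs and drops all three, and with rp_filter modelled on none of them ever reach the chain.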

