Re: Block martians with source address 127.0.0.1
From: Bjørn Rasmussen (bjoernr_at_sensewave.com)
Date: 06/01/04
- Previous message: Bjørn Rasmussen: "Re: Block martians with source address 127.0.0.1"
- Maybe in reply to: Cedric Blancher: "Re: Block martians with source address 127.0.0.1"
- Next in thread: Konstantin Gavrilenko: "Re: Block martians with source address 127.0.0.1"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: k.gavrilenko@arhont.com, "focus-linux@securityfocus.com" <focus-linux@securityfocus.com>
Date: Tue, 01 Jun 2004 13:48:38 +0200
Mon, 31.05.2004 at 17:17, Konstantin Gavrilenko wrote:
> You should also drop some more addresses that can not come from the
> external interface. Following setup works fine for me:
>
> LOOPBACK="127.0.0.1/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D="224.0.0.0/4"
> CLASS_E="240.0.0.0/5"
> DHCPNET="0.0.0.0/8"
> LLNET="169.254.0.0/16"
> TESTNET="192.0.2.0/24"
> BCAST_SRC="0.0.0.0"
> BCAST_DST="255.255.255.255"
>
> iptables -A INPUT -j extin_srcadrs-check
> iptables -A extin_srcadrs-check -i $EXT -s $LOOPBACK -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $CLASS_A -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $CLASS_B -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $CLASS_C -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $CLASS_D -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $CLASS_E -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $DHCPNET -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $LLNET -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $TESTNET -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $EXT_IPADDR -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $EXT_NET -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $EXT_BCAST -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $BCAST_SRC -j DROP
> iptables -A extin_srcadrs-check -i $EXT -s $BCAST_DST -j DROP
>
Thanks for your nice suggestions! I'll implement these rules at least
at firewalls where they may be routed :-)
And thanks, list, for an overwhelming response!
>
> kos
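
An offline check of the quoted prefix list before loading it, as an added example that is not part of the original thread: it uses Python's ipaddress module to normalise each value the way iptables masks a -s argument, reports which entries match a given source address, and lists entries already covered by a wider one. The site-specific $EXT_IPADDR, $EXT_NET and $EXT_BCAST are left out; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Prefixes exactly as quoted in the message above (variable name -> value).
QUOTED_SOURCES = {
    "LOOPBACK": "127.0.0.1/8",
    "CLASS_A": "10.0.0.0/8",
    "CLASS_B": "172.16.0.0/12",
    "CLASS_C": "192.168.0.0/16",
    "CLASS_D": "224.0.0.0/4",
    "CLASS_E": "240.0.0.0/5",
    "DHCPNET": "0.0.0.0/8",
    "LLNET": "169.254.0.0/16",
    "TESTNET": "192.0.2.0/24",
    "BCAST_SRC": "0.0.0.0",
    "BCAST_DST": "255.255.255.255",
}


def normalise(prefixes):
    """Return {name: network}; strict=False masks host bits (127.0.0.1/8 -> 127.0.0.0/8)."""
    return {name: ipaddress.ip_network(value, strict=False)
            for name, value in prefixes.items()}


def matching_rules(src, networks):
    """Names of the list entries whose prefix contains the source address."""
    addr = ipaddress.ip_address(src)
    return [name for name, net in networks.items() if addr in net]


def shadowed(networks):
    """Pairs (inner, outer) where one entry lies wholly inside another."""
    return sorted((a, b)
                  for a, na in networks.items()
                  for b, nb in networks.items()
                  if a != b and na.subnet_of(nb))


if __name__ == "__main__":
    nets = normalise(QUOTED_SOURCES)
    # Constructed sample source addresses, chosen around the prefix boundaries.
    samples = ["127.0.0.1", "10.1.2.3", "172.31.255.254", "172.32.0.1",
               "0.0.0.0", "245.1.1.1", "250.0.0.1", "255.255.255.255",
               "192.0.2.55", "203.0.113.9"]
    for src in samples:
        hits = matching_rules(src, nets)
        print(f"{src:16} {'DROP via ' + ', '.join(hits) if hits else 'not matched'}")
    for inner, outer in shadowed(nets):
        print(f"{inner} is already covered by {outer}")
```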