How to block local spoofed addresses using the Linux firewall

Here's how to protect your network from attackers using the iptables firewall.
339 readers like this.
unspoken blockers

Attackers are finding sophisticated ways to penetrate even remote networks that are protected by intrusion detection and prevention systems. No IDS/IPS can halt or minimize attacks by hackers who are determined to take over your network. Improper configuration allows attackers to bypass all implemented network security measures.

In this article, I will explain how security engineers or system administrators can prevent these attacks.

Almost all Linux distributions come with a built-in firewall to secure processes and applications running on the Linux host. Most firewalls are designed as IDS/IPS solutions, whose primary purpose is to detect and prevent malicious packets from gaining access to a network.

A Linux firewall usually comes with two interfaces: iptables and ipchains. Most people refer to these interfaces as the "iptables firewall" or the "ipchains firewall." Both interfaces are designed as packet filters. Iptables acts as a stateful firewall, making decisions based on previous packets. Ipchains does not make decisions based on previous packets; hence, it is designed as a stateless firewall.

In this article, we will focus on the iptables firewall, which comes with kernel version 2.4 and beyond.

With the iptables firewall, you can create policies, or ordered sets of rules, which communicate to the kernel how it should treat specific classes of packets. Inside the kernel is the Netfilter framework. Netfilter is both a framework and the project name for the iptables firewall. As a framework, Netfilter allows iptables to hook functions designed to perform operations on packets. In a nutshell, iptables relies on the Netfilter framework to build firewall functionality such as filtering packet data.

Each iptables rule is applied to a chain within a table. An iptables chain is a collection of rules that are compared against packets with similar characteristics, while a table (such as nat or mangle) describes diverse categories of functionality. For instance, a mangle table alters packet data. Thus, specialized rules that alter packet data are applied to it, and filtering rules are applied to the filter table because the filter table filters packet data.

Iptables rules have a set of matches, along with a target, such as Drop or Deny, that instructs iptables what to do with a packet that conforms to the rule. Thus, without a target and a set of matches, iptables can’t effectively process packets. A target simply refers to a specific action to be taken if a packet matches a rule. Matches, on the other hand, must be met by every packet in order for iptables to process them.

Now that we understand how the iptables firewall operates, let's look at how to use iptables firewall to detect and reject or drop spoofed addresses.

Turning on source address verification

The first step I, as a security engineer, take when I deal with spoofed addresses from remote hosts is to turn on source address verification in the kernel.

Source address verification is a kernel-level feature that drops packets pretending to come from your network. It uses the reverse path filter method to check whether the source of the received packet is reachable through the interface it came in.

To turn source address verification, utilize the simple shell script below instead of doing it manually:

#author’s name: Michael K Aboagye 
#purpose of program: to enable reverse path filtering
#date: 7/02/18
#displays “enabling source address verification” on the screen
echo -n "Enabling source address verification…"
#Overwrites the value 0 to 1 to enable source address verification
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "completed"

The preceding script, when executed, displays the message Enabling source address verification without appending a new line. The default value of the reverse path filter is 0.0, which means no source validation. Thus, the second line simply overwrites the default value 0 to 1. 1 means that the kernel will validate the source by confirming the reverse path.

Finally, you can use the following command to drop or reject spoofed addresses from remote hosts by choosing either one of these targets: DROP or REJECT. However, I recommend using DROP for security reasons.

Replace the “IP-address” placeholder with your own IP address, as shown below. Also, you must choose to use either REJECT or DROP; the two targets don’t work together.

   iptables -A INPUT -i internal_interface -s IP_address -j REJECT / DROP  

    iptables -A INPUT -i internal_interface -s  -j REJECT/ DROP

This article provides only the basics of how to prevent spoofing attacks from remote hosts using the iptables firewall.



Which IP address? The computer or the router? What if you have a wifi extender? Do you enter both? That part at the end needs a little more explaining because what's confusing me is even if the router is 192.168.0.#, I've never seen the last number as "0" before and therefore have no clue how to interpret it.

Hello, thanks for asking. ** is just a network identifier. It is not usable.

In reply to by TheOuterLinux (not verified)

QUOTE Replace the “IP-address” placeholder with your own IP address UNQUOTE

You forget to also state 'and replace "internal_interface" with your own internal interface designation" (eg eth0 or whatever interface(s) is/are active)".

Otherwise you will get the error message

iptables v1.6.0: interface name `internal_interface' must be shorter than IFNAMSIZ (15)
Try `iptables -h' or 'iptables --help' for more information.

And do not forget this only secures IPv4 against spoofing -- if IPv6 is active, then that too needs similar protection.

First of all, you didn't explain what a spoofed address is. The iptables example that you've provided will block the whole internal network range (poor example). How does one identify a spoofed address? You didn't elaborate on this point either.

Moreover, as a security engineer, you should be aware that changing values under the /proc filesystem will not survive a system reboot, therefore always use "sysctl -w". Is there a reason you didn't configure the RP filter for IPv6?

Having said that, you may find the following article informative:

Hope this helps.

Thanks, Tomas! Your blog contains some good information. keep up the good work.

spoofed address simply means "IP packets with false/fake source IP address". There are several ways you can detect spoofed address but i prefer routing methods to detect or identify spoofed address although using netlog in non-routing methods too is effective.

Next time, I will 'dig' into details. Thanks for your concern.

In reply to by Tomas (not verified)

If you want to edit the rp_filter value, you should find the /etc/sysctl.conf file and add the referenced variable to that file:

echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf

then tell the system to reload that configuration file

sysctl -p

Once the system configuration file has the proper configuration value this setting will persist after a reboot.

While you're at it, you might want to make sure to disable source routes:
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0

the command 'sysctl -a' will give you a list of a bunch of tunable parameters and their current value.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.