Anti spoofing

Posted on 2003-02-20
Medium Priority
Last Modified: 2008-02-07
I'm not sure about anti-spoofing. Do we need both of these methods, or is one of them enough?

Technique 1
# enable kernel anti-spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     echo 1 > "$f"
done

Technique 2
# Use iptables to block faked IPs
iptables -A INPUT -j drop-reserved -i $EXTIF -s
iptables -A INPUT -j drop-reserved -i $EXTIF -s
iptables -A INPUT -j drop-reserved -i $EXTIF -s
iptables -A INPUT -j drop-reserved -i $EXTIF -s
# ... and some more list

YES or NO answer is accepted,
but more explanation or links will be highly appreciated.

Question by:Kocil

Accepted Solution

BernhardBrueck earned 200 total points
ID: 7998541
Use both. Although they have the same effects in common, there
are differences.
1. Drops packets when they wouldn't be routed at the particular interface. This blocks packets with a srcaddr from inside coming from an outside interface and vice versa.
This also stops a spoofer on the inside from attacking outside hosts (!)
2. Drops packets only from the outside. But it can even drop packets which would be valid for 1 because of the known fact that some networks are unassigned.

Hope that helps,
  Bernhard Brueck
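
The difference described in the accepted answer, as an added example that is not part of the original thread: a small Python model (not kernel or iptables code) of both checks on a constructed two-interface router. The interface names, routes, sample packets and the RFC 1918 stand-in for the question's elided drop-reserved list are assumptions.

```python
import ipaddress

# Constructed topology (assumption): eth0 faces the Internet, eth1 the LAN.
EXTIF = "eth0"
ROUTES = [  # (destination network, outgoing interface)
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),  # default route
]
# Assumed stand-in for the question's elided drop-reserved list: RFC 1918.
RESERVED = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def route_iface(addr):
    """Longest-prefix match: interface used to send a packet to addr."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, dev) for net, dev in ROUTES if ip in net)[1]

def rp_filter_drops(in_iface, src):
    """Technique 1 (rp_filter=1): drop when the route back to src does not
    leave through the interface the packet arrived on."""
    return route_iface(src) != in_iface

def reserved_rule_drops(in_iface, src):
    """Technique 2: drop reserved sources, only on the external interface."""
    ip = ipaddress.ip_address(src)
    return in_iface == EXTIF and any(ip in net for net in RESERVED)

# Constructed sample packets: (arrival interface, source address, description).
PACKETS = [
    ("eth0", "192.168.1.50", "LAN address arriving from outside"),
    ("eth1", "203.0.113.7", "foreign address arriving from inside"),
    ("eth0", "10.9.8.7", "reserved address arriving from outside"),
    ("eth0", "198.51.100.20", "ordinary Internet source"),
    ("eth1", "192.168.1.50", "ordinary LAN source"),
]

def verdicts():
    """Return (iface, src, dropped_by_1, dropped_by_2) for each sample."""
    return [(i, s, rp_filter_drops(i, s), reserved_rule_drops(i, s))
            for i, s, _ in PACKETS]

if __name__ == "__main__":
    for (iface, src, t1, t2), (_, _, note) in zip(verdicts(), PACKETS):
        print(f"{iface} {src:15} rp_filter={'DROP' if t1 else 'pass'} "
              f"iptables={'DROP' if t2 else 'pass'}  # {note}")
```

The second and third sample packets are the ones where the two techniques disagree, one in each direction.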

Author Comment

ID: 8016591
Thanks, but one more question.
Does the first technique ensure that internal IPs (10.x.x.x, 172.16-31.x.x, 192.x.x.x) will not leak to the external network in case I accidentally turn on forwarding and forget to masquerade?

