Linux – iptables and blocking potentially impossible traffic

Tags: firewall, iptables, linux, Security

I am working on some iptables firewall rules and have seen many examples that suggest the importance of blocking potentially impossible traffic from non-routable IP address spaces. This would include items from RFC 1918, RFC 1700, RFC 5735, RFC 3927, RFC 3068, RFC 2544, RFC 5737, RFC 3171, and RFC 919. Some examples include the following:

  • $CURRENT_IP
  • 0.0.0.0/8
  • 10.0.0.0/8
  • 127.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.0.0.0/24
  • 192.0.2.0/24
  • 192.88.99.0/24
  • 192.168.0.0/16
  • 198.18.0.0/15
  • 198.51.100.0/24
  • 203.0.113.0/24
  • 224.0.0.0/4
  • 240.0.0.0/4
  • 255.255.255.255

Some of the examples indicate that you only need to worry about checking for this traffic if it is the source of the traffic. Example of:

$IPT -A ANTISPOOF -s 0.0.0.0/8 -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "Denied Spoofed Source IP Address: "
$IPT -A ANTISPOOF -s 0.0.0.0/8 -j DROP

In other examples, a more aggressive stance is taken where they check for the source and destination for both input and output. Examples include:

iptables -A INPUT -d 172.0.0.0/8 -j DROP
iptables -A INPUT -s 172.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.0.0.0/8 -j DROP
iptables -A OUTPUT -s 172.0.0.0/8 -j DROP

I remain with the following questions:

  • Do I need to check for the source address of the IP ranges listed above in the bulleted list?
  • Do I need to check for the destination address of the IP ranges listed above in the bulleted list?
  • Is it important to create rules for the IP ranges listed above that would include both the INPUT and OUTPUT chains?
  • Are there any IP ranges that I have forgotten to check that are missing from the bulleted list above?

Thanks in advance for your help with this.

Best Answer

Most of the above ruleset deals with what is typically called Bogon Filtering: http://en.wikipedia.org/wiki/Bogon_filtering - These are packets that are to/from unallocated areas of the address space.

3 of those ranges, however, are RFC1918 private networks: http://en.wikipedia.org/wiki/Private_networks - Packets from these can still class as Bogons, but only if they're not legitimate. (Even a rose is a weed, if it's growing in the middle of a car park...)

If this is a router you're working with, consider the following:

  • The INPUT and OUTPUT chains deal with traffic destined to / from (respectively) some local process on the firewall itself. Most routed traffic won't touch these chains.
  • The FORWARD chain deals with traffic routed through the machine for some other destination.
  • Typically, you'll want to block inbound traffic from those source networks and outbound traffic to those destination networks. Have a look at the -i flag to iptables, which lets you limit a match to a given network adaptor.
    • I second topdog, though, in that trapping outbound traffic like this is probably not necessary. If it's your server, you should be in control of what it's sending.
  • Remember that your internal LAN probably uses one of the private address ranges. You probably still want to allow that traffic through.
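As an added example (not part of the question or the answer above), the following POSIX shell function turns the answer's advice into a concrete rule set: the source-address checks are attached with -i to the inbound interface only, on INPUT and FORWARD, and the private range your own LAN uses can be left out of the list. The interface name eth0 and the LAN range 192.168.0.0/16 in the usage line are constructed values for this example; the bogon ranges are the ones from the question.

```shell
#!/bin/sh
# gen_antispoof IFACE [LAN_NET]
# Prints iptables commands that build an ANTISPOOF chain and hook it into
# INPUT and FORWARD for packets arriving on IFACE only (the -i match the
# answer refers to). If LAN_NET is given and appears in the bogon list, that
# range is left out so traffic from your own LAN is not dropped, e.g. on a
# single-homed server whose only interface sits on the private network.
# The ranges below are the ones from the question; eth0 and 192.168.0.0/16
# in the usage line are constructed values for this example.

BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"

gen_antispoof() {
    iface="$1"
    lan="${2:-}"
    echo "iptables -N ANTISPOOF"
    # Source checks belong on the inbound side: INPUT for traffic addressed
    # to the firewall itself, FORWARD for traffic routed through it.
    echo "iptables -A INPUT -i $iface -j ANTISPOOF"
    echo "iptables -A FORWARD -i $iface -j ANTISPOOF"
    for net in $BOGONS; do
        if [ "$net" = "$lan" ]; then
            echo "# $net skipped: local LAN range"
            continue
        fi
        # Rate-limited log so a flood of spoofed packets cannot fill the logs.
        echo "iptables -A ANTISPOOF -s $net -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix \"Denied Spoofed Source IP Address: \""
        echo "iptables -A ANTISPOOF -s $net -j DROP"
    done
    # Anything not matched goes back to the calling chain.
    echo "iptables -A ANTISPOOF -j RETURN"
}

# Review the output first, then pipe it to sh as root on the firewall:
#   gen_antispoof eth0 192.168.0.0/16 | sh
gen_antispoof eth0 192.168.0.0/16
```

Traffic from the LAN interface never reaches ANTISPOOF because of the -i match, so on a two-interface router the LAN_NET argument is only needed when the private range must also be accepted on the checked interface.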