[Gllug] iptables - a quick question

Robert J. McKay robert at mckay.com
Thu Nov 29 15:04:59 UTC 2001


On Thu, 29 Nov 2001, will wrote:

> tet at accucard.com wrote:
> 
> >>>You are, of course, setting firewall rules to detect incoming packets 
> >>>with spoofed local addresses.
> >>>
> >>How is this possible?  How do you detect a spoofed IP?
> >>
> > 
> > It's a firewall, so you have two network interfaces, one to the outside
> > world, one to your internal network. If packets come in on the externally
> > connected interface claiming to have a source IP from your internal
> > network, then they're obviously spoofed, and should be blocked.

> I only have one nic as the PC is my workstation.  Is it possible to 
> spoof an IP as 127.0.0.1, or localhost across the Internet?  One of the 
> enterprise (!starship) techs suggested that the linux kernel would not 
> allow a packet to be sent out with a source IP of 127.0.0.1.

There may be some truth to this, although it could be that it could be got
to work by changing some configuration options. Specifically, I was unable
to send packets by binding to the loopback device. I also tried /sbin/ifconfig
lo down and putting another device (dummy0) up on 127.0.0.1 and that also
failed, but I'm not convinced the lo device was truly gone. In any event I
was able to send spoofed packets from 127.0.0.1 using SOCK_RAW and that
worked fine.

Regards,

Robert McKay.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
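The anti-spoofing check described in the quoted reply (drop anything arriving on the outside-facing interface that claims a loopback or internal-network source), written out as an added example that is not part of the original thread. The interface names (eth0, ppp0) and the network 192.168.1.0/24 are placeholders; for the single-NIC workstation case, pass the host's own address as a /32 instead of a subnet.

```shell
#!/bin/sh
# Anti-spoofing iptables rules for the case discussed in the thread.
# Assumed/placeholder values: EXT_IF (interface facing the Internet) and
# INT_NET (the internal network, or the host's own address as /32).
# By default the commands are only printed; set APPLY=1 to execute them.

# Print one command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# antispoof_rules EXT_IF INT_NET
#   A packet arriving on EXT_IF can never legitimately carry a source
#   address from the loopback range, the "this network" range, or the
#   internal network itself, so such packets are logged and dropped.
antispoof_rules() {
    ext_if=$1
    int_net=$2
    for src in 127.0.0.0/8 0.0.0.0/8 "$int_net"; do
        # Log first so spoofing attempts are visible in the kernel log.
        run iptables -A INPUT   -i "$ext_if" -s "$src" -j LOG --log-prefix SPOOF:
        run iptables -A INPUT   -i "$ext_if" -s "$src" -j DROP
        # Same check for packets that would be routed through this box.
        run iptables -A FORWARD -i "$ext_if" -s "$src" -j DROP
    done
    # Let the kernel apply the equivalent check itself: reverse-path
    # filtering discards a packet whose source would be routed back out
    # a different interface (e.g. 127.0.0.0/8, which belongs to lo).
    run sysctl -w "net.ipv4.conf.$ext_if.rp_filter=1"
}

# Number of DROP rules a ruleset generates (3 ranges x 2 chains = 6).
count_drop_rules() {
    antispoof_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Dry run with placeholder values; prints the commands without applying them.
antispoof_rules eth0 192.168.1.0/24
```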