[Gllug] iptables - a quick question
Robert J. McKay
robert at mckay.com
Thu Nov 29 15:04:59 UTC 2001
On Thu, 29 Nov 2001, will wrote:
> tet at accucard.com wrote:
>
> >>>You are, of course, setting firewall rules to detect incoming packets
> >>>with spoofed local addresses.
> >>>
> >>How is this possible? How do you detect a spoofed IP?
> >>
> >
> > It's a firewall, so you have two network interfaces, one to the outside
> > world, one to your internal network. If packets come in on the externally
> > connected interface claiming to have a source IP from your internal
> > network, then they're obviously spoofed, and should be blocked.
> I only have one nic as the PC is my workstation. Is it possible to
> spoof an IP as 127.0.0.1, or localhost across the Internet? One of the
> enterprise (!starship) techs suggested that the linux kernel would not
> allow a packet to be sent out with a source IP of 127.0.0.1.
There may be some truth to this, although it could be that it could be got
to work by changing some configuration options. Specifically, I was unable
to send packets by binding to the loopback device. I also tried /sbin/ifconfig
lo down and putting another device (dummy0) up on 127.0.0.1, and that also
failed, but I'm not convinced the lo device was truly gone. In any event I
was able to send spoofed packets from 127.0.0.1 using SOCK_RAW and that
worked fine.
Regards,
Robert McKay.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
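The anti-spoof test discussed in this thread (a packet arriving on the outward-facing interface with a loopback or internal source address cannot be genuine) written out as a small, testable decision function, with the equivalent iptables drop rules generated from the same prefix list. This is an added example, not code from the thread; the interface names eth0/eth1 and the 192.168.1.0/24 LAN are constructed assumptions, and the policy for a single-NIC workstation is just the eth0 entry on its own.

```python
import ipaddress

# Prefixes that should never be the source of a packet arriving from the
# Internet: loopback plus the RFC 1918 private ranges.
PRIVATE_PREFIXES = [ipaddress.ip_network(n) for n in
                    ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-interface policy: which of those prefixes may legitimately
# be a source on each interface. eth0 (external) allows none of them, which is
# also the complete policy for a workstation that has only one NIC.
ALLOWED_ON = {
    "eth0": [],
    "eth1": [ipaddress.ip_network("192.168.1.0/24")],   # assumed internal LAN
    "lo": [ipaddress.ip_network("127.0.0.0/8")],
}

def is_spoofed(iface: str, src: str) -> bool:
    """True if a packet with source `src` arriving on `iface` claims a local or
    private address that cannot legitimately originate on that interface."""
    addr = ipaddress.ip_address(src)
    if not any(addr in p for p in PRIVATE_PREFIXES):
        return False  # public source: this check cannot judge it either way
    return not any(addr in p for p in ALLOWED_ON.get(iface, []))

def iptables_rules(ext_if: str = "eth0") -> list:
    """The same policy as stateless iptables INPUT rules for the external NIC."""
    return [f"iptables -A INPUT -i {ext_if} -s {p} -j DROP" for p in PRIVATE_PREFIXES]

def triage(records):
    """records: iterable of (iface, src) pairs; returns the ones to drop."""
    return [(i, s) for i, s in records if is_spoofed(i, s)]

if __name__ == "__main__":
    # Constructed sample of arriving packets (interface, claimed source).
    sample = [("eth0", "127.0.0.1"), ("eth0", "192.168.1.7"),
              ("eth0", "203.0.113.9"), ("eth1", "192.168.1.7"),
              ("eth1", "10.0.0.5"), ("lo", "127.0.0.1")]
    for rec in triage(sample):
        print("DROP", rec)
    print("\n".join(iptables_rules()))
```

The generated rules only cover what arrives on the external interface; a spoofed loopback source sent from the same host via SOCK_RAW, as described in the reply, never traverses eth0 and is a separate, host-local concern.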