# iptables: Flagging IP Addresses Not in Local Subnet

## wswartzendruber

Is there a way to flag IP addresses that don't belong to the machine's local subnet?

----------

## alex.blackbit

flag? you can use -j MARK --set-mark, if that's what you want.

----------

## wswartzendruber

*alex.blackbit wrote:*

> flag? you can use -j MARK --set-mark, if that's what you want.

Not that kind of flag.  I would like to be able to either ACCEPT or DROP based on whether the source (or destination) of a packet is on the interface's local subnet.

----------

## szczerb

Can't you just use --source and --destination?

----------

## wswartzendruber

*szczerb wrote:*

> Can't you just use --source and --destination?

I have a ThinkPad.  It's DHCP.  The criteria for packets on the local network change.  The goal is to use this to identify IP spoofs.

----------

## szczerb

Then I can't think of anything but a script run each time you bring up the interface... if I remember correctly, it can be easily done with baselayout but it's problematic with NM.

----------

## Hu

Which DHCP client are you using?  What triggers your laptop to acquire an address?

How would this identify any spoofing?

----------

## szczerb

http://en.wikipedia.org/wiki/IP_spoofing#Defense_against_spoofing

I guess that he's got one interface connected to an outside network and one to LAN and wants to drop all packets which originate on the outside network, but have source address as if they were from the LAN.

----------

## xtz

If this is the case, couldn't he filter the packets, based on the interface they come through?

----------

## szczerb

Exactly. He has to filter based on both the IP address and the interface - that's the only way.

----------

## xtz

Ok, so if I understand correctly - he wants to block traffic from:

- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

coming in on the interface connecting him to the outside world?

----------

## suicideducky

Funny you should mention this, I was just configuring iptables yesterday and used these settings to do the job:

    iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP

they are taken from the archlinux wiki page here: http://wiki.archlinux.org/index.php/Simple_stateful_firewall_HOWTO

----------

## xtz

Yeah, forgot to mention the last one, although I doubt you'll ever have packets coming from this source. Please edit your first topic's subject, adding [solved] at the beginning or at the end.

----------

## Hu

*szczerb wrote:*

> http://en.wikipedia.org/wiki/IP_spoofing#Defense_against_spoofing
>
> I guess that he's got one interface connected to an outside network and one to LAN and wants to drop all packets which originate on the outside network, but have source address as if they were from the LAN.

As far as I know, the reverse path filter should handle this on its own.

Dropping bogus private addresses is a worthy addition, and goes beyond what the reverse path filter will do by default.

----------

## think4urs11

RPF can be tricky when you have a setup where asymmetric routing can occur (satellite uplink or routing protocols in action), thus correct bogus filtering is a necessity.

In easiest case (FW to internet with two interfaces) something like '-i $ext-if -s $RFC3330 -j DROP'.

Nowadays even this can be problematic; e.g. my current ISP uses 10.x.y.z/8 IPs for their servers when using their lines. I cannot even connect to their homepage when I don't use their DNS servers, as external DNS servers resolve to their official IP while theirs resolve to some 10.x - and their webserver disallows their own customers to connect to the official IP.
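The "script run each time you bring up the interface" that szczerb suggested, combined with the private-range drops suicideducky posted and the `-s $RFC3330` style rule above, as an added example that is not from this thread or any of its posters: it reads the interface's current lease from `ip -4 addr show` output, works out the subnet, and prints rules that admit that subnet before dropping the private and loopback ranges, so a lease on 192.168.x (or an ISP's 10.x) is not killed by the blanket rule. The `ip` output is a constructed sample, the `LOCALNET` chain name is assumed, and the script prints the iptables commands instead of running them, so it can be reviewed and then piped to sh from a dhcpcd or NetworkManager hook.

```shell
#!/bin/sh
# Constructed sample of `ip -4 addr show dev eth0` output (not captured from a real host).
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.1.37/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86352sec preferred_lft 86352sec'

# Print the network prefix (e.g. 192.168.1.0/24) of the first "inet a.b.c.d/len" line in $1.
# Pure POSIX sh arithmetic, so it runs inside a DHCP hook without extra tools.
subnet_of() {
    cidr=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\/[0-9]*\).*/\1/p' | head -n 1)
    [ -n "$cidr" ] || return 1
    ip=${cidr%/*}; len=${cidr#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    # Pack the four octets into one 32-bit value and mask it with the prefix length.
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Emit anti-spoofing rules for interface $1 given the `ip -4 addr show` output in $2.
# A dedicated chain (assumed name LOCALNET) is rebuilt on every lease change.
antispoof_rules() {
    ifc=$1
    net=$(subnet_of "$2") || { echo "no IPv4 address on $ifc" >&2; return 1; }
    printf 'iptables -N LOCALNET 2>/dev/null; iptables -F LOCALNET\n'
    printf 'iptables -C INPUT -j LOCALNET 2>/dev/null || iptables -I INPUT -j LOCALNET\n'
    # Hosts on the interface's current subnet are legitimate neighbours: hand them back to INPUT.
    printf 'iptables -A LOCALNET -i %s -s %s -j RETURN\n' "$ifc" "$net"
    # Any other private or loopback source arriving on this interface is spoofed or misrouted.
    for bogon in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        printf 'iptables -A LOCALNET -i %s -s %s -j DROP\n' "$ifc" "$bogon"
    done
}

# In a real hook replace the sample with: antispoof_rules eth0 "$(ip -4 addr show dev eth0)" | sh
antispoof_rules eth0 "$SAMPLE_IP_ADDR"
```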

----------

