[TheForge] off-topic: request

Terry L. Ridder
Tue Jun 25 21:32:02 2002


hello;

not that tall an order.

standard operating procedure is to drop any packets
which have any ip options set. that takes out most
ip spoofing since in order to spoof they need to use
source routing. there are few asymmetric routes in the
internet, so it is easy to determine if a packet would
go out the same interface it came in on, if it would
not the packet is dropped.

i am not entirely sure what you mean by 'major gateway'.

the average internet end user does not care what routers
and routes their packets take to get from their computer to
a remote computer. the routers and routes are pretty much
transparent to the end user. we are not blocking routers
we are blocking to remote endpoint.

currently, we are blocking all smtp traffic from most of
the far east. we are also blocking ports known to be targets
of the crackers and viruses. typical ports would be
tcp/22, udp/22 ( ssh )
tcp/1433, udp/1433 ( ms-sql )

given the way the rules work it is relatively easy to 'accept'
one particular computer while 'dropping' the rest of the ip
address block.

example:

192.168.10.0/24 is the ip range we want to block, but we
                want to accept 192.168.10.1/32.

using '--insert' instead of '--append' the rules are 'pushed'
down. so the rules are inserted in reverse order.

# chain and target names are case-sensitive in iptables.
# the DROP for the whole block is inserted first; the ACCEPT for the
# single host is inserted afterwards and so lands above it in the chain.
iptables --table nat --insert PREROUTING --source 192.168.10.0/24 \
    --destination 0.0.0.0/0 --jump DROP

iptables --table nat --insert PREROUTING --source 192.168.10.1/32 \
    --destination 0.0.0.0/0 --jump ACCEPT

packets from 192.168.10.1/32 will be accepted while all other
packets from 192.168.10.0/24 will be dropped.


On Tue, 25 Jun 2002, Demon Buddha wrote:

"Terry L. Ridder" wrote:
terrylr>
terrylr> the goal is to block the spammers, crackers, virus,
terrylr> porn peddlers before they ever get into the network
terrylr> and also to prevent them from routing through the
terrylr> network. basically, isolate them from portions of
terrylr> the internet.
terrylr>

demon> 
demon> 	This is a very tall order. IP can still be spoofed AFAIK,
demon> 	and you may be blocking a major gateway that will isolate
demon> 	a lot of legitimate traffic.  I could be wrong, and hope I
demon> 	am, but it seems you will do a lot of work only to find it
demon> 	promptly defeated.  Best luck in any event.
demon> 

-- 
Terry L. Ridder ><>
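A small model of the chain ordering described in the post above, added here as an example; it is not part of the original message and not iptables itself. It reproduces only first-match evaluation and the --insert/--append difference, so the accept-one-host exception can be checked offline before touching a live firewall. The function names and the RFC 1918 sample addresses are constructed for the example.

```python
"""Model of iptables chain ordering (added example, not from the post).
Reproduces first-match evaluation and the --insert/--append difference."""
import ipaddress

# a rule is (source network, verdict); verdict is "ACCEPT" or "DROP"


def insert(chain, rule):
    """iptables --insert: the new rule goes to the top (position 1)."""
    chain.insert(0, rule)


def append(chain, rule):
    """iptables --append: the new rule goes to the bottom."""
    chain.append(rule)


def verdict(chain, src, policy="ACCEPT"):
    """First rule whose source network contains src decides the packet;
    if nothing matches, the chain policy applies (assumed ACCEPT here)."""
    addr = ipaddress.ip_address(src)
    for net, target in chain:
        if addr in net:
            return target
    return policy


def build(method):
    """Issue the two rules in the order the post gives them: the /24 DROP
    first, then the /32 ACCEPT, using either insert or append."""
    chain = []
    method(chain, (ipaddress.ip_network("192.168.10.0/24"), "DROP"))
    method(chain, (ipaddress.ip_network("192.168.10.1/32"), "ACCEPT"))
    return chain


if __name__ == "__main__":
    # constructed sample sources: the excepted host, another host in the
    # blocked range, and an unrelated address
    for name, method in (("--insert", insert), ("--append", append)):
        chain = build(method)
        print(name, [(str(net), target) for net, target in chain])
        for ip in ("192.168.10.1", "192.168.10.7", "10.0.0.5"):
            print(f"  {ip:14} -> {verdict(chain, ip)}")
```

With --insert the /32 ACCEPT ends up above the /24 DROP and the exception works; with --append in the same order the /32 rule sits below the DROP and is never reached.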