Shulou(Shulou.com)06/01 Report--

This article mainly shows you "how to use the Linux firewall to isolate local fraudulent addresses", the content is easy to understand, clear, hope to help you solve doubts, the following let the editor lead you to study and learn "how to use the Linux firewall to isolate local fraudulent addresses" this article.

Preface

Even for remote networks protected by intrusion detection and isolation systems, hackers are looking for ingenious ways to invade. IDS/IPS can't stop or reduce hacker attacks that want to take control of your network. Inappropriate configuration allows attackers to bypass all deployed security measures.

In this article, I will explain how security engineers or system administrators can avoid these attacks.

Almost all Linux distributions come with a built-in firewall to protect processes and applications running on Linux hosts. Most firewalls are designed according to the IDS/IPS solution, the main purpose of which is to detect and prevent malicious packets from gaining access to the network.

Linux firewalls usually have two interfaces: iptables and ipchains programs (LCTT). On systems that support systemd, the updated interface firewalld is used. Most people call these interfaces iptables firewalls or ipchains firewalls. Both interfaces are designed as packet filters. Iptables is a stateful firewall that makes decisions based on previous packages. Ipchains does not make decisions based on previous packages, it is designed as a stateless firewall.

In this article, we will focus on the iptables firewall that emerged after kernel 2.4.

With iptables Firewall, you can create policies or ordered rule sets that tell the kernel what to do with specific packets. In the kernel is the Netfilter framework. Netfilter is both the framework and the project name of the iptables firewall. As a framework, Netfilter allows iptables to hook up functions designed to manipulate packets. In a nutshell, iptables relies on the Netfilter framework to build functions such as filtering packet data.

Each iptables rule is applied to a chain in a table. An iptables chain is a set of rules that compare similar features in a package. Tables, such as nat or mangle, describe different functional directories. For example, the mangle table is used to modify package data. Therefore, specific rules for modifying packet data are applied here, while filtering rules are applied to the filter table because the filter table filters the packet data.

Iptables rules have a matching set and a goal such as Drop or Deny, which tells iptables what to do with a package to comply with the rules. Therefore, without goals and matching sets, iptables cannot process packages effectively. If a package matches a rule, the target points to a specific action to be taken. On the other hand, in order for iptables to process, each packet must match before it can be processed.

Now that we know how iptables Firewall works, let's look at how to use iptables Firewall to detect and reject or discard spoofed addresses.

Open source address verification

As a security engineer, the first step I take when dealing with remote spoofed addresses is to verify open source addresses in the kernel.

Source address verification is a kernel-level feature that discards packets disguised as coming from your network. This feature uses the reverse path filter method to check whether the source address of the received packet is reachable through the interface of the packet. (LCTT translation note: the source address of the arriving packet should be able to reverse from the network interface on which it arrived, as long as the source and destination addresses are reversed.)

You can use the following simple script to verify the open source address without manual operation:

#! / bin/sh# author: Michael K Aboagye# Program goal: open reverse path filtering # date: 7Universe 02Universe displays "enabling source address verification" echo-n "Enabling source address verification …" on the screen. # overwrite the value 0 to 1 to verify the open source address echo 1 > / proc/sys/net/ipv4/conf/default/rp_filterecho "completed"

The above script only displays the message Enabling source address verification and does not wrap when it is executed. The default value for reverse path filtering is 0, which means that there is no source authentication. Therefore, the second line simply overrides the default value of 0 to 1. 1 indicates that the kernel will verify the source address by confirming the reverse path.

Finally, you can use the following command to discard or reject spoofed addresses from remote hosts by selecting one of the DROP or REJECT targets. However, for security reasons, I recommend using the DROP target.

Replace the IP-address placeholder with your own IP address, as shown below. In addition, you must choose to use either REJECT or DROP, which cannot be used at the same time.

Iptables-An INPUT-I internal_interface-s IP_address-j REJECT / DROP iptables-An INPUT-I internal_interface-s 192.168.0.0Compact 16-j REJECT / DROP

This article only provides the basics of how to use iptables Firewall to avoid remote spoofing attacks.

Via: https://opensource.com/article/18/2/block-local-spoofed-addresses-using-linux-firewall

The above is all the contents of the article "how to use Linux Firewall to isolate Local spoofing addresses". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.