لطفا منتظر باشید ...
Recipe 2.1 Enabling Source Address Verification
2.1.1 Problem
You
want to prevent remote hosts from spoofing incoming packets as if
they had come from your local machine.
2.1.2 Solution
Turn on source address verification in the
kernel. Place the
following code into a system boot file (i.e., linked into the
/etc/rc.d hierarchy) that executes before any
network devices are enabled:
#!/bin/sh
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "done"
Or, to perform the same task after network devices are enabled:
#!/bin/sh
CONF_DIR=/proc/sys/net/ipv4/conf
CONF_FILE=rp_filter
if [ -e ${CONF_DIR}/all/${CONF_FILE} ]; then
echo -n "Setting up IP spoofing protection..."
for f in ${CONF_DIR}/*/${CONF_FILE}; do
echo 1 > $f
done
echo "done"
fi
A quicker method may be to add this line to
/etc/sysctl.conf:
net.ipv4.conf.all.rp_filter = 1
and run sysctl to reread the configuration
immediately:
# sysctl -p
2.1.3 Discussion
Source address verification is a kernel-level feature that drops
packets that appear to come from your internal
network, but do not. Enabling this feature should be your first
network-related security task. If your kernel does not support it,
you can set up the same effect using firewall rules, but it takes
more work. [Recipe 2.2]
2.1.4 See Also
sysctl(8). Source address verification is explained in
the IPCHAINS-HOWTO at http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-5l#ss5.7.
