How to avoid IP Spoofing

#!/bin/bash
 
INT_IF="eth1" # connected to internet 
SERVER_IP="202.54.10.20" # server IP
LAN_RANGE="192.168.1.0/24" # your LAN IP range 
 
# Add your IP range/IPs here,  
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
 
IPT="/sbin/iptables" # path to iptables
 
# default action, can be DROP or REJECT 
ACTION="DROP"
 
# Drop packet that claiming from our own server
$IPT -A INPUT -i $INT_IF -s $SERVER_IP -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $SERVER_IP -j $ACTION
 
# Drop packet that claiming from our own internal LAN
$IPT -A INPUT -i $INT_IF -s $LAN_RANGE -j $ACTION
$IPT -A OUTPUT -o $INT_IF -s $LAN_RANGE -j $ACTION
 
for ip in $SPOOF_IPS
do
 $IPT -A INPUT -i $INT_IF -s $ip -j $ACTION
 $IPT -A OUTPUT -o $INT_IF -s $ip -j $ACTION
done

Save and close the file. Call above script from your own iptables script.
Add following line to your /etc/sysctl.conf
 
net.ipv4.conf.all.rp_filter = 1

Leave a Reply