10.5. Source Address Filtering

All IP packet headers contain the source and destination IP addresses and the type of IP protocol message; ICMP, UDP or TCP this packet contains. The only means of identification under the Internet Protocol - IP) is the source address in the IP packet header. This is a problem that opens the door to source address spoofing, where the sender may replaces its address with either a nonexistent address, or the address of some other site.

          
          # Refuse spoofed packets pretending to be from the external address.
          ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
          
          

Also, there are at least seven sets of source addresses you should refuse on your external interface in all cases. These are incoming packets claiming to be from:

  1. Your external IP address

  2. Class A private IP addresses

  3. Class B private IP addresses

  4. Class C private IP addresses

  5. Class D multicast addresses

  6. Class E reserved addresses

  7. The loopback interface

With the exception of your own IP address, blocking outgoing packets containing these source addresses protects you from possible configuration errors on your part.

Important: Don't forget to exclude your own IP address from outgoing packets blocked. By default I choose to exclude the Class C private IP addresses since it's the most used by the majority of people at this time. If you used another class instead of the Class C, then you must comment out the lines that refer to your class under the SPOOFING & BAD ADDRESSES section of the firewall. script file.

The rest of the rules used in the firewall scripts files are: