netfilter IP spoof detection
Scott Ames
scott_ames@yahoo.com
Mon, 26 Jun 2000 14:09:35 -0700 (PDT)
Netfilter mailing list,
We have been doing some in-house testing with the 2.4
kernel and netfilter to see what happens when we spoof
IP packets. We have rules set up to reject and log
spoofed packets but we are not seeing any output to
the log under certain circumstances.
Our rules look like this:
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "Spoof detected:"
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j REJECT
eth0 is the external network card for the firewall.
192.168.x.x is the IP address range for the internal
network. 192.168.1.1 is the IP address of eth1 on the
firewall machine.
When we spoof the source address of an external
machine to appear like the packet came from an
internal machine, the spoof is detected and logged.
When we spoof the source address of an external
machine to appear like the packet came from
192.168.1.1, the packet is still dropped but there is
no log entry. Since the source address appears to
come from the firewall itself, we thought that maybe
netfilter was using the OUTPUT rules rather than the
FORWARD rules. We had a single OUTPUT rule that just
accepts all packets. Since the packet was blocked, it
appears that the OUTPUT rule did not get used.
We are running packet sniffers on both sides of the
firewall to verify which packets are passed/dropped.
To eliminate any possible side effects caused by
netfilter, we recompiled the kernel so that netfilter
was disabled. When repeating the last test, the
packet was blocked. From this we gather that
something in the kernel is blocking the packet before
it gets to netfilter. We thought that this type of
behavior was controlled by
/proc/sys/net/ipv4/conf/all/rp_filter but rp_filter is
set to 0.
Can anyone please shed some light on this for us?
Thanks,
--
Scott Ames
Heimdall Linux, Inc.
3035 Harney Street, Suite 102
Omaha, NE, 68131
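As an added example (not code from Scott's post or from any reply on the list): a small script that emits the anti-spoof rule set with one extra LOG rule in the mangle PREROUTING chain, which runs before the routing decision and therefore before the kernel chooses between INPUT and FORWARD, and that reports the routing-layer sysctls (rp_filter and log_martians) relevant to packets that never reach a filter chain. The interface name eth0 and the 192.168.0.0/16 range are taken from the post; the script name, the "show", "report" and "apply" modes and the /proc root parameter are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the layout in the
# post: eth0 external, 192.168.0.0/16 internal. Rule text is emitted first so
# it can be reviewed without root, and applied only on request.

EXT_IF=${EXT_IF:-eth0}
INT_NET=${INT_NET:-192.168.0.0/16}
IPT=${IPT:-iptables}

# Print the rule set. The mangle PREROUTING LOG runs before the routing
# decision, so it fires for every packet with an internal source address that
# enters eth0, whatever the kernel does with it afterwards (INPUT, FORWARD or
# a drop in the routing code). INPUT rules cover packets addressed to one of
# the firewall's own addresses, which never traverse FORWARD.
antispoof_rules() {
  cat <<EOF
$IPT -t mangle -A PREROUTING -i $EXT_IF -s $INT_NET -j LOG --log-prefix "Spoof pre-route: "
$IPT -A INPUT -i $EXT_IF -s $INT_NET -j LOG --log-prefix "Spoof to host: "
$IPT -A INPUT -i $EXT_IF -s $INT_NET -j DROP
$IPT -A FORWARD -i $EXT_IF -s $INT_NET -j LOG --log-prefix "Spoof detected: "
$IPT -A FORWARD -i $EXT_IF -s $INT_NET -j REJECT
EOF
}

# Read one ipv4 sysctl below a /proc root given as $1 (parameterised so the
# reader can point it at a copy); prints "unknown" when the file is absent.
read_sysctl() {
  f="$1/sys/net/ipv4/$2"
  if [ -r "$f" ]; then
    tr -d '[:space:]' < "$f"
  else
    echo unknown
  fi
}

# Report the routing-layer settings that matter for this kind of test:
# rp_filter (reverse-path check) and log_martians (whether drops made by the
# routing code are logged at all; without it they are silent).
routing_report() {
  root=${1:-/proc}
  printf 'rp_filter=%s\n'    "$(read_sysctl "$root" conf/all/rp_filter)"
  printf 'log_martians=%s\n' "$(read_sysctl "$root" conf/all/log_martians)"
}

case "${1:-}" in
  show)   antispoof_rules ;;
  apply)  antispoof_rules | sh -e ;;   # needs root
  report) routing_report ;;
esac
```

Run it with "show" to review the rules, "report" to read the two sysctls, and "apply" as root to install the rules. A packet that is logged by the PREROUTING rule but by neither the INPUT nor the FORWARD rule was discarded between the two, that is, in the routing step, which is the case the post describes; turning on log_martians makes those discards visible in the kernel log.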