We had following below iptables rules that exist in our web front-end boxes to prevent IP Spoofing:
-A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 0.0.0.0/8 -j DROP
We want to add below rules now to further harden IP Spoofing prevention
-A INPUT -s 224.0.0.0/3 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT –s 169.254.0.0/16 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT –s 240.0.0.0/5 -j LOG --log-prefix "Spoofed source IP"
-A INPUT -s 240.0.0.0/5 -j DROP
Do you suggest adding above rules in a production box running Apache httpd as a reverse proxy? This production box is behind a F5 load balancer.
Also, do we need to enable the below kernel parameters for the above rules to work effectively?
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1