Add dynamic IP antispoofing rules to your nftables firewall with NetworkManager. Prevent spoofing of your computer’s network interfaces using dynamic nftables rules.
Why?
A while ago I wrote the article Migrate from iptables to nftables, in which I explained how to migrate from iptables to nftables and why. Many of you may have noticed that it included a static antispoofing rule.
The computer on which I configured that firewall acts as a server: it has only that one network interface and doesn’t change networks. So, configuring a static antispoofing rule on that computer is very simple and very easy to maintain.
But what happens when the computer is, for example, a laptop? A laptop typically has two network interfaces and may frequently switch between networks. Maintaining static antispoofing rules by hand in this scenario would be horrible.
What is IP spoofing?
Spoofing is the act of faking your identity in a digital environment to impersonate a trusted source. There are many types of spoofing: email spoofing, web spoofing, caller ID spoofing, IP spoofing… For brevity, in this post I will focus only on IP spoofing, and specifically on protecting our computer’s own interfaces against it using dynamic nftables rules and NetworkManager.
IP spoofing is a type of spoofing where an attacker creates IP packets with a false source IP address. This is possible because the design of the internet’s communication protocols, specifically TCP/IP, doesn’t always verify the source IP address of a packet.
Why is IP spoofing dangerous?
IP spoofing is dangerous because it allows attackers to bypass security measures and launch powerful and stealthy attacks, for example:
DDoS
Attackers flood a server with an overwhelming amount of traffic. By using spoofed IP addresses they make it nearly impossible to block the malicious traffic, since the packets may appear to come from random IPs, from trusted IPs, or, in the case this post addresses, from the legitimate IPs of our own machine.
Bypass authentication
Some systems rely on IP address authentication. If an attacker can spoof that IP, they will be able to access the “protected” resources.
Masking identity
By spoofing the source IP, an attacker remains anonymous throughout the attack. This makes it incredibly difficult for sysadmins to trace the attack back to its origin.
Adding dynamic antispoofing rules to nftables
For this to work, the inet table “filter” and its chain “INPUT” must already exist (the script below adds its rules to inet filter INPUT; nft will refuse the rules otherwise).
We create the script 10-nftables-antispoofing in /etc/NetworkManager/dispatcher.d/ (as root) with the following content (the script is commented so that it is self-explanatory):
#!/usr/bin/env bash
# NetworkManager dispatcher script: drop packets that arrive on an interface
# with one of that interface's own IP addresses as source.
# $1 = interface name
# $2 = action (up, down, dhcp4-change, dhcp6-change, ...)
interface="${1:-}"
action="${2:-}"
[ -n "$interface" ] || exit 0
# Delete the antispoofing rules of an interface for one family ("ip" or "ip6").
# The trailing "saddr " keeps the "ip" pattern from also matching the "ip6" rules.
delete_rules() {
    local interface="$1"
    local family="$2"
    nft -a list ruleset | grep "iifname \"$interface\" $family saddr " | while read -r line; do
        handle=$(echo "$line" | sed -n 's/.* handle \([0-9]*\).*/\1/p')
        if [ -n "$handle" ]; then
            nft delete rule inet filter INPUT handle "$handle"
        fi
    done
}
# Add one drop rule per address currently assigned to the interface. An interface
# usually has several IPv6 addresses (link-local plus global), so a single rule is not enough.
add_rules() {
    local interface="$1"
    local family="$2"
    local keyword="inet"
    [ "$family" = "ip6" ] && keyword="inet6"
    local addr
    for addr in $(ip addr show "$interface" | awk -v kw="$keyword" '$1==kw {gsub("/.*","",$2); print $2}'); do
        nft add rule inet filter INPUT iifname "$interface" "$family" saddr "$addr" drop
    done
}
case "$action" in
    up|dhcp4-change|dhcp6-change)
        # Interface connected or its configuration changed: replace the old rules
        delete_rules "$interface" "ip"
        delete_rules "$interface" "ip6"
        add_rules "$interface" "ip"
        add_rules "$interface" "ip6"
        ;;
    down)
        # Interface disconnected: remove its rules
        delete_rules "$interface" "ip"
        delete_rules "$interface" "ip6"
        ;;
esac
Scripts placed in /etc/NetworkManager/dispatcher.d/ should be named with a two-digit number (between 00 and 99) followed by a descriptive name, that is, XX-name. NetworkManager executes these scripts in numerical order, from lowest to highest, and runs them as root.
We give execution permissions to the script:
sudo chmod +x /etc/NetworkManager/dispatcher.d/10-nftables-antispoofing
Now the script will be executed automatically when we connect or disconnect a network interface managed by NetworkManager, or when its configuration changes.
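To check the text-processing steps of the dispatcher script without root and without waiting for a real NetworkManager event, here is an added dry-run example of mine (not code from the original post): it feeds constructed “ip addr show” and “nft -a list ruleset” output through the same awk/grep/sed filters and prints the nft commands that would be executed, instead of running them. The interface names, addresses and handles in the samples are made up, and the function names addresses, rule_handles and plan are my own choice.

```shell
#!/usr/bin/env bash
# Dry run of the dispatcher logic: parse constructed command output and print
# the nft commands that would be executed for an interface, without touching nft.

# Constructed sample of `ip addr show wlan0` (not captured from a real machine).
SAMPLE_IP_ADDR='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic noprefixroute wlan0
       valid_lft 3600sec preferred_lft 3600sec
    inet6 2001:db8::10/64 scope global dynamic noprefixroute
       valid_lft 3600sec preferred_lft 3600sec
    inet6 fe80::1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever'

# Constructed sample of `nft -a list ruleset` with antispoofing rules for two interfaces.
SAMPLE_RULESET='table inet filter { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        iifname "lo" accept # handle 4
        iifname "wlan0" ip saddr 192.0.2.10 drop # handle 7
        iifname "wlan0" ip6 saddr fe80::1 drop # handle 8
        iifname "eth0" ip saddr 198.51.100.5 drop # handle 9
    }
}'

# addresses <inet|inet6>: one address per line with the prefix length stripped
# (stdin = output of ip addr show)
addresses() {
    awk -v kw="$1" '$1==kw {gsub("/.*","",$2); print $2}'
}

# rule_handles <interface> <ip|ip6>: handles of the matching antispoofing rules
# (stdin = output of nft -a list ruleset). The "saddr " after the family keeps
# the "ip" pattern from matching "ip6" rules as well.
rule_handles() {
    grep "iifname \"$1\" $2 saddr " | sed -n 's/.* handle \([0-9]*\).*/\1/p'
}

# plan <interface>: the nft commands the dispatcher would run on up/dhcp-change:
# first delete the interface's old rules, then add one rule per current address.
plan() {
    local iface="$1" family kw addr handle
    for family in ip ip6; do
        for handle in $(printf '%s\n' "$SAMPLE_RULESET" | rule_handles "$iface" "$family"); do
            echo "nft delete rule inet filter INPUT handle $handle"
        done
    done
    for family in ip ip6; do
        kw=inet
        [ "$family" = ip6 ] && kw=inet6
        for addr in $(printf '%s\n' "$SAMPLE_IP_ADDR" | addresses "$kw"); do
            echo "nft add rule inet filter INPUT iifname \"$iface\" $family saddr $addr drop"
        done
    done
}

plan wlan0
```

Running it prints two delete commands (handles 7 and 8, the wlan0 rules only; the eth0 rule is left alone) followed by three add commands, one for the IPv4 address and one for each of the two IPv6 addresses; that is the same sequence the dispatcher script performs for real when NetworkManager calls it.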
Enjoy! ;)