As a security best practice, configure your host machines to use IPv4 reverse path filtering. Reverse path filtering protects against spoofed source addresses by causing the system to discard packets whose source address has no route, or whose route does not point back through the interface on which the packet arrived.

Configure your system to use reverse path filtering whenever possible. Depending on the system role, reverse path filtering might cause legitimate traffic to be discarded. In such cases, you might need to use a more permissive mode or deactivate reverse path filtering altogether.

Procedure

  1. Run the following command on the host system to check whether the system uses IPv4 reverse path filtering:
     # grep [01] /proc/sys/net/ipv4/conf/*/rp_filter | egrep "default|all"
  2. Configure the host system to use IPv4 reverse path filtering.
    1. Open the /etc/sysctl.conf file to configure the host system.
    2. If the values are not 1, add the following entries to the file, or update the existing entries so that both values are 1.
      net.ipv4.conf.all.rp_filter=1
      net.ipv4.conf.default.rp_filter=1
    3. Save the changes and close the file.
    4. Run # sysctl -p to apply the configuration.
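To make the check in step 1 and the configuration in step 2 repeatable, the following shell script is an added example (it is not part of the original guide). It reports the rp_filter mode of every interface, warns when the all and default entries are not strict, and verifies that /etc/sysctl.conf carries both required entries set to 1. The directory and file arguments, the RP_FILTER_LIVE variable, and the sample tree and sample sysctl.conf are assumptions made for this example so that it can also run offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit IPv4 reverse path
# filtering on the live kernel and in the persistent sysctl.conf. It assumes
# the standard sysctl layout /proc/sys/net/ipv4/conf/<iface>/rp_filter; the
# functions take a directory or file argument so they can run against a
# constructed tree offline.

# Map a kernel rp_filter value to its mode (0 = off, 1 = strict, 2 = loose).
rp_filter_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Print "<iface> <value> <mode>" for every interface under the conf directory.
# The kernel applies max(all, <iface>) per interface, so the per-interface
# rows show where a setting has been overridden locally.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$conf_dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        value=$(cat "$f")
        printf '%s %s %s\n' "$iface" "$value" "$(rp_filter_mode_name "$value")"
    done
}

# Return 0 when both "all" and "default" are 1 (the values the guide's grep
# looks for); warn on stderr and return 1 otherwise.
rp_filter_is_strict() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for name in all default; do
        value=$(cat "$conf_dir/$name/rp_filter" 2>/dev/null || echo missing)
        if [ "$value" != "1" ]; then
            echo "WARN: net.ipv4.conf.$name.rp_filter=$value (expected 1)" >&2
            rc=1
        fi
    done
    return $rc
}

# Check the persistent configuration: print "key=current" for each required
# entry that is missing or not 1; return 0 only when both are present and 1.
# The last uncommented assignment wins; whitespace around '=' is allowed.
sysctl_conf_missing() {
    conf_file="$1"
    rc=0
    for key in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        current=$(grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$conf_file" 2>/dev/null \
                  | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$current" != "1" ]; then
            printf '%s=%s\n' "$key" "${current:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data for an offline run: a fake sysctl tree where
# "default" is unfiltered and eth0 is in loose mode, and a sysctl.conf that
# sets "all" to loose and only mentions "default" in a comment.
make_sample_tree() {
    dir=$(mktemp -d)
    for iface in all default eth0 lo; do
        mkdir -p "$dir/$iface"
    done
    echo 1 > "$dir/all/rp_filter"
    echo 0 > "$dir/default/rp_filter"
    echo 2 > "$dir/eth0/rp_filter"
    echo 0 > "$dir/lo/rp_filter"
    echo "$dir"
}

make_sample_conf() {
    file=$(mktemp)
    printf 'net.ipv4.conf.all.rp_filter = 2\n' > "$file"
    printf '# net.ipv4.conf.default.rp_filter=1\n' >> "$file"
    echo "$file"
}

# Audit the live system when RP_FILTER_LIVE=1; otherwise nothing runs on load.
if [ "${RP_FILTER_LIVE:-0}" = "1" ]; then
    rp_filter_report
    rp_filter_is_strict && echo "rp_filter: all/default are strict"
    sysctl_conf_missing /etc/sysctl.conf || echo "sysctl.conf: set the entries above to 1"
fi
```

Run it as `RP_FILTER_LIVE=1 sh rp_filter_audit.sh` on the host to get the per-interface report alongside the two checks. Value 2 (loose mode) is the "more permissive mode" the note above refers to: the kernel only requires that some route to the source address exists, not that it points back through the arriving interface, which is what hosts with asymmetric routing typically need. Because the kernel takes the maximum of the all and per-interface values, a per-interface 0 does not relax filtering while all is 1; the default entry only seeds interfaces created later, which is why the guide has you check both.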