IP Spoofing

The best information comes straight from the IP Chains How To:

IP spoofing is a technique where a host sends out packets which claim to be from another host.  Since packet filtering makes decisions based on this source address, IP spoofing is used to fool packet filters. It is also used to hide the identity of attackers using SYN attacks, Teardrop, Ping of Death and the like (don't worry if you don't know what they are).

The best way to protect from IP spoofing is called Source Address Verification, and it is done by the routing code, and not firewalling at all.  Look for a file called rp_filter by doing this:

    ls -l /proc/sys/net/ipv4/conf/all/rp_filter [Enter]

If this exists, then turning on Source Address Verification at every boot is the right solution for you.  To do that, insert the following lines in your init script (for Redhat based distributions use /etc/rc.d/rc.sysinit script)immediately after /proc is mounted:
 

# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
       if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
         echo -n "Setting up IP spoofing protection..."
         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
             echo 1 > $f
         done
         echo "done."
       else
         echo PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED.
         echo "CONTROL-D will exit from this shell and continue system startup."
         echo
         # Start a single user shell on the console
         /sbin/sulogin $CONSOLE
       fi

If you cannot do this, you can manually insert rules to protect every interface.  This requires knowledge of each interface.  The 2.1 kernels automatically reject packets claiming to come from the 127.* addresses (reserved for the local loopback interface, lo).