At least it's an easy fix
/etc/sysctl.conf is quite a short config file. I notice the following in my Linux Mint installation:
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
I wonder why these haven't been enabled by default for a distribution that is obviously intended as a domestic computer. (Also, it shouldn't say "the next two lines", it should say "the final two lines".)
There is this one too:
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
However, there is a comment that "Some network environments, however, require that these settings are disabled so review and enable them as needed."