[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Is this even POSSIBLE?

Hello, let me clear, sometimes code is better than chat,

First of all, you must reduce all your rules ever, the worst thing to do with netfilter is create 1 match rule for each ip or port.

Below is a complete firewall with all your desires plus, a small honey pot with 10 minutes dinamic block list,

The log-drop chains set made logging keeping 1 log per second control to avoid kill your syslog server, please
send all your logs to other host ! 

Adjust to you world, but keep this in mind: After rule set loaded it never will be modified, only lists are modified,

Use default port services to detect scanners, and systematically drop their packets.

Hope that it solve your questions




#######################################CREATING BLOCK IP LIST
ipset create BLOCKIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add BLOCKIPLIST 10.0.0.0/8
ipset add BLOCKIPLIST 127.0.0.0/8
ipset add BLOCKIPLIST 192.168.0.0/16
ipset add BLOCKIPLIST 172.16.0.0/12

#######################################CREATING BLOCK PORT LIST
ipset create BLOCKPORTS bitmap:port range 0-65535
ipset add BLOCKPORTS 1
ipset add BLOCKPORTS 7
ipset add BLOCKPORTS 22
ipset add BLOCKPORTS 23
ipset add BLOCKPORTS 135
ipset add BLOCKPORTS 136
ipset add BLOCKPORTS 137
ipset add BLOCKPORTS 138
ipset add BLOCKPORTS 139
ipset add BLOCKPORTS 445
ipset add BLOCKPORTS 1433
ipset add BLOCKPORTS 1701
ipset add BLOCKPORTS 3128
ipset add BLOCKPORTS 8080
ipset add BLOCKPORTS 8081
ipset add BLOCKPORTS 3389

#######################################CREATING ALLOW IP LIST
ipset create ALLOWIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add ALLOWIPLIST 8.8.8.8/32
ipset add ALLOWIPLIST 39.48.55.1/32

#######################################CREATING ALLOWED PORT LIST
ipset create ALLOWPORTS bitmap:port range 0-65535
ipset add ALLOWPORTS 80
ipset add ALLOWPORTS 443
ipset add ALLOWPORTS 47122 #SSH FAKE

#######################################CREATING TAR PIT
create TARPIT hash:ip family inet hashsize 1024 maxelem 65536 timeout 600

####################################### CREATING LOG-DROP-RULESET
iptables -N LOGDROP_100
iptables -A LOGDROP_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGDROP_100:: "
iptables -A LOGDROP_100 -j DROP

####################################### CREATING LOG-TARPIT-RULESET
iptables -N LOGTARPIT_100
iptables -A LOGTARPIT_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGDROP_100:: "
iptables -A LOGTARPIT_100 -j  SET --add-set TARPIT src
iptables -A LOGTARPIT_100 -j DROP

####################################### CREATING LOG-ALLOW-RULESET
iptables -N LOGALLOW_100
iptables -A LOGALLOW_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGALLOW_100:: "
iptables -A LOGALLOW_100 -m state --state NEW -j ACCEPT

####################################### CREATING IN FLOW RULESET
iptables -N INFLOW_100
iptables -A INFLOW_100 -m state --state RELATED,ESTABLISHED -j ACCEPT
#
iptables -A INFLOW_100 -m set --match-set ALLOWIPLIST src -j LOGALLOW_100
iptables -A INFLOW_100 -m set --match-set ALLOWPORT dst -j LOGALLOW_100
#
iptables -A INFLOW_100 -m set --match-set BLOCKIPLIST src -j LOGDROP_100
iptables -A INFLOW_100 -m set --match-set BLOCKPORT dst -j LOGTARPIT_100
#
iptables -A INFLOW_100 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP_100
#
iptables -A INFLOW_100 -m state --state INVALID -j DROP

###################################### RESTRICTING FLOW
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

iptables -A INPUT -i eth0 -j INFLOW_100
iptables -A FORWARD -i eth0 -j INFLOW_100

#THIS AVOID UNRECHEABLE MESSAGES TO OTHERS IS USEFULL 
iptables -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -j DROP

De: linux_forum1 <linux_forum1@protonmail.com>
Enviado: sexta-feira, 7 de janeiro de 2022 06:22
Para: Willian Pires <willian_pires@hotmail.com>
Cc: Dan Ritter <dsr@randomstring.org>; debian-firewall@lists.debian.org <debian-firewall@lists.debian.org>
Assunto: RE: Is this even POSSIBLE?
 
Hello William, thanks for the reply!

ipset would be nice, but it doesn't solve the logging issue.

I have about 30 rules like the ones below that need to be logged and dropped if matched with iptables. (Both in INPUT and FORWARD)

 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 -s 169.254.0.0/16 -j DROP
 -s 172.16.0.0/12 -j DROP
 -s 192.0.2.0/24 -j DROP

As I understand it there are two ways to log and drop packets that matched a specific rule in iptables.

1.)  Separate LOG and DROP rules, for each IP, but this is inefficient.

-A INPUT -j Block
-A FORWARD -j Block

-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP

2.) The only other way, create separate chains for bad IPs and LOG/DROP, then jump in between. But Dan Ritter says this is problematic, because bad IPs are not dropped in Block chain, but only after jumping to the Logger chain.

-N Block
-N Logger
-A INPUT -j Block
-A FORWARD -j Block

-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger

-A Logger -j LOG
-A Logger -j DROP

I have been searching for 48h, but there is no other way to log and drop packets.




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, January 7th, 2022 at 6:20 AM, Willian Pires <willian_pires@hotmail.com> wrote:
Sorry, try ipset to create a list and combine it with appropriated netfilter rule to blocke networks in one rule, instead use 1 rule per class.





Sent from my Galaxy



-------- Original message --------
From: linux_forum1 <linux_forum1@protonmail.com>
Date: 1/6/22 17:11 (GMT-03:00)
To: Dan Ritter <dsr@randomstring.org>
Cc: debian-firewall@lists.debian.org
Subject: Re: Is this even POSSIBLE?



Hello Dan!

Thank you so much for the reply!

Yes that helps a lot, but I have 2 follow up questions if you don't mind haha.

1.) When you say " -A INPUT -j Block puts the chain in order", you mean that at this point iptables will look for any rules appended to the Block chain, no matter where they are? This would make sense cz then the order wouldn't matter and you can jump to a chain in the beginning, whose rules are defined at the bottom for example.

2.) I want to log when one of these rules gets matched.
(It's 30 - 40 rules in total)

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j DROP
-A Block -s 192.0.2.0/24 -j DROP
.
.

This is my solution:

 -A INPUT -j Block
 -A FORWARD -j Block

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Logger
-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger

Then in Logger it gets logged and dropped.

I considered this, but was told the above is better.

-A INPUT -j Block
-A FORWARD -j Block

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG
-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP
.
.

Is there a better way? Thanks again.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, January 6th, 2022 at 7:26 PM, Dan Ritter <dsr@randomstring.org> wrote:

> linux_forum1 wrote:
>
> > Hello, I have 2 questions if that's OK.
> >
> > INPUT DROP
> >
> > FORWARD DROP
> >
> > OUTPUT DROP
> >
> > -N Block
> >
> > -N Logger
> >
> > -A INPUT -j Block
> >
> > -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
> >
> > -A Logger -j LOG --log-level 4
> >
> > -A Logger -j DROP
> >
> > -A INPUT -i lo -j ACCEPT
> >
> > -A OUTPUT -o lo -j ACCEPT
> >
> > There will be more rules in Block, but I just want to understand the logic.
> >
> > 1.) How is -A INPUT -j Block possible before there are any rules appended to Block, does that mean iptables first searches and assembles all rules that belong to custom chains regardless of order? Same for Logger.
>
> Everything has an order. You can turn on line numbers and see
>
> the order.
>
> Creating a chain (Block, Logger) does not put it into order.
>
> The jump (-j) to Block, from INPUT, places the chain in order.
>
> I note that you don't have a rule in Block to actually drop
>
> packets, and you do have a rule in Logger that drops packets.
>
> That seems... problematic to me.
>
> > 2.)
> >
> > Would this be OK to log and drop all rules in in Block?
> >
> > I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG -> Logger -> DROP
>
> In general, you can jump as many times as you like as long as
>
> you don't go in a circle. Note that -j LOG continues processing
>
> on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
>
> ends without ACCEPT, DROP or REJECT happening, then when it ends
>
> execution picks up at the next statement in order following the
>
> jump to that chain.
>
> Does that help?
>
> -dsr-


Reply to: