Re: iptables: identify host with DSL/Fritzbox
Hi Stephen,
Stephen Gran <sgran@debian.org> writes:
> This one time, at band camp, Sebastian Rose said:
>> Unfortunately a rule like
>>
>> iptable -I MYCHAIN 1 -i eth+ -m mac --mac-source 00:03:6a:a7:cf:01 -j ACCEPT
>>
>> does not work, since my MAC address is not the one which reaches the
>> server, right?
>
> Correct, it will see the MAC address of the switch or router that is the
> server's next hop.
:-(
>> I have the usual DSL access to the internet here:
>>
>> my_PC ---> Fritzbox ---> Internet ---> Server
>>
>> which means I have a new IP all 24 hours.
>>
>> Is there a way to identify my PC for iptables?
>
> If your IP address is static, just add it in the usual way. I'm
> assuming that it's dynamic, or you wouldn't be asking, though :)
Right. It's not static - that would've been easy :-)
> I'd do something like tracking your current IP address with a state
> file by looking it up every time you are about to change something -
> you delete the entry that was in the state file, add the entry from DNS
> now, and then add the current IP to the state file. This relies on you
> setting up something like dyndns to work.
How would my IP enter that state file? If I got you right, you mean to
have the state file placed somewhere on the server, and my program
reading it from time to time?
But how would my IP enter that state file?
I think I'll skip all that and just concentrate on the way the IP's
`points' are increased and decreased again. It's not very likely that I
give the wrong password/username for any of the services more then 10
times in two weeks.
But locking an attacker after 10 tries should be early enough, wouldn't
it (presumed relative secure usernames/passwords)?
Now the IPs are extracted from logfile lines matching regular
expressions. Each regular expression assigns a certain amount of
`points' to the IP. Once the IP's points reach a maximum (say 100
points), an iptables rule is added.
By now, I have no good way to _decrease_ the points again. All IPs are
granted access again after two weeks (configurable), if no new points
are added during that time span.
It would be better, to have different tactics for several groups of
IPs. AFAIK IPs like mine, dynamic ones, are reassigned all 24 hours in
germany (Telekom). Maybe a second thread (or process) could do a
`whois' for all IPs tracked, and assign the IPs an appropriate
expiration date.
This leads to the question: is there a way to be certain, that an IP is
a dynamic one?
I noticed, that the `whois' for dynamic IPs has no `[Admin-C]'
section. Could I depend on this fact?
Together with a better stagger of points/denies, I'd rule out myself for
24 hours in the worsed case (which is too much).
Maybe:
Could I run a second shhd too? That one would use the same certificate
and different port and config. It would allow just one special user with
a long and akward name and password.
That user could log in and remove certain rules from the iptables chain
again. I would do this by writing the IP to a special root-only file and
send a signal to the process to make it read that file line by line,
remove the iptables rules for IPs found and delete the IP-objects.
As you see, there's a lot I'll to think/read about :) ....
Thanks for your reply.
Regards,
--
Sebastian Rose, EMMA STIL - mediendesign, Niemeyerstr.6, 30449 Hannover
Tel.: +49 (0)511 - 36 58 472
Fax: +49 (0)1805 - 233633 - 11044
mobil: +49 (0)173 - 83 93 417
Http: www.emma-stil.de
Reply to: