Implementing a dynamic firewall with iptables
Author: Daniel Robbins (drobbins@gentoo.org). Compiled by: ideal
Using this script also prevents the mistakes that easily creep in when adding rules by hand. Blocking a DoS attack thus becomes a matter of determining its source address and typing:

# ipdrop 129.24.8.1 on
IP 129.24.8.1 drop on.

The ipdrop script blocks 129.24.8.1 immediately. A script like this greatly improves your ability to defend the system. Here is the implementation of ipdrop:

The ipdrop Bash script
#!/bin/bash
source /usr/local/share/dynfw.sh
args 2 $# "${0} ipaddr {on/off}" "Drops packets to/from ipaddr. Good for obnoxious networks/hosts/DoS"
if [ "$2" == "on" ]
then
    # rules will be appended or inserted as normal
    APPEND="-A"
    INSERT="-I"
    rec_check ipdrop $1 "$1 already blocked" on
    record ipdrop $1
elif [ "$2" == "off" ]
then
    # rules will be deleted instead
    APPEND="-D"
    INSERT="-D"
    rec_check ipdrop $1 "$1 not currently blocked" off
    unrecord ipdrop $1
else
    echo "Error: \"off\" or \"on\" expected as second argument"
    exit 1
fi
# block the outside IP address that is causing problems;
# the attacker's incoming TCP connections will take a minute or so to time out,
# reducing the DoS effect.
iptables $INSERT INPUT -s $1 -j DROP
iptables $INSERT OUTPUT -d $1 -j DROP
iptables $INSERT FORWARD -d $1 -j DROP
iptables $INSERT FORWARD -s $1 -j DROP
echo "IP ${1} drop ${2}."
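The script above sources its helpers from dynfw.sh, which is not reproduced on this page. The following is an added reconstruction of those record-keeping helpers (record, unrecord, rec_check and args), not the original dynfw.sh; it assumes one state file per script with one entry per line, and the DYNFW_STATE_DIR variable is an assumption so the functions can be exercised outside /root:

```shell
#!/bin/bash
# Reconstruction of the record-keeping helpers that dynfw.sh provides to the
# scripts; this is an added illustration, not the original dynfw.sh. State
# lives in one file per script ($DYNFW_STATE_DIR/.dynfw-<script>, one entry
# per line). DYNFW_STATE_DIR (assumed name) defaults to /root as on the page.
DYNFW_STATE_DIR="${DYNFW_STATE_DIR:-/root}"

statefile() { printf '%s/.dynfw-%s\n' "$DYNFW_STATE_DIR" "$1"; }

# recorded SCRIPT ENTRY: succeed if ENTRY is currently listed for SCRIPT
recorded() {
    local f; f=$(statefile "$1")
    [ -f "$f" ] && grep -qxF -- "$2" "$f"
}

# record SCRIPT ENTRY: add ENTRY (once) to the script's state file
record() {
    recorded "$1" "$2" || printf '%s\n' "$2" >> "$(statefile "$1")"
}

# unrecord SCRIPT ENTRY: remove ENTRY from the script's state file
unrecord() {
    local f; f=$(statefile "$1")
    [ -f "$f" ] || return 0
    grep -vxF -- "$2" "$f" > "$f.tmp" || :   # grep exits 1 when nothing is left
    mv "$f.tmp" "$f"
}

# rec_check SCRIPT ENTRY MESSAGE on|off: "on" requires ENTRY not to be
# recorded yet, "off" requires it to be; otherwise print MESSAGE and stop.
rec_check() {
    case "$4" in
        on)  if recorded "$1" "$2"; then echo "Error: $3" >&2; exit 1; fi ;;
        off) if ! recorded "$1" "$2"; then echo "Error: $3" >&2; exit 1; fi ;;
        *)   echo "Error: rec_check mode must be on or off" >&2; exit 1 ;;
    esac
}

# args EXPECTED GIVEN USAGE DESCRIPTION: print usage and stop on a mismatch
args() {
    [ "$1" = "$2" ] && return 0
    echo "Usage: $3" >&2
    echo "$4" >&2
    exit 1
}
```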
Looking at the last four lines of the script, you can see the actual iptables commands that insert the rules into the firewall table. The value of $INSERT depends on whether "on" or "off" was given on the command line, so when the iptables lines run, the rules are either inserted or deleted as appropriate.

Now let's look at the rules themselves. They work alongside any kind of firewall, and even on systems with no firewall at all; the only requirement is a Linux 2.4 kernel with iptables support. We drop packets arriving from the malicious IP (first iptables statement), drop packets destined for it (second statement), and stop forwarding traffic to or from it (last two statements). Once these rules are in place, any packet matching them is discarded.

Also note that the script calls "rec_check", "unrecord", "record" and "args". These are Bash functions defined in "dynfw.sh". "record" writes the IP being blocked to /root/.dynfw-ipdrop, and "unrecord" removes it from that file. "rec_check" prints an error and stops the script when you try to block an address that is already blocked, or unblock one that is not currently blocked. "args" validates the command-line arguments and prints the script's usage text. The dynfw-1.0.tar.gz package contains all of these tools; see the Resources section at the end of the article.

tcplimit

If you need to limit a particular TCP-based network service (for example, when it puts a serious load on the system), the tcplimit script can do that. It takes a TCP port, a rate (a count and a time unit), and "on" or "off" as arguments:

# tcplimit 873 5 minute on
Port 873 new connection limit (5/minute, burst=5).
tcplimit uses iptables' "state" module (which must be compiled into the kernel or loaded as a module) to allow only a specific number of new connection requests in a given period. In this example, the firewall lets only 5 new connections per minute reach my rsync server (port 873). You can specify the rate per second, minute, hour or day as needed. tcplimit is a good way to limit the use of non-critical services, so that a flood of non-critical traffic cannot overwhelm the server. In the example above it restricts rsync so that rsync traffic cannot consume all the bandwidth of the Internet connection. The connection limits in effect are recorded in /root/.dynfw-tcplimit. To remove the limit, type:

# tcplimit 873 5 minute off
Port 873 new connection limit off.
tcplimit works by creating a new chain in the filter table. The new chain rejects all packets that exceed the specified limit, and a rule inserted into the INPUT chain sends everything bound for the target port (873 here) to that new chain. The new chain only affects new connections over the limit; established connections are not touched. When tcplimit is turned off, both the INPUT rule and the new chain are removed. Like ipdrop, tcplimit works alongside any kind of firewall.

host-tcplimit

host-tcplimit is very similar to tcplimit, but it limits the number of TCP connections to a given port on the server that come from one specific IP address. host-tcplimit is useful for stopping a particular person from abusing your network resources. For example, say you maintain a CVS server and one day notice that a new developer has apparently set up a script to update his sources every ten minutes, eating a lot of bandwidth. You send him an e-mail pointing out the problem, and receive the following reply:

Hi guys!
I'm real excited to be part of your development project. I just set up a
script to update my local copy of the code every ten minutes. I'm about to
leave on a two-week cruise, but when I get back, my sources will be totally
up-to-date and I'll be ready to help out! I'm heading out the door now... See
you in two weeks!
Sincerely,
Mr. Newbie
In this case, host-tcplimit solves the problem:
# host-tcplimit 1.1.1.1 2401 1 day on
Mr. Newbie (IP address 1.1.1.1) is now limited to one CVS connection per day, conserving network bandwidth.

user-outblock

The last, and the most interesting, of these firewall scripts is user-outblock. It provides a clean way to let a user log in to the system over SSH or Telnet while preventing that user from opening outbound connections from the command line. Here is an example situation where user-outblock applies. Suppose a certain family has an account with our ISP. Mom and Dad use a graphical e-mail client to read their mail and occasionally surf the Web, but their son is an aspiring hacker who often uses his shell access to make mischief on other machines. One day you find him opening SSH connections to a number of systems, and the destination addresses turn out to belong to the Pakistani military. You want to steer this kid in a better direction, so you take the following steps. First, check your system and make sure the setuid bit has been removed from all network-related programs, such as ssh:

# chmod u-s /usr/bin/ssh

Now any network-related program he runs will carry his own UID. You can therefore use user-outblock to block outbound TCP connections made under that UID (assuming his UID is 2049):

# user-outblock 2049 on
UID 2049 block on.
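As an added illustration (my reconstruction, not the dynfw scripts themselves), here are the iptables rules that tcplimit, host-tcplimit and user-outblock, as described above, would build. The chain names, the RETURN/REJECT targets and the IPTABLES variable are assumptions; IPTABLES defaults to "echo iptables" so the generated rules can be inspected without root.

```shell
#!/bin/bash
# Added illustration of the rules tcplimit, host-tcplimit and user-outblock
# build (my reconstruction, not the dynfw scripts themselves). IPTABLES
# defaults to "echo iptables" so the generated rules can be inspected without
# root; set IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# tcplimit PORT RATE UNIT on|off [SRC]: chain lim-PORT[-SRC] lets RATE new
# connections per UNIT through (burst=RATE) and rejects the rest. INPUT only
# sends NEW TCP connections to PORT there, so established sessions are
# untouched; "off" removes the INPUT rule and the chain again.
tcplimit() {
    local port=$1 rate=$2 unit=$3 mode=$4 src=${5:-}
    local chain="lim-$port${src:+-$src}"
    local match="-p tcp --dport $port -m state --state NEW"
    [ -n "$src" ] && match="-s $src $match"
    case "$mode" in
        on)
            $IPTABLES -N "$chain"
            $IPTABLES -A "$chain" -m limit --limit "$rate/$unit" \
                --limit-burst "$rate" -j RETURN
            $IPTABLES -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
            $IPTABLES -I INPUT $match -j "$chain" ;;
        off)
            $IPTABLES -D INPUT $match -j "$chain"
            $IPTABLES -F "$chain"
            $IPTABLES -X "$chain" ;;
        *)  echo "Error: \"off\" or \"on\" expected" >&2; return 1 ;;
    esac
}

# host_tcplimit SRC PORT RATE UNIT on|off: same as tcplimit, for one address
host_tcplimit() { tcplimit "$2" "$3" "$4" "$5" "$1"; }

# user_outblock UID on|off: reject outbound TCP connection attempts (SYN)
# made by processes running as UID. The owner match sees the real UID of the
# sending process, which is why the setuid bit is removed from ssh first.
user_outblock() {
    local rule="OUTPUT -p tcp --syn -m owner --uid-owner $1 -j REJECT"
    case "$2" in
        on)  $IPTABLES -I $rule ;;
        off) $IPTABLES -D $rule ;;
        *)   echo "Error: \"off\" or \"on\" expected" >&2; return 1 ;;
    esac
}
```

Using RETURN rather than ACCEPT for in-limit connections hands the packet back to the rest of the INPUT chain, which is what lets the limit coexist with whatever firewall is already in place.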
Now he can still log in to read his mail, but he can no longer use your server to open SSH connections.

Resources

Since these dynamic firewall scripts have proven very useful, they have been packaged (dynfw-1.0.tar.gz) for download and installation. To install, unpack the archive and run install.sh. This script installs the shared Bash functions as /usr/local/share/dynfw.sh and the dynamic firewall scripts into /usr/local/sbin. To install the scripts under a different prefix, export PREFIX before running install.sh:

# export PREFIX=/usr

tcpdump is an essential tool for inspecting IP traffic at a low level; use it to verify that the firewall is behaving as intended.