Common threads: Dynamic iptables firewalls
Flexible (and interesting) network security
Daniel Robbins (drobbins@gentoo.org), President and CEO, Gentoo Technologies, Inc., 2001
Firewalls are great, but what do you do when you need to make rapid, complicated changes to your firewall rules? Easy: use Daniel Robbins' dynamic firewall scripts presented in this article. You can use these scripts to increase your network's security and responsiveness, and to inspire your own creative designs.
The best way to understand the benefits of dynamic firewall scripts is to see them in action. To do this, let's assume I am a system administrator at an ISP who has just set up a Linux-based firewall to protect my customers and internal systems from attacks by malicious users on the Internet. My firewall uses the new stateful features of Linux 2.4 iptables to let my clients and servers make new outgoing connections, while allowing new incoming connections only to "public" services such as web, FTP, SSH and SMTP. Since I use a default-deny design, any connection from the Internet to a non-public service, such as my Squid proxy cache or Samba server, is automatically rejected. So far I have a very good firewall that provides very good protection for everyone at our company.
For about the first week the firewall works very well, but then this happens: my arch-enemy Bob (who works for a rival ISP) decides to flood my network with packets, trying to stop me from providing service to my customers. Worse, Bob has studied my firewall carefully. He knows that, even though I protect my internal services, ports 25 and 80 must be publicly reachable so that I can receive mail and answer HTTP requests. Bob decides to exploit this and launches a bandwidth-sucking attack against my web and mail servers.
About a minute after Bob begins his attack, I notice that packets are gradually saturating my uplink. After looking at tcpdump I determine that this is yet another attack by Bob, and I work out the IP addresses he is using to launch it. Now that I have this information, all I need to do is block these IP addresses; that should solve the problem. A very simple solution.
Responding to the attack
I quickly open my firewall setup script in vi and start changing the iptables rules, modifying the firewall so that it drops the malicious incoming packets Bob is sending. After about a minute I find the right place to add the appropriate DROP rules and add them. Then I restart the firewall, but immediately stop it again... oops, I made a mistake when I added the rules. I load the firewall script again, fix the problem, and 30 seconds later I have a firewall that blocks all the attacks Bob has launched this month. At first it seems to have defeated the attack... until the phone starts ringing. Evidently Bob has disrupted my network for about 10 minutes, and now my customers are calling to ask what happened. Worse, a few minutes later I notice the uplink is full again. It seems Bob is using a new set of IP addresses for his attack. I respond again and start modifying the firewall script immediately, but this time I am panicking: maybe my solution is not so perfect after all.
Here is what went wrong in the situation above. Although I had a good firewall and quickly identified the cause of the network problem, I could not modify the firewall's behaviour fast enough to deal with the threat. Of course, when your network is under attack you want to be able to respond immediately, and being forced to edit the main firewall setup script in an emergency is not only stressful but also very inefficient.
ipdrop
If there were a specially designed "ipdrop" script that inserted the rules needed to block an IP address, things would be much better. With such a script, blocking an attacker would take 5 seconds instead of two minutes of torturing the firewall. And since the script saves you from editing the firewall rules by hand, it eliminates the main source of errors. All I have to do is determine the IP address to block, then enter:
# ipdrop 129.24.8.1 on
IP 129.24.8.1 drop on.
The ipdrop script immediately blocks 129.24.8.1, Bob's current malicious IP address for this week. This script greatly improves your defences, because blocking an IP now takes seconds. Let's take a look at the implementation of the ipdrop script:
The ipdrop bash script
#!/bin/bash
source /usr/local/share/dynfw.sh
args 2 $# "${0} ipaddr {on/off}" "Drops packets to/from ipaddr. Good for obnoxious networks/hosts/DoS"
if [ "$2" == "on" ]
then
    # rules will be appended or inserted as normal
    APPEND="-A"
    INSERT="-I"
    rec_check ipdrop "$1" "$1 already blocked" on
    record ipdrop "$1"
elif [ "$2" == "off" ]
then
    # rules will be deleted instead
    APPEND="-D"
    INSERT="-D"
    rec_check ipdrop "$1" "$1 not currently blocked" off
    unrecord ipdrop "$1"
else
    echo "Error: \"off\" or \"on\" expected as second argument"
    exit 1
fi
# Block outside IP address that's causing problems.
# Attacker's incoming TCP connections will take a minute or so to time out,
# reducing the DoS effect.
iptables $INSERT INPUT -s "$1" -j DROP
iptables $INSERT OUTPUT -d "$1" -j DROP
iptables $INSERT FORWARD -d "$1" -j DROP
iptables $INSERT FORWARD -s "$1" -j DROP
echo "IP ${1} drop ${2}."
ipdrop notes
If you look at the four iptables lines near the end, you'll see the actual commands that insert the appropriate rules into the firewall. Notice that the definition of the $INSERT variable changes depending on whether the operating mode is "on" or "off"; when the iptables lines are executed, the rules are either inserted or deleted accordingly. Now let's look at what the rules themselves do. They should work with any kind of existing firewall, or even on a system without a firewall; all you need is iptables support built into your 2.4 kernel. We block incoming packets from the malicious IP (the first iptables line), block outgoing packets addressed to the malicious IP (the second line), and then shut down forwarding to and from that IP (the last two lines). Once these rules are in place, the system simply discards any packet that falls into one of these categories.
Another quick note: you'll also notice calls to "rec_check", "unrecord", "record" and "args". These are helper bash functions defined in "dynfw.sh". The "record" function records the blocked IP in the /root/.dynfw-ipdrop file, and "unrecord" removes that record from /root/.dynfw-ipdrop. If you try to block an IP that is already blocked, or unblock an IP that is not currently blocked, the "rec_check" function aborts the script with the given error message. The "args" function makes sure that we receive the correct number of command-line arguments, and also prints helpful usage information. I have created dynfw-1.0.tar.gz, which contains all of these tools; for more information, see the Resources section of this article.
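As an added illustration (not the dynfw.sh shipped in dynfw-1.0.tar.gz), here is one way the four helpers can be implemented. The state-file directory is made overridable through an assumed DYNFW_STATE variable so the functions can be exercised without root, and rec_check returns an error instead of exiting so the calling script decides what to do.

```bash
#!/bin/bash
# Illustrative reimplementation of the dynfw.sh helpers used by ipdrop.
# One state file per tool, e.g. ${DYNFW_STATE}/.dynfw-ipdrop; DYNFW_STATE is an
# assumed variable that defaults to /root, matching the paths in the article.
DYNFW_STATE="${DYNFW_STATE:-/root}"

rec_file() { echo "${DYNFW_STATE}/.dynfw-${1}"; }

# is_recorded TOOL KEY -> success if KEY (exact line match) is in TOOL's state file
is_recorded() {
    [ -f "$(rec_file "$1")" ] && grep -qxF -- "$2" "$(rec_file "$1")"
}

# record TOOL KEY -> remember KEY (an IP, port, UID...) as active for TOOL
record() {
    echo "$2" >> "$(rec_file "$1")"
}

# unrecord TOOL KEY -> forget KEY; rewrites the file without the matching line
unrecord() {
    local f tmp
    f=$(rec_file "$1")
    [ -f "$f" ] || return 0
    tmp=$(mktemp)
    grep -vxF -- "$2" "$f" > "$tmp" || true   # grep exits 1 when nothing is left
    mv "$tmp" "$f"
}

# rec_check TOOL KEY MESSAGE on|off -> fail with MESSAGE when turning "on" something
# already recorded, or "off" something not recorded (the original exits here).
rec_check() {
    local tool=$1 key=$2 msg=$3 mode=$4
    case "$mode" in
        on)  if is_recorded "$tool" "$key"; then echo "Error: $msg" >&2; return 1; fi ;;
        off) if ! is_recorded "$tool" "$key"; then echo "Error: $msg" >&2; return 1; fi ;;
        *)   echo "Error: rec_check mode must be on or off" >&2; return 2 ;;
    esac
}

# args EXPECTED ACTUAL USAGE DESCRIPTION -> fail and print usage on a count mismatch
args() {
    if [ "$1" != "$2" ]; then
        echo "Usage: $3" >&2
        echo "$4" >&2
        return 1
    fi
}
```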
tcplimit
The next dynamic firewall script is useful if you need to limit the use of a particular TCP-based network service, perhaps one that puts a heavy CPU load on the server. This script is called "tcplimit", and it takes a TCP port, a number of connections, a time unit, and "on" or "off" as arguments:
# tcplimit 873 5 minute on
Port 873 new connection limit (5/minute, burst=5).
tcplimit uses the new iptables "state" module (make sure it is enabled in your kernel or loaded as a module) to allow only a certain number of new incoming connections in a given period of time. In this example, the firewall allows only 5 new connections per minute to the rsync server (port 873); if you need to, you can specify how many connections you want per second, minute, hour or day.
tcplimit provides a good way to restrict non-essential services, so that a flood of traffic to a non-essential service does not disrupt the network or the server. In my case, I use tcplimit to put an upper limit on rsync use so that too many rsync connections cannot saturate my DSL line. The limit is recorded in /root/.dynfw-tcplimit; if I want to turn the new-connection limit off, I just enter:
# tcplimit 873 5 minute off
Port 873 new connection limit off.
tcplimit works by creating a new chain in the filter table. This new chain rejects every packet that exceeds the specified limit. Then a rule is inserted into the INPUT chain that sends all incoming new-connection packets for the target port (873 in this example) to this chain, which effectively limits new incoming connections without affecting packets that belong to established connections. When tcplimit is turned off, the INPUT rule and the special chain are deleted. This is a wonderful thing, and it really shows the value of writing careful, reliable scripts to manage firewall rules. Like ipdrop, the tcplimit script is compatible with any kind of firewall, or even no firewall at all, as long as the right iptables features are enabled in your kernel.
host-tcplimit
host-tcplimit is very similar to tcplimit, but it limits new TCP connections that come from a particular IP address and go to a specific TCP port on your server. host-tcplimit is especially useful for stopping someone from abusing your network resources. For example, suppose you run a CVS server and discover that a new developer seems to have a script that updates his source tree from your repository every 10 minutes, wasting a lot of network resources every day. However, when you email him to point out his mistake, you receive the following auto-reply:
Hey, guy!
I am honored to participate in your development project. I just created a script
that updates a local copy of the code every 10 minutes. I will be away
travelling for two weeks, but after returning I will have the latest source
code, and I can't wait! Now I have to go... see you in two weeks.
Goodbye!
Sincerely,
Newbie
In this situation, a simple host-tcplimit command solves the problem:
# host-tcplimit 1.1.1.1 2401 1 day on
Now Mr. Newbie (IP address 1.1.1.1) can only make one CVS connection (port 2401) per day, which saves a lot of network bandwidth.
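The chain-plus-INPUT-rule mechanism described for tcplimit, extended to host-tcplimit's per-source variant, as an added example that is not the dynfw-1.0 script itself. It assumes an IPTABLES variable that can be pointed at echo to print the commands instead of applying them, which is also how a dry run can be checked before touching a live firewall.

```bash
#!/bin/bash
# Added example of the tcplimit / host-tcplimit rule set. Not the dynfw-1.0 scripts.
# IPTABLES is an assumed variable: leave it unset to apply rules (as root), or set
# IPTABLES=echo to print the iptables arguments instead.
IPTABLES="${IPTABLES:-iptables}"

# tcplimit_rules PORT RATE UNIT on|off [SRC_IP]
# Limit NEW TCP connections to PORT to RATE per UNIT (second|minute|hour|day),
# with burst = RATE as in the article's output. With SRC_IP, only that host's
# new connections are limited (the host-tcplimit case).
tcplimit_rules() {
    local port=$1 rate=$2 unit=$3 mode=$4 src=${5:-}
    local chain="tcplimit-${port}"
    local match="-p tcp --dport ${port} -m state --state NEW"
    case "$unit" in
        second|minute|hour|day) ;;
        *) echo "bad unit: $unit (second|minute|hour|day)" >&2; return 1 ;;
    esac
    if [ -n "$src" ]; then
        chain="htl-${src}-${port}"        # per-host chain name, stays under iptables' length limit
        match="-s ${src} ${match}"
    fi
    case "$mode" in
    on)
        # Dedicated chain: packets within rate/burst RETURN to INPUT and are then
        # handled by the normal firewall rules; everything beyond that is rejected.
        $IPTABLES -N "$chain"
        $IPTABLES -A "$chain" -m limit --limit "${rate}/${unit}" --limit-burst "$rate" -j RETURN
        $IPTABLES -A "$chain" -j REJECT
        # Only connection-opening packets are diverted; established flows are untouched.
        $IPTABLES -I INPUT $match -j "$chain"
        ;;
    off)
        # Remove the INPUT hook first, then flush and delete the now-unreferenced chain.
        $IPTABLES -D INPUT $match -j "$chain"
        $IPTABLES -F "$chain"
        $IPTABLES -X "$chain"
        ;;
    *) echo "mode must be on or off" >&2; return 1 ;;
    esac
}
```

On current kernels `-m state` is kept as a compatibility alias for `-m conntrack --ctstate`, so the rules above still load unchanged.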
user-outblock
The last, and perhaps most interesting, of the dynamic firewall scripts is user-outblock. This script provides an ideal way to let a particular user telnet or ssh into your system while not allowing that user to establish any new outgoing connections from the command line. Here is an example of where user-outblock comes in handy. Suppose a certain family has an account at my ISP. The parents use a graphical email client to read their mail and occasionally surf the web, but their son "hacker" is a fanatical cracker who often uses his shell account to visit other people's computers.
One day you discover that he has been making SSH connections to systems that appear to belong to the Pakistani military. Oh no! You want to steer this young man toward more productive activities, so you do the following:
First, check the system to make sure the setuid bit has been removed from all network binaries (such as ssh):
# chmod u-s /usr/bin/ssh
Now any process he uses to interact with the network runs under his own user ID. You can then use user-outblock to block all outgoing TCP connections from that user ID (hacker is UID 2049):
# user-outblock 2049 on
UID 2049 block on.
Now he can log in and read email, but he cannot use your server to create SSH connections and the like. Of course, he can install an SSH client on his own home PC. However, if you wanted to restrict his home PC to web, email, and outgoing SSH connections (only to your server), it would not be too hard to create a dynamic firewall script for that as well.
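An added example (not the dynfw-1.0 user-outblock script) covering both steps above: a check for leftover setuid binaries, which would run as root and slip past a per-UID match, and the owner-match rule that blocks only connection-opening packets from one UID. IPTABLES is an assumed variable that can be set to echo for a dry run.

```bash
#!/bin/bash
# Added example of the user-outblock idea. Not the dynfw-1.0 script.
# IPTABLES is an assumed variable: unset applies rules (as root), IPTABLES=echo prints them.
IPTABLES="${IPTABLES:-iptables}"

# find_setuid DIR -> prints regular files under DIR that still carry the setuid bit.
# Run this over your bin directories before relying on a UID-based rule.
find_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# user_outblock UID on|off
# Reject new outgoing TCP connections from processes running as UID. Only
# connection-opening (NEW) packets match, so the replies inside the user's own
# inbound SSH session, which the state module sees as ESTABLISHED, keep flowing.
user_outblock() {
    local uid=$1 mode=$2 op
    case "$uid" in ''|*[!0-9]*) echo "UID must be numeric" >&2; return 1 ;; esac
    if [ "$uid" -eq 0 ]; then echo "refusing to block UID 0" >&2; return 1; fi
    case "$mode" in
        on)  op="-I" ;;
        off) op="-D" ;;
        *)   echo "mode must be on or off" >&2; return 1 ;;
    esac
    # The owner match only exists for locally generated packets, i.e. the OUTPUT chain.
    $IPTABLES $op OUTPUT -p tcp -m state --state NEW -m owner --uid-owner "$uid" -j REJECT
    echo "UID ${uid} block ${mode}."
}
```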
Resources
Since I find dynamic firewall scripts like these so useful, I have created a small tarball (dynfw-1.0.tar.gz) that you can download and install on your machine. To install, unpack the tarball and run the install.sh script. This script installs a shared bash script to /usr/local/share/dynfw.sh and the dynamic firewall scripts to /usr/local/sbin. If you would rather have them installed to /usr/share and /usr/sbin, just enter the following command before running install.sh:
# export PREFIX=/usr
I have also added a Dynamic Firewall Script Code section to the Gentoo Linux website, where you can get the latest version of the tar file. I intend to keep improving and adding to this collection so that system administrators everywhere have a genuinely useful resource. iptables is already in our kernels; you should start using it!
tcpdump is an essential tool for studying low-level packet exchanges and verifying that your firewall is working properly. If you don't have it, get it. If you have it, use it. If you already use it... good for you! :) The Netfilter team's home page has many excellent resources, including the iptables source code and Rusty's excellent "Unreliable Guides". These include the Networking Concepts HOWTO, the Netfilter (iptables) HOWTO, the NAT HOWTO, and the Netfilter Hacking HOWTO. The site also has a Netfilter FAQ and more. There are many other good Netfilter resources online, but don't forget the basics: the iptables man page is very detailed and is a model of what a man page should be. Also see the Advanced Linux Routing and Traffic Control HOWTO, which shows how to use iptables to mark packets and then route them with Linux's routing functions based on those marks. There are Netfilter (iptables) mailing lists for users and one for Netfilter developers; use these URLs to access the mailing list archives.