doc:appunti:linux:sa:iptables

Differences

doc:appunti:linux:sa:iptables [2014/04/16 17:11] – [Using iptables to mitigate or block a DNS Amplification Attack] niccolo
doc:appunti:linux:sa:iptables [2020/11/23 15:27] – [Shorewall and DNAT onto a local host] niccolo
Line 40: Line 40:
 A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/24**): A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/24**):
  
-In ''**/etc/shorewall/interfaces**'':+In **/etc/shorewall/interfaces**:
  
 <code> <code>
Line 47: Line 47:
 </code> </code>
  
-In ''**/etc/shorewall/masq**'':+For Shorewall 5 we nedd a line in **/etc/shorewall/snat**: 
 + 
 +<code> 
 +#ACTION               SOURCE           DEST               PROTO  PORT  
 +SNAT(192.168.1.254)   192.168.1.0/24   eth0:192.168.1.5   tcp    www 
 +</code> 
 + 
 +Shorewall 4 instead requires a line in **/etc/shorewall/masq**:
  
 <code> <code>
Line 54: Line 61:
 </code> </code>
  
-In ''**/etc/shorewall/rules**'':+In **/etc/shorewall/rules**:
  
 <code> <code>
Line 60: Line 67:
 #                                                   PORT    DEST. #                                                   PORT    DEST.
 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69
 +DNAT     net     loc:192.168.1.5  tcp    www        -       130.151.100.69
 </code> </code>
 +
 +Port translating from outside to inside is handled only in **/etc/shorewall/rules**, as usual.
 +===== Shorewall with router in local LAN =====
 +
 +Hosts in LAN#1 may access hosts in LAN#2 by just adding a static route to the **192.168.2.0/24 network** via the **192.168.1.10 gateway**, but it is very annoying to modify the routing table into several hosts.
 +
 +{{shorewall-router-in-lan.png?400|Shorewall with router in LAN}}
 +
 +You can instead make **two configurations** on the Shorewall firewall. First of all you add the static route into **/etc/network/interfaces**:
 +
 +<file>
 +auto eth1
 +iface eth1 inet static
 +    address 192.168.1.1
 +    netmask 255.255.255.0
 +    up   /sbin/route add -net 192.168.2.0/24 gw 192.168.1.10 || true
 +    down /sbin/route del -net 192.168.2.0/24 gw 192.168.1.10 || true
 +</file>
 +
 +then you have to add the **routeback** option for the **eth1** interfaces in the **/etc/shorewall/interfaces** file:
 +
 +<file>
 +loc    eth1    routeback
 +</file>
  
 ===== Iptables schema ===== ===== Iptables schema =====
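Review bot: the `/etc/network/interfaces` stanza in this hunk uses `/sbin/route`, which belongs to the deprecated net-tools package; prefer `post-up ip route add 192.168.2.0/24 via 192.168.1.10` and `pre-down ip route del 192.168.2.0/24 via 192.168.1.10` so the stanza keeps working on systems without net-tools. Two wording points: "for the **eth1** interfaces" should be singular, and the new `===== Shorewall with router in local LAN =====` heading is glued to the previous paragraph while every other heading on the page is preceded by a blank line. Worth stating in the text: with `routeback`, LAN#1 to LAN#2 traffic is forwarded back out of `eth1` and is subject to the loc-to-loc policy, so any explicit `loc loc` policy or rules must allow it, and the firewall will emit ICMP redirects to LAN#1 hosts pointing them at 192.168.1.10 (which is harmless here but explains why some hosts stop hitting the firewall for that route).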
Line 137: Line 169:
  
 <code> <code>
-iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'+/sbin/iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'
-    --algo bm --from 40 --to 56 -j DROP+    --algo bm --from 40 --to 56 -j DROP -m comment --comment "DROP DNS Q zing.zong.co.ua"
 </code> </code>
 +
 +Discorso diverso se si vuole **limitare il rate delle richieste DNS**, in questo modo si prevengono futuri attacchi, indipendentemente dal payload del pacchetto. Ecco uno script che imposta un limite di 4 richieste al secondo per ogni IP sorgente. Un singolo IP viene considerato whitelisted e non sottoposto al rate:
 +
 +<code bash>
 +#!/bin/sh
 +
 +limit="4/second"        # Trigger rule above this packet rate.
 +burst="20"              # Accept a burst of packets from good sources.
 +expire="60000"          # Keep the rule for msec.
 +
 +options="! -s 144.76.223.44 -p udp --dport 53 -m hashlimit --hashlimit-name DNS \
 +--hashlimit-above $limit --hashlimit-burst $burst --hashlimit-htable-expire $expire \
 +--hashlimit-mode srcip --hashlimit-srcmask 32"
 +
 +case "$1" in
 +    start)
 +        iptables -I INPUT $options -j DROP
 +        #iptables -I INPUT $options -j LOG --log-level debug
 +        ;;
 +    stop)
 +        iptables -D INPUT $options -j DROP
 +        #iptables -D INPUT $options -j LOG --log-level debug
 +        ;;
 +    *)
 +        echo "Usage: $(basename $0) {start|stop}"
 +        ;;
 +esac
 +</code>
 +
 +Nella tabella **''/proc/net/ipt_hashlimit/DNS''** troviamo:
 +
 +  - Conto alla rovescia per rimuovere la entry dalla tabella
 +  - Inirizzo_IP:porta sorgente
 +  - Inirizzo_IP:porta destinazione
 +  - Credito attuale
 +  - Credito massimo: es. (burst 20) * (costo 6400) = 128000
 +  - Costo: es. 6400 per 5/s, 8000 per 4/s, cioè 32000 / (n/s)
 +
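Review bot: the two-line iptables rule at the top of this hunk has no trailing `\` on its first line, so as shown it is two separate commands and the second one fails with an unknown-option error; add the backslash or join the lines. The string match also scans every UDP packet reaching INPUT; adding `--dport 53` before `-m string` restricts the payload scan to DNS queries. In the rate-limit script, quote `"$0"` in the usage line, and note that the block is tagged `<code bash>` while the shebang is `#!/bin/sh` (nothing bash-specific is used, so the shebang is the correct one and the tag is only cosmetic). Finally, "Inirizzo_IP" appears twice in the field list and should read "Indirizzo_IP".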
doc/appunti/linux/sa/iptables.txt · Last modified: 2020/11/23 15:28 by niccolo