rigacci.org

User Tools

Site Tools

Trace:
doc:appunti:linux:sa:iptables

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
doc:appunti:linux:sa:iptables [2014/04/16 17:11] – [Usare iptables per mitigare o bloccare un DNS Amplification Attack] niccolodoc:appunti:linux:sa:iptables [2020/11/23 15:28] (current) – [Shorewall and DNAT onto a local host] niccolo
Line 40: Line 40:
 A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/24**): A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/24**):
  
-In ''**/etc/shorewall/interfaces**'':+In **/etc/shorewall/interfaces**:
  
 <code> <code>
Line 47: Line 47:
 </code> </code>
  
-In ''**/etc/shorewall/masq**'':+For Shorewall 5 we nedd a line in **/etc/shorewall/snat**: 
 + 
 +<code> 
 +#ACTION               SOURCE           DEST               PROTO  PORT  
 +SNAT(192.168.1.254)   192.168.1.0/24   eth0:192.168.1.5   tcp    www 
 +</code> 
 + 
 +Shorewall 4 instead requires a line in **/etc/shorewall/masq**:
  
 <code> <code>
Line 54: Line 61:
 </code> </code>
  
-In ''**/etc/shorewall/rules**'':+In **/etc/shorewall/rules**:
  
 <code> <code>
Line 60: Line 67:
 #                                                   PORT    DEST. #                                                   PORT    DEST.
 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69
 +DNAT     net     loc:192.168.1.5  tcp    www        -       130.151.100.69
 </code> </code>
 +
 +Mapping different port from outside to inside is handled only in **/etc/shorewall/rules**, as usual.
 +===== Shorewall with router in local LAN =====
 +
 +Hosts in LAN#1 may access hosts in LAN#2 by just adding a static route to the **192.168.2.0/24 network** via the **192.168.1.10 gateway**, but it is very annoying to modify the routing table into several hosts.
 +
 +{{shorewall-router-in-lan.png?400|Shorewall with router in LAN}}
 +
 +You can instead make **two configurations** on the Shorewall firewall. First of all you add the static route into **/etc/network/interfaces**:
 +
 +<file>
 +auto eth1
 +iface eth1 inet static
 +    address 192.168.1.1
 +    netmask 255.255.255.0
 +    up   /sbin/route add -net 192.168.2.0/24 gw 192.168.1.10 || true
 +    down /sbin/route del -net 192.168.2.0/24 gw 192.168.1.10 || true
 +</file>
 +
 +then you have to add the **routeback** option for the **eth1** interfaces in the **/etc/shorewall/interfaces** file:
 +
 +<file>
 +loc    eth1    routeback
 +</file>
  
 ===== Iptables schema ===== ===== Iptables schema =====
Line 137: Line 169:
  
 <code> <code>
-iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'+/sbin/iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'
-    --algo bm --from 40 --to 56 -j DROP+    --algo bm --from 40 --to 56 -j DROP -m comment --comment "DROP DNS Q zing.zong.co.ua"
 </code> </code>
 +
 +Discorso diverso se si vuole **limitare il rate delle richieste DNS**, in questo modo si prevengono futuri attacchi, indipendentemente dal payload del pacchetto. Ecco uno script che imposta un limite di 4 richieste al secondo per ogni IP sorgente. Un singolo IP viene considerato whitelisted e non sottoposto al rate:
 +
 +<code bash>
 +#!/bin/sh
 +
 +limit="4/second"        # Trigger rule above this packet rate.
 +burst="20"              # Accept a burst of packets from good sources.
 +expire="60000"          # Keep the rule for msec.
 +
 +options="! -s 144.76.223.44 -p udp --dport 53 -m hashlimit --hashlimit-name DNS \
 +--hashlimit-above $limit --hashlimit-burst $burst --hashlimit-htable-expire $expire \
 +--hashlimit-mode srcip --hashlimit-srcmask 32"
 +
 +case "$1" in
 +    start)
 +        iptables -I INPUT $options -j DROP
 +        #iptables -I INPUT $options -j LOG --log-level debug
 +        ;;
 +    stop)
 +        iptables -D INPUT $options -j DROP
 +        #iptables -D INPUT $options -j LOG --log-level debug
 +        ;;
 +    *)
 +        echo "Usage: $(basename $0) {start|stop}"
 +        ;;
 +esac
 +</code>
 +
 +Nella tabella **''/proc/net/ipt_hashlimit/DNS''** troviamo:
 +
 +  - Conto alla rovescia per rimuovere la entry dalla tabella
 +  - Inirizzo_IP:porta sorgente
 +  - Inirizzo_IP:porta destinazione
 +  - Credito attuale
 +  - Credito massimo: es. (burst 20) * (costo 6400) = 128000
 +  - Costo: es. 6400 per 5/s, 8000 per 4/s, cioè 32000 / (n/s)
 +
doc/appunti/linux/sa/iptables.1397661119.txt.gz · Last modified: by niccolo