fox2mike 05/07/13 09:58:29 Added: xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml Log: #98620 - Common Threads - Dynamic iptables firewalls by drobbins - Initial Version. Thanks to Lukasz Damentko.
Revision Changes Path 1.1 xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo Index: dynamic-iptables-firewalls.xml =================================================================== <?xml version='1.0' encoding="UTF-8"?> <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.1 2005/07/13 09:58:28 fox2mike Exp $ --> <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> <guide link="/doc/en/articles/dynamic-iptables-firewalls.xml"> <title>Dynamic iptables firewalls</title> <author title="Author"> <mail link="[EMAIL PROTECTED]">Daniel Robbins</mail> </author> <author title="Editor"> <mail link="[EMAIL PROTECTED]">Åukasz Damentko</mail> </author> <abstract> Firewalls are good and fun, but what do you do when you need to make rapid, complex changes to your firewall rules? Easy. Use Daniel Robbins' dynamic firewall scripts that are demonstrated in this article. You can use these scripts to increase your network security and responsiveness, and to inspire your own creative designs. </abstract> <!-- The original version of this article was published on IBM developerWorks, and is property of Westtech Information Services. This document is an updated version of the original article, and contains various improvements made by the Gentoo Linux Documentation team --> <version>1.0</version> <date>2005-07-13</date> <chapter> <title>Introduction</title> <section> <title>Flexible (and fun) network security</title> <body> <note> The original version of this article was published on IBM developerWorks, and is property of Westtech Information Services. This document is an updated version of the original article, and contains various improvements made by the Gentoo Linux Documentation team. </note> <p> The best way to see the benefits of dynamic firewall scripts is to see them in action. To do this, let's imagine that I'm a sysadmin at an ISP, and I've recently set up a Linux-based firewall to protect my customers and internal systems from malicious users on the Internet. To do this, my firewall uses the new Linux 2.4 iptables stateful functionality to allow new outgoing connections to be established by my customers and servers, and of course to allow new incoming connections, but only to "public" services, such as web, ftp, ssh, and SMTP. Since I used a deny-by-default design, any from-Internet connections to non-public services, such as the squid proxy cache or Samba server, are automatically rejected. So far, I have a pretty decent firewall that offers a good level of protection for everyone at my ISP. </p> <p> For the first week or so, the firewall works great, but then something ugly happens: Bob, my arch-nemesis (who works at a competing ISP) decides that he wants to flood my network with packets in an attempt to deny service to my customers. Unfortunately, Bob has carefully studied my firewall and knows that while I'm protecting many internal services, port 25 and 80 must be publicly accessible so that I can receive mail and serve HTTP requests. Bob decides to take advantage of this fact by launching a bandwidth-sucking attack against my web and mail server. </p> <p> About a minute or so after Bob begins his attack, I notice that my uplinks start becoming saturated with packets. After taking a look at the situation with <c>tcpdump</c> I determine that this is yet another Bob attack, and I figure out what IP addresses he's using to launch it. Now that I have this information, all that I need to do is block these IP addresses, and that should solve the problem -- a simple solution, or so I think. </p> </body> </section> <section> <title>Responding to an attack</title> <body> <p> I quickly load my firewall setup script into vi and begin hacking away at my iptables rules, modifying my firewall so that it'll block those evil incoming Bob packets. After a minute or so, I find the exact place to make the appropriate DROP rule additions, and I add them. Then, I start and stop the firewall...ooops, made a bit of a mistake when I added the rules. I load up the firewall scripts again, fix the problem, and thirty seconds later the firewall has been tweaked to block Bob's attack of the month. At first, it seems like I successfully thwarted the attack...until the helpdesk phones begin ringing. Apparently, Bob was able to disrupt my network for about 10 minutes, and now my customers are calling to find out what's going on. Even worse, after a few minutes pass, I notice that our uplinks again start to become saturated. This time, Bob appears to be using a brand-new set of IP addresses for his attacks. In response, I begin feverishly hacking away at our firewall scripts, except this time, I'm a bit panicky -- maybe my solution isn't so good after all. </p> <p> Here's what went wrong in the above scenario. Although I had a decent firewall in place and also quickly identified the cause of the network problem, I was unable to modify the behavior of my firewall to respond to the threat in time. Of course, when your network is under attack, you want to be able to respond immediately, and being forced to hack away at your master firewall setup script in a panicked state is not only stressful, but also very inefficient. </p> </body> </section> </chapter> <chapter> <title>Scripts</title> <section> <title>ipdrop</title> <body> <p> It would be far better if I had a special <c>ipdrop</c> script that's specifically designed to insert just the rules you need to block the IP address that I specify. With such a script, blocking a firewall is no longer a two-minute ordeal; instead, it takes five seconds. And since the script shields me from the task of editing firewall rules by hand, it eliminates a major source of errors. All that's left for me to do is to determine the IP address that I'd like to block, and then type: </p> <pre caption="Dropping IP"> # <i>ipdrop 129.24.8.1 on</i> IP 129.24.8.1 drop on. </pre> <p> Immediately, the ipdrop script would block 129.24.8.1, Bob's current evil IP address of the week. This script dramatically improves your defenses, because now an IP block is a no-brainer. Now, let's take a look at my implementation of the ipdrop script: </p> <pre caption="ipdrop script"> #!/bin/bash source /usr/local/share/.sh args 2 $# "${0} IPADDR {on/off}" <comment># Drops packets to/from IPADDR. Good for obnoxious networks/hosts/DoS"</comment> if [ "$2" == "on" ] then <comment># Rules will be appended or inserted as normal</comment> APPEND="-A" INSERT="-I" rec_check ipdrop $1 "$1 already blocked" on record ipdrop $1 elif [ "$2" == "off" ] then <comment># Rules will be deleted instead</comment> APPEND="-D" INSERT="-D" rec_check ipdrop $1 "$1 not currently blocked" off unrecord ipdrop $1 else echo "Error: \"off\" or \"on\" expected as second argument" exit 1 fi <comment># Block outside IP address that's causing problems</comment> <comment># Attacker's incoming TCP connections will take a minute or so to time out, reducing DoS effectiveness</comment> iptables $INSERT INPUT -s $1 -j DROP iptables $INSERT OUTPUT -d $1 -j DROP iptables $INSERT FORWARD -d $1 -j DROP iptables $INSERT FORWARD -s $1 -j DROP echo "IP ${1} drop ${2}." </pre> </body> </section> <section> <title>ipdrop: the explanation</title> <body> <p> If you take a look at the last four highlighted lines, you'll see the actual commands that insert the appropriate rules into the firewall tables. As you can see, the definition of the $INSERT environment variable varies, depending on whether we're running in "on" or "off" mode. When the iptables lines execute, the particular rules will be inserted or deleted appropriately. </p> <p> -- [email protected] mailing list
