Shaul Karl wrote:

On Tue, Dec 28, 2004 at 10:24:07AM +0200, Shachar Shemesh wrote:


There is just one problem with this. When do we revert this operation, and how? While it's fairly easy to add new rules, it's more difficult to properly remove them.




Can you elaborate about the difficulties associated with how to remove
such rules? Isn't it iptables -R, or something similar? I must be
missing something fundamental here.


Removing a rule is actually very easy. The problems are:

a. How do you know WHEN to remove it. Remember you'll potentially have more than one rule to remove. This means keeping track of when each rule was added.
b. How do you account for the rule numbers moving around due to unexpected meddling with the rulebase. Think what happens if you have both portsentry AND portknocking installed. They both add rules that need to be expired...
c. How do you implement the actual alarm to remove the rules on time.


The idea behind temprules is that it gives a solution. At the moment, this is not the most sophisticated solution in the world, but the important thing about this solution is that the interfaces to this solution need not change when the actual implementation of temprules changes.

In a nutshell:

   * You create a special table set for your expiring rules (trcreate
     tablename numrotations)
   * You add to your cron job to run "trrotate" once every base
     frequency (trrotate tablename)
   * Configure portknock/portsentry to run "tradd tablename <iptables
     filter>" when something happens
   * Incorporate into your rulebase calling "tablename" whenever you
     want a decision on the dynamic rule
   * Put the actual actions to take into a table called <tablename>_ACTION

You're done. Example configuration for portknocking:

Suppose you want to have SSH on the usual port and SMTP (with a special, relaying-allowing version) on port 252. You want these ports available only if a port knocking sequence has first been issued. After this knocking has happened, you want to allow connections to these ports for five minutes. Your sequence of operations will be something like this:

iptables -P INPUT DROP                                              # default policy: drop anything not explicitly accepted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # existing sessions stay up even after their KNOCK rule expires
iptables -A INPUT -i lo -j ACCEPT # Never forget this rule!
trcreate KNOCK 5                                                    # expiring-rule set KNOCK with 5 rotations
iptables -A INPUT -p tcp --dport 22 -j KNOCK                        # SSH: decision delegated to the dynamic rules
iptables -A INPUT -p tcp --dport 252 -j KNOCK                       # relaying SMTP: same
iptables -A KNOCK_ACTION -j ACCEPT                                  # what a source that knocked successfully gets

Configure portknock to run the following command on each successful port knocking:
tradd KNOCK -s <source address>


Now, all you have to do is make sure cron runs "trrotate KNOCK" once a minute, and you're done. There is some trade-off between resolution and performance. At the moment, with the above configuration, each rule will live between 4 and 5 minutes. That's a bug. It should be between 5 and 6 minutes (alpha release or no alpha release?). In principle, you could instead have created the tables with "trcreate KNOCK 1" and run the cron every 5 minutes. Because of the aforementioned bug, this won't work right now. In the future, this will mean that each rule will live between 5 and 10 minutes, instead of between 5 and 6. The trade-off is that each packet that matches the base rules will have to traverse more tables.

Also of interest is how the ssh session will survive after the portknock rule has expired. At that point it is an established connection, and matches on the first rule.

In the future, I'm hoping to have one cron job handle all rules in the system. This means you don't have to install a cron job yourself. This will probably change the syntax of the "trcreate" command to also include the base resolution (i.e. the above command will probably be "trcreate KNOCK 1 5").

I hope this makes things a little clearer. Now all I have to do is copy this email into the actual project's documentation page.... :-)

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting ltd.
http://www.lingnu.com/
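The rotating-chain mechanism the mail sketches, as an added example that is not code from the temprules project or from the author: a reconstruction of trcreate / tradd / trrotate in Python that models a dispatch chain KNOCK with one sub-chain per rotation slot, appends new rules to the current slot and flushes the slot it rotates into. It exists to show where "between 4 and 5 minutes instead of between 5 and 6" comes from, and why "trcreate KNOCK 1" with a 5-minute cron flushes on the very next run. The class and function names (TempRules, lifetimes, slots_for) and the 192.0.2.x knocker addresses are mine; whether the real tool creates the _ACTION chain itself is not stated in the mail, so the model assumes it does. iptables commands are only collected as strings, so it runs without root or netfilter.

```python
"""Model of expiring iptables rules kept in rotating chains.

Added example, not code from the temprules project: a reconstruction of the
rotating-chain scheme the mail sketches (trcreate / tradd / trrotate).
iptables invocations are collected as strings instead of executed, so the
model runs without root or netfilter; the 192.0.2.x addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Rule:
    match: str                    # iptables match, e.g. "-s 192.0.2.10"
    added_at: float               # minutes, in units of the base frequency
    expired_at: float | None = None


class TempRules:
    """One expiring-rule set: dispatch chain NAME, rotation chains
    NAME_0 .. NAME_{slots-1}, and the user-owned NAME_ACTION chain."""

    def __init__(self, name: str, slots: int) -> None:
        self.name = name
        self.slots = slots
        self.current = 0                                  # slot tradd fills now
        self.slot_rules = {i: [] for i in range(slots)}   # slot -> live rules
        self.history: list[Rule] = []                     # every rule ever added
        self.commands: list[str] = []                     # iptables calls, as text

    def _ipt(self, *args: str) -> None:
        self.commands.append("iptables " + " ".join(args))

    def trcreate(self) -> None:
        """trcreate NAME slots: build the dispatch chain and its slots.
        Assumption: NAME_ACTION is created here too (the mail does not say)."""
        self._ipt("-N", self.name)
        self._ipt("-N", f"{self.name}_ACTION")
        for i in range(self.slots):
            chain = f"{self.name}_{i}"
            self._ipt("-N", chain)
            self._ipt("-A", self.name, "-j", chain)  # packets visit every slot

    def tradd(self, match: str, now: float) -> Rule:
        """tradd NAME <match>: append the rule to the current slot.
        A miss in every slot falls through NAME back to the calling chain."""
        rule = Rule(match, now)
        self.slot_rules[self.current].append(rule)
        self.history.append(rule)
        self._ipt("-A", f"{self.name}_{self.current}", match,
                  "-j", f"{self.name}_ACTION")
        return rule

    def trrotate(self, now: float) -> None:
        """trrotate NAME: move to the next slot and flush what it held,
        i.e. the rules added `slots` rotations ago."""
        self.current = (self.current + 1) % self.slots
        for rule in self.slot_rules[self.current]:
            rule.expired_at = now
        self.slot_rules[self.current] = []
        self._ipt("-F", f"{self.name}_{self.current}")


def lifetimes(slots: int, add_times: list[float], period: float = 1.0) -> list[float]:
    """Rotate at period, 2*period, ... (the cron job) while rules arrive at the
    given times, which need not line up with the cron. Returns each rule's
    lifetime, ordered by the time the rule was added."""
    tr = TempRules("KNOCK", slots)
    tr.trcreate()
    pending = sorted(add_times)
    tick = 1
    while pending or any(r.expired_at is None for r in tr.history):
        next_rotation = tick * period
        while pending and pending[0] < next_rotation:
            addr = f"-s 192.0.2.{len(tr.history) + 1}"   # constructed knocker
            tr.tradd(addr, pending.pop(0))
        tr.trrotate(next_rotation)
        tick += 1
    return [r.expired_at - r.added_at for r in tr.history]


def slots_for(minutes: int, period: int = 1) -> int:
    """Rotations to ask trcreate for so every rule lives at least `minutes`:
    one more than minutes/period, because the slot being filled is the one
    flushed `slots` rotations later."""
    return minutes // period + 1


if __name__ == "__main__":
    # As in the mail: trcreate KNOCK 5, cron once a minute -> 4 to 5 minutes.
    print("KNOCK 5, 1-minute cron:", lifetimes(5, [0.0, 0.25, 0.75]))
    # One extra slot gives the intended 5 to 6 minutes.
    print("KNOCK 6, 1-minute cron:", lifetimes(slots_for(5), [0.0, 0.25, 0.75]))
    # "trcreate KNOCK 1" with a 5-minute cron: flushed at the very next run.
    print("KNOCK 1, 5-minute cron:", lifetimes(1, [2.5], period=5.0))
    # Two slots with a 5-minute cron: 5 to 10 minutes, as the mail predicts.
    print("KNOCK 2, 5-minute cron:", lifetimes(2, [2.5], period=5.0))
```

The interesting output is the first two lines: with five slots a rule added just after a rotation lives the full 5 minutes, while one added just before the next rotation lives barely over 4, because the slot being filled is the one that gets flushed five rotations later. Creating the set with one slot more than the number of base periods you want (trcreate KNOCK 6 for a 5-minute lifetime at a 1-minute cron) shifts the window to 5 to 6 minutes without changing any of the INPUT rules that jump to KNOCK.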

