Hi, I have typed "shorewall (4.5.4) drop x.x.x.x" for a malware IP that
constantly tries to access my DNS, but the IP was not blocked
immediately.

> -A dynamic -s x.x.x.x/32 -j DROP
>  ....
> -A INPUT -i eth1 -j net2fw 
> -A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic 
> -A net2fw -p tcp -j tcpflags 
> -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> -A net2fw -p udp -m udp --dport 1194 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p tcp -m tcp --dport 22 -j ACCEPT 
> -A net2fw -d y.y.y.y/32 -p tcp -m multiport --dports 80,443 -j ACCEPT 
> -A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p tcp -m tcp --dport 53 -j ACCEPT 
> -A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p udp -m udp --dport 53 -j ACCEPT 

This probably happens because the connection is always active:

> # shorewall show connections |grep x.x.x.x
> ipv4     2 udp      17 178 src=x.x.x.x dst=y.y.y.y sport=80 dport=53 
> src=y.y.y.y dst=x.x.x.x sport=53 dport=80 [ASSURED] mark=0 secmark=0 use=2
> 
and the rule "dynamic" is applied only to new connections ("conntrack
--ctstate INVALID,NEW").

In addition, the rule:

"-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

makes the connection be accepted without meeting the rule that would not
allow access to DNS:

"-A net2fw ! -s x.x.x.x/32 -d y.y.y.y/32 -p udp -m udp --dport 53 -j ACCEPT"

What am I doing wrong?

Is it possible, after a shorewall drop of an IP, to delete the alive
connection for the dropped IP?

Many thanks for your reply

-- 
Dario Lesca - sip:[email protected]
(Sent from my Fedora Linux)


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
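The following is an added illustration, not code from the message above or from the Shorewall project. It re-implements the quoted net2fw/dynamic chains as a small rule walker plus a toy conntrack table, so the order of evaluation the poster describes can be checked offline: an entry in the conntrack table makes the packet ESTABLISHED, the "RELATED,ESTABLISHED -j ACCEPT" rule is reached before the "! -s x.x.x.x ... --dport 53" rule, and the dynamic chain is only consulted for INVALID,NEW traffic. Removing the conntrack entry (what `conntrack -D -s <ip>` from conntrack-tools does on a real host) turns the next packet into NEW, and only then does the dynamic DROP take effect. The placeholder addresses, the 203.0.113.7 "legitimate client", and the assumption that net2fw ends with a DROP policy are constructed for the example; the quoted output does not show the end of the chain.

```python
"""Toy re-implementation of the quoted Shorewall net2fw/dynamic chains.

Constructed example: rules are transcribed from the poster's iptables
listing; addresses are the post's x.x.x.x / y.y.y.y placeholders.
"""

# (chain, match criteria, target) in the order iptables would evaluate them.
# "not_src" models the "! -s" negation; "ctstate" models -m conntrack.
RULES = [
    ("dynamic", {"src": "x.x.x.x"}, "DROP"),
    ("net2fw", {"ctstate": {"INVALID", "NEW"}}, "dynamic"),
    ("net2fw", {"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ("net2fw", {"proto": "udp", "dport": 1194}, "ACCEPT"),
    ("net2fw", {"dst": "y.y.y.y", "proto": "tcp", "dport": 22}, "ACCEPT"),
    ("net2fw", {"not_src": "x.x.x.x", "dst": "y.y.y.y", "proto": "tcp", "dport": 53}, "ACCEPT"),
    ("net2fw", {"not_src": "x.x.x.x", "dst": "y.y.y.y", "proto": "udp", "dport": 53}, "ACCEPT"),
]

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(criteria, pkt):
    """Return True when every criterion of a rule matches the packet."""
    for key, want in criteria.items():
        if key == "ctstate":
            if pkt["ctstate"] not in want:
                return False
        elif key == "not_src":
            if pkt["src"] == want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def walk(chain, pkt, policy="DROP"):
    """Evaluate a chain top to bottom, descending into user chains.

    A user chain that reaches its end without a verdict returns None and
    evaluation continues in the calling chain, as iptables does.
    """
    for chain_name, criteria, target in RULES:
        if chain_name != chain or not matches(criteria, pkt):
            continue
        if target in TERMINAL:
            return target
        verdict = walk(target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy  # assumption: net2fw ends with a DROP policy


def ctstate(pkt, table):
    """Toy conntrack lookup: a known flow is ESTABLISHED, otherwise NEW."""
    key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
    return "ESTABLISHED" if key in table else "NEW"


def verdict(pkt, table):
    """Verdict for a packet arriving on the net interface."""
    return walk("net2fw", {**pkt, "ctstate": ctstate(pkt, table)})


def delete_conntrack_for(table, ip):
    """Offline analogue of `conntrack -D -s ip`: drop flows sourced by ip."""
    return {entry for entry in table if entry[0] != ip}


if __name__ == "__main__":
    attacker, firewall = "x.x.x.x", "y.y.y.y"
    # The flow shown by "shorewall show connections" in the post.
    table = {(attacker, firewall, "udp", 53)}
    dns_query = {"src": attacker, "dst": firewall, "proto": "udp", "dport": 53}

    print("with conntrack entry:", verdict(dns_query, table))      # ACCEPT
    table = delete_conntrack_for(table, attacker)
    print("after flushing entry:", verdict(dns_query, table))      # DROP
```

The walker shows why the block appears to do nothing: the existing UDP flow keeps the packet in ESTABLISHED state, so the dynamic chain is skipped entirely. Once the flow is removed from the conntrack table the same packet is NEW, enters dynamic, and is dropped; a fresh client that is not on the dynamic list still falls through to the "! -s" DNS rule and is accepted.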
