From: Tom Eastep <[email protected]>

> Please refer to the attached file (included so that the lines don't
> get folded by my mailer). This is from net1-fw, but all of the net*-*
> chains are similar.
>
> Note that multiple tcp ports, including port 80, are sent to chain
> ~excl110. That chain returns on source IP matches to IPS_BL and POL_BL
> then sends the rest to the IPS. Note that this occurs well before the
> geoip rules.

I seem to be a bit confused with the different rule SECTIONS. I placed the NFQUEUE/IPS rule both within SECTION ALL and SECTION NEW. By doing so I now see that traffic is sent to the IPS before reaching the geoip rule in Shorewall (because of the NFQUEUE rule in SECTION ALL).

Considering the fact that the underlying IPS also has the same GeoIP rule, I still don't quite understand why there are matches for the geoip rule in Shorewall. I mean, if traffic goes first to the IPS with the same geoip rule then I shouldn't be seeing any geoip hits further down in the chain. I'm wondering if the geoip database isn't exactly the same (Shorewall uses iptables/xtables-addons while the IPS uses libgeoip), but they should both be from the MaxMind community edition. This glitch could also be because I set "bypass" on NFQUEUE, and maybe some packets under certain conditions don't get blocked by the IPS and do get dropped further down. I'm not sure setting an NFQUEUE rule only in SECTION NEW is enough to make sure that all traffic is sent to the IPS for analysis.

My goal is to:

- REDIRECT all traffic with dest port 80 to a custom HTTP port for all KNOWN "banned" src IP addresses (previously detected and blacklisted). This HTTP port serves an informative web page with the client's IP address and IT contact info. This helps to whitelist, or at least detect, false positives and correct the IPS or other rules (even GeoIP).

- Keep track of all offending IP addresses. I do that by ADDing the src IP addresses to specific ipsets. For GeoIP matches on the Shorewall rule I use an ipset called GEO_BL. For GeoIP matches within the IPS I use the GEOIPS_BL ipset. For hosts that tried to access an unused port I use the POL_BL ipset. Addresses blocked by the IPS populate the IPS_BL ipset.

- For all these ipsets I need to REDIRECT traffic to port 80 to the custom HTTP port I mentioned before. It needs to be done before anything else. In SECTION ALL I cannot define REDIRECT rules.

So the only thing I could do (regarding GeoIP, for instance) is to start with:

    #REDIRECT:info:geoipinf net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    #REDIRECT:info:geoipinf net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    #REDIRECT:info:geoipinf net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    ADD(GEO_BL:src) net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    ADD(GEO_BL:src) net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    ADD(GEO_BL:src) net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    NFQUEUE(...)...

I would not call NFQUEUE within SECTION ALL but only in SECTION NEW, but somehow I noticed that by doing so some intrusion tests are not correctly blocked.

This is what I have in SECTION NEW right after a few REJECT rules and before any ACCEPT rules:

    REDIRECT:info:blsinf net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
    REDIRECT:info:blsinf net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
    REDIRECT:info:blsinf net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
    DROP net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
    DROP net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
    DROP net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
    REDIRECT:info:geoipinf net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    REDIRECT:info:geoipinf net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    REDIRECT:info:geoipinf net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
    ADD(GEO_BL:src) net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    ADD(GEO_BL:src) net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    ADD(GEO_BL:src) net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
    NFQUEUE(0:5,bypass) net1,net2,net3 all tcp,udp 22,21,80,443,3389,6502,61196,61197,61198
    ...etc..

Which section or sections should the NFQUEUE rule be placed into?
Thanks,
Vieri

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
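The question above turns on how Shorewall orders rules from SECTION ALL and SECTION NEW in the generated net->fw chain, and on which packets therefore reach an NFQUEUE rule before or after the blacklist and geoip rules. The following is an added illustration, not code from the post, from Shorewall or from any IPS: it simulates the chain walk in Python with the rules of the post collapsed over net1-net3, and lets you move the NFQUEUE rule between sections. The model's assumptions are stated in the comments: Shorewall emits SECTION ALL rules before its ESTABLISHED/RELATED handling and SECTION NEW rules after it; an NF_ACCEPT verdict from the queue ends traversal of this chain (the packet continues at the next hook, not at the next rule); with bypass, an unbound queue acts like ACCEPT; and REDIRECT is treated as a terminating verdict here even though Shorewall implements it as a nat-table DNAT plus filter ACCEPT. The sample packets and their addresses are constructed.

```python
"""Constructed model of how Shorewall lays out SECTION ALL and SECTION NEW
rules in one net->fw chain, and what an NFQUEUE IPS then sees.
Added illustration, not Shorewall or IPS code: the chain walk, the conntrack
state and the IPS verdict are simulated in Python."""
from dataclasses import dataclass
from typing import Callable, Optional

# Values taken from the rules quoted in the post.
ALLOWED_COUNTRIES = {"US", "CA", "EU", "ES", "PT", "FR", "DE", "GB", "IT", "BE"}
BLACKLIST_SETS = ("IPS_BL", "POL_BL", "GEO_BL", "GEOIPS_BL")
REDIRECT_PORT = 62000
IPS_PORTS = {22, 21, 80, 443, 3389, 6502, 61196, 61197, 61198}


@dataclass
class Packet:
    src: str
    country: str      # what the geoip match would resolve src to
    proto: str
    dport: int
    state: str        # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    section: str      # "ALL" or "NEW"
    action: str       # REDIRECT, ADD, DROP, NFQUEUE or ACCEPT
    match: Callable[[Packet], bool]
    ipset: Optional[str] = None   # target set for ADD


def fresh_ipsets() -> dict:
    return {name: set() for name in BLACKLIST_SETS}


def build_rules(nfqueue_section: str, ipsets: dict) -> list:
    """The rules from the post, collapsed over net1-net3; only the section
    holding the NFQUEUE rule is a parameter."""
    listed = lambda p: any(p.src in ipsets[s] for s in BLACKLIST_SETS)
    foreign = lambda p: p.country not in ALLOWED_COUNTRIES
    http = lambda p: p.proto == "tcp" and p.dport == 80
    ips_port = lambda p: p.proto in ("tcp", "udp") and p.dport in IPS_PORTS
    return [
        Rule("NEW", "REDIRECT", lambda p: listed(p) and http(p)),
        Rule("NEW", "DROP", listed),
        Rule("NEW", "REDIRECT", lambda p: foreign(p) and http(p)),
        Rule("NEW", "ADD", foreign, ipset="GEO_BL"),
        Rule("NEW", "DROP", foreign),
        Rule(nfqueue_section, "NFQUEUE", ips_port),
    ]


def compile_chain(rules: list) -> list:
    """Model assumption: Shorewall emits SECTION ALL rules first, then the
    ESTABLISHED/RELATED handling, then SECTION NEW rules, which only NEW
    connections reach."""
    chain = [r for r in rules if r.section == "ALL"]
    chain.append(Rule("ALL", "ACCEPT",
                      lambda p: p.state in ("ESTABLISHED", "RELATED")))
    chain += [r for r in rules if r.section == "NEW"]
    return chain


def walk(chain: list, pkt: Packet, ipsets: dict,
         ips_verdict: Optional[Callable[[Packet], str]] = None,
         bypass: bool = True):
    """Return (verdict, list of rule actions that matched).
    ips_verdict(pkt) returns 'ACCEPT' or 'DROP'; None means no program is
    bound to the queue. Model assumptions: an NF_ACCEPT verdict from the
    queue ends traversal of this chain (the packet goes on to the next
    hook, not to the next rule); with bypass an unbound queue behaves like
    ACCEPT; REDIRECT terminates here (in Shorewall it is a nat-table DNAT,
    which is why it is unavailable in SECTION ALL)."""
    trace = []
    for r in chain:
        if not r.match(pkt):
            continue
        trace.append(r.action)
        if r.action == "ADD":            # non-terminating: record and go on
            ipsets[r.ipset].add(pkt.src)
            continue
        if r.action == "NFQUEUE":
            if ips_verdict is None:
                return ("ACCEPT" if bypass else "DROP"), trace
            verdict = ips_verdict(pkt)
            if verdict == "DROP":        # the IPS feeds IPS_BL, as in the post
                ipsets["IPS_BL"].add(pkt.src)
            return verdict, trace
        if r.action == "REDIRECT":
            return f"REDIRECT:{REDIRECT_PORT}", trace
        return r.action, trace           # DROP / ACCEPT
    return "POLICY", trace               # fell through: zone policy applies


def scenario(nfqueue_section: str, pkt: Packet, ips_verdict=None, bypass=True):
    """Build a fresh chain with NFQUEUE in the given section and walk pkt."""
    ipsets = fresh_ipsets()
    chain = compile_chain(build_rules(nfqueue_section, ipsets))
    verdict, trace = walk(chain, pkt, ipsets, ips_verdict, bypass)
    return verdict, trace, ipsets


if __name__ == "__main__":
    # Constructed sample packets (addresses from documentation ranges).
    foreign_http = Packet("203.0.113.7", "XX", "tcp", 80, "NEW")
    foreign_dns = Packet("203.0.113.7", "XX", "udp", 53, "NEW")
    established = Packet("198.51.100.9", "US", "tcp", 80, "ESTABLISHED")
    accept_all = lambda p: "ACCEPT"
    for section in ("NEW", "ALL"):
        for pkt in (foreign_http, foreign_dns, established):
            print(section, pkt.proto, pkt.dport, pkt.state,
                  scenario(section, pkt, accept_all)[:2])
```

Running the scenarios side by side shows the trade-off the post is circling: with NFQUEUE in SECTION NEW the blacklist and geoip REDIRECT/DROP rules run first and only the first packet of each connection is queued, while ESTABLISHED packets never reach the IPS at all; with NFQUEUE in SECTION ALL every packet on the listed ports is queued before the geoip rules, so a connection the IPS accepts never produces a geoip hit, whereas traffic on ports the NFQUEUE rule does not list (UDP 53 in the sample) is not queued and still lands on the geoip rules further down, which is one way geoip matches can appear even when the NFQUEUE rule sits first.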
