I apologize for replying with HTML, but it would take me an extra half an hour to make a text version readable.

On 02/25/2017 05:13 AM, Vieri Di Paola wrote:
>
> ________________________________
> From: Tom Eastep <[email protected]>
>>
>> Please refer to the attached file (included so that the lines don't
>> get folded by my mailer). This is from net1-fw, but all of the net*-*
>> chains are similar.
>>
>> Note that multiple tcp ports, including port 80, are sent to chain
>> ~excl110. That chain returns on source IP matches to IPS_BL and POL_BL
>> then sends the rest to the IPS. Note that this occurs well before the
>> geoip rules.
>
>
> I seem to be a bit confused with the different rule SECTIONS.
>
> I placed the NFQUEUE/IPS rule both within SECTION ALL and SECTION NEW. By doing so I now see that traffic is sent to the IPS before reaching the geoip rule in shorewall (because of the NFQUEUE rule in SECTION ALL). Considering the fact that the underlying IPS also has the same GeoIP rule, I still don't quite understand why there are matches for the geoip rule in Shorewall. I mean, if traffic goes first to the IPS with the same geoip rule then I shouldn't be seeing any geoip hits further down in the chain. I'm wondering if the geoip database isn't exactly the same (shorewall uses iptables/xtables-addons while the IPS uses libgeoip) but they should both be from maxmind community edition. This glitch could also be because I set "bypass" to NFQUEUE, and maybe some packets under certain conditions don't get blocked by the IPS and do get dropped further down.
>
> I'm not sure setting an NFQUEUE rule only in SECTION NEW is enough to make sure that all traffic is sent to the IPS for analysis.

It will not.

>
>
> My goal is to:
> - REDIRECT all traffic with dest port 80 to a custom HTTP port for all KNOWN "banned" src IP addresses (previously detected and blacklisted). This HTTP port serves an informative web page with the client's IP address and IT contact info. This helps to whitelist or at least detect false positives and correct the IPS or other rules (even GeoIP).
>
> - keep track of all offending IP addresses. I do that by ADDing the src IP addresses to specific ipsets. For GeoIP matches on the shorewall rule I use an ipset called GEO_BL. For GeoIP matches within the IPS I use the GEOIPS_BL ipset. For hosts that tried to access an unused port I use the POL_BL ipset. Addresses blocked by the IPS populate the IPS_BL ipset.
> - For all these ipsets I need to REDIRECT traffic to port 80 to the custom HTTP port I mentioned before. It needs to be done before anything else.
>
> In SECTION ALL I cannot define REDIRECT rules.
> So the only thing I could do (regarding GeoIP, for instance) is to start with:
>
> #REDIRECT:info:geoipinf net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> #REDIRECT:info:geoipinf net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> #REDIRECT:info:geoipinf net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> ADD(GEO_BL:src) net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> ADD(GEO_BL:src) net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> ADD(GEO_BL:src) net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> NFQUEUE(...)...
>
> I would not call NFQUEUE within SECTION ALL but only in SECTION NEW but somehow I noticed that by doing so some intrusion tests are not correctly blocked.

You need to include NFQUEUE rules in the ESTABLISHED and RELATED sections as well as in the NEW section.

>
>
> This is what I have in SECTION NEW right after a few REJECT rules and before any ACCEPT rules:
>
> REDIRECT:info:blsinf net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
> REDIRECT:info:blsinf net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
> REDIRECT:info:blsinf net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL 62000 tcp 80
> DROP net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
> DROP net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
> DROP net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL all
>
> REDIRECT:info:geoipinf net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> REDIRECT:info:geoipinf net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> REDIRECT:info:geoipinf net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] 62000 tcp 80
> ADD(GEO_BL:src) net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> ADD(GEO_BL:src) net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> ADD(GEO_BL:src) net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
> DROP net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE] all
>
> NFQUEUE(0:5,bypass) net1,net2,net3 all tcp,udp 22,21,80,443,3389,6502,61196,61197,61198
> ...etc..
>
> Which section or sections should the NFQUEUE rule be placed into?
>

See above.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
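The following is an added example of a /etc/shorewall/rules layout in the shape Tom's answer describes; it is not taken from the thread or from the Shorewall project. The zone names, ipset names, redirect port and NFQUEUE queue range are the ones quoted above; the `?SECTION` keywords are the Shorewall 4.6+ spelling of the sections the thread refers to, and the comments and ordering are assumptions about how the pieces fit together.

```conf
# Added example (not from the thread or the Shorewall project).
# Column order: ACTION  SOURCE  DEST  PROTO  DPORT

?SECTION ALL
# Nothing state-dependent belongs here. REDIRECT is not permitted in this
# section, and a DROP of blacklisted sources here would run before the
# NEW section and so pre-empt the informational REDIRECT below.

?SECTION ESTABLISHED
# Mid-connection packets still go to the IPS. Shorewall accepts anything
# not matched in this section, so without this rule only the first packet
# of each connection is ever queued to the IPS.
NFQUEUE(0:5,bypass)  net1,net2,net3  all  tcp,udp  22,21,80,443,3389,6502,61196,61197,61198

?SECTION RELATED
# Same for related connections (e.g. ICMP errors, FTP data).
NFQUEUE(0:5,bypass)  net1,net2,net3  all  tcp,udp  22,21,80,443,3389,6502,61196,61197,61198

?SECTION NEW
# 1. Sources already on a blacklist ipset: port 80 goes to the
#    informational page on 62000, everything else is dropped.
REDIRECT:info:blsinf  net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  62000  tcp  80
REDIRECT:info:blsinf  net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  62000  tcp  80
REDIRECT:info:blsinf  net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  62000  tcp  80
DROP  net1:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  all
DROP  net2:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  all
DROP  net3:+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL  all

# 2. GeoIP: same treatment for sources outside the allowed countries,
#    recording the source in GEO_BL so rule 1 catches it next time.
REDIRECT:info:geoipinf  net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  62000  tcp  80
REDIRECT:info:geoipinf  net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  62000  tcp  80
REDIRECT:info:geoipinf  net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  62000  tcp  80
ADD(GEO_BL:src)  net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all
ADD(GEO_BL:src)  net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all
ADD(GEO_BL:src)  net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all
DROP  net1:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all
DROP  net2:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all
DROP  net3:!^[US,CA,EU,ES,PT,FR,DE,GB,IT,BE]  all

# 3. New connections that survived the blacklists go to the IPS.
NFQUEUE(0:5,bypass)  net1,net2,net3  all  tcp,udp  22,21,80,443,3389,6502,61196,61197,61198

# 4. Ordinary ACCEPT rules follow here.
```

With this layout every packet of a queued connection reaches the IPS, not just the connection-opening one, which is the gap Vieri's intrusion tests were slipping through. The `bypass` option still means packets are accepted by the kernel when nothing is listening on the queue, so the IPS process being down is a state worth alerting on separately.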
