[gentoo-doc-cvs] cvs commit: dynamic-iptables-firewalls.xml - gentoo-doc-cvs

From:	Shyam Mani <fox2mike@×××××××××××.org>
To:	gentoo-doc-cvs@l.g.o
Subject:	[gentoo-doc-cvs] cvs commit: dynamic-iptables-firewalls.xml
Date:	Wed, 13 Jul 2005 09:58:56
Message-Id:	`200507130957.j6D9vcsP002130@robin.gentoo.org`

1

fox2mike    05/07/13 09:58:29

2

3

  Added:       xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml

4

  Log:

5

  #98620 - Common Threads - Dynamic iptables firewalls by drobbins - Initial Version. Thanks to Lukasz Damentko.

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml

9

10

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo

11

plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo

12

13

Index: dynamic-iptables-firewalls.xml

14

===================================================================

15

<?xml version='1.0' encoding="UTF-8"?>

16

<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.1 2005/07/13 09:58:28 fox2mike Exp $ -->

17

<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

18

19

<guide link="/doc/en/articles/dynamic-iptables-firewalls.xml">

20

<title>Dynamic iptables firewalls</title>

21

22

<author title="Author">

23

  <mail link="drobbins@g.o">Daniel Robbins</mail>

24

</author>

25

<author title="Editor">

26

  <mail link="rane@××××××.pl">Łukasz Damentko</mail>

27

</author>

28

29

<abstract>

30

Firewalls are good and fun, but what do you do when you need to make rapid,

31

complex changes to your firewall rules? Easy. Use Daniel Robbins' dynamic

32

firewall scripts that are demonstrated in this article. You can use these

33

scripts to increase your network security and responsiveness, and to inspire

34

your own creative designs.

35

</abstract>

36

37

<!-- The original version of this article was published on IBM developerWorks,

38

and is property of Westtech Information Services. This document is an updated

39

version of the original article, and contains various improvements made by the

40

Gentoo Linux Documentation team -->

41

42

<version>1.0</version>

43

<date>2005-07-13</date>

44

45

<chapter>

46

<title>Introduction</title>

47

<section>

48

<title>Flexible (and fun) network security</title>

49

<body>

50

51

<note>

52

The original version of this article was published on IBM developerWorks, and is

53

property of Westtech Information Services. This document is an updated version

54

of the original article, and contains various improvements made by the Gentoo

55

Linux Documentation team.

56

</note>

57

58

<p>

59

The best way to see the benefits of dynamic firewall scripts is to see them in

60

action. To do this, let's imagine that I'm a sysadmin at an ISP, and I've

61

recently set up a Linux-based firewall to protect my customers and internal

62

systems from malicious users on the Internet. To do this, my firewall uses the

63

new Linux 2.4 iptables stateful functionality to allow new outgoing connections

64

to be established by my customers and servers, and of course to allow new

65

incoming connections, but only to "public" services, such as web, ftp, ssh, and

66

SMTP. Since I used a deny-by-default design, any from-Internet connections to

67

non-public services, such as the squid proxy cache or Samba server, are

68

automatically rejected. So far, I have a pretty decent firewall that offers a

69

good level of protection for everyone at my ISP.

70

</p>

71

72

<p>

73

For the first week or so, the firewall works great, but then something ugly

74

happens: Bob, my arch-nemesis (who works at a competing ISP) decides that he

75

wants to flood my network with packets in an attempt to deny service to my

76

customers. Unfortunately, Bob has carefully studied my firewall and knows that

77

while I'm protecting many internal services, port 25 and 80 must be publicly

78

accessible so that I can receive mail and serve HTTP requests. Bob decides to

79

take advantage of this fact by launching a bandwidth-sucking attack against my

80

web and mail server.

81

</p>

82

83

<p>

84

About a minute or so after Bob begins his attack, I notice that my uplinks start

85

becoming saturated with packets. After taking a look at the situation with

86

<c>tcpdump</c> I determine that this is yet another Bob attack, and I figure out

87

what IP addresses he's using to launch it. Now that I have this information, all

88

that I need to do is block these IP addresses, and that should solve the problem

89

-- a simple solution, or so I think.

90

</p>

91

92

</body>

93

</section>

94

95

<section>

96

<title>Responding to an attack</title>

97

<body>

98

99

<p>

100

I quickly load my firewall setup script into vi and begin hacking away at my

101

iptables rules, modifying my firewall so that it'll block those evil incoming

102

Bob packets. After a minute or so, I find the exact place to make the

103

appropriate DROP rule additions, and I add them. Then, I start and stop the

104

firewall...ooops, made a bit of a mistake when I added the rules. I load up the

105

firewall scripts again, fix the problem, and thirty seconds later the firewall

106

has been tweaked to block Bob's attack of the month. At first, it seems like I

107

successfully thwarted the attack...until the helpdesk phones begin ringing.

108

Apparently, Bob was able to disrupt my network for about 10 minutes, and now my

109

customers are calling to find out what's going on. Even worse, after a few

110

minutes pass, I notice that our uplinks again start to become saturated. This

111

time, Bob appears to be using a brand-new set of IP addresses for his attacks.

112

In response, I begin feverishly hacking away at our firewall scripts, except

113

this time, I'm a bit panicky -- maybe my solution isn't so good after all.

114

</p>

115

116

<p>

117

Here's what went wrong in the above scenario. Although I had a decent firewall

118

in place and also quickly identified the cause of the network problem, I was

119

unable to modify the behavior of my firewall to respond to the threat in time.

120

Of course, when your network is under attack, you want to be able to respond

121

immediately, and being forced to hack away at your master firewall setup script

122

in a panicked state is not only stressful, but also very inefficient.

123

</p>

124

125

</body>

126

</section>

127

</chapter>

128

129

<chapter>

130

<title>Scripts</title>

131

<section>

132

<title>ipdrop</title>

133

<body>

134

135

<p>

136

It would be far better if I had a special <c>ipdrop</c> script that's

137

specifically designed to insert just the rules you need to block the IP address

138

that I specify. With such a script, blocking a firewall is no longer a

139

two-minute ordeal; instead, it takes five seconds. And since the script shields

140

me from the task of editing firewall rules by hand, it eliminates a major source

141

of errors. All that's left for me to do is to determine the IP address that I'd

142

like to block, and then type:

143

</p>

144

145

<pre caption="Dropping IP">

146

# <i>ipdrop 129.24.8.1 on</i>

147

IP 129.24.8.1 drop on.

148

</pre>

149

150

<p>

151

Immediately, the ipdrop script would block 129.24.8.1, Bob's current evil IP

152

address of the week. This script dramatically improves your defenses, because

153

now an IP block is a no-brainer. Now, let's take a look at my implementation of

154

the ipdrop script:

155

</p>

156

157

<pre caption="ipdrop script">

158

#!/bin/bash

159

160

source /usr/local/share/.sh

161

162

args 2 $# "${0} IPADDR {on/off}" 

163

164

<comment># Drops packets to/from IPADDR. Good for obnoxious

165

networks/hosts/DoS"</comment>

166

167

if [ "$2" == "on" ] 

168

then

169

<comment># Rules will be appended or inserted as normal</comment>

170

 APPEND="-A"

171

  INSERT="-I"

172

  rec_check ipdrop $1 "$1 already blocked" on

173

  record ipdrop $1

174

elif [ "$2" == "off" ]

175

then

176

<comment># Rules will be deleted instead</comment>

177

 APPEND="-D"

178

  INSERT="-D"

179

  rec_check ipdrop $1 "$1 not currently blocked" off 

180

  unrecord ipdrop $1

181

else

182

  echo "Error: \"off\" or \"on\" expected as second argument"

183

  exit 1

184

fi

185

186

<comment># Block outside IP address that's causing problems</comment>

187

<comment># Attacker's incoming TCP connections will take a minute or so to time

188

out, reducing DoS effectiveness</comment>

189

190

iptables $INSERT INPUT   -s $1 -j DROP

191

iptables $INSERT OUTPUT  -d $1 -j DROP

192

iptables $INSERT FORWARD -d $1 -j DROP

193

iptables $INSERT FORWARD -s $1 -j DROP

194

195

echo "IP ${1} drop ${2}."

196

</pre>

197

198

</body>

199

</section>

200

201

<section>

202

<title>ipdrop: the explanation</title>

203

<body>

204

205

<p>

206

If you take a look at the last four highlighted lines, you'll see the actual

207

commands that insert the appropriate rules into the firewall tables. As you can

208

see, the definition of the $INSERT environment variable varies, depending on

209

whether we're running in "on" or "off" mode. When the iptables lines execute,

210

the particular rules will be inserted or deleted appropriately.

211

</p>

212

213

<p>

--

218

gentoo-doc-cvs@g.o mailing list

1	fox2mike 05/07/13 09:58:29
2
3	Added: xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml
4	Log:
5	#98620 - Common Threads - Dynamic iptables firewalls by drobbins - Initial Version. Thanks to Lukasz Damentko.
6
7	Revision Changes Path
8	1.1 xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml
9
10	file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
11	plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo
12
13	Index: dynamic-iptables-firewalls.xml
14	===================================================================
15	<?xml version='1.0' encoding="UTF-8"?>
16	<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.1 2005/07/13 09:58:28 fox2mike Exp $ -->
17	<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
18
19	<guide link="/doc/en/articles/dynamic-iptables-firewalls.xml">
20	<title>Dynamic iptables firewalls</title>
21
22	<author title="Author">
23	<mail link="drobbins@g.o">Daniel Robbins</mail>
24	</author>
25	<author title="Editor">
26	<mail link="rane@××××××.pl">Łukasz Damentko</mail>
27	</author>
28
29	<abstract>
30	Firewalls are good and fun, but what do you do when you need to make rapid,
31	complex changes to your firewall rules? Easy. Use Daniel Robbins' dynamic
32	firewall scripts that are demonstrated in this article. You can use these
33	scripts to increase your network security and responsiveness, and to inspire
34	your own creative designs.
35	</abstract>
36
37	<!-- The original version of this article was published on IBM developerWorks,
38	and is property of Westtech Information Services. This document is an updated
39	version of the original article, and contains various improvements made by the
40	Gentoo Linux Documentation team -->
41
42	<version>1.0</version>
43	<date>2005-07-13</date>
44
45	<chapter>
46	<title>Introduction</title>
47	<section>
48	<title>Flexible (and fun) network security</title>
49	<body>
50
51	<note>
52	The original version of this article was published on IBM developerWorks, and is
53	property of Westtech Information Services. This document is an updated version
54	of the original article, and contains various improvements made by the Gentoo
55	Linux Documentation team.
56	</note>
57
58	<p>
59	The best way to see the benefits of dynamic firewall scripts is to see them in
60	action. To do this, let's imagine that I'm a sysadmin at an ISP, and I've
61	recently set up a Linux-based firewall to protect my customers and internal
62	systems from malicious users on the Internet. To do this, my firewall uses the
63	new Linux 2.4 iptables stateful functionality to allow new outgoing connections
64	to be established by my customers and servers, and of course to allow new
65	incoming connections, but only to "public" services, such as web, ftp, ssh, and
66	SMTP. Since I used a deny-by-default design, any from-Internet connections to
67	non-public services, such as the squid proxy cache or Samba server, are
68	automatically rejected. So far, I have a pretty decent firewall that offers a
69	good level of protection for everyone at my ISP.
70	</p>
71
72	<p>
73	For the first week or so, the firewall works great, but then something ugly
74	happens: Bob, my arch-nemesis (who works at a competing ISP) decides that he
75	wants to flood my network with packets in an attempt to deny service to my
76	customers. Unfortunately, Bob has carefully studied my firewall and knows that
77	while I'm protecting many internal services, port 25 and 80 must be publicly
78	accessible so that I can receive mail and serve HTTP requests. Bob decides to
79	take advantage of this fact by launching a bandwidth-sucking attack against my
80	web and mail server.
81	</p>
82
83	<p>
84	About a minute or so after Bob begins his attack, I notice that my uplinks start
85	becoming saturated with packets. After taking a look at the situation with
86	<c>tcpdump</c> I determine that this is yet another Bob attack, and I figure out
87	what IP addresses he's using to launch it. Now that I have this information, all
88	that I need to do is block these IP addresses, and that should solve the problem
89	-- a simple solution, or so I think.
90	</p>
91
92	</body>
93	</section>
94
95	<section>
96	<title>Responding to an attack</title>
97	<body>
98
99	<p>
100	I quickly load my firewall setup script into vi and begin hacking away at my
101	iptables rules, modifying my firewall so that it'll block those evil incoming
102	Bob packets. After a minute or so, I find the exact place to make the
103	appropriate DROP rule additions, and I add them. Then, I start and stop the
104	firewall...ooops, made a bit of a mistake when I added the rules. I load up the
105	firewall scripts again, fix the problem, and thirty seconds later the firewall
106	has been tweaked to block Bob's attack of the month. At first, it seems like I
107	successfully thwarted the attack...until the helpdesk phones begin ringing.
108	Apparently, Bob was able to disrupt my network for about 10 minutes, and now my
109	customers are calling to find out what's going on. Even worse, after a few
110	minutes pass, I notice that our uplinks again start to become saturated. This
111	time, Bob appears to be using a brand-new set of IP addresses for his attacks.
112	In response, I begin feverishly hacking away at our firewall scripts, except
113	this time, I'm a bit panicky -- maybe my solution isn't so good after all.
114	</p>
115
116	<p>
117	Here's what went wrong in the above scenario. Although I had a decent firewall
118	in place and also quickly identified the cause of the network problem, I was
119	unable to modify the behavior of my firewall to respond to the threat in time.
120	Of course, when your network is under attack, you want to be able to respond
121	immediately, and being forced to hack away at your master firewall setup script
122	in a panicked state is not only stressful, but also very inefficient.
123	</p>
124
125	</body>
126	</section>
127	</chapter>
128
129	<chapter>
130	<title>Scripts</title>
131	<section>
132	<title>ipdrop</title>
133	<body>
134
135	<p>
136	It would be far better if I had a special <c>ipdrop</c> script that's
137	specifically designed to insert just the rules you need to block the IP address
138	that I specify. With such a script, blocking a firewall is no longer a
139	two-minute ordeal; instead, it takes five seconds. And since the script shields
140	me from the task of editing firewall rules by hand, it eliminates a major source
141	of errors. All that's left for me to do is to determine the IP address that I'd
142	like to block, and then type:
143	</p>
144
145	<pre caption="Dropping IP">
146	# <i>ipdrop 129.24.8.1 on</i>
147	IP 129.24.8.1 drop on.
148	</pre>
149
150	<p>
151	Immediately, the ipdrop script would block 129.24.8.1, Bob's current evil IP
152	address of the week. This script dramatically improves your defenses, because
153	now an IP block is a no-brainer. Now, let's take a look at my implementation of
154	the ipdrop script:
155	</p>
156
157	<pre caption="ipdrop script">
158	#!/bin/bash
159
160	source /usr/local/share/.sh
161
162	args 2 $# "${0} IPADDR {on/off}"
163
164	<comment># Drops packets to/from IPADDR. Good for obnoxious
165	networks/hosts/DoS"</comment>
166
167	if [ "$2" == "on" ]
168	then
169	<comment># Rules will be appended or inserted as normal</comment>
170	APPEND="-A"
171	INSERT="-I"
172	rec_check ipdrop $1 "$1 already blocked" on
173	record ipdrop $1
174	elif [ "$2" == "off" ]
175	then
176	<comment># Rules will be deleted instead</comment>
177	APPEND="-D"
178	INSERT="-D"
179	rec_check ipdrop $1 "$1 not currently blocked" off
180	unrecord ipdrop $1
181	else
182	echo "Error: \"off\" or \"on\" expected as second argument"
183	exit 1
184	fi
185
186	<comment># Block outside IP address that's causing problems</comment>
187	<comment># Attacker's incoming TCP connections will take a minute or so to time
188	out, reducing DoS effectiveness</comment>
189
190	iptables $INSERT INPUT -s $1 -j DROP
191	iptables $INSERT OUTPUT -d $1 -j DROP
192	iptables $INSERT FORWARD -d $1 -j DROP
193	iptables $INSERT FORWARD -s $1 -j DROP
194
195	echo "IP ${1} drop ${2}."
196	</pre>
197
198	</body>
199	</section>
200
201	<section>
202	<title>ipdrop: the explanation</title>
203	<body>
204
205	<p>
206	If you take a look at the last four highlighted lines, you'll see the actual
207	commands that insert the appropriate rules into the firewall tables. As you can
208	see, the definition of the $INSERT environment variable varies, depending on
209	whether we're running in "on" or "off" mode. When the iptables lines execute,
210	the particular rules will be inserted or deleted appropriately.
211	</p>
212
213	<p>
214
215
216
217	--
218	gentoo-doc-cvs@g.o mailing list

Gentoo Archives: gentoo-doc-cvs