IPTables/Netfilter Recent Module
|
Updated: Fri, 21 Mar 2003 21:53:30 -0500
|
Wrote myself a module which I called 'recent' to track seen IP addresses and be able to match against
them using some criteria. What this lets me do is basically build up a temporary 'bad-guy' list for
when people attempt to port scan me and whatnot and then I use the match to drop everything coming
from them for a given amount of time. There is also an ipt_recent
mailing list and
CVSWeb access to the code.
|
Releases
|
Updated: Mon, 31 Mar 2003 16:13:21 -0500
|
The Netfilter CVS repository generally has a pretty up-to-date
version of my module in the patch-o-matic area. This is the official repository and has the latest
releases.
The --rsource/--rdest options have had some pretty odd behaviour in the past that I've finally fixed.
They're much more intuitive now and instead of being per-table based they work for the current rule.
Makes a heck of alot more sense and is more flexible as well I believe.
The current released version
is available here, and is currently running on my firewall:
ipt_recent-0.3.1.tar.gz
This is a tarball of the current files. A patch against what is currently is:
ipt_recent-0.3.1-netfilter_update.patch
If you run into any problems or bugs with this version please let me know so I can take care
of them.
|
Changelog
|
Updated: Fri, 21 Mar 2003 21:55:44 -0500
|
You can check out the latest version as well as look at older releases
by picking the appropriate tag over at the
CVS repository.
|
Examples
|
Updated: Sun, 08 Sep 2002 00:15:12 -0400
|
Example #1:
# iptables -A FORWARD -m recent --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
Here we are making a 'bad guy' out of anyone who tries to send data to
127.0.0.0/8 on our eth0 interface (which should never legitimately
happen). The first packet will make it past the first rule and then
be caught by the second rule and that address will be put into the
recent list and the packet dropped.
Any subsequent packets for the next 60 seconds that show up from that
address will be dropped, regardless of destination address, destiation
port, etc.
Example #2:
# iptables -A FORWARD -m recent --update --seconds 60 -j DROP
# iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
(The author's favorite method)
This is identical to example #1 except that for every subsequent packet
received from this source address the 'last seen' status will be updated
in the table. Therefore there must be a 'quiet time' of 60 seconds
before another packet from this address will even be considered.
It is the author's intent that all 'DROP' rules be replaced by:
'-m recent --set -j DROP'
and that a:
'-m recent --update --seconds 60 -j DROP'
rule be added very early on in the rule set, though following any:
'--match state --state ! NEW,INVALID -j ACCEPT'
rules. If the '--update' rule is before this check for ! NEW,INVALID
packets then ESTABLISHED connection or those in the process of becoming
ESTABLISHED could be disrupted by a malicious person who can modify
his/her source address.
Example #3:
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 25 -m recent --set --rsource --name SMTP_RELAY_IN -j ACCEPT
# iptables -A FORWARD -d 192.168.1.1/32 -p tcp --dport 113 -m recent --rcheck --rsource --seconds 15 --name SMTP_RELAY_OUT -j ACCEPT
# iptables -A FORWARD -s 192.168.1.1/32 -p tcp --dport 25 -m recent --set --rdest --name SMTP_RELAY_OUT -j ACCEPT
# iptables -A FORWARD -s 192.168.1.1/32 -p tcp --dport 113 -m recent --rcheck --rdest --seconds 15 --name SMTP_RELAY_IN -j ACCEPT
This set of rules can be used to allow auth requests to/from your mail server to go through when there
is an associated SMTP connection. It's possible someone could write a conntrack module for this too but
that seems kind of excessive, especially when there are a number of other places where this kind of a
setup could be desirable (ie: for IRC). Unfortunately this won't work all the time because there are
some incorrectly configured systems out there where the auth request will actually come from a different
IP address than the SMTP connection was made to, not much that can be done there. This example also
shows how you can set it up so that people have to, say, send a 'special' packet of some kind to be
allowed to connect to some internal machine. Very neat idea.
|
|