* Dynamic Deny rule
@ 2003-01-04 15:26 Mark Ryan
  2003-01-04 18:29 ` Michael J. Tubby B.Sc. (Hons) G8TIC
  2003-01-04 18:53 ` Bob Sully
  0 siblings, 2 replies; 6+ messages in thread
From: Mark Ryan @ 2003-01-04 15:26 UTC (permalink / raw)
  To: netfilter

I am trying to come up with an iptables rule that will deny certain IP
addresses that I can load/unload into a file.
 
To clarify... I run an FTP server and sometimes people screw around and I
want to ban them from logging in.  I need a way to add these IPs into a
'ban list'.  I don't want to add a new rule every time, however, with a
separate rule for each IP.
 
Is there a way to make a file such as 'banned_ips' and have a rule look
into that file to decide if the IP can log in or not?
 
Thanks,
Mark

* Re: Dynamic Deny rule
  2003-01-04 15:26 Dynamic Deny rule Mark Ryan
@ 2003-01-04 18:29 ` Michael J. Tubby B.Sc. (Hons) G8TIC
  2003-01-04 18:53 ` Bob Sully
  1 sibling, 0 replies; 6+ messages in thread
From: Michael J. Tubby B.Sc. (Hons) G8TIC @ 2003-01-04 18:29 UTC (permalink / raw)
  To: Mark Ryan; +Cc: netfilter

Mark,

Why don't you make a user table called something like
"ftp_check", then add to the chain the IPs of people that you
want to ban from connecting, finishing up with a rule that
accepts everyone else...

You probably have a fairly common setup where incoming
packets on your public interface are first inspected for
protocol and vectored on to one of a number of user tables:

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j inet_icmp
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j inet_tcp
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j inet_udp


You probably (should) have a "tcp_allowed" chain for state matching,
something like this:

$IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -j DROP

which is where you send TCP sessions that you want to accept
(match address and port number), and hence your "inet_tcp" table
would look something like this:

$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 21 -j tcp_allowed    # FTP control
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 25 -j tcp_allowed    # SMTP
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 80 -j tcp_allowed    # Web
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 22 -j tcp_allowed    # SSH

would change to use the new table for FTP control connections, so that 

$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 21 -j ftp_check        # FTP control
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 25 -j tcp_allowed    # SMTP
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 80 -j tcp_allowed    # Web
$IPTABLES -A inet_tcp -p TCP -s 0/0 --dport 22 -j tcp_allowed    # SSH

and your new "ftp_check" table would have something like:

$IPTABLES -A ftp_check -p TCP -s <banned #1> -j REJECT
$IPTABLES -A ftp_check -p TCP -s <banned #2> -j REJECT
$IPTABLES -A ftp_check -p TCP -s <banned #3> -j REJECT
$IPTABLES -A ftp_check -p TCP -s 0/0 -j tcp_allowed

Where you add the "banned IP addresses" before the last rule which
is effectively the policy "accept from everyone else" but isn't done
by a default table/chain policy because if we 'accept' the ip address in
this case we need to go back to the "tcp_allowed" chain.

NB. You need to ensure the last rule remains at the end so using
"insert" rather than "append" may well be appropriate.

You can now add/remove rules from the "ftp_check" table at will
without affecting the rest of your setup. You can also choose how
you "reject" the blacklisted ones: you can ignore them with "-j DROP",
reject them as above, or use an extended form and reject them
with "host unreachable", "port unreachable" etc. etc.


Mike


----- Original Message ----- 
From: "Mark Ryan" <markryan@cfl.rr.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, January 04, 2003 3:26 PM
Subject: Dynamic Deny rule


> I am trying to come up with an iptables rule that will deny certain IP
> addresses that I can load/unload into a file.
>  
> To clarify... I run an FTP server and sometimes people screw around and I
> want to ban them from logging in.  I need a way to add these IPs into a
> 'ban list'.  I don't want to add a new rule every time, however, with a
> separate rule for each IP.
>  
> Is there a way to make a file such as 'banned_ips' and have a rule look
> into that file to decide if the IP can log in or not?
>  
> Thanks,
> Mark

* Re: Dynamic Deny rule
  2003-01-04 15:26 Dynamic Deny rule Mark Ryan
  2003-01-04 18:29 ` Michael J. Tubby B.Sc. (Hons) G8TIC
@ 2003-01-04 18:53 ` Bob Sully
  2003-01-04 21:46   ` Athan
  1 sibling, 1 reply; 6+ messages in thread
From: Bob Sully @ 2003-01-04 18:53 UTC (permalink / raw)
  To: Mark Ryan; +Cc: netfilter


Mark:

Here's the excerpt from my script:

  # Refuse any connections to/from problem sites.
  #
  # /etc/firewall/firewall.banned contains a list of IPs
  # to block all access, both inbound and outbound.
  # The file should contain IP addresses with CIDR
  # netmask, one per line:
  #
  # NOTE: No comments are allowed in the file.
  #
  # 111.222.333.444/32            - To block a single IP address
  # 111.222.333.444/8             - To block a Class-A network
  # 111.222.333.444/16            - To block a Class-B network
  # 111.222.333.444/24            - To block a Class-C network
  #
  # The CIDR netmask number describes the number of bits
  # in the network portion of the address, and may be on
  # any boundary.
  #

  if [ -f /etc/firewall/firewall.banned ]; then
     while read BANNED; do
         iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
         iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
         iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
         iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
     done < /etc/firewall/firewall.banned
  fi

HTH...Bob


On Sat, 4 Jan 2003, Mark Ryan wrote:

> I am trying to come up with an iptables rule that will deny certain IP
> addresses that I can load/unload into a file.
>  
> To clarify... I run an FTP server and sometimes people screw around and I
> want to ban them from logging in.  I need a way to add these IPs into a
> 'ban list'.  I don't want to add a new rule every time, however, with a
> separate rule for each IP.
>  
> Is there a way to make a file such as 'banned_ips' and have a rule look
> into that file to decide if the IP can log in or not?
>  
> Thanks,
> Mark


-- 
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net

"The waiting is the hardest part." - T. Petty

* Re: Dynamic Deny rule
  2003-01-04 18:53 ` Bob Sully
@ 2003-01-04 21:46   ` Athan
  2003-01-04 22:15     ` Bob Sully
  2003-01-04 23:10     ` Rob Sterenborg
  0 siblings, 2 replies; 6+ messages in thread
From: Athan @ 2003-01-04 21:46 UTC (permalink / raw)
  To: Bob Sully; +Cc: Mark Ryan, netfilter

On Sat, Jan 04, 2003 at 10:53:16AM -0800, Bob Sully wrote:
> Here's the excerpt from my script:
> 
>   # Refuse any connections to/from problem sites.
[snip]
> 
>   if [ -f /etc/firewall/firewall.banned ]; then
>      while read BANNED; do
>          iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
>          iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
>          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
>          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
>      done < /etc/firewall/firewall.banned
>   fi

  Given it reads the entire file each time, wouldn't you want to put
some sort of flush in there first?  Of course that's going to get rid of
all rules.  Just if you run this every time you're going to end up with
some entries in there a lot of times.

  How about having the actual INPUT/OUTPUT chains jump to a user-defined
one at the end and you put these rules in that user-defined chain?  That
way you can flush *that* entire chain each time before adding the
current bans.

  Of course if you use a decent FTPd it's easy to ban by IP anyway, i.e.
proftpd:

        <Directory *>
                <Limit ALL>
                        Deny from 62.80.132.
                        Deny from .CXXXII.adsl.multi.fi
                </Limit>
        </Directory>

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

* Re: Dynamic Deny rule
  2003-01-04 21:46   ` Athan
@ 2003-01-04 22:15     ` Bob Sully
  2003-01-04 23:10     ` Rob Sterenborg
  1 sibling, 0 replies; 6+ messages in thread
From: Bob Sully @ 2003-01-04 22:15 UTC (permalink / raw)
  To: Athan; +Cc: Mark Ryan, netfilter



This file is only read once, at firewall startup or restart.  I check my 
logs pretty regularly, and any bad guys get put in the firewall.banned 
file on a daily basis.  

I actually have had no problems with ftp, as I run ProFTPd with only one 
incoming directory which has no read access and no write access anywhere 
else.

-- Bob --


On Sat, 4 Jan 2003, Athan wrote:

> On Sat, Jan 04, 2003 at 10:53:16AM -0800, Bob Sully wrote:
> > Here's the excerpt from my script:
> > 
> >   # Refuse any connections to/from problem sites.
> [snip]
> > 
> >   if [ -f /etc/firewall/firewall.banned ]; then
> >      while read BANNED; do
> >          iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
> >          iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
> >          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
> >          iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
> >      done < /etc/firewall/firewall.banned
> >   fi
> 
>   Given it reads the entire file each time, wouldn't you want to put
> some sort of flush in there first?  Of course that's going to get rid of
> all rules.  Just if you run this every time you're going to end up with
> some entries in a lot of times.
> 
>   How about having the actual INPUT/OUTPUT chains jump to a userdefined
> one at the end and you put these rules in that user-defined chain?  That
> way you can flush *that* entire chain each time before adding the
> current bans.
> 
>   Of course if you use a decent FTPd it's easy to ban by IP anyway, i.e.
> proftpd:
> 
>         <Directory *>
>                 <Limit ALL>
>                         Deny from 62.80.132.
>                         Deny from .CXXXII.adsl.multi.fi
>                 </Limit>
>         </Directory>
> 
> -Ath
> 

-- 
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net

"The waiting is the hardest part." - T. Petty

* Re: Dynamic Deny rule
  2003-01-04 21:46   ` Athan
  2003-01-04 22:15     ` Bob Sully
@ 2003-01-04 23:10     ` Rob Sterenborg
  1 sibling, 0 replies; 6+ messages in thread
From: Rob Sterenborg @ 2003-01-04 23:10 UTC (permalink / raw)
  To: netfilter

Athan wrote:
> On Sat, Jan 04, 2003 at 10:53:16AM -0800, Bob Sully wrote:
> 
>>Here's the excerpt from my script:
>>
>>  # Refuse any connections to/from problem sites.
> 
> [snip]
> 
>>  if [ -f /etc/firewall/firewall.banned ]; then
>>     while read BANNED; do
>>         iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
>>         iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
>>         iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
>>         iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
>>     done < /etc/firewall/firewall.banned
>>  fi

This way you'd have to reload the complete INPUT and OUTPUT rules over 
and over, which is something I wouldn't do.

If you *are* going to use iptables for this, how about creating user 
BAN_IN and BAN_OUT chains?
Then let cron start a script every 5 minutes that clears the BAN chains 
and refills them with the values from the /etc/firewall/firewall.banned 
file.

Something like this (I didn't test this..) :

-----------

#!/bin/bash

EXT_IF="eth0"
BANFILE="/etc/firewall/firewall.banned"

# If a chain doesn't exist, "iptables -L" exits non-zero and prints an
# error. Use the exit status and discard the output; -n avoids a
# reverse DNS lookup for every rule that gets listed.

iptables -n -L BAN_IN  >/dev/null 2>&1 && IN=1  || IN=""
iptables -n -L BAN_OUT >/dev/null 2>&1 && OUT=1 || OUT=""

if [ -f "$BANFILE" ]; then

   # Check to see if the user chains exist;
   # If they do : clear them.
   # If they don't : create them and redirect the packets from the
   #   INPUT and OUTPUT chains to the BAN chains first.

   if [ -n "$IN" ] ; then
     iptables -F BAN_IN
   else
     iptables -N BAN_IN
     iptables -I INPUT 1 -j BAN_IN
   fi
   if [ -n "$OUT" ] ; then
     iptables -F BAN_OUT
   else
     iptables -N BAN_OUT
     iptables -I OUTPUT 1 -j BAN_OUT
   fi

   # Fill BAN chains.
   # Slightly modified from above: one address or CIDR prefix per
   # line, no comments; -r keeps backslashes literal and blank lines
   # are skipped so they don't produce a broken iptables call.

   while read -r BAN_IP; do
     [ -z "$BAN_IP" ] && continue
     iptables -A BAN_IN  -i "$EXT_IF" -s "$BAN_IP" -j DROP
     iptables -A BAN_OUT -o "$EXT_IF" -d "$BAN_IP" -j DROP
   done < "$BANFILE"

else

   # The ban file doesn't exist ; we don't need the chains.
   # Get rid of the BAN redirects in the INPUT and OUTPUT chains
   #   if we have them (deleting by rule specification avoids having
   #   to look up the line number), then clear and delete the chains.

   if [ -n "$IN" ] ; then
     iptables -D INPUT -j BAN_IN
     iptables -F BAN_IN
     iptables -X BAN_IN
   fi
   if [ -n "$OUT" ] ; then
     iptables -D OUTPUT -j BAN_OUT
     iptables -F BAN_OUT
     iptables -X BAN_OUT
   fi

fi
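A variant of the chain-refill approach Athan suggests and Rob's script implements, added here as an example and not code from the thread: it renders the ban file as an iptables-restore fragment and loads it with --noflush, so the chain is replaced in one atomic transaction instead of being flushed and refilled one iptables call at a time, and malformed lines are skipped rather than aborting the reload. The chain name BAN_IN, the interface eth0 and the sample list are assumptions.

```shell
#!/bin/sh
# Rebuild the ban chain from a file with one IPv4 address or CIDR
# prefix per line (blank lines and "#" comments are skipped). With
# iptables-restore --noflush the ":CHAIN - [0:0]" line creates or
# flushes that chain and all its rules are committed in one go, so no
# other chain is touched and there is no window without bans.
BAN_CHAIN="${BAN_CHAIN:-BAN_IN}"   # assumed chain name
EXT_IF="${EXT_IF:-eth0}"           # assumed external interface

# 0 if $1 is a dotted quad with octets 0..255 and an optional /0-/32.
valid_ipv4_cidr() {
    printf '%s\n' "$1" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr="${1%%/*}"; oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Ban file on stdin, iptables-restore fragment on stdout; malformed
# entries are reported on stderr and skipped instead of aborting.
gen_ban_restore() {
    echo "*filter"
    echo ":${BAN_CHAIN} - [0:0]"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                            # drop comments
        line="$(printf '%s' "$line" | tr -d ' \t')"   # and whitespace
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            echo "-A ${BAN_CHAIN} -i ${EXT_IF} -s ${line} -j DROP"
        else
            echo "ban list: skipping malformed entry '${line}'" >&2
        fi
    done
    echo "COMMIT"
}

# Load the chain, then make sure INPUT jumps to it exactly once
# (needs root; -C needs iptables 1.4.11 or later).
apply_bans() {
    gen_ban_restore < "$1" | iptables-restore --noflush || return 1
    iptables -C INPUT -j "$BAN_CHAIN" 2>/dev/null ||
      iptables -I INPUT 1 -j "$BAN_CHAIN"
}

# Constructed sample list (not a real ban list) for a dry run.
SAMPLE_BANS="$(printf '# hosts\n192.0.2.7\n198.51.100.0/24 # range\n999.1.1.1\nbogus\n')"
demo() { printf '%s\n' "$SAMPLE_BANS" | gen_ban_restore 2>/dev/null; }
```

Run `demo` to see the fragment that would be fed to iptables-restore; `apply_bans /etc/firewall/firewall.banned` does the live load.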
