* help me
From: bash @ 2006-03-29 0:19 UTC (permalink / raw)
To: netfilter
Hello All,
I want to dynamically block some IPs that load my router with --state NEW
packets (usually generated by the very aggressive NetLook Windows
program). But there is a problem: -m limit will block all my router's
users, and I want to block just one IP :/
--
Biomechanica Artificial Sabotage Humanoid
* Re: help me
From: John A. Sullivan III @ 2006-03-29 1:50 UTC (permalink / raw)
To: bash; +Cc: netfilter
On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> Hello All,
>
> I wanna dynamically block some ip's that load my router with --state NEW
> packets (usually it's generated by very aggressive NetLook win
> program). But there is a problem -m limit will block all my router's
> user, and I wanna block just one ip :/
I'm not entirely sure of what you want to do. Why can you not match
source? If you want, match the one IP and send all traffic for that IP
to a user-defined chain, e.g.:
iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
iptables -A SpecialChain -j DOWHATEVERYOUWANT
If it is that you want to exempt certain addresses, send all the packets
to a user-defined chain and return the exemptions, e.g.:
iptables -A FORWARD -j LimitChain
iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j RETURN
iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
* Re: help me
From: bash @ 2006-03-29 3:29 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
On Tue, 28 Mar 2006 20:50:51 -0500
"John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> > Hello All,
> >
> > I wanna dynamically block some ip's that load my router with --state NEW
> > packets (usually it's generated by very aggressive NetLook win
> > program). But there is a problem -m limit will block all my router's
> > user, and I wanna block just one ip :/
> I'm not entirely sure of what you want to do. Why can you not match
> source? If you want, match the one IP and send all traffic for that IP
> to a user defined chain, e.g., :
> iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
> iptables -A SpecialChain -j DOWHATEVERYOUWANT
>
> If it is that you want to exempt certain addresses, send all the packets
> to a user defined chain and return the exemptions, e.g.,
>
> iptables -A FORWARD -j LimitChain
> iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j
> RETURN
> iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
The problem is that I don't know the IP of this machine.... And anyone in
my net can run the NetLook program... So I want that if someone in my net
exceeds the limit, then iptables will block this IP dynamically....
--
Biomechanica Artificial Sabotage Humanoid
* Re: help me (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2006-03-29 4:22 UTC (permalink / raw)
To: netfilter
On 2006.03.28 22:29, bash - 0x62ash@gmail.com wrote:
> On Tue, 28 Mar 2006 20:50:51 -0500
> "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
>
> > On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> > > Hello All,
> > >
> > > I wanna dynamically block some ip's that load my router with --state NEW
> > > packets (usually it's generated by very aggressive NetLook win
> > > program). But there is a problem -m limit will block all my router's
> > > user, and I wanna block just one ip :/
> > I'm not entirely sure of what you want to do. Why can you not match
> > source? If you want, match the one IP and send all traffic for that IP
> > to a user defined chain, e.g., :
> > iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
> > iptables -A SpecialChain -j DOWHATEVERYOUWANT
> >
> > If it is that you want to exempt certain addresses, send all the packets
> > to a user defined chain and return the exemptions, e.g.,
> >
> > iptables -A FORWARD -j LimitChain
> > iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j
> > RETURN
> > iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
>
> The problem is that I don't know IP of this machine.... And anyone in
> my net can run NetLook program... So i want that - if some-one in my net
> exceed limit then iptables will block this ip dynamically....
I am not an expert on this, but for what it is worth: perhaps the rules
used to detect and limit brute-force ssh attacks could be adapted to your
need. Does NetLook have a predictable pattern?
You can find out about the ssh blocking rules if you search the archives
for 'brute force'.
Hope that helps.
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: help me (nfcan: addressed to exclusive sender for this address)
From: bash @ 2006-03-29 17:54 UTC (permalink / raw)
Cc: netfilter
On Tue, 28 Mar 2006 23:22:26 -0500
Jim Laurino <nfcan.x.jimlaur@dfgh.net> wrote:
> I am not an expert on this,
> but for what it is worth:
>
> Perhaps the rules used to detect
> and limit brute force ssh attacks
> could be adapted to your need.
You are talking about the "recent" module... I don't know how I can use
it in my situation....
> Does NetLook have a predictable pattern?
Forget about NetLook...
My criterion for blocking is:
if the rate of SYN packets from ONE source IP is greater than 3 packets/sec
=> then block this IP
And I can't add an "-m limit" rule for every source IP in my net,
because my net is big (~255^3)....
> You can find out about the ssh blocking rules
> if you search the archives for 'brute force'.
>
> Hope that helps.
--
Biomechanica Artificial Sabotage Humanoid
* RE: help me (nfcan: addressed to exclusive sender for this address)
From: Rob Sterenborg @ 2006-03-29 18:28 UTC (permalink / raw)
To: netfilter
>> I am not an expert on this,
>> but for what it is worth:
>>
>> Perhaps the rules used to detect
>> and limit brute force ssh attacks
>> could be adapted to your need.
>
> You are talking about "recent" module... I don't know how I can use
> it in my situation....
>
>> Does NetLook have a predictable pattern?
>
> Forget about NetLook...
>
> My criteria for blocking is:
> if rate of SYN packages from ONE source IP is greater then
> 3packets/sec => then block this IP
>
> And i can't add rule "-m limit" per all source IP in my net,
> because my net is big (~255^3)....
Wouldn't that look something like:
$ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
-p tcp --syn -m limit --limit 3/sec -j ACCEPT
This would match NEW packets on your LAN interface with SYN set, coming
from any of your LAN IPs, and not allow more than 3 of these per
second. Of course, you'd also need a rule like this to allow the
complete connection:
$ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT
Or am I missing something?
Gr,
Rob
* Re: help me (nfcan: addressed to exclusive sender for this address)
From: bash @ 2006-03-29 19:14 UTC (permalink / raw)
To: netfilter
On Wed, 29 Mar 2006 20:28:53 +0200
"Rob Sterenborg" <rob@sterenborg.info> wrote:
> >> I am not an expert on this,
> >> but for what it is worth:
> >>
> >> Perhaps the rules used to detect
> >> and limit brute force ssh attacks
> >> could be adapted to your need.
> >
> > You are talking about "recent" module... I don't know how I can use
> > it in my situation....
> >
> >> Does NetLook have a predictable pattern?
> >
> > Forget about NetLook...
> >
> > My criteria for blocking is:
> > if rate of SYN packages from ONE source IP is greater then
> > 3packets/sec => then block this IP
> >
> > And i can't add rule "-m limit" per all source IP in my net,
> > because my net is big (~255^3)....
>
> Wouldn't that look something like :
>
> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
> -p tcp --syn -m limit --limit 3/sec -j ACCEPT
If just ONE host from my $LAN_NET exceeds this limit, then ALL
hosts in $LAN_NET will not be able to start a new session... and this is
bad. I want to limit 3/sec per host, not for the whole net....
> This would match NEW packets on your LAN interface with SYN set, coming
> from any of your LAN IP's and not allowing more than 3 of these per
> second. Of course, you'd also need a rule like this to allow the
> complete connection :
>
> $ipt -A [INPUT|FORWARD] -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Or am I missing something ?
>
>
> Gr,
> Rob
>
>
--
Biomechanica Artificial Sabotage Humanoid
* RE: help me (nfcan: addressed to exclusive sender for this address)
From: Rob Sterenborg @ 2006-03-30 5:45 UTC (permalink / raw)
To: netfilter
>> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
>> -p tcp --syn -m limit --limit 3/sec -j ACCEPT
>
> If just ONE host from my $LAN_NET will exceed this limit, then ALL
> hosts in $LAN_NET will not able to start new session... and this is
> bad. I want to limit 3/sec per host, not for all net....
Yes.. :-\
Maybe this post is of help then.
http://www.linux-noob.com/forums/index.php?showtopic=1829
Gr,
Rob
* Re: help me (nfcan: addressed to exclusive sender for this address)
From: bash @ 2006-03-30 15:58 UTC (permalink / raw)
To: netfilter
On Thu, 30 Mar 2006 07:45:01 +0200
"Rob Sterenborg" <rob@sterenborg.info> wrote:
> >> $ipt -A [INPUT|FORWARD] -i $IF_LAN -m state --state NEW -s $LAN_NET \
> >> -p tcp --syn -m limit --limit 3/sec -j ACCEPT
> >
> > If just ONE host from my $LAN_NET will exceed this limit, then ALL
> > hosts in $LAN_NET will not able to start new session... and this is
> > bad. I want to limit 3/sec per host, not for all net....
>
> Yes.. :-\
> Maybe this post is of help then.
> http://www.linux-noob.com/forums/index.php?showtopic=1829
I saw it... "-m recent" has only 1-second sampling... I can't handle a
situation of 3/sec etc.....
I found the "-m dstlimit" module, which is handy, *but* for my situation I
want the same but limiting the packet rate per SOURCE IP....
an inverted dstlimit :)
Any ideas? :/
--
Biomechanica Artificial Sabotage Humanoid
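Added example, not code from the thread or from any of its participants. Two proposals are on the table above: Rob's single "-m limit --limit 3/sec" rule, and the per-source limit bash asks for in the last message (an "inverted dstlimit"). Both the limit and hashlimit matches are token buckets; the difference is that limit keeps one bucket for the whole rule while hashlimit with --hashlimit-mode srcip keeps one per source address (hashlimit is the successor of dstlimit and can key on either end). The simulation below runs both behaviours over a constructed stream of SYN arrivals so the difference is visible without root or a kernel, and then lists the iptables rules that implement the per-source version with a dynamic block list via the recent match. Assumptions of mine: the LAN interface is eth1, the addresses and timings in the packet stream are made up, and the chain and list names (SYNPOLICE, synlimit, synblock) are invented for the example.

```python
"""Per-source SYN policing: a shared bucket versus one bucket per source.

Added example, not from the netfilter thread. Both iptables' "limit" and
"hashlimit" matches are token buckets: a bucket holds up to "burst" tokens,
refills at "rate" tokens per second, and a packet matches only if it can take
a token. "limit" keeps ONE bucket for the whole rule; "hashlimit
--hashlimit-mode srcip" keeps one bucket per source address. The simulation
runs both over the same constructed packet stream, in integer milli-tokens
so the arithmetic is exact.
"""
from collections import defaultdict

# Constructed sample input (not captured traffic): (time_ms, source_ip) of SYN
# packets seen on the LAN side of the router. 10.1.1.50 plays the scanner and
# sends one SYN every 50 ms; 10.1.1.20 and 10.1.1.21 each open one connection.
SCANNER = "10.1.1.50"
SYN_EVENTS = sorted(
    [(ms, SCANNER) for ms in range(0, 1000, 50)]
    + [(520, "10.1.1.20"), (870, "10.1.1.21")]
)


class TokenBucket:
    """Token bucket with integer state: 1 token == 1000 milli-tokens."""

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec      # 3/sec == 3 milli-tokens per ms
        self.cap = burst * 1000
        self.tokens = self.cap                 # starts full, like the kernel's
        self.last_ms = None

    def allow(self, now_ms):
        """Take one token if available; True means the packet is within budget."""
        if self.last_ms is not None:
            elapsed = now_ms - self.last_ms
            self.tokens = min(self.cap, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def _police(events, bucket_for):
    """Run time-sorted events through buckets; return drops per source and the
    first time each source was over budget."""
    dropped, first_over = defaultdict(int), {}
    for ms, src in events:
        if not bucket_for(src).allow(ms):
            dropped[src] += 1
            first_over.setdefault(src, ms)
    return dict(dropped), first_over


def global_limit(events, rate=3, burst=5):
    """What `-m limit --limit 3/sec --limit-burst 5` does: one bucket shared by
    every source, so a single noisy host drains it for everybody."""
    shared = TokenBucket(rate, burst)
    return _police(events, lambda _src: shared)[0]


def per_source_limit(events, rate=3, burst=5):
    """What `-m hashlimit --hashlimit-mode srcip` does: a bucket per source."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return _police(events, lambda src: buckets[src])[0]


def block_list(events, rate=3, burst=5):
    """Sources that exceeded their own budget and when they first did; this is
    the set a `-m recent --set` rule would record for the dynamic block."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return _police(events, lambda src: buckets[src])[1]


# The equivalent iptables rules (assumed interface eth1; chain and list names
# are invented for this example). A source stays blocked while it keeps
# sending SYNs within 60 s of its last hit because of --update; use --rcheck
# for a fixed 60 s instead. Older iptables releases spell --hashlimit-upto
# as --hashlimit.
IPTABLES_RULES = """\
iptables -N SYNPOLICE
iptables -A FORWARD -i eth1 -p tcp --syn -m recent --name synblock --update --seconds 60 -j DROP
iptables -A FORWARD -i eth1 -p tcp --syn -j SYNPOLICE
iptables -A SYNPOLICE -m hashlimit --hashlimit-mode srcip --hashlimit-name synlimit \\
    --hashlimit-upto 3/sec --hashlimit-burst 5 -j RETURN
iptables -A SYNPOLICE -m recent --name synblock --set -j DROP
"""

if __name__ == "__main__":
    print("shared bucket, drops per source:", global_limit(SYN_EVENTS))
    print("per-source buckets, drops per source:", per_source_limit(SYN_EVENTS))
    print("would be added to the block list:", block_list(SYN_EVENTS))
    print(IPTABLES_RULES)
```

Run it as-is: with the shared bucket the two ordinary users each lose their one SYN to the scanner's burst, while with per-source buckets only the scanner is touched and it lands on the block list 250 ms in. In the rule set only SYNs are policed, so a blocked host's established connections keep working, and a host drops off the list 60 seconds after its last SYN.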