* Drop packets with low IP Time to Live field value
From: Jorge Agrelo @ 2004-12-24 18:30 UTC (permalink / raw)
To: netfilter
Hi Folks
Can anybody help me write an iptables rule to drop/reject packets
with a TTL of 1 or 0?
Regards
**********************************
CTO: Eng. Jorge Agrelo O.
WEb: www.novadevices.com
E-Mail: jagrelo@novadevices.com
Phone: (593-2) 225-7711 ext. 105
Av. Brasil N45-08 y Condor, Quito Ecuador
**********************************
* Re: Drop packets with low IP Time to Live field value
From: Jason Opperisano @ 2004-12-24 18:56 UTC (permalink / raw)
To: netfilter
On Fri, 2004-12-24 at 13:30, Jorge Agrelo wrote:
> Hi Folks
>
> Can anybody help me write an iptables rule to drop/reject packets
> with a TTL of 1 or 0?
coupla things: if your routing firewall receives a packet with a TTL =
1 that is not destined for itself, it will drop the packet and reply to
the sender with an ICMP Time Exceeded, TTL expired in transit (type 11
code 0).
there is no "valid" way to receive a packet with a TTL of 0. for that
matter, unless the attacker is on the same segment as you, it's pretty
tough to receive an "invalid" packet with a TTL of 0; unless the
attacker controls every router between himself and you.
this has nothing to do with netfilter or firewalling--it is part of
standard routing.
that all being said--use the ttl match:
iptables [...] -m ttl --ttl-eq 1 [...]
iptables [...] -m ttl --ttl-lt 1 [...]
i don't condone the use of the above.
-j
--
"Homer no function beer well without."
--The Simpsons
* Re: Drop packets with low IP Time to Live field value
From: Chris Brenton @ 2004-12-25 2:08 UTC (permalink / raw)
To: netfilter
On Fri, 2004-12-24 at 13:56, Jason Opperisano wrote:
>
> this has nothing to do with netfilter or firewalling--it is part of
> standard routing.
Agreed. TTL of 0 should never happen unless the upstream router has gone
rogue or has been compromised.
> that all being said--use the ttl match:
>
> iptables [...] -m ttl --ttl-eq 1 [...]
> iptables [...] -m ttl --ttl-lt 1 [...]
>
> i don't condone the use of the above.
I've rejected TTLs of 5 or less with a host unreachable for many years
and have never had a problem. It's a great way to detect, and usually
prevent, tools such as Firewalk and TCPTrace.
The lowest starting TTL you will see in the wild today is 32. Even then,
that's only certain networking hardware, as most OSes are 64 or higher.
Given that most hosts are 14-18 hops away from each other on the
Internet, filtering TTLs of 5 or less should cause zero problems with
legitimate traffic.
HTH,
Chris
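Added example, not from the thread: a user-space model of the two behaviours Jason and Chris describe (routing expiry of TTL 1 with ICMP Time Exceeded type 11 code 0, and Chris's reject of TTL 5 or less with host unreachable), so the policy can be checked offline against constructed packets. It assumes the router's own address is 192.168.1.1 and expresses Chris's cut-off as `-m ttl --ttl-lt 6 -j REJECT --reject-with icmp-host-unreachable`; the packet bytes are constructed.

```python
import socket
import struct

ROUTER_ADDR = "192.168.1.1"   # assumed address of the filtering router
TTL_REJECT_BELOW = 6          # Chris's policy: reject TTL 5 or less
HDR = "!BBHHHBBH4s4s"         # 20-byte IPv4 header without options

def ip_checksum(data: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Constructed header-only IPv4 packet used as sample input."""
    fields = [0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields)

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the fields the verdict needs; TTL is byte 8 of the header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IHL or header checksum")
    return {"ttl": pkt[8], "proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}

def decide(pkt: bytes) -> str:
    """Verdict for one packet, in the order the kernel applies the checks."""
    hdr = parse_ipv4(pkt)
    forwarding = hdr["dst"] != ROUTER_ADDR
    if forwarding and hdr["ttl"] <= 1:
        # Routing code, not netfilter: the packet is not forwarded and the
        # sender receives ICMP Time Exceeded, type 11 code 0 (Jason's point).
        return "icmp-time-exceeded"
    if hdr["ttl"] < TTL_REJECT_BELOW:
        # Chris's filter, applied in both INPUT and FORWARD:
        #   iptables -A <chain> -m ttl --ttl-lt 6 -j REJECT --reject-with icmp-host-unreachable
        return "reject-host-unreachable"
    return "accept"

def min_arrival_ttl(start_ttls=(32, 64, 128), max_hops=18) -> int:
    """Lowest TTL legitimate traffic arrives with, using Chris's figures."""
    return min(start_ttls) - max_hops     # 14, well above the cut-off

if __name__ == "__main__":
    for ttl, dst in [(0, ROUTER_ADDR), (1, "192.168.1.20"), (3, "192.168.1.20"), (50, ROUTER_ADDR)]:
        print(f"TTL={ttl:3d} dst={dst:13s} -> {decide(build_ipv4('203.0.113.9', dst, ttl))}")
```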
* Re: Drop packets with low IP Time to Live field value
From: Nick Drage @ 2004-12-27 15:25 UTC (permalink / raw)
To: netfilter
On Fri, Dec 24, 2004 at 09:08:12PM -0500, Chris Brenton wrote:
> On Fri, 2004-12-24 at 13:56, Jason Opperisano wrote:
> > that all being said--use the ttl match:
> >
> > iptables [...] -m ttl --ttl-eq 1 [...]
> > iptables [...] -m ttl --ttl-lt 1 [...]
> >
> > i don't condone the use of the above.
>
> I've rejected TTLs of 5 or less with a host unreachable for many
> years and have never had a problem. It's a great way to detect, and
> usually prevent, tools such as Firewalk and TCPTrace.
Just to back up Chris, I've done a similar thing and never had an issue
- and it does mean traceroutes and packets from similar software just
get eaten.
--
I love getting older. You're happier, you're more well-adjusted, you have
more money... and there is one very important thing you realize as you get
older: People in their 20's don't know a damn thing about ANYTHING. The
only thing that people in their 20's are good for is looking better than
people in their 30's and 40's. So if you're in your 20's, you can strike a
pose, but shut the f*** up! - Jim David
* One Nic; Multiple Subnets
From: Mike @ 2004-12-27 16:38 UTC (permalink / raw)
To: netfilter
I've been looking through the monthly archives of this list, but I
can't find the needle in the haystack. I saw this question answered
before, and I'm hoping I'll see it again. :-)
I have an old Slackware routerbox that only has room for 2 NICs.
Right now there are two NICs in it and they are set up like so:
eth0 --> Internet (Dynamic IP: Assigned by ISP)
eth1 --> Lan (Gateway Interface: 192.168.1.1)
I will soon be joining some computers from another LAN into the one
mentioned above.
I will need to set up security measures so that the new computers will
not be hacked or viewed by the other users on the LAN.
Even though I've only got one class C subnet (192.168.1.1 - 255), I
want to create 2 or more "virtual" subnets to reside in this address
range.
How do I create the multiple subnets?
Do I need to use the route command or IPsec?
And what would the iptables rule look like, where Subnet "B" rejects
all packets coming from Subnet "A"?
Is this even close? ---
$IPTABLES -t filter FORWARD -A -i eth1 -s 192.168.1.2/150
--to-destination 192.168.1.151/253 -j DENY
Thank you for your time and help.
Mike
* Re: One Nic; Multiple Subnets
From: Jason Opperisano @ 2004-12-27 16:52 UTC (permalink / raw)
To: netfilter
On Mon, 2004-12-27 at 11:38, Mike wrote:
> I've been looking through the monthly archives of this list, but I
> can't find the needle in the haystack. I saw this question answered
> before, and I'm hoping I'll see it again. :-)
>
> I have an old Slackware routerbox that only has room for 2 NICs.
> Right now there are two NICs in it and they are set up like so:
>
> eth0 --> Internet (Dynamic IP: Assigned by ISP)
> eth1 --> Lan (Gateway Interface: 192.168.1.1)
>
> I will soon be joining some computers from another LAN into the one
> mentioned above.
> I will need to set up security measures so that the new computers will
> not be hacked or viewed by the other users on the LAN.
>
> Even though I've only got one class C subnet (192.168.1.1 - 255), I
> want to create 2 or more "virtual" subnets to reside in this address
> range.
>
> How do I create the multiple subnets?
> Do I need to use the route command or IPsec?
> And what would the iptables rule look like, where Subnet "B" rejects
> all packets coming from Subnet "A"?
>
> Is this even close? ---
> $IPTABLES -t filter FORWARD -A -i eth1 -s 192.168.1.2/150
> --to-destination 192.168.1.151/253 -j DENY
>
> Thank you for your time and help.
>
> Mike
without physical separation--you have no security.
this may be a stretch, but if the internal switch supports VLANs--you
could VLAN the switch, and create a trunk on eth1 of the linux router.
that would give some semblance of separation between the two subnets,
but it's still only virtual. but it's better than plugging all your
machines into that same layer 2 broadcast domain and thinking you can
segment machines from each other.
-j
--
"Here we have an ordinary square.
Whoa! Slow down egghead!"
--The Simpsons
* Re: One Nic; Multiple Subnets
From: John A. Sullivan III @ 2004-12-27 17:01 UTC (permalink / raw)
To: Mike; +Cc: Netfilter users list
I'm afraid I do not have time to answer in depth today but I'll try to
point you in the right direction.
On Mon, 2004-12-27 at 11:38, Mike wrote:
> I've been looking through the monthly archives of this list, but I
> can't find the needle in the haystack. I saw this question answered
> before, and I'm hoping I'll see it again. :-)
>
> I have an old Slackware routerbox that only has room for 2 NICs.
> Right now there are two NICs in it and they are set up like so:
>
> eth0 --> Internet (Dynamic IP: Assigned by ISP)
> eth1 --> Lan (Gateway Interface: 192.168.1.1)
>
> I will soon be joining some computers from another LAN into the one
> mentioned above.
> I will need to set up security measures so that the new computers will
> not be hacked or viewed by the other users on the LAN.
>
> Even though I've only got one class C subnet (192.168.1.1 - 255), I
> want to create 2 or more "virtual" subnets to reside in this address
> range.
>
> How do I create the multiple subnets?
You can break them into distinct subnets with subnet masking and bind
multiple addresses to the same NIC using iproute2 (the "ip" command).
> Do I need to use the route command or IPsec?
> And what would the iptables rule look like, where Subnet "B" rejects
> all packets coming from Subnet "A"?
>
> Is this even close? ---
> $IPTABLES -t filter FORWARD -A -i eth1 -s 192.168.1.2/150
> --to-destination 192.168.1.151/253 -j DENY
You've got the basic idea but both your syntax and your grasp of some
fundamental issues seem weak. I would suggest a tour of Oskar
Andreasson's iptables tutorial (you can find the link on the netfilter
web site, http://www.netfilter.org). You can also find some slide shows
on using iptables and iproute2 in the training section of the ISCS
network security management project page at http://iscs.sourceforge.net.
You may also want to brush up on subnet masking.
I apologize that this isn't a cookbook solution, but it sounds like you
might benefit from a little more information besides just the
recipe. Good luck - John
<snip>
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: One Nic; Multiple Subnets
From: Mike @ 2004-12-27 17:43 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: Netfilter users list
John,
Thanks for the prompt reply.
I'd like not to be weak on the fundamentals so I'll start down the
path by way of your suggested links.
It sounds like the situation would be much less complicated if I could
simply throw another NIC in the routerbox. An inexpensive mobo, CPU,
and RAM combo may save a lot of headaches in this endeavor.
Best regards.
Mike
* Re: One Nic; Multiple Subnets
From: Mike @ 2004-12-27 17:57 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
Jason,
Thanks for the reply.
Sounds like a second NIC is really what's needed here.
John Sullivan suggested it could be done using iptables in combination
with iproute2, but I'm not sure I could manage it well. I'm
challenged enough by iptables itself.
I'm thinkin' new mobo/CPU/RAM combo for $150 from newegg.com :-)
Best regards.
Mike
* Re: One Nic; Multiple Subnets
From: Mike @ 2004-12-28 17:35 UTC (permalink / raw)
To: Martijn Lievaart; +Cc: netfilter
Martijn,
Thanks for your help.
I've definitely decided to go down the "2-nic" path and make life simpler.
Now of course I'm wondering if I should buy some better equipment to
run a strong Ethereal/Snort combo on the routerbox. I'm way overdue
on intrusion detection and network usage.
Any suggestions on the level of hardware required to run Ethereal and
Snort on a routerbox?
Best regards.
Mike
On Tue, 28 Dec 2004 13:35:35 +0100 (CET), Martijn Lievaart <m@rtij.nl> wrote:
> Mike said:
> > Jason,
> > Thanks for the reply.
> > Sounds like a second NIC is really what's needed here.
> > John Sullivan suggested it could be done using iptables in combination
> > with iproute2; but I'm not sure I could manage it well. I'm
> > challenged enough by iptables, itself.
> >
> > I'm thinkin' new mobo/cpu/ram combo. for $150 from newegg.com :-)
>
> YES! make it as simple as possible. Do it like this:
>
> * Add another nic, eth2 (I assume you want the new mobo because you cannot
> add another nic to the current setup, right? Otherwise, just add another
> nic and you're set).
> * Give the new nic 192.168.2.1/24, add all new hosts on this second subnet.
> * Make sure the nets can only access the Internet, not each other.
> (from memory, may not be 100% correct)
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -j ACCEPT
> -A FORWARD -m limit --limit "10/s" -j LOG --log-prefix "Invalid forward: "
> -A FORWARD -j DROP
>
> Obviously, you also have to add the relevant MASQ, INPUT and OUTPUT rules,
> but those should not be wildly different from what you have now.
>
> HTH,
> M4
>
>
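Added example, not part of the thread: a small Python trace of Martijn's FORWARD chain with a minimal connection tracker, showing why both LANs reach the Internet and get their replies back while LAN-to-LAN and unsolicited inbound packets are logged and dropped. The interface names follow Martijn's layout (eth0 Internet, eth1 LAN A, eth2 LAN B); the addresses, ports and flows are constructed, and NAT and the LOG rate limit are left out.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "in_if out_if src sport dst dport")

# Martijn's FORWARD chain as posted. LOG is non-terminating, so a packet that
# reaches it continues on to the final DROP; the "-m limit" is omitted here.
FORWARD = [
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in_if": "eth1", "out_if": "eth0", "target": "ACCEPT"},
    {"in_if": "eth2", "out_if": "eth0", "target": "ACCEPT"},
    {"target": "LOG"},          # --log-prefix "Invalid forward: "
    {"target": "DROP"},
]

class Forwarder:
    """Just enough of conntrack and chain traversal to trace the policy."""
    def __init__(self, chain=FORWARD):
        self.chain = chain
        self.flows = set()      # 4-tuples of accepted flows (the conntrack table)
        self.log = []

    def state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def verdict(self, p):
        st = self.state(p)
        for rule in self.chain:
            if "state" in rule and st not in rule["state"]:
                continue
            if rule.get("in_if", p.in_if) != p.in_if:
                continue
            if rule.get("out_if", p.out_if) != p.out_if:
                continue
            if rule["target"] == "LOG":
                self.log.append(f"Invalid forward: IN={p.in_if} OUT={p.out_if} "
                                f"SRC={p.src} DST={p.dst} DPT={p.dport}")
                continue                      # LOG does not end traversal
            if rule["target"] == "ACCEPT":
                # The flow becomes trackable once its first packet is let
                # through (conntrack confirms the entry in POSTROUTING).
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return rule["target"]
        return "DROP"   # chain policy; assumed, the post does not state it

def demo():
    """Constructed flows: LAN A 192.168.1.0/24 on eth1, LAN B 192.168.2.0/24 on eth2."""
    fw = Forwarder()
    inet = "198.51.100.5"       # constructed Internet host
    r = {}
    r["a_to_inet"] = fw.verdict(Pkt("eth1", "eth0", "192.168.1.10", 40000, inet, 80))
    r["inet_reply_a"] = fw.verdict(Pkt("eth0", "eth1", inet, 80, "192.168.1.10", 40000))
    r["b_to_inet"] = fw.verdict(Pkt("eth2", "eth0", "192.168.2.10", 40001, inet, 443))
    r["a_to_b"] = fw.verdict(Pkt("eth1", "eth2", "192.168.1.10", 40002, "192.168.2.10", 22))
    r["inet_to_b"] = fw.verdict(Pkt("eth0", "eth2", inet, 5555, "192.168.2.10", 22))
    return r, fw.log
```

Removing the first (state) rule from the chain and rerunning demo() shows the reply from the Internet to LAN A being dropped, which is why that rule has to come first.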