From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Request for Comments / Opinions on temporarily blocking access...
Date: Tue, 31 May 2005 01:25:57 -0500
Message-ID: <429C0375.60005@riverviewtech.net>
I'm considering (re)writing a firewall script for my home system (as a test before I deploy it at my clients) that would temporarily block access to various hosts, LAN and / or internet, that have tripped one or more filters. I would like this list's opinion on such a system as below:
iptables -t filter -A INPUT -j Bogon_Test
iptables -t filter -A INPUT -j SSH_Brute_Force
iptables -t filter -A INPUT -j Time_Out_Corner
iptables -t filter -A FORWARD -j Bogon_Test
iptables -t filter -A FORWARD -j SSH_Brute_Force
iptables -t filter -A FORWARD -j Proxy_Bypass_Attempt
iptables -t filter -A FORWARD -j Time_Out_Corner
iptables -t filter -A Bogon_Test ...
...
iptables -t filter -A Bogon_Test -j LOG
iptables -t filter -A Bogon_Test -m recent --name Time_Out_List --set --rsource
iptables -t filter -A Bogon_Test -m recent --name Time_Out_List --set --rdest
iptables -t filter -A Bogon_Test -j DROP
iptables -t filter -A SSH_Brute_Force ...
...
iptables -t filter -A SSH_Brute_Force -j LOG
iptables -t filter -A SSH_Brute_Force -m recent --name Time_Out_List --set --rsource
iptables -t filter -A SSH_Brute_Force -m recent --name Time_Out_List --set --rdest
iptables -t filter -A SSH_Brute_Force -j TARPIT
iptables -t filter -A Proxy_Bypass_Attempt
...
iptables -t filter -A Proxy_Bypass_Attempt -j LOG
iptables -t filter -A Proxy_Bypass_Attempt -m recent --name Time_Out_List --set --rsource
iptables -t filter -A Proxy_Bypass_Attempt -m recent --name Time_Out_List --set --rdest
iptables -t filter -A Proxy_Bypass_Attempt -j DROP
iptables -t filter -A Time_Out_Corner -m state --state NEW -m recent --name Time_Out_List --rcheck --rsource --seconds 60 --hitcount 1 -j DROP
iptables -t filter -A Time_Out_Corner -m state --state NEW -m recent --name Time_Out_List --rcheck --rdest --seconds 60 --hitcount 1 -j DROP
#iptables -t filter -A Time_Out_Corner -m recent --name Time_Out_List --rcheck --rsource --seconds 60 --hitcount 1 -j DROP
#iptables -t filter -A Time_Out_Corner -m recent --name Time_Out_List --rcheck --rdest --seconds 60 --hitcount 1 -j DROP
The idea I'm after is that any place you have a (sub) chain that does any checking in your firewall that could potentially LOG and DROP traffic, I would like to add a recent set for source and / or destination address to the Time_Out_Corner recent list. This Time_Out_Corner recent list could then be checked to see if a specific source and / or destination IP has done anything to trigger any of the checks, and deny any NEW access to the system if it has. Optionally, if you would rather disconnect any ongoing (not NEW) connections, comment out the first two rules and uncomment the last two rules in the Time_Out_Corner table. To pull this off all traffic would need to pass through the Time_Out_Corner chain.
Grant. . . .
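As an added example (not code from Grant's post), the design above written as a POSIX shell script that emits an iptables-restore ruleset, so it can be syntax-checked with iptables-restore --test and loaded atomically. It goes slightly beyond the post by using --update for the source check and making destination tracking optional; the chain and list names are the post's, while TIMEOUT, MODE, TRACK_DEST and PRINT are my own.

```shell
#!/bin/sh
# Added example (not from the post): emit the penalty-box design as an iptables-restore
# ruleset. Chain/list names are the post's; TIMEOUT, MODE and TRACK_DEST are mine.

# Shared tail for every detector chain: log, remember the offender in Time_Out_List,
# then apply that chain's own verdict. TRACK_DEST=1 also records the destination, as
# the post does; on INPUT that is the firewall's own address, so one tripped filter
# would then deny NEW connections to the firewall from everyone for TIMEOUT seconds.
penalize() {   # penalize CHAIN VERDICT TRACK_DEST
    echo "-A $1 -j LOG --log-prefix \"$1: \""
    echo "-A $1 -m recent --name Time_Out_List --set --rsource"
    [ "$3" = 1 ] && echo "-A $1 -m recent --name Time_Out_List --set --rdest"
    echo "-A $1 -j $2"
}

# The corner itself. MODE=new blocks only NEW connections (the post's active pair);
# MODE=all also cuts established flows (its commented-out pair). --update instead of
# --rcheck refreshes the source's timestamp on every hit, so a host that keeps
# retrying stays out until TIMEOUT seconds after its last packet.
timeout_corner() {   # timeout_corner TIMEOUT MODE
    state=""
    [ "$2" = new ] && state="-m state --state NEW "
    for dir in rsource rdest; do
        op=update
        [ "$dir" = rdest ] && op=rcheck   # other hosts' traffic must not extend a destination's penalty
        echo "-A Time_Out_Corner $state-m recent --name Time_Out_List --$op --$dir --seconds $1 -j DROP"
    done
}

build_ruleset() {   # build_ruleset TIMEOUT new|all TRACK_DEST
    echo '*filter'
    for c in Bogon_Test SSH_Brute_Force Proxy_Bypass_Attempt Time_Out_Corner; do
        echo ":$c - [0:0]"
    done
    for hook in INPUT FORWARD; do
        echo "-A $hook -j Bogon_Test"
        echo "-A $hook -j SSH_Brute_Force"
        [ "$hook" = FORWARD ] && echo "-A $hook -j Proxy_Bypass_Attempt"
        echo "-A $hook -j Time_Out_Corner"
    done
    # The detector-specific match rules (the post's "...") go before each penalize line.
    penalize Bogon_Test DROP "$3"
    penalize SSH_Brute_Force TARPIT "$3"
    penalize Proxy_Bypass_Attempt DROP "$3"
    timeout_corner "$1" "$2"
    echo 'COMMIT'
}

# Syntax-check without committing:  PRINT=1 sh penalty_box.sh | iptables-restore --test
[ -z "${PRINT:-}" ] || build_ruleset "${TIMEOUT:-60}" "${MODE:-new}" "${TRACK_DEST:-0}"
```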