From: gabrix <gabrix@gabrix.ath.cx>
To: netfilter@lists.netfilter.org
Subject: Re: netfilter Digest, Vol 29, Issue 2
Date: Mon, 04 Dec 2006 16:04:36 +0100
Message-ID: <45743904.40405@gabrix.ath.cx>
In-Reply-To: <20061204142236.6E87B1BF83@mail.gabrix.ath.cx>
netfilter-request@lists.netfilter.org wrote:
> Send netfilter mailing list submissions to
> netfilter@lists.netfilter.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.netfilter.org/mailman/listinfo/netfilter
> or, via email, send a message with subject or body 'help' to
> netfilter-request@lists.netfilter.org
>
> You can reach the person managing the list at
> netfilter-owner@lists.netfilter.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of netfilter digest..."
>
>
> Today's Topics:
>
> 1. How to block a DNS DoS attack? (Eduardo Fernández)
> 2. Re: How to block a DNS DoS attack? (Martijn Lievaart)
> 3. Re: -i interface filter not working for firewall
> (Martijn Lievaart)
> 4. Re: How to block a DNS DoS attack? (Elvir Kuric)
> 5. Re: ip routing after changing mac address to a virtual one
> (Martijn Lievaart)
> 6. Traffic auditing per user (Joris Dobbelsteen)
> 7. T/TCP connections not NATed (Frederik Deweerdt)
> 8. Multiple Mac Addresses as Source (Syed AbuBakr)
> 9. Re: Multiple Mac Addresses as Source (Pascal Hambourg)
> 10. Re: -i interface filter not working for firewall (victor oliveira)
> 11. Re: -i interface filter not working for firewall (Pascal Hambourg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 2 Dec 2006 21:56:56 +0100
> From: "Eduardo Fernández" <eduardo@cmusanjuan.com>
> Subject: How to block a DNS DoS attack?
> To: "Netfilter Mailing List" <netfilter@lists.netfilter.org>
> Message-ID:
> <fedfc260612021256w7f94bb2eg3bb77e6bdd5c97d9@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi!
>
> Some computers in my network are flooding the dns server with mx
> queries generated by some virus, at a rate of 2/second or so. I can't
> use the string match as suggested before because of my kernel version.
> I can't forbid MX queries in the server because there could be valid
> queries, so the only way to match the virus is the speed or number of
> queries. I've tried the following to match only the virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
> 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?
>
> Thanks a bunch!
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 03 Dec 2006 16:26:04 +0100
> From: Martijn Lievaart <m@rtij.nl>
> Subject: Re: How to block a DNS DoS attack?
> To: "Eduardo Fernández" <eduardo@cmusanjuan.com>
> Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
> Message-ID: <4572EC8C.7020600@rtij.nl>
> Content-Type: text/plain; charset=iso-8859-1; format=flowed
>
> Eduardo Fernández wrote:
>
>
>> Hi!
>>
>> Some computers in my network are flooding the dns server with mx
>> queries generated by some virus, at a rate of 2/second or so. I can't
>> use the string match as suggested before because of my kernel version.
>> I can't forbid MX queries in the server because there could be valid
>> queries, so the only way to match the virus is the speed or number of
>> queries. I've tried the following to match only the virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
>> 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>>
>
>
> I don't know why this doesn't work, but I would probably take a whole
> different route. As you say you could have matched with the string
> match, you can write a tcpdump capture expression for those packets.
> Feed the output to a short script that extracts the IP address and adds
> a rule to deny any traffic to that IP address. This has the added
> advantage that it breaks functionality on the client, so people will
> complain. This makes it easier to spot the infected machines. And maybe
> slow the rate of spreading, who knows.
>
> If those addresses are assigned by DHCP, make sure to clear the blocks
> occasionally. Any (still) infected machine will simply readd itself in
> no time.
>
> Obviously, you have to make sure that you add an address only once. This
> also means that adding and deleting IPAs should probably be coordinated
> with a lock, though you may get away without.
>
> Something along these lines (untested):
>
> # iptables -N VDROP
> # iptables -I INPUT -j VDROP
> # mkdir -p /var/state/sumtin
> # tcpdump -l -n -i <intf> <filter> | sed -E -n \
>     's/^.*IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*/\1/p' | while read ip; do
> >   # block each offending source address only once (-l keeps tcpdump line-buffered)
> >   if [ ! -f /var/state/sumtin/$ip ]; then touch /var/state/sumtin/$ip;
> >     iptables -A VDROP -s $ip -j DROP; fi
> > done
>
> (The ipset match is better suited for this, but if you don't have
> string, you probably don't have ipset.)
>
> BTW, you probably get better results with the limit match if you use a
> shorter time and a lower limit.
>
> HTH,
> M4
>
>
>
>
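The limit rule in the original question is a single token bucket shared by all sources, which is why tuning it cannot separate the infected hosts from normal clients. This added simulation (not from the thread) models the limit match with the thread's numbers: a 2000-packet burst drained at about 2 queries/s, refilled at 40/minute, with a constructed "normal" client sharing the same bucket; rates are given as strings or numbers Fraction accepts.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class LimitMatch:
    """Token-bucket model of the iptables 'limit' match: the bucket starts
    full with --limit-burst tokens, refills at --limit and is capped at the
    burst size.  One bucket per rule, shared by every source address."""
    rate_per_sec: Fraction                # --limit, e.g. 40/minute -> 40/60
    burst: int                            # --limit-burst
    tokens: Fraction = field(init=False)
    last: Fraction = field(default=Fraction(0), init=False)

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def matches(self, now):
        # Refill for the elapsed time, then spend one token if one is available.
        refill = (now - self.last) * self.rate_per_sec
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(rate_per_sec, burst, sources, seconds):
    """sources maps a client name to its (evenly spaced) packets per second.
    Returns {name: (matched, fell_through)} plus the time of the first packet
    that fell past the rule, or None if the burst was never exhausted."""
    rule = LimitMatch(Fraction(rate_per_sec), burst)
    events = sorted((Fraction(i) / Fraction(pps), name)
                    for name, pps in sources.items()
                    for i in range(int(Fraction(pps) * seconds)))
    counts = {name: [0, 0] for name in sources}
    first_miss = None
    for t, name in events:
        if rule.matches(t):
            counts[name][0] += 1
        else:
            counts[name][1] += 1
            first_miss = t if first_miss is None else first_miss
    return {n: tuple(c) for n, c in counts.items()}, first_miss


if __name__ == "__main__":
    # Constructed scenario: ~2 MX queries/s from one infected host plus a normal
    # client resolving about once every 10 s, over one hour.
    res, t = simulate("40/60", 2000, {"infected": 2, "normal": "1/10"}, 3600)
    print(res, "first packet past the rule at", float(t), "s")
```

Once the burst is gone (after roughly 25 minutes of the flood alone), the normal client's queries fall past the rule just as the infected host's do, since both draw on the same bucket.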
> ------------------------------
>
> Message: 3
> Date: Sun, 03 Dec 2006 17:08:09 +0100
> From: Martijn Lievaart <m@rtij.nl>
> Subject: Re: -i interface filter not working for firewall
> To: victor oliveira <victor.oliveira@concretesolutions.com.br>
> Cc: netfilter@lists.netfilter.org
> Message-ID: <4572F669.1000206@rtij.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> victor oliveira wrote:
>
>
>> My problem is the following: I am able to connect from my machine to
>> the firewall using both eth2 and eth3. However, note that the INPUT
>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>> and only allowing connections to the eth2 and not the eth3
>> interface...
>>
>
>
> Your rules are a bit messy, but it should probably work. Are you sure you
> connect through eth3? You do say it is from the same machine; if you are
> connected to eth2 and address the ip address of eth3, you still come in
> through eth2.
>
> HTH,
> M4
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 3 Dec 2006 13:34:23 -0800 (PST)
> From: Elvir Kuric <omasnjak@yahoo.com>
> Subject: Re: How to block a DNS DoS attack?
> To: "Eduardo Fernández" <eduardo@cmusanjuan.com>, Netfilter Mailing
> List <netfilter@lists.netfilter.org>
> Message-ID: <414919.97581.qm@web56213.mail.re3.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Eduardo,
>
> I suggest you to check link below
>
> http://www-128.ibm.com/developerworks/linux/library/l-fw/?n-l-4191
>
> Hope this helps.
>
> Regards
>
> Elvir Kuric
> --- Eduardo Fernández <eduardo@cmusanjuan.com> wrote:
>
>
>> Hi!
>>
>> Some computers in my network are flooding the dns
>> server with mx
>> queries generated by some virus, at a rate of
>> 2/second or so. I can't
>> use the string match as suggested before because of
>> my kernel version.
>> I can't forbid MX queries in the server because
>> there could be valid
>> queries, so the only way to match the virus is the
>> speed or number of
>> queries. I've tried the following to match only the
>> virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m
>> limit --limit
>> 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>>
>> Thanks a bunch!
>>
>>
>>
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Sun, 03 Dec 2006 23:03:54 +0100
> From: Martijn Lievaart <m@rtij.nl>
> Subject: Re: ip routing after changing mac address to a virtual one
> To: first last <doctor_konkord@yahoo.com>
> Cc: netfilter@lists.netfilter.org
> Message-ID: <457349CA.9060006@rtij.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> first last wrote:
>
>
>> Hi Mike,
>>
>> Yes, eth1 gets its IP address from DHCP server. DHCP
>> server always gives me the same IP address because it
>> knows my MAC address. So I only can get a different IP
>> address by changing my MAC address.
>>
>>
>>
>
> [ Please don't toppost ]
>
> Try to shutdown the interface, change the MAC, then bring the interface
> back up. Masquerading is a bit strange and I'm not completely sure what
> will work when. However, this way, it should definitely work.
>
> HTH,
> M4
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 4 Dec 2006 00:11:17 +0100
> From: "Joris Dobbelsteen" <Joris@familiedobbelsteen.nl>
> Subject: Traffic auditing per user
> To: <netfilter@lists.netfilter.org>
> Message-ID:
> <73427AD314CC364C8DF0FFF9C4D693FF544D@nehemiah.joris2k.local>
> Content-Type: text/plain; charset="us-ascii"
>
> I'm looking for a solution to audit network traffic usage per user.
> After a long enough search I was not able to find a solution that suited
> my needs.
>
> It must fit the following requirements:
> * The traffic must be logged on a uid basis.
> * Some traffic should not be counted, which is protocol (i.e. non-IP)
> and IP address based (i.e. no local network).
> * Of course not have a dramatic effect on performance
>
> Hopefully it's not too hard for me, thus the tool has some (decent)
> instructions/documentation.
> Further I want to keep using my stock application. The platform is
> Ubuntu 6.06 LTS, and I prefer to have the packages from the
> repositories, rather than my own complications. Mostly for reasons of
> testing and maintenance.
>
> I would guess this is not directly a netfilter question, but it should
> be close enough.
>
> - Joris
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 4 Dec 2006 08:23:55 +0000
> From: Frederik Deweerdt <deweerdt@free.fr>
> Subject: T/TCP connections not NATed
> To: netfilter@lists.netfilter.org
> Message-ID: <20061204082355.GF3136@slug>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> We're trying to use a home brewed T/TCP stack in addition to Linux plain
> SNAT. Everything works as expected, except for the first packet, which
> is not NATed. Communication is as follows:
>
> C S
> 1. SYN*
> 2. DATA
> 3. SYN/ACK*
> 4. ACK*
> 5. REST_OF_COM*
>
> [*] The packet is NATed
>
>
> Our hypothesis du jour, is that packet #2 is not NATed because it is
> not currently part of a connection from netfilter point of view. Hence
> my questions:
> - Does our hypothesis seem reasonable to you?
> - If yes, is it possible to tell NAT to ignore the connection
> tracking information, and NAT all the packets getting out of
> a given interface?
> - If not, what do you reckon could be the cause for having the
> #2 packet not NATed?
>
> Thanks,
> Frederik
>
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 4 Dec 2006 17:06:23 +0500
> From: "Syed AbuBakr" <syed.abubakr@gmail.com>
> Subject: Multiple Mac Addresses as Source
> To: netfilter@lists.netfilter.org
> Message-ID:
> <7e53eda20612040406g714db122s34870004374153df@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi...!
>
> I want to use multiple mac addresses as source for my rules, well they
> are in the hundreds. If I make a file of these mac addresses and give its
> path instead of writing hundreds of rules... So my question is: is
> there any way to input them as a file or file path?
>
> regards
> Ali
>
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 04 Dec 2006 13:18:22 +0100
> From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
> Subject: Re: Multiple Mac Addresses as Source
> To: netfilter@lists.netfilter.org
> Message-ID: <4574120E.8040407@plouf.fr.eu.org>
> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>
> Hello,
>
> Syed AbuBakr a écrit :
>
>> I want to use multiple mac addresses as source for my rules, well they
>> are in the hundreds. If I make a file of these mac addresses and give its
>> path instead of writing hundreds of rules... So my question is: is
>> there any way to input them as a file or file path?
>>
>
> Check ipset.
> <http://www.netfilter.org/projects/ipset/index.html>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Mon, 4 Dec 2006 10:41:41 -0300
> From: "victor oliveira" <victor.oliveira@concretesolutions.com.br>
> Subject: Re: -i interface filter not working for firewall
> To: "Martijn Lievaart" <m@rtij.nl>
> Cc: netfilter@lists.netfilter.org
> Message-ID:
> <b020b8120612040541w4b969840qc1d6abdef3db099b@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> eth2 and eth3 are both connected to the same switch, and are not
> virtual. Each with a different IP.
> eth2 has the IP 10.10.1.8 and eth3 has the ip 10.10.1.9.
> I'm using for testing a putty application from another machine, also
> connected to the same switch.
> I know it should be working but it is not.
> Furthermore, I tested the mangle rules for multiple tables and it only
> works without the -i option.
> My "solution" was to change to different subdomains and just not use
> the -i restriction...
> any thoughts ?
>
> On 12/3/06, Martijn Lievaart <m@rtij.nl> wrote:
>
>> victor oliveira wrote:
>>
>>
>>> My problem is the following: I am able to connect from my machine to
>>> the firewall using both eth2 and eth3. However, note that the INPUT
>>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>>> and only allowing connections to the eth2 and not the eth3
>>> interface...
>>>
>> Your rules are a bit messy, but it should probably work. Are you sure you
>> connect through eth3? You do say it is from the same machine; if you are
>> connected to eth2 and address the ip address of eth3, you still come in
>> through eth2.
>>
>> HTH,
>> M4
>>
>>
>>
>
>
>
>
It can sound a silly question:
Giving an ipmasq -v I have seen what rules ipmasq uses. There is this in
particular:
$IPT -A INPUT -j ACCEPT -i eth0 -d 192.168.0.2/32
This rule on its own, from my point of view, accepts any traffic, any packet
destined to 192.168.0.2, opening the entire system to the world. Am I
wrong?