* Strange behaviour of REDIRECT/ipt_recent
@ 2005-09-22 21:18 Sven Geggus
2005-09-23 12:55 ` /dev/rob0
2005-09-24 12:56 ` Sorin Panca
0 siblings, 2 replies; 3+ messages in thread
From: Sven Geggus @ 2005-09-22 21:18 UTC (permalink / raw)
To: netfilter
Hi there,
the following rule works fine so far
(redirect any connection to a given IP to Port 22):
iptables -t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j REDIRECT \
--to-port 22
But now I need to restrict connections to 3 accesses per minute to prevent
DoS attacks by means of port scans:
iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
--set --name SSH
iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT \
--reject-with tcp-reset
Unfortunately this does not work as expected :(
It just works on port 22 but not on any other port.
I suspect that the redirect rule may change the destination IP to the
default IP of eth0, but I would consider this to be a bug.
Can you confirm this? workarounds?
Sven
P.S.: Please CC me in the reply, because I am not subscribed to the list.
--
If ping to localhost does not work, you should first uninstall and
reinstall TCP/IP.
(Mario Arndt in de.comm.protocols.tcp-ip)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web
* Re: Strange behaviour of REDIRECT/ipt_recent
From: /dev/rob0 @ 2005-09-23 12:55 UTC (permalink / raw)
To: netfilter; +Cc: Sven Geggus
On Thursday 22 September 2005 16:18, Sven Geggus wrote:
> the following rule works fine so far
> (redirect any connection to a given IP to Port 22):
>
> iptables -t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j \
> REDIRECT --to-port 22
>
> But now I need to restrict connections to 3 accesses per minute to
> prevent DoS attacks by means of port scans:
>
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW \
> -m recent --set --name SSH
You changed the destination IP in the REDIRECT rule. I can only guess
that $SSHIP is not the primary IP of eth0.
> I suspect that the redirect rule may change the destination IP to the
> default IP of eth0, but I would consider this to be a bug.
Why guess? From "man iptables":
REDIRECT
...redirects the packet to the machine itself by changing
the destination IP to the primary address of the incoming
interface (locally-generated packets are mapped to the
127.0.0.1 address).
You're getting the intended (documented) behaviour. Perhaps you will
want to mangle/MARK these packets before REDIRECT.
This whole exercise seems odd to me. Why force all TCP into one port?
Your sshd is sure to complain about all the non-SSH protocol traffic
it's getting. </dev/lightbulb comes on> Are you trying to ssh from
sites with brain-dead restrictive firewalls? And you don't know in
advance which ports they might allow out?
If so I see the sense in it. Consider, however, the possibility that
these sites are allowing NO direct traffic out. It is possible to
create the illusion of Internet access by using proxy servers. Their
proxy won't handle your SSH.
Have you talked to the site administrator[s]? I know, most of them
wouldn't know what you're talking about, and you would frighten them.
But, you seem to be deliberately doing something which goes against
their security policy. If you hit their proxy servers with your SSH
traffic, they might come seeking YOU.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
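The MARK workaround rob0 suggests, written out as an added example (this is not code from the thread). The idea: the mangle table's PREROUTING chain runs before the nat table's, so the original destination address is still visible there; tag the flow with a mark at that point and let the INPUT rules match on the mark instead of on `-d $SSHIP`, which REDIRECT has already rewritten. The address in SSHIP, the mark value 0x16, and the `IPT` override for a dry run are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: keep the per-source rate limit working
# after REDIRECT by marking the flow in mangle PREROUTING, before NAT
# rewrites the destination address to eth0's primary IP.
# Assumptions: SSHIP is the secondary address sshd is reached on, 0x16 is an
# arbitrary mark value. Run as root with "apply"; IPT=echo prints the rules
# instead of loading them.
IPT="${IPT:-iptables}"
SSHIP="${SSHIP:-192.0.2.10}"   # assumed value (documentation range)
MARK=0x16

ssh_catchall_rules() {
    # 1. mangle PREROUTING sees the packet before nat PREROUTING, so the
    #    original destination ($SSHIP) is still intact. Tag new TCP flows.
    $IPT -t mangle -A PREROUTING -i eth0 -p tcp -d "$SSHIP" \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"

    # 2. The redirect from the original post: every port except 22 lands on
    #    sshd. From here on the destination IP is eth0's primary address
    #    (documented REDIRECT behaviour), so "-d $SSHIP" in INPUT would only
    #    ever match the packets that were already aimed at port 22.
    $IPT -t nat -A PREROUTING -p tcp ! --dport 22 -d "$SSHIP" \
        -j REDIRECT --to-port 22

    # 3. Same recent-based limit as in the post, keyed on the mark. Order as
    #    in the original: record the hit, then reject once a source has
    #    reached 4 hits inside 60 s (i.e. 3 new connections per minute pass).
    $IPT -A INPUT -i eth0 -p tcp -m mark --mark "$MARK" \
        -m conntrack --ctstate NEW -m recent --set --name SSH
    $IPT -A INPUT -i eth0 -p tcp -m mark --mark "$MARK" \
        -m conntrack --ctstate NEW -m recent --update --seconds 60 \
        --hitcount 4 --rttl --name SSH -j REJECT --reject-with tcp-reset
}

# "sh script.sh apply" loads the rules; "IPT=echo sh script.sh apply" shows them.
if [ "${1:-}" = "apply" ]; then
    ssh_catchall_rules
fi
```

The mark is carried on the packet through nat and into the filter table, so the INPUT rules see it regardless of what REDIRECT did to the destination address. Current iptables also offers `-m conntrack --ctorigdst $SSHIP`, which matches the pre-NAT destination recorded in the conntrack entry and would let the INPUT rules keep working without any mark at all.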
* Re: Strange behaviour of REDIRECT/ipt_recent
From: Sorin Panca @ 2005-09-24 12:56 UTC (permalink / raw)
To: Sven Geggus, netfilter
Sven Geggus wrote:
> Hi there,
>
> the following rule works fine so far
> (redirect any connection to a given IP to Port 22):
>
> iptables -t nat -A PREROUTING -p tcp ! --dport 22 -d $SSHIP -j REDIRECT \
> --to-port 22
>
> But now I need to restrict connections to 3 accesses per minute to prevent
> DoS attacks by means of port scans:
>
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
> --set --name SSH
> iptables -A INPUT -i eth0 -p tcp -d $SSHIP -m state --state NEW -m recent \
> --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT \
> --reject-with tcp-reset
>
> Unfortunately this does not work as expected :(
>
> It just works on port 22 but not on any other port.
>
> I suspect that the redirect rule may change the destination IP to the
> default IP of eth0, but I would consider this to be a bug.
>
> Can you confirm this? workarounds?
>
> Sven
>
> P.S.: Please CC me in the reply, because I am not subscribed to the list.
>
If you want to access your ssh server from behind a transparent squid
proxy, try https (443) and messenger's ports. For yahoo it is 5050. I
did that successfully. I built an ssh tunnel and routed my default gw in
it. It worked like magic.
But beware to add a static route to your previous default gateway,
otherwise you will lose the connection to your sshd server host.
If there are some LANs behind the squid transparent proxy that you need
to access, set static routes for that too. You can put the script to
set up routes and iptables forwarding rules (if you want to be the
gateway for your friends in pain, and have them make you the default
gateway - you will need to set some bandwidth management for them) in
the pppd config directory.
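The route juggling Sorin warns about, as an added example (not code from the thread): the host route for the sshd box has to go in via the old gateway before the default route is moved onto the tunnel, otherwise the tunnel's own packets are routed into the tunnel and the session dies. The interface name `ppp0`, the addresses, and the `IP` override for a dry run are assumptions made here; the script uses the `ip route` syntax of current iproute2.

```shell
#!/bin/sh
# Added example, not from the thread: send the default route through a
# tunnel carried over ssh (pppd over ssh, as the pppd config directory hint
# suggests) without losing the ssh session that carries it.
# Assumptions: arguments are the sshd host, the current default gateway, the
# tunnel interface, then any extra LANs that must stay reachable directly.
# IP=echo prints the commands instead of changing the routing table.
IP="${IP:-ip}"

route_through_tunnel() {
    sshhost="$1"; oldgw="$2"; tundev="$3"; shift 3

    # 1. Pin the sshd host to the old gateway FIRST. If this came after the
    #    default route swap, packets to the sshd host would be routed into
    #    the tunnel they are supposed to carry, and the session would drop.
    $IP route add "$sshhost/32" via "$oldgw"

    # 2. LANs behind the transparent proxy that must still be reached
    #    directly rather than through the tunnel.
    for lan in "$@"; do
        $IP route add "$lan" via "$oldgw"
    done

    # 3. Only now move the default route onto the tunnel interface.
    $IP route replace default dev "$tundev"
}

# Example call (assumed addresses):
#   sh script.sh apply 203.0.113.5 192.168.1.1 ppp0 10.0.0.0/8
if [ "${1:-}" = "apply" ]; then
    shift
    route_through_tunnel "$@"
fi
```

Run it from the pppd ip-up hook (or whatever brings the tunnel interface up) so the host route exists before the default route changes; the reverse script for ip-down is the same three steps in opposite order.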