From: gabrix
Subject: Re: netfilter Digest, Vol 29, Issue 2
Date: Mon, 04 Dec 2006 16:04:36 +0100
Message-ID: <45743904.40405@gabrix.ath.cx>
In-Reply-To: <20061204142236.6E87B1BF83@mail.gabrix.ath.cx>
To: netfilter@lists.netfilter.org

netfilter-request@lists.netfilter.org wrote:
> Send netfilter mailing list submissions to
> netfilter@lists.netfilter.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.netfilter.org/mailman/listinfo/netfilter
> or, via email, send a message with subject or body 'help' to
> netfilter-request@lists.netfilter.org
>
> You can reach the person managing the list at
> netfilter-owner@lists.netfilter.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of netfilter digest..."
>
> Today's Topics:
>
> 1. How to block a DNS DoS attack? (Eduardo Fernández)
> 2. Re: How to block a DNS DoS attack? (Martijn Lievaart)
> 3. Re: -i interface filter not working for firewall (Martijn Lievaart)
> 4. Re: How to block a DNS DoS attack? (Elvir Kuric)
> 5. Re: ip routing after changing mac address to a virtual one (Martijn Lievaart)
> 6. Traffic auditing per user (Joris Dobbelsteen)
> 7. T/TCP connections not NATed (Frederik Deweerdt)
> 8. Multiple Mac Addresses as Source (Syed AbuBakr)
> 9. Re: Multiple Mac Addresses as Source (Pascal Hambourg)
> 10. Re: -i interface filter not working for firewall (victor oliveira)
> 11. Re: -i interface filter not working for firewall (Pascal Hambourg)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 2 Dec 2006 21:56:56 +0100
> From: "Eduardo Fernández"
> Subject: How to block a DNS DoS attack?
> To: "Netfilter Mailing List"
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi!
>
> Some computers in my network are flooding the DNS server with MX
> queries generated by some virus, at a rate of 2/second or so. I can't
> use the string match as suggested before because of my kernel version.
> I can't forbid MX queries in the server because there could be valid
> queries, so the only way to match the virus is the speed or number of
> queries. I've tried the following to match only the virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
> 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?
>
> Thanks a bunch!
>
> ------------------------------
>
> Message: 2
> Date: Sun, 03 Dec 2006 16:26:04 +0100
> From: Martijn Lievaart
> Subject: Re: How to block a DNS DoS attack?
> To: "Eduardo Fernández"
> Cc: Netfilter Mailing List
> Message-ID: <4572EC8C.7020600@rtij.nl>
> Content-Type: text/plain; charset=iso-8859-1; format=flowed
>
> Eduardo Fernández wrote:
>> Hi!
>>
>> Some computers in my network are flooding the DNS server with MX
>> queries generated by some virus, at a rate of 2/second or so. I can't
>> use the string match as suggested before because of my kernel version.
>> I can't forbid MX queries in the server because there could be valid
>> queries, so the only way to match the virus is the speed or number of
>> queries. I've tried the following to match only the virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
>> 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>
> I don't know why this doesn't work, but I would probably take a whole
> different route. As you say you could have matched with the string
> match, you can write a tcpdump capture expression for those packets.
> Feed the output to a short script that extracts the IP address and adds
> a rule to deny any traffic to that IP address. This has the added
> advantage that it breaks functionality on the client, so people will
> complain. This makes it easier to spot the infected machines. And maybe
> slow the rate of spreading, who knows.
>
> If those addresses are assigned by DHCP, make sure to clear the blocks
> occasionally. Any (still) infected machine will simply re-add itself in
> no time.
>
> Obviously, you have to make sure that you add an address only once. This
> also means that adding and deleting IPAs should probably be coordinated
> with a lock, though you may get away without.
>
> Something along these lines (untested):
>
> iptables -N VDROP
> iptables -I INPUT -j VDROP
> mkdir -p /var/state/sumtin
> # -l line-buffers tcpdump so each matching packet reaches sed at once;
> # <iface> and the capture expression are placeholders to fill in
> tcpdump -l -n -i <iface> '<expression matching the virus queries>' \
>   | sed -E 's/^.* IP ([0-9]+(\.[0-9]+){3})\.[0-9]+ > .*/\1/' \
>   | while read ip; do
>       # one marker file per address, so each source is added only once
>       if [ ! -f /var/state/sumtin/$ip ]; then
>           touch /var/state/sumtin/$ip
>           iptables -A VDROP -s $ip -j DROP
>       fi
>     done
>
> (The ipset match is better suited for this, but if you don't have
> string, you probably don't have ipset.)
>
> BTW, you probably get better results with the limit match if you use a
> shorter time and a lower limit.
>
> HTH,
> M4
>
> ------------------------------
>
> Message: 3
> Date: Sun, 03 Dec 2006 17:08:09 +0100
> From: Martijn Lievaart
> Subject: Re: -i interface filter not working for firewall
> To: victor oliveira
> Cc: netfilter@lists.netfilter.org
> Message-ID: <4572F669.1000206@rtij.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> victor oliveira wrote:
>> My problem is the following: I am able to connect from my machine to
>> the firewall using both eth2 and eth3. However, note that the INPUT
>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>> and only allowing connections to the eth2 and not the eth3
>> interface...
>
> Your rules are a bit messy, but it should probably work. Are you sure you
> connect through eth3? You do say it is from the same machine; if you are
> connected to eth2 and address the IP address of eth3, you still come in
> through eth2.
>
> HTH,
> M4
>
> ------------------------------
>
> Message: 4
> Date: Sun, 3 Dec 2006 13:34:23 -0800 (PST)
> From: Elvir Kuric
> Subject: Re: How to block a DNS DoS attack?
> To: Eduardo "Fernández", Netfilter Mailing List
> Message-ID: <414919.97581.qm@web56213.mail.re3.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Eduardo,
>
> I suggest you check the link below
>
> http://www-128.ibm.com/developerworks/linux/library/l-fw/?n-l-4191
>
> Hope this helps.
>
> Regards
>
> Elvir Kuric
> --- Eduardo Fernández wrote:
>> Hi!
>>
>> Some computers in my network are flooding the DNS server with MX
>> queries generated by some virus, at a rate of 2/second or so. I can't
>> use the string match as suggested before because of my kernel version.
>> I can't forbid MX queries in the server because there could be valid
>> queries, so the only way to match the virus is the speed or number of
>> queries. I've tried the following to match only the virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit
>> 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>>
>> Thanks a bunch!
>
> ------------------------------
>
> Message: 5
> Date: Sun, 03 Dec 2006 23:03:54 +0100
> From: Martijn Lievaart
> Subject: Re: ip routing after changing mac address to a virtual one
> To: first last
> Cc: netfilter@lists.netfilter.org
> Message-ID: <457349CA.9060006@rtij.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> first last wrote:
>> Hi Mike,
>>
>> Yes, eth1 gets its IP address from the DHCP server. The DHCP
>> server always gives me the same IP address because it
>> knows my MAC address. So I can only get a different IP
>> address by changing my MAC address.
>
> [ Please don't top-post ]
>
> Try to shut down the interface, change the MAC, then bring the interface
> back up. Masquerading is a bit strange and I'm not completely sure what
> will work when. However, this way, it should definitely work.
>
> HTH,
> M4
>
> ------------------------------
>
> Message: 6
> Date: Mon, 4 Dec 2006 00:11:17 +0100
> From: "Joris Dobbelsteen"
> Subject: Traffic auditing per user
> Message-ID: <73427AD314CC364C8DF0FFF9C4D693FF544D@nehemiah.joris2k.local>
> Content-Type: text/plain; charset="us-ascii"
>
> I'm looking for a solution to audit network traffic usage per user.
> After a long enough search I was not able to find a solution that suited
> my needs.
>
> It must fit the following requirements:
> * The traffic must be logged on a uid basis.
> * Some traffic should not be counted, which is protocol (i.e. non-IP)
>   and IP address based (i.e. no local network).
> * Of course not have a dramatic effect on performance
>
> Hopefully it's not too hard for me, thus the tool has some (decent)
> instructions/documentation.
> Further, I want to keep using my stock application. The platform is
> Ubuntu 6.06 LTS, and I prefer to have the packages from the
> repositories, rather than my own complications. Mostly for reasons of
> testing and maintenance.
>
> I would guess this is not directly a netfilter question, but it should
> be close enough.
>
> - Joris
>
> ------------------------------
>
> Message: 7
> Date: Mon, 4 Dec 2006 08:23:55 +0000
> From: Frederik Deweerdt
> Subject: T/TCP connections not NATed
> To: netfilter@lists.netfilter.org
> Message-ID: <20061204082355.GF3136@slug>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> We're trying to use a home-brewed T/TCP stack in addition to Linux plain
> SNAT. Everything works as expected, except for the first packet, which
> is not NATed. Communication is as follows:
>
>    C             S
> 1. SYN*
> 2. DATA
> 3. SYN/ACK*
> 4. ACK*
> 5. REST_OF_COM*
>
> [*] The packet is NATed
>
> Our hypothesis du jour is that packet #2 is not NATed because it is
> not currently part of a connection from netfilter's point of view. Hence
> my questions:
> - Does our hypothesis seem reasonable to you?
> - If yes, is it possible to tell NAT to ignore the connection
>   tracking information, and NAT all the packets getting out of
>   a given interface?
> - If not, what do you reckon could be the cause for having the
>   #2 packet not NATed?
>
> Thanks,
> Frederik
>
> ------------------------------
>
> Message: 8
> Date: Mon, 4 Dec 2006 17:06:23 +0500
> From: "Syed AbuBakr"
> Subject: Multiple Mac Addresses as Source
> To: netfilter@lists.netfilter.org
> Message-ID: <7e53eda20612040406g714db122s34870004374153df@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi...!
>
> I want to use multiple MAC addresses as source for my rules; well, they
> are in the hundreds. If I make a file of these MAC addresses and give
> its path instead of writing hundreds of rules... So my question is: is
> there any way to input them as a file or file path?
>
> regards
> Ali
>
> ------------------------------
>
> Message: 9
> Date: Mon, 04 Dec 2006 13:18:22 +0100
> From: Pascal Hambourg
> Subject: Re: Multiple Mac Addresses as Source
> To: netfilter@lists.netfilter.org
> Message-ID: <4574120E.8040407@plouf.fr.eu.org>
> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>
> Hello,
>
> Syed AbuBakr wrote:
>> I want to use multiple MAC addresses as source for my rules; well, they
>> are in the hundreds. If I make a file of these MAC addresses and give
>> its path instead of writing hundreds of rules... So my question is: is
>> there any way to input them as a file or file path?
>
> Check ipset.
>
> ------------------------------
>
> Message: 10
> Date: Mon, 4 Dec 2006 10:41:41 -0300
> From: "victor oliveira"
> Subject: Re: -i interface filter not working for firewall
> To: "Martijn Lievaart"
> Cc: netfilter@lists.netfilter.org
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> eth2 and eth3 are both connected to the same switch, and are not
> virtual. Each with a different IP.
> eth2 has the IP 10.10.1.8 and eth3 has the IP 10.10.1.9.
> I'm using for testing a PuTTY application from another machine, also
> connected to the same switch.
> I know it should be working but it is not.
> Furthermore, I tested the mangle rules for multiple tables and it only
> works without the -i option.
> My "solution" was to change to different subdomains and just not use
> the -i restriction...
> Any thoughts?
>
> On 12/3/06, Martijn Lievaart wrote:
>> victor oliveira wrote:
>>> My problem is the following: I am able to connect from my machine to
>>> the firewall using both eth2 and eth3. However, note that the INPUT
>>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>>> and only allowing connections to the eth2 and not the eth3
>>> interface...
>>
>> Your rules are a bit messy, but it should probably work. Are you sure you
>> connect through eth3? You do say it is from the same machine; if you are
>> connected to eth2 and address the IP address of eth3, you still come in
>> through eth2.
>>
>> HTH,
>> M4

It can sound like a silly question: running ipmasq -v I have seen what
rules ipmasq uses. There is this one in particular:

$IPT -A INPUT -j ACCEPT -i eth0 -d 192.168.0.2/32

This rule on its own, from my point of view, accepts any traffic, any
packet destined to 192.168.0.2, opening the entire system to the world.
Am I wrong?
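As an added example, not code from the digest or from any of its posters, this is the per-source rate detection that Martijn's tcpdump pipeline in message 2 sketches and that Eduardo's aggregate -m limit rule in message 1 cannot express: it scans constructed tcpdump -n lines, flags each source that sends more than a threshold of MX queries inside a sliding window (once per source, as the thread requires), and returns the matching VDROP rules as strings instead of calling iptables. The sample lines, addresses, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of `tcpdump -n` output (not a real capture); 192.168.1.50 floods MX queries.
SAMPLE_LINES = """\
21:56:50.000000 IP 192.168.1.20.2048 > 192.168.1.1.53: 4001+ A? www.example.com. (33)
21:56:50.500000 IP 192.168.1.50.1034 > 192.168.1.1.53: 1+ MX? victim-a.example. (30)
21:56:51.000000 IP 192.168.1.50.1034 > 192.168.1.1.53: 2+ MX? victim-b.example. (30)
21:56:51.200000 IP 192.168.1.21.3333 > 192.168.1.1.53: 7+ MX? mail.example.org. (34)
21:56:51.500000 IP 192.168.1.50.1034 > 192.168.1.1.53: 3+ MX? victim-c.example. (30)
21:56:52.000000 IP 192.168.1.50.1034 > 192.168.1.1.53: 4+ MX? victim-d.example. (30)
21:56:52.500000 IP 192.168.1.50.1034 > 192.168.1.1.53: 5+ MX? victim-e.example. (30)
21:57:40.000000 IP 192.168.1.21.3333 > 192.168.1.1.53: 8+ MX? mail.example.net. (34)
"""

# Match only MX queries to port 53; capture the time and the *source* address
# (anchoring on "> dst.53:" keeps the server's own address from being captured).
MX_QUERY = re.compile(
    r'^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > \d+(?:\.\d+){3}\.53: \d+\+? MX\? ')

def parse_mx_query(line):
    """Return (seconds since midnight, source IP) for an MX query line, else None."""
    m = MX_QUERY.match(line)
    if not m:
        return None
    hh, mm, ss, src = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), src

def flag_mx_flooders(lines, max_queries, window_seconds):
    """Sources (each once, in detection order) that sent more than max_queries
    MX queries inside any window_seconds span: a per-source rate, not an aggregate."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = []
    for line in lines:
        parsed = parse_mx_query(line)
        if parsed is None:
            continue  # A queries, replies and non-DNS lines are skipped
        ts, src = parsed
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_seconds:  # midnight wrap-around not handled
            window.popleft()
        if len(window) > max_queries and src not in flagged:
            flagged.append(src)
    return flagged

def block_rules(sources):
    """One rule per newly flagged source for the VDROP chain from message 2."""
    return ['iptables -A VDROP -s %s -j DROP' % src for src in sources]
```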