* [gentoo-doc-cvs] cvs commit: dynamic-iptables-firewalls.xml
@ 2005-07-13 9:58 Shyam Mani
From: Shyam Mani @ 2005-07-13 9:58 UTC
To: gentoo-doc-cvs
fox2mike 05/07/13 09:58:29
Added: xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml
Log:
#98620 - Common Threads - Dynamic iptables firewalls by drobbins - Initial Version. Thanks to Lukasz Damentko.
Revision Changes Path
1.1 xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo
Index: dynamic-iptables-firewalls.xml
===================================================================
<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.1 2005/07/13 09:58:28 fox2mike Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/doc/en/articles/dynamic-iptables-firewalls.xml">
<title>Dynamic iptables firewalls</title>
<author title="Author">
<mail link="drobbins@gentoo.org">Daniel Robbins</mail>
</author>
<author title="Editor">
<mail link="rane@gentoo.pl">Łukasz Damentko</mail>
</author>
<abstract>
Firewalls are good and fun, but what do you do when you need to make rapid,
complex changes to your firewall rules? Easy. Use Daniel Robbins' dynamic
firewall scripts that are demonstrated in this article. You can use these
scripts to increase your network security and responsiveness, and to inspire
your own creative designs.
</abstract>
<!-- The original version of this article was published on IBM developerWorks,
and is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->
<version>1.0</version>
<date>2005-07-13</date>
<chapter>
<title>Introduction</title>
<section>
<title>Flexible (and fun) network security</title>
<body>
<note>
The original version of this article was published on IBM developerWorks, and is
property of Westtech Information Services. This document is an updated version
of the original article, and contains various improvements made by the Gentoo
Linux Documentation team.
</note>
<p>
The best way to see the benefits of dynamic firewall scripts is to see them in
action. To do this, let's imagine that I'm a sysadmin at an ISP, and I've
recently set up a Linux-based firewall to protect my customers and internal
systems from malicious users on the Internet. My firewall uses the new Linux 2.4
iptables stateful functionality to allow new outgoing connections to be
established by my customers and servers, and of course to allow new incoming
connections, but only to "public" services, such as web, ftp, ssh, and SMTP.
Since I used a deny-by-default design, any from-Internet connections to
non-public services, such as the squid proxy cache or Samba server, are
automatically rejected. So far, I have a pretty decent firewall that offers a
good level of protection for everyone at my ISP.
</p>
<p>
For the first week or so, the firewall works great, but then something ugly
happens: Bob, my arch-nemesis (who works at a competing ISP) decides that he
wants to flood my network with packets in an attempt to deny service to my
customers. Unfortunately, Bob has carefully studied my firewall and knows that
while I'm protecting many internal services, port 25 and 80 must be publicly
accessible so that I can receive mail and serve HTTP requests. Bob decides to
take advantage of this fact by launching a bandwidth-sucking attack against my
web and mail server.
</p>
<p>
About a minute or so after Bob begins his attack, I notice that my uplinks start
becoming saturated with packets. After taking a look at the situation with
<c>tcpdump</c> I determine that this is yet another Bob attack, and I figure out
what IP addresses he's using to launch it. Now that I have this information, all
that I need to do is block these IP addresses, and that should solve the problem
-- a simple solution, or so I think.
</p>
</body>
</section>
<section>
<title>Responding to an attack</title>
<body>
<p>
I quickly load my firewall setup script into vi and begin hacking away at my
iptables rules, modifying my firewall so that it'll block those evil incoming
Bob packets. After a minute or so, I find the exact place to make the
appropriate DROP rule additions, and I add them. Then, I start and stop the
firewall... oops, I made a bit of a mistake when I added the rules. I load up the
firewall scripts again, fix the problem, and thirty seconds later the firewall
has been tweaked to block Bob's attack of the month. At first, it seems like I
successfully thwarted the attack...until the helpdesk phones begin ringing.
Apparently, Bob was able to disrupt my network for about 10 minutes, and now my
customers are calling to find out what's going on. Even worse, after a few
minutes pass, I notice that our uplinks again start to become saturated. This
time, Bob appears to be using a brand-new set of IP addresses for his attacks.
In response, I begin feverishly hacking away at our firewall scripts, except
this time, I'm a bit panicky -- maybe my solution isn't so good after all.
</p>
<p>
Here's what went wrong in the above scenario. Although I had a decent firewall
in place and also quickly identified the cause of the network problem, I was
unable to modify the behavior of my firewall to respond to the threat in time.
Of course, when your network is under attack, you want to be able to respond
immediately, and being forced to hack away at your master firewall setup script
in a panicked state is not only stressful, but also very inefficient.
</p>
</body>
</section>
</chapter>
<chapter>
<title>Scripts</title>
<section>
<title>ipdrop</title>
<body>
<p>
It would be far better if I had a special <c>ipdrop</c> script that's
specifically designed to insert just the rules needed to block the IP address
that I specify. With such a script, blocking an IP address is no longer a
two-minute ordeal; instead, it takes five seconds. And since the script shields
me from the task of editing firewall rules by hand, it eliminates a major source
of errors. All that's left for me to do is to determine the IP address that I'd
like to block, and then type:
</p>
<pre caption="Dropping IP">
# <i>ipdrop 129.24.8.1 on</i>
IP 129.24.8.1 drop on.
</pre>
<p>
Immediately, the ipdrop script would block 129.24.8.1, Bob's current evil IP
address of the week. This script dramatically improves your defenses, because
now an IP block is a no-brainer. Now, let's take a look at my implementation of
the ipdrop script:
</p>
<pre caption="ipdrop script">
#!/bin/bash
source /usr/local/share/.sh
args 2 $# "${0} IPADDR {on/off}"
<comment># Drops packets to/from IPADDR. Good for obnoxious
# networks/hosts/DoS</comment>
if [ "$2" == "on" ]
then
<comment># Rules will be appended or inserted as normal</comment>
APPEND="-A"
INSERT="-I"
rec_check ipdrop $1 "$1 already blocked" on
record ipdrop $1
elif [ "$2" == "off" ]
then
<comment># Rules will be deleted instead</comment>
APPEND="-D"
INSERT="-D"
rec_check ipdrop $1 "$1 not currently blocked" off
unrecord ipdrop $1
else
echo "Error: \"off\" or \"on\" expected as second argument"
exit 1
fi
<comment># Block outside IP address that's causing problems</comment>
<comment># Attacker's incoming TCP connections will take a minute or so to time
# out, reducing DoS effectiveness</comment>
iptables $INSERT INPUT -s $1 -j DROP
iptables $INSERT OUTPUT -d $1 -j DROP
iptables $INSERT FORWARD -d $1 -j DROP
iptables $INSERT FORWARD -s $1 -j DROP
echo "IP ${1} drop ${2}."
</pre>
</body>
</section>
<section>
<title>ipdrop: the explanation</title>
<body>
<p>
If you take a look at the last four <c>iptables</c> lines, you'll see the actual
commands that insert the appropriate rules into the firewall tables. As you can
see, the value of the $INSERT variable varies, depending on whether we're
running in "on" or "off" mode (<c>-I</c> to insert, <c>-D</c> to delete). When
the iptables lines execute, the particular rules will be inserted or deleted
appropriately.
</p>
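As an added example (this is not the article's own script and not part of the dynfw tarball), here is a self-contained POSIX shell model of the same on/off mechanism. The <c>rec_check</c>, <c>record</c> and <c>unrecord</c> helpers come from the sourced library, which this page does not show, so the example keeps its own one-address-per-line record file (the <c>RECORD_FILE</c> path is an assumed placeholder) and refuses to block an address twice or unblock one that was never blocked. It also checks that the first argument is a dotted-quad IPv4 address before it reaches the iptables command line. <c>IPTABLES</c> defaults to <c>echo iptables</c>, so the four rules are printed as a dry run; set <c>IPTABLES=iptables</c> as root to apply them. The function names <c>valid_ipv4</c>, <c>is_blocked</c> and <c>ipdrop</c> are this example's own.

```shell
#!/bin/sh
# Added example: dry-run model of ipdrop's on/off bookkeeping.
# Not the article's script or the dynfw library; the helper names
# (valid_ipv4, is_blocked, ipdrop) and RECORD_FILE are assumptions.

# "echo iptables" prints the rules instead of applying them; set
# IPTABLES=iptables to apply them for real (requires root).
IPTABLES="${IPTABLES:-echo iptables}"
# Assumed location of the record of currently blocked addresses, one per line.
RECORD_FILE="${RECORD_FILE:-/tmp/ipdrop.records}"

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255,
# so that nothing but an address is ever handed to iptables.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|'') return 1 ;;
    esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_blocked ADDR: succeed if ADDR is recorded as blocked (the role that
# rec_check/record/unrecord play in the article's sourced library).
is_blocked() {
    [ -f "$RECORD_FILE" ] && grep -qxF "$1" "$RECORD_FILE"
}

# ipdrop ADDR on|off: insert (-I) or delete (-D) the four DROP rules and
# keep the record file in step, refusing double-blocks and stray unblocks.
ipdrop() {
    ip="$1"; mode="$2"
    if ! valid_ipv4 "$ip"; then
        echo "Error: '$ip' is not an IPv4 address" >&2
        return 1
    fi
    case "$mode" in
        on)
            if is_blocked "$ip"; then
                echo "$ip already blocked" >&2
                return 1
            fi
            INSERT="-I" ;;
        off)
            if ! is_blocked "$ip"; then
                echo "$ip not currently blocked" >&2
                return 1
            fi
            INSERT="-D" ;;
        *)
            echo "Error: \"off\" or \"on\" expected as second argument" >&2
            return 1 ;;
    esac
    # Same four rules as the article's ipdrop: both directions on the
    # firewall host itself and both directions through it.
    $IPTABLES $INSERT INPUT   -s "$ip" -j DROP &&
    $IPTABLES $INSERT OUTPUT  -d "$ip" -j DROP &&
    $IPTABLES $INSERT FORWARD -d "$ip" -j DROP &&
    $IPTABLES $INSERT FORWARD -s "$ip" -j DROP || return 1
    # Update the record only after the rules were applied (or removed).
    if [ "$mode" = on ]; then
        printf '%s\n' "$ip" >> "$RECORD_FILE"
    else
        grep -vxF "$ip" "$RECORD_FILE" > "$RECORD_FILE.tmp" || true
        mv "$RECORD_FILE.tmp" "$RECORD_FILE"
    fi
    echo "IP $ip drop $mode."
}

# Usage: ipdrop-demo.sh IPADDR {on/off}
if [ $# -eq 2 ]; then
    ipdrop "$1" "$2"
fi
```

Running it as <c>sh ipdrop-demo.sh 129.24.8.1 on</c> prints the four <c>iptables -I</c> lines and records the address; a second <c>on</c> is refused, and <c>off</c> prints the matching <c>-D</c> lines and clears the record. Writing the record only after all four rule commands succeed keeps the record and the live rule set from drifting apart when one of the commands fails.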
<p>
--
gentoo-doc-cvs@gentoo.org mailing list
* [gentoo-doc-cvs] cvs commit: dynamic-iptables-firewalls.xml
@ 2005-09-08 11:40 Shyam Mani
From: Shyam Mani @ 2005-09-08 11:40 UTC
To: gentoo-doc-cvs
fox2mike 05/09/08 11:40:48
Modified: xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml
Log:
#101758 - Fix link to fixed dynfw ;) Thanks to rane for reporting.
Revision Changes Path
1.3 +4 -4 xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.3&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.3&content-type=text/plain&cvsroot=gentoo
diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml.diff?r1=1.2&r2=1.3&cvsroot=gentoo
Index: dynamic-iptables-firewalls.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- dynamic-iptables-firewalls.xml 15 Aug 2005 23:16:06 -0000 1.2
+++ dynamic-iptables-firewalls.xml 8 Sep 2005 11:40:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding="UTF-8"?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.2 2005/08/15 23:16:06 cam Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.3 2005/09/08 11:40:48 fox2mike Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/doc/en/articles/dynamic-iptables-firewalls.xml">
@@ -25,8 +25,8 @@
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->
-<version>1.0</version>
-<date>2005-07-13</date>
+<version>1.1</version>
+<date>2005-09-08</date>
<chapter>
<title>Introduction</title>
@@ -398,7 +398,7 @@
<p>
Because I've found these dynamic firewall scripts so helpful, I've put together
a neat little tarball (<uri
-link="http://www-128.ibm.com/developerworks/library/l-fw/dynfw-1.0.tar.gz">dynfw-1.0.tar.gz</uri>)
+link="/doc/en/articles/files/dynfw-1.0.1.tar.bz2">dynfw-1.0.1.tar.bz2</uri>)
that you can download and install on your machine.
</p>
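Review bot: the replacement line `+link="/doc/en/articles/files/dynfw-1.0.1.tar.bz2"` changes the archive version (1.0 to 1.0.1) and the compression (gzip to bzip2) as well as the host, but the hunk updates only this one link; any install step elsewhere in the article that names dynfw-1.0.tar.gz or unpacks it with gzip would need the same change, and since the log calls this the "fixed dynfw", a sentence in this paragraph saying what 1.0.1 fixes would let readers judge whether to upgrade. The href and the link text do agree with each other.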