From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.43)
	id 1Dse11-0000MP-GK
	for garchives@archives.gentoo.org; Wed, 13 Jul 2005 09:58:56 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.4/8.13.4) with SMTP id j6D9vdWD024552;
	Wed, 13 Jul 2005 09:57:39 GMT
Received: from smtp.gentoo.org (smtp.gentoo.org [134.68.220.30])
	by robin.gentoo.org (8.13.4/8.13.4) with ESMTP id j6D9vcsP002130
	for <gentoo-doc-cvs@lists.gentoo.org>; Wed, 13 Jul 2005 09:57:39 GMT
Message-Id: <200507130957.j6D9vcsP002130@robin.gentoo.org>
Received: from lark.gentoo.osuosl.org ([140.211.166.177] helo=lark.gentoo.org)
	by smtp.gentoo.org with smtp (Exim 4.43)
	id 1Dse0j-0001nz-Sw
	for gentoo-doc-cvs@lists.gentoo.org; Wed, 13 Jul 2005 09:58:38 +0000
Received: by lark.gentoo.org (sSMTP sendmail emulation); Wed, 13 Jul 2005 09:58:29 +0000
From: "Shyam Mani" <fox2mike@lark.gentoo.org>
Date: Wed, 13 Jul 2005 09:58:29 +0000
To: gentoo-doc-cvs@lists.gentoo.org
Subject: [gentoo-doc-cvs] cvs commit: dynamic-iptables-firewalls.xml
Precedence: bulk
List-Post: <mailto:gentoo-doc-cvs@lists.gentoo.org>
List-Help: <mailto:gentoo-doc-cvs+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-doc-cvs+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-doc-cvs+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-doc-cvs.gentoo.org>
X-BeenThere: gentoo-doc-cvs@gentoo.org
Reply-to: docs-team@lists.gentoo.org
X-Archives-Salt: 85ccc914-f6a2-4fa3-bc6b-7d0166743c80
X-Archives-Hash: c3da0ce9ab95ad20e8fc2d4fefd075d8

fox2mike    05/07/13 09:58:29

  Added:       xml/htdocs/doc/en/articles dynamic-iptables-firewalls.xml
  Log:
  #98620 - Common Threads - Dynamic iptables firewalls by drobbins - Initial Version. Thanks to Lukasz Damentko.

Revision  Changes    Path
1.1                  xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo

Index: dynamic-iptables-firewalls.xml
===================================================================
<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/dynamic-iptables-firewalls.xml,v 1.1 2005/07/13 09:58:28 fox2mike Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/articles/dynamic-iptables-firewalls.xml">
<title>Dynamic iptables firewalls</title>

<author title="Author">
  <mail link="drobbins@gentoo.org">Daniel Robbins</mail>
</author>
<author title="Editor">
  <mail link="rane@gentoo.pl">Łukasz Damentko</mail>
</author>

<abstract>
Firewalls are good and fun, but what do you do when you need to make rapid,
complex changes to your firewall rules? Easy. Use Daniel Robbins' dynamic
firewall scripts that are demonstrated in this article. You can use these
scripts to increase your network security and responsiveness, and to inspire
your own creative designs.
</abstract>

<!-- The original version of this article was published on IBM developerWorks,
and is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->

<version>1.0</version>
<date>2005-07-13</date>

<chapter>
<title>Introduction</title>
<section>
<title>Flexible (and fun) network security</title>
<body>

<note>
The original version of this article was published on IBM developerWorks, and is
property of Westtech Information Services. This document is an updated version
of the original article, and contains various improvements made by the Gentoo
Linux Documentation team.
</note>

<p>
The best way to see the benefits of dynamic firewall scripts is to see them in
action. To do this, let's imagine that I'm a sysadmin at an ISP, and I've
recently set up a Linux-based firewall to protect my customers and internal
systems from malicious users on the Internet. To do this, my firewall uses the
new Linux 2.4 iptables stateful functionality to allow new outgoing connections
to be established by my customers and servers, and of course to allow new
incoming connections, but only to "public" services, such as web, ftp, ssh, and
SMTP. Since I used a deny-by-default design, any from-Internet connections to
non-public services, such as the squid proxy cache or Samba server, are
automatically rejected. So far, I have a pretty decent firewall that offers a
good level of protection for everyone at my ISP.
</p>

<p>
For the first week or so, the firewall works great, but then something ugly
happens: Bob, my arch-nemesis (who works at a competing ISP) decides that he
wants to flood my network with packets in an attempt to deny service to my
customers. Unfortunately, Bob has carefully studied my firewall and knows that
while I'm protecting many internal services, port 25 and 80 must be publicly
accessible so that I can receive mail and serve HTTP requests. Bob decides to
take advantage of this fact by launching a bandwidth-sucking attack against my
web and mail server.
</p>

<p>
About a minute or so after Bob begins his attack, I notice that my uplinks start
becoming saturated with packets. After taking a look at the situation with
<c>tcpdump</c> I determine that this is yet another Bob attack, and I figure out
what IP addresses he's using to launch it. Now that I have this information, all
that I need to do is block these IP addresses, and that should solve the problem
-- a simple solution, or so I think.
</p>

</body>
</section>

<section>
<title>Responding to an attack</title>
<body>

<p>
I quickly load my firewall setup script into vi and begin hacking away at my
iptables rules, modifying my firewall so that it'll block those evil incoming
Bob packets. After a minute or so, I find the exact place to make the
appropriate DROP rule additions, and I add them. Then, I start and stop the
firewall...ooops, made a bit of a mistake when I added the rules. I load up the
firewall scripts again, fix the problem, and thirty seconds later the firewall
has been tweaked to block Bob's attack of the month. At first, it seems like I
successfully thwarted the attack...until the helpdesk phones begin ringing.
Apparently, Bob was able to disrupt my network for about 10 minutes, and now my
customers are calling to find out what's going on. Even worse, after a few
minutes pass, I notice that our uplinks again start to become saturated. This
time, Bob appears to be using a brand-new set of IP addresses for his attacks.
In response, I begin feverishly hacking away at our firewall scripts, except
this time, I'm a bit panicky -- maybe my solution isn't so good after all.
</p>

<p>
Here's what went wrong in the above scenario. Although I had a decent firewall
in place and also quickly identified the cause of the network problem, I was
unable to modify the behavior of my firewall to respond to the threat in time.
Of course, when your network is under attack, you want to be able to respond
immediately, and being forced to hack away at your master firewall setup script
in a panicked state is not only stressful, but also very inefficient.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Scripts</title>
<section>
<title>ipdrop</title>
<body>

<p>
It would be far better if I had a special <c>ipdrop</c> script that's
specifically designed to insert just the rules you need to block the IP address
that I specify. With such a script, blocking a firewall is no longer a
two-minute ordeal; instead, it takes five seconds. And since the script shields
me from the task of editing firewall rules by hand, it eliminates a major source
of errors. All that's left for me to do is to determine the IP address that I'd
like to block, and then type:
</p>

<pre caption="Dropping IP">
# <i>ipdrop 129.24.8.1 on</i>
IP 129.24.8.1 drop on.
</pre>

<p>
Immediately, the ipdrop script would block 129.24.8.1, Bob's current evil IP
address of the week. This script dramatically improves your defenses, because
now an IP block is a no-brainer. Now, let's take a look at my implementation of
the ipdrop script:
</p>

<pre caption="ipdrop script">
#!/bin/bash

source /usr/local/share/.sh

args 2 $# "${0} IPADDR {on/off}" 

<comment># Drops packets to/from IPADDR. Good for obnoxious
networks/hosts/DoS"</comment>

if [ "$2" == "on" ] 
then
<comment># Rules will be appended or inserted as normal</comment>
 APPEND="-A"
  INSERT="-I"
  rec_check ipdrop $1 "$1 already blocked" on
  record ipdrop $1
elif [ "$2" == "off" ]
then
<comment># Rules will be deleted instead</comment>
 APPEND="-D"
  INSERT="-D"
  rec_check ipdrop $1 "$1 not currently blocked" off 
  unrecord ipdrop $1
else
  echo "Error: \"off\" or \"on\" expected as second argument"
  exit 1
fi  

<comment># Block outside IP address that's causing problems</comment>
<comment># Attacker's incoming TCP connections will take a minute or so to time
out, reducing DoS effectiveness</comment>

iptables $INSERT INPUT   -s $1 -j DROP
iptables $INSERT OUTPUT  -d $1 -j DROP
iptables $INSERT FORWARD -d $1 -j DROP
iptables $INSERT FORWARD -s $1 -j DROP

echo "IP ${1} drop ${2}."
</pre>

</body>
</section>

<section>
<title>ipdrop: the explanation</title>
<body>

<p>
If you take a look at the last four highlighted lines, you'll see the actual
commands that insert the appropriate rules into the firewall tables. As you can
see, the definition of the $INSERT environment variable varies, depending on
whether we're running in "on" or "off" mode. When the iptables lines execute,
the particular rules will be inserted or deleted appropriately.
</p>

<p>



-- 
gentoo-doc-cvs@gentoo.org mailing list