Linux filtering / firewalling (netfilter/iptables stuff)

• http://ipp2p.org/
• http://l7-filter.sourceforge.net/
• http://iptables-tutorial.frozentux.net/iptables-tutorial.html
• Debian ipp2p+l7 patch cookbook
• py-htbstat - is a tool for collecting HTB kernel statistics, it allows to view graphs and perform basic analysis.
• FTester -- Firewall and IDS Testing tool

Click on picture below to see more ..

Logging is easy, just add the same rule but with a -j LOG –log-prefix SSHBRUTE or whatever you want. eg;

 iptables -A INPUT -m hashlimit -m tcp -p tcp –dport 22 –hashlimit \ 
           1/min –hashlimit-mode srcip –hashlimit-name ssh -m state \ 
           –state NEW -j LOG –log-prefix SSHBRUTE

As for permantely adding hosts, why? Poluting a firewall ruleset with a rule that isn’t going to be hit frequently is a waste. Which is why the hashlimit rule is perfect for this situation.

See also this.

### Catch SSH probes
iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0
       -m state --state NEW
       -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS
       -j LOG --log-prefix "Adaptive-FW SSH Prober: "

iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0
       -m state --state NEW
       -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS
       -j DROP

iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0
       -m state --state NEW
       -m recent --set --name SSH_PROBERS
       -j ACCEPT

So, in the INPUT chain, you wouldn't use -o, and -d would be the IP on your external link.. in this example, ppp0.

What it does, is uses the ipt_recent module, tracking connections from a given IP. 3 incoming connections in 60 seconds will cause the remote host to be blocked. Of course, this affects normal logins too, so for known hosts, it pays to insert a rule beforehand that does a -j ACCEPT.

Modern times require you to know how much traffic each user on a system is generating. A lightweight and unobtrusive way to do it is:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
for interesting user in /etc/passwd #implementation dependent
do
        #mark all user packets with their uid
        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $uid
        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j CONNMARK --save-mark
        #add rules to count packets
        iptables -A PREROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user" 
        iptables -A POSTROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user"
done

Integrating this with existing firewall rules is left as an excercise for the reader.

Observing counters is as easy as

watch "iptables -nvL PREROUTING -t mangle; echo; iptables -nvL POSTROUTING -t mangle"

Or you can parse them periodically and store values somewhere for further processing.

This method identifies which user caused some traffic only for the traffic that is initiated on the machine. Traffic that originates on a remote system is not caught. I haven't yet found a way to make this work for this case too.

Tested on rhel6.

Something like this (eth0 is the user's network):

 iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: -m \
   connlimit --connlimit-above 5 -j SET --add-set p2p src
 
 iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport \
   1024:65535 -m set --set p2p dst -j MARK --set-mark 60
 
 iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport \
    1024:65535 -m set --set p2p src -j MARK --set-mark 60

You'll have to compile your kernel with ipset and connlimit support.

 > Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
 > Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

Not necessarily the answer you were looking for, but this is what connlimit was written for. Connlimit will limit the number of parallel TCP connections per host. Do something like:

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
         -m connlimit --connlimit-above 30 -j DROP

connlimit is not in the vanilla kernel at the minute; you need to patch with pom. You can download pom from http://ipset.netfilter.org/install.html, but you may need to patch pom first! See http://lists.netfilter.org/pipermail/netfilter-devel/2006-July/025090.html

Sometimes when a user runs some picture-gallery or forum software, your server gets more or less hacked: a hacker will start under the user with which your webserver runs ('www-run' for example) an ircbot. You can prevent this with this:

 iptables -I OUTPUT -m owner -p tcp --destination-port 6660:6669 --uid-owner nobody -j REJECT

This will not work if the hacker runs his/her irc-server on a different portnumber then the ones blocked.

Download here