Dynamic iptables firewall dynfw

Source: Internet
Author: User

A firewall is a very important network security tool, but what do you do when you need to make quick, complex, dynamic changes to its rules? With the dynamic firewall scripts by Daniel Robbins described in this article, that becomes an easy task. You can use these scripts to enhance network security and respond to network attacks in real time, and build your own designs on top of them.
The best way to understand the benefits of dynamic firewall scripts is to look at them in practice. Suppose I am the system administrator of an ISP. I recently set up a Linux-based firewall to protect my customers and internal systems from malicious external users. To implement it I use the iptables tool of the new Linux 2.4 kernel. The firewall allows customers and internal servers to establish connections to the Internet, and it also allows new connections from the Internet to the public services of internal systems, such as web servers and ftp servers. Because I use a default-deny policy that only opens the services that need to be public, connections from the Internet to non-public services, such as the squid proxy and samba, are rejected. I now have a fully functional firewall that meets my security requirements and provides good protection for all ISP users.
The firewall worked well for the first week, but then something bad happened. Bob, an attacker, attacked my network, flooding my ISP's network with junk packets to launch a DoS attack against my customers. Unfortunately, Bob had studied my firewall carefully: although I had protected the internal services, ports 25 and 80 were open so that mail could be sent and received and the web service could be reached. Bob decided to launch his DoS attack against my email and WWW servers.
One or two minutes after Bob started the attack, I noticed that my line was badly congested. Using tcpdump, I found that this was Bob's attack and obtained the source addresses. Now I needed to block those IP addresses from connecting to my public servers. Next I will discuss a simple and convenient solution.

Block attacks

I took immediate action: I loaded my firewall startup script and edited the iptables rules with vi to block datagrams coming from the source address of Bob's malicious traffic. After about a minute I found the place in the startup script where the new DROP rule belonged, added it, and restarted the firewall. The firewall soon took effect and Bob's attack was blocked. It seemed that I had beaten Bob's attack, but soon the network duty phone rang again: customers were calling to complain about the network outage. Worse, a few minutes later I noticed that my Internet connection was badly congested again. I checked and found that Bob was now attacking from a new IP address, so I had to modify the firewall startup script yet again. In this way, Bob had me chasing my tail.
Where is the problem? Although I had built a fully functional firewall that met my security requirements, and quickly found the cause of the network problem, I could not adjust my firewall rules immediately in response to Bob's attack. Responding to an attack by hand-editing the firewall configuration script is not only stressful but also inefficient.

Ipdrop

If I could create a special "ipdrop" script, designed to insert a rule that blocks a specified IP address, this work would be very easy. Blocking an IP address through such a script takes only a few seconds, and the script also prevents the mistakes that can occur when rules are added by hand. Blocking Bob's attack then comes down to blocking its source address. Run the following command:

# ipdrop 129.24.8.1 on
IP 129.24.8.1 drop on.
The ipdrop script immediately blocks 129.24.8.1. Using this script can significantly improve your defense capabilities. The following is the implementation of the ipdrop script:
The ipdrop bash script

#!/bin/bash
source /usr/local/share/dynfw.sh
args 2 $# "${0} IPADDR {on/off}" "Drops packets to/from IPADDR. Good for obnoxious networks/hosts/DoS"
if [ "$2" = "on" ]
then
    # rules will be appended or inserted as normal
    APPEND="-A"
    INSERT="-I"
    rec_check ipdrop "$1" "$1 already blocked" on
    record ipdrop "$1"
elif [ "$2" = "off" ]
then
    # rules will be deleted instead
    APPEND="-D"
    INSERT="-D"
    rec_check ipdrop "$1" "$1 not currently blocked" off
    unrecord ipdrop "$1"
else
    echo "Error: \"off\" or \"on\" expected as second argument"
    exit 1
fi
# block outside IP address that's causing problems
# attacker's incoming TCP connections will take a minute or so to time out,
# reducing DoS effectiveness.
iptables $INSERT INPUT -s "$1" -j DROP
iptables $INSERT OUTPUT -d "$1" -j DROP
iptables $INSERT FORWARD -d "$1" -j DROP
iptables $INSERT FORWARD -s "$1" -j DROP
echo "IP ${1} drop ${2}."

Ipdrop: Explanation

From the last four lines of the script we can see that the actual work is done by inserting the appropriate rules into the firewall tables. The value of the $INSERT variable depends on whether "on" or "off" was given on the command line, so when the iptables lines are executed the rules are either inserted or deleted accordingly.
Now let's look at what these rules do. They work together with any kind of firewall, even on a system that has no firewall at all; the only requirement is a Linux 2.4 kernel with iptables support. We block packets coming from the malicious IP address (the first iptables statement), block packets going to the malicious IP address (the second iptables statement), and disable forwarding to or from that address in either direction (the last two iptables statements). Once these rules are in place, the system discards any datagram that matches them.
Note that the script calls "rec_check", "unrecord", "record", and "args". These are special bash functions defined in "dynfw.sh". The "record" function records a blocked IP address in the file /root/.dynfw-ipdrop, while "unrecord" removes it from that file. The "rec_check" function prints an error message and stops the script when it detects an attempt to block an IP address that is already blocked, or to unblock one that is not blocked. The "args" function checks that the command line arguments are correct and prints the script's usage help. The dynfw-1.0.tar.gz file contains all these tools; see the resources section at the end of the article.
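The bookkeeping functions described above are what keep ipdrop from inserting the same rule twice or deleting a rule that was never added. The following is an added example, not the code of dynfw.sh itself: a minimal re-implementation of record, unrecord, rec_check and args with the same calling convention the ipdrop script uses. The record directory is taken from an assumed DYNFW_RECDIR variable (default /root, matching the /root/.dynfw-ipdrop path the article names), and rec_check returns a non-zero status instead of exiting so it can be exercised from a test or a larger script.

```shell
#!/bin/bash
# Added example: minimal stand-in for the record/unrecord/rec_check/args
# functions of dynfw.sh (assumed behaviour, not the project's own code).
# State is one file per script, e.g. $DYNFW_RECDIR/.dynfw-ipdrop, holding
# one record (an IP, a port, a UID) per line.
DYNFW_RECDIR="${DYNFW_RECDIR:-/root}"   # assumed variable; /root is the article's path

# recfile NAME: path of the record file for script NAME (ipdrop, tcplimit, ...)
recfile() { printf '%s/.dynfw-%s\n' "$DYNFW_RECDIR" "$1"; }

# is_recorded NAME ITEM: succeed if ITEM is already recorded for NAME
is_recorded() {
    local f; f=$(recfile "$1")
    [ -f "$f" ] && grep -qxF -- "$2" "$f"
}

# record NAME ITEM: append ITEM to NAME's record file
record() {
    local f; f=$(recfile "$1")
    printf '%s\n' "$2" >> "$f"
}

# unrecord NAME ITEM: remove the line that exactly equals ITEM
unrecord() {
    local f; f=$(recfile "$1")
    [ -f "$f" ] || return 0
    grep -vxF -- "$2" "$f" > "$f.tmp" || true   # grep exits 1 when no lines remain
    mv "$f.tmp" "$f"
}

# rec_check NAME ITEM MESSAGE MODE
#   on : fail with MESSAGE if ITEM is already recorded (would insert a duplicate rule)
#   off: fail with MESSAGE if ITEM is not recorded (there is no rule to delete)
rec_check() {
    case "$4" in
        on)  if is_recorded "$1" "$2"; then echo "Error: $3" >&2; return 1; fi ;;
        off) if ! is_recorded "$1" "$2"; then echo "Error: $3" >&2; return 1; fi ;;
        *)   echo "rec_check: mode must be on or off" >&2; return 2 ;;
    esac
    return 0
}

# args EXPECTED ACTUAL USAGE DESCRIPTION: fail and print usage on a wrong
# argument count, the way the scripts call it with: args 2 $# "..." "..."
args() {
    if [ "$2" -ne "$1" ]; then
        echo "Usage: $3" >&2
        echo "$4" >&2
        return 1
    fi
    return 0
}
```

Because the records are plain text files, the current block list can be inspected with cat, and the same file is what a "dynfw restore" step would read to re-apply the rules after a reboot.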

Tcplimit

If you need to restrict the use of a particular TCP-based network service (for example, when a heavy load is hitting the end system), the tcplimit script can do it. The script takes a TCP port, a rate value, and "on" or "off" as arguments:

# tcplimit 873 5 minute on
Port 873 new connection limit (5/minute, burst=5) on.

Tcplimit uses the "state" module of iptables (which must be compiled into the kernel or loaded as a module) to allow only a certain number of connection requests to pass within a given period. In this example the firewall allows only five new connections per minute to my rsync server (port 873). Of course, you can choose the unit of time to suit your needs.
Tcplimit provides a very good way to restrict the use of non-critical services, so that a flood of traffic to a non-critical service cannot take down the server. In the example above, tcplimit limits rsync so that rsync traffic cannot occupy all the bandwidth of the Internet connection. The connection limit is recorded in the file /root/.dynfw-tcplimit. To remove the limit, enter the following command:

# tcplimit 873 5 minute off
Port 873 new connection limit off.

Tcplimit is implemented by creating a new chain in the "filter" table. The new chain rejects every packet that exceeds the specified limit, and a rule inserted into the INPUT chain directs every datagram that opens a new connection to the target port (port 873 in this example) into that chain. The new chain therefore only affects new connections beyond the limit; established connections are not touched.
When the tcplimit rule is disabled, the INPUT rule and the new chain are deleted. Like ipdrop, tcplimit works with any kind of firewall.

Host-tcplimit

Host-tcplimit is very similar to tcplimit, but it limits the number of TCP connections from a specific IP address to a specific port on the server. Host-tcplimit is very useful for stopping one particular person from abusing your network resources. For example, suppose you maintain a CVS server and one day a new developer appears who seems to have written a script that updates his copy of the sources every 10 minutes, consuming a large amount of network resources. You send him a letter pointing out the error of his ways, but receive the following reply:

Hi guys!
I'm really excited to be part of your development project. I just set up a
script to update my local copy of the code every ten minutes. I'm about to
leave on a two-week cruise, but when I get back, my sources will be totally
up-to-date and I'll be ready to help out! I'm heading out the door now... see
you in two weeks!

Sincerely,
Mr. Newbie
In this case, host-tcplimit solves the problem easily:

# host-tcplimit 1.1.1.1 2401 1 day on

Now Mr. Newbie (IP address 1.1.1.1) is limited to one CVS connection per day, which saves network bandwidth.
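The tcplimit and host-tcplimit sections above describe the same mechanism: a per-port chain in the filter table, a limit rule inside it, and a jump from INPUT for packets in state NEW. The block below is an added example, not the dynfw project's own tcplimit or host-tcplimit script; it generates that rule set for both cases (an optional source address turns tcplimit into host-tcplimit). The chain naming scheme ("tcplimit-<host>-<port>") and the use of DROP for over-limit packets are my assumptions, and setting IPTABLES=echo prints the commands instead of running them, so it can be reviewed without root or a live firewall.

```shell
#!/bin/bash
# Added example (not the dynfw project's code): iptables rules behind
# tcplimit / host-tcplimit. Chain name scheme and DROP target are assumptions.
# Set IPTABLES=echo for a dry run that prints the commands.
IPTABLES="${IPTABLES:-iptables}"

# valid_port N: accept 1..65535 only, so a typo never becomes a rule that
# matches every port
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: four dotted octets, each 0..255
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local oldifs="$IFS"; IFS=.; set -- $1; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# tcplimit_chain PORT [SRC]: one chain per port, or per host+port
tcplimit_chain() {
    if [ -n "$2" ]; then echo "tcplimit-$2-$1"; else echo "tcplimit-$1"; fi
}

# tcplimit_rules PORT RATE UNIT on|off [SRC]
#   on : build the chain, let RATE new connections per UNIT through (burst of
#        RATE), drop the rest, and divert NEW TCP connections to PORT (from
#        SRC, if given) into it. Established connections never enter the chain.
#   off: remove the INPUT jump, then flush and delete the chain.
tcplimit_rules() {
    local port="$1" rate="$2" unit="$3" mode="$4" src="$5" chain srcmatch=""
    valid_port "$port" || { echo "tcplimit: bad port '$port'" >&2; return 1; }
    case "$rate" in ''|*[!0-9]*) echo "tcplimit: bad rate '$rate'" >&2; return 1 ;; esac
    case "$unit" in second|minute|hour|day) ;;
        *) echo "tcplimit: unit must be second, minute, hour or day" >&2; return 1 ;;
    esac
    if [ -n "$src" ]; then
        valid_ipv4 "$src" || { echo "tcplimit: bad address '$src'" >&2; return 1; }
        srcmatch="-s $src"      # validated above, so the unquoted expansion below is safe
    fi
    chain=$(tcplimit_chain "$port" "$src")
    case "$mode" in
    on)
        "$IPTABLES" -N "$chain"
        # inside the budget: RETURN to INPUT, where the normal policy applies
        "$IPTABLES" -A "$chain" -m limit --limit "$rate/$unit" --limit-burst "$rate" -j RETURN
        # over the budget: drop the SYN; the client will retry later
        "$IPTABLES" -A "$chain" -j DROP
        # only connection-opening packets (state NEW) are diverted
        "$IPTABLES" -I INPUT -p tcp $srcmatch --dport "$port" -m state --state NEW -j "$chain"
        ;;
    off)
        "$IPTABLES" -D INPUT -p tcp $srcmatch --dport "$port" -m state --state NEW -j "$chain"
        "$IPTABLES" -F "$chain"
        "$IPTABLES" -X "$chain"
        ;;
    *) echo "tcplimit: mode must be on or off" >&2; return 1 ;;
    esac
}
```

Running "IPTABLES=echo tcplimit_rules 2401 1 day on 1.1.1.1" prints the four commands for the Mr. Newbie case; because the INPUT jump matches only state NEW, his already-open CVS session is unaffected and only the next connection attempts are counted against the limit. Deleting in the off branch uses exactly the same match as the insert, which is why the chain name must be derived deterministically from the arguments.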

User-outblock

The last and most interesting of these firewall scripts is user-outblock. It provides an ideal way to let a user log in to the system through SSH or telnet while not allowing him to open outbound connections from the command line. Here is an example of where user-outblock is useful. Suppose a particular family has an account at our ISP. Mom and Dad use a graphical email client to read their mail and occasionally surf the web, but their son is a keen hacker who often uses his shell access to do naughty things to other machines.
One day you discover that he has opened ssh connections to several systems whose addresses belong to a Pakistani military site. You want to straighten the kid out, so you take the following steps:
First, check your system and make sure that the suid bit has been removed from all network-related programs, such as ssh:

# chmod u-s /usr/bin/ssh
Any network-related process he tries to run will now carry his own UID. Now you can use user-outblock to block every outbound TCP connection made under that UID (assuming the UID is 2049):

# user-outblock 2049 on
UID 2049 block on.

Now he can only log on to the system to read his letter, but he cannot use your server to establish an SSH connection.
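The two steps above, the suid check and the per-UID rule, are shown together in the following added example; it is not the dynfw project's user-outblock script, and the exact rule (the owner match on the OUTPUT chain with a REJECT target) is my assumption about how such a block is expressed in iptables. The list_setuid function is the audit that must precede the rule: a setuid client would run as root, not as the user, and the owner match would never see his UID. As in the other example, IPTABLES=echo prints the command instead of executing it.

```shell
#!/bin/bash
# Added example (not the dynfw project's code): the audit and the rule behind
# user-outblock. The rule layout is an assumption; IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"

# list_setuid DIR...: print every set-user-ID regular file below the given
# directories. Anything network-related in this list must lose its suid bit
# (chmod u-s) before a per-UID rule can be relied on, because a setuid
# program's packets belong to root, not to the user who started it.
list_setuid() { find "$@" -type f -perm -4000 2>/dev/null | sort; }

# user_outblock_rules UID on|off
#   Reject every outgoing TCP packet that opens a new connection (--syn) and
#   was generated by a local process running as UID. Packets belonging to
#   connections the user received, such as his own ssh login, are replies
#   rather than SYNs, so logging in and reading mail keep working.
user_outblock_rules() {
    local uid="$1" mode="$2" op
    case "$uid" in ''|*[!0-9]*) echo "user-outblock: bad uid '$uid'" >&2; return 1 ;; esac
    case "$mode" in
        on)  op=-I ;;
        off) op=-D ;;
        *)   echo "user-outblock: mode must be on or off" >&2; return 1 ;;
    esac
    # REJECT rather than DROP: the user sees an immediate "connection refused"
    # instead of a hanging client, so the block is not mistaken for a network fault
    "$IPTABLES" "$op" OUTPUT -m owner --uid-owner "$uid" -p tcp --syn -j REJECT
}
```

Note that the owner match only exists for locally generated packets, which is why the rule lives in OUTPUT and not in FORWARD: user-outblock can restrict shell users on the firewall host itself, not users on machines behind it.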

Resources

* I found these dynamic firewall scripts useful enough to package them up (http://www.vfocus.net/blog/archives/tools/dynfw-1.0.tar.gz) for download and installation.
To install the package, extract it and run install.sh. This script installs a shared bash library, /usr/local/share/dynfw.sh, and installs the dynamic firewall scripts into /usr/local/sbin. If you want to install them under a different prefix, run the following before install.sh:
# export PREFIX=/usr
You can also download the latest version, dynfw 1.0.1, from the dynamic firewall scripts section of the Gentoo Linux Web site.

* Tcpdump is a very important tool for watching IP traffic at a low level. It can be used to verify whether the firewall is working properly.

