netfilter-request@xxxxxxxxxxxxxxxxxxx wrote:

> Send netfilter mailing list submissions to
> netfilter@xxxxxxxxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.netfilter.org/mailman/listinfo/netfilter
> or, via email, send a message with subject or body 'help' to
> netfilter-request@xxxxxxxxxxxxxxxxxxx
>
> You can reach the person managing the list at
> netfilter-owner@xxxxxxxxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of netfilter digest..."
>
>
> Today's Topics:
>
>    1. How to block a DNS DoS attack? (Eduardo Fernández)
>    2. Re: How to block a DNS DoS attack? (Martijn Lievaart)
>    3. Re: -i interface filter not working for firewall (Martijn Lievaart)
>    4. Re: How to block a DNS DoS attack? (Elvir Kuric)
>    5. Re: ip routing after changing mac address to a virtual one (Martijn Lievaart)
>    6. Traffic auditing per user (Joris Dobbelsteen)
>    7. T/TCP connections not NATed (Frederik Deweerdt)
>    8. Multiple Mac Addresses as Source (Syed AbuBakr)
>    9. Re: Multiple Mac Addresses as Source (Pascal Hambourg)
>   10. Re: -i interface filter not working for firewall (victor oliveira)
>   11. Re: -i interface filter not working for firewall (Pascal Hambourg)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 2 Dec 2006 21:56:56 +0100
> From: "Eduardo Fernández" <eduardo@xxxxxxxxxxxxxx>
> Subject: How to block a DNS DoS attack?
> To: "Netfilter Mailing List" <netfilter@xxxxxxxxxxxxxxxxxxx>
> Message-ID: <fedfc260612021256w7f94bb2eg3bb77e6bdd5c97d9@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi!
>
> Some computers in my network are flooding the DNS server with MX
> queries generated by some virus, at a rate of 2/second or so. I can't
> use the string match as suggested before because of my kernel version.
> I can't forbid MX queries in the server because there could be valid
> queries, so the only way to match the virus is the speed or number of
> queries. I've tried the following to match only the virus but not the
> normal clients (people surfing the web mainly):
>
> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT
>
> But it doesn't work. Any ideas?
>
> Thanks a bunch!
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 03 Dec 2006 16:26:04 +0100
> From: Martijn Lievaart <m@xxxxxxx>
> Subject: Re: How to block a DNS DoS attack?
> To: "Eduardo Fernández" <eduardo@xxxxxxxxxxxxxx>
> Cc: Netfilter Mailing List <netfilter@xxxxxxxxxxxxxxxxxxx>
> Message-ID: <4572EC8C.7020600@xxxxxxx>
> Content-Type: text/plain; charset=iso-8859-1; format=flowed
>
> Eduardo Fernández wrote:
>
>> Hi!
>>
>> Some computers in my network are flooding the DNS server with MX
>> queries generated by some virus, at a rate of 2/second or so. I can't
>> use the string match as suggested before because of my kernel version.
>> I can't forbid MX queries in the server because there could be valid
>> queries, so the only way to match the virus is the speed or number of
>> queries. I've tried the following to match only the virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>
> I don't know why this doesn't work, but I would probably take a whole
> different route. As you say you could have matched with the string
> match, you can write a tcpdump capture expression for those packets.
> Feed the output to a short script that extracts the IP address and adds
> a rule to deny any traffic to that IP address. This has the added
> advantage that it breaks functionality on the client, so people will
> complain. This makes it easier to spot the infected machines. And maybe
> slow the rate of spreading, who knows.
>
> If those addresses are assigned by DHCP, make sure to clear the blocks
> occasionally. Any (still) infected machine will simply re-add itself in
> no time.
>
> Obviously, you have to make sure that you add an address only once. This
> also means that adding and deleting IPAs should probably be coordinated
> with a lock, though you may get away without.
>
> Something along these lines (untested):
>
> # iptables -N VDROP
> # iptables -I INPUT -j VDROP
> # mkdir /var/state/sumtin
> # tcpdump -n -i <intf> <filter> |
>     sed -En 's/^.* IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+ > .*/\1/p' |
>     while read ip; do
>         # the marker file records that this source was already blocked
>         if [ ! -f /var/state/sumtin/$ip ]; then
>             touch /var/state/sumtin/$ip
>             iptables -A VDROP -s $ip -j DROP
>         fi
>     done
>
> (The sed takes the source address, the one before " > " in tcpdump -n
> output, of each captured line.)
>
> (The ipset match is better suited for this, but if you don't have
> string, you probably don't have ipset.)
>
> BTW, you probably get better results with the limit match if you use a
> shorter time and a lower limit.
>
> HTH,
> M4
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 03 Dec 2006 17:08:09 +0100
> From: Martijn Lievaart <m@xxxxxxx>
> Subject: Re: -i interface filter not working for firewall
> To: victor oliveira <victor.oliveira@xxxxxxxxxxxxxxxxxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <4572F669.1000206@xxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> victor oliveira wrote:
>
>> My problem is the following: I am able to connect from my machine to
>> the firewall using both eth2 and eth3. However, note that the INPUT
>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>> and only allowing connections to the eth2 and not the eth3
>> interface...
>
> Your rules are a bit messy, but it should probably work. Are you sure you
> connect through eth3? You do say it is from the same machine; if you are
> connected to eth2 and address the IP address of eth3, you still come in
> through eth2.
>
> HTH,
> M4
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 3 Dec 2006 13:34:23 -0800 (PST)
> From: Elvir Kuric <omasnjak@xxxxxxxxx>
> Subject: Re: How to block a DNS DoS attack?
> To: Eduardo Fernández <eduardo@xxxxxxxxxxxxxx>, Netfilter Mailing List <netfilter@xxxxxxxxxxxxxxxxxxx>
> Message-ID: <414919.97581.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Eduardo,
>
> I suggest you check the link below
>
> http://www-128.ibm.com/developerworks/linux/library/l-fw/?n-l-4191
>
> Hope this helps.
>
> Regards
>
> Elvir Kuric
>
> --- Eduardo Fernández <eduardo@xxxxxxxxxxxxxx> wrote:
>
>> Hi!
>>
>> Some computers in my network are flooding the DNS server with MX
>> queries generated by some virus, at a rate of 2/second or so. I can't
>> use the string match as suggested before because of my kernel version.
>> I can't forbid MX queries in the server because there could be valid
>> queries, so the only way to match the virus is the speed or number of
>> queries. I've tried the following to match only the virus but not the
>> normal clients (people surfing the web mainly):
>>
>> iptables -A INPUT -p udp -d server_ip --dport 53 -m limit --limit 40/minute --limit-burst 2000 -j ACCEPT
>>
>> But it doesn't work. Any ideas?
>>
>> Thanks a bunch!
>
>
>
> ------------------------------
>
> Message: 5
> Date: Sun, 03 Dec 2006 23:03:54 +0100
> From: Martijn Lievaart <m@xxxxxxx>
> Subject: Re: ip routing after changing mac address to a virtual one
> To: first last <doctor_konkord@xxxxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <457349CA.9060006@xxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> first last wrote:
>
>> Hi Mike,
>>
>> Yes, eth1 gets its IP address from the DHCP server. The DHCP
>> server always gives me the same IP address because it
>> knows my MAC address. So I can only get a different IP
>> address by changing my MAC address.
>
> [ Please don't toppost ]
>
> Try to shut down the interface, change the MAC, then bring the interface
> back up. Masquerading is a bit strange and I'm not completely sure what
> will work when. However, this way, it should definitely work.
>
> HTH,
> M4
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 4 Dec 2006 00:11:17 +0100
> From: "Joris Dobbelsteen" <Joris@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Traffic auditing per user
> To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> Message-ID: <73427AD314CC364C8DF0FFF9C4D693FF544D@xxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> I'm looking for a solution to audit network traffic usage per user.
> After a long enough search I was not able to find a solution that suited
> my needs.
>
> It must fit the following requirements:
> * The traffic must be logged on a uid basis.
> * Some traffic should not be counted, which is protocol (i.e. non-IP)
>   and IP address based (i.e. no local network).
> * Of course not have a dramatic effect on performance
>
> Hopefully it's not too hard for me, thus the tool has some (decent)
> instructions/documentation.
> Further I want to keep using my stock application. The platform is
> Ubuntu 6.06 LTS, and I prefer to have the packages from the
> repositories, rather than my own compilations. Mostly for reasons of
> testing and maintenance.
>
> I would guess this is not directly a netfilter question, but it should
> be close enough.
>
> - Joris
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 4 Dec 2006 08:23:55 +0000
> From: Frederik Deweerdt <deweerdt@xxxxxxx>
> Subject: T/TCP connections not NATed
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <20061204082355.GF3136@slug>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> We're trying to use a home-brewed T/TCP stack in addition to Linux plain
> SNAT. Everything works as expected, except for the first packet, which
> is not NATed. Communication is as follows:
>
>       C                 S
>   1.  SYN*          -->
>   2.  DATA          -->
>   3.      <--       SYN/ACK*
>   4.  ACK*          -->
>   5.  REST_OF_COM*
>
> [*] The packet is NATed
>
>
> Our hypothesis du jour is that packet #2 is not NATed because it is
> not currently part of a connection from netfilter's point of view. Hence
> my questions:
> - Does our hypothesis seem reasonable to you?
> - If yes, is it possible to tell NAT to ignore the connection
>   tracking information, and NAT all the packets getting out of
>   a given interface?
> - If not, what do you reckon could be the cause for having the
>   #2 packet not NATed?
>
> Thanks,
> Frederik
>
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 4 Dec 2006 17:06:23 +0500
> From: "Syed AbuBakr" <syed.abubakr@xxxxxxxxx>
> Subject: Multiple Mac Addresses as Source
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <7e53eda20612040406g714db122s34870004374153df@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi...!
>
> I want to use multiple MAC addresses as source for my rules; well, they
> are in the hundreds. If I make a file of these MAC addresses and give its
> path instead of writing hundreds of rules... So my question is: is
> there any way to input them as a file or file path?
>
> regards
> Ali
>
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 04 Dec 2006 13:18:22 +0100
> From: Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx>
> Subject: Re: Multiple Mac Addresses as Source
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <4574120E.8040407@xxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
>
> Hello,
>
> Syed AbuBakr wrote:
>
>> I want to use multiple MAC addresses as source for my rules; well, they
>> are in the hundreds. If I make a file of these MAC addresses and give its
>> path instead of writing hundreds of rules... So my question is: is
>> there any way to input them as a file or file path?
>
> Check ipset.
> <http://www.netfilter.org/projects/ipset/index.html>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Mon, 4 Dec 2006 10:41:41 -0300
> From: "victor oliveira" <victor.oliveira@xxxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: -i interface filter not working for firewall
> To: "Martijn Lievaart" <m@xxxxxxx>
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Message-ID: <b020b8120612040541w4b969840qc1d6abdef3db099b@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> eth2 and eth3 are both connected to the same switch, and are not
> virtual. Each with a different IP.
> eth2 has the IP 10.10.1.8 and eth3 has the IP 10.10.1.9.
> I'm using for testing a putty application from another machine, also
> connected to the same switch.
> I know it should be working but it is not.
> Furthermore, I tested the mangle rules for multiple tables and it only
> works without the -i option.
> My "solution" was to change to different subdomains and just not use
> the -i restriction...
> any thoughts?
>
> On 12/3/06, Martijn Lievaart <m@xxxxxxx> wrote:
>
>> victor oliveira wrote:
>>
>>> My problem is the following: I am able to connect from my machine to
>>> the firewall using both eth2 and eth3. However, note that the INPUT
>>> default is DROP, and the only rule on the INPUT SHOULD be filtering
>>> and only allowing connections to the eth2 and not the eth3
>>> interface...
>>
>> Your rules are a bit messy, but it should probably work. Are you sure you
>> connect through eth3? You do say it is from the same machine; if you are
>> connected to eth2 and address the IP address of eth3, you still come in
>> through eth2.
>>
>> HTH,
>> M4

It may sound like a silly question: running ipmasq -v, I have seen what rules ipmasq uses. There is this one in particular:

$IPT -A INPUT -j ACCEPT -i eth0 -d 192.168.0.2/32

This rule on its own, from my point of view, accepts any traffic, any packet destined to 192.168.0.2, opening the entire system to the world. Am I wrong?
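The "block each offending source exactly once" sketch from Message 2 of the digest above, reworked as an added example that is not code from the thread or from the netfilter project: it uses `mkdir` as the atomic marker-plus-lock the message asks for, keeps the DHCP "clear the blocks" step, and assumes tcpdump -n output lines of the form `TIME IP SRC.SPORT > DST.DPORT: ...`. `IPT` defaults to `echo iptables` so the rules are printed rather than applied; set `IPT=iptables` to apply them.

```shell
# Added example (not from the thread). IPT defaults to printing the rules.
IPT="${IPT:-echo iptables}"
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"   # one directory per blocked source

# Print the source IPv4 address of one tcpdump -n line; print nothing if the
# line does not look like one (the address before " > " is the source).
src_ip() {
    printf '%s\n' "$1" |
        sed -En 's/^[^ ]* IP ([0-9]{1,3}(\.[0-9]{1,3}){3})\.[0-9]+ > .*/\1/p'
}

# Read tcpdump lines on stdin and add a DROP rule for each source not seen
# before. mkdir is atomic, so the per-address directory is both the
# "already blocked" marker and the lock the thread mentions: two concurrent
# readers cannot both add the same address. Prints one line per rule added.
block_new_sources() {
    while IFS= read -r line; do
        ip=$(src_ip "$line")
        [ -n "$ip" ] || continue
        if mkdir "$STATE_DIR/$ip" 2>/dev/null; then
            $IPT -A VDROP -s "$ip" -j DROP
        fi
    done
}

# Forget all blocks, for DHCP pools where an address may change hands.
clear_blocks() {
    $IPT -F VDROP
    rm -rf "$STATE_DIR"/*
}

# Constructed sample capture: two offending hosts, one of them repeating,
# plus a line that is not tcpdump output at all.
SAMPLE='21:56:56.100 IP 192.168.1.10.53421 > 10.0.0.1.53: 1+ MX? example.com. (29)
21:56:56.600 IP 192.168.1.10.53422 > 10.0.0.1.53: 2+ MX? example.net. (29)
21:56:57.100 IP 192.168.1.23.40001 > 10.0.0.1.53: 3+ MX? example.org. (29)
not a tcpdump line at all'

# Demo when run directly: prints two rules, one per distinct source.
printf '%s\n' "$SAMPLE" | block_new_sources
```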