ipt_recent module and UDP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Is anybody doing any type of filtering using the ipt_recent module and UDP?

>
> Hello, I have a problem with UDP traffic and use of the 'recent' module.
> I've recently modified my firewall script to use the ipt_recent module to
> help block SSH dictionary attacks, as well as attacks on certain trigger
> ports targetted by vulnerability scanning scripts. An excerpt of my
> firewall script appears below.  Notice that I am using two ipt_recent
> lists, one for SSH and one for 'scram' ports used in vulnerability scans.
>
> One of the ports I watch is UDP 1434, a Microsoft SQL Server port
> targetted by the SQL Slammer worm.  When iptables detects a new connection
> to that port, it adds the source IP to the 'scram' list, and a rule near
> the top (just after allowing established/related) eliminates further
> traffic from that source IP until timeout.  However, if I don't specify
> "-p tcp" in that enforcement rule just after established/related, it
> appears that all UDP traffic (even from source IPs not in the list) are
> dropped by those enforcement rules.
>
> I'm expecting that traffic on UDP 1434 to hit the trigger, further traffic
> from that source IP gets blocked by the 'scram' enforcement rule, and all
> other UDP traffic (like NTP) passes through to the rest of the rules.
> What is happening is that all UDP traffic is dropped.
>
> What can I do to make this work?  I think it's more to do with UDP
> connection states rather than a bug, but I'm not sure how or if I can
> structure this to operate like I want.  (Previously I was using a ulogd
> custom plugin to dynamically add mangle table rules, and a forked thread
> to clear them after timeout.  It was goofy, but it worked.)
>
> I don't think the use of more than one list has anything to do with this,
> but I thought I should include it for completeness.  I know I'm using the
> new re-written ipt_recent.c module (kernel is 2.6.18.8).  Is this a bug or
> am I missing something silly?  Thanks very much in advance for your
> assistance, all constructive comments are appreciated.
>
> --Roger Venable
> --Ann Arbor, Michigan
>
> Kernel: Linux 2.6.18.8-0.1-default #1 SMP Fri Mar 2 13:51:59 UTC 2007 i686
> athlon i386 GNU/Linux
> iptables: v1.3.6
>
> # some rules not pertaining to this example were cut
> # (and IP addresses changed to protect the innocent)
>
> # default drop
> iptables -P OUTPUT  DROP
> iptables -P INPUT   DROP
> iptables -P FORWARD DROP
>
> # accept established / related
> iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SCRAM rules
> # if '-p tcp' not specified here, all UDP traffic gets dropped
> # even from source addresses that are not in a 'recent' list
> iptables -A INPUT  -i eth0  -p tcp -m recent --update --seconds 60
> --hitcount 4 --name SSH  -j DROP
> iptables -A INPUT  -i eth0  -p tcp -m recent --update --seconds 3600
> --name SCRAM  -j DROP
>
> # <SNIP> more rules...
>
> # SSH
> # dictionary attacks get lost
> #
> iptables -N In_RULE_13
> iptables -A INPUT  -i eth0 -p tcp -m tcp  -d 192.168.1.68  --dport 22  -j
> In_RULE_13
> iptables -A INPUT  -i eth0 -p tcp -m tcp  -d 192.168.1.69  --dport 22  -j
> In_RULE_13
> iptables -A In_RULE_13  -j ULOG  --ulog-nlgroup 1 --ulog-prefix "SSH
> RECENT " --ulog-qthreshold 1
> iptables -A In_RULE_13 -m recent --name SSH --set -j ACCEPT
>
> # <SNIP> more rules...
>
> # scan triggers
> # when trigger ports hit by script kiddies, add to 'scram' recent table #
> iptables -N In_RULE_30
> iptables -A INPUT  -i eth0 -p tcp -m tcp  --dport 1023:1029  -j In_RULE_30
> iptables -A INPUT  -i eth0 -p tcp -m tcp  -m multiport  --dports
> 1433,3128,1761,12345,2967,37,5900  -j In_RULE_30
> iptables -A INPUT  -i eth0 -p udp -m udp  --dport 1025:1029  -j In_RULE_30
> iptables -A INPUT  -i eth0 -p udp -m udp  -m multiport  --dports 1434,500
> -j In_RULE_30
> iptables -A In_RULE_30  -j ULOG  --ulog-nlgroup 1 --ulog-prefix "SCRAM "
> --ulog-qthreshold 1
> iptables -A In_RULE_30 -m recent --name SCRAM --set -j DROP
>
> # <SNIP> more rules...
> # Here accept other UDP traffic, like NTP on UDP 123
>
> # So, Grim, you reap around here, do you?
> iptables -N RULE_36
> iptables -A OUTPUT  -j RULE_36
> iptables -A INPUT  -j RULE_36
> iptables -A RULE_36  -j ULOG  --ulog-nlgroup 1 --ulog-prefix "DEATH "
> --ulog-qthreshold 1
> iptables -A RULE_36  -j DROP
>
> # 601
>




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux