Iptables
Uploaded by rohit-verma. Category: Internet.
Transcript of Iptables
Iptables
Advanced..
Content
• Iptables
• Packet’s journey
• xtables
• Rules
• DHCP
• DHCP events
• Problem statement
• References
Packet’s journey
Xtables
• "Xtables-addons is the successor to patch-o-matic(-ng). Likewise, it contains extensions that were not accepted in the main iptables package."
• no patches (.diff files) or POM trees
• extensions built as modules
• no reboot, instant use, also perfect for development
Xtables cont..
• Download the xtables-addons tarball and check it against the checksum or signature published alongside it; the kernel headers for the running kernel (and the iptables development files) must be installed before building
• Extract the tarball and edit mconfig: every extension is a build_NAME=m line, so set the ones you want to m and the rest to n
• Run ./configure, make and make install as described in the INSTALL file; the resulting xt_* modules load on first use, no reboot needed
• Extensions used on the following slides: geoip, ipp2p, TARPIT, pknock (the string match is part of mainline iptables, not of xtables-addons)
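The install steps above as one script, added here as an example and not taken from the slides or from the xtables-addons project. It assumes mconfig is the build_NAME=m|n list that xtables-addons ships, that the tarball has already been downloaded and verified, and that the matching kernel headers are installed; the script name, the enable_only/build_addons function names and the sample tarball version are the example's own.

```shell
#!/bin/bash
# Added example, not from the slides or the xtables-addons project.
# Builds xtables-addons from a downloaded tarball with only the extensions
# named on the command line enabled in mconfig.
# Assumed: mconfig is the "build_NAME=m|n" list xtables-addons ships, the
# kernel headers for the running kernel are installed, iptables-devel too.
set -e

# enable_only <mconfig> NAME...
# Rewrites <mconfig> in place: build_NAME=m for each NAME given,
# build_X=n for every other extension; comments and blank lines untouched.
enable_only() {
    local cfg="$1"; shift
    local want=" $* "      # space-padded so " geoip " matches whole names only
    local tmp line name
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            build_*=*)
                name=${line#build_}
                name=${name%%=*}
                case "$want" in
                    *" $name "*) echo "build_$name=m" ;;
                    *)           echo "build_$name=n" ;;
                esac ;;
            *) echo "$line" ;;
        esac
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# build_addons <tarball> NAME...
# The configure / make / make install sequence from the INSTALL file,
# followed by loading each module so an unresolved symbol or header
# mismatch shows up now rather than when the first rule is added.
build_addons() {
    local tarball="$1"; shift
    local dir=${tarball%.tar.*}    # xtables-addons-1.47.tar.xz -> xtables-addons-1.47
    tar xf "$tarball"
    cd "$dir"
    enable_only mconfig "$@"
    ./configure
    make
    make install                   # kernel modules plus libxt_*.so for iptables
    depmod -a
    local m
    for m in "$@"; do
        modprobe "xt_$m"           # module names are xt_<NAME>, e.g. xt_geoip
    done
}

# Usage (as root): ./build-addons.sh xtables-addons-1.47.tar.xz geoip ipp2p pknock TARPIT
if [ $# -ge 2 ]; then
    build_addons "$@"
fi
```

After the build, `iptables -m geoip --help` (or `-m pknock --help`) shows the extension's options only if both the kernel module and the matching libxt_*.so were installed; if one half is missing iptables reports "Couldn't load match".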
Rules
• Port-forward RDP: packets arriving on eth0 for 204.215.46.78:41234 are translated to 10.12.12.1:3389 and logged. A rule carries exactly one -j target, so the LOG and the DNAT are two rules in the same chain, LOG first (DNAT ends the packet's traversal of the nat table):
  iptables -A PREROUTING -t nat -i eth0 --dst 204.215.46.78 -p tcp --dport 41234 -j LOG --log-level 4
  iptables -A PREROUTING -t nat -i eth0 --dst 204.215.46.78 -p tcp --dport 41234 -j DNAT --to 10.12.12.1:3389
• Source NAT for outbound RDP from the 10.23.0.0/16 network, so it leaves with the public address:
  iptables --table nat -A POSTROUTING -o eth0 --src 10.23.0.0/16 --dst 125.11.158.211 -p tcp --dport 3389 -j SNAT --to-source 204.215.46.78
• Stateful SSH: the INPUT rule admits the client's new connection, the OUTPUT rule lets only the server's replies out. The replies go back to the client, 10.10.11.11, so that is the OUTPUT rule's --dst (the slide had the server's own address there):
  iptables --table filter -A INPUT -p tcp --src 10.10.11.11 --sport 1024:65535 --dst 10.10.0.11 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables --table filter -A OUTPUT -p tcp --src 10.10.0.11 --sport 22 --dst 10.10.11.11 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
• Mark HTTPS from the 10.10.0.0/16 network in the mangle table for policy routing or tc to act on (iptables masks the host bits of the slide's 10.10.0.10/16 to this network anyway):
  iptables -A PREROUTING -t mangle -i eth0 --src 10.10.0.0/16 -p tcp --dport 443 -j MARK --set-mark 2
Rules cont..
• Port knocking with pknock: knocking on 4002, 4001, 4004 in that order (--strict) within 10 seconds opens port 22 for that source for 60 seconds:
  iptables -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict --name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT
• Drop peer-to-peer traffic that ipp2p recognises by protocol signature (encrypted or obfuscated P2P protocols are not matched):
  iptables -A FORWARD -t mangle -m ipp2p --bit --kazaa --edk --dc --gnu --winmx --ares -j DROP
• Drop traffic that the geoip database attributes to China and that is destined for 187.78.0.0/24 (the xt_geoip database must be installed, and the country lookup is only as accurate as that database; iptables masks the slide's 187.78.0.90/24 to the network address):
  iptables -A FORWARD -m geoip --src-cc CN --dst 187.78.0.0/24 -j DROP
• A BLACKLIST chain (create it with iptables -N BLACKLIST and jump to it from FORWARD or INPUT) that drops port-443 traffic towards 10.0.10.11 containing the string "facebook" between 10:01 and 07:59. The --weekdays list naming every day is redundant and is dropped here; the time window is evaluated in UTC unless --kerneltz is given; and a string match on TLS only sees the name where it is still in plaintext, e.g. in the server certificate of TLS 1.2 and earlier:
  iptables -A BLACKLIST -p tcp -d 10.0.10.11 --sport 443 -m time --timestart 10:01 --timestop 07:59 -m string --string "facebook" --algo kmp -j DROP
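The rules from both Rules slides assembled into one script, added here as an example and not part of the slides. It assumes eth0 is the public interface, keeps the slides' addresses, and adds two things the slides leave implicit: the LOG and DNAT split into two rules in the right order, and a FORWARD rule admitting the translated RDP flow. The IPT variable, the function names, --log-prefix and --kerneltz are the example's own choices; setting IPT="echo iptables" prints the exact commands instead of installing them, which is how the script is dry-run without root.

```shell
#!/bin/bash
# Added example, not from the slides: both "Rules" slides as one script
# that can be applied or printed. IPT is the iptables binary; with
# IPT="echo iptables" the run only lists the commands (dry run).
# Assumed: eth0 is the public interface; the addresses are the slides'.
IPT="${IPT:-iptables}"
PUB_IP=204.215.46.78        # public address on eth0
RDP_HOST=10.12.12.1         # internal RDP server reached through DNAT
SSH_HOST=10.10.0.11         # SSH server protected by the stateful pair
SSH_CLIENT=10.10.11.11

# ensure_chain <table> <chain>: -N fails if the chain exists, which is fine.
ensure_chain() {
    $IPT -t "$1" -N "$2" 2>/dev/null || true
}

# RDP published on 41234, translated to 10.12.12.1:3389. A rule carries
# exactly one target, so LOG and DNAT are two rules; LOG goes first
# because DNAT ends nat-table traversal for the packet.
port_forward_rdp() {
    $IPT -t nat -A PREROUTING -i eth0 -d "$PUB_IP" -p tcp --dport 41234 \
        -j LOG --log-level 4 --log-prefix "rdp-dnat: "
    $IPT -t nat -A PREROUTING -i eth0 -d "$PUB_IP" -p tcp --dport 41234 \
        -j DNAT --to-destination "$RDP_HOST:3389"
    # DNAT only rewrites the address; FORWARD still has to admit the flow.
    $IPT -A FORWARD -i eth0 -d "$RDP_HOST" -p tcp --dport 3389 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Outbound RDP from 10.23.0.0/16 leaves with the public address.
snat_rdp_out() {
    $IPT -t nat -A POSTROUTING -o eth0 -s 10.23.0.0/16 -d 125.11.158.211 \
        -p tcp --dport 3389 -j SNAT --to-source "$PUB_IP"
}

# Stateful SSH: new connections in from the client, only replies back out.
ssh_stateful_pair() {
    $IPT -A INPUT -p tcp -s "$SSH_CLIENT" --sport 1024:65535 -d "$SSH_HOST" --dport 22 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p tcp -s "$SSH_HOST" --sport 22 -d "$SSH_CLIENT" --dport 1024:65535 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Mark HTTPS from 10.10.0.0/16 for policy routing or tc.
mark_https() {
    $IPT -t mangle -A PREROUTING -i eth0 -s 10.10.0.0/16 -p tcp --dport 443 \
        -j MARK --set-mark 2
}

# Port knocking: 4002, 4001, 4004 in that order within 10 s opens 22 for 60 s.
knock_ssh() {
    $IPT -A INPUT -p tcp -m pknock --knockports 4002,4001,4004 --strict \
        --name SSH --time 10 --autoclose 60 --dport 22 -j ACCEPT
}

# P2P signatures recognised by ipp2p; obfuscated protocols are not matched.
drop_p2p() {
    $IPT -t mangle -A FORWARD -m ipp2p --bit --kazaa --edk --dc --gnu --winmx --ares -j DROP
}

# BLACKLIST chain hooked into FORWARD; -C (check) needs iptables >= 1.4.11.
# --kerneltz evaluates the window in the kernel's timezone rather than UTC.
blacklist() {
    ensure_chain filter BLACKLIST
    $IPT -C FORWARD -j BLACKLIST 2>/dev/null || $IPT -I FORWARD 1 -j BLACKLIST
    $IPT -A BLACKLIST -p tcp -d 10.0.10.11 --sport 443 \
        -m time --timestart 10:01 --timestop 07:59 --kerneltz \
        -m string --string "facebook" --algo kmp -j DROP
    $IPT -A BLACKLIST -m geoip --src-cc CN -d 187.78.0.0/24 -j DROP
}

apply_all() {
    port_forward_rdp
    snat_rdp_out
    ssh_stateful_pair
    mark_https
    knock_ssh
    drop_p2p
    blacklist
}

# ./firewall.sh apply    installs the rules (root)
# ./firewall.sh dry-run  prints them instead
case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IPT="echo iptables"; apply_all ;;
esac
```

Rule order matters in two places: the LOG must precede the DNAT in nat PREROUTING, and the pknock ACCEPT must sit above whatever general policy closes port 22 in INPUT, otherwise the knock never gets a chance to match.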
DHCP
DHCP Events
• Commit: the server has committed a lease to a client
• Release: the client has released the server from its commitment
• Expiry: the commitment expires without being renewed
DHCP configuration (dhcpd.conf; execute() forks and execs the script directly, without a shell, passing the arguments as argv)
• on commit { set ClientIP = binary-to-ascii(10, 8, ".", leased-address); execute("/home/commitip", ClientIP); }
• on release { set ClientIP = binary-to-ascii(10, 8, ".", leased-address); execute("/home/releaseip", ClientIP); }
• on expiry { set ClientIP = binary-to-ascii(10, 8, ".", leased-address); execute("/etc/rc5.d/expiryip", ClientIP); }
• What dhcpd logs when the commit hook fires:
  Jun 18 09:48:39 dhcp dhcpd: execute_statement argv[0] = /home/commitip
  Jun 18 09:48:39 dhcp dhcpd: execute_statement argv[1] = 192.168.34.67
Scripts..
Commit (/home/commitip): insert a FORWARD ACCEPT for the newly leased address unless one is already present. The original used grep -irw: with -r and no file operand, modern GNU grep searches the working directory instead of its stdin, and -i means nothing for an address, so it is grep -qw here; the listing is also restricted to FORWARD, because an address appearing in any other chain would otherwise suppress the insert.
#!/bin/bash
# $1 is the leased address handed over by dhcpd's execute()
iptables -L FORWARD -n | grep -qw "$1"
if [ $? -eq 0 ]; then
    echo "nothing to add" >> /tmp/error
else
    iptables -I FORWARD 1 --src 0.0.0.0/0 --dst "$1" -j ACCEPT
fi
Expire (/etc/rc5.d/expiryip): remove that rule again when the lease ends
#!/bin/bash
iptables -D FORWARD --src 0.0.0.0/0 --dst "$1" -j ACCEPT
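A single hook serving all three dhcpd events, added here as an example and not from the slides. Compared with the scripts above it validates that the argument is a dotted-quad address before it reaches iptables, uses iptables -C so the rule is added once and removed completely (needs iptables 1.4.11 or later; older builds can grep `iptables -S FORWARD` instead), and logs through syslog rather than /tmp. The path /usr/local/sbin/lease-fw, the event-name argument, the function names and the IPT/LOG variables are the example's own assumptions; the dhcpd.conf lines would become execute("/usr/local/sbin/lease-fw", "commit", ClientIP) and so on for release and expiry.

```shell
#!/bin/bash
# Added example, not from the slides: one hook for the commit, release and
# expiry events. dhcpd calls it as: lease-fw <event> <leased-address>
# Assumed: installed as /usr/local/sbin/lease-fw and referenced from
# dhcpd.conf with the event name as the first execute() argument.
IPT="${IPT:-iptables}"
LOG="${LOG:-logger -t lease-fw}"

# valid_ipv4 <string>: 0 only for a dotted quad whose octets are 0-255.
# dhcpd supplies the address itself, but the hook runs with enough
# privilege to edit the firewall, so it refuses anything else anyway.
valid_ipv4() {
    local ip="$1" o oldifs
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# -C returns 0 when an identical rule exists; add once, delete all copies.
rule_present() { $IPT -C FORWARD -d "$1" -j ACCEPT 2>/dev/null; }
add_rule()     { rule_present "$1" || $IPT -I FORWARD 1 -d "$1" -j ACCEPT; }
del_rule()     { while rule_present "$1"; do $IPT -D FORWARD -d "$1" -j ACCEPT; done; }

# lease_event <commit|release|expiry> <address>
lease_event() {
    local event="$1" ip="$2"
    if ! valid_ipv4 "$ip"; then
        $LOG "refusing $event for malformed address '$ip'"
        return 2
    fi
    case "$event" in
        commit)
            add_rule "$ip"
            $LOG "commit: forwarding allowed to $ip" ;;
        release|expiry)
            del_rule "$ip"
            $LOG "$event: forwarding rule for $ip removed" ;;
        *)
            $LOG "unknown event '$event'"
            return 2 ;;
    esac
}

if [ $# -eq 2 ]; then
    lease_event "$1" "$2"
fi
```

Two operational points: iptables needs CAP_NET_ADMIN, so if dhcpd drops to an unprivileged user (the default on several distributions) the hook needs a sudo rule limited to exactly this script; and because the rule keys on the destination address alone, a host that configures a leased address statically is still admitted, so the scheme restricts forwarding to addresses with an active lease, not to the clients that hold those leases.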
References
• http://www.linuxwizard.org/centos/xtables-addons-centos-6-iptables-geoip-filtering/
• http://www.ipp2p.org/docu_en.html
• https://github.com/tinti/xtables-addons/blob/master/extensions/pknock/libxt_pknock.man
• http://jpmens.net/2011/07/06/execute-a-script-when-isc-dhcp-hands-out-a-new-lease/
• Siju Thomas