Subject: [44net] Gateway filtering?
From: Steve L <kb9mwr(a)gmail.com>
Date: 07/03/2015 09:05 PM
To: "44net(a)hamradio.ucsd.edu" <44net(a)hamradio.ucsd.edu>
A few hosts behind my gateway want to accept general inbound internet
connections.
As discussed earlier there is a lot of crap and the gateway I run is
off a residential internet connection. Combine that with some limited
bandwidth radio links.
I have been thinking about applying some IP blacklists using the ipset tool.
ex: https://github.com/trick77/ipset-blacklist
I am not super savvy on the more advanced functions of TCP/IP in the
Linux networking stack.
Since all the inbound packets from the internet are encapsulated at
UCSD, how can I apply blacklisting? Can I apply them to the eth1
(wireless lan) output interface somehow?
Examples are especially helpful.
Thanks
Steve, kb9mwr
I use this a lot in the Dutch gateway. First, I have an ipset that is loaded with the
list of allocated addresses within 44.137.0.0/16. You don't need to do that when you
are behind the UCSD gateway, but we have a BGP-advertised /16 so we get a lot of
crap for addresses that are not allocated.
Then, there is an ipset that is loaded with addresses of persistent abusers like
shodan.io.
Finally, I have an ipset with those addresses for which the user has indicated that they
want to receive inbound connections from outside 44.0.0.0/8. This works in combination
with an iptables -m state --state ESTABLISHED,RELATED entry that passes the traffic
related to outgoing connections.
As a lot of hams are not interested in providing connectivity to the large internet, this
filter removes a lot of incoming traffic that would otherwise be blocked further down the
path (at their incoming firewall).
The use of these ipset filters in the firewall is quite simple:
# Drop traffic from abusers
$ipt -A amprifwd -m set --match-set Hackers src -j DROP
# Drop traffic for addresses not registered in DNS
$ipt -A amprifwd -m set ! --match-set PAnet dst -j DROP
# Allow related traffic
$ipt -A amprifwd -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop traffic to stations that don't want incoming from internet to HAMnet
$ipt -A amprifwd ! -s 44.0.0.0/8 -m set ! --match-set HAMnet dst -j DROP
# Drop invalid traffic (not related to existing connections) except TCP close-down traffic
$ipt -A amprifwd -p tcp --tcp-flags ACK,FIN ACK,FIN -j ACCEPT
$ipt -A amprifwd -p tcp --tcp-flags RST RST -j ACCEPT
$ipt -A amprifwd -m state --state INVALID -j DROP
# Accept remaining traffic
$ipt -A amprifwd -j ACCEPT
Of course you need to apply this filter to the FORWARD chain for traffic incoming on your
tunnel interface and being forwarded to your radio interface.
You can write such a filter (without the ESTABLISHED,RELATED part) for traffic forwarded
outbound as well. E.g. to block traffic from nonregistered addresses.
When loading the ipsets, it is important to note that you cannot delete a set that is in
use in iptables. So I use this method (in a script that reloads the sets, e.g. after an
address update):
ipset create HAMnet bitmap:ip range 44.137.0.0/16 2>/dev/null
ipset create HAMnet_new bitmap:ip range 44.137.0.0/16
ipset flush HAMnet_new
grep '^44\.137\.' hamnet | cut -f1 | while read ip
do
ipset add HAMnet_new $ip || echo "Failed to insert $ip in HAMnet_new"
done
ipset swap HAMnet_new HAMnet
ipset destroy HAMnet_new 2>/dev/null
This creates a new set, loads it with the data, then swaps it with the currently used set
and destroys that one. This operation is allowed while the set is in use, and of course is
preferred over just flushing the set and loading it, as during that brief time the filter
could drop traffic.
Rob
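As an added example (not Rob's script and not anything from the 44net project), the swap-based reload and the FORWARD-chain hookup written as a small POSIX shell script; the set name, address range, allocation-file format, chain name and interface names (tunl0 as the tunnel, eth1 as the radio side) are assumed placeholders, and DRY_RUN=1 prints the commands instead of executing them:

```shell
#!/bin/sh
# Added example, not from the original thread. Reloads an ipset atomically using the
# create / flush / add / swap / destroy sequence, and hooks the filter chain into FORWARD.
# Assumptions: the allocation file has one "ip<TAB>owner" line per entry, the sets are
# bitmap:ip over a /16, and DRY_RUN=1 prints each command instead of running it
# (so the script can be exercised without root or the ip_set kernel module).

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# reload_set NAME RANGE FILE: build NAME_new from FILE, swap it in, drop the old contents.
reload_set() {
  name=$1; range=$2; file=$3
  # Anchored regex for the set's /16, e.g. 44.137.0.0/16 -> ^44\.137\.
  prefix=$(printf '%s' "$range" | cut -d. -f1,2 | sed 's/\./\\./g')
  run ipset create "$name" bitmap:ip range "$range" 2>/dev/null   # no-op if it exists
  run ipset create "${name}_new" bitmap:ip range "$range"
  run ipset flush "${name}_new"
  grep "^${prefix}\." "$file" | cut -f1 | while read -r ip; do
    run ipset add "${name}_new" "$ip" || echo "Failed to insert $ip in ${name}_new" >&2
  done
  # swap is permitted while NAME is referenced by iptables, so the filter never runs empty
  run ipset swap "${name}_new" "$name"
  run ipset destroy "${name}_new" 2>/dev/null
}

# attach_chain CHAIN TUN_IF RADIO_IF: send traffic forwarded tunnel->radio through CHAIN.
# Run once at boot; the jump rule is not deduplicated here.
attach_chain() {
  chain=$1; tun=$2; radio=$3
  run iptables -N "$chain" 2>/dev/null
  run iptables -A FORWARD -i "$tun" -o "$radio" -j "$chain"
}

# demo: constructed allocation file with two in-range hosts and one outside 44.137/16,
# replayed in dry-run mode so the emitted command sequence can be inspected.
demo() {
  tmp=$(mktemp)
  printf '44.137.1.10\tpa1abc\n44.137.2.20\tpa2def\n10.0.0.5\toutside\n' > "$tmp"
  DRY_RUN=1
  reload_set HAMnet 44.137.0.0/16 "$tmp"
  attach_chain amprifwd tunl0 eth1
  rm -f "$tmp"
}
```

Running `demo` prints the exact ipset/iptables commands in order; unset DRY_RUN and run as root to apply them for real.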