Subject: [44net] Gateway filtering? From: Steve L kb9mwr@gmail.com Date: 07/03/2015 09:05 PM
To: "44net@hamradio.ucsd.edu" 44net@hamradio.ucsd.edu
A few hosts behind my gateway want to accept general inbound internet connections.
As discussed earlier there is a lot of crap and the gateway I run is off a residential internet connection. Combine that with some limited bandwidth radio links.
I have been thinking about applying some IP blacklists using the ipset tool.
ex:https://github.com/trick77/ipset-blacklist
I am not super savvy on the more advanced functions of tcpip in the Linux networking stack.
Since all the inbound packets from the internet are encapsulated at UCSD, how can I apply blacklisting? Can I apply them to the eth1 (wireless LAN) output interface somehow?
Examples are especially helpful.
Thanks
Steve, kb9mwr
I use this a lot in the Dutch gateway. First, I have an ipset that is loaded with the list of allocated addresses within 44.137.0.0/16. You don't need to do that when you are behind the UCSD gateway, but we have a BGP-advertised /16 so we get a lot of crap for addresses that are not allocated.
Then, there is an ipset that is loaded with addresses of persistent abusers like shodan.io.
Finally, I have an ipset with those addresses for which the user has indicated that they want to receive inbound connections from outside 44.0.0.0/8. This works in combination with an iptables -m state --state ESTABLISHED,RELATED entry that passes the traffic related to outgoing connections. As a lot of hams are not interested in providing connectivity to the large internet, this filter removes a lot of incoming traffic that would otherwise be blocked further down the path (at their incoming firewall).
The use of these ipset filters in the firewall is quite simple:
# Drop traffic from abusers
$ipt -A amprifwd -m set --match-set Hackers src -j DROP

# Drop traffic for addresses not registered in DNS
$ipt -A amprifwd -m set ! --match-set PAnet dst -j DROP

# Allow related traffic
$ipt -A amprifwd -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop traffic to stations that don't want incoming from internet to HAMnet
$ipt -A amprifwd ! -s 44.0.0.0/8 -m set ! --match-set HAMnet dst -j DROP

# Drop invalid traffic (not related to existing connections) except TCP close-down traffic
$ipt -A amprifwd -p tcp --tcp-flags ACK,FIN ACK,FIN -j ACCEPT
$ipt -A amprifwd -p tcp --tcp-flags RST RST -j ACCEPT
$ipt -A amprifwd -m state --state INVALID -j DROP

# Accept remaining traffic
$ipt -A amprifwd -j ACCEPT
Of course you need to apply this filter to the FORWARD chain for traffic incoming on your tunnel interface and being forwarded to your radio interface. You can write such a filter (without the ESTABLISHED,RELATED part) for traffic forwarded outbound as well, e.g. to block traffic from non-registered addresses.
When loading the ipsets, it is important to note that you cannot delete a set that is in use in iptables. So I use this method (in a script that reloads the sets e.g. after an address update):
ipset create HAMnet bitmap:ip range 44.137.0.0/16 2>/dev/null
ipset create HAMnet_new bitmap:ip range 44.137.0.0/16
ipset flush HAMnet_new

grep '^44.137.' hamnet | cut -f1 | while read ip
do
    ipset add HAMnet_new "$ip" || echo "Failed to insert $ip in HAMnet_new"
done

ipset swap HAMnet_new HAMnet
ipset destroy HAMnet_new 2>/dev/null
This creates a new set, loads it with the data, then swaps it with the currently used set and destroys that one. This operation is allowed while the set is in use, and of course is preferred over just flushing the set and loading it, as during that brief time the filter could drop traffic.
Rob
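The reload procedure and filter chain Rob describes, put together as one reusable script. This is an added example, not Rob's or Steve's own script: the set names (Hackers, HAMnet), the chain name (amprifwd) and the 44.137.0.0/16 range are taken from Rob's post; the interface names tunl0 (the IPIP tunnel from UCSD) and eth1 (the radio LAN) and the list file paths are assumptions. It adds two things the posted snippets do not have: each list entry is checked to be a well-formed IPv4 address or prefix before it is handed to ipset (a downloaded blacklist will contain comments and junk), and DRY_RUN=1 prints the ipset/iptables commands instead of running them, so the result can be inspected without root.

```shell
#!/bin/sh
# Added example (not the script from the post). Set names, chain name and the
# 44.137.0.0/16 range come from Rob's mail; tunl0, eth1 and the file paths are
# assumed. DRY_RUN=1 prints the commands instead of executing them.

IPSET=${IPSET:-ipset}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}
LOAD_SET_SKIPPED=0

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_ipv4_entry STR: succeed if STR is a dotted-quad IPv4 address with an
# optional /0-32 prefix. Anything else is refused rather than passed to ipset.
is_ipv4_entry() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# load_set NAME TYPE FILE [CREATE-OPTS...]: Rob's create / flush / add / swap /
# destroy sequence. The live set is replaced only by the swap, so iptables never
# matches against a half-loaded or empty set. Comments (#...) and blank lines in
# FILE are ignored; malformed entries are reported and counted in LOAD_SET_SKIPPED.
load_set() {
    name=$1; settype=$2; file=$3; shift 3
    LOAD_SET_SKIPPED=0
    run "$IPSET" create "$name" "$settype" "$@" 2>/dev/null || true   # may exist already
    run "$IPSET" create "${name}_new" "$settype" "$@"
    run "$IPSET" flush "${name}_new"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                  # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -z "$entry" ] && continue
        if is_ipv4_entry "$entry"; then
            run "$IPSET" add "${name}_new" "$entry" \
                || echo "Failed to insert $entry in ${name}_new" >&2
        else
            echo "Skipping malformed entry: $line" >&2
            LOAD_SET_SKIPPED=$((LOAD_SET_SKIPPED + 1))
        fi
    done < "$file"
    run "$IPSET" swap "${name}_new" "$name"
    run "$IPSET" destroy "${name}_new" 2>/dev/null || true
}

# filter_rules: rebuild the amprifwd chain from the post and hook it into
# FORWARD for traffic arriving on the tunnel and leaving on the radio LAN.
filter_rules() {
    run "$IPT" -N amprifwd 2>/dev/null || true
    run "$IPT" -F amprifwd
    run "$IPT" -A amprifwd -m set --match-set Hackers src -j DROP
    run "$IPT" -A amprifwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A amprifwd ! -s 44.0.0.0/8 -m set ! --match-set HAMnet dst -j DROP
    run "$IPT" -A amprifwd -p tcp --tcp-flags ACK,FIN ACK,FIN -j ACCEPT
    run "$IPT" -A amprifwd -p tcp --tcp-flags RST RST -j ACCEPT
    run "$IPT" -A amprifwd -m state --state INVALID -j DROP
    run "$IPT" -A amprifwd -j ACCEPT
    # delete-then-insert keeps exactly one hook rule across reloads
    run "$IPT" -D FORWARD -i tunl0 -o eth1 -j amprifwd 2>/dev/null || true
    run "$IPT" -I FORWARD -i tunl0 -o eth1 -j amprifwd
}

# main [HACKERS-FILE] [HAMNET-FILE]: reload both sets, then the chain
main() {
    load_set Hackers hash:net "${1:-/etc/ampr/hackers.txt}"
    load_set HAMnet bitmap:ip "${2:-/etc/ampr/hamnet.txt}" range 44.137.0.0/16
    filter_rules
}

# usage: DRY_RUN=1 sh gwfilter.sh reload hackers.txt hamnet.txt
if [ "${1:-}" = "reload" ]; then
    shift
    main "$@"
fi
```

The Hackers set is hash:net so that whole prefixes from a blacklist feed can be dropped with one entry; HAMnet keeps Rob's bitmap:ip over the /16, which only accepts addresses inside that range, so a stray address in the list fails at insert time and is reported rather than silently opening something else.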