
This has more than likely been asked by a million people with a million different answers but here goes. I was wondering if it is possible for iptables to filter by a domain name? I would like to restrict port 80 connections to .nz domains only and all others are stealthed. The solution does not need to be very fast, handle more than one high level domain or any other ports and is not for commercial usage. Any solutions?

I was wondering if it is possible for iptables to filter by a domain name?
I would like to restrict port 80 connects to .nz domains only and all others are stealthed.
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require. Cheers Philip Murray Systems Engineer - Open2view.com webmaster(a)open2view.com

At 17:27 26/04/2004, you wrote:
I was wondering if it is possible for iptables to filter by a domain name?
I would like to restrict port 80 connects to .nz domains only and all others are stealthed.
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? And will it stealth the connection? The idea is to silence the port scanning kiddies.
Cheers
Philip Murray Systems Engineer - Open2view.com webmaster(a)open2view.com
_______________________________________________ wlug mailing list | wlug(a)list.waikato.ac.nz Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug

* DrWho? <x_files_(a)ihug.co.nz> [2004-04-26 12:19]:
At 17:27 26/04/2004, you wrote:
Who is "you"? Can you configure your mailer for proper attribution, please?
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? And will it stealth the connection? The idea is to silence the port scanning kiddies.
Well, you can put the proxy in place of the webserver, and proxy to a backend webserver that never communicates with anyone except via the proxy -- which is called reverse proxying --, and then you could filter incoming connections this way. But no, obviously neither of these will "stealth" the ports. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."

At 22:33 26/04/2004, you wrote:
* DrWho? <x_files_(a)ihug.co.nz> [2004-04-26 12:19]:
At 17:27 26/04/2004, you wrote:
Who is "you"? Can you configure your mailer for proper attribution, please?
Not sure what you mean?
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? And will it stealth the connection? The idea is to silence the port scanning kiddies.
Well, you can put the proxy in place of the webserver, and proxy to a backend webserver that never communicates with anyone except via the proxy -- which is called reverse proxying --, and then you could filter incoming connections this way.
But no, obviously neither of these will "stealth" the ports.
I was thinking of something like that, but the non-stealthing is a downside. The idea is to save the DSL cap from being blown by unneeded offshore connections. It looks like some serious coding is in order for an iptables extension. The shame of it all is I can do just what I want in Windows using the Kerio firewall, but cannot find anything for Linux that will do it.
-- Regards, Aristotle
"If you can't laugh at yourself, you don't take life seriously enough."

On Mon, Apr 26, 2004 at 11:52:08PM +1200, DrWho? wrote:
At 22:33 26/04/2004, you wrote:
^^^
* DrWho? <x_files_(a)ihug.co.nz> [2004-04-26 12:19]:
At 17:27 26/04/2004, you wrote:
^^^
Who is "you"? Can you configure your mailer for proper attribution, please?
Not sure what you mean?
He means that your mailer starts messages with "... YOU wrote", even when it is sending to a mailing list.
The idea is to save the DSL cap from being blown by un-needed offshore connections.
All incoming packets will count against your data cap, regardless of whether or not your machine accepts them. If you want an apache-only solution, you can do
    order deny,allow
    deny from all
    allow from .nz
in a <Location> block, but that will mean that people in NZ whose dns returns anything other than .nz won't be able to get to it. Likewise machines with a .nz might actually be located overseas. John McPherson

If you want an apache-only solution, you can do
    order deny,allow
    deny from all
    allow from .nz
in a <Location> block, but that will mean that people in NZ whose dns returns anything other than .nz won't be able to get to it. Likewise machines with a .nz might actually be located overseas.
This is overly flawed, see my previous post (but a simple solution nonetheless) - Drew

On Mon, Apr 26, 2004 at 11:52:08PM +1200, DrWho? wrote:
At 22:33 26/04/2004, you wrote:
^^^
* DrWho? <x_files_(a)ihug.co.nz> [2004-04-26 12:19]:
At 17:27 26/04/2004, you wrote:
^^^
Who is "you"? Can you configure your mailer for proper attribution, please?
Not sure what you mean?
He means that your mailer starts messages with "... YOU wrote", even when it is sending to a mailing list.
The idea is to save the DSL cap from being blown by un-needed offshore connections.
All incoming packets will count against your data cap, regardless of whether or not your machine accepts them.
True, but if the ports are stealthed then only the initial scan will be counted and no further traffic will come from the offending party.
If you want an apache-only solution, you can do
    order deny,allow
    deny from all
    allow from .nz
in a <Location> block, but that will mean that people in NZ whose dns returns anything other than .nz won't be able to get to it. Likewise machines with a .nz might actually be located overseas.
I can live with that thanks, as 99% of the people who will need to access the site will be from xtra, ihug or paradise. Interesting the bit about the overseas hosting; as far as my cap is concerned, if it is a .nz I consider that national traffic and it is IHUG's problem to filter that out from my international traffic.
John McPherson

DrWho? wrote:
I can live with that thanks, as 99% of the people who will need to access the site will be from xtra, ihug or paradise. Interesting the bit about the overseas hosting; as far as my cap is concerned, if it is a .nz I consider that national traffic and it is IHUG's problem to filter that out from my international traffic.
Then you'd be mistaken. Traffic is calculated from the IP address, and not the hostname. It's up to you to verify the sites you visit whether they are overseas or not. Gavin Grieve

Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? and will it stealth the connection? idea is to silence the port scanning kiddies.
Well, you can put the proxy in place of the webserver, and proxy to a backend webserver that never communicates with anyone except via the proxy -- which is called reverse proxying --, and then you could filter incoming connections this way.
But no, obviously neither of these will "stealth" the ports.
I was thinking of something like that, but the non-stealthing is a down side.
The idea is to save the DSL cap from being blown by un-needed offshore connections.
It looks like some serious coding is in order for an iptables extension.
The shame of it all is I can do just what I want in Windows using the Kerio firewall, but cannot find anything for Linux that will do it.
You are doing things the most illogical and stupid way. You can't rely on DNS; the only fact you can rely on (mostly) is the IP at the other end. What you do want to do is drop/deny all non-NZ IP ranges, allow only NZ IP ranges, and this still may not save your ADSL quota from people who want to keep poking international data down your ADSL to be dropped on the floor. I have had my system set up with a national and international routing system. It's not easy, and not 100%. Most of the people that want this system are stupid kiddies who want to use p2p apps all month or run their own file trading system with only their unlimited national ADSL connection. Is this you?

At 09:10 27/04/2004, you wrote:
Forward outgoing connections to port 80 through Squid (known as Transparent Proxying) and then get Squid to block access to the sites that you require.
Thanks, will that work for incoming connections as well? and will it stealth the connection? idea is to silence the port scanning kiddies.
Well, you can put the proxy in place of the webserver, and proxy to a backend webserver that never communicates with anyone except via the proxy -- which is called reverse proxying --, and then you could filter incoming connections this way.
But no, obviously neither of these will "stealth" the ports.
I was thinking of something like that, but the non-stealthing is a down side.
The idea is to save the DSL cap from being blown by un-needed offshore connections.
It looks like some serious coding is in order for an iptables extension.
The shame of it all is I can do just what I want in Windows using the Kerio firewall, but cannot find anything for Linux that will do it.
You are doing things the most illogical and stupid way. You can't rely on DNS; the only fact you can rely on (mostly) is the IP at the other end.
What you do want to do is drop/deny all non-NZ IP ranges, allow only NZ IP ranges, and this still may not save your ADSL quota from people who want to keep poking international data down your ADSL to be dropped on the floor.
I have had my system set up with a national and international routing system. It's not easy, and not 100%.
Most of the people that want this system are stupid kiddies who want to use p2p apps all month or run their own file trading system with only their unlimited national ADSL connection. Is this you?
No, I wish to use it for an Apache server to look up booking details for a local club's annual event from MySQL. As I said at the start, I was not too concerned about how good the solution was, so if it drops someone from NZ who did not have a .nz at the end of a DNS record, so what. Also it does not have to be a commercial or production grade solution either, so if it takes 5 seconds to figure out if the traffic is valid then I don't care.

The solution does not need to be very fast, handle more then one high level domain or any other ports and is not for commercial usage.
Any solutions?
http://www.wlug.org.nz/NationalOnlyTrafficFirewalling I am (slowly) working on a solution for people who do not have availability to the international/national junction at an ISP. Hope this helps, it needs testing if you are keen - Drew

My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter. It seems a simple idea, very slow and I do not know how it would go with recursive entry, but for what I want it would do. Did you look at a similar idea first before filtering the subnets? At 19:30 26/04/2004, you wrote:
The solution does not need to be very fast, handle more then one high level domain or any other ports and is not for commercial usage.
Any solutions?
http://www.wlug.org.nz/NationalOnlyTrafficFirewalling
I am (slowly) working on a solution for people who do not have availability to the international/national junction at an ISP.
Hope this helps, it needs testing if you are keen
- Drew

My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter.
It seems a simple idea, very slow and I do not know how it would go with recursive entry, but for what I want it would do.
IPTABLES = kernel (correct me if I'm wrong, I'm used to IPFW)
PERL = non kernel
Performance would be the issue with that (especially if running on an XT :P)
Also, what about ihug.net? What about companies that have PTR records to .com, i.e. nz.microsoft.com? I have tried the resolution issue, and had many problems on a NZ file based website. - Drew

DrWho? wrote:
My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter.
PAINFUL!! If you wanted it hidden you'd have to blackhole the port by default, sniff for attempted connections, look up the address, change firewalling on the fly.. and you're opening yourself up for a huge self-DoS if someone spoofs millions of random SYN packets at you. I believe there's a list of IP ranges that are allocated within New Zealand. Configure your box to accept those and blackhole everything else. End of problem.

DrWho? wrote:
My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter.
PAINFUL!!
Yes using pearl does not seem a good idea, so I will have to code an extension for iptables. And after all, is not "have a go" the key part of the Linux experience?
If you wanted it hidden you'd have to blackhole the port by default, sniff for attempted connections, look up the address, change firewalling on the fly.. and you're opening yourself up for a huge self-DoS if someone spoofs millions of random SYN packets at you.
That seems to be the conclusion I have come to as well. The SYN attack risk could be reduced by making use of the counters and limiting the number of connection attempts to say 2 and then dropping them thereafter.
I believe there's a list of IP ranges that are allocated within New Zealand. configure your box to accept those and blackhole everything else. End of problem.
It just seems to be a lot of effort for such a fundamental operation.. as I say Windows users can do just what I want to do with very little hassle!! Damn frustrating!!

Yes using pearl does not seem a good idea...
Sorry to be picky, but it's PERL. (Practical Extraction and Reporting Language) After many years helping a CGI IRC channel based on PERL, the amount of times I see pearl, each time gets to me like bamboo growing under my fingernails. Here's a quick history (it's always good to discover the background of a language before using it, IIR it is generally an accepted and great method of learning the language's style) URL: http://history.perl.org/PerlTimeline.html - Drew

* Drew Broadley <drew(a)corrupt.co.nz> [2004-04-27 01:18]:
Sorry to be picky, but it's PERL. (Practical Extraction and Reporting Language)
Sorry to be picky, but it's Perl, because it's only a backronym. You can expand it as Pathologically Eclective Rubbish Lister with Larry's blessing. :-) There's also "perl", for when you're referring to the binary that executes Perl. But there's no PERL. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."

* Drew Broadley <drew(a)corrupt.co.nz> [2004-04-27 01:18]:
Sorry to be picky, but it's PERL. (Practical Extraction and Reporting Language)
Sorry to be picky, but it's Perl, because it's only a backronym. You can expand it as Pathologically Eclective Rubbish Lister with Larry's blessing. :-)
There's also "perl", for when you're referring to the binary that executes Perl.
But there's no PERL.
Filesystems which are pedantic about case are stupid. Humans which are pedantic about the case of an acronym are 100 times worse.

* OrIoN(a)CoKe.nEt.nZ <oRiOn(a)cOkE.NeT.Nz> [2004-04-27 03:21]:
FiLeSyStEmS WhIcH ArE PeDaNtIc aBoUt cAsE ArE StUpId. HuMaNs WhIcH ArE PeDaNtIc aBoUt tHe cAsE Of aN AcRoNyM ArE 100 TiMeS WoRsE.
i bEt yOu cArE AbOuT CaSe aS WeLl. -- ReGaRdS, ArIsToTlE "iF YoU CaN'T LaUgH At yOuRsElF, yOu dOn't tAkE LiFe sErIoUsLy eNoUgH."

Drew Broadley wrote:
When you refer to the language its PERL.
What's the difference between "perl" and "Perl"? One bit. Oh, you weren't talking ASCII? :-) Larry now uses "Perl" to signify the language proper and "perl" the implementation of it, i.e. the current interpreter. Hence Tom's quip that "Nothing but perl can parse Perl." You may or may not choose to follow this usage. For example, parallelism means "awk and perl" and "Python and Perl" look OK, while "awk and Perl" and "Python and perl" do not. But never write "PERL", because perl is not an acronym, apocryphal folklore and post-facto expansions notwithstanding. http://www.perldoc.com/perl5.8.0/pod/perlfaq1.html#What's-the-difference-between--perl--and--Perl-- -- Matthias

What's the difference between "perl" and "Perl"?
http://www.perldoc.com/perl5.8.0/pod/perlfaq1.html#What's-the-difference-between--perl--and--Perl-- Grr, I have always been taught to refer to PERL the language in general as PERL because of its acronym. Was this an update in documentation since the v5.8.0 release to refer to it as "Perl"? Well apologies, I should really waste some time in my life and get up to date on these things (it honestly wasn't something I thought would be so culturally critical to research into the language style) "Today's world has too many options, and things we once were are not anymore tomorrow" - Old Codger - Drew

* Drew Broadley <drew(a)corrupt.co.nz> [2004-04-27 05:08]:
Grr, I have always been taught to refer to PERL the language in general as PERL because of its acronym.
That can't have been by anyone actually part of the Perl community though.. as you would have been taught to refer to it as "Perl" long ago in places like clpm, Perlmonks, or one of the perl.org mailinglists.
Was this an update in documentation since the v5.8.0 release to refer to it as "Perl"?
No. It has been there for ages. Looking at CPAN, the first release which included the "never write PERL" bit is 5.005_03 (released Mar 28, 1999): http://search.cpan.org/dist/perl5.005_03/pod/perlfaq1.pod The previous version, 5.005_02 (released Aug 8, 1998), did not include it: http://search.cpan.org/dist/perl5.005_02/pod/perlfaq1.pod In other words, this bit has been in the FAQ since the end of 1998. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."

One bit. Oh, you weren't talking ASCII? :-) Larry now uses "Perl" to signify the language proper and "perl" the implementation of it, i.e. the current interpreter. Hence Tom's quip that "Nothing but perl can parse Perl." You may or may not choose to follow this usage. For example, parallelism means "awk and perl" and "Python and Perl" look OK, while "awk and Perl" and "Python and perl" do not. But never write "PERL", because perl is not an acronym, apocryphal folklore and post-facto expansions notwithstanding.
Reading this again, it reminds me of PHP changing from "Personalised Home Page" to its current meaning! Why god WHY ? - Drew

Drew Broadley wrote:
Reading this again, it reminds me of PHP changing from "Personalised Home Page" to its current meaning!
ITYM PHP/FI, which stood for 'Personal Home Page / Forms Interpreter'. It then changed to just PHP (PHP: Hypertext Preprocessor) to drop the implication of limited personal use. Chairs Philip Murray Systems Engineer - Open2view.com webmaster(a)open2view.com

Reading this again, it reminds me of PHP changing from "Personalised Home Page" to its current meaning!
Why god WHY ?
The same reason that "RPM Package Manager" exists; because the project grew and found new uses.
Okay, that was generally a rant and not to be looked into any deeper/further. - Drew

* DrWho? <x_files_(a)ihug.co.nz> [2004-04-27 00:08]:
That seems to be the conclusion I have come to as well. The SYN attack risk could be reduced by making use of the counters and limiting the number of connection attempts to say 2 and then dropping them thereafter.
You're still susceptible to DoS, except it's now much easier, because you play "I can't hear anything" as soon as someone starts singing. -- Regards, Aristotle "If you can't laugh at yourself, you don't take life seriously enough."

At 13:01 27/04/2004 A. Pagaltzis did say...
* DrWho? <x_files_(a)ihug.co.nz> [2004-04-27 00:08]:
That seems to be the conclusion I have come to as well. The SYN attack risk could be reduced by making use of the counters and limiting the number of connection attempts to say 2 and then dropping them thereafter.
You're still susceptible to DoS, except it's now much easier, because you play "I can't hear anything" as soon as someone starts singing.
It would be safe to say that before an attack can be launched there will need to be an indication that something is there to be attacked in the first place, and if the system is fully stealthed then there will be no replies coming from the system from any port using any protocol, so unless someone passes the IP address on to someone, or something just launches a random attack on a random address, both of which one can do nothing about anyway, I can live with it. A DoS attack from a national or local IP will not affect my cap and if it brings the system down also no great loss. By structuring the chains in the correct sequence I can minimize the risk / effect of a DoS and can live with any performance hits as a result. After all, this is not a production or commercial server! After all, no one really has any control over what incoming traffic they receive from upstream sources, therefore concentrating on minimizing the outgoing is the best one can do. Regards, Brett.
-- Regards, Aristotle
"If you can't laugh at yourself, you don't take life seriously enough."

On Mon, 2004-04-26 at 21:25, DrWho? wrote:
My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter.
It's not production-ready since I just wrote it by hacking the example code that came with IPTables::IPv4::IPQueue apart, but here's the basics of how it's done. You'll need the 'Userspace queueing via NETLINK' kernel module (ip_queue.ko) and the IPTables::IPv4::IPQueue and NetPacket::IP perl modules.

First hook port 80 like this:

    iptables -A INPUT -p tcp --dst $me --dport 80 -j QUEUE

And the perl script goes something like this:

    #! /usr/bin/perl
    use warnings;
    use strict;
    use IPTables::IPv4::IPQueue qw(:constants);
    use NetPacket::IP;
    use Socket;

    # how long get_message() waits for a queued packet: 2 seconds, in microseconds
    use constant TIMEOUT => 1_000_000 * 2;

    my ($queue, $msg, $ip, $host);

    # copy each queued packet (up to 2048 bytes) into userspace so we can decode it
    $queue = new IPTables::IPv4::IPQueue(copy_mode => &IPQ_COPY_PACKET, copy_range => 2048)
        or die IPTables::IPv4::IPQueue->errstr;

    while (1) {
        $msg = $queue->get_message(TIMEOUT);
        if (!defined $msg) {
            next if IPTables::IPv4::IPQueue->errstr eq 'Timeout';
            die IPTables::IPv4::IPQueue->errstr;
        }
        if ($msg->data_len()) {
            $ip = NetPacket::IP->decode($msg->payload());
            # reverse lookup of the source address; undef if there is no PTR record
            $host = gethostbyaddr(inet_aton($ip->{src_ip}), AF_INET);
            #print "Packet from: ",$ip->{src_ip}," - $host ... ";
            # a missing PTR record is treated as non-.nz instead of matching against undef
            if (defined $host && $host =~ /\.nz$/) {
                #print "ACCEPT\n";
                $queue->set_verdict($msg->packet_id, NF_ACCEPT);
            } else {
                #print "DROP\n";
                $queue->set_verdict($msg->packet_id, NF_DROP);
            }
        } else { # no data?
            #print "Dropping empty packet: ",$msg->packet_id(),"\n";
            $queue->set_verdict($msg->packet_id, NF_DROP);
        }
    }

-- Colin Palmer <colinp(a)waikato.ac.nz> University of Waikato, ITS Division
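The verdict logic of the ip_queue script above, rewritten in Python as an added example that is not from the original post, so that the objections raised earlier in the thread can be exercised offline: a source with no PTR record, a NZ host whose PTR ends in .com, and the fact that the PTR policy costs one lookup per packet (the self-DoS point). The IP-range allow-list that several replies suggest is shown beside it. The addresses, PTR names and the "NZ" range 203.0.113.0/24 are constructed samples, and a fake resolver stands in for gethostbyaddr.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

ACCEPT = "ACCEPT"
DROP = "DROP"

# Constructed PTR table standing in for gethostbyaddr(). None of these
# addresses or names are real allocations; they only cover the cases the
# thread raises. 203.0.113.30 deliberately has no PTR record at all.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "dsl-10.example.net.nz",  # NZ host with a .nz PTR
    "203.0.113.20": "nz.example.com",          # NZ host whose PTR ends in .com
    "198.51.100.5": "host5.example.org",       # offshore host
}


class CountingResolver:
    """Fake reverse resolver that counts how many lookups a policy forces."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table = table
        self.calls = 0

    def __call__(self, addr: str) -> Optional[str]:
        self.calls += 1
        return self.table.get(addr)


def verdict_by_ptr(src_ip: str, lookup: Callable[[str], Optional[str]],
                   suffix: str = ".nz") -> str:
    """Policy from the Perl script: accept iff the reverse name ends in .nz.
    A missing PTR record is handled explicitly (the Perl version would have
    matched against undef) and a trailing dot / mixed case is normalised."""
    host = lookup(src_ip)
    if host is None:
        return DROP
    return ACCEPT if host.lower().rstrip(".").endswith(suffix) else DROP


# Constructed sample stand-in for "the list of IP ranges allocated within NZ".
NZ_ALLOWLIST: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/24")]


def verdict_by_range(src_ip: str,
                     allowlist: Iterable[ipaddress.IPv4Network] = NZ_ALLOWLIST) -> str:
    """Alternative policy: decide on the source address alone, no DNS involved."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return DROP  # malformed source, never accept it
    return ACCEPT if any(addr in net for net in allowlist) else DROP


def compare(src_ips: Iterable[str],
            lookup: Callable[[str], Optional[str]]) -> Dict[str, Tuple[str, str]]:
    """Run both policies over a batch of source addresses: {ip: (ptr, range)}."""
    return {ip: (verdict_by_ptr(ip, lookup), verdict_by_range(ip)) for ip in src_ips}


if __name__ == "__main__":
    resolver = CountingResolver(FAKE_PTR)
    sample = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.5"]
    for ip, (by_ptr, by_range) in compare(sample, resolver).items():
        print(f"{ip:15} ptr={by_ptr:6} range={by_range}")
    print(f"reverse lookups forced by the PTR policy: {resolver.calls}")
```

The PTR policy drops 203.0.113.20 and 203.0.113.30 even though both sit inside the sample NZ range, and it performs a lookup for every packet it sees; the range policy needs none, which is why the thread's IP-based suggestion scales under a spoofed SYN flood where the reverse-lookup one does not.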

I've just been to two of the Libraries where I delivered the installfest poster, explained what it was about, and they agreed to put the poster on display. A week later, neither of these libraries have it on display. Would WLUG members please check with their own local library if _any_ of them are displaying our poster, and if not, ask why?

At 11:19 27/04/2004, you wrote:
On Mon, 2004-04-26 at 21:25, DrWho? wrote:
My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the IP address and look for .nz at the end and pass/fail thereafter.
It's not production-ready since I just wrote it by hacking the example code that came with IPTables::IPv4::IPQueue apart, but here's the basics of how it's done.
You'll need 'Userspace queueing via NETLINK' kernel module (ip_queue.ko) and the IPTables::IPv4::IPQueue and NetPacket::IP perl modules.
First hook port 80 like this:
iptables -A INPUT -p tcp --dst $me --dport 80 -j QUEUE
I assume it will work if I just hook SYN requests? I will try it and see.
And the perl script goes something like this:
Thanks, I thought it should be possible, even if it is slow and nasty<grin> Time for some kernel hacking.
    #! /usr/bin/perl
    use warnings;
    use strict;
    use IPTables::IPv4::IPQueue qw(:constants);
    use NetPacket::IP;
    use Socket;

    # how long get_message() waits for a queued packet: 2 seconds, in microseconds
    use constant TIMEOUT => 1_000_000 * 2;

    my ($queue, $msg, $ip, $host);

    # copy each queued packet (up to 2048 bytes) into userspace so we can decode it
    $queue = new IPTables::IPv4::IPQueue(copy_mode => &IPQ_COPY_PACKET, copy_range => 2048)
        or die IPTables::IPv4::IPQueue->errstr;

    while (1) {
        $msg = $queue->get_message(TIMEOUT);
        if (!defined $msg) {
            next if IPTables::IPv4::IPQueue->errstr eq 'Timeout';
            die IPTables::IPv4::IPQueue->errstr;
        }
        if ($msg->data_len()) {
            $ip = NetPacket::IP->decode($msg->payload());
            # reverse lookup of the source address; undef if there is no PTR record
            $host = gethostbyaddr(inet_aton($ip->{src_ip}), AF_INET);
            #print "Packet from: ",$ip->{src_ip}," - $host ... ";
            # a missing PTR record is treated as non-.nz instead of matching against undef
            if (defined $host && $host =~ /\.nz$/) {
                #print "ACCEPT\n";
                $queue->set_verdict($msg->packet_id, NF_ACCEPT);
            } else {
                #print "DROP\n";
                $queue->set_verdict($msg->packet_id, NF_DROP);
            }
        } else { # no data?
            #print "Dropping empty packet: ",$msg->packet_id(),"\n";
            $queue->set_verdict($msg->packet_id, NF_DROP);
        }
    }
-- Colin Palmer <colinp(a)waikato.ac.nz> University of Waikato, ITS Division