Paul W. Roach III on 3 Feb 2012 06:09:41 -0800



Re: [PLUG] Quick & dirty IP blocking


Definitely a cool tool!  Something to consider:
 
Nullroutes don't affect incoming traffic, they affect outgoing traffic.  This means that their packets will still hit you (and whatever service is on the other end of the port in question), but your replies will be nullrouted into the bit bucket.
 
If you have an exposed service that's vulnerable to a UDP attack, you're still exposed.  Or if you had a vulnerability that could be triggered by any single packet or a stream that required no handshake or reply, TCP or otherwise.
This doesn't limit you from locking yourself out either, if you're in that subnet.  The iptables equivalent would be:
 
iptables -A INPUT -s 192.168.192.0/24 -j DROP
 
If you wanted to ensure no return traffic to that destination left your box:
 
iptables -A OUTPUT -d 192.168.192.0/24 -j DROP
 
If you wanted to ensure (on most distros) that these rules survive reboot:
 
/etc/init.d/iptables save
 
Either with this or with nullrouting, you're just as (un)likely to lock yourself out, and you have the ability to filter the packets at the kernel before they hit the daemon on the other end of the port.

Do you have any data to suggest that routing is any more or less overhead than iptables?  Both happen in the kernel, and netfilter is, in my experience, VERY efficient -- and is always running, whether you think it is or not.  When you do /etc/init.d/iptables stop, or "turn off the service", it simply zeros out the rules.  Every packet still traverses the tables and chains, as evidenced by this output from a machine with "iptables off"
 
[root@erwin ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 33M packets, 9042M bytes)
 pkts bytes target     prot opt in     out     source               destination
...
Chain OUTPUT (policy ACCEPT 28M packets, 6744M bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Thanks,
-P
 
On Fri, Feb 3, 2012 at 3:05 AM, sean finney <seanius@seanius.net> wrote:
On Thu, Feb 02, 2012 at 11:53:18PM -0500, JP Vossen wrote:
> But then I found 'ip route add blackhole ...'
> http://en.wikipedia.org/wiki/Nullroute

neato, did not know about that :)

> addresses, and had added that to /etc/rc.local, after testing, so it
> will survive a reboot.  I'm sure there's a better, ifcfg-related
> place to put it, but this worked for me.  Unlike iptables or

one thing you might want to watch out for is that depending on your
distro / environment, restarting networking (or even just losing
your link for a moment) might lose that routing info on the live system.

for "traditional" debian/ubuntu networking (/etc/network/interfaces),
you could put in an "up" stanza in your config:

       iface eth0 inet dhcp
               up ip route add blackhole...

I think NetworkManager may respect that on systems that
use /e/n/i.  Don't know about RH/FC but would imagine they have
a similar type of hook action.


       sean
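The thread's caution about locking yourself out of a subnet you block applies equally to the DROP rules and to the blackhole route. The script below is an added example, not code from anyone in the thread: it checks whether an administrator's address (defaulting to the far end of the current SSH session, taken from SSH_CLIENT) falls inside the CIDR to be blocked, and only then prints the iptables and ip route commands from the discussion. The function names, the 192.168.192.0/24 range and the sample addresses are constructed for illustration; nothing is applied, so it runs unprivileged, and the printed commands can be reviewed and then run as root.

```shell
#!/bin/sh
# Added example: plan a subnet block without applying it. Pure POSIX sh,
# no bitwise operators, so it runs under dash as well as bash.

# ip4_to_int ADDR: dotted quad -> unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR CIDR: succeed when ADDR lies inside CIDR (e.g. 192.168.192.0/24)
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # host_size = 2^(32-bits); dividing by it is the same as masking off
    # the host bits, which avoids shift operators entirely
    host_size=1
    i=$bits
    while [ "$i" -lt 32 ]; do
        host_size=$(( host_size * 2 ))
        i=$(( i + 1 ))
    done
    [ $(( addr / host_size )) -eq $(( net / host_size )) ]
}

# block_plan CIDR [ADMIN_ADDR]: print the rules that would block CIDR, or
# refuse when ADMIN_ADDR (default: the client side of this SSH session)
# would be caught by them. Hypothetical helper, assumed for this example.
block_plan() {
    cidr=$1
    admin=${2:-${SSH_CLIENT%% *}}   # SSH_CLIENT is "addr port port" when set
    if [ -n "$admin" ] && in_cidr "$admin" "$cidr"; then
        echo "refusing: $admin is inside $cidr, this would lock you out" >&2
        return 1
    fi
    cat <<EOF
# filter inbound at the kernel, before the daemon behind the port sees it
iptables -A INPUT -s $cidr -j DROP
# and make sure no reply to that range leaves the box either
iptables -A OUTPUT -d $cidr -j DROP
# route-level equivalent for replies only (the thread's nullroute)
ip route add blackhole $cidr
EOF
}

# Constructed sample run: block 192.168.192.0/24 while connected from 10.0.0.1.
# Review the output, then pipe it to sh as root once satisfied.
block_plan 192.168.192.0/24 10.0.0.1
```

A deliberate limitation: the check only guards the administrator's own address, so a block on a range that carries the default gateway or a dependent service still goes through; that mirrors the thread's point that neither DROP rules nor blackhole routes protect you from your own typo.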
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
