brent timothy saner on 22 May 2017 13:10:51 -0700



Re: [PLUG] iptables question on redirection & circumvention reporting


On 05/22/2017 03:41 PM, Thomas Delrue wrote:
> Hello,
> 
> I have an internal network with a couple of tens to a hundred devices on it.
> For internal reasons, everyone on the network should be using a specific
> set of DNS servers; for giggles, let's assume that the IPs of those DNS
> servers are 10.0.0.2 & 10.0.0.3.
> On the router for this network, we've set it so that it will use that
> particular DNS server to resolve domains and by default we use DHCP to
> tell all clients to use their gateway when resolving DNS queries, thus
> using 10.0.0.2 or 10.0.0.3.
> 
> However, I'm sure you feel where I'm going because there's always that
> one guy/gal who's a tad bit too clever for their own good:
> We've run some traces and figured out that some of the folks (these are
> people who are tech-savvy, don't have access to the router but do have
> admin/root-powers on their own machines) have been setting their own
> machines to use a non-sanctioned DNS server (e.g. 8.8.8.8 for you
> google-people out there).
> 
> My question is twofold:
> 
> First: Is there a way, using iptables (or some other firewall), to
> intercept DNS requests to anything but 10.0.0.2 and 10.0.0.3 and
> redirect them to 10.0.0.2 or 10.0.0.3 in such a way that said users
> would /think/ they get a response from 8.8.8.8 (i.e. they fire off their
> request to 8.8.8.8) but they actually get a response from 10.0.0.2 or
> 10.0.0.3.
> 

# On the router this belongs in nat/PREROUTING (traffic forwarded from the LAN);
# nat/OUTPUT only sees packets the router itself generates.
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 10.0.0.2:53

> Second: If I wanted to figure out, on an ongoing basis (i.e. for future
> attempts), how many of these things are happening, when they are
> happening and who is using the non-sanctioned DNS server, so how would I
> generate a log of this? I would want genuine requests (to 10.0.0.2 or
> 10.0.0.3) to /not/ show up in the log and non-genuine requests (to port
> 53 on /anything but/ either 10.0.0.2 or 10.0.0.3) to show up with
> time-stamp and source IP.
> What would this look like?

here's where it gets hairy. you can definitely log with iptables but
once you start doing log chains (e.g.
https://www.svennd.be/creating-a-log-chain-for-iptables/ ), you'll
probably want something like Shorewall (http://shorewall.org/).

Your example below can be done with one line in /etc/shorewall{,6}/rules
(assuming you named your WAN zone as "wan" and your local zone as "lan"):

#ACTION       SRC DST          PROTO   DPRT    SPRT   ORIGDEST...
# SRC is the lan zone: the clients being redirected sit on the LAN, not the WAN
DNAT:Info:DNS lan lan:10.0.0.2 tcp,udp 53       -       -


If you only want the rule to apply to specific external DNS servers, you
can put those IPs for ORIGDEST.

trust me. shorewall actually makes iptables rules sane.

> 
> I was thinking about this and came up with something like this for
> iptables but don't know if it would work, so before I deploy/test this,
> I was wondering if there is anyone who would be able to tell me whether
> this would/could work or if this is a dumb thing to do...
> 
> iptables -N DNS_MANDATE
> # these two DNS servers are mandated (the chain is only entered for
> # port-53 tcp/udp below, so -p/--dport is not repeated here)
> iptables -A DNS_MANDATE -d 10.0.0.2 -j ACCEPT
> iptables -A DNS_MANDATE -d 10.0.0.3 -j ACCEPT
> # log anything that hasn't returned
> iptables -A DNS_MANDATE -j LOG --log-prefix "DNS Circumvention Attempt:"
> # rewrite and redirect
> ##### [ ??? what goes here to do the actual redirect ??? ] #####
> # We're done after the redirect, but let the redirect through
> iptables -A DNS_MANDATE -j RETURN # Is this the right thing to do?
> 
> # put this in the output chain?
> iptables -A OUTPUT -p tcp --dport 53 -j DNS_MANDATE
> iptables -A OUTPUT -p udp --dport 53 -j DNS_MANDATE
> 
> For extra credit: how would I do this using ip6tables (for servers with
> IPv6 addresses assigned)? Would it be massively different? What about
> netfilter/nftables?
> 
> 

pretty sure you'd just s/iptables/ip6tables/g the above, and replace
10.0.0.x with the appropriate IPv6 addresses.

or just use shorewall6. ;)

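Both halves of the question in one script, as an added example that is not part of the thread (neither Thomas's draft nor brent's rules): dns_rules prints the router-side ruleset for either iptables or ip6tables (redirect everything on port 53 that is not headed for a sanctioned resolver, logging only those flows), and dns_report turns the resulting kernel log lines into a per-client tally with first/last timestamp and the resolvers they tried. Assumed, not from the thread: the LAN interface name eth1, the chain name DNS_MANDATE, the log prefix, classic syslog timestamps, and the sample log lines, which are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed: LAN interface eth1,
# chain name DNS_MANDATE, the log prefix, and the constructed log lines below.

# dns_rules IPTABLES LAN_IF DNS1 DNS2
# Prints the rules instead of applying them; review, then as root run e.g.
#   dns_rules iptables eth1 10.0.0.2 10.0.0.3 | sh
dns_rules() {
    ipt=$1 lan=$2 dns1=$3 dns2=$4
    # DNAT with a port: ip6tables needs the address in brackets, iptables must not have them
    case $ipt in
        ip6tables) target="[$dns1]:53" ;;
        *)         target="$dns1:53" ;;
    esac
    cat <<EOF
$ipt -t nat -N DNS_MANDATE
# Genuine queries to the sanctioned resolvers leave the chain untouched and unlogged.
$ipt -t nat -A DNS_MANDATE -d $dns1 -j RETURN
$ipt -t nat -A DNS_MANDATE -d $dns2 -j RETURN
# Anything else: log source and original destination (rate limited), then rewrite.
$ipt -t nat -A DNS_MANDATE -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "DNS Circumvention Attempt: "
$ipt -t nat -A DNS_MANDATE -j DNAT --to-destination $target
# Traffic forwarded from the LAN is seen in nat/PREROUTING, not nat/OUTPUT.
$ipt -t nat -A PREROUTING -i $lan -p udp --dport 53 -j DNS_MANDATE
$ipt -t nat -A PREROUTING -i $lan -p tcp --dport 53 -j DNS_MANDATE
# Hairpin: if the resolver sits on the client's own segment its reply would go
# straight back to the client with the real source address and be discarded.
# Masquerade only the DNATed flows so the reply returns through the router.
$ipt -t nat -A POSTROUTING -o $lan -p udp --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE
$ipt -t nat -A POSTROUTING -o $lan -p tcp --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE
EOF
}

# dns_report PREFIX < syslog
# Keeps only kernel lines carrying PREFIX (genuine queries never hit the LOG rule,
# so they never appear) and prints one tab-separated line per offending client:
#   SRC  COUNT  FIRST_SEEN  LAST_SEEN  DESTINATIONS   (most active client first)
dns_report() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }          # unrelated kernel messages
        {
            ts = $1 " " $2 " " $3                # classic syslog stamp: "May 22 13:10:51"
            src = ""; dst = ""
            for (i = 4; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                else if (substr($i, 1, 4) == "DST=") dst = substr($i, 5)
            }
            if (src == "" || dst == "") next     # malformed line, ignore
            n[src]++
            if (!(src in first)) first[src] = ts
            last[src] = ts
            if (!((src, dst) in seen)) {
                seen[src, dst] = 1
                dsts[src] = (dsts[src] == "" ? dst : dsts[src] "," dst)
            }
        }
        END {
            for (s in n)
                printf "%s\t%d\t%s\t%s\t%s\n", s, n[s], first[s], last[s], dsts[s]
        }' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Constructed sample of what the LOG rule above writes to the kernel log
# (one unrelated kernel line included to show it is ignored).
SAMPLE_LOG='May 22 13:02:11 gw kernel: [1001.10] DNS Circumvention Attempt: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40112 DPT=53 LEN=40
May 22 13:02:14 gw kernel: [1004.55] DNS Circumvention Attempt: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40113 DPT=53 LEN=40
May 22 13:05:40 gw kernel: [1210.02] eth0: link is up
May 22 13:09:58 gw kernel: [1468.31] DNS Circumvention Attempt: IN=eth1 OUT=eth0 SRC=10.0.0.112 DST=8.8.4.4 LEN=64 PROTO=TCP SPT=51020 DPT=53
May 22 13:10:51 gw kernel: [1521.77] DNS Circumvention Attempt: IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=40114 DPT=53 LEN=40'

# Stand-alone demo: print the IPv4 ruleset, then the report over the sample log.
dns_rules iptables eth1 10.0.0.2 10.0.0.3
printf '%s\n' "$SAMPLE_LOG" | dns_report "DNS Circumvention Attempt:"
```

For IPv6 call `dns_rules ip6tables eth1 <addr1> <addr2>`; apart from the bracketed DNAT target the rules are the same (ip6tables has had a nat table since kernel 3.7). This only catches cleartext DNS on port 53: a client that switches to DNS over TLS (853) or DNS over HTTPS (443) is not redirected and not logged, so the report is a measure of casual circumvention, not a guarantee. Under nftables the same shape applies, a nat table with prerouting and postrouting chains using `log prefix`, `dnat to` and `masquerade`.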

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug