Friday, 2 January 2015

iptables: using "conntrack" and "recent" modules to block unsolicited packets


When I only allow RELATED and ESTABLISHED packets, and DROP everything else, my firewall rules work perfectly and I have no problems:



### VARIANT A
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -j DROP


However, I want to go a step further and blacklist any IP which has sent me an "unsolicited" packet. I have modified my rule:



### VARIANT B
-A INPUT -i wlan0 -m recent --name PORTSCAN --update --seconds 3600 -j DROP
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -m recent --name PORTSCAN --set -j DROP


The rules work like this:



Rule 1: checks whether the source IP address is already blacklisted and drops the packet if so
Rule 2: allows RELATED,ESTABLISHED packets
Rule 3: all other packets, which fail the RELATED,ESTABLISHED test, are blacklisted


These rules work as intended in 99.9% of cases, but on a few websites I do have problems. The Stack Exchange websites are one such example. It looks as if stackexchange.com is sending me packets which the conntrack module does not recognize as related or established. Therefore, these packets do not pass rule 2, and are blacklisted by rule 3.
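To make the three rules, the symptom just described and the flush step below concrete, here is an added model in Python; it is not code from the post or from netfilter. It contains a small in-memory version of the xt_recent list with the --set and --update --seconds semantics used above, the VARIANT B decision order, a constructed packet sequence (RFC 5737 documentation addresses), and, as an assumption of mine rather than anything the post proposes, an alternative order (variant_c) that drops packets conntrack classifies as INVALID without recording the sender, so that only NEW packets feed the blacklist.

```python
# Added model of the post's three-rule chain (not the kernel's xt_recent or
# conntrack code).  ctstate values are what conntrack would report for each packet.
from dataclasses import dataclass, field

BLACKLIST_SECONDS = 3600   # --seconds 3600 from the post


@dataclass
class RecentList:
    """One xt_recent list, i.e. the table behind /proc/net/xt_recent/PORTSCAN."""
    seen: dict = field(default_factory=dict)   # src ip -> last-seen time (seconds)

    def set(self, ip: str, now: int) -> None:
        """--set: record (or refresh) the source address."""
        self.seen[ip] = now

    def update(self, ip: str, now: int, seconds: int) -> bool:
        """--update --seconds N: match if ip was seen within N seconds and, on a
        match, refresh its timestamp (so a host that keeps sending never ages out)."""
        last = self.seen.get(ip)
        if last is None or now - last > seconds:
            return False
        self.seen[ip] = now
        return True

    def flush(self) -> None:
        """Equivalent of: echo / > /proc/net/xt_recent/PORTSCAN"""
        self.seen.clear()


@dataclass
class Packet:
    t: int          # arrival time in seconds
    src: str        # source address
    ctstate: str    # NEW, ESTABLISHED, RELATED or INVALID
    note: str = ""


def variant_b(pkt: Packet, bl: RecentList) -> str:
    """The post's VARIANT B: rule 1 blacklist check, rule 2 conntrack, rule 3 record + drop."""
    if bl.update(pkt.src, pkt.t, BLACKLIST_SECONDS):
        return "DROP rule1"
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    bl.set(pkt.src, pkt.t)          # everything else, INVALID included, lands on the blacklist
    return "DROP rule3"


def variant_c(pkt: Packet, bl: RecentList) -> str:
    """Added alternative (assumption, not from the post): drop INVALID packets
    without recording the sender, so only NEW (unsolicited) packets are blacklisted."""
    if bl.update(pkt.src, pkt.t, BLACKLIST_SECONDS):
        return "DROP rule1"
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt.ctstate == "INVALID":
        return "DROP invalid"
    bl.set(pkt.src, pkt.t)
    return "DROP rule3"


def run(policy, packets, flush_at=None):
    """Apply one policy to a packet sequence; optionally flush the list once,
    before the first packet whose arrival time is >= flush_at."""
    bl = RecentList()
    verdicts, flushed = [], False
    for p in packets:
        if flush_at is not None and not flushed and p.t >= flush_at:
            bl.flush()
            flushed = True
        verdicts.append(policy(p, bl))
    return verdicts


WEB = "198.51.100.10"    # constructed: a web server I am talking to
SCAN = "203.0.113.7"     # constructed: an unsolicited prober
TRAFFIC = [              # constructed packet sequence
    Packet(0,  WEB,  "ESTABLISHED", "reply to my HTTP request"),
    Packet(5,  WEB,  "INVALID",     "out-of-window segment on a tracked connection"),
    Packet(10, WEB,  "ESTABLISHED", "reply to my next request"),
    Packet(20, SCAN, "NEW",         "unsolicited SYN"),
    Packet(25, SCAN, "NEW",         "second probe"),
]

if __name__ == "__main__":
    for name, policy in (("VARIANT B", variant_b), ("variant_c", variant_c)):
        print(name)
        for pkt, verdict in zip(TRAFFIC, run(policy, TRAFFIC)):
            print(f"  t={pkt.t:>3} {pkt.src:<14} {pkt.ctstate:<11} {verdict:<13} {pkt.note}")
    print("VARIANT B after a flush at t=10:", run(variant_b, TRAFFIC, flush_at=10))
```

Running it shows that one INVALID segment from the web server puts the server on the list, after which VARIANT B's rule 1 drops its later ESTABLISHED replies until the list is flushed, which is the symptom described above; variant_c keeps the scanner blocked while leaving the server's replies alone. Note also that --update refreshes the timestamp on every match, so a host that keeps sending within 3600 s never ages out; --rcheck checks without refreshing if the window should count from the first hit.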


This happens usually when I am in the editing mode (i.e. asking a question, or editing an existing question).


In such a case, I have to flush the blacklist:



echo / >/proc/net/xt_recent/PORTSCAN


and then everything works again.


There could be two explanations for this problem:



a) the conntrack module is deficient, in that it does not recognize
legitimate packets as being RELATED/ESTABLISHED
b) SE websites are indeed sending unsolicited packets


I believe that b is more likely to be true, because of the following reasoning:


Variant A of my iptables rules drops all packets which it does not recognize as RELATED/ESTABLISHED. Since everything works perfectly well, these packets were not needed for my session. These were indeed unsolicited packets, which were not supposed to be sent to me in the first place.


Variant B of my iptables rules just goes a step further in that it "punishes" the offending IP and adds it to the blacklist.


Q: How can I modify my iptables rules so that they work with SE sites as well?


I would also appreciate comments regarding my analysis of the problem.


Here is my related post on meta.unix.stackexchange.com: stackexchange.com is sending me unsolicited packets (and consequently gets blocked by firewall)


