tproxy configure with connbytes - linux-kernel

I have a transparent proxy.
I want to redirect a rdp connection to local process, but from 3rd packet. that means I want to pass first and second packet and from 3rd packet until end redirect packets to local process.
I use code below to configure my tproxy.
But it does not work and no packets pass and no packets go to local process(50082).
Could you please help me? I don't know my mistake.
${ip} rule add fwmark 1 lookup 100
${ip} route add local 0.0.0.0/0 dev lo table 100
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 3: --connbytes-dir both --connbytes-mode packets -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50082
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 1:3 --connbytes-dir both --connbytes-mode packets -j ACCEPT

Related

is there a way to use cilium to rate limit tls connection establishment?

I want to do something like
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp -m limit --limit 12/minute --dport 12871 -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 12871 -j DROP
https://askubuntu.com/questions/1095491/how-to-limit-connections-to-1-connect-on-5-seconds-iptables
but via cilium/natively on kubernetes
to protect my ingresses from falling over if many clients reconnect at the same time
I suppose you can, yes. This is done via the api-rate-limit configuration option that you will have to configure for your cilium-agent running on the node.
Your limit above will translate to:
--api-rate-limit endpoint-create=rate-limit:12/m
You can read more about this option here.

IPTables Script to block Concurrent Connections

We are using Suse Linux Enterprise Server 12. We need to block concurrent IP Addresses which is hitting our web server for more thatn 50 times per second and block that ip address for 10 minutes. Also it should distinguish attacker and genuine traffic and block attacker's IP forever. We have currently blocked using iptables , below is the rule.
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 50 -j DROP
It will just block the IPAddress which exceeds 50 connections but wont blacklist the IPAddress. Please let us know if we have a script that will match all the scenarios which is metioned above. Please Help.
I tested this and it works really nice. If the behavior is detected, the IP is put into hold-down for 10 minutes and logged. You can verify it's operation by watching these files. /proc/net/xt_recent/NICE, /proc/net/xt_recent/NAUGHTY. You need to build a script to parse the log for bad IP's and commit them to a file that is loaded into iptables on startup if you want to blacklist permanently. That concept is already clear so no need for me to include it.
#flush and clear
iptables -F -t nat
iptables -F
iptables -X
#this is where naughty kids go
iptables -N GETCAUGHT
#you got added to the naughty list
iptables -A GETCAUGHT -m recent --name NAUGHTY --set #everyone here is bad
iptables -A GETCAUGHT -j LOG --log-prefix "iwasbad: " --log-level 4 #and it goes on your permanent record
#if you are on the NAUGHTY list you get a lump of coal
iptables -A INPUT -i eth0 -m recent --name NAUGHTY --rcheck --seconds 600 -j DROP #check everyone at the door
#though everyone starts out on the NICE list
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --set #you seem nice
#but if you GETCAUGHT doing this you are naughty
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --seconds 1 --hitcount 50 --update -j GETCAUGHT #that wasn't nice

How to whitelist IP addresses on Amazon Lightsail

I used Amazon Lightsail to deploy a wordpress site and it worked like a charm. Now I have the need to restrict the IP addresses that can access on port 80 to the ones associated to the Firewall from SiteLock, and I am looking for the best and cleanest solution.
It looks like in Lightsail simplified version of the world, I can only open a port for public access, or close it.
My only idea now is logging in via SSH and use iptables, but I wanted to understand if that's the only way I can do this, or there is something "smarter".
This is what I came out with, that actually works, but uses iptables which I am not sure is the best option, so the question is still open to get a better solution.
Since SiteLock website says these IP ranges are to be allowed in:
SiteLock Firewall IP Ranges
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
2a02:e980::/29
I created a script to allow them all, and then close all the rest with an explicit DROP rule
sudo iptables -A INPUT -p tcp -s 199.83.128.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 198.143.32.0/19 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 149.126.72.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 103.28.248.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 45.64.64.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 185.11.124.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.230.64.0/18 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 107.154.0.0/16 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 2a02:e980::/29 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
now, IPs can be whitelisted from AWS console itself. Go to your Lightsail instance in console, then networking. there you can choose ports to open, and to whitelist IP, check Restrict to IP. then enter whielisted IP or range and save.
reference: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-editing-firewall-rules

Gitlab pushing via https doesnt succed because of iptables

I installed the Gitlab-Omnibus bundle and opened iptables for port 80, 443, 9418 and temp. even for 22. Why doesn't pushing via https work? When I put iptables in default open for everything it works.
Here are my rules for 80, 443, 22 and 9418
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The Result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What do I need to open else?
I tried logging dropped packages but there is nothing with my ip?
I hope someone can help me..
Ok here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT
#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {startwd|stop|restart}"
;;
esac

Squid+iptables: how do i allow https to pass-through and bypassing Squid?

Basically started with Squid and iptables today (google is your friend). This stuff is going to be the death of me.
I have Squid3 setup on Ubuntu 9.04 server as Transparent Proxy. It works sweetly when i use the proxy-box as my default gateway etc. The iptable rules for this setup was part of the tutorial. :P
I can unfortunately not access https sites (such as Gmail or anything on port 443 basically). This is because Squid dont like what it cannot cache, which in this case is the https traffic.
I would like to add an iptable rule so that i can basically access https sites and use Skype. Basically allow these types of traffic to pass through without going through Squid proxy? (bypassing it so to speak)
Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?
Thank you.
After actually considering chewing through my own wrists and dreaming of IPs all night long + brute force googling/trying ANYTHING i could get my digital fingers on i managed to put something together that actually works. I dont know the technical reasons why, so if you can provide set explanations please do so! :D
PS: everything in the explanation is done via command line
PS: this is not a final solution, but its a working one in answer to my own question.
Here it is:
Step 1: Had to enable IP Forwarding on the box:
vim /etc/sysctl.conf
//find and uncomment the following
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
Step 2: Add loop back rule (this is more for when all ports are covered, apparently many apps need it?
iptables -I INPUT -i lo -j ACCEPT
Step 3. Add rules for the bypassing of port 443: (eth1 is internet interface and x.x.x.x/eth0 is LAN interface)
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x
Step 4. Then finally the rules making Squid transparent:(x.x.x.x is IP of LAN interface)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x
That is wrong. Means that every packet TCP/UDP/etc that you send from your intern LAN to Internet will use as SOURCE IP the Private LAN IP (probably 192.178.x.x), instead of the Public IP.
May be that helps you:
PREROUTING == DestinationNAT -> From Internet to Intern LAN
POSTROUTING == SourceNAT -> From Intern LAN to Internet
iptables -t nat -A PREROUTING -i intern -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80
To bypasss 443 would be enough with:
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
And if your system/squid/firewall is also the router from your network to internet, do not forget:
iptables -t nat -A POSTROUTING -o extern -j SNAT --to-source Public_external_IP
For those explanations...
step #1 sets up the machine as a router. This is required for any Linux machine that is going to accept or forward IP traffic destined for machines other than itself. Without this the lowest levels of the networking stack will reject the traffic and NAT will not even get a chance to do its thing.
step #2 is not relevant to the problem being asked about. It may or may not be needed for the router operations unrelated to the proxying.
step #3 lets the machine relay port 443 normally as a router. The POSTROUTING rule could be made better by using MASQUERADE instead of SNAT.
step #4 both lines do the same thing in different ways. The first line may lead you to trouble in future if you dont know what the differences are between DNAT and REDIRECT. For simplicity use REDIRECT only.
Reading http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect could have saved you a lot of trouble.
There is also a critical mangle table rule missing from your setup which is explained on that wiki page.

Resources