itdamager@cox.net
2003-Aug-28 00:35 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
I'm using PortSentry to block hosts similar to the documents in the contrib area. I really wanted to see the original incoming requests so I'd know what port the remote host attempted to connect to, since portsentry only sees everything coming from port 49999. I did this by simply changing the REDIRECT rules to REDIRECT:info, and in portsentry.temp.block I made this somewhat kludgy yet very effective change to show me the original port (for anyone interested):

BAD_PORT=`tail -20 /var/log/messages | grep $BAD_IP | grep REDIRECT | tail -n 1 | sed s/DF\ // | awk '{print $18}' | sed s/DPT=//`

However, the reason for this message is, I keep seeing REDIRECT messages in my logs from hosts that are blacklisted. For instance:

Aug 27 22:17:09 mybitch kernel: Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=52:54:40:22:16:2c:00:03:6c:4b:34:70:08:00 SRC=218.15.192.64 DST=myextip LEN=314 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=31101 DPT=1026 LEN=294

cat /var/log/messages | grep 218.15.192.64 | grep REDIRECT | wc -l
114

So 114 REDIRECTs, yet

cat /var/lib/shorewall/save | grep 218.15.192.64

shows:

DROP all -- 218.15.192.64 0.0.0.0/0

The host was blacklisted on 8/23/2003. Which leads to my questions..

Why is this blacklisted host still being processed through the redirect rule? Is there something I can change in my setup to process the blacklist before the redirect rule?

Thanks.
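The BAD_PORT one-liner above counts whitespace-separated fields, which is why it first has to strip the optional DF flag. The added example below (my code, not the poster's or Shorewall's) extracts the destination port by keying on the DPT= token instead, and also summarises which PROTO/DPT pairs a blacklisted host hit. The log lines are constructed from the format shown in the post; the hostname, second IP and DST address are made up.

```shell
#!/bin/sh
# Constructed sample of Shorewall 'nat'-table REDIRECT log lines (not real data).
# 'DF' is present only on some lines, so awk field positions shift by one;
# matching the DPT= token itself is position-independent.
LOG_SAMPLE='Aug 27 22:17:09 fw kernel: Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=52:54:40:22:16:2c:00:03:6c:4b:34:70:08:00 SRC=218.15.192.64 DST=192.0.2.10 LEN=314 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=31101 DPT=1026 LEN=294
Aug 27 22:18:40 fw kernel: Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=52:54:40:22:16:2c:00:03:6c:4b:34:70:08:00 SRC=218.15.192.64 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=4321 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 22:19:02 fw kernel: Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=52:54:40:22:16:2c:00:03:6c:4b:34:70:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=1234 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0'

# last_redirect_dpt IP [LOGFILE]: destination port from the most recent REDIRECT
# entry for IP; prints nothing and returns 1 when there is none.
last_redirect_dpt() {
    ip=$1; log=${2:-/var/log/messages}
    # "SRC=ip " with the trailing space so 218.15.192.6 does not match 218.15.192.64
    port=$(grep 'REDIRECT:' "$log" | grep -F "SRC=$ip " | tail -n 1 \
           | sed -n 's/.*[[:space:]]DPT=\([0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# redirect_port_summary IP [LOGFILE]: one "PROTO/DPT count" line per distinct
# target port the host was redirected from, sorted.
redirect_port_summary() {
    ip=$1; log=${2:-/var/log/messages}
    grep 'REDIRECT:' "$log" | grep -F "SRC=$ip " | awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (proto != "" && dpt != "") n[proto "/" dpt]++
    } END { for (k in n) print k, n[k] }' | sort
}
```

Write LOG_SAMPLE to a file and call either function on it to try the parsing offline before pointing it at /var/log/messages.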
Ed.Greshko@greshko.com
2003-Aug-28 01:12 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
On Thu, 28 Aug 2003 itdamager@cox.net wrote:

> The host was blacklisted on 8/23/2003.
>
> Which leads to my questions..
>
> Why is this blacklisted host still being processed through the redirect
> rule? Is there something I can change in my setup to process the
> blacklist before the redirect rule?

If I remember correctly a blacklisted address will be dropped without going through any additional checks. Just curious, did you enable "blacklist" on the interface?

Ed
--
SARS - The only virus not spread by Outlook
http://www.shorewall.net/ for all your firewall needs
itdamager@cox.net
2003-Aug-28 01:28 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
> Just curious, did you enable "blacklist" on the interface?

Yes, blacklist is enabled, among other options.

interfaces:
net   eth1   detect   dhcp,routefilter,norfc1918,tcpflags,logunclean,blacklist
loc   eth0   detect   dhcp
Tom Eastep
2003-Aug-28 07:25 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
On Thu, 2003-08-28 at 00:34, itdamager@cox.net wrote:

> Which leads to my questions..
>
> Why is this blacklisted host still being processed through the redirect rule?

Because the REDIRECT rule in the 'nat' table is processed before the blacklisting rules in the 'filter' table.

And please post in plain text and configure your mailer to fold long lines.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom Eastep
2003-Aug-28 07:31 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
On Thu, 2003-08-28 at 07:25, Tom Eastep wrote:

> On Thu, 2003-08-28 at 00:34, itdamager@cox.net wrote:
>
> > Which leads to my questions..
> >
> > Why is this blacklisted host still being processed through the redirect rule?
>
> Because the REDIRECT rule in the 'nat' table is processed before the
> blacklisting rules in the 'filter' table.

And recent versions of Shorewall log REDIRECT and NAT rules out of the 'nat' table.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
IT Damager
2003-Aug-28 12:57 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
> > > Why is this blacklisted host still being processed through
> > > the redirect rule?
> >
> > Because the REDIRECT rule in the 'nat' table is processed before the
> > blacklisting rules in the 'filter' table.
>
> And recent versions of Shorewall log REDIRECT and NAT rules out of the
> 'nat' table.
>
> -Tom

Tom, forgive my ignorance (and my bad mailer), but to me it would make sense that blacklisted hosts would be completely ignored and never traverse any rules, nat or otherwise. Can you explain to me why this isn't the case? Is there something I can do in my configuration to make blacklist always come first?

Thanks
Tom Eastep
2003-Aug-28 13:36 UTC
[Shorewall-users] blacklisted hosts still being 'REDIRECT'ed
On Thu, 2003-08-28 at 12:56, IT Damager wrote:

> Tom, forgive my ignorance (and my bad mailer), but to me it would make sense
> that blacklisted hosts would be completely ignored and never traverse any
> rules, nat or otherwise. Can you explain to me why this isn't the case?

Shorewall supports a BLACKLIST_DISPOSITION variable which can be set to "REJECT". The REJECT target is only available in the INPUT and FORWARD chains of the 'filter' table (ref. "man iptables"). In order to not have to implement a different ruleset structure for BLACKLIST_DISPOSITION=DROP and BLACKLIST_DISPOSITION=REJECT, I chose to implement all blacklisting in the 'filter' table, which is traversed AFTER both the 'mangle' table and the 'nat' table. As I explained in my previous post, REDIRECT and DNAT rules add rules to the 'nat' table, and recent versions of Shorewall also log these rules out of that table.

> Is
> there something I can do in my configuration to make blacklist always come
> first?

Do your own implementation of blacklisting using an extension script (probably /etc/shorewall/start) and enforce your form of blacklisting in the PREROUTING chain of the 'mangle' table. The only choice for a disposition would be to DROP the packets.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
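As an added illustration of Tom's suggestion (my code, not Shorewall's and not an official extension script), the following generates DROP rules for the 'mangle' PREROUTING chain, which is traversed before the 'nat' PREROUTING chain that holds the REDIRECT rules. It assumes a hand-maintained file with one address or CIDR per line (the path and the chain name are my choices), and it prints the iptables commands rather than running them so they can be reviewed and then piped to sh from /etc/shorewall/start.

```shell
#!/bin/sh
# Added example: blacklist enforcement ahead of Shorewall's REDIRECT/DNAT rules.
# Netfilter order for inbound packets is mangle/PREROUTING, then nat/PREROUTING,
# then the filter table, so a DROP here is seen before the REDIRECT rule logs.
# Only DROP is possible in mangle; REJECT exists only in the filter table.
# Assumptions: blacklist file has one IPv4 address or CIDR per line, '#' starts
# a comment; the chain name is hypothetical and chosen not to collide with
# chains Shorewall creates itself.

BL_CHAIN=${BL_CHAIN:-bl_pre}
BL_FILE=${BL_FILE:-/etc/shorewall/mangle_blacklist}   # assumed path

# gen_mangle_blacklist FILE: print the iptables commands that drop every listed
# source address in mangle/PREROUTING. Malformed entries are reported on stderr
# and skipped rather than silently producing a bad rule.
gen_mangle_blacklist() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    printf '%s\n' "iptables -t mangle -N $BL_CHAIN"
    # position 1 puts the jump ahead of anything else already in the chain
    printf '%s\n' "iptables -t mangle -I PREROUTING 1 -j $BL_CHAIN"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | while read -r addr _; do
        case $addr in
            *[!0-9./]*) echo "skipping malformed entry: $addr" >&2; continue ;;
        esac
        printf '%s\n' "iptables -t mangle -A $BL_CHAIN -s $addr -j DROP"
    done
}

# Usage from the extension script (assumed):  gen_mangle_blacklist "$BL_FILE" | sh
```

Afterwards, `iptables -t mangle -L PREROUTING -n -v` should show the jump to the chain as its first rule, and the REDIRECT log entries for listed hosts should stop.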