GTER 15: Examples of Applications of GNU/Linux Netfilter Iptables

2003 by Antonio Batista <antonio@CintraBatista.net>

Where to find this document on the Internet:
http://www.CintraBatista.net/docs/sent/gter/ (from Monday, 14/04/2003)

Talk given at the GTS Meeting, held together with the 15th GTER Meeting.

DATE: Wednesday, 09/April/2003, at 11:00
VENUE: Centro de Convenções Frei Caneca, Rua Frei Caneca, 569, 4th floor, São Paulo SP

Contents

Presentation
:: Objectives and Strategy
:: About the Author
Overview
:: Scripts with Iptables
:: Malformed Packets
ARP Poisoning
:: ARP Poisoning: default gateway
:: ARP Poisoning: Iptables
Denial of Service
:: TCP SYN FLOOD: characteristics
:: Syn Flood: Results
:: Syn Flood: most common reactions
:: Syn Flood: currently viable reaction
:: Syn Flood: Netfilter
:: Denial of Service (DoS): other types

Content area updated on Wednesday, 2003-April-09 03:52:37 GMT-3 (São Paulo, Brazil, South America)
Objectives and Strategy

Objectives

- Make content available to serve as a future reference
- Present creative solutions using Netfilter Iptables
- Explain what is possible within the time limit: 50 minutes

Strategy

Because of the time limit, we chose to enrich and diversify the content, consequently sacrificing the more detailed explanations, while still trying to limit the content somewhat so that there is no excessive imbalance.
Objectives and Strategy 2
GTER 15: Examples of Applications of GNU/Linux Netfilter Iptables
About the Author

Antonio Augusto de Cintra Batista <antonio@CintraBatista.net>

- Electronic Engineer
- Security Officer, Diveo
- Owner of IPtrip: manufacture of border routers (BGP, OSPF)
- Founder, in 1987, of Sodalys: manufacture since 1991 of devices for the treatment of hyperhidrosis (excessive sweating)
Example of a script with assorted features

#!/bin/bash
#
# (C) by Antonio Batista
# Licensed as free software under GNU GPL version 2
#
# Iptables programs directory
PRGDIR="/usr/local/iptables/bin"
# Iptables data directory
DATDIR="/usr/local/iptables/data"
# Load appropriate modules.
# modprobe ip_tables
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
# Static ARP entry for the gateway, to protect against ARP poisoning
GW="10.1.1.1"
MAC="00:02:4B:CB:11:00"
/usr/sbin/arp -s $GW $MAC 2>/dev/null
# These lines are here in case rules are already in place and the script
# is ever re-run on the fly.
# We want to remove all rules and pre-existing user-defined chains and
# zero the counters before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## ============================================================
# RULES
# A custom chain to log and drop.
# We must remember that the LOG target is a
# "non-terminating target", i.e., a match on this rule does
# not stop the rules traversal, and the next target (DROP)
# gets evaluated as well.
iptables -N dropcounter
iptables -A dropcounter -j RETURN
iptables -N logdrop
iptables -A logdrop -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[SYN FLOOD] "
iptables -A logdrop -j dropcounter
iptables -A logdrop -j DROP
iptables -N logmalform
iptables -A logmalform -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[MALFORMED] "
iptables -A logmalform -j DROP
# Illegal TCP flag combinations (never produced by a real TCP stack)
iptables -N malfgroup
#$PRGDIR/malfgroup.sh
iptables -A malfgroup -p tcp --tcp-flags SYN,FIN SYN,FIN -j logmalform
iptables -A malfgroup -p tcp --tcp-flags SYN,RST SYN,RST -j logmalform
iptables -A malfgroup -p tcp --tcp-flags FIN,RST FIN,RST -j logmalform
iptables -A malfgroup -j RETURN
###############################################
# INPUT chain groups
###############################################
iptables -N inbestgroup
#$PRGDIR/inbestgroup.sh
iptables -A inbestgroup -j RETURN
# iptables -N inpreidsgroup
# $PRGDIR/inpreidsgroup.sh
# iptables -A inpreidsgroup -j RETURN
iptables -N inmalfgroup
#$PRGDIR/inmalfgroup.sh
iptables -A inmalfgroup -j malfgroup
iptables -A inmalfgroup -j RETURN
iptables -N inbadgroup
#$PRGDIR/inbadgroup.sh
iptables -A inbadgroup -j RETURN
iptables -N ingoodgroup
#$PRGDIR/ingoodgroup.sh
iptables -A ingoodgroup -j RETURN
iptables -N indenygroup
#$PRGDIR/indenygroup.sh
iptables -A indenygroup -j RETURN
iptables -N inacceptgroup
#$PRGDIR/inacceptgroup.sh
iptables -A inacceptgroup -j RETURN
iptables -N indsggroup
#$PRGDIR/indsggroup.sh
iptables -A indsggroup -j RETURN
iptables -N incustomergroup
#$PRGDIR/incustomergroup.sh
iptables -A incustomergroup -j RETURN
# iptables -N inidsgroup
# $PRGDIR/inidsgroup.sh
# iptables -A inidsgroup -j RETURN
iptables -N infwgroup
$PRGDIR/infwgroup.sh
iptables -A infwgroup -j RETURN
###############################################
# FORWARD chain groups
###############################################
# iptables -N fwdbestgroup
# $PRGDIR/fwdbestgroup.sh
# iptables -A fwdbestgroup -j RETURN
# iptables -N fwdmalfgroup
#$PRGDIR/fwdmalfgroup.sh
# iptables -A fwdmalfgroup -j malfgroup
# iptables -A fwdmalfgroup -j RETURN
# iptables -N fwdbadgroup
# $PRGDIR/fwdbadgroup.sh
# iptables -A fwdbadgroup -j RETURN
# iptables -N fwdgoodgroup
# $PRGDIR/fwdgoodgroup.sh
# iptables -A fwdgoodgroup -j RETURN
# iptables -N fwddenygroup
#$PRGDIR/fwddenygroup.sh
# iptables -A fwddenygroup -j RETURN
# iptables -N fwdacceptgroup
#$PRGDIR/fwdacceptgroup.sh
# iptables -A fwdacceptgroup -j RETURN
# iptables -N fwddsggroup
#$PRGDIR/fwdacceptgroup.sh
# iptables -A fwddsggroup -j RETURN
# iptables -N fwdcustomergroup
# $PRGDIR/fwdcustomergroup.sh
# iptables -A fwdcustomergroup -j RETURN
# iptables -N fwdfwgroup
#$PRGDIR/fwdfwgroup.sh
# iptables -A fwdfwgroup -j RETURN
###############################################
# OUTPUT chain groups
###############################################
iptables -N outmalfgroup
$PRGDIR/outmalfgroup.sh
iptables -A outmalfgroup -j malfgroup
iptables -A outmalfgroup -j RETURN
iptables -N outgoodgroup
$PRGDIR/outgoodgroup.sh
iptables -A outgoodgroup -j RETURN
iptables -N outfwgroup
$PRGDIR/outfwgroup.sh
iptables -A outfwgroup -j RETURN
## SYNFLOOD
#
# SYNs within the rate limit return to the caller; the excess is logged and dropped
iptables -N synflood
iptables -A synflood -m limit --limit 50/s --limit-burst 4 -j RETURN
iptables -A synflood -j logdrop
###############################################
# INPUT
###############################################
# The conventional chains
iptables -A INPUT -i lo -j ACCEPT
# Best Group
iptables -A INPUT -j inbestgroup
# Pre-IDS Group
# iptables -A INPUT -j inpreidsgroup
# Malformed
iptables -A INPUT -j inmalfgroup
# Bad VIP
iptables -A INPUT -j inbadgroup
# Good VIP
iptables -A INPUT -j ingoodgroup
# Deny Group
iptables -A INPUT -j indenygroup
# Accept Group
iptables -A INPUT -j inacceptgroup
# Deny Services Group
iptables -A INPUT -j indsggroup
# Customer Group
iptables -A INPUT -j incustomergroup
# Syn Flood
iptables -A INPUT -p tcp --syn -j synflood
# Firewall
iptables -A INPUT -j infwgroup
# DEFAULT DROP
iptables -A INPUT -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[INPUT FW] "
iptables -A INPUT -j DROP
# IDS Group
# iptables -A INPUT -j inidsgroup
# iptables -A INPUT -j DROP
###############################################
# FORWARD
###############################################
# Best VIP
# iptables -A FORWARD -j fwdbestgroup
# Malformed
# iptables -A FORWARD -j fwdmalfgroup
# Bad VIP
# iptables -A FORWARD -j fwdbadgroup
# Good VIP
# iptables -A FORWARD -j fwdgoodgroup
# Deny Group
# iptables -A FORWARD -j fwddenygroup
# Accept Group
# iptables -A FORWARD -j fwdacceptgroup
# Deny Services Group
# iptables -A FORWARD -j fwddsggroup
# Customer VIP
# iptables -A FORWARD -j fwdcustomergroup
# Syn Flood
# iptables -A FORWARD -p tcp --syn -j synflood
# Firewall
# iptables -A FORWARD -j fwdfwgroup
# DEFAULT ACCEPT
# iptables -A FORWARD -m limit --limit 10/s --limit-burst 4 -j LOG \
#         --log-prefix "[FORWARD FW] "
# iptables -A FORWARD -j ACCEPT
###############################################
# OUTPUT
###############################################
iptables -A OUTPUT -o lo -j ACCEPT
# Malformed
iptables -A OUTPUT -j outmalfgroup
# Good VIP
iptables -A OUTPUT -j outgoodgroup
# Deny Group
# Accept Group
# Deny Services Group
# SynFlood
iptables -A OUTPUT -p tcp --syn -j synflood
# Firewall
iptables -A OUTPUT -j outfwgroup
# DEFAULT ACCEPT
iptables -A OUTPUT -j ACCEPT
# THE END
# ==================================================================
Example rules

iptables -N logmalform
iptables -A logmalform -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[MALFORMED] "
iptables -A logmalform -j DROP

iptables -N malfgroup
#$PRGDIR/malfgroup.sh
iptables -A malfgroup -p tcp --tcp-flags SYN,FIN SYN,FIN -j logmalform
iptables -A malfgroup -p tcp --tcp-flags SYN,RST SYN,RST -j logmalform
iptables -A malfgroup -p tcp --tcp-flags FIN,RST FIN,RST -j logmalform
iptables -A malfgroup -j RETURN
Static entries in the ARP table

GW="10.1.1.1"
MAC="00:02:4B:CB:11:00"
/usr/sbin/arp -s $GW $MAC 2>/dev/null

The same can be done for other gateways or for the more critical machines.

Checking the ARP table:

arp -na
EXAMPLE of "programming" a layer 2 firewall, or a router:

# ARP Poisoning
iptables -A FORWARD -j arpfwgroup
# Best VIP
iptables -A FORWARD -j fwdbestgroup
# Malformed
iptables -A FORWARD -j fwdmalfgroup
# Bad VIP
iptables -A FORWARD -j fwdbadgroup
# Good VIP
iptables -A FORWARD -j fwdgoodgroup
# Deny Group
iptables -A FORWARD -j fwddenygroup
# Accept Group
iptables -A FORWARD -j fwdacceptgroup
# Deny Services Group
iptables -A FORWARD -j fwddsggroup
# Customer VIP
iptables -A FORWARD -j fwdcustomergroup
# Syn Flood
iptables -A FORWARD -p tcp --syn -j synflood
# Firewall
iptables -A FORWARD -j fwdfwgroup
# DEFAULT DROP
iptables -A FORWARD -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[FORWARD FW] "
iptables -A FORWARD -j DROP

Chain arpfwgroup in detail:

iptables -N arpfwgroup
# 10.1.2.3 is only accepted from its known MAC; any other MAC claiming it is dropped
iptables -A arpfwgroup -p all -m mac --mac-source ! 00:11:22:33:44:55 \
        -s 10.1.2.3 -j DROP
iptables -A arpfwgroup -p all -s 10.1.2.3 -j RETURN
iptables -A arpfwgroup -p all -m mac --mac-source ! 66:77:88:99:AA:BB \
        -s 10.1.2.4 -j DROP
iptables -A arpfwgroup -p all -s 10.1.2.4 -j RETURN
# Any other address of the subnet is unknown: drop it
iptables -A arpfwgroup -p all -s 10.1.2.0/23 -j DROP
# Block everything else by default
iptables -A arpfwgroup -p all -j DROP

The tool is there... to put it into production in a scalable way, one can define a policy and implement it technically with scripts that consult the arpwatch table:
/var/lib/arpwatch/eth0.dat
/var/lib/arpwatch/eth1.dat
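As an added example (not one of the talk's scripts), the POSIX shell script below builds the arpfwgroup chain shown above from such an arpwatch table; it assumes arpwatch's arp.dat layout (tab-separated MAC, IP, timestamp and hostname, with MAC octets not zero-padded), only prints the rules, and the sample table it uses is constructed:

```shell
#!/bin/sh
# Generate the arpfwgroup rules of the talk from an arpwatch table.
# Assumption: arpwatch's .dat file has tab-separated fields
# "MAC<TAB>IP<TAB>timestamp<TAB>hostname", with MAC octets not zero-padded
# (e.g. 0:2:4b:cb:11:0), while iptables --mac-source needs XX:XX:XX:XX:XX:XX.

# pad_mac: normalise "0:2:4b:cb:11:0" to "00:02:4B:CB:11:00"
pad_mac() {
    echo "$1" | tr 'a-f' 'A-F' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = $i
            if (length(o) < 2) o = "0" o
            if (i > 1) out = out ":"
            out = out o
        }
        print out
    }'
}

# arp_rules: print one DROP + one RETURN rule per arpwatch entry, then the
# subnet DROP and the final catch-all DROP, exactly as on the slide.
# $1 = arpwatch .dat file, $2 = the customer subnet (e.g. 10.1.2.0/23)
arp_rules() {
    dat="$1"; subnet="$2"
    tab="$(printf '\t')"
    echo "iptables -N arpfwgroup"
    # sort by IP so that repeated runs produce a stable rule order
    sort -t "$tab" -k2,2 "$dat" | while IFS="$tab" read -r mac ip _ts _host; do
        [ -n "$mac" ] && [ -n "$ip" ] || continue   # skip blank or short lines
        mac=$(pad_mac "$mac")
        # a packet claiming this IP from another MAC is spoofed: drop it
        echo "iptables -A arpfwgroup -p all -m mac --mac-source ! $mac -s $ip -j DROP"
        # the same IP from the right MAC leaves the chain and keeps being filtered
        echo "iptables -A arpfwgroup -p all -s $ip -j RETURN"
    done
    # any other address of the subnet is unknown to arpwatch: drop it
    echo "iptables -A arpfwgroup -p all -s $subnet -j DROP"
    # block everything else by default, as on the slide
    echo "iptables -A arpfwgroup -p all -j DROP"
}

# Constructed sample table (not a real arpwatch capture); the run below only
# prints the rules, pipe them to sh as root to load them.
SAMPLE_DAT=$(mktemp)
printf '0:11:22:33:44:55\t10.1.2.3\t1049860800\thost-a\n' >  "$SAMPLE_DAT"
printf '66:77:88:99:aa:bb\t10.1.2.4\t1049860800\thost-b\n' >> "$SAMPLE_DAT"
arp_rules "$SAMPLE_DAT" 10.1.2.0/23
rm -f "$SAMPLE_DAT"
```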
This arpfwgroup chain that we created can be used in the following predefined chains:
2 to 3 K packets/second are already enough to cause DoS on every known firewall (the 30 to 100 K pkts/s are not even needed).

If the firewall is in DoS, the whole network structure below it is in DoS, and not only the destination IP address of the attack.

The feature that firewalls and network equipment usually call "Syn Flood Defender" is nothing more than a portscan defender, and it even makes these devices go into DoS faster. A portscan typically originates from a real (not spoofed) source IP.
Identification of the attacked IP address.

Quick blocking of this attacked IP (to guarantee the availability of the rest of the network).

Identification of the outermost intra-AS network interface, and of the adjacent AS.

Ask the adjacent AS to identify its own outermost intra-AS network interface, and so on successively until the origin is reached. Today this approach is very theoretical and does not work in practice with the vast majority of ASes.

The viable alternative that remains: identify and block the attacked IP address as quickly as possible.

An alternative hoped for in the (near?) future: ICMP traceback
http://www.ietf.org/internet-drafts/draft-ietf-itrace-04.txt

My feeling about it: what is missing is an algorithm to guarantee the authenticity of the origin of these packets (and not for lack of technology to do it).
Requires solving a MAIN PROBLEM

Automatic and fast detection of the attacked IP address.
Iptables rules

Chains created for the detection:

## SYNFLOOD
#
iptables -N synflood
iptables -A synflood -m limit --limit 500/s --limit-burst 4 -j RETURN
iptables -A synflood -j logdrop

iptables -N logdrop
iptables -A logdrop -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[SYN FLOOD] "
iptables -A logdrop -j DROP

Example of how they can be called:

# Customer chain
iptables -A FORWARD -j fwdcustomergroup
# Syn Flood
iptables -A FORWARD -p tcp --syn -j synflood
# Firewall chain
iptables -A FORWARD -j fwdfwgroup
# DEFAULT DROP
iptables -A FORWARD -m limit --limit 10/s --limit-burst 4 -j LOG \
        --log-prefix "[FORWARD FW] "
iptables -A FORWARD -j DROP
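As an added example (not from the talk), the POSIX shell script below takes up the main problem stated earlier, automatic and fast detection of the attacked IP address, by reading the "[SYN FLOOD]" lines that the logdrop chain above writes to the kernel log; it assumes the usual klogd/syslog line layout, the hit threshold and the emergency rule it prints are its own choices, and the sample log is constructed:

```shell
#!/bin/sh
# Find the attacked destination IP from the "[SYN FLOOD]" lines that the
# synflood/logdrop chains of the talk write to the kernel log.
# Assumptions: klogd/syslog layout "Mon DD HH:MM:SS host kernel: <prefix> KEY=VALUE ...";
# the hit threshold and the rule printed at the end are this example's own choices.

# syn_flood_targets: one line per DST seen with the [SYN FLOOD] prefix,
# "<dst> <hits> <distinct sources>", most hits first. Many distinct sources
# for one DST is the spoofed-source signature of a SYN flood; one real source
# touching many DSTs looks like the portscan the talk distinguishes it from.
syn_flood_targets() {
    awk '
        /\[SYN FLOOD\]/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (dst == "") next
            hits[dst]++
            if (!((dst, src) in seen)) { seen[dst, src] = 1; srcs[dst]++ }
        }
        END { for (d in hits) print d, hits[d], srcs[d] }
    ' "$1" | sort -k2,2nr
}

# emergency_rule: print the rule that sacrifices the attacked IP so the rest
# of the network stays reachable (the "viable reaction" of the talk).
# $1 = log file, $2 = minimum hits before an address counts as attacked
emergency_rule() {
    syn_flood_targets "$1" | awk -v min="$2" '
        $2 >= min { print "iptables -I FORWARD -d " $1 " -p tcp --syn -j DROP" }
    '
}

# Constructed sample log (not a real capture): 10.1.2.3 is flooded from three
# spoofed sources, 10.1.2.4 gets a single SYN, and an [INPUT FW] line is ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr  9 11:00:01 fw kernel: [SYN FLOOD] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.1.2.3 LEN=40 PROTO=TCP SPT=1024 DPT=80 SYN
Apr  9 11:00:01 fw kernel: [SYN FLOOD] IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=10.1.2.3 LEN=40 PROTO=TCP SPT=1025 DPT=80 SYN
Apr  9 11:00:01 fw kernel: [SYN FLOOD] IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.2.3 LEN=40 PROTO=TCP SPT=1026 DPT=80 SYN
Apr  9 11:00:02 fw kernel: [SYN FLOOD] IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.1.2.4 LEN=40 PROTO=TCP SPT=2000 DPT=25 SYN
Apr  9 11:00:02 fw kernel: [INPUT FW] IN=eth0 OUT= SRC=203.0.113.5 DST=10.1.1.1 LEN=40 PROTO=TCP SPT=2001 DPT=22 SYN
EOF
syn_flood_targets "$SAMPLE_LOG"
emergency_rule "$SAMPLE_LOG" 3
rm -f "$SAMPLE_LOG"
```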
Whether the protocol is ICMP, UDP, OSPF, IP-in-IP, SCTP, ...

The approach is analogous, with small adaptations (configurations) to meet particular needs.