IPtable rules for DNS/http/https traffic for specific hosts only, not working.



# 1  

Hi there,

I have a VPS and am working on a little side project for myself and a friend, which is a DNS proxy. Everything was great till recently. My VPS IP has been detected by some botnet or something, and I believe SMURF attacks are occurring. The VPS provider keeps shutting down my VPS automatically after 30k connections are made. Every day for the past week I've been trying to tweak BIND rules and then moved on to iptables rules. The BIND rules didn't do anything for some reason. I added specific hosts to the trusted ACL in BIND and thought that would stop the recursion SMURF attack - it did not. At least I think it's a SMURF attack; when I use dnstop to monitor queries, I see lots of queries for 1x1.cz and isc.org, both sites that neither I nor any friends would ever visit.

I'm very newb with iptables and have been trying countless rules, but whenever I apply them either all traffic still gets through or no traffic does (aside from SSH). I've set up SSH on port 22022 and made one TCP state rule for it; that's about the only rule that seems to work properly.

I don't have the full rules I used due to the VPS being suspended till they enable it again.

However this is what I'm trying to do:
Have friends able to access the DNS from their specific IP addresses: the DNS query comes in, for certain sites BIND is set up to override and provide the client with the server's IP address, then the data is routed through a proxy which runs on port 80/443. SSH runs on 22022. The only ports I should have open, I believe, are 53, 80, 443 and 22022.

So for example a client uses the DNS IP for my VPS; they submit a query for 'google.com', my BIND provides them the override for google.com which points back to the VPS IP, then the data gets submitted to the proxy program, which on the user's behalf makes the http/https request and relays the information back to the client.

So for my rules, I thought I had set up something that would accept everything for the local interface, then accept port 22022 first off, then added the exclusion for each individual source IP, being my friends' IP addresses, then I set up rules for OUTPUT destinations to my friends' IPs. I didn't lock down the exclusions to specific ports; I just said if any request from x IP comes in, then allow it, and if any request exits the server for x IP, then allow it. After that I added the iptables -P OUTPUT -j DROP and INPUT -j DROP commands.

This appears to only allow me to SSH to the VPS while DNS appears not to work.

I have no clue why things aren't working.

Can anyone provide proper rules for this type of setup? I'm not technical to the point that I fully understand how the SMURF attack works, or if that is even what's going on. I thought disabling recursion for hosts that aren't in the exclusions list would have done the trick, but that didn't appear to do anything. I still would receive the queries for 1x1.cz and isc.org from random hosts, and then proceeding with iptables just made things not work at all.

When I flush the rules with iptables -F, the server appears to block all connections and I cannot connect to it again till I reboot the VPS. Which is strange, since I thought iptables -F just clears the iptables and allows you to write new rules, from what I'm reading in the man pages.


Any help would be appreciated!



EDIT:
VPS provider re-enabled my VPS; here is what I'm using:
root@vps:~# cat /etc/iptables.rules.042514
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*raw
:PREROUTING ACCEPT [7691:490771]
:OUTPUT ACCEPT [6864:562471]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*nat
:PREROUTING ACCEPT [1879:118359]
:POSTROUTING ACCEPT [92:5561]
:OUTPUT ACCEPT [1203:87450]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*mangle
:PREROUTING ACCEPT [7691:490771]
:INPUT ACCEPT [7691:490771]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6864:562471]
:POSTROUTING ACCEPT [5753:480582]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*filter
:INPUT DROP [1611:101493]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [1111:81889]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 216.232.249.xxx/32 -j ACCEPT
-A INPUT -s 24.85.234.xxx/32 -j ACCEPT
-A INPUT -s 96.48.135.xxx/32 -j ACCEPT
-A INPUT -s 70.70.132.xxx/32 -j ACCEPT
-A OUTPUT -d 216.232.249.xxx/32 -j ACCEPT
-A OUTPUT -d 24.85.234.xxx/32 -j ACCEPT
-A OUTPUT -d 96.48.135.xxx/32 -j ACCEPT
-A OUTPUT -d 70.70.132.xxx/32 -j ACCEPT
COMMIT

EDIT:

I've gotten things working with this:

iptables -P INPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 24.85.234.xxx/32 -j ACCEPT
iptables -A INPUT -s 96.48.135.xxx/32 -j ACCEPT
iptables -A INPUT -s 70.70.132.xxx/32 -j ACCEPT
iptables -A INPUT -s 216.232.249.xxx/32 -j ACCEPT
iptables -A INPUT -s 66.85.140.xxx/32 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

I've tried limiting the output with the following commands; however, it never seemed to route things properly/work when I applied them:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -d 24.85.234.xxx/32 -j ACCEPT
iptables -P OUTPUT DROP

Is it safe to have INPUT DROP aside from excluded IPs, then have OUTPUT ACCEPT wide open? I'm guessing it isn't that much of an issue? So far I'm testing things to see if the DDoS attackers can use my VPS for their SMURF attacks; so far the VPS has been up and running for a few hours with no issues with the new rules. I just don't know if the OUTPUT ACCEPT is OK to leave as is?

Last edited by phi0x; 04-27-2014 at 06:45 PM..
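Three things in the post above explain the symptoms, and an added example (editor's code, not the thread author's) puts them together. First, the OUTPUT chain that was tried has no ESTABLISHED,RELATED match, so once the OUTPUT policy is DROP the server's own replies to SSH sessions and DNS answers to the listed clients are discarded. Second, the proxy design needs outbound connections the rules never allowed: BIND must be able to reach upstream resolvers on 53, and the proxy must be able to open 80/443 to the real sites on the client's behalf. Third, iptables -F deletes the rules but leaves the chain policies at DROP, which is exactly the lockout described; loading a complete table with iptables-restore avoids that, because the whole table is replaced in one step. The script emits such a table: only the listed client addresses may reach 53 and 80/443, SSH stays on 22022 as in the thread, unlisted port-53 traffic is rate-limited into the kernel log so the resolver stops answering it (and so you can see who is still sending it), and everything else is dropped. The 203.0.113.x / 198.51.100.x addresses are RFC 5737 documentation addresses constructed for the example; the -m state module is used because that is what the thread uses (-m conntrack --ctstate is the newer equivalent).

```shell
#!/bin/sh
# Added example, not the thread author's rules. Emits an iptables-restore
# ruleset for a BIND forwarder plus HTTP/HTTPS proxy that only named
# clients may use. Client addresses are RFC 5737 documentation addresses,
# constructed for the example; SSH_PORT follows the thread.
SSH_PORT=22022

# gen_rules IP [IP...]: print the *filter table to stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
    # Only the listed clients may reach the resolver (53) and the proxy (80/443).
    for ip in "$@"; do
        cat <<EOF
-A INPUT -s $ip/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s $ip/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s $ip/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
    done
    # Unlisted DNS traffic falls through to the DROP policy; log a sample of it
    # so the sources that would have used the server as an amplifier are visible.
    # OUTPUT needs the conntrack match for replies, plus NEW connections for
    # BIND's upstream lookups and the proxy's fetches on behalf of clients.
    cat <<EOF
-A INPUT -p udp -m udp --dport 53 -m limit --limit 6/min -j LOG --log-prefix "dns-unlisted: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Usage: sh dnsproxy-rules.sh 203.0.113.10 198.51.100.7 | iptables-restore
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Because iptables-restore reads the whole table before applying it, a typo fails the load and the previous rules stay in place rather than leaving the box half-filtered. Keep an SSH session open while testing, and load with `iptables-restore < file` from a second session you can still reach if the first is cut off.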
# 2  
Yesterday the VPS got taken down again, due to too many conntrack connections, they said again.

I am not sure what logs to look at, but when I do netstat -ntulp it shows very few connections when they bring the VPS back online. I've monitored all day, checking a few times every hour to see what netstat and the /proc/net/nf_conntrack log show. It doesn't seem like a crazy amount of connections are being produced. I'd say no more than 1-50 connections, average around 10. Mostly opened connections from DNS/proxy from a few of the IPs I have allowed in.

This is nowhere close to their 25-30k conntrack limit.

Today the server hasn't gone down; the iptables rules are automatically applied upon boot. Shall continue to monitor.
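Spot-checking netstat and /proc/net/nf_conntrack by eye, as the post above does, is hard to compare against a provider's 25-30k entry limit, and netstat only shows sockets, not the conntrack entries that unanswered UDP queries create. The following added example (editor's code, not from the thread) summarises the conntrack table by the original-direction source address of every entry whose original destination port is 53, then strips out the listed clients so whatever remains is traffic the resolver should not be seeing. The sample lines are constructed in the kernel's /proc/net/nf_conntrack text format using RFC 5737 addresses; the `[UNREPLIED]` entries are what a flood of queries from a single source looks like once the firewall stops answering them.

```shell
#!/bin/sh
# Added example, not from the thread: summarise conntrack entries for
# inbound DNS by original source address. Sample data is constructed in
# /proc/net/nf_conntrack format with RFC 5737 documentation addresses;
# 198.51.100.1 plays the VPS, 203.0.113.10 a permitted client.
SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=203.0.113.10 dst=198.51.100.1 sport=51000 dport=53 src=198.51.100.1 dst=203.0.113.10 sport=53 dport=51000 mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.77 dst=198.51.100.1 sport=40000 dport=53 [UNREPLIED] src=198.51.100.1 dst=192.0.2.77 sport=53 dport=40000 mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.77 dst=198.51.100.1 sport=40001 dport=53 [UNREPLIED] src=198.51.100.1 dst=192.0.2.77 sport=53 dport=40001 mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.77 dst=198.51.100.1 sport=40002 dport=53 [UNREPLIED] src=198.51.100.1 dst=192.0.2.77 sport=53 dport=40002 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.1 sport=52222 dport=22022 src=198.51.100.1 dst=203.0.113.10 sport=22022 dport=52222 [ASSURED] mark=0 use=2'

# dns_sources: read conntrack lines on stdin and print "count ip", busiest
# first, for the original-direction source of every entry whose original
# dport is 53. Each line carries two src=/dport= pairs: the first pair is
# the original direction, the second the reply, so only the first is used.
dns_sources() {
    awk '
    {
        src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == "53" && src != "") count[src]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# dns_top: the single busiest DNS source, as "count ip".
dns_top() {
    dns_sources | head -n 1
}

# unexpected_dns_sources IP [IP...]: filter "count ip" lines on stdin,
# keeping only sources that are not in the permitted client list.
unexpected_dns_sources() {
    allowed=" $* "
    while read -r count ip; do
        case "$allowed" in
            *" $ip "*) ;;
            *) printf '%s %s\n' "$count" "$ip" ;;
        esac
    done
}

# Usage on a live system (nf_conntrack module loaded):
#   dns_sources < /proc/net/nf_conntrack | unexpected_dns_sources 203.0.113.10 198.51.100.7
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONNTRACK" | dns_sources | unexpected_dns_sources 203.0.113.10
fi
```

Run periodically (for example from cron, appending the output with a timestamp) this gives a record of which sources were consuming conntrack entries in the minutes before the provider's cutoff, which is the evidence the spot checks in the post could not capture. A large count for a source that is not a permitted client, particularly with `[UNREPLIED]` entries, is the signature to look for.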
# 3  
Why not use ufw - Uncomplicated Firewall, which does all the hard work for you?
# 4  
Already coded the script. Did not know about UFW; however, with UFW it's still a command-line oriented program which I would have to code a script for. The issue with the VPS DNS attack has not come back since. However, it did last a few days while the attackers were basically DDoSing the VPS IP, as their bots didn't do another DNS net scan to update their list of available DNSs.