real time iptables

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
View previous topic :: View next topic  
Author Message
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 135
Location: SF Bay Area
PostPosted: Thu Jun 04, 2015 6:37    Post subject: real time iptables Reply with quote
This script does near real-time blocking and INPUT chain management. It was developed to lighten up load for local and remote logging and was tuned for low-power, small memory systems.

Runs after dd-wrt built-in firewall, tested on WRT54GL, 16M, 200MHz BCM5352 w build 25974 mini. Working on a preload CIDR variation for known offenders.

I'd be interested in tuning or flaws of course Wink

Start: # ./rt_block &
Check: # ps | grep -v SW
Check: # iptables -L INPUT -nv --line-numbers
Stop: # killall tail

Notes: Insert point is INPUT chain just below RELATED,ESTABLISHED to block early without impacting outbound connections.

Code:

#!/bin/sh
# rt_block.sh - near real time block-list
# lazardo, dd-wrt forum

MAX=64
RULE=2

last=$((MAX + RULE))

# trim previous rules
CNT=$(iptables -L INPUT -n --line-numbers | grep ' DROP ' | tail -1)
CNT=${CNT%% *}

if [ "$CNT" != "" ]; then
   while [ $CNT -ge $last ]; do
      iptables -D INPUT $((CNT--))
   done
else
   CNT=0
fi

prev=""
echo "in: $RULE; del:$last; max:$MAX" > /tmp/rt_block.start
iptables -L INPUT -nv --line-numbers >> /tmp/rt_block.start

# main loop
tail -n 0 -F /var/log/messages |
while read log; do
   addr=${log##* SRC=}
   [ "$addr" == "$log" ] && continue

   addr=${addr%% DST=*}
        [ "$addr" == "$prev" ] && continue

        iptables -I INPUT $RULE -s $addr -j DROP
   [ $((++CNT)) -ge $last ] && iptables -D INPUT $last

        prev=$addr
done


Cheers,
Back to top View user's profile Send private message
Sponsor
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 135
Location: SF Bay Area
PostPosted: Mon Jun 08, 2015 0:32    Post subject: Reply with quote
* Added optional static front-loaded IP list for known problems.
* Integrated rule purge and status
* New version attached as 'rt_block.tgz', md5sum: 22ac0c0dea5d487f77efea91050e5247

Hear is the INPUT chain a few minutes after running rt_block. The built-in firewall works fine, this just reduces log entries and resources used.
* static front load rules are 2..18. These are the well known problem source addresses and so remain until purged.
* real-time DROP rules are 19..30. These will grow to $MAX, then pruned from the bottom as new ones arrive.
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     415K   29M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        5   296 DROP       0    --  *      *       120.0.0.0/6          0.0.0.0/0           
3        0     0 DROP       0    --  *      *       110.0.0.0/7          0.0.0.0/0           
4        3   156 DROP       0    --  *      *       222.0.0.0/8          0.0.0.0/0           
5        7   330 DROP       0    --  *      *       60.0.0.0/7           0.0.0.0/0           
6        0     0 DROP       0    --  *      *       58.0.0.0/7           0.0.0.0/0           
7        0     0 DROP       0    --  *      *       202.0.0.0/8          0.0.0.0/0           
8        1    40 DROP       0    --  *      *       210.0.0.0/7          0.0.0.0/0           
9        3   120 DROP       0    --  *      *       218.0.0.0/7          0.0.0.0/0           
10       1    52 DROP       0    --  *      *       116.0.0.0/6          0.0.0.0/0           
11       2   116 DROP       0    --  *      *       220.0.0.0/7          0.0.0.0/0           
12       2    80 DROP       0    --  *      *       54.214.0.0/16        0.0.0.0/0           
13       2   120 DROP       0    --  *      *       124.0.0.0/7          0.0.0.0/0           
14       0     0 DROP       0    --  *      *       112.0.0.0/6          0.0.0.0/0           
15       0     0 DROP       0    --  *      *       54.245.0.0/16        0.0.0.0/0           
16       1    40 DROP       0    --  *      *       54.244.0.0/16        0.0.0.0/0           
17       0     0 DROP       0    --  *      *       50.112.0.0/16        0.0.0.0/0           
18       0     0 DROP       0    --  *      *       180.0.0.0/8          0.0.0.0/0           
19       0     0 DROP       0    --  *      *       89.209.17.80         0.0.0.0/0           
20       0     0 DROP       0    --  *      *       69.59.235.85         0.0.0.0/0           
21       0     0 DROP       0    --  *      *       31.148.219.9         0.0.0.0/0           
22       0     0 DROP       0    --  *      *       198.20.69.98         0.0.0.0/0           
23       0     0 DROP       0    --  *      *       85.25.103.50         0.0.0.0/0           
24       0     0 DROP       0    --  *      *       37.203.214.106       0.0.0.0/0           
25       0     0 DROP       0    --  *      *       178.19.108.165       0.0.0.0/0           
26       0     0 DROP       0    --  *      *       94.23.212.183        0.0.0.0/0           
27       0     0 DROP       0    --  *      *       94.102.52.31         0.0.0.0/0           
28       0     0 DROP       0    --  *      *       192.99.45.171        0.0.0.0/0           
29       1    44 DROP       0    --  *      *       167.114.9.11         0.0.0.0/0           
30       0     0 DROP       0    --  *      *       46.29.248.181        0.0.0.0/0           
31   22021 7256K ACCEPT     udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
32       0     0 logdrop    udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
33       0     0 logdrop    udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
34       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
35       0     0 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            192.168.1.251       tcp dpt:27501
36     162 13527 logdrop    icmp --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
37       0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0           
38      54  3340 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
39    552K   54M ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
40    2536  435K logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0


EDIT: Forgot to mention that the included static list is what I use, primarily CH and AWS blocks.
You should create a list with CIDR blocks and/or individual IP entries for your own problem children.

[PATCH] Fix for '#' comments in rt_block.list:
Code:

--- rt_block   2015-06-07 16:14:39.000000000 -0700
+++ rt_block.new   2015-06-10 20:55:56.724299572 -0700
@@ -23,7 +23,7 @@
    while read addr; do
       iptables -I INPUT $BASE -s $addr -j DROP
    done
-   CIDR=$(cat $LIST | wc -l)
+   CIDR=$(grep -v '^#' $LIST | wc -l)
 }
 
 _last () {

[PATCH] Fix for RST. A lot of SPT=443 drops from closed connections were being blocked which could be an issue.
Code:

--- rt_block   2015-06-12 10:35:35.664176657 -0700
+++ ../rt_block.new   2015-06-12 10:37:37.022995823 -0700
@@ -71,6 +71,7 @@
 while read raw; do
    addr=${raw##* SRC=}
    [ "$addr" == "$raw" ] && continue
+   [ "${addr##* RST}" != "$addr" ] && continue
    addr=${addr%% DST=*}
    [ "$addr" == "$prev" ] && continue
 

As always, test in your environment before making persistent, I am not a network expert.
To flush and restart:
Code:
# killall tail; ./rt_block -p; rt_block &

Cheers,

The chart shows 60% reduction in firewall logging resources even during development when rt_build was not always in place.
Back to top View user's profile Send private message
netguru76
DD-WRT User


Joined: 14 Sep 2014
Posts: 52
PostPosted: Tue Jun 30, 2015 11:22    Post subject: Reply with quote
Hi lazardo,

seeing that you are a men with knowledge to iptables...

would you be so kind and have a look at this one ...

Thx a lot!

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=283524&sid=490f813dab07675d16a9b19693ea138f
Back to top View user's profile Send private message
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum