Thomas,
Thank you.
IPSETs are new to me as well.
iptables was fairly straight forward.
I know that Fedora is a somewhat bleeding edge distribution, but it
seems sometimes things are changed just for the sake of change. I am a
great believer in "if it isn't broken, don't fix it." Oh well, it is
what it is. And I am grateful to all who do the hard work in the Fedora
community. I contribute as I can.
Just to clarify, I could add IPs to the drop zone with my network
interface in the home or work or some other zone and the drop zone would
be checked first and any sources found in the drop zone would be
disconnected before hitting the other zones. That is, if ssh is enabled
in home and a host in the drop zone tried to connect using ssh, the host
would not be able to connect. Is that correct?
Also another bit of clarification, you state that the ipset can be
modified while in use by firewalld. Do I understand correctly that if I
create an ipset and add a rule to firewalld to drop the IPs in the ipset
and I add an IP or delete an IP from the ipset while firewalld is using
it, firewalld will start or stop dropping the IP without having to
reload firewalld?
Sorry if I am a bit in need of hand holding, but we are talking
about the security of a server. Right now I am working on the inactive
server, but I want to have a better understanding before I use firewalld
on a live server.
A suggestion would be to make note of all the noob questions like mine and
add or change the documentation to make the points more clear.
Thanks,
John
On 08/22/2013 02:50 PM, Thomas Woerner wrote:
On 08/21/2013 11:07 PM, John Griffiths wrote:
> I thought I had the idea of how to add an IP to be dropped like iptables
> but after some further reading, I am not sure.
>
> I add IPs to iptables that I find are trying to hack into or abuse the
> system by using a script to examine log files and compile a list of IPs
> and add them to iptables. Of course that requires a restart of iptables
> for the new rules to take effect.
>
> I thought I could add the IPs to the DROP zone as sources. That
> apparently is not what I should do. That leaves me with what I should do
> and can it be done.
>
You can bind IP addresses to the drop zone. But with lots of IP
addresses this will result in a performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all ip addresses in it. Then add a permanent
direct rule to the firewall to DROP these. The performance hit should
be much lower (I have not tested it with that many entries, though).
Here are some steps to get this working for you. Please modify as needed.
1) Create droplist shell script in /usr/local/bin and add IP addresses
to the droplist ipset:
cat > /usr/local/bin/droplist.sh <<EOF
#!/bin/bash
# Creates/destroys the "droplist" ipset that the firewalld direct rule matches on.
case "\$1" in
  start)
    echo "Create droplist"
    /sbin/ipset create droplist hash:ip hashsize 4096
    RETVAL=\$?
    # Add IP addresses here (see examples below)...
    ################################################
    /sbin/ipset add droplist 192.168.0.5
    /sbin/ipset add droplist 192.168.0.6
    ################################################
    ;;
  stop)
    echo "Destroy droplist"
    /sbin/ipset destroy droplist
    RETVAL=\$?
    ;;
  *)
    echo "Usage: \$0 {start|stop}"
    RETVAL=1
    ;;
esac
# Escaped so the exit status is evaluated when the script runs, not when
# the heredoc is written out.
exit \$RETVAL
EOF
chmod ug+rx /usr/local/bin/droplist.sh
2) Create the service to create the droplist before firewalld starts:
cat > /etc/systemd/system/droplist.service <<EOF
[Unit]
Description=Droplist
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/droplist.sh start
ExecStop=/usr/local/bin/droplist.sh stop
[Install]
WantedBy=basic.target
EOF
3) Use the droplist permanently in firewalld. A firewalld reload is
needed to activate it (firewall-cmd --reload):
cat > /etc/firewalld/direct.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set droplist src -j DROP</rule>
</direct>
EOF
Please remember that you can not destroy a set that is in use by the
firewall. Also if a set is needed in a rule, the set has to be created
before the rule can be added to the firewall. But you can add entries
to and remove entries from the set while it is in use already. It is
not possible to mix IPv4 and IPv6 addresses in a set. Use one set for
IPv4 and another one for IPv6 instead. Please have a look at the ipset
man page. If you are also using network addresses, please use hash:net.
As firewalld is not able to handle ipsets itself, you have to make
sure that the ipset you want to use in the firewall is created before
firewalld starts, otherwise adding the rule using the set will fail.
ipset does not provide an init or systemd service atm.
You can add permanent direct rules with firewalld version 0.3.4 with
the direct.xml file in /etc/firewalld. The D-Bus interface for
permanent direct rules is in the GIT repo since some days now and the
command line support and UI stuff will be there soon.
BTW: The addition of address sets is on my TODO list for rich
language, but this will most likely take some time.
> I have over 8000 host IPs that I drop using:
>
> -A INPUT -s 222.221.2.210 -j DROP
> -A INPUT -s 222.221.12.13 -j DROP
> -A INPUT -s 222.221.12.104 -j DROP
> -A INPUT -s 222.221.88.88 -j DROP
>
> How do I drop connections to hosts that have abused the privilege of
> connecting to a service?
>
> I was using
>
> for i in `grep DROP iptables | awk '{print $4}' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4`
> do
> firewall-cmd --permanent --zone=drop --add-source=${i}/32
> done
>
> That is extremely slow by the way since two files are written for each
> add. Took a long time to add 8000+ records. It would be nice to have a
> batch mode to do multiple inserts.
>
> The public zone is still default. The network interface is in zone home
> and my VPN connection is in zone work.
>
> Any guidance is greatly appreciated.
>
> John
>
>
> _______________________________________________
> firewalld-users mailing list
> firewalld-users(a)lists.fedorahosted.org
>
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
>
Regards,
Thomas
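An added example for this thread (not code from Thomas's or John's mails, and not part of firewalld or ipset): it takes the plain list of abusive addresses John already compiles from his logs and turns it into an `ipset restore` batch file, which is the batch mode he asked for at the ipset level. It follows the caveats in Thomas's reply: one set per address family (IPv4 and IPv6 cannot share a set), `hash:net` whenever an entry carries a prefix length, `hash:ip` otherwise. Invalid lines are reported and skipped so one bad entry cannot abort the whole load. The set names `droplist4`/`droplist6`, the sample list and the input format (one address or CIDR per line, `#` comments allowed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): build an `ipset restore`
# batch file from a plain address list, one set per address family.
# Assumed set names: droplist4 / droplist6. Assumed input: one address or
# CIDR per line, '#' comments and blank lines allowed.

# is_ipv4 ADDR: succeed if ADDR (optional /prefix stripped) is a dotted
# quad with every octet in 0..255.
is_ipv4() {
    addr=${1%%/*}
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR: crude check, enough to route an entry to the inet6 set:
# hex digits and colons only, with at least one colon.
is_ipv6() {
    a6=${1%%/*}
    case $a6 in
        *:*) ;;
        *) return 1 ;;
    esac
    case $a6 in
        *[!0-9A-Fa-f:]*) return 1 ;;
    esac
    return 0
}

# emit_set NAME FAMILY ENTRIES: one `create` line, then sorted and
# deduplicated `add` lines. Uses hash:net when any entry has a prefix
# length (as Thomas advises for networks), hash:ip otherwise.
emit_set() {
    name=$1; fam=$2; entries=$3
    [ -n "$entries" ] || return 0
    stype=hash:ip
    case $entries in
        */*) stype=hash:net ;;
    esac
    printf 'create %s %s family %s hashsize 4096\n' "$name" "$stype" "$fam"
    printf '%s' "$entries" | sort -u | while IFS= read -r e; do
        printf 'add %s %s\n' "$name" "$e"
    done
}

# gen_ipset_restore < LIST: print ipset restore commands on stdout.
# Rejected lines are reported on stderr and skipped, so one bad entry
# does not abort the batch load.
gen_ipset_restore() {
    v4=''; v6=''
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                   # drop comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # and whitespace
        [ -n "$entry" ] || continue
        if is_ipv4 "$entry"; then
            v4="$v4$entry
"
        elif is_ipv6 "$entry"; then
            v6="$v6$entry
"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    emit_set droplist4 inet "$v4"
    emit_set droplist6 inet6 "$v6"
}

# Constructed sample list for the demonstration (not real abuse data).
SAMPLE_LIST='# constructed sample droplist
192.168.0.5
192.168.0.6
192.168.0.5          # duplicate, collapsed by sort -u
10.0.0.0/8           # a network entry: forces hash:net for the v4 set
300.1.1.1            # invalid octet, skipped
2001:db8::1
not-an-address       # invalid, skipped
'

# demo: run the generator over the constructed list.
demo() {
    printf '%s' "$SAMPLE_LIST" | gen_ipset_restore
}

demo
```

In the `start` branch of a script like Thomas's `droplist.sh`, the generated file replaces the per-address `ipset add` lines with a single `ipset restore -exist < /path/to/droplist.restore`; the `-exist` flag makes ipset ignore a `create` for a set that already exists and an `add` for a member already present, so the same file can be re-run against a set that the direct rule is already matching on. With two sets, the direct.xml needs one `ipv="ipv4"` rule for `droplist4` and one `ipv="ipv6"` rule for `droplist6`.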