i have a script I use that reads ipaddress or ranges lines in from a txt file and insert them into my iptables. allows me to maintain one list for many servers. Recently I have been playing with string searches and user-agents stopping bad actors that use scripts that identify themselves using weird names in the useragent that i discover using tcpdump
I am trying to read a file and read each line in and
I am reading a file full of variables using egrep for example
JuNXhgCR
sipcli/v1.8
sipcli
friendly-scanner
pplsip
Asterisk PBX
Asterisk PBX 1.6.5
erdfcvqwaszx121
sipvicious
eyeBeam
VaxIPUserAgent
VaxSIPUserAgent/3.1
siparmyknife
VoIP SIP v11.0.0
FreePBX 1.8
Test Agent
but when i
egrep -v "^#|^$" x | while IFS= read -r uas
do
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string $uas --algo bm --to 65535 -j DROP
done <"${_input}"
I just get ... but anything with a space is not passed ?? where is... VoIP SIP v11.0.0 , FreePBX 1.8 , Test Agent ??
JuNXhgCR
sipcli/v1.8
sipcli
friendly-scanner
pplsip
erdfcvqwaszx121
sipvicious
eyeBeam
VaxIPUserAgent
VaxSIPUserAgent/3.1
siparmyknife
Is there a better way to read and do this?
Related
I have a VM in VirtualBox with Debian 10 and I'm trying to NAT masquerade it's output interface (enp0s8) so that it's clients (VMs connected to it) can access the Internet.
All interfaces in the system have an IP. I've already enabled forwarding with:
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
And then I executed:
iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
However, whenever I execute the above, the following happens:
And no matter how many times I iptables --flush -t nat and repeat the process, the result is always the same. The rule I want to apply is never saved properly and the client's IPs are never masked.
What is the issue here? Almost all tutorials say this is the correct way for masquerading.
I've also tried using nftables, without success.
It is already showing the right output. To show the rules with the interface details, you need to use,
iptables -t nat -L -n -v
And btw, if you have setup NAT networking, it is already taken care to connect outside.
And have you set the default gateway of your clients to this box?
My site now is under ddos-attack,
"ss -ant" shows a lot of FIN-WAIT-2 (and some FIN-WAIT-1) connections from one ip (and random ports), about 500-700 connections:
FIN-WAIT-2 0 0 ::ffff:MY_IP:443 ::ffff:ATTACKERS_IP:RANDOM_PORT
.... 500-700 times
Im trying to use
iptables -A INPUT -s ATTACKERS_IP -j DROP
and
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST RST -m limit --limit 1/s -j ACCEPT
and
echo "2" > /proc/sys/net/ipv4/tcp_fin_timeout
but it doesnt help - new connections are coming in with another random ports.
So, how to TOTALLY block specific IP by iptables (or maybe something else) to prevent FIN-WAIT-2 flood by ip which freezes the server?
It depends, there's a ton of ways to approach the problem. You could block the whole country if it's a foreign-language country (provided your website is not of international market or interest).
or
You could block an entire ip block
or
You could use cloudflare to pre-mitigate the problem
or
You could ....
I am using iperf to test network bandwidth between two Ubuntu 16.04.2 hosts (10.0.0.1 and 10.0.0.51). I ran "iperf -s" on 10.0.0.51 and then ran "iperf -c 10.0.0.51 -T 10" on 10.0.0.1. I do see the connection establishment (i.e. local 10.0.0.51 port 5001 connected with 10.0.0.1 port 37680) on both the sides but I do not get the results. It just hangs. Any help is highly appreciated. Thanks
with iperf3, you can see the output in json format:
The command:
iperf3 -c <server-ip> -w 4000 -t 10 -i 2 -f MBytes -V -J --logfile test.log
Note: In this case make sure you can run iperf client and server same version i.e version 3 in both cases
Check for firewalls or packet filters, e.g. for linux use iptables -L to list them and iptables -F to delete them all. Also, what version of iperf? You might want to display interval reports (-i 1) and see what they are reporting.
I am facing some problems with tcpreplay. I am running L-7 filter userspace version on ATCA- PP81 blade, and I have this following iptable rules :
iptables -A FORWARD -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p udp -i eth0 -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p tcp -i eth0 -j NFQUEUE --queue-num 0
I am sending pcap files from a computer using tcpreplay, but all the replayed pcap files except those which have broadcast address were not detected by the iptables. I checked it with:
iptables -t mangle -L -v
I tried many ways, including using a cache file as discussed in some of the forums, and everything is in vain. Now I am totally helpless. I would appreciate it if you could reply my question.
Thanking you in anticipation
regards,
Amlas
It is not possible. This is a tcpreplay limitation.
http://tcpreplay.synfin.net/wiki/FAQ
Can I use IPTables/Traffic Control with tcpreplay?
You can not use iptables/tc on the same box as you run tcpreplay. The only way to use IPTables or Traffic Control (tc) with tcpreplay is to run tcpreplay on a different box and send the traffic through the system running iptables/tc. This limitation is due to how the Linux kernel injects frames vs. reading frames for iptables/tc which makes traffic sent via tcpreplay to be invisible to iptables/tc.
I'd like to make SSH-identification a little stronger using iptables extensions (or IPSec tools?) for marking (while sending) and matching (while recieving) the packets between my laptop and my server.
I need no VPN, just to send additional information in IP Options header (or in the AH field?).. while talking to server.
It would be nice if it could be possible by using iptables plugins for Debian only (to first alter the headers and then compare the key inside on my remote host).
I googled for a day and found such topics as Inspect protocols AH and ESP for content; Using iptables string-matching filter; Payload mangling etc - but for a now I could not understand the most important thing: which packet to install for Debian on both computers:)
My dream is to block connections using iptables on port 22 (which have no signature inside) before the SSH handshake starts. Can you help me, please?
I did my homework again, and gurus online told me to use the ToS field, "which remains the same while being transmitted over global networks".
An example how to set it:
iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
And it's a very small field (256 bits), filled up with the service information, so there is no much room to play with and you must be very careful. But still!..
Later then the ToS value can be read on the receiving machine using something like
iptables -A INPUT -p tcp -m tos --tos 0x16