On 9/23/2013 5:41 AM, Luca Camillo wrote:
> Hi all, I need some help to implement this kind of rule on shorewall:
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32
> "0x28&0xFFDFDFDF=0x055a5a47 && 0x2c&0xDFDFFFDF=0x53540343 &&
> 0x30&0xDFDFFFFF=0x4f4d0000" -j DROP
>
> This kind of rule is needed to block a DNS Amplification Attack.
> I found this file
> https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt
> where we can find iptables rules to prevent this kind of attack by filtering
> the request messages.
>
> I already found http://www.shorewall.net/pub/shorewall/contrib/DNSDDOS/ but
> it seems old and ineffective.
>
> Is there any way to do that on shorewall?
Yes.

/etc/shorewall/actions:

DNSR

/etc/shorewall/rules:

DNSR	net	all	udp	53

Attached is a file named action.DNSR which needs to be moved to /etc/shorewall. That file only implements the first three rules from the example -- the rest are left to those that want to implement this (I think it is pretty obvious how to add the additional rules).

Also attached is a patch which must be applied to Config.pm. That file may be installed in /usr/share/shorewall/Shorewall or somewhere under /usr/share/perl*.

patch <path to>/Config.pm < ADDCOMMENT.patch

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 7fa42c1..137c7ec 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -147,6 +147,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script process_comment no_comment macro_comment + set_comment push_comment pop_comment dump_mark_layout @@ -2118,6 +2119,13 @@ sub clear_comment() { } # +# Set the current comment +# +sub set_comment( $ ) { + ( $comment ) = @_; +} + +# # Push and Pop comment stack # sub push_comment() {
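Review bot: set_comment in the second hunk assigns $comment unconditionally, so a caller that has not first done push_comment silently loses whatever comment was in effect; the header line "Set the current comment" should state that the sub is meant to be bracketed by push_comment/pop_comment, as the attached action.DNSR does, or the sub should return the previous value so a caller can restore it. The first hunk places set_comment in the `internal` export tag beside push_comment and pop_comment, so an action file that only does `use Shorewall::Config;` depends on those `internal` symbols being visible to embedded Perl; worth confirming that with the existing push_comment/pop_comment calls before relying on it.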
#
# Shorewall 4 - DNS amplification action.
#
##########################################################################################
BEGIN PERL;
use Shorewall::Config;
use Shorewall::Chains;
#
# Get the action chain
#
my $chainref = get_action_chain;
#
# Save any current comment
#
my $oldcomment = push_comment;
#
# Add a DROP rule to the action chain matching the given u32 expression;
# the optional second argument becomes the rule's comment.
#
sub add_drop_rule( $;$ ) {
    my ( $u32, $comment ) = @_;

    set_comment( $comment || '' );
    add_ijump( $chainref, j => 'DROP', u32 => qq(--u32 "$u32") );
}
#
# Each u32 expression compares 32-bit words of the question name, which starts at
# offset 0x28 (20-byte IP header + 8-byte UDP header + 12-byte DNS header).
#
add_drop_rule( "0x28=0x07737563 && 0x2c=0x6b646467 && 0x30=0x02636300", "DROP DNS Q suckddq.cc" );
add_drop_rule( "0x2c=0x6966756e && 0x30=0x03636f6d" , "DROP DNS Q napifun.com" );
add_drop_rule( "0x28=0x0768616b && 0x2c=0x34756d7a && 0x30=0x036e6574", "DROP DNS Q hak4umz.net" );
#
# Restore the current comment
#
pop_comment( $oldcomment );
1;
END PERL;
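To see how the u32 expressions used in this thread are derived from a domain name, here is an added example (mine, not code from the thread or from Shorewall): it builds a case-insensitive expression of the same shape as the one in Luca's iptables rule, evaluates the `off&mask=val && ...` subset of u32 syntax against a constructed IPv4/UDP/DNS query, and shows that the fixed offsets stop matching as soon as the IP header carries options. It assumes the layout the rules assume (no IP options, name is the first question) and, as my own choice, masks padding bytes after the terminating label with 0x00 because they overlap QTYPE; the thread's rules use 0xFF there.

```python
import struct

# Offsets used by the rules in this thread: IPv4 header (20 bytes, no options)
# + UDP header (8) + DNS header (12) = 0x28, where the first question name begins.
QNAME_OFFSET = 0x28

def encode_qname(name):
    """Wire-format DNS name: length-prefixed labels plus a terminating 0x00."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def u32_expression(name):
    """Case-insensitive -m u32 expression matching `name` as the first question name."""
    wire = encode_qname(name)
    orig = len(wire)
    wire += b"\x00" * (-orig % 4)             # u32 compares whole 32-bit words
    tests = []
    for off in range(0, len(wire), 4):
        word = wire[off:off + 4]
        # 0xDF clears the ASCII case bit of letters; 0x00 ignores padding bytes,
        # which overlap QTYPE in the real packet (the thread's rules use 0xFF there).
        mask = bytes(0x00 if off + i >= orig else 0xDF if chr(b).isalpha() else 0xFF
                     for i, b in enumerate(word))
        value = int.from_bytes(word, "big") & int.from_bytes(mask, "big")
        tests.append("0x%x&0x%s=0x%08x" % (QNAME_OFFSET + off, mask.hex().upper(), value))
    return " && ".join(tests)

def u32_match(packet, expression):
    """Evaluate the `off&mask=val && ...` subset of u32 syntax against raw packet bytes."""
    for test in expression.split(" && "):
        lhs, val = test.split("=")
        off, mask = (lhs.split("&") + ["0xFFFFFFFF"])[:2]
        off = int(off, 16)
        if off + 4 > len(packet):              # a read past the end of the packet never matches
            return False
        if struct.unpack("!I", packet[off:off + 4])[0] & int(mask, 16) != int(val, 16):
            return False
    return True

def build_query(name, ip_options=b""):
    """Constructed sample packet: minimal IPv4/UDP/DNS A query (checksums left at zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4            # IP options shift every offset the rules assume
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp
```

`u32_expression("zzgst.com")` reproduces the first two terms of Luca's rule exactly; the third differs only in the padding mask.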
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users