Hi,

I want to dynamically blacklist the IP addresses of hosts that try to connect 
to unadvertised ports. I do this by setting the following in shorewall.conf:

DYNAMIC_BLACKLIST=ipset,timeout=172800:POL_BL:info:polbl

I also set the BLACKLIST policy:

net4            $FW             BLACKLIST
net4            loc             BLACKLIST
net4            dmz             BLACKLIST
net4            net3            BLACKLIST
net4            net2            BLACKLIST
net4            net1            BLACKLIST
net4            all             BLACKLIST
net3            $FW             BLACKLIST
net3            loc             BLACKLIST
net3            dmz             BLACKLIST
net3            net4            BLACKLIST
net3            net2            BLACKLIST
net3            net1            BLACKLIST
net3            all             BLACKLIST
net2            $FW             BLACKLIST
net2            loc             BLACKLIST
net2            dmz             BLACKLIST
net2            net4            BLACKLIST
net2            net3            BLACKLIST
net2            net1            BLACKLIST
net2            all             BLACKLIST
net1            $FW             BLACKLIST
net1            loc             BLACKLIST
net1            dmz             BLACKLIST
net1            net4            BLACKLIST
net1            net3            BLACKLIST
net1            net2            BLACKLIST
net1            all             BLACKLIST

However, after blacklisting the hosts' IP addresses I'd also like to redirect 
and allow ONLY traffic to port 62000 on the $FW IF the original destination 
port was 80.
In other words, if a listed client were to connect to http://myserver then it 
would be redirected to TCP 62000. No other traffic allowed for that source IP 
addr.

I have this in rules almost at the top:

REDIRECT:info:blsinit   net1,net2,net3,net4:+IPS_BL,+POL_BL!+GLOBAL_WL   62000   tcp   80

However, I get this in the log:

Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1

Here, "polbl" refers to the setting in DYNAMIC_BLACKLIST.

I guess it's expected, so I don't know if posting a shorewall dump to this list 
would help. I'd like to know how to change my shorewall configuration in order 
to only accept connections to 62000 for blacklisted hosts.
Adding an explicit ACCEPT rule before or after REDIRECT does not seem to 
"work". 

Am I required to use a custom DROP action instead of DYNAMIC_BLACKLIST?

Vieri
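The two log lines above are the same packet (same SRC, SPT and IP ID) seen first by the REDIRECT rule in the nat table, then by the dynamic-blacklist DROP in the filter table, where DPT is already 62000: the blacklist check runs after the port has been rewritten. The following is an added example, not code from the post or from the Shorewall project, that parses Shorewall log lines in this format and pairs each REDIRECT entry with the later DROP of the same packet, so the same pattern can be spotted in a larger log. The sample lines are constructed from the ones in the post, with the <MAC>/<IP> placeholders replaced by a dummy MAC address and RFC 5737 documentation addresses; the chain and disposition names are the ones the post shows.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): the two lines from the post plus one
# unrelated ACCEPT, with placeholders replaced by dummy MAC/IP values.
SAMPLE_LOG = """\
Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:net4-fw:ACCEPT:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<disposition>:" prefix, then the netfilter KEY=value fields.
PREFIX_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
# Bare flags such as DF and SYN have no "=" and are deliberately skipped.
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_line(line):
    """Return {'chain', 'disposition', KEY: value, ...} or None for a non-matching line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    event = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for kv in KV_RE.finditer(m.group("rest")):
        event[kv.group("key")] = kv.group("value")
    return event


def parse_log(text):
    """Parse every Shorewall line in a log text, in order; ignore anything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def packet_key(event):
    """Identify one packet across tables: source address, protocol, source port, IP ID."""
    return (event.get("SRC"), event.get("PROTO"), event.get("SPT"), event.get("ID"))


def correlate(events):
    """Group log entries for the same packet, preserving the order they were logged."""
    flows = defaultdict(list)
    for e in events:
        flows[packet_key(e)].append(e)
    return dict(flows)


def redirected_then_dropped(flows):
    """Map packet key -> (original DPT, rewritten DPT) for packets that were logged
    by a REDIRECT rule and afterwards DROPped with a different destination port."""
    result = {}
    for key, evs in flows.items():
        redirect = next((e for e in evs if e["disposition"] == "REDIRECT"), None)
        drop = next((e for e in evs if e["disposition"] == "DROP"), None)
        if redirect and drop and redirect.get("DPT") != drop.get("DPT"):
            result[key] = (int(redirect["DPT"]), int(drop["DPT"]))
    return result


if __name__ == "__main__":
    flows = correlate(parse_log(SAMPLE_LOG))
    for key, (before, after) in redirected_then_dropped(flows).items():
        chains = " -> ".join(f"{e['chain']}:{e['disposition']}" for e in flows[key])
        print(f"{key[0]} sport {key[2]} id {key[3]}: DPT {before} -> {after} ({chains})")
```

Run against a real /var/log/messages or kern.log, the output lists every blacklisted client whose redirected connection was then dropped on the rewritten port, which is the situation the post describes; an ACCEPT rule that should let those connections through has to match the post-REDIRECT port (62000), not the port the client originally asked for.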

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users