Puppet Class: iptables::rules::scanblock

Defined in:
manifests/rules/scanblock.pp

Overview

Provide a method for setting up an iptables electric fence

Any host that makes it past all of your allow rules will be added to the ban list.


> WARNING
>
> If you enable this, be sure to enable your IPTables rules prior to
> connecting with a client or you're likely to **completely deny** your
> internal hosts.
>
> WARNING


NOTE: Changing any of the `ip_*` variables will cause the iptables service to be triggered. This is because the variables cannot take effect until the iptables rules are reset.

## Management

Details on managing xt_recent can be found in `iptables(8)`. The following are just some useful commands.

  • Add an address to a list: `echo +addr >/proc/net/xt_recent/LIST_NAME`

  • Remove an address from a list: `echo -addr >/proc/net/xt_recent/LIST_NAME`

  • Remove all addresses from a list: `echo / >/proc/net/xt_recent/LIST_NAME`

Parameters:

  • enable (Boolean) (defaults to: true)

    Enable or disable scan blocking

  • seconds (Integer[0]) (defaults to: 60)

    Connections from attackers must happen within this number of seconds to be considered an attack

    • Works together with `hitcount`: that many hits within this window cause the source to be logged and blocked

  • hitcount (Integer[0]) (defaults to: 2)

    The number of hits that must happen within `seconds` to be considered an attack

  • set_rttl (Boolean) (defaults to: false)

    Set this if you worry about having external parties DoS your system by spoofing their IP addresses (adds `--rttl`, so an entry only matches packets whose TTL equals that of the packet that hit `--set`)

  • update_interval (Integer[0]) (defaults to: 3600)

    Block attackers for this long (in seconds)

    • Connecting systems must not connect for at least this long prior to being allowed to reconnect

  • logs_per_minute (Integer[0]) (defaults to: 5)

    Maximum number of log messages to emit per minute for connections that hit the ATTACKED chain

    • This is mainly so that you don’t end up overrunning your log services

  • ip_list_tot (Integer[0]) (defaults to: 200)

    The number of addresses remembered per table

    • This effectively becomes the maximum size of your block list

    • NOTE: Be aware that more addresses means more load on your system

  • ip_pkt_list_tot (Integer[0]) (defaults to: 20)

    The number of packets per address remembered

  • ip_list_hash_size (Integer[0]) (defaults to: 0)

    Hash table size

    • `0` means to calculate it based on `ip_list_tot`

  • ip_list_perms (String) (defaults to: '0640')

    Permissions for `/proc/net/xt_recent/*` files

  • ip_list_uid (Integer[0]) (defaults to: 0)

    Numerical `UID` for ownership of `/proc/net/xt_recent/*` files

  • ip_list_gid (Integer[0]) (defaults to: 0)

    Numerical `GID` for ownership of `/proc/net/xt_recent/*` files
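The interplay of `seconds`, `hitcount` and `update_interval` is easiest to see by modelling the two `xt_recent` lists the class creates (ATTK and BANNED) and replaying some connections through them. This is an added example constructed for this page, not code from the module: it ignores `set_rttl` and the `--mask` options, and the `RecentTable` and `scanblock` names and the sample traffic are the example's own.

```python
"""Model of the xt_recent "electric fence" built by iptables::rules::scanblock
(added example constructed for this page, not the module's code; --rttl/--mask
not modelled). Per NEW connection: ban_check (order 7) runs --update on BANNED;
ATTK_CHECK (order 28) runs --set, then --update --hitcount on ATTK -> ATTACKED -> DROP."""
from collections import defaultdict


class RecentTable:
    """One /proc/net/xt_recent/<NAME> list: timestamps per source address."""

    def __init__(self, pkt_list_tot=20):
        self.pkt_list_tot = pkt_list_tot    # ip_pkt_list_tot: stamps kept per address
        self.stamps = defaultdict(list)

    def set(self, now, src):
        """--set: append this packet's timestamp for src (ring buffer)."""
        stamps = self.stamps[src]
        stamps.append(now)
        del stamps[:-self.pkt_list_tot]

    def update(self, now, src, seconds, hitcount=1):
        """--update: match if src has >= hitcount stamps within `seconds`.
        A match refreshes the entry, which is what extends a ban on retry."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(now, src)
        return True


def scanblock(packets, seconds=60, hitcount=2, update_interval=3600):
    """packets: (time_s, src) NEW connections that reached the scanblock rules.
    Returns [(time_s, src, verdict)] in time order: 'DROP' for a banned or
    attacking source, 'PASS' when the packet continues to the later rules."""
    banned, attk = RecentTable(), RecentTable()
    verdicts = []
    for now, src in sorted(packets):
        if banned.update(now, src, update_interval):   # ban_check
            verdicts.append((now, src, "DROP"))
            continue
        attk.set(now, src)                              # ATTK_CHECK --set
        if attk.update(now, src, seconds, hitcount):    # -> ATTACKED
            banned.set(now, src)
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "PASS"))
    return verdicts
```

With the defaults, a source that opens two connections inside 60 seconds is dropped on the second and stays dropped for as long as it keeps retrying within 3600 seconds; setting `hitcount` to 1 bans every source on its first connection, which is the failure mode the warning above describes.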

Author:

  • Trevor Vaughan <tvaughan@onyxpoint.com>

```puppet
# File 'manifests/rules/scanblock.pp', line 91

class iptables::rules::scanblock (
  Boolean    $enable            = true,
  Integer[0] $seconds           = 60,
  Integer[0] $hitcount          = 2,
  Boolean    $set_rttl          = false,
  Integer[0] $update_interval   = 3600,
  Integer[0] $logs_per_minute   = 5,
  Integer[0] $ip_list_tot       = 200,
  Integer[0] $ip_pkt_list_tot   = 20,
  Integer[0] $ip_list_hash_size = 0,
  String     $ip_list_perms     = '0640',
  Integer[0] $ip_list_uid       = 0,
  Integer[0] $ip_list_gid       = 0
) {
  assert_private()

  if $set_rttl {
    $_rttl = '--rttl'
  }
  else {
    # lint:ignore:empty_string_assignment
    $_rttl = ''
    # lint:endignore
  }

  if $enable {
    $_v4mask = '--mask 255.255.255.255'

    iptables_rule{'attk_check':
      order    => 28,
      header   => false,
      apply_to => 'ipv4',
      # lint:ignore:only_variable_string
      content  => @("EOM")
        -A LOCAL-INPUT -m state --state NEW -j ATTK_CHECK
        -A ATTACKED -m limit --limit ${logs_per_minute}/min -j LOG --log-prefix "IPT: (Rule ATTACKED): "
        -A ATTACKED -m recent --set --name BANNED ${_v4mask} --rsource -j DROP
        -A ATTK_CHECK -m recent --set --name ATTK --rsource
        -A ATTK_CHECK -m recent --update --seconds ${seconds} --hitcount ${hitcount} ${_rttl} --name ATTK ${_v4mask} --rsource -j ATTACKED
        |EOM
    }
    # lint:endignore

    iptables_rule{'ban_check':
      order    => 7,
      apply_to => 'ipv4',
      content  => "-m recent --update --seconds ${update_interval} --name BANNED ${_v4mask} --rsource -j DROP"
    }

    if $facts['ipv6_enabled'] {
      $_v6mask = '--mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

      iptables_rule{'attk_check_v6':
        order    => 28,
        header   => false,
        apply_to => 'ipv6',
        # lint:ignore:only_variable_string
        content  => @("EOM")
          -A LOCAL-INPUT -m state --state NEW -j ATTK_CHECK
          -A ATTACKED -m limit --limit ${logs_per_minute}/min -j LOG --log-prefix "IPT: (Rule ATTACKED): "
          -A ATTACKED -m recent --set --name BANNED ${_v6mask} --rsource -j DROP
          -A ATTK_CHECK -m recent --set --name ATTK --rsource
          -A ATTK_CHECK -m recent --update --seconds ${seconds} --hitcount ${hitcount} ${_rttl} --name ATTK ${_v6mask} --rsource -j ATTACKED
          |EOM
      }
      # lint:endignore

      iptables_rule{'ban_check_v6':
        order    => 7,
        apply_to => 'ipv6',
        content  => "-m recent --update --seconds ${update_interval} --name BANNED ${_v6mask} --rsource -j DROP"
      }
    }
  }

  class { 'iptables::rules::mod_recent':
    ip_list_tot       => $ip_list_tot,
    ip_pkt_list_tot   => $ip_pkt_list_tot,
    ip_list_hash_size => $ip_list_hash_size,
    ip_list_perms     => $ip_list_perms,
    ip_list_uid       => $ip_list_uid,
    ip_list_gid       => $ip_list_gid,
    notify_iptables   => true
  }
}
```