Showing posts with label iptables. Show all posts

Tuesday, June 26, 2012

Setting up reverse DNS server...

In the post about DNS configuration I skipped reverse DNS. But it is necessary in some cases, like a FreeIPA installation or mail servers. So, I'm going to explain how to configure a reverse DNS server.

While "normal" DNS resolution works by names, from the root servers down to the authoritative one for the name we are looking for, reverse DNS resolution works within a special top-level domain (in-addr.arpa). Within this domain, sub-domains are composed of the octets of the IP address in reverse order. Now, if your block of IP addresses ends on a byte boundary (e.g. /8, /16, /24) the setup is relatively simple. Otherwise, your upstream provider (the one that holds the larger IP address block) has to point to your domain on a per-address basis.

Let us bring this to more concrete values. Suppose that our public IP address space is 192.0.2.0/24. Also, suppose that your mail server has the public IP address 192.0.2.2. In that case, the reverse query is sent for the name 2.2.0.192.in-addr.arpa with the query type set to PTR, i.e. we are looking for the name 2 within the 2.0.192.in-addr.arpa zone.

So, it's relatively easy to set up reverse DNS. You need to define appropriate zones that include only the network part of your IP addresses. In our case we have two networks, but the IP addresses used for one of them depend on who's asking (a client from the local network or a client on the Internet). So, we have three zones in effect:
  1. The DMZ, when asked by local clients, is in the network 10.0.0.0/24. This means we have the reverse zone 0.0.10.in-addr.arpa for local clients.
  2. The DMZ, when asked by Internet clients, is in the network 192.0.2.0/24. This means that for them the reverse zone is 2.0.192.in-addr.arpa.
  3. Finally, clients in the local network (the non-DMZ one) have IP addresses from the block 172.16.1.0/24 and so they are placed within the reverse zone 1.16.172.in-addr.arpa.
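The octet-reversal rule and the byte-boundary caveat above are easy to get wrong by hand, so here is an added example (my code, not from the post or from BIND) that derives the in-addr.arpa names for the three networks listed, renders the zone statements in the post's style, and refuses a block that does not end on an octet boundary. The helper names (reverse_name, reverse_zone, ptr_owner, zone_statement) are my own; the networks and file names are the post's.

```python
import ipaddress

# Added example: derive in-addr.arpa names the way the post describes,
# for any IPv4 address and for blocks whose prefix ends on an octet boundary.

ARPA_SUFFIX = "in-addr.arpa"


def reverse_name(ip: str) -> str:
    """Full PTR owner name for one address: octets reversed, then in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + ARPA_SUFFIX


def reverse_zone(cidr: str) -> str:
    """Zone name for a block ending on an octet boundary (/8, /16 or /24).

    A block that does not end on an octet boundary cannot be expressed as a
    single in-addr.arpa zone; as the post says, the upstream provider then has
    to delegate address by address, so this function refuses such a block.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: prefix must be /8, /16 or /24 for a plain reverse zone")
    keep = net.prefixlen // 8                      # network octets to keep
    octets = str(net.network_address).split(".")[:keep]
    return ".".join(reversed(octets)) + "." + ARPA_SUFFIX


def ptr_owner(ip: str, cidr: str) -> str:
    """Relative owner name to write in the zone file (host octets, reversed)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def zone_statement(cidr: str, filename: str) -> str:
    """Render the named.conf zone statement for the block, in the post's layout."""
    return (
        f'zone "{reverse_zone(cidr)}" {{\n'
        "    type master;\n"
        f'    file "{filename}";\n'
        "};"
    )


if __name__ == "__main__":
    # The three reverse zones from the post, with the file names it uses.
    for cidr, fname in (("10.0.0.0/24", "example-domain.com.local.rev"),
                        ("172.16.1.0/24", "example-domain.local.rev"),
                        ("192.0.2.0/24", "example-domain.com.rev")):
        print(zone_statement(cidr, fname))
    print(reverse_name("192.0.2.2"), "-> owner", ptr_owner("192.0.2.2", "192.0.2.0/24"))
```

Running it prints the three zone statements used in the post and confirms that the mail server's address 192.0.2.2 is looked up as 2.2.0.192.in-addr.arpa, i.e. the name 2 inside the 2.0.192.in-addr.arpa zone.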
So, within the internal view you should add the following two zone statements:
zone "0.0.10.in-addr.arpa" {
    type master;
    file "example-domain.com.local.rev";
};

zone "1.16.172.in-addr.arpa" {
    type master;
    file "example-domain.local.rev";
};
And within the internet view you should add the following zone statement:
zone "2.0.192.in-addr.arpa" {
    type master;
    file "example-domain.com.rev";
};
Then, you should create the three zone files (example-domain.com.local.rev, example-domain.local.rev, and example-domain.com.rev) with the following content:
# cat example-domain.com.local.rev
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062601 ; serial
            1D         ; refresh
            1H         ; retry
            1W         ; expire
            3H )       ; minimum
           NS    ns1.example-domain.com.

1          PTR    ns1.example-domain.com.
# cat example-domain.local.rev
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062601 ; serial
            1D         ; refresh
            1H         ; retry
            1W         ; expire
            3H )       ; minimum
           NS    ns1.example-domain.com.

1          PTR    test.example-domain.local.
# cat example-domain.com.rev
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062601 ; serial
            1D         ; refresh
            1H         ; retry
            1W         ; expire
            3H )       ; minimum
           NS    ns1.example-domain.com.

1          PTR    ns1.example-domain.com.
Don't forget to change permissions on those files as explained in the previous post. Now, restart BIND and test the server:
# nslookup ns1.example-domain.com 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

Name:    ns1.example-domain.com
Address: 10.0.0.1
[root@ipa ~]# nslookup 10.0.0.1 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

1.0.0.10.in-addr.arpa    name = ns1.example-domain.com.
As can be seen, the DNS server correctly handles the request for the IP address 10.0.0.1 and returns ns1.example-domain.com. Let's try with a name from the LAN:
# nslookup test.example-domain.local 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

Name:    ipa.example-domain.local
Address: 192.0.2.1

[root@ipa named]# nslookup 192.0.2.1 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

1.2.0.192.in-addr.arpa    name = test.example-domain.local
That one is correct too. So, that's it, you have reverse DNS correctly configured. Testing from the outside I'm leaving to you as an exercise. ;)

Monday, June 25, 2012

Setting up DNS server...

In the previous post I described how to install a minimal CentOS distribution with some additional useful tools. In this part I'm going to describe how to install a DNS server. This DNS server will behave differently depending on where the client is; in other words, we are going to set up split DNS. Note that since the DNS server is accessible from the Internet, it is placed in the DMZ network, i.e. 10.0.0.0/24.

Environment and configuration parameters

In the following text we assume the network topology from the previous post, but we need some additional assumptions and requirements before going further. First, our public domain is example-domain.com and all hosts within the DMZ will belong to that zone, i.e. the FQDN of the mail server will be mail.example-domain.com. When some client from the Internet asks for a certain host, e.g. mail.example-domain.com, the DNS server will return its public IP address. On the other hand, when a client from the local network, or even from the DMZ, asks for the same host, the private IP address will be returned, i.e. 10.0.0.2. The reason for such behavior is more efficient routing. In other words, if a client from the local network received the public IP address, then all the traffic would have to be NAT-ed. We'll also assume that we are assigned the public block of IP addresses 192.0.2.0/24.

There will also be an additional domain, example-domain.local, in which all the hosts from the local network will be placed. This domain will be visible only from the local network and the DMZ; it will not exist for clients on the Internet.

To simplify things we are not going to install a secondary DNS server, nor are we going to configure reverse zones. For test purposes this is OK, but if you are doing anything serious, you should definitely install slave DNS servers (or use someone's service) and configure reverse zones. Also, I completely skipped IPv6 and DNSSEC configuration.

Installation of necessary packages

There are a number of DNS server implementations to choose from. The one shipped with CentOS is BIND. It is the most popular DNS server, with the most features, but in the past it had a lot of vulnerabilities. Nevertheless, we'll use that one. Maybe sometime in the future I'll write something about alternatives, too.

So, the first step is to install the necessary packages:
yum install bind.x86_64 bind-chroot.x86_64 bind-utils.x86_64
The server itself is in the bind package; bind-chroot is used to confine the server to an alternative root filesystem in case it is compromised. Finally, bind-utils contains the utilities we need to test the server. This is 4.1M of download data, and it takes around 7M after installation. Not much.

Note that it is good security practice to confine the server to an alternative root. As I already said, in the past BIND had many vulnerabilities, and in case a new one is discovered and exploited, we want to minimize the potential damage.

That's all about installation.

Configuration

Next, we need to configure the server before starting it. The main configuration file for BIND is /etc/named.conf. So, open it with your favorite editor, as we are going to make some changes in it. Remember that our domain is called example-domain.com and that we want private addresses to be returned for internal clients, and public ones for external clients. Additionally, we have a local domain example-domain.local. Here is the content of the /etc/named.conf file:
acl lnets {
    10.0.0.0/24;
    172.16.1.0/24;
    127.0.0.0/8;
};

options {
  listen-on port 53 { any; };
  directory     "/var/named";
  dump-file     "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-update     { none; };
  recursion no;

  dnssec-enable no;
};

view "internal" {
    match-clients { lnets; };
    recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "example-domain.local" {
        type master;
        file "example-domain.local";
    };

    zone "example-domain.com" {
        type master;
        file "example-domain.com.local";   // internal copy of the zone; this is the file name BIND reports in the error message shown later
    };

    include "/etc/named.rfc1912.zones";
};

view "internet" {
    match-clients { any; };
    recursion no;

    zone "example-domain.com" {
        type master;
        file "example-domain.com";
    };
};
Let me now explain what this configuration file actually specifies. At the global level there are four blocks, i.e. acl, options, and two view blocks.

The acl block (or blocks, because there may be more such statements) specifies a symbolic name that will refer to a group of addresses. This is good from a maintenance perspective because there is only one place where something is defined. In our case, we define our local networks, i.e. the DMZ and the local LAN. There is also the loopback address, because when some application on the DNS server itself asks something, the DNS server should treat it as if it were coming from the local network.

Next is the options block. In our case we specify that the DNS server should listen (listen-on) on port 53 on any IP address (any). In case you want to restrict which addresses the DNS server listens on, you can enumerate them here instead of the any keyword. Better yet, create an ACL and use its symbolic name. In the options block we also disabled DNSSEC (dnssec-enable no), disabled dynamic updates to the server (allow-update { none; }), and disabled recursion (recursion no). Apart from that we defined directories, e.g. for zone files.

Finally, there are two view statements. They define zones depending on where the asking client is. If it is on the local networks, then the first view (i.e. internal) is consulted, and if the client is anywhere else, then the second view (i.e. internet) is consulted. The match-clients statement classifies clients, and it is here that we use our ACL lnets. When a query arrives, the source address of the packet is taken and compared against match-clients; the first view that matches is used. So, obviously the second view matches anything, but since it is the last one, it is a catch-all view. For our local clients we allow recursive queries (recursion yes), while we disallow them for global clients (recursion no). This is good security practice! Also, note that for internal clients we define the example-domain.local zone, which isn't defined for global clients. And, for the same example-domain.com zone, two different files (i.e. databases with names) are used. This reflects the fact that we want local clients to get local IP addresses, while global clients should get globally valid IP addresses.
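To make the first-match view selection and its consequences concrete, here is an added example (my code, not from the post and not BIND's logic) that models the two views and the lnets ACL from the configuration above. It takes a client source address and a query name and reports which view answers and whether the query is served authoritatively, recursed, or refused, which is what the nslookup tests later in the post observe. The function names and the simplified "zone lookup" are my own assumptions; the ACL members, view names and zone names are the post's.

```python
import ipaddress

# Added example: a small model of BIND view selection (match-clients, first
# match wins) using the post's "lnets" ACL and its two views, in the same order.

ACLS = {
    "lnets": ["10.0.0.0/24", "172.16.1.0/24", "127.0.0.0/8"],
    "any": ["0.0.0.0/0"],
}

VIEWS = [
    {"name": "internal", "match_clients": ["lnets"], "recursion": True,
     "zones": {"example-domain.local", "example-domain.com"}, "hints": True},
    {"name": "internet", "match_clients": ["any"], "recursion": False,
     "zones": {"example-domain.com"}, "hints": False},
]


def acl_matches(acl_name: str, src: str) -> bool:
    """True if the source address falls inside any prefix listed under the ACL name."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in ACLS[acl_name])


def select_view(src: str, views=VIEWS):
    """First view whose match-clients accepts the source address, else None."""
    for view in views:
        if any(acl_matches(acl, src) for acl in view["match_clients"]):
            return view
    return None


def answer_policy(src: str, qname: str, views=VIEWS):
    """Return (view name, outcome): 'authoritative', 'recurse' or 'REFUSED'."""
    view = select_view(src, views)
    if view is None:
        return (None, "REFUSED")
    labels = qname.rstrip(".").split(".")
    # Walk the name upwards (ns1.example-domain.com -> example-domain.com -> com)
    # to find the closest zone this view serves.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in view["zones"]:
            return (view["name"], "authoritative")
    # Not one of our zones: only a recursive view with root hints will ask others.
    if view["recursion"] and view["hints"]:
        return (view["name"], "recurse")
    return (view["name"], "REFUSED")


if __name__ == "__main__":
    # 3.3.3.3 is the fake "outside" source the post later adds to lo for testing.
    for src, name in (("10.0.0.5", "www.google.hr"),
                      ("3.3.3.3", "www.slashdot.org"),
                      ("3.3.3.3", "ns1.example-domain.local"),
                      ("3.3.3.3", "ns1.example-domain.com")):
        print(f"{src:10} {name:28} -> {answer_policy(src, name)}")
```

Reversing the order of VIEWS in select_view makes the "any" view swallow every client, including local ones, which is why the catch-all view must be listed last.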

Zone configurations

There are three zones in our case. The first one is the global one, used to answer queries from clients on the Internet. Looking into the main configuration file, the name of the file containing this zone has to be example-domain.com and it has to be placed in the /var/named directory! The content of this file is:
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062501    ; serial
            1D            ; refresh
            1H            ; retry
            1W            ; expire
            3H )          ; minimum
           NS    ns1.example-domain.com.

ns1        A    192.0.2.1
There are three records in the file. The first one defines the zone itself; it is called Start of Authority, or SOA. The @ sign is shorthand for the zone name, and it is taken from the /etc/named.conf file. Then there is a continuation that defines the name server (NS) for the zone. It is a continuation because the first column (where the @ sign is) isn't given, so it is taken from the previous record. The name server is ns1.example-domain.com. Finally, there is the IP address of the name server (A record). You should keep in mind that any name that doesn't end with a dot gets the domain name appended. A lot of errors are caused by that omission. For example, if you wrote ns1.example-domain.com (without the ending dot) this would translate into ns1.example-domain.com.example-domain.com., which is obviously wrong. But note that we are counting on this behavior in A records, since we only wrote a name, without a domain!
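The trailing-dot rule described above is worth checking mechanically before a zone file goes live. The following added example (my code, not from the post) applies the rule to a single name and then lints a small constructed zone file, modelled on the one above, for NS/CNAME/PTR/MX targets that contain dots but lack the trailing dot; those are almost always typos that BIND will silently expand into a nonsense name. The function names, the record-type list and the sample zone are my own assumptions.

```python
# Added example: apply BIND's relative-name rule and lint a zone file for
# name targets that are missing the trailing dot.

# Record types whose rdata ends with a domain name that is subject to the rule.
RDATA_IS_NAME = {"NS", "CNAME", "PTR", "MX"}


def qualify(name: str, origin: str) -> str:
    """Return the fully qualified name BIND would use for 'name' in zone 'origin'."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name                 # already absolute, left untouched
    return f"{name}.{origin}"       # relative: origin is appended


def lint_zone(text: str, origin: str):
    """Find NS/CNAME/PTR/MX targets that look absolute but lack the trailing dot.

    Returns a list of (line number, target as written, name BIND would really use).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]            # drop comments
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue                           # blank line or $TTL/$ORIGIN directive
        if not any(t in RDATA_IS_NAME for t in tokens):
            continue                           # SOA continuation lines, A records, ...
        target = tokens[-1]
        if "." in target and not target.endswith("."):
            findings.append((lineno, target, qualify(target, origin)))
    return findings


# Constructed sample zone: the NS record below has the mistake the post warns about.
SAMPLE_ZONE = """\
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062501    ; serial
            1D            ; refresh
            1H            ; retry
            1W            ; expire
            3H )          ; minimum
           NS    ns1.example-domain.com
ns1        A    192.0.2.1
www        CNAME ns1
"""

if __name__ == "__main__":
    for lineno, written, expanded in lint_zone(SAMPLE_ZONE, "example-domain.com"):
        print(f"line {lineno}: '{written}' will be treated as '{expanded}'")
```

The CNAME to the bare name ns1 is left alone because a name without any dot is clearly meant to be relative, exactly as the A records in the post rely on.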

The other zone files are similar to the previous one and also have to be within the /var/named directory. For the local view of example-domain.com the content of the zone file is:
$TTL 1D
@    IN    SOA    @ root.example-domain.com. (
            2012062501 ; serial
            1D         ; refresh
            1H         ; retry
            1W         ; expire
            3H )       ; minimum
        NS    ns1.example-domain.com.

ns1        A    10.0.0.2
Note that it is almost identical, except that the IP address of the name server is now from a private range! Finally, here is the content of the zone that contains names from the local network:
$TTL 1D
@    IN    SOA    @ root.example-domain.local. (
            2012062501 ; serial
            1D         ; refresh
            1H         ; retry
            1W         ; expire
            3H )       ; minimum
        NS    ns1.example-domain.com.

test        A    172.16.1.1
Again, almost the same. Note that I added one test record with a phony IP address. This is so that I can test whether the DNS server correctly resolves IP addresses.

One final thing before starting the DNS server! You should change the file ownership and SELinux context. To do so, use the following two commands (run them in the /var/named directory):
chcon system_u:object_r:named_zone_t:s0 example-domain.*
chown root.named example-domain.*
The first command changes the SELinux context, and the second one the owner and group of the files. So, it is time to start the BIND, i.e. DNS, server:
/etc/init.d/named start
If there were some error messages, like the following one:
zone example-domain.com/IN/internal: loading from master file example-domain.com.local failed: permission denied
zone example-domain.com/IN/internal: not loaded due to errors.
Then something is wrong. Look carefully at what it says, as the error messages are quite self-explanatory! In this particular case the problem is that the DNS server cannot read the zone file. If you get that particular error message, check that the SELinux context and ownership were changed properly.

Testing

Now, if you get just OK, it doesn't yet mean that everything is OK. You have to query the server in order to see if it responds correctly. But, if there were any errors, they will be logged in /var/log/messages.

To test DNS server, use nslookup like this:
nslookup 127.0.0.1
Here, I assume you are testing on the DNS server itself. If you are testing on some other host, then you should replace the address 127.0.0.1 with the proper IP address of the DNS server (the public one in case you ask from the Internet, the local one if you are asking from some computer in the DMZ or local network). In any case you should receive correct answers. Here are a few examples:
# nslookup ns1.example-domain.com 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

Name:    ns1.example-domain.com
Address: 10.0.0.2
# nslookup test.example-domain.local 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

Name:    test.example-domain.local
Address: 172.16.1.1
As expected, when an internal host sends a request, internal IP addresses are returned. You should also check that any valid name is properly resolved (recursive queries). For example, you could ask for www.google.hr:
# nslookup www.google.hr 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
www.google.hr    canonical name = www-cctld.l.google.com.
Name:    www-cctld.l.google.com
Address: 173.194.70.94
Which, in this case, resolves properly.

Now, there is the question of how to test if names are properly resolved for clients on the Internet. The obvious solution is to try from some host on the Internet and see what happens. In case you don't have a host on the Internet, you can cheat using NAT. ;)

Do the following. First, add some random IP address to your loopback interface, i.e.:
ip addr add 3.3.3.3/32 dev lo
Then, configure NAT so that any query sent via loopback gets source IP address changed:
iptables -A POSTROUTING -o lo -t nat -p udp --dport 53 -j SNAT --to-source 3.3.3.3
And now, try to send few queries:
# nslookup www.slashdot.org. 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

** server can't find www.slashdot.org: REFUSED
That one is OK. Namely, we don't want to resolve third-party names for outside clients (remember, recursion is off!). Next test:
# nslookup ns1.example-domain.local. 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

** server can't find ns1.example-domain.local: REFUSED
This one doesn't work either, which is what we wanted, i.e. our local domain isn't visible to the outside world. Finally, this one:
# nslookup ns1.example-domain.com. 127.0.0.1
Server:        127.0.0.1
Address:    127.0.0.1#53

Name:    ns1.example-domain.com
Address: 192.0.2.1
Which sends us correct outside address.

So, all set and done. Don't forget to remove temporary records (i.e. test), iptables rule, lo address, and also don't forget to modify /etc/resolv.conf so that your new server is used by default by local applications.

Thursday, January 19, 2012

OSSEC active response...

This is still a work in progress (I need to add more about the configuration part). But since OSSEC is so badly documented and I don't know when this will be finished, I'm publishing it now.
Prompted by the problem caused by the OSSEC active response, I decided to try to debug why an error is occurring in the logs and fine-tune it. But in order to do that I first had to understand how it works. There is a section in the OSSEC manual about active response, but what wasn't immediately clear to me is who runs the active response and where this is configured. Soon I found out that the active response is run on the client via the agent (actually this part wasn't problematic), but that active response is configured on the server, and the server is the one that instructs agents to run the active response.

On the server you'll find the active response configuration in $OSSEC/etc/ossec.conf. In that file you have several parts of the configuration:
  1. A set of blocks, each defining a command for active response and the arguments it expects. Note that those commands have to exist on the agents.
  2. A set of blocks that define the circumstances under which there will be an active response and which command will be executed.
Scripts for active response

Scripts for active response receive five arguments. The first argument is either add or delete. If add is specified, the given IP address should be added to a ban list; in case delete is specified, the address should be removed from the ban list. The second argument is a user name. The third argument is the offending IP address. The fourth argument is the Unix timestamp (microsecond resolution) when the script was called. The final argument is the rule number that triggered the active response.
firewall-drop.sh script

This script ships with OSSEC and it adds or removes IP addresses from the firewall. It is a relatively simple shell script that accepts command line arguments as specified in the introduction of this section and installs the IP address in the ban list (or removes it from there, depending on the command line arguments). The script can be run on Linux, FreeBSD, NetBSD, Solaris and AIX. The following description is specific to Linux behavior even though some things will be common across platforms.

This script logs its activity into active-responses.log file (in my case in /var/ossec/logs directory). For each invocation one line is emitted into that file. Here is an example of one log entry:
Thu Jan 19 13:52:29 CET 2012 /var/ossec/active-response/bin/firewall-drop.sh add - 193.41.36.141 1326977549.1358625 3301
The first group of fields is the timestamp when the log entry was generated. Next is the full path and name of the script itself. Finally, all five arguments given to the script are also recorded.

Occasionally, you'll also see error messages like the following one:
Thu Jan 19 06:17:19 CET 2012 Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 208.115.236.82 1326949601.551727 3301
This log entry is a bit misleading. What happened is that the iptables command returned exit code 1 (judging from the log entry it could be interpreted as if it returned something else and 1 was expected, but that's not true). What is important to note is that you'll usually see multiple log entries like the previous one grouped together, and the only thing that will differ between them is the number after the colon (1 in the example above). What basically happens is that in case of an error returned by the iptables command the script tries to run it five times, so you'll usually see five records and each of those records is numbered.

There are two places where this error might occur. The first one is when the IP address is removed from the INPUT chain, while the other is when it is removed from the FORWARD chain.

The only reason this error can occur is that someone or something already removed the IP address (or added it). But this should not happen. Still, it happened to me and I don't know the reason for that.
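Because the five numbered retries are the signature of the failure described above, it is useful to pick them out of active-responses.log automatically rather than by eye. The following added example (my code, not OSSEC's) parses lines in the format shown earlier, groups the "Unable to run" retries by invocation (action, address, timestamp) and reports the invocations that exhausted all five attempts; the two sample log lines are constructed to mirror the post's examples, and the function names and the five-attempt threshold are my assumptions.

```python
import re
from collections import defaultdict

# Added example: parse OSSEC active-responses.log lines (format as in the post)
# and group the numbered "Unable to run" retries per firewall-drop.sh invocation.

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \w+ \d{4}) "
    r"(?:Unable to run \(iptables returning != 1\): (?P<attempt>\d+) - )?"
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<when>\S+) (?P<rule>\S+)$"
)


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attempt"] = int(rec["attempt"]) if rec["attempt"] else 0   # 0 = normal entry
    return rec


def summarize(lines, max_attempts: int = 5):
    """Split entries into successful invocations and retry groups.

    Returns (ok, failed, exhausted): ok is a list of invocation keys that logged
    normally; failed maps invocation key -> list of attempt numbers seen;
    exhausted is the subset of failed that reached max_attempts.
    """
    ok, failed = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["action"], rec["ip"], rec["when"])
        if rec["attempt"]:
            failed[key].append(rec["attempt"])
        else:
            ok.append(key)
    exhausted = {k: sorted(v) for k, v in failed.items() if len(v) >= max_attempts}
    return ok, dict(failed), exhausted


# Constructed sample log, modelled on the two entries quoted in the post.
SAMPLE_LOG = [
    "Thu Jan 19 13:52:29 CET 2012 /var/ossec/active-response/bin/firewall-drop.sh "
    "add - 193.41.36.141 1326977549.1358625 3301",
] + [
    f"Thu Jan 19 06:17:19 CET 2012 Unable to run (iptables returning != 1): {n} - "
    "/var/ossec/active-response/bin/firewall-drop.sh delete - 208.115.236.82 "
    "1326949601.551727 3301"
    for n in range(1, 6)
]

if __name__ == "__main__":
    ok, failed, exhausted = summarize(SAMPLE_LOG)
    print("normal invocations:", ok)
    for (action, ip, when), attempts in exhausted.items():
        print(f"{action} {ip} at {when}: iptables failed on attempts {attempts}")
```

An invocation that appears in exhausted is exactly the case the post describes: the rule was already absent (or present) when the script tried to delete (or add) it, so each of the five iptables calls exited with status 1.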

Looking into this script it was clear that it could be improved from the logging perspective. Currently, if you run this command manually from the command line, it will write part of the error messages to stdout and some others to the log file.

Manual control of scripts

Scripts for active response can be started from the server using the agent_control tool. Note that the help message of this tool isn't updated to reflect the real arguments (bug?), so I had to look into the source to infer how to call it. Let me give you several examples of its use.

To list all available agents, use the command in the following way:
# ./agent_control -l
   ID: 000, Name: agent0.somedomain.local (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1.somedomain.local, IP: 192.168.1.2, Active
   ID: 002, Name: agent2.somedomain.local, IP: 192.168.1.3, Active
   ID: 003, Name: agent3.somedomain.local, IP: 192.168.1.4, Disconnected
The output of the command is a list of known agents, either active or non-active. In case you want only active agents, use the -lc option instead.

Next, if you want to find out some information about a certain agent, you can query it in the following way:
# ./agent_control -i 002

OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: agent2.somedomain.local
   IP address: 192.168.1.3
   Status:     Active

   Operating system:    Linux agent2.somedomain.local 2.6.32-131.17.1.el6.x86_64..
   Client version:      OSSEC HIDS v2.5-SNP-100907
   Last keep alive:     Thu Jan 19 13:26:01 2012

   Syscheck last started  at: Thu Jan 19 12:10:16 2012
   Rootcheck last started at: Thu Jan 19 06:33:06 2012
To activate active response on a certain agent, use the following form of the agent_control command:
./agent_control -b 1.1.1.1 -f firewall-drop600 -u 002
Here, the IP address to be blocked is the argument of the -b option (in this case 1.1.1.1). There can be several responses available (defined in ossec.conf on the server), and the -f option selects which one to run. To see which responses are available use the -L option, like this:
# ./agent_control -L

OSSEC HIDS agent_control. Available active responses:

   Response name: host-deny600, command: host-deny.sh
   Response name: firewall-drop600, command: firewall-drop.sh
The agent on which this command should initiate the active response is specified via its ID, given as the parameter of the -u option. Note that, if you look at the help output of agent_control, this option is not listed, at least not in version 2.6.0. There is a bit of inconsistency here, as some commands take the agent ID as their own parameter, while this one requires a separate option. It would be more uniform if all commands used the -u option instead.

Note that when you initiate an active response manually, the fourth argument passed to the script will be '(from_the_server)' and the fifth will be '(no_rule_id)', in place of the alert ID and rule ID an alert-triggered response would carry.

Also, a block added this way cannot be removed with agent_control; you have to wait for it to time out, at which point it is removed automatically.
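As an added example (not one of OSSEC's own active-response scripts), here is a minimal script in the style of firewall-drop.sh that shows what such a script receives when it is started manually from agent_control, together with the two checks I would want in it: the third argument is validated as a plain IPv4 address before it is put into a root-run iptables command, and a failed add or delete is reported instead of silently ignored. It assumes the calling convention of the stock scripts (action, user, source IP, alert ID, rule ID); the LOG path default and the IPT variable for dry runs are my additions.

```shell
#!/bin/sh
# Added example, not one of OSSEC's stock active-response scripts.
# Assumed calling convention (the same one the stock scripts use):
#   $0 add|delete <user> <srcip> <alert-id> <rule-id>
# A manual run from agent_control passes '(from_the_server)' and
# '(no_rule_id)' as the last two arguments. Set IPT=echo for a dry run.
LOG="${LOG:-/var/ossec/logs/active-responses.log}"

# Accept only a plain dotted-quad IPv4 address. The value was extracted from
# a log line the remote side wrote, and it ends up in a command run as root.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build and run the firewall command for one action.
# Returns 2 for a bad address, 3 for an unknown action and 4 when iptables
# itself failed (e.g. a delete for a rule that is no longer there), so the
# caller can log the failure instead of assuming the block was removed.
firewall_rule() {
    action=$1 ip=$3           # $2 (user) is not used by a firewall block
    valid_ipv4 "$ip" || return 2
    case "$action" in
        add)    ${IPT:-iptables} -I INPUT -s "$ip" -j DROP || return 4 ;;
        delete) ${IPT:-iptables} -D INPUT -s "$ip" -j DROP || return 4 ;;
        *)      return 3 ;;
    esac
}

# Entry point when OSSEC or agent_control starts the script
if [ $# -ge 3 ]; then
    echo "$(date) $0 $1 $2 $3 $4 $5" >> "$LOG"
    firewall_rule "$@" || echo "$(date) $0: action '$1' for '$3' failed (code $?)" >> "$LOG"
fi
```

Run it as `IPT=echo sh firewall-drop-checked.sh add - 192.0.2.7 '(from_the_server)' '(no_rule_id)'` to see the iptables command it would execute; the logged failure code is what tells you a block outlived its timeout.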

Tuesday, January 17, 2012

Interesting problem with OSSEC, active response and mail delivery...

We had a problem that manifested itself in such a way that mail messages didn't arrive from certain domains, or more specifically from certain mail servers. Furthermore, no clue was given in the mail log about what went wrong and, to make things worse, the logs of the remote mail server were inaccessible, so we couldn't see there what actually happened. Finally, the worst thing was that this happened sporadically. It turned out to be a consequence of a combination of circumstances and a bug in OSSEC's active response. This post explains what happened.

We changed our DNS domain several months ago; let me call the new domain newdomain.hr and the old one olddomain.hr. DNS was reconfigured so that it correctly handled requests for the new domain, but we had to keep the old domain because of some Web server. The old domain's zone was changed so that when someone asked for the mail exchanger of olddomain.hr it would receive the response mail.newdomain.hr. Finally, domain olddomain.hr was removed from the mail server. This was the first error, and now I think that it is better either to leave the old domain on the mail server or to not return any MX response at all! Actually, if you want to get rid of the old domain, it is best to remove it from the mail server and to make sure the DNS server doesn't return any mail exchanger for that domain. If you know how mail works, you'll know that changing the MX record of the old domain from mail.olddomain.hr to mail.newdomain.hr didn't change anything: sending servers still connect to the same host and still ask it to accept mail for olddomain.hr, which it no longer does.

Anyway, that's the part concerning mail. Now, about OSSEC. It has active response, i.e. it can block offending IP addresses for a certain amount of time, 10 minutes by default. One class of offending IP addresses is those that try to deliver mail messages for which our mail server would have to act as an open relay. Since the mail server is properly configured, it rejects those messages with 'Relay denied'. After the mail server rejects such a delivery attempt, OSSEC kicks in and blocks the offending IP address for 10 minutes.

This by itself wouldn't have been a problem, because the blocking rules are removed automatically after 10 minutes. But there is a bug in the removal script that manifested itself in the logs as follows (found on the agent in /var/ossec/logs/active-responses.log):
Unable to run (iptables returning != 1): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - 203.83.62.99 1326738019.2370422 3301
For some reason the removal of the IP address from the block list wasn't successful, and that basically meant that the source mail host stayed blocked indefinitely!

The majority of mail servers that generate such 'Relay denied' messages are truly spammers, and if some of them were blocked indefinitely that was actually good. But this particular source mail server is a very popular one with many users, serving many different domains, so when some other user tried to send an email that was legitimate and had a correct address, iptables blocked the connection and the mail couldn't be delivered. There was nothing in the logs of the destination mail server. The sending user didn't receive any response either, since the mail was temporarily put on hold (queued for retry) on the source server.

This particular problem was solved by completely removing the old domain. Now source mail servers won't even try to deliver mail for the old domain, and thus OSSEC won't block legitimate servers. Furthermore, the sending users immediately get a notification about the non-existent mail address.

Thursday, September 22, 2011

Implementing IF, AND, OR, etc. in iptables...

I saw that some people reached my blog while searching for OR, AND, IF and similar operators in iptables. These operators are indeed implemented within the subsystem, but not in the usual sense; that is, they are not so obvious. In other words, they are implicit in the way you write rules. But if you understand how that works, writing iptables rules becomes much easier.

Before continuing you have to understand how packets are processed by the netfilter/iptables framework. Firewall rules form a data-driven language, but actually the things are very simple. All packets traverse different parts of the Linux kernel. At certain points those packets are stopped (figuratively speaking) and a set of rules is "executed" that can alter, drop or pass the packet. If the packet is passed (or modified and passed) it goes on to other parts of the kernel, where potentially another set of rules is invoked.

The points where packets are "stopped" correspond to the built-in chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Each of these chains exists in one or more tables (filter, nat, mangle...), but I'll ignore the tables for the moment as they are not important for this post.

The set of rules at each point (chain) is added to or deleted from using the iptables command. The iptables command needs an argument that defines to which chain the rule is added. That argument is the option -A followed by the name of the chain. For example, to add something to the INPUT chain, you would write:
iptables -A INPUT ...
Ok, let us now start with a simple example: what if you want to do some processing on every packet that has source address 192.168.1.1, i.e.
if (src(ip) == 192.168.1.1) {
   do_something_with_packet;
}
To achieve that functionality, just write the rule as follows:
iptables -A INPUT -s 192.168.1.1 do_something_with_packet
The part do_something_with_packet I'll explain later; basically it is the target (given with -j) that does something useful with the packet matched by this rule.

Now, what if you want to add an additional constraint, e.g. that the destination address is 192.168.1.2, i.e.

if (src(ip) == 192.168.1.1 and dst(ip) == 192.168.1.2) {
   do_something_with_packet;
}
Well, what you'll write is the following:
iptables -A INPUT -s 192.168.1.1 -d 192.168.1.2 do_something_with_packet
Easy, isn't it? All the constraints you wish to combine with the AND operator are simply written one after another in the same rule; the AND is implicit. Ok, now you may ask: but what if I want OR, what do I do then? For example, something like the following:

if (src(ip) == 192.168.1.1 or dst(ip) == 192.168.1.2) {
   do_something_with_packet;
}
Believe it or not, it's simple; write it like this:
iptables -A INPUT -s 192.168.1.1 do_something_with_packet
iptables -A INPUT -d 192.168.1.2 do_something_with_packet
I suppose you figured out that when you add rules one after the other they are combined with OR, while when you write constraints in a single rule they are combined with AND. Put differently, reading from left to right is AND, and from top to bottom is OR. One caveat: a packet with source 192.168.1.1 and destination 192.168.1.2 matches both rules, so if do_something_with_packet is a non-terminating target such as LOG or MARK it runs twice, while with a terminating target such as DROP or ACCEPT the first matching rule decides and the second is never reached. NOT is available too: prefix a match with ! (e.g. ! -s 192.168.1.1) to negate it.
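As an added example, not code from the original post, here is a small rule-building script that spells AND, OR and NOT out the way described above, and shows the one thing the "one rule per alternative" OR does not scale to: when two ORs are ANDed together they multiply out into one rule per combination, which is where a match such as multiport (OR over ports inside a single rule) earns its keep. The hosts, ports and the management network are assumed values from the documentation address ranges; each function takes the command to run, so passing echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example (not code from the original post): AND, OR and NOT written as
# iptables rules. Addresses are assumed values from the RFC 5737 documentation
# ranges. $1 is the command used to apply the rules; pass "echo" for a dry run.

BAD_HOSTS="192.0.2.10 192.0.2.11"    # OR over sources
ADMIN_PORTS="22 3389 5900"           # OR over destination ports

# (src == A or src == B) and (dport == 22 or dport == 3389 or dport == 5900) -> DROP
# Written only with "one rule per alternative", the two ORs multiply out:
# 2 sources x 3 ports = 6 rules.
block_expanded() {
    ipt="${1:-iptables}"
    for src in $BAD_HOSTS; do
        for port in $ADMIN_PORTS; do
            # left to right: AND; every additional rule: OR
            "$ipt" -A INPUT -s "$src" -p tcp --dport "$port" -j DROP
        done
    done
}

# The same policy with the port OR folded into one match (multiport):
# 2 rules instead of 6, and the rule set stays readable.
block_multiport() {
    ipt="${1:-iptables}"
    ports=$(echo $ADMIN_PORTS | tr ' ' ',')
    for src in $BAD_HOSTS; do
        "$ipt" -A INPUT -s "$src" -p tcp -m multiport --dports "$ports" -j DROP
    done
}

# NOT: "!" negates the single match that follows it.
# Here: drop SSH that does not come from the management network,
# i.e. (src != 198.51.100.0/24) and (dport == 22).
block_not_from_mgmt() {
    ipt="${1:-iptables}"
    "$ipt" -A INPUT ! -s 198.51.100.0/24 -p tcp --dport 22 -j DROP
}

# Number of rules a builder function would add (dry run through echo)
rule_count() { "$1" echo | grep -c -- '-A INPUT'; }

rule_count block_expanded    # 6
rule_count block_multiport   # 2
```

Replace `echo` with `iptables` (or run the functions with no argument) to apply the rules; reviewing the echoed list first is the cheapest check that your AND/OR reading of a rule set matches what the kernel will actually evaluate.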

Saturday, September 10, 2011

Implementing Turing machine using iptables...

Ok, today I decided that I'm going to try to implement a Turing machine using iptables. From the start it was obvious to me that I'd use a stream of IP packets as the tape. So, after reading a bit and thinking, I decided to implement this Turing machine. The reason I selected that particular one is that the tape always moves to the right, and that simplifies things a lot. More precisely, I decided to implement the example given in the linked Wikipedia article.

Now, the next problem, after deciding which Turing machine to implement, was where to keep the internal state of the Turing machine. For that part I found that I can have a mark value (a 32-bit number, i.e. the state) per connection. In other words, testing the current state is performed with the following match:

-m connmark --mark

and to set a new state I have to use:

-j CONNMARK --set-mark

It also means that the packets that make up a tape must belong to a single connection, i.e. a single TCP connection.

Also, I had to decide where to keep the content of a cell. There are different possibilities, but for now the simplest one is to use the packet mark (the MARK target). So, to test the value of a cell I use:

-m mark --mark

and to set it, I use

-j MARK --set-mark

The last bit is initialization, i.e. setting the initial state, and halting. To set the initial state I used the connection state tracking in iptables, i.e. the following rule:

-m state --state NEW -j CONNMARK --set-mark

Finally, to halt the machine, I set the connection mark to a special value for which no iptables rule will ever match again.

So, let me show the initial version of a shell script that makes this a bit "higher level". First, some initializations, i.e. tape and state definitions:

# Tape is a stream of IP packets belonging to a single TCP connection
TAPE="-s 192.168.0.1 -d 192.168.0.2 -p tcp --dport 80 --sport 10000"

# States, assigned arbitrary integer values (0 is left for "no state yet",
# the connection mark every new connection starts with)
STATE_A=1
STATE_B=2
STATE_C=3

# Halt state
HALT=4          # Halt state, no instruction will be executed in this state

# Tests when Turing machine is in a particular state (connection mark)
IN_STATE_A="-m connmark --mark $STATE_A"
IN_STATE_B="-m connmark --mark $STATE_B"
IN_STATE_C="-m connmark --mark $STATE_C"

# Actions to change the state of the Turing machine
SET_STATE_A="-j CONNMARK --set-mark $STATE_A"
SET_STATE_B="-j CONNMARK --set-mark $STATE_B"
SET_STATE_C="-j CONNMARK --set-mark $STATE_C"
SET_HALT="-j CONNMARK --set-mark $HALT"

Next, a few pseudo-instructions:

# Initialization: the first packet of the connection puts the machine in state A
INITIALIZE_STATE_A="-m state --state NEW -j CONNMARK --set-mark $STATE_A"

# Reading a symbol from the tape, i.e. the packet mark (the mark has to be put
# on the packet before it reaches this chain, e.g. in the mangle table)
READ_SYMBOL_0="-m mark --mark 0"
READ_SYMBOL_1="-m mark --mark 1"

# Writing a symbol to the tape, i.e. setting the packet mark
WRITE_SYMBOL_0="-j MARK --set-mark 0"
WRITE_SYMBOL_1="-j MARK --set-mark 1"

# Short-hand "pseudo-instruction" to add an instruction to the Turing machine
ADD_TURING_INSTRUCTION="iptables -A INPUT $TAPE"

# One instruction needs two targets (write symbol, set state), i.e. two rules.
# They go into their own chain that ends with ACCEPT, so that both rules see
# the original (state, symbol) pair and the packet is not matched again by
# the rules of the state it has just moved to.
# Usage: turing_instruction NAME STATE_TEST SYMBOL_TEST WRITE_ACTION STATE_ACTION
turing_instruction() {
    iptables -N "$1"
    $ADD_TURING_INSTRUCTION $2 $3 -j "$1"
    iptables -A "$1" $4
    iptables -A "$1" $5
    iptables -A "$1" -j ACCEPT
}

Finally, all the instructions:

# If in state A and symbol 0 was read, write symbol 1 and go to state B
turing_instruction A0 "$IN_STATE_A" "$READ_SYMBOL_0" "$WRITE_SYMBOL_1" "$SET_STATE_B"

# If in state A and symbol 1 was read, write symbol 1 and go to state C
turing_instruction A1 "$IN_STATE_A" "$READ_SYMBOL_1" "$WRITE_SYMBOL_1" "$SET_STATE_C"

# If in state B and symbol 0 was read, write symbol 1 and go to state A
turing_instruction B0 "$IN_STATE_B" "$READ_SYMBOL_0" "$WRITE_SYMBOL_1" "$SET_STATE_A"

# If in state B and symbol 1 was read, write symbol 1 and stay in state B
turing_instruction B1 "$IN_STATE_B" "$READ_SYMBOL_1" "$WRITE_SYMBOL_1" "$SET_STATE_B"

# If in state C and symbol 0 was read, write symbol 1 and go to state B
turing_instruction C0 "$IN_STATE_C" "$READ_SYMBOL_0" "$WRITE_SYMBOL_1" "$SET_STATE_B"

# If in state C and symbol 1 was read, write symbol 1 and halt
turing_instruction C1 "$IN_STATE_C" "$READ_SYMBOL_1" "$WRITE_SYMBOL_1" "$SET_HALT"

# Initialize Turing machine: this rule comes last, so it only catches the first
# packet, whose connection mark is still 0 and matches none of the states above
$ADD_TURING_INSTRUCTION $INITIALIZE_STATE_A

Note that I have to use two iptables rules to implement writing a symbol and transitioning to a new state, because a rule can have only one target. There is a catch in that: the first rule changes the packet mark, so the second rule must not re-test the symbol that has just been overwritten, and once the state has changed the same packet must not fall through to the rules of the new state. Grouping the two rules of an instruction in their own chain that ends with ACCEPT avoids both problems. Certainly, all of it could be hidden by making those variables and pseudo-instructions fancier, but for now this will do...

This particular Turing machine didn't require me to have a transition to a new state without moving the tape. But there is a solution for this too. All rules have to be placed in a single user-defined chain, and then, when no tape movement is required, just use -g (iptables' goto target) to start all the rules from the beginning. In effect, all the rules will be executed again on the same packet, which means on the same cell. So elegant, isn't it? :)

Friday, March 18, 2011

Implementing if statement in iptables

It just occurred to me that user-defined chains in iptables are actually the equivalent of an if statement. Namely, if you need to do something like the following:

if (packet meets certain criteria) {
    ...
}

then you'll actually do it so that anything between the curly braces is placed in a user-defined chain, while the test whether the packet meets certain criteria is the iptables rule that uses -j to jump to that user-defined chain.

Furthermore, the -j switch is actually the jump statement in iptables (more precisely a call, since the chain returns to the caller when it reaches its end or hits RETURN; the real goto is -g). :)

Maybe this isn't something new to you, but for me it was a revelation. Now, to try to make a Turing machine using iptables...

But more seriously, using user-defined chains improves the readability, reusability and performance of an iptables rule set.
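As an added example, not code from the original post, here is the if/else pattern written with a user-defined chain: the condition is the rule that jumps, the body of the if is the chain, and the else branch is simply the rules after the jump, which only run when the chain returns without a verdict. The network, ports and chain name are assumed values; the function takes the command to run, so passing echo gives a dry run that prints the rules.

```shell
#!/bin/sh
# Added example (not code from the original post): an if/else written with a
# user-defined chain. Addresses are assumed values from the RFC 5737 ranges.
# $1 is the command used to apply the rules; pass "echo" for a dry run.
#
#   if (src in 192.0.2.0/24) {               # -j lan_policy
#       if (dport == 22 or dport == 80) ACCEPT
#       else RETURN                          # leave the braces
#   }
#   LOG; DROP                                # the "else": reached only when
#                                            # lan_policy returns
build_if_else() {
    ipt="${1:-iptables}"
    "$ipt" -N lan_policy
    # The condition. -j so that a RETURN comes back here and continues below;
    # with -g (goto) a RETURN would instead end traversal of INPUT and the
    # chain policy would decide.
    "$ipt" -A INPUT -s 192.0.2.0/24 -j lan_policy
    # The body of the if: OR over ports folded into one multiport match
    "$ipt" -A lan_policy -p tcp -m multiport --dports 22,80 -j ACCEPT
    "$ipt" -A lan_policy -j RETURN          # explicit; falling off the end does the same
    # The else branch: everything that got no verdict inside lan_policy
    "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-denied: "
    "$ipt" -A INPUT -j DROP
}

# Number of rules the dry run adds to a given chain
rules_in() { build_if_else echo | grep -c -- "-A $1 "; }

rules_in INPUT        # 3
rules_in lan_policy   # 2
```

Run `build_if_else` with no argument to apply the rules; the dry run is also a convenient way to check that a chain you intend as an if body really returns for the packets you expect the else branch to handle.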

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)
