LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 03-01-2013, 04:35 PM   #1
hogdogity
LQ Newbie
 
Registered: May 2010
Posts: 5

Rep: Reputation: 0
Question IPTables for a blackhole


Im looking for an IPTables aficionado who can help me here.

Here is the situation. I have a host with two IP addresses. One is management, the other is the blackhole.

The blackhole:
When we have a know-bad destination address (botnet, callout, etc) and we want to know all the sources attempting to use it, we set a company wide route to force traffic to be "next hop" to be the balckhole IP. I have snort sitting on that interface and snort tells me who the sources are that try to callout. So the source tries to go to 123.123.123.123 (bad) but instead gets routed to 10.10.10.5 (blackhole with snort). No biggie.

If you are tempted to say "Why not monitor your egress, FW, etc - that seems like overkill!?" Just trust me, this is the only way to capture all the sources given the very disparate network that we have. Lots of egress. The blackhole route eliminates multiple local egresses and forces everyone to my central IP.

So here is my request. Because the traffic destined towards the balckhole is likely malicious - I am paranoid. I want to put in an IPtables rule to ensure that my blackhole IP is fully passive - it does not respond. But I DO need it to reply to ARPs so that the switch sees the blackhole IP as alive and continues make it routable (and possibly ICMP for convenience/heath checks)

So Can I put in a rule that basically allows everything IN to the interface, but only allows ARPs (or maybe just all layer two stuff?) out? If possible Arps and ICMP to specific set of destinations?

Is that all crazy?

Thank you! Checks in the mail.
 
Old 03-01-2013, 05:12 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,565

Rep: Reputation: 410Reputation: 410Reputation: 410Reputation: 410Reputation: 410
Maybe i'm missing somethign here but if you want to allow arp and icmp why not just drop all tcp/udp on outbound.

Code:
/sbin/iptables -A OUTPUT -p tcp -j DROP
/sbin/iptables -A OUTPUT -p udp -j DROP

That seems way to easy maybe I'm overlooking something if I am let me know and I can give you something more specific.
 
1 members found this post helpful.
Old 03-01-2013, 05:19 PM   #3
hogdogity
LQ Newbie
 
Registered: May 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks Kustom42 - that may be all I need. I would need to specify only the blackhole interface, but yes that might be all.
I do not know IPtables, so if it is just that simple - awesome.
 
Old 03-01-2013, 05:30 PM   #4
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,565

Rep: Reputation: 410Reputation: 410Reputation: 410Reputation: 410Reputation: 410
Yes, just use the -i option to specify the interface.

Read over: http://www.cyberciti.biz/tips/linux-...allow-ssh.html


It talks about locking down the entire system except for incoming ssh connections and outbound ssh traffic on an already established connection.
 
1 members found this post helpful.
Old 03-01-2013, 05:41 PM   #5
hogdogity
LQ Newbie
 
Registered: May 2010
Posts: 5

Original Poster
Rep: Reputation: 0
That is perfect. Thanks. +rep.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
simulating blackhole attack in ns-29 mnazanin Linux - Newbie 2 12-15-2011 10:42 PM
Blackhole attack Vaishali4 Linux - Security 2 10-10-2011 10:13 AM
Exim :blackhole: help needed AndeAnderson Linux - General 0 03-09-2007 10:56 AM
blackhole list vs spamassassin msound Linux - Software 6 09-06-2005 04:35 AM
blackhole spam control ram_dhupkar Linux - General 1 08-27-2003 12:13 PM


All times are GMT -5. The time now is 05:00 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration