iptables rule with random time variable argument.
Hello all.
I have been looking for a long time for an iptables rule satisfying the following conditions.
Assuming we have a pool of users (from --uid-owner 100 until --uid-owner 200).
Our iptables rule:
@Turbocapitalist
I am afraid I presented my position in an insufficient way.
Briefly, the idea is to REJECT all traffic in the OUTPUT chain for a random user, and change the user every 5 minutes.
In other words, the iptables rule:
will REJECT (for one random user) all traffic in the OUTPUT chain for 5 minutes. No Internet connection.
Everyone else will enjoy an Internet connection; every 5 minutes a different (random) user will be discriminated against.
No problem. You can adapt the above methods for the OUTPUT chain as well. The substitution is simple. It's up to you though, unless you are stuck with something specific.
As far as doing it every 5 minutes, you'd use cron for that and I'd recommend wrapping everything in a script and calling the script. See
In any case, remember that "a script" can be written in any programming language, thanks to the #!shebang feature of the shell. You can therefore use Perl or PHP or Ruby or any other language of your choice to write a small program to issue the new iptables rules. It would randomly pick a number between 1 and 100, flush the existing rules and insert new ones that banished that number.
It would take a little more work, but it could be done, to parse the output of the ps command to determine which UIDs within that range are presently logged in, and to randomly pick one of them to be stoned to death. Otherwise, the odds will be "only one in a hundred" that any of them would actually feel the pain. And, I presume from your description that you do want someone to feel the axe every five minutes.
Last edited by sundialsvcs; 03-22-2017 at 07:49 AM.
But I was thinking about a time-based or statistic-based iptables rule.
You could do that but it wouldn't really be able to rotate between UIDs. In order to remove a UID from being blocked, you'd have to remove that iptables rule. In order to block a different UID, you'd have to create a new rule for just that UID. iptables doesn't accept variables in that regard.
If you are using bash, you can use its built-in random variable $RANDOM:
Code:
# pick one logged-in, non-root user name at random; print nothing when nobody is logged in (avoids r % 0)
unhappy=$(who | awk -v r=$RANDOM '$1 != "root" { a[$1]; } END { for ( i in a ) { count++; b[count] = i }; if (count) print b[r % count + 1]; }')
# only map name to UID when we have one: a bare "id -u" would return the caller's own UID (root under cron)
[ -n "$unhappy" ] && unhappy=$(id -u "$unhappy")
echo "$unhappy"
[ -n "$unhappy" ] && iptables -I OUTPUT 1 -m owner --uid-owner "$unhappy" -j REJECT -m comment --comment "xyzzy"
There's not much modification needed. Take into account the earlier posts:
Code:
iptables -I OUTPUT 1 -m owner --uid-owner $unhappy -m statistic --mode random --probability 0.50 -j DROP -m comment --comment "grief"
Then run a script every five minutes from your cron job. In that script delete the old rule and then pick some unhappy UID and afflict it with a new rule.
The reason for starting with -I OUTPUT 1 is so that the rule lands at the top of the chain and no other rules can allow the packet to pass.
Also, do you want them to just time out after an unnecessary wait? If so then stick with DROP. Do you want them to know immediately that the packet was rejected? If so, then use REJECT.
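As an added example (not code posted in this thread), here is the five-minute cron script described above in one place: it records the afflicted UID in a state file so the previous rule can be deleted with the exact same spec, restricts the pick to logged-in UIDs in the 100-200 range, and skips the pick (rather than letting awk divide by zero) when nobody in that range is logged in. The state file path, UID_MIN/UID_MAX variables and the reuse of the "xyzzy" comment as a marker are assumptions.

```bash
#!/bin/bash
# rotate-unhappy.sh (constructed example): run from cron every five minutes.
# Removes the REJECT rule added by the previous run (the UID is recorded in
# STATE_FILE), then picks one random logged-in UID within [UID_MIN, UID_MAX]
# and inserts a new REJECT rule at the top of OUTPUT. DRY_RUN=1 prints the
# iptables commands instead of executing them.
UID_MIN="${UID_MIN:-100}"
UID_MAX="${UID_MAX:-200}"
STATE_FILE="${STATE_FILE:-/run/unhappy-uid}"   # assumed location
TAG="xyzzy"   # -m comment marker, as in the rule above

run_iptables() { ${DRY_RUN:+echo} iptables "$@"; }

# Numeric UIDs of everyone in `who` output, one per line, deduplicated.
logged_in_uids() {
  who | awk '{ print $1 }' | sort -u | while read -r user; do
    id -u "$user" 2>/dev/null
  done
}

# pick_victim LIST SEED: print one UID from newline-separated LIST that lies
# within [UID_MIN, UID_MAX], chosen by SEED modulo the candidate count.
# Returns 1 (prints nothing) when no UID qualifies, instead of dividing by zero.
pick_victim() {
  printf '%s\n' "$1" | awk -v r="$2" -v lo="$UID_MIN" -v hi="$UID_MAX" '
    $1 ~ /^[0-9]+$/ && $1 >= lo && $1 <= hi { c++; b[c] = $1 }
    END { if (c > 0) print b[(r % c) + 1]; else exit 1 }'
}

# rotate [LIST]: one cron tick. LIST defaults to the logged-in UIDs. The old
# rule is deleted before a new victim is picked, so rules never pile up and
# nobody stays blocked when there is no one eligible.
rotate() {
  old=""; list="${1:-$(logged_in_uids)}"
  if [ -s "$STATE_FILE" ]; then
    read -r old < "$STATE_FILE"
    run_iptables -D OUTPUT -m owner --uid-owner "$old" -m comment --comment "$TAG" -j REJECT
    : > "$STATE_FILE"
  fi
  # $RANDOM is bash-specific; fall back to /dev/urandom under plain sh.
  new=$(pick_victim "$list" "${RANDOM:-$(od -An -N2 -tu2 /dev/urandom)}") || return 0
  run_iptables -I OUTPUT 1 -m owner --uid-owner "$new" -m comment --comment "$TAG" -j REJECT
  printf '%s\n' "$new" > "$STATE_FILE"
}
```

A crontab line such as `*/5 * * * * root /usr/local/sbin/rotate-unhappy.sh` (path assumed) calls `rotate` once per tick; the delete and insert use identical match order so `-D` finds the rule `-I` created.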