LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-20-2017, 05:19 AM   #1
Novi
LQ Newbie
 
Registered: May 2013
Posts: 19

iptables rule with with random time variable argument.


Hello all.

I am looking for long time iptables rule satisfying the following conditions.
Assuming, we have a pool of users (from: --uid owner 100, until: -- uid owner 200)
Our iptables rule:
Code:
iptables -t filter -A OUTPUT -m owner --uid-owner 100 -j REJECT
Question: How to randomly change an argument
Code:
--uid-owner
every 5 minutes?

Regards.
Mark
 
Old 03-20-2017, 06:05 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

You can delete a specific rule number using -D and then correspondingly -I can insert it before a specific rule number.

Code:
iptables -L INPUT --line-numbers

iptables -I INPUT 4 -p TCP --dport 22 -m state --state NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT
iptables -L INPUT --line-numbers

iptables -D INPUT 4
iptables -L INPUT --line-numbers
If that's too tricky, you can use a comment to tag it and then kill it with grep.

Code:
iptables -L INPUT --line-numbers

iptables -I INPUT 4 -p TCP --dport 22 -m state --state NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT -m comment --comment "foo bar"

iptables-save | grep -v -- '--comment "foo bar"' | iptables-restore

iptables -L INPUT --line-numbers
About the UID, if you are using bash, you can use modulo to get 0 to 99 and then add 100:

Code:
echo $(($RANDOM % 100 + 100))
That should give you 100 through 199.

Last edited by Turbocapitalist; 03-20-2017 at 06:09 AM.
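The "tag it with a comment and kill it with grep" approach above is the part a cron job actually needs, and a bare `grep -v` on the comment has one catch: iptables-save writes the comment quoted (`"foo bar"`) when it contains spaces and bare (`foo`) otherwise, and a substring match would also remove a rule tagged `"foo bar 2"`. The following is an added example, not code from the thread; the rules in `SAMPLE_DUMP` are constructed for it and the function name `strip_tagged_rules` is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: drop every rule carrying a given
# "-m comment --comment TAG" from an iptables-save dump, so a cron job can
# remove the rule it planted last time without looking up its line number.
# On a live system (as root):
#   iptables-save | strip_tagged_rules "foo bar" | iptables-restore

# Read an iptables-save dump on stdin and write it back without the rules
# tagged $1. Both the quoted and the bare form of the comment are matched as
# a whole token (trailing space appended), so asking for "foo bar" leaves a
# rule tagged "foo bar 2" alone.
strip_tagged_rules() {
    awk -v tag="$1" '
        {
            line   = $0 " "                     # the token must end here
            quoted = "--comment \"" tag "\" "
            bare   = "--comment " tag " "
            if (index(line, quoted) || index(line, bare)) next
            print
        }'
}

# Constructed sample dump (the rules are made up for this example).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 4/min --limit-burst 5 -m comment --comment "foo bar" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "foo bar 2" -j ACCEPT
-A OUTPUT -m owner --uid-owner 142 -m comment --comment "foo bar" -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m comment --comment keepalive -j ACCEPT
COMMIT'

# Number of rules (-A lines) left after stripping tag $1 from the sample dump.
rules_left_after_strip() {
    printf '%s\n' "$SAMPLE_DUMP" | strip_tagged_rules "$1" | grep -c '^-A'
}

# Show the sample dump with the two "foo bar" rules removed.
printf '%s\n' "$SAMPLE_DUMP" | strip_tagged_rules "foo bar"
```

Two things to keep in mind on a live box: `iptables-restore` without `--noflush` replaces the whole ruleset, so anything another process added between the save and the restore is lost, and packet counters are reset unless you use `-c` on both `iptables-save` and `iptables-restore`.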
 
Old 03-22-2017, 04:10 AM   #3
Novi
LQ Newbie
 
Registered: May 2013
Posts: 19

Original Poster
@Turbocapitalist
I am afraid I presented my position in an insufficient way.
Briefly, the idea is to REJECT all traffic in the OUTPUT chain for a random user, and change the user every 5 minutes.
In other words, the iptables rule:
Code:
iptables -t filter -A OUTPUT -m owner --uid-owner 100 -j REJECT
will REJECT (for one random user) all traffic in the OUTPUT chain for 5 minutes. No Internet connection.
Everyone else will enjoy an Internet connection; every 5 minutes a different (random) user will be discriminated against.
 
Old 03-22-2017, 04:15 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

No problem. You can adapt the above methods for the OUTPUT chain as well. The substitution is simple. It's up to you though, unless you are stuck with something specific.

As far as doing it every 5 minutes, you'd use cron for that and I'd recommend wrapping everything in a script and calling the script. See

Code:
man crontab
man 5 crontab
 
Old 03-22-2017, 07:45 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Or do it the modern way with systemd timers.

In any case, remember that "a script" can be written in any programming language, thanks to the #!shebang feature of the shell. You can therefore use Perl or PHP or Ruby or any other language of your choice to write a small program to issue the new iptables rules. It would randomly pick a number between 1 and 100, flush the existing rules and insert new ones that banished that number.

It would take a little more work, but it could be done, to parse the output of the ps command to determine which UIDs within that range are presently logged in, and to randomly pick one of them to be stoned to death. Otherwise, the odds will be "only one in a hundred" that any of them would actually feel the pain. And, I presume from your description that you do want someone to feel the axe every five minutes.

Last edited by sundialsvcs; 03-22-2017 at 07:49 AM.
 
Old 03-23-2017, 04:50 AM   #6
Novi
LQ Newbie
 
Registered: May 2013
Posts: 19

Original Poster
Meanwhile I am studying the best iptables tutorials online:
- http://www.iptables.info/en/iptables-contents.html
and
- iptables module list 2016: https://programming-review.com/list-...ables-modules/
Crontab or systemd timers could be one way to do that, but I was thinking about a time-based or statistics-based iptables rule.
 
Old 03-23-2017, 05:16 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by Novi
but I was thinking about time based or statistic based iptables rule.
You could do that but it wouldn't really be able to rotate between UIDs. In order to remove a UID from being blocked, you'd have to remove that iptables rule. In order to block a different UID, you'd have to create a new rule for just that UID. iptables doesn't accept variables in that regard.

If you are using bash, you can use its built-in random variable $RANDOM:

Code:
unhappy=$(id -u $(who | awk -v r=$RANDOM '$1 != "root" { a[$1]; } END { for ( i in a ) { count++; b[count] = i}; print b[r % count +1]; }' ) ); 

echo $unhappy

iptables -I OUTPUT 1 -m owner --uid-owner $unhappy -j REJECT -m comment --comment "xyzzy"
 
Old 03-23-2017, 07:37 AM   #8
Novi
LQ Newbie
 
Registered: May 2013
Posts: 19

Original Poster
What do you think about this?
First:
Code:
apt-get install ipt_statistic
Next:
Code:
iptables -t filter -A OUTPUT -m owner --uid-owner 100 -m statistic --mode random --probability 0.50 -j DROP
and rotate it with crontab every 5 minutes?
If I could ask you for a favor, please improve my suggestion.
Another solution:
http://www.how2install.net/index.php...subuntudebian/

Last edited by Novi; 03-23-2017 at 08:07 AM.
 
Old 03-23-2017, 08:11 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

There's not much modification needed. Take into account the earlier posts:

Code:
iptables -I OUTPUT 1 -m owner --uid-owner $unhappy -m statistic --mode random --probability 0.50 -j DROP -m comment --comment "grief"

Then run a script every five minutes from your cron job. In that script delete the old rule and then pick some unhappy UID and afflict it with a new rule.

The reason for starting with -I OUTPUT 1 is so that the rule lands at the top of the chain and no other rules can allow the packet to pass.

Also, do you want them to just time out after an unnecessary wait? If so then stick with DROP. Do you want them to know immediately that the packet was rejected? If so, then use REJECT.
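Posts #7 and #9 give the pieces (pick a logged-in UID with `who` and awk, insert a tagged `-m owner` rule at position 1, run it from cron every five minutes); put together as one script they look like the following. This is an added example, not Turbocapitalist's or the thread's code. It differs from the one-liner in #7 in two ways worth noting: it fails cleanly when nobody from the pool is logged in (the awk one-liner divides by zero there), and it remembers the afflicted UID in a state file so the next run can delete exactly the rule it added with the same match text, whatever line number it has drifted to. The UID range 100-200 comes from the first post; the tag `grief` and `-m statistic --probability 0.50 -j DROP` come from #9; the state-file path, the script path in the cron line, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the five-minute rotation job assembled
# from the pieces in posts #7 and #9. Each run deletes the rule it installed
# last time (the afflicted UID is kept in a state file), picks a random
# non-root UID from the pool that is logged in right now, and inserts a fresh
# rule at the top of OUTPUT. UID range, tag, state-file path and the cron line
# are assumptions. Cron entry, every five minutes, as root:
#   */5 * * * * /usr/local/sbin/rotate-unhappy.sh --run

UID_MIN=100
UID_MAX=200
TAG="grief"
STATE_FILE="${STATE_FILE:-/run/rotate-unhappy.uid}"
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo prints the commands instead

# Print the distinct UIDs within the pool that are logged in right now.
# $1 is `who` output, $2 a passwd file; both are parameters so the logic
# can be exercised offline against constructed input.
logged_in_pool_uids() {
    printf '%s\n' "$1" | awk -v min="$UID_MIN" -v max="$UID_MAX" '
        NR == FNR { split($0, f, ":"); uid[f[1]] = f[3]; next }   # passwd: name -> uid
        ($1 in uid) && !seen[$1]++ {                              # who: one line per login
            u = uid[$1] + 0                                       # force numeric compare
            if (u >= min + 0 && u <= max + 0) print u
        }
    ' "$2" -
}

# Pick one line of stdin using the draw in $1 (0..65535). An empty list
# fails instead of dividing by zero as the one-liner in the thread would.
pick_one() {
    awk -v r="$1" '{ b[NR] = $0 } END { if (NR == 0) exit 1; print b[r % NR + 1] }'
}

# Two random bytes from the kernel; works in any POSIX shell, not only bash.
random_draw() {
    od -An -N2 -tu2 /dev/urandom | tr -d ' \n'
}

# The match/target part of the rule. Insert and delete use the same text,
# so -D removes exactly the rule -I added, whatever its line number is now.
rule_spec() {
    printf '%s' "-m owner --uid-owner $1 -m statistic --mode random --probability 0.50 -m comment --comment $TAG -j DROP"
}

# One round: $1 who output, $2 passwd file, $3 draw; all default to the live system.
rotate() {
    who_text=${1:-$(who)}
    passwd=${2:-/etc/passwd}
    draw=${3:-$(random_draw)}

    # Undo the previous round first, so at most one UID is ever afflicted.
    if [ -r "$STATE_FILE" ]; then
        old=$(cat "$STATE_FILE")
        # word splitting of rule_spec output is intended
        $IPTABLES -D OUTPUT $(rule_spec "$old") || true
        rm -f "$STATE_FILE"
    fi

    new=$(logged_in_pool_uids "$who_text" "$passwd" | pick_one "$draw") || {
        echo "rotate: nobody from the pool is logged in, nothing to do" >&2
        return 0
    }
    $IPTABLES -I OUTPUT 1 $(rule_spec "$new") && printf '%s\n' "$new" > "$STATE_FILE"
}

# Constructed sample input for a dry run: five accounts, two of them in the
# pool and logged in (alice twice, bob once); carol is not logged in and
# dave is outside the pool.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:100:100:Alice A,,,:/home/alice:/bin/bash
bob:x:150:150::/home/bob:/bin/bash
carol:x:200:200::/home/carol:/bin/bash
dave:x:1000:1000::/home/dave:/bin/bash'
SAMPLE_WHO='root     tty1         2017-03-23 07:50
alice    pts/0        2017-03-23 08:01 (10.0.0.5)
bob      pts/1        2017-03-23 08:03 (10.0.0.6)
alice    pts/2        2017-03-23 08:05 (10.0.0.5)
dave     pts/3        2017-03-23 08:07 (10.0.0.7)'

# Dry run against the sample: prints the iptables commands two rounds would issue.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    (
        IPTABLES=echo
        STATE_FILE="$tmp.state"
        rotate "$SAMPLE_WHO" "$tmp" 0      # afflicts alice (UID 100)
        rotate "$SAMPLE_WHO" "$tmp" 1      # removes 100, afflicts bob (UID 150)
        rm -f "$STATE_FILE"
    )
    rm -f "$tmp"
}

case "${1:-}" in
    --run)  rotate ;;
    --demo) demo ;;
esac
```

Run `sh rotate-unhappy.sh --demo` to see the commands without touching the firewall; `--run` needs root. As in post #9, the rule lands at position 1 so nothing earlier in OUTPUT can accept the packet, and with `--probability 0.50` only half of the user's packets are dropped; drop the `-m statistic` part for a full block, or swap DROP for REJECT if the user should fail fast instead of timing out.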
 
Old 03-26-2017, 11:34 AM   #10
Novi
LQ Newbie
 
Registered: May 2013
Posts: 19

Original Poster
To simplify the problem I replaced --uid-owner with IP address.

The question: How to achieve a random public address with an iptables rule?

My idea, as last iptables firewall rule:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.254 (Pool of addresses 1.2.3.4-1.2.3.254)

rotating every 5 minutes:
*/5 * * * * /home/mark/firewall.sh

Question, what is better solution?
a\ - Pool of addresses 1.2.3.4-1.2.3.254
b\ - 1.2.3.4/24
c\ - iprange --src-range 1.2.3.4-1.2.3.254

Which is the right answer?
Kind regards.
Mark
 
  

