know-how:firewall



FIXME

Features

Prerequisites

  • Minimal requirements with update-ipsets.tar: iprange is needed in any case
  • For /usr/share/netfilter-persistent/plugins.d# iptables-scripts.zip, delete the original modules
  • dnsmasq for updating the domain/hostname-based IP sets
  • e.g. on Debian Stretch:
apt-get install ipset netfilter-persistent iptables iptables-persistent dnsmasq

Customisations

Directories and files

  • Basic layout
root@mrBox-x:/etc/iptables# ls -al /etc/iptables/
total 60
drwxr-x---  5 root root 4096 Sep 29 11:42 .
drwxr-xr-x 91 root root 4096 Nov 22 10:08 ..
drwxr-x---  2 root root 4096 Dec  8  2017 ipset-dns.v4
drwxr-x---  2 root root 4096 Sep 29 11:15 ipset-ips.v4
drwxr-x---  2 root root 4096 Sep 29 11:28 ipset-networks.v4
-rw-r-----  1 root root 9291 Sep 29 11:42 rules-new.v4
-rw-r-----  1 root root 6353 Dec  8  2017 rules-new.v6
-rw-r-----  1 root root 9291 Sep 29 11:43 rules.v4
-rw-r-----  1 root root 6353 Dec  8  2017 rules.v6


root@mrBox-x:~# ls -al /usr/share/netfilter-persistent/plugins.d/
total 16
drwxr-xr-x 2 root root 4096 Nov 22 10:19 .
drwxr-xr-x 3 root root 4096 Mar 24  2016 ..
-rwx------ 1 root root 3902 Sep 29 11:31 40-ip4tables
-rwx------ 1 root root 2078 Mar 18  2017 60-ip6tables


root@mrBox-x:~# ls -al /usr/local/sbin/update-ipsets/
total 324
drwxr-sr-x 2 root staff   4096 Sep 29 11:29 .
drwxrwsr-x 3 root staff   4096 Sep 29 11:26 ..
-rw-r--r-- 1 root staff      70 May  2  2018 commands.txt
-rw-r--r-- 1 root staff    2095 May  2  2018 functions.common
-rw-r--r-- 1 root staff    2346 May  2  2018 install.config
-rwxr--r-- 1 root staff  310196 May  2  2018 update-ipsets.sh


root@mrBox-x:/etc/cron.d# cat update-ipset 
SHELL=/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

*/15 * * * * root /usr/local/sbin/update-ipsets/update-ipsets.sh --silent &> /dev/null

  • Firewall IPv4 example FIXME:
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*raw
:PREROUTING ACCEPT [60:6158]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -s 10.0.0.0/8 -j RETURN
-A PREROUTING -i eth0 -s 192.168.0.0/16 -j RETURN
-A PREROUTING -i eth0 -s 172.16.0.0/12 -j RETURN
-A PREROUTING -i eth0 -m set --match-set firehol_level1 src -m limit --limit 5/sec -j LOG --log-prefix "fw firehol_level1 DROP: " --log-level 7
-A PREROUTING -i eth0 -m set --match-set firehol_level1 src -j DROP
-A PREROUTING -i eth0 -m set --match-set firehol_level2 src -m limit --limit 5/sec -j LOG --log-prefix "fw firehol_level2 DROP: " --log-level 7
-A PREROUTING -i eth0 -m set --match-set firehol_level2 src -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [1:84]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p udp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "fw DNS REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p udp --dport 53 -j REDIRECT --to 53
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 53 -m limit --limit 5/sec -j LOG --log-prefix "fw DNS REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 53 -j REDIRECT --to 53
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 80 -m limit --limit 5/sec -j LOG --log-prefix "fw HTTP REDIRECT: " --log-level 7
-A PREROUTING ! -d 192.168.1.1/32 -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 14 15:11:00 2013
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*mangle
:PREROUTING ACCEPT [348:36659]
:INPUT ACCEPT [348:36659]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [252:78891]
:POSTROUTING ACCEPT [252:78891]
COMMIT
# Completed on Mon Oct 14 15:11:00 2013
# Generated by iptables-save v1.4.12 on Mon Oct 14 15:11:00 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOW - [0:0]
:EXT-FW - [0:0]
:EXT-INT - [0:0]
:FW-EXT - [0:0]
:FW-INT - [0:0]
:GARBAGE - [0:0]
:INT-EXT - [0:0]
:INT-FW - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j EXT-FW
-A INPUT -i br0 -j INT-FW
-A INPUT -j GARBAGE
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "fw INPUT DROP: " --log-level 7
-A INPUT -j DROP
-A FORWARD -i br0 -o eth0 -j INT-EXT
-A FORWARD -i eth0 -o br0 -j EXT-INT
-A FORWARD -j GARBAGE
-A FORWARD -m limit --limit 5/sec -j LOG --log-prefix "fw FORWARD DROP: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j FW-EXT
-A OUTPUT -o br0 -j FW-INT
-A OUTPUT -j GARBAGE
-A OUTPUT -m limit --limit 5/sec -j LOG --log-prefix "fw OUTPUT DROP: " --log-level 7
-A OUTPUT -j DROP
-A ALLOW -m limit --limit 5/sec -j LOG --log-prefix "fw ALLOW ACCEPT: " --log-level 7
-A ALLOW -j ACCEPT
-A EXT-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A EXT-FW -p icmp -m icmp --icmp-type 8 -j ALLOW
-A EXT-FW -j GARBAGE
-A EXT-FW -m limit --limit 5/sec -j LOG --log-prefix "fw EXT-FW DROP: " --log-level 7
-A EXT-FW -j DROP
-A EXT-INT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A EXT-INT -j GARBAGE
-A EXT-INT -m limit --limit 5/sec -j LOG --log-prefix "fw EXT-INT DROP: " --log-level 7
-A EXT-INT -j DROP
-A FW-EXT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW-EXT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A FW-EXT -p udp -m udp --dport 67 -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 587 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p udp -m udp --dport 123 -j ALLOW
-A FW-EXT -p udp -m udp --dport 53 -j ALLOW
-A FW-EXT -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A FW-EXT -p udp -m udp --dport 65194 -j ALLOW
-A FW-EXT -m owner --uid-owner proxy -j ALLOW
-A FW-EXT -j GARBAGE
-A FW-EXT -m limit --limit 5/sec -j LOG --log-prefix "fw FW-EXT DROP: " --log-level 7
-A FW-EXT -j DROP
-A FW-INT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FW-INT -p udp -m udp --dport 68 -j ALLOW
-A FW-INT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A FW-INT -j GARBAGE
-A FW-INT -m limit --limit 5/sec -j LOG --log-prefix "fw FW-INT DROP: " --log-level 7
-A FW-INT -j DROP
-A GARBAGE -d 224.0.0.1/32 -j DROP
-A GARBAGE -d 255.255.255.255/32 -j DROP
-A GARBAGE -d 224.0.0.251/32 -j DROP
-A GARBAGE -p udp -m udp --dport 137 -j DROP
-A GARBAGE -p udp -m udp --dport 138 -j DROP
-A INT-EXT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INT-EXT -p tcp --syn --dport 465 -j ALLOW
-A INT-EXT -p tcp --syn --dport 587 -j ALLOW
-A INT-EXT -p tcp --syn --dport 993 -j ALLOW
-A INT-EXT -p tcp --syn --dport 995 -j ALLOW
-A INT-EXT -p icmp -m icmp --icmp-type 8 -j ALLOW
-A INT-EXT -m limit --limit 5/sec -j LOG --log-prefix "fw INT-EXT DROP: " --log-level 7
-A INT-EXT -j DROP
-A INT-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INT-FW -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 8081 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ALLOW
-A INT-FW -p udp -m udp --dport 53 -j ALLOW
-A INT-FW -p udp -m udp --dport 67 -j ALLOW
-A INT-FW -p icmp -m icmp --icmp-type 8 -j ALLOW
-A INT-FW -p udp -m udp --dport 123 -j ALLOW
-A INT-FW -j GARBAGE
-A INT-FW -m limit --limit 5/sec -j LOG --log-prefix "fw INT-FW DROP: " --log-level 7
-A INT-FW -j DROP
COMMIT
# Completed on Mon Oct 14 15:11:00 2013
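The raw PREROUTING rules above repeat the same rate-limited LOG plus DROP pair for every FireHOL set. The following bash snippet is an added example (not part of this page or of update-ipsets) that generates that pair from a list of set names and checks that the sets exist before the fragment is loaded; the function names are mine, the interface and set names are the page's.

```bash
#!/bin/bash
# Added example, not part of the original page: the LOG+DROP pair that the
# ruleset above repeats per FireHOL ipset in the raw PREROUTING chain, generated
# from a list of set names so a set added to update-ipsets.sh gets its rules
# without hand-editing rules.v4. Set names and interface are the page's; the
# function names are mine.

# ipset_drop_rules SET IFACE -> prints the rate-limited LOG rule and the DROP rule for one set
ipset_drop_rules() {
    local set="$1" iface="$2"
    printf '%s\n' "-A PREROUTING -i $iface -m set --match-set $set src -m limit --limit 5/sec -j LOG --log-prefix \"fw $set DROP: \" --log-level 7"
    printf '%s\n' "-A PREROUTING -i $iface -m set --match-set $set src -j DROP"
}

# raw_table_fragment IFACE SET... -> a complete *raw section for iptables-restore;
# the RFC1918 RETURN rules stay in front so internal sources never hit the blocklists
raw_table_fragment() {
    local iface="$1" net set
    shift
    echo '*raw'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for net in 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12; do
        echo "-A PREROUTING -i $iface -s $net -j RETURN"
    done
    for set in "$@"; do
        ipset_drop_rules "$set" "$iface"
    done
    echo 'COMMIT'
}

# count_drop_rules IFACE SET... -> how many DROP rules the fragment contains (one per set)
count_drop_rules() {
    raw_table_fragment "$@" | grep -c -- '-j DROP$'
}

# check_sets SET... -> 0 only if every set exists; iptables-restore rejects the
# whole file when a --match-set names a set that update-ipsets.sh has not created yet
check_sets() {
    local set
    for set in "$@"; do
        ipset -n list "$set" >/dev/null 2>&1 || { echo "missing ipset: $set" >&2; return 1; }
    done
}

# usage (as root, after update-ipsets.sh has run; replaces only the raw table):
#   check_sets firehol_level1 firehol_level2 && raw_table_fragment eth0 firehol_level1 firehol_level2 | iptables-restore
```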

Backup line

  • If the primary link goes offline, switch to the secondary one
  • If the primary link was offline and comes back, switch back to the primary
  • If the primary link is working, nothing changes
  • /usr/local/sbin/check_wan_links.sh
#!/bin/bash

# Requirements:
# IF primary link is down switch to secondary link if not already active
# IF primary link is down and comes back switch to primary link
# IF primary link is active and working do nothing

PRIMARY_IP="82.149.97.213"
SECONDARY_IP="192.168.29.2"

PRIMARY_GATEWAY="82.149.97.1"
SECONDARY_GATEWAY="192.168.29.1"

# checkLink SOURCE_IP: prints 1 if at least one of three public resolvers answers
# pings sent from SOURCE_IP (so the probe leaves via that link's policy-routing table), else 0
function checkLink()
{
  returnCode="1"

  /bin/ping -q -c 5 -I "$1" 8.8.8.8 >/dev/null || /bin/ping -q -c 5 -I "$1" 1.1.1.1 >/dev/null || /bin/ping -q -c 5 -I "$1" 9.9.9.9 >/dev/null || returnCode="0"

  echo "$returnCode"
}

# checkCurrentGateway: prints the next hop of the main table's default route
function checkCurrentGateway()
{
  default=$(/sbin/ip route get 8.8.8.8 | awk 'NR == 1 {print $3}')

  echo "$default"
}

# setCurrentGateway GATEWAY: replaces the default route in the main table
function setCurrentGateway()
{
  /sbin/ip route change default via "$1"

  echo "Default route changed to: $1"
}

linkPrimary=$(checkLink "$PRIMARY_IP")
currentGateway=$(checkCurrentGateway)

#echo "Link Primary: $linkPrimary"
#echo "Current Gateway: $currentGateway"

# primary down while it is still the default route: fail over
[[ $linkPrimary == "0" && $currentGateway == "$PRIMARY_GATEWAY" ]] && setCurrentGateway "$SECONDARY_GATEWAY"

# primary back while the secondary is the default route: fail back
[[ $linkPrimary == "1" && $currentGateway == "$SECONDARY_GATEWAY" ]] && setCurrentGateway "$PRIMARY_GATEWAY"

exit 0
  • Routing, e.g. /etc/network/interfaces
#DREI Huawei modem (LTE backup link)
auto bond0.29
iface bond0.29 inet static
	address 192.168.29.2
	netmask 255.255.255.0
	# separate routing table "lte" so replies leave via the link they arrived on;
	# the table names lte and kabsi need entries in /etc/iproute2/rt_tables
	up ip route add 192.168.29.0/24 dev bond0.29 table lte
	up ip route add default via 192.168.29.1 table lte
	# the rule's source address must be this interface's own address
	up ip rule add from 192.168.29.2 lookup lte

#EXT - kabelsignal AG (primary link)
auto eth2
iface eth2 inet static
	address 82.149.97.213
	netmask 255.255.255.0
	gateway 82.149.97.1
	up ip route add 82.149.97.0/24 dev eth2 table kabsi
	up ip route add default via 82.149.97.1 table kabsi
	up ip rule add from 82.149.97.213 lookup kabsi
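check_wan_links.sh above switches routes on the result of a single probe run, so a primary link that answers only intermittently moves the default route back and forth every 15 minutes. The following bash snippet is an added example (not the page's script) that keeps the page's gateways and probe functions but adds a fail-back threshold; the state file path and the function names are my assumptions.

```bash
#!/bin/bash
# Added example, not part of the original page: the decision part of
# check_wan_links.sh with a fail-back threshold, so a primary link that answers
# pings only now and then does not move the default route back and forth on
# every cron run. The probes (ping, ip route get) stay outside decide() so the
# logic can be checked offline; gateways are the page's, STATE_FILE is assumed.

PRIMARY_GATEWAY="82.149.97.1"
SECONDARY_GATEWAY="192.168.29.1"
FAILBACK_OK_RUNS=3                             # good probe runs in a row before failing back
STATE_FILE="/var/run/check_wan_links.state"    # assumed path for the run counter

# read_ok_runs -> consecutive successful primary probes recorded by earlier runs (0 if none/corrupt)
read_ok_runs() {
    local n=""
    if [ -r "$STATE_FILE" ]; then
        read -r n < "$STATE_FILE" || true
    fi
    case "$n" in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# write_ok_runs N -> persists the counter for the next cron run
write_ok_runs() {
    printf '%s\n' "$1" > "$STATE_FILE"
}

# decide LINK_UP CURRENT_GATEWAY OK_RUNS -> "<gateway to set or none> <new counter>"
#   LINK_UP is checkLink's 1/0, CURRENT_GATEWAY is checkCurrentGateway's output
decide() {
    local link_up="$1" current="$2" ok_runs="$3"
    if [ "$link_up" = "0" ]; then
        # primary failed: counter restarts; fail over only if we are still using it
        if [ "$current" = "$PRIMARY_GATEWAY" ]; then
            echo "$SECONDARY_GATEWAY 0"
        else
            echo "none 0"
        fi
        return 0
    fi
    ok_runs=$((ok_runs + 1))
    # primary answers: fail back only after FAILBACK_OK_RUNS consecutive good runs
    if [ "$current" = "$SECONDARY_GATEWAY" ] && [ "$ok_runs" -ge "$FAILBACK_OK_RUNS" ]; then
        echo "$PRIMARY_GATEWAY $ok_runs"
    else
        echo "none $ok_runs"
    fi
}

# run_once LINK_UP CURRENT_GATEWAY -> applies the decision (needs root for ip route)
run_once() {
    local result gw counter
    result=$(decide "$1" "$2" "$(read_ok_runs)")
    gw=${result%% *}
    counter=${result##* }
    write_ok_runs "$counter"
    if [ "$gw" != "none" ]; then
        /sbin/ip route change default via "$gw" && echo "Default route changed to: $gw"
    fi
}

# usage from cron, with the page's probe functions sourced from check_wan_links.sh:
#   run_once "$(checkLink "$PRIMARY_IP")" "$(checkCurrentGateway)"
```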

Guest WLAN

  • A guest WLAN that can be passed through the existing LAN infrastructure without complex VLAN tagging
  • Possible in combination with e.g. OpenWrt and OpenVPN plus the Linux firewall

Firewall configuration

  • We need a bridge and OpenVPN
  • Encryption is not necessary, only authentication
  • dnsmasq serves as the DHCP server
  • /etc/dnsmasq.conf
..
dhcp-range=set:wlan,10.0.212.100,10.0.212.200,255.255.255.0,4h
dhcp-option=tag:wlan,6,8.8.8.8,8.8.4.4
dhcp-option=tag:wlan,3,10.0.212.1
..
  • /etc/network/interfaces
...
#WLAN Guest Interface
auto br-guest
iface br-guest inet manual
      pre-up  brctl addbr br-guest
      pre-up  brctl stp br-guest off
      pre-up  brctl setfd br-guest 0
      pre-up  ip addr add 10.0.212.1/24 brd + dev br-guest
      pre-up  ip li set dev br-guest up

...
  • /etc/openvpn/wlan-guest.conf
dev tap0
dev-type tap

port 65190
proto udp

mode server

management 127.0.0.1 222

cd /etc/openvpn/wlan-guest

# data channel deliberately unencrypted (see above); the TLS control channel still authenticates the access point
cipher none

server 172.24.240.0 255.255.255.0

dh dh2048.pem
ca ca.crt
cert firewall.crt
key firewall.key

status status.log

client-config-dir ccd
topology subnet

tls-server

keepalive 5 15
verb 3
multihome

script-security 2
up /etc/openvpn/wlan-guest/add_tap.sh
  • /etc/openvpn/wlan-guest/add_tap.sh
#!/bin/bash

brctl addif br-guest tap0

Access point configuration

  • /etc/config/network
  • Note: in this case two VLANs split the internal and the guest network onto the corresponding switch ports (here a TP-Link 841n)
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# guest side: only tagged VLAN 2, bridged to the guest SSID; the AP itself has no address here
config interface 'guest'
	option ifname 'eth1.2'
	option type 'bridge'

config interface 'intern'
	option ifname 'eth0 eth1.3'
	option proto 'dhcp'
	option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1 4'
  • /etc/config/wireless
config wifi-device  radio0
	option type     mac80211
	option channel  auto
	option hwmode	11g
	option path	'platform/ar934x_wmac'
	option htmode	HT20
	list ht_capab	LDPC
	list ht_capab	SHORT-GI-20
	list ht_capab	SHORT-GI-40
	list ht_capab	TX-STBC
	list ht_capab	RX-STBC1
	list ht_capab	DSSS_CCK-40
	# radio enabled (the stock config ships this as 'disabled 1')
	option disabled 0

config wifi-iface
	option device   radio0
	option network  guest
	option mode     ap
	option ssid     SSID_GASTNETZWERK
	option encryption psk2
	option key  PSK_GASTNETZWERK
  • /etc/openvpn/client.conf
client
dev tap-guest
dev-type tap

cipher none
proto udp
remote firewall 65190
keepalive 5 10
resolv-retry infinite

script-security 2
up /etc/openvpn/client/add_tap.sh

nobind
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/wlanx.crt
key /etc/openvpn/client/wlanx.key
# deprecated in OpenVPN 2.4 and removed in 2.5; use "remote-cert-tls server" there
ns-cert-type server

verb 3
  • /etc/openvpn/client/add_tap.sh
#!/bin/sh


brctl addif br-guest tap-guest

rogue client workstation detection

  • Tested with Debian 9 - apt-get install arpalert
  • A mail is to be sent to root whenever an unknown client appears on the network and, where possible, a port scan of that client is to be run as well
  • grep -v ^# /etc/arpalert/arpalert.conf
maclist file = "/etc/arpalert/maclist.allow"

maclist alert file = "/etc/arpalert/maclist.deny"

maclist leases file = "/var/lib/arpalert/arpalert.leases"



lock file = "/var/run/arpalert.pid"

use syslog = true

log level = 7

user = arpalert

umask = 177

dump packet = false

daemon = false

dump inter = 5

catch only arp = true

interface = "eth1"

action on detect = "/usr/local/sbin/notifyArpalert.sh"

mod on detect = ""
mod config = ""

execution timeout = 10

max alert = 20

dump black list = false
dump white list = false
dump new address = true

mac timeout = 1555200

expire authorized mac addresses = false

max entry = 1000000

anti flood interval = 5  

anti flood global = 50

mac vendor file = "/etc/arpalert/oui.txt"
log mac vendor = true
alert mac vendor = true
mod mac vendor = true

log referenced address = false
alert on referenced address = false
mod on referenced address = false

log deny address = true
alert on deny address = true
mod on deny address = true

log new address = true
alert on new address = true
mod on new address = true

log new mac address = true
alert on new mac address = true
mod on new mac address = true

log ip change = true
alert on ip change = false
mod on ip change = true

log mac change = true
alert on mac change = false
mod on mac change = true

log unauth request = true
alert on unauth request = true
mod on unauth request = true
ignore unknown sender = false
ignore me = true
ignore self test = true
unauth ignore time method = 2

log request abus = true
alert on request abus = true
mod on request abus = true
max request = 1000000

log mac error = true
alert on mac error = true
mod on mac error = true

log flood = true
alert on flood	= true
mod on flood = true

log expire mac address = false
alert on expire mac address = false
mod on expire mac address = false
  • /usr/local/sbin/notifyArpalert.sh
#!/bin/bash

# Called by arpalert ("action on detect"); argument order as arpalert passes it:
# MAC address, IP address, extra parameters, interface, alert type
tmp_file=$(mktemp)

mac_address="$1"
ip_address="$2"
params="$3"
ethernet_device="$4"
alert_type="$5"

{
  echo "Possible Intrusion Attempt"
  echo "IP Address: $ip_address"
  echo "MAC Address: $mac_address"
  echo "Parameters: $params"
  echo "Ethernet Device: $ethernet_device"
  echo "Alert Type: $alert_type"
} > "$tmp_file"

# arpalert alert type codes, appended so the mail explains itself
cat >> "$tmp_file" << 'EOF'
Alert Types:
0: ip change
1: mac address only detected but not in white list
2: mac address in black list
3: new mac address
4: unauthorized arp request
5: abusive number of arp request detected
6: ethernet mac address different from arp mac address
7: global flood detection
8: new mac address without ip
9: mac change
10: mac expire
EOF

echo "Nmap Scan: " >> "$tmp_file"

# only scan hosts that are directly attached to the monitored interface
if ip route get "$ip_address" | grep -qE '(^| )dev eth1( |$)'; then
  nmap -Pn "$ip_address" >> "$tmp_file"
else
  echo "I'm not performing nmap on $ip_address" >> "$tmp_file"
fi

mail -s "Possible Break in Attempt" root < "$tmp_file"

rm -f "$tmp_file"
  • /etc/arpalert/maclist.allow
#COMMENT DEVICE1
11:22:33:44:55:66 IP_GERÄT1 INTERFACE_NETZWERK

rogue dhcp server detection

dhcp-probe

  • FIXME - bug with the socket WAIT?? - while debugging it „waits“ forever after the first round
  • Find DHCP servers in the current broadcast domain that are not authorised
  • tested on Debian 9 with apt-get install dhcp-probe
  • delete the dhcp-probe init script: rm /etc/init.d/dhcp-probe
  • The output is now logged via syslog through systemd
  • systemd unit /lib/systemd/system/dhcp_probe\@.service
[Unit]
Description=DHCP-Probe Instance %i
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/dhcp_probe -f -d 11 -T  %i
#2020-08-12 cc: ExecStop not defined on purpose
KillSignal=9

 
[Install]
WantedBy=multi-user.target
  • For interface eth1:
  • ln -s /lib/systemd/system/dhcp_probe\@.service /etc/systemd/system/multi-user.target.wants/dhcp_probe\@eth1.service
  • /etc/dhcp_probe.cf
legal_server IP_DHCP_SERVER1
legal_server IP_DHCP_SERVER2
alert_program_name2  /usr/local/sbin/notifyDHCP.sh
response_wait_time 10000
  • /usr/local/sbin/notifyDHCP.sh
#!/bin/bash

# Called by dhcp_probe ("alert_program_name2"); options as dhcp_probe passes them:
#   -I the name of the interface on which the unexpected response packet was received
#   -i the IP source address of the packet
#   -m Ethernet source address of the packet
#   -p the name of the calling program
tmp_file=$(mktemp)

ip_address="NONE"
mac_address="NONE"
ethernet_device="NONE"
program_id="NONE"
while getopts ":I:i:m:p:" arg; do
    case "$arg" in
        I) ethernet_device=$OPTARG ;;
        i) ip_address=$OPTARG ;;
        m) mac_address=$OPTARG ;;
        p) program_id=$OPTARG ;;
        *) ;;
    esac
done

{
  echo "Possible Rogue DHCP Server"
  echo "IP Address: $ip_address"
  echo "MAC Address: $mac_address"
  echo "Ethernet Device: $ethernet_device"
  echo "Reported by: $program_id"
  echo "Nmap Scan: "
} > "$tmp_file"

# only scan hosts that are directly attached to the monitored interface
if ip route get "$ip_address" | grep -qE '(^| )dev eth1( |$)'; then
  nmap -Pn "$ip_address" >> "$tmp_file"
else
  echo "I'm not performing nmap on $ip_address" >> "$tmp_file"
fi

mail -s "POSSIBLE rogue DHCP SERVER" root < "$tmp_file"

rm -f "$tmp_file"
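Both notifyArpalert.sh and notifyDHCP.sh above decide whether to scan an address by looking for the interface name in the output of `ip route get`. The following bash snippet is an added example (not code from this page) of that decision done more carefully: it parses the `dev` field exactly (eth1 is not eth10 or eth1.2), validates the address before it is passed to nmap, and skips hosts that are reached through a gateway. The interface name is the page's; the sample route lines and function names are my own constructions.

```bash
#!/bin/bash
# Added example, not part of the original page: the "scan only if the host is
# on the monitored segment" decision that notifyArpalert.sh and notifyDHCP.sh
# both take from the output of `ip route get`. Here the dev field is parsed
# instead of substring-matched, the address is validated before it reaches
# nmap, and hosts behind a router are skipped. Interface name is the page's;
# the sample route lines are constructed.

MONITORED_IFACE="eth1"

# route_dev ROUTE_LINE -> the interface after "dev" in the first line of `ip route get`
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# is_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# should_scan ADDR ROUTE_LINE -> 0 when ADDR is valid and directly attached on MONITORED_IFACE
should_scan() {
    local addr="$1" line="$2"
    is_ipv4 "$addr" || return 1
    [ "$(route_dev "$line")" = "$MONITORED_IFACE" ] || return 1
    case " $line " in *" via "*) return 1 ;; esac   # routed via a gateway: not our broadcast domain
    return 0
}

# scan_report ADDR -> the "Nmap Scan" part of the mail (uses the live routing table, needs nmap)
scan_report() {
    local addr="$1" line
    line=$(ip route get "$addr" 2>/dev/null | head -n 1)
    if should_scan "$addr" "$line"; then
        nmap -Pn "$addr"
    else
        echo "I'm not performing nmap on $addr"
    fi
}

# constructed samples in the shape Debian 9's `ip route get` prints
SAMPLE_LOCAL="192.168.1.50 dev eth1 src 192.168.1.1"
SAMPLE_VLAN="10.0.212.7 dev eth1.2 src 10.0.212.1"
SAMPLE_REMOTE="8.8.8.8 via 82.149.97.1 dev eth2 src 82.149.97.213"
```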

dhclient script

  • Tested on Debian 9
  • We let the official DHCP client dhclient obtain a lease on interface %i, e.g. eth1, and at the point where it would configure the IP we trigger /usr/local/sbin/triggerDHCPLease.sh instead. The renewal is set to 300 seconds. If the lease comes from a DHCP server that we have not whitelisted, triggerDHCPLease.sh calls notifyDHCP.sh, which scans the IP with nmap where applicable and sends a mail to root
  • apt-get install isc-dhcp-client
  • systemd service: cat /lib/systemd/system/dhcp-monitoring\@.service
[Unit]
Description=DHCP-Monitoring Instance %i
After=network.target

[Service]
Type=simple
ExecStart=/sbin/dhclient -v -d -sf /usr/local/sbin/triggerDHCPLease.sh -cf /usr/local/etc/dhcp-monitoring/dhclient.conf  -lf /dev/zero %i
#2020-08-12 cc: ExecStop not defined on purpose
KillSignal=9

 
[Install]
WantedBy=multi-user.target
  • Start for network interface eth1
  • ln -s /lib/systemd/system/dhcp-monitoring\@.service /etc/systemd/system/multi-user.target.wants/dhcp-monitoring\@eth1.service
ls -al /etc/systemd/system/multi-user.target.wants/dhcp-monitoring\@eth1.service 
lrwxrwxrwx 1 root root 44 Aug 12 13:35 /etc/systemd/system/multi-user.target.wants/dhcp-monitoring@eth1.service -> /lib/systemd/system/dhcp-monitoring@.service
  • /usr/local/sbin/triggerDHCPLease.sh
#!/bin/bash

# anchored alternation of the whitelisted DHCP server addresses (placeholders)
WHITELISTED_DHCP_SERVERS="^(IP_DHCP_SERVER1|IP_DHCP_SERVER2)$"

#2020-08-12 cc: will be triggered from dhclient therefore certain variables have to exist

#Variable new_dhcp_server_identifier must be present

# this script replaces dhclient-script (-sf), so the lease is inspected but never applied to the interface

function bailout
{
	echo -e "$1"
	exit 2
}

[[ -v new_dhcp_server_identifier ]] || bailout "new_dhcp_server_identifier is not set - called by dhclient ? "

# a lease offered by a server outside the whitelist triggers the rogue DHCP notification
if ! echo "$new_dhcp_server_identifier" | grep -q -P "$WHITELISTED_DHCP_SERVERS"
then
	/usr/local/sbin/notifyDHCP.sh -i "$new_dhcp_server_identifier"
fi

exit 0

  • /usr/local/etc/dhcp-monitoring/dhclient.conf (passed to dhclient with -cf above)
#       man page for more information about the syntax of this file
#       and a more comprehensive list of the parameters understood by
#       dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
#       not leave anything out (like the domain name, for example), then
#       few changes must be made to this file, if any.
#

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;

supersede dhcp-rebinding-time 300;
supersede dhcp-lease-time 300;
supersede dhcp-renewal-time 300;
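triggerDHCPLease.sh matches the server identifier against a Perl regex, where an unescaped dot matches any character. The following bash snippet is an added example (not the page's script) that does the whitelist test as an exact comparison and keeps the "was I started by dhclient?" check; the server addresses are constructed placeholders and the function names are mine.

```bash
#!/bin/bash
# Added example, not part of the original page: the whitelist test from
# triggerDHCPLease.sh done as an exact comparison. The page's pattern is used
# with grep -P, where an unescaped "." matches any character, so 10.0.0.1 in
# the list would also accept 10x0y0z1. Server addresses are constructed.

WHITELISTED_DHCP_SERVERS="10.0.0.1 10.0.0.2"   # space separated, constructed values

# dhcp_server_allowed ADDR -> 0 when ADDR is exactly one of the whitelisted servers
dhcp_server_allowed() {
    local addr="$1" allowed
    for allowed in $WHITELISTED_DHCP_SERVERS; do
        [ "$addr" = "$allowed" ] && return 0
    done
    return 1
}

# check_lease -> 0 if the server identifier dhclient exported is allowed, 1 if not,
# 2 if the variable is missing (script was not started by dhclient)
check_lease() {
    [ -n "${new_dhcp_server_identifier+x}" ] || return 2
    dhcp_server_allowed "$new_dhcp_server_identifier"
}

# run_trigger -> the flow dhclient runs; notifyDHCP.sh is the page's script,
# $interface is exported by dhclient alongside the lease variables
run_trigger() {
    local rc=0
    check_lease || rc=$?
    case "$rc" in
        0) ;;
        1) /usr/local/sbin/notifyDHCP.sh -i "$new_dhcp_server_identifier" -I "${interface:-unknown}" ;;
        2) echo "new_dhcp_server_identifier is not set - called by dhclient ?" >&2; exit 2 ;;
    esac
    return 0
}
```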

roadworker openvpn wake on lan (wol) trigger

  • e.g. for road warriors who want to reach their office PCs via Remote Desktop. The office PCs can be shut down; as soon as an authenticated connection has been established, WOL is triggered for the PC
  • /etc/openvpn/roadworker.conf (tested on Debian stretch)
...
script-security 2
client-connect /usr/local/sbin/wake-on-vpn.sh
...
  • /usr/local/sbin/wake-on-vpn.sh
#!/bin/bash

# OpenVPN client-connect hook: $common_name is the CN of the client certificate that just authenticated
case "$common_name" in
	COMMON_NAME_ROADWORKER)
		echo "Wake up Client associated with: $common_name" | /usr/bin/logger -t roadworker
		/usr/bin/wakeonlan -i IP_BROADCAST TARGET_MAC_ADDRESS | /usr/bin/logger -t roadworker
	;;
	*)
		echo "No Client to wake up found: $common_name" | /usr/bin/logger -t roadworker
	;;
esac

# exit 0 is required, otherwise OpenVPN rejects the client connection
exit 0

roadworker strongswan ipsec

  • FIXME authentication via RADIUS server / strongSwan trigger for wake on lan
  • Tested on: Ubuntu 18.04
  • /etc/ipsec.conf
  • The connection parameters were tailored specifically to Windows machines so that the IPsec VPN works in Windows out of the box. Note that Windows replaces the default route; this must be a „feature“, it happens regardless of whether leftsubnet specifies only the destination network
  • The CA certificate must have been imported into the computer certificate store, and the FQDN must match when connecting, e.g. vpn.firewall.at
# ipsec.conf - strongSwan IPsec configuration file
config setup
    #plutostart=no

conn %default
    keyexchange=ikev2
    # proposals chosen for the built-in Windows IKEv2 client (see note above)
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn roadworker
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=vpn.firewall.at.crt
    leftid=@vpn.firewall.at
    right=%any
    rightsourceip=172.16.3.0/24
    rightauth=eap-radius
    eap_identity=%identity
    rightsendcert=never
    auto=add
    leftupdown=/usr/local/sbin/wakeup.sh
  • wake on lan (wol) on successful login: /usr/local/sbin/wakeup.sh
#!/bin/bash

#Debugging: env > /tmp/env_wakeup
#PLUTO_XAUTH_ID=ACCOUNTNAME@DOMAIN

# leftupdown runs for every event (up/down); only send the magic packet when a client comes up
case "$PLUTO_VERB" in
	up-client|up-client-v6)
		/usr/sbin/etherwake -i eth1 -b -D MAC_ADDRESS
	;;
esac

exit 0
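The two hooks above (OpenVPN's client-connect with $common_name, strongSwan's leftupdown with $PLUTO_XAUTH_ID) each hard-code one identity and one MAC. The following bash snippet is an added example (not code from this page) of a single lookup both hooks can share: it maps the VPN identity to the office PC's MAC with an exact match, validates the MAC before it reaches etherwake, and logs the outcome either way. The identity table, the identities and the MACs are constructed placeholders; the interface is the page's.

```bash
#!/bin/bash
# Added example, not part of the original page: one lookup for both hooks above,
# OpenVPN's client-connect (identity in $common_name) and strongSwan's leftupdown
# (identity in $PLUTO_XAUTH_ID), mapping a VPN identity to the MAC of the office
# PC to wake. Table entries are constructed; the wake command is the page's.

# identity and MAC per line, whitespace separated (constructed)
WOL_TABLE="alice.laptop 00:11:22:33:44:55
bob.laptop 66:77:88:99:aa:bb"

# valid_mac MAC -> 0 if MAC is six colon separated hex pairs
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_for_identity IDENTITY -> prints the MAC for an exact identity match, else rc 1
mac_for_identity() {
    local id="$1" mac
    mac=$(printf '%s\n' "$WOL_TABLE" | awk -v id="$id" '$1 == id { print $2; exit }')
    [ -n "$mac" ] && valid_mac "$mac" || return 1
    printf '%s\n' "$mac"
}

# vpn_identity -> whichever identity variable the calling daemon exported, else rc 1
vpn_identity() {
    if [ -n "${common_name:-}" ]; then          # OpenVPN client-connect
        printf '%s\n' "$common_name"
    elif [ -n "${PLUTO_XAUTH_ID:-}" ]; then     # strongSwan updown (EAP identity)
        printf '%s\n' "$PLUTO_XAUTH_ID"
    else
        return 1
    fi
}

# wake_for_vpn_login -> sends the magic packet when the identity is known; logs either way
wake_for_vpn_login() {
    local id mac
    id=$(vpn_identity) || { logger -t roadworker "no VPN identity in environment"; return 1; }
    if mac=$(mac_for_identity "$id"); then
        logger -t roadworker "waking $mac for $id"
        /usr/sbin/etherwake -i eth1 -b -D "$mac"       # page's command; eth1 is the LAN side
    else
        logger -t roadworker "no client to wake up found: $id"
        return 1
    fi
}
```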

Web modules

Blocks - IPSET

  • In combination with dnsmasq and its ability to update ipsets

Blocks - hostnames

  • In combination with dnsmasq, to do a kind of „DNS spoofing“, i.e. override resolution for certain hostnames
  • www-data must be able to restart dnsmasq, e.g. visudo → www-data ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart

Proxy

  • To edit squid proxy ACLs
  • Note: www-data needs sudo rights for parse / reload
  • e.g. visudo → www-data ALL=(ALL)NOPASSWD:/usr/sbin/squid3 -k reconfigure, /usr/sbin/squid3 -k parse

Authorizer

know-how/firewall.1612866733.txt.gz · Last modified: 2021/02/09 11:32 by cc