使用recent模块中iptables,我如何检查源 IP 地址是否存在于列表中,如果存在,则将其添加到另一个列表中?
我正在尝试实现端口敲击iptables与此模块一起使用( recent)。
因此,我想通过将源 IP 地址从一个列表移动到另一个列表来检测 TCP 数据包是否以特定顺序到达,从而将其推进到最终列表,这将允许源 IP 访问机器。
我的问题基本上是,当数据包具有正确的目标端口并且位于正确的当前步骤(列表)中时,如何将源 IP 添加到下一步(列表),所有这些都在一条规则中。如下所示:
1:
# we'd like to accept the already authenticated packets quickly, hence the first rule
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT
2:
# src ip is not authenticated, let's verify the first knock
# if the first port knock was correct (port 1111), add the src ip to the 'knock1' list
iptables -A KNOCKING -p tcp --dport 1111 -m recent --name knock1 --set -j DROP
3:
# now, here is the issue...
# how do we both check if the src ip is already in the 'knock1' list
# plus the second port knock was correct (port 2222), and add the src ip to 'knock2' list
# ideally, we would write something like this
iptables -A KNOCKING -m recent --rcheck --seconds 10 --reap --name knock1 -p tcp --dport 2222 -m recent --name knock2 --set -j DROP
我已经阅读了几种使用 iptables 设置端口敲击的不同方法,但是这个对我来说似乎是最简单的方法,所以我真的很想确认或否认可以使用这种方法来做到这一点。
答案1
事实证明,我上面发布的那一行正是应该这样写:)我想我对于iptables能够处理这样一个“复杂”的规则太悲观了。
以下是我的简单端口敲击配置:
# set default policy for INPUT chain to DROP
iptables -P INPUT DROP
# accept all local traffic
iptables -A INPUT -i lo -j ACCEPT
# accept all the already-established connections
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m multiport --sports 25,80,443,465,587 -j ACCEPT
# add more of your own rules here...
# at the end, redirect all the packets into the KNOCKING chain
# this makes it easy to quickly enable/disable KNOCKING chain, if need be
iptables -A INPUT -j KNOCKING
# if the src ip is already authenticated, accept it
iptables -A KNOCKING -m recent --rcheck --seconds 60 --reap --name knockfinal -j ACCEPT
# if the packet is not authenticated and the first port knock is correct
# add the src ip into the 'knock1' list
iptables -A KNOCKING -p tcp -m tcp --dport 1111 -m recent --set --name knock1 -j DROP
# if the src ip is already in the 'knock1' list (with the expiry time of 10 seconds)
# and the 2nd port knock is correct, add the src ip to the 'knock2' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock1 -m tcp --dport 2222 -m recent --set --name knock2 -j DROP
# if the src ip is already in the 'knock2' list (with the expiry time of 10 seconds)
# and the 3rd port knock is correct, add the src ip to the 'knock3' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock2 -m tcp --dport 3333 -m recent --set --name knock3 -j DROP
# if the src ip is already in the 'knock3' list (with the expiry time of 10 seconds)
# and the 4th port knock is correct, add the src ip to the 'knockfinal' list
iptables -A KNOCKING -p tcp -m recent --rcheck --seconds 10 --reap --name knock3 -m tcp --dport 4444 -m recent --set --name knockfinal -j DROP
# otherwise, we don't do anything and the default INPUT policy will drop the packet
我想这是迄今为止我见过的最短的 iptables 端口敲击规则集......