iptables

From: Brian Kejser (bkejser@KAISERDIGITAL.com)
Date: 08/30/01


Message-ID: <67EA3300B8C86F45957019092253E91D04C31F@morpheus.kaiserdigital.com>
From: Brian Kejser <bkejser@KAISERDIGITAL.com>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: iptables
Date: Thu, 30 Aug 2001 05:40:04 -0700

Hi

I've been working with iptables for some time now and I would like to
further harden my firewall rules relating to HTTP.

I've noticed that most malicious attacks (i.e. code red) do random port
scans and as such the HTTP header will not contain the host name. I also
know that iptables can process requests using external libraries (although
I've never developed any of these). So I'm assuming it's possible to develop
a library that would be called by iptables whenever an HTTP request comes in
and examine the contents of the HTTP header. If the IP address was used
instead of the host name, the packet would be dropped and the host would be
blocked. Is this possible? Does the code exist anywhere to do this? Would
there be any problems doing this (besides the fact that it would not work
with SSL?

Could this approach also be used for other Internet services (i.e. FTP,
SMTP, etc.)

Also, is it possible to block a host for a short period of time. For
example, if a machine is scanning port 23 of the firewall, could the
firewall block that IP address for 15 minutes after 2 attempts.

Brian Kejser
www.kaiserdigital.com



Relevant Pages

  • Re: Border protection for Fedora
    ... [to set the firewall when e.g.: ... Fedora has a iptables service. ... http or the like, for example caching for better speed, or filtering ... This is needed by more than tcp packets. ...
    (Fedora)
  • RE: XWT Foundation Advisory
    ... > circumvented - the administrator has explicitly allowed HTTP traffic on ... location outside the firewall. ... HTTP/1.0-style requests that do not supply a Host: header. ...
    (Bugtraq)
  • Re: strange problem connecting 2 linux boxes
    ... problem is because of a firewall. ... > So the problem is caused by something on the 192.168.0.2 host. ... > NO ROUTE TO IP ADDRESS ... iptables may be involved here. ...
    (comp.os.linux.networking)
  • Re: Configuring firewall
    ... firewall, such as iptables, ufw and ... There has been a lot of buzz about ufw ... iptables -A INPUT -p http -j ACCEPT ...
    (Ubuntu)
  • Moving SMTP to behind firewall
    ... I'm planning to move smtp server to behind firewall. ... running RHL 8.0 with IPTables. ... Curently the server have public IP with the host name smtp.xxx.com ...
    (RedHat)