2月 20 2016
 

リゾルバに仕込む用? の部品? かな?
阿弥陀な chain でごめんなさい☆

FILTER-53 chain

# Create the three user-defined chains used below. FILTER-53-HIT is created
# first because the TCP/UDP chains jump to it and iptables refuses a -j to a
# chain that does not exist yet.
for chain in FILTER-53-HIT FILTER-53-TCP FILTER-53-UDP; do
    iptables --new-chain "$chain"
done

DNS TCP Response
:FILTER-53-TCP

# FILTER-53-TCP: look at one byte of the segment (offset 56) and, when it is one
# of the values below, hand the segment to FILTER-53-HIT; everything else goes
# back to the calling chain.  Every listed value has its top bit set, which in
# the DNS header is the QR (response) flag.  Values covered: 0x80-0xA7 and
# 0xB0-0xB7; 0xA8-0xAF and 0xB8-0xFF are not matched, and whether that gap is
# intentional cannot be told from this page.
# NOTE(review): offset 56 only lines up with 20 (IPv4 header, no options)
# + 32 (TCP header carrying 12 bytes of options) + 2 (DNS length prefix)
# + 2 (DNS ID).  A segment with a different header layout, and every segment
# after the first of a long response, carries something else at offset 56, so
# this is a heuristic, not a parse of the DNS header — confirm it matches on
# the hosts where it is deployed.
for value in $(seq 128 167) $(seq 176 183); do
    flags=$(printf '%02X' "$value")
    iptables -A FILTER-53-TCP -m string --hex-string="|$flags|" --algo bm --from 56 --to 57 -j FILTER-53-HIT
done
iptables -A FILTER-53-TCP -j RETURN

DNS UDP Response
:FILTER-53-UDP

# FILTER-53-UDP: same idea as FILTER-53-TCP for datagrams.  Offset 30 is
# 20 (IPv4 header, no options) + 8 (UDP header) + 2 (DNS ID), i.e. the first
# DNS flags byte; a match on one of the response-looking values below sends
# the datagram to FILTER-53-HIT, anything else returns to the caller.
# Values covered: 0x80-0xA7 and 0xB0-0xB7 (0xA8-0xAF and 0xB8-0xFF are not
# matched; the page does not say whether that is deliberate).
# NOTE(review): IPv4 packets carrying IP options shift the flags byte past
# offset 30 and are therefore never inspected by this chain — confirm whether
# that matters on the interfaces this is hooked into.
for value in $(seq 128 167) $(seq 176 183); do
    flags=$(printf '%02X' "$value")
    iptables -A FILTER-53-UDP -m string --hex-string="|$flags|" --algo bm --from 30 --to 31 -j FILTER-53-HIT
done
iptables -A FILTER-53-UDP -j RETURN

長くて通さないのを REJECT
:FILTER-53-HIT

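# FILTER-53-HIT: a packet arriving here carries a response-looking DNS flags
# byte.  Long ones are rejected — TCP segments of 1024 bytes or more get a
# RST, UDP datagrams of 512 bytes or more an ICMP admin-prohibited — and the
# rest return to the calling chain.
# Each REJECT is preceded by a LOG so a rejected response can be tied to the
# host and query it belonged to; the `iptables -nvL` output further down this
# page already shows a LOG rule ahead of each REJECT, so this also brings the
# listing in line with what was actually running.  The prefix is a local
# choice for grepping the kernel log; on a busy resolver add `-m limit` to the
# LOG rules so the log stays readable.
# Consequence worth keeping in mind: once a name's answer exceeds these sizes
# on both transports, the resolver behind this filter presumably cannot
# resolve it at all.
iptables -A FILTER-53-HIT -p tcp -m length --length 1024: -j LOG --log-prefix "FILTER-53-HIT tcp: "
iptables -A FILTER-53-HIT -p tcp -m length --length 1024: -j REJECT --reject-with tcp-reset
iptables -A FILTER-53-HIT -p udp -m length --length 512: -j LOG --log-prefix "FILTER-53-HIT udp: "
iptables -A FILTER-53-HIT -p udp -m length --length 512: -j REJECT --reject-with icmp-admin-prohibited
iptables -A FILTER-53-HIT -j RETURN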

長いのを喰わせたくない Query-IF を FILTER-53
:INPUT

# Resolver side: inspect DNS answers coming in on the query-facing interface.
# Replace {Query-IF} with the real interface name before loading.
# Only the source port marks a packet as DNS here; the UDP rule has no state
# match, so every datagram from port 53 on that interface is inspected, not
# just replies to queries this host sent.
iptables --append INPUT --in-interface {Query-IF} --protocol udp --source-port 53 --jump FILTER-53-UDP
iptables --append INPUT --in-interface {Query-IF} --protocol tcp --source-port 53 --match state --state ESTABLISHED --jump FILTER-53-TCP

長いのを吐かせたくない Response-IF を FILTER-53
:OUTPUT

# Server side: inspect DNS answers this host sends out on the response-facing
# interface (source port 53).  Replace {Response-IF} with the real interface
# name before loading.  Same chains and size limits as on the INPUT side.
iptables --append OUTPUT --out-interface {Response-IF} --protocol udp --source-port 53 --jump FILTER-53-UDP
iptables --append OUTPUT --out-interface {Response-IF} --protocol tcp --source-port 53 --match state --state ESTABLISHED --jump FILTER-53-TCP

適当に query

# Queries used to exercise the filter.  The first three carry no @server and
# so presumably go through the configured resolver; the last three ask the
# authoritative server ns3.nic.ad.jp. directly.
# NOTE(review): drill's "-o rd" toggles the RD header bit (lower case clears
# it), which is what one would want when asking an authoritative server —
# confirm against drill(1) for the installed version.
$ drill -a4 nic.ad.jp. a
$ drill -a4 129.192.41.192.in-addr.arpa. ptr
$ drill -a4 nic.ad.jp. any
$ drill -a4 -o rd nic.ad.jp. @ns3.nic.ad.jp. a
$ drill -a4 -o rd 129.192.41.192.in-addr.arpa. @ns3.nic.ad.jp. ptr
$ drill -a4 -o rd nic.ad.jp. @ns3.nic.ad.jp. any

結果こんな感じ

# Counters after the test queries; the grep hides every rule whose packet
# count is 0, so absent lines mean "never matched", not "not present".
# Points to notice when reading this against the commands above:
#  - FILTER-53-HIT shows a LOG rule ahead of each REJECT that the listed
#    commands do not create, and its udp rules sit before the tcp ones, so the
#    rule set on this box was not exactly the listing above.
#  - OUTPUT carries no FILTER-53 rules and both FILTER-53-TCP/UDP show
#    "1 references": only the INPUT side was loaded here.
#  - "96 references" on FILTER-53-HIT = 48 flag-byte values x 2 chains.
#  - Of the 21 TCP segments that reached FILTER-53-HIT, all 21 were 1024+
#    bytes and got a RST; of the 15 UDP datagrams, 3 were 512+ bytes and were
#    rejected; the remaining 12 returned.  For these names the TCP path was
#    thus never usable as a fallback.
$ sudo iptables -nvL|grep -vE ^\ *0
Chain INPUT (policy ACCEPT 44 packets, 11572 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11  4689 FILTER-53-UDP  udp  --  {Query-IF} *       0.0.0.0/0            0.0.0.0/0            udp spt:53
   42 34706 FILTER-53-TCP  tcp  --  {Query-IF} *       0.0.0.0/0            0.0.0.0/0            tcp spt:53 state ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 79 packets, 6517 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FILTER-53-HIT (96 references)
 pkts bytes target     prot opt in     out     source               destination         
    3  3168 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 512:65535 LOG flags 0 level 4
    3  3168 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 512:65535 reject-with icmp-admin-prohibited
   21 26980 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1024:65535 LOG flags 0 level 4
   21 26980 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 1024:65535 reject-with tcp-reset
   12  2135 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FILTER-53-TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   18 19476 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|80|" ALGO name bm FROM 56 TO 57
    3  7504 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|84|" ALGO name bm FROM 56 TO 57
   21  7726 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FILTER-53-UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7  3782 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|80|" ALGO name bm FROM 30 TO 31
    3   246 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|81|" ALGO name bm FROM 30 TO 31
    1   368 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|83|" ALGO name bm FROM 30 TO 31
    2   419 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|84|" ALGO name bm FROM 30 TO 31
    2   488 FILTER-53-HIT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "|86|" ALGO name bm FROM 30 TO 31
    8  1521 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
