Tag Archives: firewall

Check if an IP is in a subnet

At some point I counted the DROP rules in my firewall and the result was kinda frightening: a lot of subnets and even more single IPs...
What was really annoying was that many of those IP addresses belonged to a subnet that was already blocked, so I needed a script to check this for me.

There has to be a script for this already out there in the wild, and a machine is faster than a human, so why reinvent the wheel? After searching the web a little, I found this nice Perl script.

[codesyntax lang="perl"]

#!/usr/bin/perl
# Usage: ip_in_subnet.pl <ip> <subnet>
#
# Accepted subnet notations:
#   10.0.0.0/255.255.255.0   network / dotted netmask
#   10.0.0.0/24              network / prefix length
#   10.0.0.1-254             range over the last octet
#   10.0.*.*                 wildcard octets

use strict;
use warnings;

use Socket qw( inet_aton );

sub ip2long($);
sub in_subnet($$);

my $ip = $ARGV[0];
my $subnet = $ARGV[1];

die "Usage: $0 <ip> <subnet>\n" unless defined $ip and defined $subnet;

if( in_subnet( $ip, $subnet ) )
{
	print "It's in the subnet\n";
}
else
{
	print "It's NOT in the subnet\n";
}

# Convert a dotted-quad address into its 32-bit integer value.
sub ip2long($)
{
	my $packed = inet_aton( shift );
	die "Invalid IPv4 address\n" unless defined $packed;
	return( unpack( 'N', $packed ) );
}

sub in_subnet($$)
{
	my $ip = shift;
	my $subnet = shift;

	my $ip_long = ip2long( $ip );

	# 1) network/dotted-netmask
	if( $subnet=~m|^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$| )
	{
		my $net = ip2long( $1 );
		my $mask = ip2long( $2 );

		if( ($ip_long & $mask)==$net )
		{
			return( 1 );
		}
	}
	# 2) network/prefix-length
	elsif( $subnet=~m|^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(\d{1,2})$| )
	{
		my $net = ip2long( $1 );
		my $bits = $2;
		die "Prefix length must be between 0 and 32\n" if $bits > 32;

		# Build the netmask and keep it to 32 bits so the result is the same on 32- and 64-bit perls.
		my $mask = (0xFFFFFFFF << (32-$bits)) & 0xFFFFFFFF;

		# Normalise the network in case host bits were given (10.0.0.5/24 -> 10.0.0.0/24).
		$net&= $mask;

		if( ($ip_long & $mask)==$net )
		{
			return( 1 );
		}
	}
	# 3) range over the last octet: a.b.c.x-y
	elsif( $subnet=~m|^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$| )
	{
		my $start_ip = ip2long( $1.$2 );
		my $end_ip = ip2long( $1.$3 );

		if( $start_ip<=$ip_long and $end_ip>=$ip_long )
		{
			return( 1 );
		}
	}
	# 4) wildcard octets: each * stands for one whole octet
	elsif( $subnet=~m|^[\d\*]{1,3}\.[\d\*]{1,3}\.[\d\*]{1,3}\.[\d\*]{1,3}$| )
	{
		my $search_string = $subnet;

		$search_string=~s/\./\\\./g;   # literal dots
		$search_string=~s/\*/\\d+/g;   # * matches exactly one octet, not arbitrary text

		if( $ip=~/^$search_string$/ )
		{
			return( 1 );
		}
	}

	return( 0 );
}

[/codesyntax]

Source: http://www.mikealeonetti.com/wiki/index.php?title=Check_if_an_IP_is_in_a_subnet_in_Perl
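A Python take on the same check, added here as an example (it is not part of the post or of the linked wiki page): it accepts the same four notations as the Perl script, and goes one step further to do what the post set out to do, flagging entries in a DROP list that are already covered by a broader entry. The DROP list below is constructed from documentation address ranges purely for illustration.

```python
import ipaddress
import re

# Constructed DROP list (documentation ranges), not the author's real rules
DROP_RULES = [
    "203.0.113.0/24",                 # whole subnet
    "203.0.113.42",                   # host inside that subnet -> redundant
    "198.51.100.0/255.255.255.128",   # dotted-mask notation (= /25)
    "198.51.100.10-20",               # last-octet range inside the /25 -> redundant
    "198.51.100.200",                 # outside the /25 -> needed
    "192.0.2.*",                      # wildcard notation (= 192.0.2.0/24)
    "192.0.2.0/26",                   # subnet inside it -> redundant
]

RANGE_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})")


def parse_entry(entry):
    """Turn one firewall target into a list of IPv4Network objects.

    Accepts the same notations as the Perl script: a.b.c.d/nn, a.b.c.d/m.m.m.m,
    a.b.c.x-y (range over the last octet), trailing-wildcard forms like a.b.*.*,
    and a bare host address.
    """
    entry = entry.strip()
    if "/" in entry:
        # strict=False lets 10.1.2.3/24 mean the network 10.1.2.0/24
        return [ipaddress.ip_network(entry, strict=False)]
    m = RANGE_RE.fullmatch(entry)
    if m:
        prefix, lo, hi = m.groups()
        start, end = ipaddress.ip_address(prefix + lo), ipaddress.ip_address(prefix + hi)
        # a range rarely aligns with one block, so it may become several networks
        return list(ipaddress.summarize_address_range(start, end))
    if "*" in entry:
        octets = entry.split(".")
        first = octets.index("*")
        if len(octets) != 4 or any(o != "*" for o in octets[first:]):
            raise ValueError(f"only trailing wildcards map to a subnet: {entry}")
        fixed = octets[:first]
        net = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return [ipaddress.ip_network(f"{net}/{8 * len(fixed)}")]
    return [ipaddress.ip_network(f"{entry}/32")]


def in_subnet(ip, entry):
    """Equivalent of the Perl in_subnet(): is ip inside the entry's address space?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_entry(entry))


def redundant_entries(entries):
    """(entry, covering_entry) for every entry fully covered by another entry."""
    parsed = [(e, parse_entry(e)) for e in entries]
    redundant = []
    for i, (entry, nets) in enumerate(parsed):
        for j, (other, other_nets) in enumerate(parsed):
            if i == j:
                continue
            covered = all(any(n.subnet_of(o) for o in other_nets) for n in nets)
            identical = set(nets) == set(other_nets)
            # an exact duplicate is only reported against its earlier occurrence
            if covered and (not identical or j < i):
                redundant.append((entry, other))
                break
    return redundant


if __name__ == "__main__":
    for entry, covered_by in redundant_entries(DROP_RULES):
        print(f"{entry:32} already covered by {covered_by}")
```

Wildcards that are not trailing (such as `10.*.1.5`) are rejected, because they do not describe a single contiguous block and so cannot be compared with `subnet_of`; the Perl script accepts them only as a string match.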

Set port knocking with knockd and iptables

This document describes a stealth method for opening, from the outside, ports that the firewall keeps closed by default.

Server side

1. Install knockd

[codesyntax lang="bash"]

apt-get install knockd

[/codesyntax]

2. Configure knockd

[codesyntax lang="bash"]

vim /etc/knockd.conf

[options]
        UseSyslog

[OpenClosePort]
        sequence    = 2123:udp,3543:tcp,6454:udp
        seq_timeout = 5
        Start_Command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport PORT -j ACCEPT
        tcpflags    = syn
        Cmd_timeout = 3600
        Stop_Command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport PORT -j ACCEPT

:wq

[/codesyntax]

Notes:

  • sequence - the knock sequence (port:protocol, in this order) required to open the desired port
  • seq_timeout - seconds allowed for the whole sequence to complete; a slower attempt is discarded
  • Start_Command - command executed when a client sends the correct knock sequence (%IP% is replaced with the client's address)
  • Stop_Command - command executed Cmd_timeout seconds after Start_Command has run
  • Cmd_timeout - seconds to wait between Start_Command and Stop_Command
  • PORT - placeholder for the port to be opened
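To make the timing parameters concrete, here is a small Python simulation of how knockd matches a sequence, added as an example (it is not part of the post or of knockd itself). It replays a constructed packet trace against the [OpenClosePort] door above and shows which source gets the door opened and why a stalled or out-of-order sequence does not. Two simplifications are assumed: packets to ports outside the sequence are never seen (knockd only captures the sequence ports), and a hit on a sequence port out of order discards the attempt.

```python
from dataclasses import dataclass

# Door definition taken from the knockd.conf above
SEQUENCE = [(2123, "udp"), (3543, "tcp"), (6454, "udp")]
SEQ_TIMEOUT = 5       # seconds allowed for the whole sequence
CMD_TIMEOUT = 3600    # seconds until Stop_Command runs


@dataclass
class Knock:
    """One packet seen on a sequence port (constructed for this example)."""
    t: float          # seconds since capture start
    src: str
    port: int
    proto: str        # "tcp" or "udp"
    syn: bool = True  # for tcp: a bare SYN, as required by tcpflags = syn


class KnockMatcher:
    """Tracks, per source address, how far through the sequence it has got."""

    def __init__(self, sequence=SEQUENCE, seq_timeout=SEQ_TIMEOUT, cmd_timeout=CMD_TIMEOUT):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self.cmd_timeout = cmd_timeout
        self._attempts = {}   # src -> (next stage, time of first knock)

    def feed(self, k):
        """Process one knock.

        Returns [] or [("open", src, t), ("close", src, t + cmd_timeout)], i.e. the
        moments at which Start_Command and Stop_Command would run for that source.
        """
        if k.proto == "tcp" and not k.syn:
            return []   # tcpflags = syn: anything but a bare SYN is ignored, not counted
        stage, started = self._attempts.get(k.src, (0, k.t))
        if k.t - started > self.seq_timeout:
            stage, started = 0, k.t          # seq_timeout expired: start over
        if (k.port, k.proto) != self.sequence[stage]:
            self._attempts.pop(k.src, None)  # wrong knock: attempt discarded (simplification)
            return []
        stage += 1
        if stage < len(self.sequence):
            self._attempts[k.src] = (stage, started)
            return []
        self._attempts.pop(k.src, None)      # sequence complete
        return [("open", k.src, k.t), ("close", k.src, k.t + self.cmd_timeout)]


# Constructed trace; source addresses are documentation ranges
TRACE = [
    # correct sequence within 5 s -> door opens at t=2.0
    Knock(0.0, "198.51.100.7", 2123, "udp"),
    Knock(1.0, "198.51.100.7", 3543, "tcp"),
    Knock(2.0, "198.51.100.7", 6454, "udp"),
    # same ports, but the last knock arrives after seq_timeout -> nothing opens
    Knock(10.0, "203.0.113.5", 2123, "udp"),
    Knock(11.0, "203.0.113.5", 3543, "tcp"),
    Knock(17.0, "203.0.113.5", 6454, "udp"),
    # right ports, wrong order -> nothing opens
    Knock(20.0, "192.0.2.9", 3543, "tcp"),
    Knock(21.0, "192.0.2.9", 2123, "udp"),
    Knock(22.0, "192.0.2.9", 6454, "udp"),
]


def replay(knocks):
    """Feed a whole trace in time order and collect the open/close events."""
    matcher = KnockMatcher()
    events = []
    for k in sorted(knocks, key=lambda k: k.t):
        events.extend(matcher.feed(k))
    return events


if __name__ == "__main__":
    for action, src, t in replay(TRACE):
        print(f"t={t:7.1f}s  {action:5}  {src}")
```

The trace is a useful mental model when the real daemon logs a stage count but never runs Start_Command: with UseSyslog enabled you can compare the timestamps of the logged stages against seq_timeout.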

3. Enable knockd

[codesyntax lang="bash"]

vim /etc/default/knockd

:%s/START_KNOCKD=0/START_KNOCKD=1/g
:%s/#KNOCKD_OPTS="-i eth1"/KNOCKD_OPTS="-i eth0"/g
:wq

[/codesyntax]

4. Start knockd

[codesyntax lang="bash"]

/etc/init.d/knockd restart

[/codesyntax]

Client side

1. Knock the port

[codesyntax lang="bash"]

nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 2123 host
nmap -Pn --host_timeout 201 --max-retries 0 -p 3543 host
nmap -Pn --host_timeout 201 --max-retries 0 -sU -p 6454 host

[/codesyntax]

2. Check if the port is open

[codesyntax lang="bash"]

telnet host PORT

[/codesyntax]

How to install a PPTP server on Debian squeeze

This document describes the steps required to set up a fully functional PPTP server on Debian squeeze, and how to configure Arno iptables firewall to accept incoming connections to the PPTP server (in case you use this great firewall script).

If you don't use Arno iptables firewall but still want to share the internet connection through the PPTP server, please see the last note.

PPTP or PopTop is a VPN implementation that is rather similar to OpenVPN. The difference is that PPTP is quite a bit less secure than OpenVPN, as it is not encrypted. That said, if you need a quick VPN solution that's easy and hassle-free to set up, PPTP is the obvious choice.

1. Install the PPTP server package.

[codesyntax lang="bash"]

apt-get install pptpd

[/codesyntax]

2. Edit the /etc/pptpd.conf configuration file.

[codesyntax lang="bash"]

echo "localip 192.168.1.1" >> /etc/pptpd.conf
echo "remoteip 192.168.1.236-239" >> /etc/pptpd.conf

[/codesyntax]

localip is the IP address of the server; remoteip specifies the IP addresses the VPN will assign to its clients.

3. Edit the /etc/ppp/pptpd-options configuration file:

name Private.VPN
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
proxyarp
nodefaultroute
lock
nobsdcomp
noipx
mtu 1490
mru 1490

4. Edit the chap secrets file /etc/ppp/chap-secrets and add to it the authentication credentials for a user’s connection, in the following syntax:

username <TAB> * <TAB> users-password <TAB> *

5. Restart the connection's daemon for the settings to take effect:

[codesyntax lang="bash"]

/etc/init.d/pptpd restart

[/codesyntax]

6. Enable Forwarding (this is an optional step).

Note: Enabling forwarding makes the entire network behind the server available to us when we connect, not just the VPN server itself: the connecting client can "jump" through the VPN server to all other devices on the network.

Edit the sysctl file:

[codesyntax lang="bash"]

vim /etc/sysctl.conf

[/codesyntax]

Find the net.ipv4.ip_forward line and change the parameter from 0 (disabled) to 1 (enabled):

net.ipv4.ip_forward=1

Either restart the system or issue this command for the setting to take effect:

[codesyntax lang="bash"]

sysctl -p

[/codesyntax]

7. Configure Arno iptables firewall script

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/debconf.cfg

[/codesyntax]

DC_EXT_IF="eth0"

DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP="1723"
DC_OPEN_UDP=""
DC_INT_IF="ppp+"
DC_NAT=0
DC_INTERNAL_NET="192.168.1.236/30"
DC_NAT_INTERNAL_NET=""
DC_OPEN_ICMP=0
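DC_INTERNAL_NET has to cover exactly the addresses pptpd hands out via remoteip, and the values above (192.168.1.236-239 and 192.168.1.236/30) line up. The following Python check, added as an example and not part of pptpd or the Arno firewall script, expands pptpd's remoteip syntax, derives the smallest CIDR block that covers the pool, and reports a pool that spills outside DC_INTERNAL_NET or includes localip.

```python
import ipaddress
import re

# Values from the pptpd.conf and debconf.cfg above
LOCALIP = "192.168.1.1"
REMOTEIP = "192.168.1.236-239"
DC_INTERNAL_NET = "192.168.1.236/30"

RANGE_RE = re.compile(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})")


def expand_remoteip(spec):
    """Expand pptpd's remoteip syntax into IPv4Address objects.

    Entries are comma separated; each is a single address or a.b.c.d-e,
    where d-e is an inclusive range over the last octet.
    """
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        m = RANGE_RE.fullmatch(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if lo > hi:
                raise ValueError(f"descending range in remoteip: {item}")
            hosts.extend(ipaddress.ip_address(f"{prefix}{n}") for n in range(lo, hi + 1))
        else:
            hosts.append(ipaddress.ip_address(item))
    return hosts


def smallest_covering_net(hosts):
    """Smallest single CIDR block containing every address in hosts."""
    net = next(ipaddress.summarize_address_range(min(hosts), max(hosts)))
    # a pool that is not aligned to one block is widened until one block covers it
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net


def check_pool(localip, remoteip, internal_net):
    """Return a list of problems (empty when the three settings are consistent)."""
    hosts = expand_remoteip(remoteip)
    net = ipaddress.ip_network(internal_net)
    problems = []
    if ipaddress.ip_address(localip) in hosts:
        problems.append("localip is inside the remoteip pool")
    outside = [str(h) for h in hosts if h not in net]
    if outside:
        problems.append(f"pool addresses outside DC_INTERNAL_NET {internal_net}: {outside}")
    return problems


if __name__ == "__main__":
    pool = expand_remoteip(REMOTEIP)
    print("remoteip pool:", ", ".join(map(str, pool)))
    print("smallest block covering it:", smallest_covering_net(pool))
    print("problems:", check_pool(LOCALIP, REMOTEIP, DC_INTERNAL_NET) or "none")
```

A pool such as 192.168.1.236-240 is not aligned to a single block: the smallest block covering it is 192.168.1.224/27, which is much wider than the five addresses, so it is worth choosing the pool to match a block boundary as the post does.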

[codesyntax lang="bash"]

vim /etc/arno-iptables-firewall/custom-rules

[/codesyntax]

/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

8. Restart Arno iptables firewall script:

[codesyntax lang="bash"]

/etc/init.d/arno-iptables-firewall restart

[/codesyntax]

Note:

If you don't use Arno iptables firewall but still want to share the internet connection through the PPTP server, you have to configure NAT for the PPTP connections; otherwise VPN clients cannot reach anything beyond this server. Add the following lines at the end of /etc/rc.local, right before exit 0:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Execute the /etc/rc.local file:

[codesyntax lang="bash"]

/etc/rc.local

[/codesyntax]