Skip to content
/ nf_bridge_troll Public

Allow network socket connections to a linux machine if the source_ip has a specific DNS A record for a subdomain that you control.

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kostecky/nf_bridge_troll

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
nf_bridge_troll.py
nf_bridge_troll.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

nf_bridge_troll

Allow network socket connections to a linux machine if the source_ip has a specific DNS A record for a subdomain that you control.

This concept dates back to my days administering mail clusters that use DNSBLs to regulate SPAM traffic. This allows you to configure a dynamic firewall with 1 rule that allows you to grant access based on DNS records you control.

got a red herring?

Description

Utilizing Linux netfilter's NFQUEUE target we can allow a user space program to make a decision about whether or not a packet is accepted or dropped.

We leverage the python bindings for libnetfilter_queue to analyze the source IP of a packet, issue a DNS A query for ${source_ip}.${acl_domain}, and allow the packet if a 127.0.0.2 response is received.

Example

  1. A source machine with an IP of 1.2.3.4 connects to a target host that implements this process + NF_QUEUE target in its iptables configuration.

  2. The target machine checks to see if the packet is already part of an established connection. If not, it passes it to the NF_QUEUE target.

  3. The packet is passed to the callback written in this process, which does the following:

a. Builds a DNS query based on the source IP: 1.2.3.4.acl.yourdomain.com

b. Perform the DNS query

c. If the RR answer matches 127.0.0.2 the packet is accepted and a connection is established

Installation and usage

Warning, this is not without dragons!

  1. You will need to install the development packages on your distro that contain all the requirements that python-netfilterqueue has.

  2. pip install -r requirements.txt

  3. Use your favourite process manager to launch the nf_bridge_troll.py process in the foreground with the ACL_DOMAIN environment variable set to the subdomain you control. Something like acl.yourdomain.com works well.

  4. Ensure that the TTL on your subdomain zone and the records are set low. 1 minute preferably.

  5. Insert the last iptables rule below or a variant of it depending on your needs to activate the system. Make sure it comes after the RELATED,ESTABLISHED rule that should be a default on most modern distributions.

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 51235 -j NFQUEUE --queue-num 1

This rule will target any tcp packets heading towards port 51235 and send it to queue number 1.

  1. Whenever you want to allow a host to have access to a machine, insert an A record in to your ACL_DOMAIN in the following format:
1.2.3.4.acl.yourdomain.com.   IN A  127.0.0.2

About

Allow network socket connections to a linux machine if the source_ip has a specific DNS A record for a subdomain that you control.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages