Provided by: firehol-doc_3.1.7+ds-4_all
NAME
firehol-iptrap - dynamically put IP addresses in an ipset
SYNOPSIS
{ iptrap | iptrap4 | iptrap6 } ipset type seconds [ timeout | counters ] [ method method ] [rule-params] [ except [rule-params] ]... { ipuntrap | ipuntrap4 | ipuntrap6 } ipset type [ timeout | counters ] [ method method ] [rule-params] [ except [rule-params] ]...
DESCRIPTION
iptrap adds the IP addresses of the matching packets to ipset. ipuntrap deletes the IP addresses of the matching packets from ipset. Both helpers do not affect the flow of traffic. They do not ACCEPT, REJECT, DROP packets or affect the firewall in any way. ipset is the name of the ipset to use. type selects which of the IP addresses of the matching packets will be used (added or removed from the ipset). type can be src, dst, src,dst, dst,src, etc. If type is a pair, then the ipset must be an ipset of pairs too. seconds is required by iptrap and gives the duration in seconds of the lifetime of each IP address that is added to ipset. Every matching packet will refresh this duration for the IP address in the ipset. The Linux kernel will automatically remove the IP from the ipset when this time expires. The user may monitor the remaining time for each IP, by running ipset list NAME (where NAME is the ipset parameter given in the iptrap command). The seconds value default will not set any seconds. The ipset default will be used. A seconds of 0 (zero), writes to the ipset permanently (this is a feature of the ipset command, not the ipset FireHOL helper). The keywords timeout and counters are mutually exclusive. timeout is the default and means that each IP address every time is matched its timeout will be refreshed, while counters means that its packets and bytes counters will be refreshed. Unfortunately the kernel either re-add the IP in the ipset with the new timeout - but its counters will be lost, or just the counters will be updated, but the timeout will not be refreshed. method is defines the storage method of the underlying ipset. It accepts all the types the ipset commands accepts. method and type should match. For example if method is hash:ip then method should be either src or dst. If method is hash:ip,ip then method should be either src,dst or dst,src. If method is hash:ip,port,ip method should be src,src,dst or src,dst,dst or dst,src,src or dst,dst,src. For more information check the manual page of the ipset command. The rule-params define a set of rule parameters to restrict the traffic that is matched to this helper. See firehol-params(5) for more details. except rule-params are used to exclude traffic, i.e. traffic that normally is matched by the first set of rule-params, will be excluded if matched by the second. iptrap and ipuntrap are hooked on PREROUTING so it is only useful for incoming traffic. iptrap and ipuntrap cannot setup both IPv4 and IPv6 traps with one call. The reason is that the ipset can either be IPv4 or IPv6. Both helpers will create the ipset specified, if that ipset is not already created by other statements. When the ipset is created by the iptrap helper, the ipset will not be reset (emptied) when the firewall is restarted. The ipset options used when these helpers create ipsets can be controlled with the variable IPTRAP_DEFAULT_IPSET_OPTIONS.
EXAMPLES
# Example: mini-IDS # add to the ipset `trap` for an hour (3600 seconds) all IPs from all packets # coming from eth0 and going to tcp/3306 (mysql). iptrap4 src trap 3600 inface eth0 proto tcp dport 3306 log "TRAPPED HTTP" # block them blacklist4 full inface eth0 log "BLOCKED" src ipset:trap except src ipset:whitelist # Example: ipuntrap ipuntrap4 src trap inface eth0 src ipset:trap proto tcp dport 80 log "UNTRAPPED HTTP" # Example: a knock # The user will be able to knock at tcp/12345 iptrap4 src knock1 30 inface eth0 proto tcp dport 12345 log "KNOCK STEP 1" # in 30 seconds knock at tcp/23456 iptrap4 src knock2 60 inface eth0 proto tcp dport 23456 src ipset:knock1 log "KNOCK STEP 2" # in 60 seconds knock at tcp/34566 iptrap4 src knock3 90 inface eth0 proto tcp dport 34567 src ipset:knock2 log "KNOCK STEP 3" # # and in 90 seconds ssh interface ... server ssh accept src ipset:knock3
SEE ALSO
• firehol(1) - FireHOL program • firehol.conf(5) - FireHOL configuration • FireHOL Website (http://firehol.org/) • FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf) • FireHOL Online Documentation (http://firehol.org/documentation/)
AUTHORS
FireHOL Team.