[nos-bbs] Blocking intruders (ipset exercise) latest JNOS dev
Maiko Langelaar (Personal)
maiko at pcsinternet.ca
Wed May 3 13:22:07 EDT 2023
On my test system, I have recently switched to 'ipset' to manage
my 'database of intruders, unwanted probes, dos attacks, etc'.
1) Setup ip6tables - just the forwarding portion between linux and jnos :
sysctl -w net.ipv6.conf.all.forwarding=1
ip6tables --flush
# allow the only remote system I currently test with
ip6tables -A FORWARD -s 2001:x:x::y::/64 -j ACCEPT
# block systems contained in my 'ipset' database
ip6tables -A FORWARD -m set --match-set myipv6set src -j DROP
# allow forwarding between JNOS and the Linux host
ip6tables -A FORWARD -i eth0 -o tun8 -j ACCEPT
ip6tables -A FORWARD -i tun8 -o eth0 -j ACCEPT
Note : eth0 is to the internet, tun8 is the tap0 for my IPV6 jnos
2) Create the ipset as follows :
ipset create myipv6set hash:net family inet6
3) Enable the nolistener feature on JNOS 2.0odev :
ip nolisten 1
4) Keep an eye on the logs, and from time to time you might see :
17:49:20 network: 2x2x:96:xxxx:b0cc:e:2:2:9:49838 - no TCP (443) listener
17:49:21 network: 2x2x:96:xxxx:b0cc:e:2:2:9:49838 - no TCP (443) listener
It's like a video game :]
5) Do a whois on the ip address to try and get a block size :
whois 2x2x:96:xxxx:b0cc:e:2:2:9
This particular one gave me the following, perfect :
CIDR: 2x2x:96:xxxx::/48
6) Then simply use the command below to add to the 'ipset' database,
and you will no longer see them attempting to access your JNOS :
bash-5.1# ipset add myipv6set 2x2x:96:xxxx::/48
Note : I have masked the true IP address .. just cause ...
This works for IPV4 as well, similar commands. It's instant !
Hope this is helpful (not everyone will want to do it this way of
course) ...
Maiko / VE4KLM
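As an added example (not code from Maiko's post), a small bash helper that turns JNOS "no TCP listener" log lines like the ones above into a list of repeat probers and the matching ipset commands, printed for review rather than executed. The log format and the set name myipv6set come from the post; the sample log (built from 2001:db8:: documentation addresses instead of the masked ones), the repeat threshold, and the optional prefix length you would take from whois are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post. Parses JNOS "no TCP (port)
# listener" log lines, counts hits per source address, and prints the
# "ipset add" commands for sources over a threshold.

SET_NAME="myipv6set"   # the ipset created in step 2 of the post

# Constructed sample log in the format shown in the post (documentation
# addresses, RFC 3849, stand in for the masked real ones).
SAMPLE_LOG='17:49:20 network: 2001:db8:ffff:b0cc:e:2:2:9:49838 - no TCP (443) listener
17:49:21 network: 2001:db8:ffff:b0cc:e:2:2:9:49838 - no TCP (443) listener
17:50:02 network: 2001:db8:ffff:b0cc:e:2:2:9:49839 - no TCP (22) listener
17:51:10 network: 2001:db8:1:2::5:51000 - no TCP (443) listener'

# probers LOG THRESHOLD
# Prints "count address" for every source that hit a closed port at least
# THRESHOLD times. The source is the text before " - no TCP"; the trailing
# ":port" is stripped so only the IPv6 address remains.
probers() {
    local threshold="$2"
    printf '%s\n' "$1" |
      sed -n 's/^[0-9:]* network: \(.*\):[0-9]* - no TCP ([0-9]*) listener$/\1/p' |
      sort | uniq -c |
      awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# block_commands LOG THRESHOLD [PREFIXLEN]
# Emits (does not run) one "ipset add" per repeat prober. PREFIXLEN defaults
# to /128 (single host); pass the prefix length from the whois CIDR (e.g. 48)
# to block the whole allocation as the post does. "-exist" makes a re-add of
# an entry already in the set harmless instead of an error.
block_commands() {
    local prefix="${3:-128}"
    probers "$1" "$2" |
      awk -v set="$SET_NAME" -v p="$prefix" \
          '{ printf "ipset add -exist %s %s/%s\n", set, $2, p }'
}

# Stand-alone run: only the address seen three times crosses the threshold.
block_commands "$SAMPLE_LOG" 2
```

Pipe the real JNOS log in place of SAMPLE_LOG and review the printed commands before running them; a /48 from whois will block the whole allocation, so check it is not a prefix you also want to reach.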