I am using OpenWRT router. I need to block a URL or multiple URLs (Not IP) for specific time. for example, I want to block facebook.com so that clients of this router cant access the website. firewall rules should have the option to do that but I dont know how to do that.
Here is one way to block by domain name rather than by IP address.
The main reason of why you need such a complicated method is that each domain name (e.g. facebook.com) may be resolved as different IP address at any given time. So, we need to keep a list of resolved IP addresses and add iptables rules based on this list.
First, you should enable logging in dnsmasq config:
uci set dhcp.#dnsmasq[0].logqueries=1
uci commit dhcp
/etc/init.d/dnsmasq restart
This will give you log entries like:
daemon.info dnsmasq[2066]: reply facebook.com is 31.13.72.36
Now, you just have to constantly parse syslog and add corresponding iptables rules like this (note that you most likely need a more versatile script and ipset for better performance):
logread -f | awk '/facebook.com is .*/{print $11}' | while read IP; do iptables -I OUTPUT -d $IP -j DROP; done
Related
I need to archive and share some PCAP files with people who don't know what the various IP addresses in the pcap refer to.
So I want to find a way to edit the PCAP files and change IP addresses so they appear as the fqdn or a random string in wireshark. e.g. "server.a.some.domain" or "serverA" instead of 192.168.x.x. That way people will understand the traffic flow without having to ask what each IP is.
I can achieve this in wireshark manually with the Name Resolution function, but I want to automate changing the PCAP files before I share them.
I tried bittwiste and tcprewrite but they seem to only support changing an IP address to another IP address, not a string.
e.g. this works
$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,192.168.0.2
input file: a.pcap.file.pcap
output file: test.pcap
1771 packets (665162 bytes) written
but this doesn't
$ bittwiste -I a.pcap.file.pcap -O test.pcap -T ip -s 192.168.0.0,serverA
bittwiste: invalid source IP address
Anyone know if this is possible and how to do it?
thanks
This is not as trivial as it seems. The names you want to replace are only inside the application data, i.e. typically in DNS requests and responses, as part of the TLS handshake (SNI in ClientHello, CN/SAN in server certificate), in the Host field of a HTTP request header ...
While you might try to simply string-replace all such names with something else this would break the sequence numbers in the TCP connections unless you replace it with something of exactly the same length. Even then it would make the TCP checksums invalid, would make signatures on the certificates invalid, ... and in case of DNS a simple string replace would not even find all the names since they might be encoded in DNS and are not just inside the DNS packets as a plain string.
To change the display IP address for source and destination addresses in Wireshark, right click on the packet trace -> "Edit Resolved names" and then add a string to the resolved name for source address and repeat the above step for the destination address.
To ensure that the packet trace is stored with the resolved names, store the file as .pcapng. If the file is stored as .pcap the name resolution is lost, so when you open the file again the resolved names do not appear. My Wireshark version is 4.0.1
So the capture with IP# went from:
to capture with resolved names:
I would like to redirect multiple servers to a single one.
If a person wants to connect to the servers that are being redirected he needs to use a different port and username like maru#ip.ip.ip.ip -p 9393 for example.
How can I do this?
Thank you.
If you want to make internal servers reacheable from the outside of your network, you want to look into remote port forwarding as described in this link.
You will need to set GatewayPorts to yes in sshd_config and then start the forwarding with ssh -R 9393:<remote ip>:<remote port> on the outside-facing server (there are more advanced configurations to allow only certain clients described in the above link).
I'm writing script for automation of TCP connections and I have a question. Is there an option to get destination IP address, when you call (for example):
Invoke-WebRequest google.com
Problem is, when I call this command, destination IP address is always different, so I can't use command like ''test-connection''. I would like to hear further explanation. I know that Google has multiple public addresses, but why are they different when I call Invoke-WebRequest, or Test-Connection?
Example:
1.
Destination IP from wireshark capture
2.
IP address from Test-Connection command:
google.com 172.217.18.78
Greetings
Google has a huge userbase. They want to be reachable via multiple addresses, as that provides robust connections and some load balancing too. The technique is called DNS Round Robin. In case one of the multiple IP addresses doesn't work, most modern browsers will automatically try and use other addresses.
If you would like to test a connection to particular IP, you could do a name lookup and pick one of the results. Like so,
# Get a list of all Google IPs
$googles = [Net.Dns]::GetHostAddresses("www.google.com")
# Use IP address for the 1st entry
test-connection $googles[0].IPAddressToString
Here is my scenario:
A is a provisioning server and B is an client. Whenever there is any change in B's setup, it uploads the appropriate config file to A.
I am working as an automation engineer to automate it. One of the scenario says to disconnect A from network or stop the server A. perform some changes to B and make sure that B failed to upload the files to provisioning server A.
To automate it, the simple way to stop the server A and do the appropriate actions.
Since A and B are also used for other purposes by other parties so I can not either disconnect A or B from network OR stop the server at A.
So, I am looking forward for any solution so that I can simulate the host (provisioning server) unreachable scenario. So when B will send an update to A it will fail but in actual A is running as usual.
Please suggest me some way to achieve it.
I am using Perl as a programming language but I am fine if solution is available in other language.
I've done this before using a null route. This is something that best done from the shell with the ip command.
# blackhole all packets destined for 192.168.2.1
ip route add blackhole 192.168.2.1
# to delete the same route, replace add with del
ip route del blackhole 192.168.2.1
Depending on your use case, an unreachable route may work better, as it returns ICMP-unreachable instead of discarding the packets, although they tend to have the same effect.
ip route add unreachable 192.168.2.1
And for thoroughness, if you really wanted to simulate a host-unreachable situation (vs a network-unreachable), you would have to do that at the firewall level.
# resond with icmp-host-unreachable for *any* outbound packet to 192.168.2.1
iptables -I OUTPUT -d 192.168.2.1 -j REJECT --reject-with=icmp-host-unreachable
# delete the same rule (without looking up the rule #)
iptables -D OUTPUT -d 192.168.2.1 -j REJECT --reject-with=icmp-host-unreachable
Another, perhaps easier option is to change the configuration on B to have a bogus IP address for A (e.g. 192.0.2.0) when performing the test.
Test::MockObject::Extends - great for modifying small parts of modules to create specific testing scenarios. Works great for things that you can't test well because they affect things in production or in places that you don't control.
#!/usr/bin/perl
use strict;
use warnings;
use Test::MockObject::Extends;
#Fake module that has your remote connect subroutine
use Fake::Module;
my $object = Fake::Module->new();
#replace your obj with a copy that Test::MO:E will let us mess with
$object = Test::MockObject::Extends->new( $object )
#replace your connect function with a temp fake version
$object->mock(
'your_remote_connect_sub' => sub {
#Whatever data that should returned by your connect function if the server is unavailable
return undef;
},
);
#test your sub now
if ( !defined( $object->your_remove_connect_sub() ) ) {
print "Remote server unavailable\n";
}
I have a Perl-based CGI/Fast CGI web service and want to rate-limit clients by IP address to stop aggressive clients causing too much work.
I have looked around for some code and found Algorithm::TokenBucket in CPAN but that is for client requests; it has no persistence and has no per-user config so is not really useful for server-side rate limiting.
I am looking for suggestions for something that already exists, otherwise I'll need to roll my own based on some simple persistence such as tie to DB_File per-IP address and some batch job that does the token management.
I've used Cache::FastMmap for rate-limiting by tracking hits per IP address. It's a cache so data will expire over time, but if you set the size and expire time right, this shouldn't be an issue.
The IP address is the hash key and the hash value is an array of timestamps. I have a second data structure (also backed by Cache::FastMMap) which is a hash of banned IP addresses, updated according to the data from the first structure.
I know it's not what you asked, but have you considered handling this elsewhere in the stack where it's already been done for you? Clearly I don't know your deployment stack, but if it's apache you could use mod_evasive. Alternately if you're on Linux you could let iptables do its job using something like:
#Allow only 12 connections per IP
/sbin/iptables -A INPUT -p tcp --dport 80 -m conn-limit --connlimit-above 12 -j REJECT --reject-with tcp-reset
certainly more complicated rules are possible.