Arch: DHCP server, NAT, USB tethering with a Rakuten Mini, ipset (a BLACKLIST experiment)


Concretely, the setup looks like the photo below.

Problem 1: "Multiple vulnerabilities in ISC DHCP" sounds kind of scary; has that been fixed by now, I wonder?

Problem 2: dnsmasq is really unstable; it runs with this configuration one time and refuses to the next.

<<<<<<<<<<<<<<<<< Digression
I am doing takuhatsu (alms rounds).

This is purely my personal imagination, but
I suspect the Buddha went on alms rounds together with his disciples even in old age. His robe, I imagine, was the so-called "dung-sweeping robe" (funzō-e): clothing worn by the dead, washed in a river (yellowed because the deceased had worn it for years).
Reference: https://www.youtube.com/watch?v=Z9LAcuSScCw

Back to the topic <<<<<<<<<<<<<<

First, I'll get the simple one out of the way.

Install the dhcp package from the official repository.

# ifconfig 
 enp16s0: ---> IN
  wlan0: ----> OUT (internet)
That is the layout.

The crontab, listed through my comment-out.bat filter, is:
crontab -l | ./comment-out.bat -
@reboot shutdown -h +250 ;  /home/think/ufw-nat.bat

# ./comment-out.bat ufw-nat.bat
gives:
ufw disable
ufw enable
ufw default deny
ufw allow Deluge
ufw limit ssh/tcp
ufw status
ipset destroy ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP
INN=`ifconfig | grep enp0s |cut -d : -f 1`
echo $INN
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4

Also,
# ./comment-out.bat /etc/dhcpd.conf
gives:
option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
  range 139.96.30.150 139.96.30.155;
}

https://ubuntu-nikki.hatenadiary.org/entry/20100921/1285077768 helped me with this.


# diff /etc/default/ufw /etc/default/ufw-ori
19c19
< DEFAULT_FORWARD_POLICY="ACCEPT"
---
> DEFAULT_FORWARD_POLICY="DROP"
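Review bot: DEFAULT_FORWARD_POLICY="ACCEPT" on line 19 opens the FORWARD chain in every direction, not only from the LAN side (enp16s0) towards the uplink (wlan0); the MASQUERADE rule in before.rules only rewrites the source of outbound packets and does not restrict what gets forwarded. Leaving the default at "DROP" and adding one explicit route rule for the intended direction, for example `ufw route allow in on enp16s0 out on wlan0`, gives the same connectivity with a default-deny forward policy.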




# diff /etc/ufw/sysctl.conf /etc/ufw/sysctl.conf-ori 
8c8
< net/ipv4/ip_forward=1
---
> #net/ipv4/ip_forward=1



# head -30  /etc/ufw/before.rules |  ./comment-out.bat -
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 139.96.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
(rest omitted)


For the record, the full files are:
# ./comment-out.bat /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"




# ./comment-out.bat /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/accept_source_route=0
net/ipv6/conf/default/accept_source_route=0
net/ipv6/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/default/log_martians=0
net/ipv4/conf/all/log_martians=0
net/ipv4/tcp_sack=1



How myset is built is described later.

With this,
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
★ HERE:  DROP       all  --  anywhere             anywhere             match-set myset src
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:ssdp
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6881:6891 /* 'dapp_Deluge' */
           tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit  tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit-accept  tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain ufw-user-limit (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination 

That is how it stands.

That's all for the simple version.

 Now for the real thing.




## What I actually run now is the following; it is a bit more complicated for security reasons

PC----LAN HUB---**EndeavourLINUX**---usb---wifiMINI---internet


ifconfig shows:

enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 139.96.30.100  netmask 255.255.0.0  broadcast 139.96.255.255


enp0s29f7u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.42.37  netmask 255.255.255.0  broadcast 192.168.42.255
## This enp0s29f7u2 is the USB tethering interface, so it is enough to replace wlan0 with enp0s29f7u2 in the NAT rule.

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 6a:16:a6:0e:07:99  txqueuelen 1000  (Ethernet)
        RX packets 499367  bytes 626265031 (597.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 202466  bytes 25823640 (24.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
## wlan0 is doing no work at all, as you can see.

ipset: dropping access from risky countries

Following https://wiki.archlinux.jp/index.php/Ipset:

pacman -S ipset

curl -O http://nami.jp/ipv4bycc/cidr.txt.gz && gunzip -f cidr.txt.gz

sed -n 's/^\(CC\|HH\|RR\|KK\|LL\|II\)\t//p' cidr.txt > ccc

sort ccc > ccc-s

cp ccc-s BLACKLIST

sed "s/^/ipset add myset /g" BLACKLIST > BLACKLIST-1

After checking the first few lines of BLACKLIST-1, run
sh BLACKLIST-1


-----
crontab -l
@reboot systemctl hibernate +250 ; /home/think/nat.bat ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP

This gives:

# ipset list
Name: myset
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 1
Number of entries: 0
Members:


# iptables -L | grep myset
DROP       all  --  anywhere             anywhere             match-set myset src
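As an added example (not the post's own script), the BLACKLIST steps above and the boot-time set creation combined into one idempotent loader: it filters cidr.txt by country code, fills a temporary set through `ipset restore`, swaps it in atomically so the live set is never empty (as it is right after the @reboot job above), and inserts the INPUT DROP rule only when it is not already present. The column layout of cidr.txt (country code, tab, prefix) is assumed from the sed command above, and the codes CC and HH are placeholders as in the post; the embedded sample is constructed.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes cidr.txt lines are
# "<CC><TAB><prefix>/<len>" (inferred from the post's sed); CC/HH are placeholders.
set -eu
SET=myset

# make_restore_script CODE... : read cidr.txt on stdin, print "add" lines for
# ipset restore; skips other countries, malformed prefixes, CR tails, duplicates.
make_restore_script() {
    codes=""
    for c in "$@"; do codes="${codes:+$codes|}$c"; done
    awk -F'\t' -v re="^(${codes})\$" -v tmp="${SET}-tmp" '
        { sub(/\r$/, "", $2) }
        $1 ~ re && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print "add " tmp " " $2 }
    ' | sort -u
}

# load_blacklist CODE... : fill a temporary set from ./cidr.txt, then swap it in
# atomically so the live set is never empty; safe to re-run and safe at boot.
load_blacklist() {
    ipset -exist create "$SET" hash:net
    ipset -exist create "$SET-tmp" hash:net
    ipset flush "$SET-tmp"
    make_restore_script "$@" < cidr.txt | ipset -exist restore
    ipset swap "$SET-tmp" "$SET"
    ipset destroy "$SET-tmp"
}

# ensure_drop_rule: insert the INPUT rule only if -C does not find it already.
ensure_drop_rule() {
    iptables -C INPUT -m set --match-set "$SET" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET" src -j DROP
}

# count_members: number of prefixes in the live set, for a post-load check.
count_members() {
    ipset -terse list "$SET" | awk -F': ' '/^Number of entries/ { print $2 }'
}
# Constructed sample in the cidr.txt layout (RFC 5737 test prefixes, one CRLF
# line, one malformed line, one duplicate) for an offline dry run.
sample_cidr() {
    printf 'JP\t1.0.16.0/20\nCC\t192.0.2.0/24\nHH\t198.51.100.0/24\nCC\t203.0.113.0/24\r\nXX\tnot-a-prefix\nCC\t192.0.2.0/24\n'
}
dry_run() { sample_cidr | make_restore_script CC HH; }
case "${1:-}" in
    "") dry_run ;;                              # no arguments: offline dry run only
    *)  load_blacklist "$@"; ensure_drop_rule   # as root, with cidr.txt present
        echo "$SET now holds $(count_members) prefixes" ;;
esac
```

Run without arguments to see the restore input generated from the sample; as root with `sh blacklist.sh CC HH` it loads the real cidr.txt and reports the member count.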

The simplified version of the above that does not use ufw is as follows.


nat.bat (start)

OUTT='enp16s0'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $OUTT -j MASQUERADE
ipset destroy
ipset create myset hash:net
ipset flush myset
iptables -A INPUT -m set --match-set myset src -j DROP
iptables-save
iptables -L
#----
INN=`ifconfig | grep enp0s |cut -d : -f 1`
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4


Since this is the simplified version:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set ruwa src

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
It looks almost too flimsy, doesn't it.


Speed over USB tethering