Setting up a NAT
January 7, 2005 2:33 PM Subscribe
PacketFilter: (Ha! Double entendre!) I need to set up a firewall/router box for a client because their Linksys router isn't doing what they need anymore. [More past the firewall]
This is kind of a weird problem.
One of my clients uses a tool hosted by a third party. The tool has been the target of bot attacks in recent weeks, so the third party has set up their server to deny requests from a particular IP address after n number of requests have been received from that IP address. They say this is to control bots and their server admins are not willing to open it up again for my client.
My client has asked me to replace their linksys firewall/router with a firewall/router/dhcp box that will allow them to randomly NAT their outgoing traffic to an IP address from their block, which should keep them from getting blocked by the anti-bot control.
I know I can NAT outgoing traffic with iptables, but I'm not sure where to start with the random-from-block thing. Ideas?
This is kind of a weird problem.
One of my clients uses a tool hosted by a third party. The tool has been the target of bot attacks in recent weeks, so the third party has set up their server to deny requests from a particular IP address after n number of requests have been received from that IP address. They say this is to control bots and their server admins are not willing to open it up again for my client.
My client has asked me to replace their linksys firewall/router with a firewall/router/dhcp box that will allow them to randomly NAT their outgoing traffic to an IP address from their block, which should keep them from getting blocked by the anti-bot control.
I know I can NAT outgoing traffic with iptables, but I'm not sure where to start with the random-from-block thing. Ideas?
(or slightly more fancy: have a cronjob that tests if the 3rd party server can be reached via the current nat, and if not then re-load iptables, forcing it to select a new ip)
posted by dorian at 2:48 PM on January 7, 2005
posted by dorian at 2:48 PM on January 7, 2005
oh wait. duh.
if the new firewall has only 1 physical external port but is allowed to choose from a set of static ip addresses, then have the iptables script do nat by interface (which it most likely will do anyway by default) rather than by ip address, and have a cronjob that re-loads eth0 (or whatever your external interface may be) and have the eth0 do the random picking.
sorry was not thinking it through earlier.
posted by dorian at 3:02 PM on January 7, 2005
if the new firewall has only 1 physical external port but is allowed to choose from a set of static ip addresses, then have the iptables script do nat by interface (which it most likely will do anyway by default) rather than by ip address, and have a cronjob that re-loads eth0 (or whatever your external interface may be) and have the eth0 do the random picking.
sorry was not thinking it through earlier.
posted by dorian at 3:02 PM on January 7, 2005
Isn't this really a band-aid that will fall off sooner or later? Or is it n requests in a given timespan?
posted by yerfatma at 3:13 PM on January 7, 2005
posted by yerfatma at 3:13 PM on January 7, 2005
You may already be aware of this, but many Linksys routers have been customized with all sorts of neat features since the firmware was released to the general public. More info: Run linux on a router, VOIP stuff, all sorts of Linksys router info, power boost, and more.
posted by Civil_Disobedient at 3:49 PM on January 7, 2005
posted by Civil_Disobedient at 3:49 PM on January 7, 2005
Response by poster: xmutex: No, I don't work for a spammer. They don't do any spam, they're just dealing with an asshat of a third party service provider. :-P
Just to explain the legit-ness: There's another way to access the tool they're using, but it requires someone to sign in with administrative priviledges ... something that my customer really, really, really, really REALLY doesn't want to give to the rank and file sales reps. The free, no-password tool gives the sales reps a quick 'yes/no' statement of product availability and current reverse auction status. The third party company, even though they're going to see *their* revenue decline if we can't get this working, says that our IP is bot-harvesting the script. No, we're not, that's just the sound of 30 sales reps hitting submit every few seconds while discussing product options with their customers...
Dorian: Thanks! Your first idea was better, to just reset iptables every time it borks. (Actually, what I'm going to do is have a web page somewhere that'll trigger a shell script that hunts for an IP address from the block that still has access.) The reason being is that there are several websites with static IPs and a DNS server hosted behind this firewall as well. That's actually the other reason for doing this; we're out of port forwards on their old Linksys router.
posted by SpecialK at 3:52 PM on January 7, 2005
Just to explain the legit-ness: There's another way to access the tool they're using, but it requires someone to sign in with administrative priviledges ... something that my customer really, really, really, really REALLY doesn't want to give to the rank and file sales reps. The free, no-password tool gives the sales reps a quick 'yes/no' statement of product availability and current reverse auction status. The third party company, even though they're going to see *their* revenue decline if we can't get this working, says that our IP is bot-harvesting the script. No, we're not, that's just the sound of 30 sales reps hitting submit every few seconds while discussing product options with their customers...
Dorian: Thanks! Your first idea was better, to just reset iptables every time it borks. (Actually, what I'm going to do is have a web page somewhere that'll trigger a shell script that hunts for an IP address from the block that still has access.) The reason being is that there are several websites with static IPs and a DNS server hosted behind this firewall as well. That's actually the other reason for doing this; we're out of port forwards on their old Linksys router.
posted by SpecialK at 3:52 PM on January 7, 2005
Response by poster: yerfatma: n requests in a given time frame with a longer ban based on extreme overuse, as far as we can tell. I've talked to their system administrator, he's a recalcitrant asshat. He won't give my client an EDI interface so that they stop hitting his script so hard, and he blames my client for his bandwidth bill being high. I'm sure this will only last until he permabans our whole IP addy range, but at that point we can point out to the VP of Ops, who has been unwilling to overrule the sysadmin so far, that the revenue that's coming from my client's company will stop... at that point, we're beginning to talk real money.
posted by SpecialK at 3:56 PM on January 7, 2005
posted by SpecialK at 3:56 PM on January 7, 2005
Is there some way you could do this with clever web proxying? Spreading the load over multiple IP's seems like it would work better than using a single IP until it gets banned, rinse, repeat... and more elegant, too.
It seems like hopping IP's for all outbound traffic would have a negative effect on any other connections that happen to be open... persistent connections like AIM or Shoutcast would be particularly affected, but other operations like large downloads would also be interrupted.
posted by mote at 3:50 PM on January 8, 2005
It seems like hopping IP's for all outbound traffic would have a negative effect on any other connections that happen to be open... persistent connections like AIM or Shoutcast would be particularly affected, but other operations like large downloads would also be interrupted.
posted by mote at 3:50 PM on January 8, 2005
This thread is closed to new comments.
posted by dorian at 2:45 PM on January 7, 2005