Question: How can I block traffic coming from specific operating system in Linux? In other words, how can I block traffic from Windows users on my firewall and allows other people?

Answer: There is an iptables module named OSF (passive OS Fingerprinting) that was written by Evgeniy Polyakov. This module allows passively detect OS packet was sent from and perform various netfilter actions based on this match. Packets with SYN bit set are analyzed.

In order to install OSF module, do the following:

1. Download latest release from here, for example as follows:
wget http://tservice.net.ru/~s0mbre/archive/osf/osf-2008_06_14.tar.gz

2. Edit Makefile from unpacked archive in order to set proper path to iptables headers (iptables.h and libiptc/ dir).

3. If your kernel sources can not be accessed via /lib/modules/$(shell uname -r)/build, you have to replace KDIR variable with the correct path to kernel sources.
4. Run make that should build ipt_osf.ko kernel module.
5. Run make lib that will build libipt_osf.so shared library (copy it to where all other iptables shared libs are placed in your distro e.g. /lib/iptables or /lib64/iptables in Fedora).

6. Run make bin that will build userspace applications which allows to load fingerprints and obtain information about matched packets (load, osfd, ucon_osf).

7. Download signatures list:
wget http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

8. Install kernel module:
insmod ./ipt_osf.ko

9. Load signatures:
./load ./pf.os /proc/sys/net/ipv4/osf

10. Set up iptables rules allowing/disallowing packets generated by certain OS:
iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 0 --ttl 2

This example allows traffic from Linux systems and logs packets from other ones:
ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139

BTW, OSF has following options:

  • –log
    If present, OSF will log determined genres even if they don’t match desired one.
    0 – log all matched and unknown entries.
    1 – only first one.
    2 – log all matched entries.
  • –ttl
    0 – true ip and fingerprint TTL comparison. Works for LAN.
    1 – check if ip TTL is less than fingerprint one. Works for global addresses.
    2 – do not compare TTL at all. Allows to detect NMAP, but can produce false results.
  • –connector
    If present, OSF will log all events also through netlink connector(1.0 id).
    More about connector can be found in Documentation/connector in kernel source tree.

 

5 Comments

 

  1. Pingback : Cum sa filtram packetele in functie de SO in iptables | ArLUG (Arad Linux Users Group)

  2. January 24, 2011  4:22 pm by ledlights nucash.nl fantastico Reply

    Pretty section of content. I just stumbled upon your website and in accession capital to assert that I acquire actually enjoyed account your blog posts. Any way I will be subscribing to your feeds and even I achievement you access consistently fast.

  3. February 12, 2011  9:30 pm by marketing perth Reply

    I have been gone for some time, but now I remember why I used to love this website. Thank you, Iâ??ll try and check back more frequently. How frequently do you update your website?

  4. February 18, 2011  7:01 am by reseller web hosting india Reply

    Peculiar this put up is totaly unrelated to what I was looking out google for, but it surely was indexed on the first page. I guess your doing something right if Google likes you enough to put you on the first web page of a non similar search.

Leave a reply

 

Your email address will not be published.