On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${UPLINK}
> > do
> > iptables -A INPUT -i ! ${x} -j ACCEPT
> > . . . more rules . . .
> > iptables -A INPUT -p tcp -i ${x} -j DROP
> > done
> > =====================================================
> > type of thing. Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong. It sounds like you want to apply identical
> firewall rules to each of three interfaces. It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.

Yes, it's a laptop so there is no internal/external interface(s) split in
terms of trust; well, other than "lo".

> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine. The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point. I
should have made it clearer; this is my main set of rules right now:
======================================
UPLINK="eth0"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
iptables -A INPUT -p udp -i ${UPLINK} -j DROP
[snip...]

elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING
fi
======================================

(The ! ${UPLINK} rule is there to catch any external ifaces that might try to
spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >> iptables -A INPUT \
> >> \(-i eth0 -or -i wlan0\) -and \(-p tcp --dport ssh\) \
> >> -j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong. Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminally insane. I describe it below:
[snip...]

> As you can see, this method is pretty complicated, too. It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post). If anyone knows of a way to do this, I'd like to know
> about it.

me too!

Meanwhile, I've changed it to this:
==============================================
UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
echo "Starting firewall..."
for x in ${UPLINK}
do
iptables -P INPUT DROP
iptables -A INPUT -i ! ${x} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
iptables -A INPUT -p tcp -i ${x} -j DROP
iptables -A INPUT -p udp -i ${x} -j DROP
done
==============================================

which seems to do the trick for my simple firewalling needs:
==============================================
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- eth0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- eth0 any anywhere anywhere
0 0 DROP udp -- eth0 any anywhere anywhere
0 0 ACCEPT all -- !wlan0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- wlan0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- wlan0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- wlan0 any anywhere anywhere
0 0 DROP udp -- wlan0 any anywhere anywhere
0 0 ACCEPT all -- !ppp0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- ppp0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- ppp0 any anywhere anywhere
0 0 DROP udp -- ppp0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
pkts bytes target prot opt in out source destination
==============================================

Thank you all for your help! :)
--
Regards,
Mick
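Added example, not Mick's script nor anything from the thread: the same rule set with the chain policy and the conntrack rule set once outside the loop, and loopback trusted by name. In the listing above the first rule, "ACCEPT all -- !eth0", matches every packet arriving on wlan0 or ppp0 and accepts it before those interfaces' DROP rules are reached (and the later "!wlan0" rule does the same for non-tcp/udp traffic on eth0), so the loop only ever filters tcp/udp on eth0. The DRY_RUN wrapper is an assumption added so the generated rules can be reviewed without root; addresses and ports are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not Mick's script): same rule set, chain-wide pieces set
# once outside the loop, loopback trusted by name. Addresses and ports are
# the ones quoted in the thread.
UPLINK="eth0 wlan0 ppp0"
STUDY1="192.168.0.2"   # rsync client named study1 in the thread
LAPTOP="192.168.0.5"   # this host's address
# Wrapper (assumption): with DRY_RUN=1 rules are printed, not loaded, so
# the generated list can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_start() {
    # Policy and the conntrack rule belong to the chain: set them once.
    ipt -P INPUT DROP
    # Trust loopback explicitly. "-i ! eth0 -j ACCEPT" inside a loop over
    # several uplinks also matches wlan0 and ppp0 and accepts all their
    # traffic before the per-interface DROP rules are ever reached.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for x in $UPLINK; do
        # rsync from study1 to update portage
        ipt -A INPUT -i "$x" -p tcp -s "$STUDY1" -d "$LAPTOP" -m tcp --dport 873 -j ACCEPT
        # tcp connections from study1 to download distfiles
        ipt -A INPUT -i "$x" -p tcp -s "$STUDY1" -d "$LAPTOP" -m tcp --dport 1024 -j ACCEPT
        ipt -A INPUT -i "$x" -p tcp -j DROP
        ipt -A INPUT -i "$x" -p udp -j DROP
    done
}

firewall_stop() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
    ipt -t nat -F POSTROUTING   # turn off NAT/masquerading, if any
}

# Returns the generated rule list as text (subshell keeps DRY_RUN local).
dry_run() { ( DRY_RUN=1; firewall_start ); }

case "$1" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     dry_run ;;
esac
```

Run it with no argument to print the 15 rules it would load; only the per-interface ACCEPT/DROP lines repeat, and no rule accepts by negated interface.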