Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Help with script for iptables
Date: Thu, 16 Nov 2006 09:25:41
Message-Id: 200611160920.45191.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] Help with script for iptables by Flophouse Joe
On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${UPLINK}
> > do
> > iptables -A INPUT -i ! ${x} -j ACCEPT
> > . . . more rules . . .
> > iptables -A INPUT -p tcp -i ${x} -j DROP
> > done
> > =====================================================
> > type of thing. Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong. It sounds like you want to apply identical
> firewall rules to each of three interfaces. It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.

Yes, it's a laptop so there is no internal/external interface(s) split in
terms of trust; well, other than "lo".

> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine. The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point. I
should have made it clearer; this is my main set of rules right now:
======================================
UPLINK="eth0"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
iptables -A INPUT -p udp -i ${UPLINK} -j DROP
[snip...]

elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING
fi
======================================

(The ! ${UPLINK} rule is there to catch any external ifaces which might try to
spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >> iptables -A INPUT \
> >> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> >> -j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong. Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminally insane. I describe it below:
[snip...]

> As you can see, this method is pretty complicated, too. It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post). If anyone knows of a way to do this, I'd like to know
> about it.

me too!

Meanwhile, I've changed it to this:
==============================================
UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
echo "Starting firewall..."
for x in ${UPLINK}
do
iptables -P INPUT DROP
iptables -A INPUT -i ! ${x} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
iptables -A INPUT -p tcp -i ${x} -j DROP
iptables -A INPUT -p udp -i ${x} -j DROP
done
fi
==============================================

which seems to do the trick for my simple firewalling needs:
==============================================
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- eth0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- eth0 any anywhere anywhere
0 0 DROP udp -- eth0 any anywhere anywhere
0 0 ACCEPT all -- !wlan0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- wlan0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- wlan0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- wlan0 any anywhere anywhere
0 0 DROP udp -- wlan0 any anywhere anywhere
0 0 ACCEPT all -- !ppp0 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 any study1 192.168.0.5 tcp dpt:rsync
0 0 ACCEPT tcp -- ppp0 any study1 192.168.0.5 tcp dpt:1024
0 0 DROP tcp -- ppp0 any anywhere anywhere
0 0 DROP udp -- ppp0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
pkts bytes target prot opt in out source destination
==============================================

Thank you all for your help! :)
--
Regards,
Mick
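Added example, not part of the post above or of any project it mentions: a small first-match model of the INPUT chain, used to compare the rule order that the loop in the post produces (the `-i ! ${x} -j ACCEPT` and state rules repeated inside the loop) with a variant that states the interface-independent rules once before the loop. The evaluator is a deliberately reduced model of netfilter (interface, protocol, source, destination, destination port and conntrack state only); the packets, the `lo` rule standing in for `-i ! $UPLINK`, and the helper names are assumptions made for the example. The point it shows is a defender's one: with `!eth0 ... ACCEPT` as the first rule, a new connection arriving on `wlan0` or `ppp0` is accepted before the per-interface DROP rules for those interfaces are ever reached, which the `iptables -L -v` listing above makes visible but does not spell out.

```python
"""First-match model of an iptables INPUT chain, built from the thread's rules.

Added example (not from the mailing-list post). The evaluator walks the rules
in order, the first match decides, and the chain policy applies otherwise.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


def parse_rule(text):
    """Extract the matches this model understands from an 'iptables -A INPUT ...' string.

    Handles -i with either negation spelling ('-i ! x' as in the post, '! -i x'
    in later iptables), -p, -s, -d, --dport, '-m state --state' and -j.
    Tokens the model does not care about (-A, INPUT, -m tcp) are skipped.
    """
    toks = shlex.split(text)
    rule = {"negate_in": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                        # new-style negation: "! -i eth0"
            rule["negate_in"] = True
            i += 1
        elif t == "-i":
            if toks[i + 1] == "!":          # old-style negation: "-i ! eth0"
                rule["negate_in"] = True
                i += 1
            rule["in"] = toks[i + 1]
            i += 2
        elif t in ("-p", "-s", "-d", "--dport", "--state", "-j"):
            rule[t] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def matches(rule, pkt):
    """True if every match clause in the rule applies to the packet."""
    if "in" in rule and (pkt.iface == rule["in"]) == rule["negate_in"]:
        return False
    if "-p" in rule and pkt.proto != rule["-p"]:
        return False
    if "-s" in rule and pkt.src != rule["-s"]:
        return False
    if "-d" in rule and pkt.dst != rule["-d"]:
        return False
    if "--dport" in rule and pkt.dport != int(rule["--dport"]):
        return False
    if "--state" in rule and pkt.state not in rule["--state"].split(","):
        return False
    return True


def verdict(rules, pkt, policy="DROP"):
    """Target of the first matching rule, or the chain policy if none matches."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["-j"]
    return policy


UPLINKS = ["eth0", "wlan0", "ppp0"]     # the UPLINK list from the post


def per_iface_rules(x):
    """The interface-specific rules from the post with ${x} substituted."""
    return [
        f"iptables -A INPUT -i {x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT",
        f"iptables -A INPUT -i {x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT",
        f"iptables -A INPUT -p tcp -i {x} -j DROP",
        f"iptables -A INPUT -p udp -i {x} -j DROP",
    ]


def looped_ruleset():
    """Rule order produced by the loop in the post: every rule repeated per interface."""
    rules = []
    for x in UPLINKS:
        rules.append(f"iptables -A INPUT -i ! {x} -j ACCEPT")
        rules.append("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
        rules += per_iface_rules(x)
    return rules


def split_ruleset():
    """Interface-independent rules once, then only the per-interface rules in the loop.

    Assumption for the example: '-i lo -j ACCEPT' stands in for '-i ! $UPLINK'
    on a host whose only trusted interface is lo.
    """
    rules = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for x in UPLINKS:
        rules += per_iface_rules(x)
    return rules


if __name__ == "__main__":
    # Constructed probe: a new inbound TCP connection to port 22 on wlan0.
    probe = Packet("wlan0", "tcp", "10.1.2.3", "192.168.0.5", 22)
    print("looped:", verdict(looped_ruleset(), probe))   # accepted by '-i ! eth0'
    print("split: ", verdict(split_ruleset(), probe))    # dropped by the wlan0 rule
```

Running the module prints `looped: ACCEPT` and `split: DROP` for the probe packet: under the looped order the first rule (`! eth0`) accepts anything that did not arrive on `eth0`, so the per-interface DROP rules for `wlan0` and `ppp0` only ever see packets that arrived on those interfaces after the loopback and state rules have been hoisted out of the loop. A quick check on a live box is `iptables -L INPUT -v -n --line-numbers`, reading the chain top to bottom and asking, for each uplink, which rule a new connection on it hits first.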

Replies

Subject Author
Re: [gentoo-user] Help with script for iptables Nangus Garba <code.affe.dev@×××××.com>