public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] netfilter: -P INPUT DROP in kernel
From: Daniel Waeber @ 2006-04-21 0:00 UTC
To: gentoo-user

I was looking for a way to set the default rule for the INPUT chain to
DROP. I do not want to change the rule with iptables -P INPUT DROP after
loading the kernel; I want the kernel/modules to automatically DROP
everything after they have been loaded.
You can do this with the FORWARD chain with the parameter forward=0, but
nothing is implemented for the INPUT chain as far as I know.
I looked inside the kernel source of the modules, and hey, it is easy to
change. I recompiled the module, reloaded it. Perfect, now I have
default DROP.
But as it is so easy to edit, why is there no option in the kernel or a
parameter for the module that allows editing the default entries when
loading the module? I can't imagine that I am the first one who wants to
have a secure Linux, even if the firewall script (that could set -P
INPUT DROP) fails or is delayed (I use parallel startup, so it could be
that eth0 starts before iptables). Is there a reason why a default INPUT
DROP policy is not supported in the kernel? (I know that you can easily
remove the access to your system if you only manage it via ssh, but why
not have the option, if you really want to do that?)
Or is there a better way to achieve this goal?
-- 
gentoo-user@gentoo.org mailing list


* Re: [gentoo-user] netfilter: -P INPUT DROP in kernel
From: Benno Schulenberg @ 2006-04-21 19:36 UTC
To: gentoo-user

Daniel Waeber wrote:
> I was looking for a way to set the default rule for the INPUT
> chain to DROP. I do not want to change the rule with iptables -P
> INPUT DROP after loading the kernel; I want the
> kernel/modules to automatically DROP everything after they have been
> loaded.
> You can do this with the FORWARD chain with the parameter
> forward=0, but nothing is implemented for the INPUT chain as far
> as I know. I looked inside the kernel source of the modules, and
> hey, it is easy to change. I recompiled the module, reloaded it.
> Perfect, now I have default DROP.
> But as it is so easy to edit, why is there no option in the
> kernel or a parameter for the module

Make a patch that adds this parameter, allowing one to set the 
default policy for the input chain (and output chain too), and 
submit it to the kernel list.  Or show it here first.  I'd be 
interested.

(By the way, please do not reply to another message when starting a 
new topic.)

Benno


* [gentoo-user] netfilter: -P INPUT DROP in kernel
From: Daniel Waeber @ 2006-04-21 21:41 UTC
To: gentoo-user

Benno Schulenberg wrote:
> (By the way, please do not reply to another message when starting a
> new topic.)
>
> Benno

Sorry for that. So I start a new thread now.


> Daniel Waeber wrote:
>> I was looking for a way to set the default rule for the INPUT
>> chain to DROP. I do not want to change the rule with iptables -P
>> INPUT DROP after loading the kernel; I want the
>> kernel/modules to automatically DROP everything after they have been
>> loaded.
>> You can do this with the FORWARD chain with the parameter
>> forward=0, but nothing is implemented for the INPUT chain as far
>> as I know. I looked inside the kernel source of the modules, and
>> hey, it is easy to change. I recompiled the module, reloaded it.
>> Perfect, now I have default DROP.
>> But as it is so easy to edit, why is there no option in the
>> kernel or a parameter for the module
>
> Make a patch that adds this parameter, allowing one to set the
> default policy for the input chain (and output chain too), and
> submit it to the kernel list.  Or show it here first.  I'd be
> interested.

Because I'm new to Linux, this is my first patch, so I don't know if
everything is done right. Perhaps someone can examine it before I send
it to kernel.org. I added code so you can pass the parameters "input=0"
and "output=0" to the iptable_filter module to change the policies. It's
the same code already implemented for the forward chain, which can be
set to 0 to drop, 1 to accept.
I don't know how/if this parameter can be passed if netfilter is
built into the kernel, so perhaps this is not the perfect solution.

Have fun with a default denying firewall :)

[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 1603 bytes --]

diff -upr linux-2.6.16-gentoo-r3/net/ipv4/netfilter/iptable_filter.c netfilter_dorp_patch_linux/net/ipv4/netfilter/iptable_filter.c
--- linux-2.6.16-gentoo-r3/net/ipv4/netfilter/iptable_filter.c	2006-04-21 22:51:05.000000000 +0200
+++ netfilter_dorp_patch_linux/net/ipv4/netfilter/iptable_filter.c	2006-04-21 22:38:07.000000000 +0200
@@ -135,21 +135,45 @@ static struct nf_hook_ops ipt_ops[] = {
 	},
 };
 
-/* Default to forward because I got too much mail already. */
+/* Default options for the kernel module */
+/* As default everything is accepted */
+static int input = NF_ACCEPT;
+module_param(input, bool, 0000);
+
 static int forward = NF_ACCEPT;
 module_param(forward, bool, 0000);
 
+static int output = NF_ACCEPT;
+module_param(output, bool, 0000);
+
+
+
 static int __init init(void)
 {
 	int ret;
 
+	if (input < 0 || input > NF_MAX_VERDICT ) {
+		printk("iptables input must be 0 or 1\n");
+		return -EINVAL;
+	}
 	if (forward < 0 || forward > NF_MAX_VERDICT) {
 		printk("iptables forward must be 0 or 1\n");
 		return -EINVAL;
 	}
+	if (output < 0 || output > NF_MAX_VERDICT) {
+		printk("iptables output must be 0 or 1\n");
+		return -EINVAL;
+	}
 
+	/* Set the default policys according to the module parameters */
+	/* Entry 0 is the INPUT hook */
+	initial_table.entries[0].target.verdict = -input -1;	
 	/* Entry 1 is the FORWARD hook */
 	initial_table.entries[1].target.verdict = -forward - 1;
+	/* Entry 2 is the OUTPUT hook */
+	initial_table.entries[2].target.verdict = -output -1;
+
+
 
 	/* Register table */
 	ret = ipt_register_table(&packet_filter, &initial_table.repl);
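Review bot: The three range checks in init() are copy-pasted with inconsistent formatting and the new lines do not match the existing style: `if (input < 0 || input > NF_MAX_VERDICT ) {` has a stray space before the closing parenthesis, `initial_table.entries[0].target.verdict = -input -1;` carries trailing whitespace and uses `-input -1` where the existing forward line uses `-forward - 1`, and the output line repeats the same `-output -1` spacing. Since all three parameters are declared and validated identically, consider a small helper (or at least identical spacing) so the verdict encoding `-verdict - 1` reads the same for each entry. The comment "Set the default policys" should read "policies", and the runs of blank lines added after the `output` declaration and after the entry[2] assignment should be dropped before this goes to the kernel list.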


* Re: [gentoo-user] netfilter: -P INPUT DROP in kernel
From: Benno Schulenberg @ 2006-04-22 11:41 UTC
To: gentoo-user

Daniel Waeber wrote:
> Because I'm new to Linux, this is my first patch, so I don't know
> if everything is done right. Perhaps someone can examine it
> before I send it to kernel.org.

Give your patch a descriptive name (when attaching it).  Don't add 
unneeded blank lines.  And there's a spello in policys, should be 
policies.  Also, make the same changes to ip6table_filter.c.

> I don't know how/if this parameter can be passed if netfilter
> is built into the kernel, so perhaps this is not the perfect
> solution.

Try it out for yourself.  :)  Before sending something to the kernel 
mailing list, you'd better have tested your patch in several ways.
And read SubmittingPatches in the Documentation dir of the kernel 
source and some of the references mentioned at the end.

Benno