From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Thu, 16 Nov 2006 09:20:33 +0000
User-Agent: KMail/1.9.5
References: <200611152029.35737.michaelkintzios@gmail.com> <200611152315.17728.michaelkintzios@gmail.com> <Pine.LNX.4.64.0611151912060.31856@becky16.halibutdepot.org>
In-Reply-To: <Pine.LNX.4.64.0611151912060.31856@becky16.halibutdepot.org>
Message-Id: <200611160920.45191.michaelkintzios@gmail.com>

On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${UPLINK}
> > do
> >     iptables -A INPUT -i ! ${x} -j ACCEPT
> >     . . . more rules . . .
> >     iptables -A INPUT -p tcp -i ${x} -j DROP
> > done
> > ==================================================
> > type of thing. Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong. It sounds like you want to apply identical
> firewall rules to each of three interfaces. It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.

Yes, it's a laptop so there is no internal/external interface(s) split in
terms of trust; well, other than "lo".
> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine. The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point. I
should have made it clearer; this is my main set of rules right now:
==================================================
UPLINK="eth0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #Allow rsync connections from study1 to update portage
    iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
    #Allow tcp connections from study1 to download distfiles
    iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
    iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
    iptables -A INPUT -p udp -i ${UPLINK} -j DROP
    [snip...]
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
==================================================
(The ! ${UPLINK} rule is there to catch any external ifaces that might try to
spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >> iptables -A INPUT \
> >>     \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> >>     -j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong. Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminally insane. I describe it below:

[snip...]

> As you can see, this method is pretty complicated, too. It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post). If anyone knows of a way to do this, I'd like to know
> about it.

Me too!

Meanwhile, I've changed it to this:
==================================================
UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    for x in ${UPLINK}
    do
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${x} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        #Allow rsync connections from study1 to update portage
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
        #Allow tcp connections from study1 to download distfiles
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
        iptables -A INPUT -p tcp -i ${x} -j DROP
        iptables -A INPUT -p udp -i ${x} -j DROP
    done
==================================================
which seems to do the trick for my simple firewalling needs:
==================================================
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  !eth0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  !wlan0 any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  wlan0  any     anywhere             anywhere
    0     0 DROP       udp  --  wlan0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  !ppp0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere
    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
 pkts bytes target     prot opt in     out     source               destination
==================================================

Thank you all for your help! :)
-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list
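In the loop version of the script, the first rule appended is `-i ! eth0 -j ACCEPT`, so a packet arriving on wlan0 or ppp0 is accepted by that rule before any of the wlan0 or ppp0 DROP rules are reached (the `iptables -L -v` listing shows that order). The following added example, not code from the thread, models the INPUT chain as first-match data to compare that order with one that trusts only lo by name, which is what the `! ${UPLINK}` rule expressed when there was a single uplink. The `matches` and `verdict` functions, the `fixed_ruleset` ordering and the sample packet are constructed for this model and are not from the post.

```python
# Added example (not from the thread): a first-match model of the INPUT chain, comparing the
# loop's rule order with one that treats every uplink the same. Models matching only; never calls iptables.
UPLINKS = ["eth0", "wlan0", "ppp0"]            # interfaces from the post
STUDY1, LAPTOP = "192.168.0.2", "192.168.0.5"  # addresses from the post

def matches(rule, pkt):
    """True when every match in the rule agrees with the packet.
    'in_not' models '-i ! iface'; 'state' is a set of conntrack states."""
    for key, want in rule.items():
        if key == "in_not" and pkt["in"] == want:
            return False
        if key == "state" and pkt.get("state") not in want:
            return False
        if key not in ("target", "in_not", "state") and pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule's target is final."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def allow_rules(x):
    """The two per-interface ACCEPT rules from the post (rsync 873, distfiles 1024)."""
    return [{"in": x, "proto": "tcp", "src": STUDY1, "dst": LAPTOP,
             "dport": d, "target": "ACCEPT"} for d in (873, 1024)]

def loop_ruleset(uplinks=UPLINKS):
    """Rule order produced by the 'for x in ${UPLINK}' loop in the post."""
    chain = []
    for x in uplinks:
        chain.append({"in_not": x, "target": "ACCEPT"})  # -i ! $x -j ACCEPT
        chain.append({"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"})
        chain += allow_rules(x)
        chain.append({"in": x, "proto": "tcp", "target": "DROP"})
        chain.append({"in": x, "proto": "udp", "target": "DROP"})
    return chain

def fixed_ruleset(uplinks=UPLINKS):
    """Proposed order (assumption): trust lo by name, keep the allow rules, let policy DROP do the rest."""
    chain = [{"in": "lo", "target": "ACCEPT"},
             {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}]
    for x in uplinks:
        chain += allow_rules(x)
    return chain

# Constructed sample: a new TCP connection to port 22 arriving on wlan0 from an untrusted host.
SSH_ON_WLAN0 = {"in": "wlan0", "proto": "tcp", "src": "10.0.0.9", "dst": LAPTOP, "dport": 22, "state": "NEW"}
```

`verdict(loop_ruleset(), SSH_ON_WLAN0)` returns ACCEPT because the `! eth0` rule matches first, while `verdict(fixed_ruleset(), SSH_ON_WLAN0)` falls through to the DROP policy; the rsync rule from study1 is accepted under both orders.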