public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Help with script for iptables
@ 2006-11-15 20:29 Mick
  2006-11-15 21:25 ` Flophouse Joe
  2006-11-16  0:26 ` Iain Buchanan
  0 siblings, 2 replies; 8+ messages in thread
From: Mick @ 2006-11-15 20:29 UTC
  To: gentoo-user


Hi All,

I have been using Daniel Robbins' basic script for years, but now on a laptop I 
have more than one way of connecting to the Internet.  The script uses the 
variable UPLINK to define the incoming interface like so:
==============================================
#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)

UPLINK="eth0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[snip...]
==============================================

I would like to define more than one iface in UPLINK, e.g. eth0, wlan0, ppp0.  
How am I supposed to do this?  I've tried space, comma and colon as 
delimiters, but all fail.  I've also tried entering UPLINK="iface_name" one 
on each line, but the last line seems to be the one that is always used.

I'd very much appreciate your script savvy guidance here, because I couldn't 
fight my way out of a paper bag when it comes to scripting . . .  :)
-- 
Regards,
Mick



* Re: [gentoo-user] Help with script for iptables
  2006-11-15 20:29 [gentoo-user] Help with script for iptables Mick
@ 2006-11-15 21:25 ` Flophouse Joe
  2006-11-15 23:15   ` Mick
  2006-11-16  0:26 ` Iain Buchanan
  1 sibling, 1 reply; 8+ messages in thread
From: Flophouse Joe @ 2006-11-15 21:25 UTC
  To: gentoo-user

On Wed, 15 Nov 2006, Mick wrote:

>        iptables -P INPUT DROP
>        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
>        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I would like to define more than one iface in UPLINK, e.g. eth0, wlan0, ppp0.

It sounds like you want to write a rule that says,

"If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
then do ${something} with it."

I have never found a good way to do this, but I have found several bad
ways of doing this. :)

Here is one of the easiest of the bad ways:

Make separate rules which effectively test for each of the interfaces
you're interested in.  If the rules match, then make the packets jump to
a new chain for further testing.

Let's use eth0, wlan0, and ppp0 as an example.  Assume that you've got
these interfaces bound on a Gentoo system acting as a firewall and NAT
device.  You trust eth0 and wlan0, as these are the interfaces from
which you connect to the system.  You don't trust ppp0, as its IP
address is publicly routable.

You wish to be able to SSH into the Gentoo system from hosts on the eth0
and wlan0 interfaces, but not from packets arriving on the ppp0
interface.

You can't write a rule like the following:

 	iptables -A INPUT -i eth0,wlan0 -p tcp --dport ssh -j ACCEPT

So instead you write rules like this:

 	iptables -N in-from-trusted

 	iptables -A INPUT -i eth0 -j in-from-trusted
 	iptables -A INPUT -i wlan0 -j in-from-trusted

 	iptables -A in-from-trusted -p tcp --dport ssh -j ACCEPT

Consider how this works.  Assume that one of your trusted hosts on the
eth0 segment sends a new SSH packet to the Gentoo system.

The SSH packet hits the "INPUT" chain, where it matches the first rule
because it arrives on the eth0 interface.  The packet then jumps (-j) to
the chain in-from-trusted.  The packet matches the first rule in this
chain because its destination tcp port is 22, and so the packet is
accepted.

The same rules apply for an incoming ssh packet arriving on the wlan0
interface.

If an ssh packet comes in on the ppp0 interface, it won't match any of
the rules from the INPUT chain listed above, and-- assuming that there
are no further rules in the INPUT chain-- its fate will be that of the
policy of the INPUT chain: DROP.

Finally, consider a packet arriving on the wlan0 interface whose
destination tcp port is, say, http.  This packet will match the rule
"-A INPUT -i wlan0" and it will jump to the in-from-trusted chain.  It
won't match the rule in in-from-trusted "-p tcp --dport ssh", and so it
won't be accepted here.

This method works well enough in this example, but gets unwieldy
quickly if taken to its logical extreme.  I once maintained a set of
iptables rules that was written entirely in this method.  It was nothing
but a series of "tests" chained together with jumps and returns.  Even
though I wrote it, it was nearly impossible for me to follow and debug
it: tracing a packet required consulting five or six chains, and
inserting new rules was a chore because it was always necessary to avoid
inserting a rule in such a way as to short-circuit an existing "test".

I warned you this was a bad way. :)

It's entirely possible that I'm misunderstanding the design of
netfilter, but it seems to me that the solution to complicated rulesets
is to permit boolean logic in rules like so:

 	iptables -A INPUT \
 	\(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
 	-j ACCEPT

Joe
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] Help with script for iptables
  2006-11-15 21:25 ` Flophouse Joe
@ 2006-11-15 23:15   ` Mick
  2006-11-16  1:15     ` Flophouse Joe
  0 siblings, 1 reply; 8+ messages in thread
From: Mick @ 2006-11-15 23:15 UTC
  To: gentoo-user


Thanks Joe,

On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> >        iptables -P INPUT DROP
> >        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

> > I would like to define more than one iface in UPLINK, e.g. eth0, wlan0,
> > ppp0.
>
> It sounds like you want to write a rule that says,
>
> "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
> then do ${something} with it."

Yes. I was thinking is it possible to define the interfaces like:

UPLINK="eth0 wlan0 ppp0"

and then add something like:
=====================================================
 for x in ${UPLINK}
	do
		iptables -A INPUT -i ! ${x} -j ACCEPT
		. . . more rules . . .
		iptables -A INPUT -p tcp -i ${x} -j DROP
	done
=====================================================
type of thing.  Not sure if the syntax is correct, but the idea is that we 
define multiple interfaces, but only write the rules once with the 
variable 'x' where the interface is meant to go.

> Here is one of the easiest of the bad ways:
>
> Make separate rules which effectively test for each of the interfaces
> you're interested in.  If the rules match, then make the packets jump to
> a new chain for further testing.

That's a simple enough way, although, as you say, it can quickly get complicated, 
especially if you want to modify rules, change chains and so on.

> It's entirely possible that I'm misunderstanding the design of
> netfilter, but it seems to me that the solution to complicated rulesets
> is to permit boolean logic in rules like so:
>
>  	iptables -A INPUT \
>  	\(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
>  	-j ACCEPT

Is there a legit way of specifying such rules?
-- 
Regards,
Mick



* Re: [gentoo-user] Help with script for iptables
  2006-11-15 20:29 [gentoo-user] Help with script for iptables Mick
  2006-11-15 21:25 ` Flophouse Joe
@ 2006-11-16  0:26 ` Iain Buchanan
  1 sibling, 0 replies; 8+ messages in thread
From: Iain Buchanan @ 2006-11-16  0:26 UTC
  To: gentoo-user

On Wed, 2006-11-15 at 20:29 +0000, Mick wrote:
> Hi All,
> 
> I have been using Daniel Robbins' basic script for years but now on a laptop I 
> have more than one ways of connecting to the Internet.  The script uses the 
> variable UPLINK to define the incoming interface like so:
> ==============================================
> #change this to the name of the interface that provides your "uplink"
> #(connection to the Internet)

you could try modifying the script slightly:

> UPLINK="eth0"

make that
UPLINK="eth0 ppp0" # space separated

then I was going to say use a
for i in x; do ...; done
loop, but I realised that won't work exactly, because of the line
>        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
then something strange would happen.

What you're really saying is "for every interface not specified, accept
incoming packets".  This gets a bit tricky, cause you either have to
parse the output of ifconfig (ugly) or specify the interfaces that are
NOT "uplinks" (prone to user error).

You could say:

UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
	for IFS in `ifconfig | grep "Link encap:" | awk '{print $1}'`; do
		for UPIFS in ${UPLINK}; do
			# if IFS isn't in UPIFS, then accept all traffic on IFS
			if ...

forget that! too ugly.  What are you really trying to do?  Make all your
interfaces the "uplink", i.e. firewalled?

In that case, just say this:

> UPLINK="who cares?"
> 
> if [ "$1" = "start" ]
> then
>         echo "Starting firewall..."
>         iptables -P INPUT DROP
>         iptables -A INPUT -i lo -j ACCEPT
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done! Now everything is firewalled, and only lo is trusted.

However, I haven't seen the rest of this script, so I don't know if that
will break things.  Maybe you want to post back with some more info if
that doesn't suit your needs...

cya!
-- 
Iain Buchanan <iaindb at netspace dot net dot au>

	"How many people work here?"
	"Oh, about half."





* Re: [gentoo-user] Help with script for iptables
  2006-11-15 23:15   ` Mick
@ 2006-11-16  1:15     ` Flophouse Joe
  2006-11-16  9:20       ` Mick
  0 siblings, 1 reply; 8+ messages in thread
From: Flophouse Joe @ 2006-11-16  1:15 UTC
  To: gentoo-user

On Wed, 15 Nov 2006, Mick wrote:
> On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
>> On Wed, 15 Nov 2006, Mick wrote:

> UPLINK="eth0 wlan0 ppp0"
> for x in ${INTERFACES}
> 	do
> 		iptables -A INPUT -i ! ${x} -j ACCEPT
> 		. . . more rules . . .
> 		iptables -A INPUT -p tcp -i ${x} -j DROP
> 	fi
> =====================================================
> type of think.  Not sure if the syntax is correct, but the idea is that we
> define multiple interfaces, but only write the rules once with the
> variable 'x' where the interface is meant to go.

I'm not 100% certain that I understand the goal, so please let me know
if I've gotten it wrong.  It sounds like you want to apply identical
firewall rules to each of three interfaces.  It's possible that there
are other interfaces, and if traffic arrives on those interfaces, then
it should not be matched by the rules in the for loop.

If this is the case, then yes, the for loop you've suggested should be
perfectly fine.  The rules you specify in that loop will only be applied
to traffic which arrives on the interfaces that you loop through.

If you're anything like me, you'll find the rules created in this manner 
slightly difficult to read from the output of "iptables -vnL", but you'd 
have the same problem using the test-then-jump method I mentioned in my 
previous post.  As near as I can tell, this is a limitation of iptables 
(or netfilter) itself, in that (to the best of my knowledge) it isn't 
possible to specify a rule that matches multiple interfaces whose names 
don't begin the same way.

>> It's entirely possible that I'm misunderstanding the design of
>> netfilter, but it seems to me that the solution to complicated rulesets
>> is to permit boolean logic in rules like so:
>>
>>  	iptables -A INPUT \
>>  	\(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
>>  	-j ACCEPT
>
> Is there a legit way of specifying such rules?

Not that I'm aware of, but I'd very much like to be proven wrong.  Does
anyone else on the list know of a way to specify boolean conditions in
iptables rules as illustrated above?

For what it's worth, I have found a way to get something that
approximates the ability to use ORs in iptables rules, but it borders on
the criminally insane.  I describe it below:

I have a Gentoo system in my house which acts as a firewall and NAT
gateway.  It has three network interfaces:

eth0 connects to the public internet,
eth1 connects to a non-routable network segment,
eth2 connects to a non-routable wireless access point left wide open.

I wish for some hosts-- and only some hosts-- to be able to connect to the
wireless access point and have their traffic masqueraded out to the
public internet.

Since I'm dealing with a very small number of hosts, and since these
hosts are directly connected to the Gentoo system's ethernet segment,
I've decided to filter traffic from the wireless access point based on
the source MAC address of the ethernet frames coming from the wireless
access point.

Let's say that I trusted the hosts with MAC address 00:11:22:33:44:55 and
with MAC address 00:22:44:66:88:AA, and I wished for these hosts to have
their traffic forwarded out to the internet without any restrictions
whatsoever.

This would be simple enough:

 	iptables -A FORWARD -i eth2 -o eth0 \
 	-m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

 	iptables -A FORWARD -i eth2 -o eth0 \
 	-m mac --mac-source 00:22:44:66:88:AA -j ACCEPT

But in reality, the rules are a bit more complicated.  I disallow
outgoing access to SMTP and BitTorrent, for example.  I also disallow
outgoing traffic to certain UDP ports.

These rules add up quickly.  It's possible to collapse some of these rules 
using -m multiport , but I still end up with a few rules for each of the 
hosts that are being forwarded from the wireless interface to the public. 
And since I can't test for multiple MAC addresses in one rule, I need 
separate rules for each host.

I've got about six hosts connecting to the wireless access point, and
I've got three rules for each host.  Because I can't "OR" rules
together, I've got 6 x 3 = 18 rules to juggle.

This isn't too big of a deal if I wrap it up in a for loop, but it's
still unsightly to look at in the output of "iptables -vnL".

I've used the connmark match and the CONNMARK target to get the same
effect.

In table mangle chain PREROUTING, I have rules that look like this:

 	iptables -t mangle -A PREROUTING \
 	-m mac --mac-source 00:11:22:33:44:55 \
 	-j CONNMARK --set-mark 0x1/0x1

 	iptables -t mangle -A PREROUTING \
 	-m mac --mac-source 00:22:44:66:88:AA \
 	-j CONNMARK --set-mark 0x1/0x1

 	iptables -t mangle -A PREROUTING \
 	-m mac --mac-source 33:66:99:CC:FF:00 \
 	-j CONNMARK --set-mark 0x1/0x1

And now I can collapse the rules in table filter, chain FORWARD like so:

 	iptables -A FORWARD -p tcp -m multiport ! --dports 25,6881 \
 	-i eth2 -o eth0 -m connmark --mark 0x1/0x1 -j ACCEPT

 	iptables -A FORWARD -p udp -m multiport ! --dports 123,456 \
 	-i eth2 -o eth0 -m connmark --mark 0x1/0x1 -j ACCEPT

The "connmark 0x1/0x1" business sets a bit associated with the connection; think of
it as setting a variable and then checking for it later.

The above two rules are effectively saying the following:

 	iptables -A FORWARD -p tcp -m multiport ! --dports 25,6881 \
 	-i eth2 -o eth0 \
 	-m mac --mac-source mac-1,mac-2,mac-3 \
 	-j ACCEPT

 	iptables -A FORWARD -p udp -m multiport ! --dports 123,456 \
 	-i eth2 -o eth0 \
 	-m mac --mac-source mac-1,mac-2,mac-3 \
 	-j ACCEPT

As you can see, this method is pretty complicated, too.  It's not really
any substitute for "real" boolean logic (as described near the top of
this post).  If anyone knows of a way to do this, I'd like to know
about it.

Joe
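Joe's two layouts side by side, as an added example that is not his actual ruleset: the script prints the per-host rules and the CONNMARK version so their sizes can be compared (6 x 3 = 18 versus 6 + 3), and it writes the connmark test in its documented form, `-m connmark --mark`. The MAC addresses, interfaces and port lists are the ones from the thread; the `-i eth2` on the mangle rule is this example's own addition.

```shell
#!/bin/sh
# Added example, not Joe's actual ruleset. It emits both FORWARD layouts
# Joe compares (one rule per host per service, versus a CONNMARK bit set
# once per host) so the rule counts can be compared, and writes the
# connmark test in its documented form, "-m connmark --mark". MACs,
# interfaces and port lists are the thread's. Rules are printed, not
# applied: review them, then pipe to sh as root.

TRUSTED_MACS="00:11:22:33:44:55 00:22:44:66:88:AA 33:66:99:CC:FF:00"
# Each service is proto:blocked-ports; every other port is allowed out.
SERVICES="tcp:25,6881 udp:123,456"

# Layout 1: hosts x services rules, each carrying its own MAC test.
per_host_rules() {
    for mac in $1; do
        for svc in $2; do
            printf 'iptables -A FORWARD -i eth2 -o eth0 -m mac --mac-source %s -p %s -m multiport ! --dports %s -j ACCEPT\n' \
                "$mac" "${svc%%:*}" "${svc#*:}"
        done
    done
}

# Layout 2: one mangle rule per host sets bit 0x1 on the connection; the
# service rules test the bit, so each is written once. "-i eth2" is added
# to the mangle rule so that only frames arriving from the wireless side
# can set the bit; a MAC match is only meaningful on the ingress link.
marked_rules() {
    for mac in $1; do
        printf 'iptables -t mangle -A PREROUTING -i eth2 -m mac --mac-source %s -j CONNMARK --set-mark 0x1/0x1\n' "$mac"
    done
    for svc in $2; do
        printf 'iptables -A FORWARD -i eth2 -o eth0 -m connmark --mark 0x1/0x1 -p %s -m multiport ! --dports %s -j ACCEPT\n' \
            "${svc%%:*}" "${svc#*:}"
    done
}

# Number of rules a layout produces for the given hosts and services:
# hosts * services for layout 1, hosts + services for layout 2.
rule_count() {
    "$1" "$2" "$3" | grep -c '^iptables'
}

per_host_rules "$TRUSTED_MACS" "$SERVICES"
marked_rules "$TRUSTED_MACS" "$SERVICES"
```

With six hosts and three services `rule_count per_host_rules` gives Joe's 18 while `rule_count marked_rules` gives 9, and each extra host costs one mangle rule rather than one rule per service.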




* Re: [gentoo-user] Help with script for iptables
  2006-11-16  1:15     ` Flophouse Joe
@ 2006-11-16  9:20       ` Mick
  2006-11-16 15:19         ` Nangus Garba
  0 siblings, 1 reply; 8+ messages in thread
From: Mick @ 2006-11-16  9:20 UTC
  To: gentoo-user


On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${INTERFACES}
> > 	do
> > 		iptables -A INPUT -i ! ${x} -j ACCEPT
> > 		. . . more rules . . .
> > 		iptables -A INPUT -p tcp -i ${x} -j DROP
> > 	fi
> > =====================================================
> > type of think.  Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong.  It sounds like you want to apply identical
> firewall rules to each of three interfaces.  It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.

Yes, it's a laptop so there is no internal/external interface(s) split in 
terms of trust; well other than "lo".

> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine.  The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point.  I 
should have made it clearer, this is my main set of rules right now:
======================================
UPLINK="eth0"
if [ "$1" = "start" ]
then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
        iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
        iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
        iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
        iptables -A INPUT -p udp -i ${UPLINK} -j DROP
[snip...]

elif [ "$1" = "stop" ]
then
        echo "Stopping firewall..."
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        #turn off NAT/masquerading, if any
        iptables -t nat -F POSTROUTING
fi
======================================

(The ! ${UPLINK} rule is there to catch any external ifaces that might try to 
spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >>  	iptables -A INPUT \
> >>  	\(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> >>  	-j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong.  Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminially insane.  I describe it below:
[snip...]

> As you can see, this method is pretty complicated, too.  It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post).  If anyone knows of a way to do this, I'd like to know
> about it.

me too!

Meanwhile, I've changed it to this:
==============================================
UPLINK="eth0 wlan0 ppp0"

if [ "$1" = "start" ]
then
        echo "Starting firewall..."
for x in ${UPLINK}
do
        iptables -P INPUT DROP
        iptables -A INPUT -i ! ${x} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow rsync connections from study1 to update portage
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
        iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
        iptables -A INPUT -p tcp -i ${x} -j DROP
        iptables -A INPUT -p udp -i ${x} -j DROP
done
==============================================

which seems to do the trick for my simple firewalling needs:
==============================================
# iptables -L -v 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  !eth0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  !wlan0 any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  wlan0  any     anywhere             anywhere
    0     0 DROP       udp  --  wlan0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  !ppp0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere
    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
 pkts bytes target     prot opt in     out     source               destination
==============================================

Thank you all for your help!  :)
-- 
Regards,
Mick



* Re: [gentoo-user] Help with script for iptables
  2006-11-16  9:20       ` Mick
@ 2006-11-16 15:19         ` Nangus Garba
  2006-11-16 18:05           ` Mick
  0 siblings, 1 reply; 8+ messages in thread
From: Nangus Garba @ 2006-11-16 15:19 UTC
  To: gentoo-user


# I think that a set of rules that looks something like this would be easier to maintain
# there are 500 little tricks that I could add if I was home and had my notes

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT

#this will take care of all interfaces by default
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# maybe you should just use one interface for portage to connect through such as eth0
# might also be a good plan to use the mac address instead of the ip it is a little harder to spoof

#Allow rsync connections from study1 to update portage
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
#Allow tcp connections from study1 to download distfiles
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
#      these rules are kinda taken care of by: iptables -P INPUT DROP
#       iptables -A INPUT -p tcp -i ${x} -j DROP
#        iptables -A INPUT -p udp -i ${x} -j DROP



* Re: [gentoo-user] Help with script for iptables
  2006-11-16 15:19         ` Nangus Garba
@ 2006-11-16 18:05           ` Mick
  0 siblings, 0 replies; 8+ messages in thread
From: Mick @ 2006-11-16 18:05 UTC
  To: gentoo-user


On Thursday 16 November 2006 15:19, Nangus Garba wrote:
> # I think that a set of rules that looks something like this would be
> easier to maintain
> # there are 500 little tricks that I could add if I was home and had my
> notes

Hey! Thanks for your help - please send some more when you get home.  :)

> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT

The "! $iface" is meant to catch incoming packets on an external iface which 
have their IP address spoofed to 127.0.0.1 type of thing.  Will "lo" achieve 
the same thing?

> #this will take care of all interfaces by default
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # maybe you should just use one interface for portage to connect through
> such as eth0

Good point.

> # might also be a good plan to use the mac address instead of the ip it is
> a little harder to spoof

Could I use both in a single rule?

> #Allow rsync connections from study1 to update portage
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 873 -d
> 192.168.0.5 -j ACCEPT
> #Allow tcp connections from study1 to download distfiles
> iptables -A INPUT -i eth0 -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d
> 192.168.0.5 -j ACCEPT
> #      these rules are kinda taken car of by: iptables -P INPUT DROP

Yes, in their current format they are, but I had previously set them up to 
REJECT with different messages.

> #       iptables -A INPUT -p tcp -i ${x} -j DROP
> #        iptables -A INPUT -p udp -i ${x} -j DROP

Keep 'em coming!  :)
-- 
Regards,
Mick
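An added example, not code from the thread, that serves both Joe's test-then-jump explanation earlier in the thread and Mick's final loop together with his question about `lo`: it prints each layout as text and runs a small evaluator over the printed rules, so a packet's fate can be checked without loading anything. The evaluator, the `127.0.0.0/8` drop and the outside source address used in the usage note are this example's own; the interfaces and hosts are the thread's. It shows that in the loop as posted `-i ! eth0 -j ACCEPT` matches everything arriving on wlan0 or ppp0 (the `ACCEPT all -- !eth0` line in the `iptables -L -v` listing above), so those interfaces are left open and a loopback-spoofed packet on them is accepted, whereas `-i lo -j ACCEPT` plus a drop of loopback sources on every other interface gives the intended protection.

```shell
#!/bin/sh
# Added example, not code from the thread: generators that print the INPUT
# layouts discussed here (Joe's test-then-jump chain, Mick's loop as posted,
# a reworked loop) and a small evaluator that walks the printed text to give
# a packet's fate before any rule is loaded. The evaluator knows only the
# options used below; the 127.0.0.0/8 rule is this example's own.

# Joe's layout: one INPUT jump per trusted interface into a shared chain.
trusted_chain_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -N in-from-trusted\n'
    for i in eth0 wlan0; do
        printf 'iptables -A INPUT -i %s -j in-from-trusted\n' "$i"
    done
    printf 'iptables -A in-from-trusted -p tcp --dport 22 -j ACCEPT\n'
}

UPLINK="eth0 wlan0 ppp0"
RSYNC='-p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT'

# Mick's loop as posted: "-i ! eth0 -j ACCEPT" is true for every packet
# arriving on wlan0 or ppp0, so the later DROPs are never reached there.
mick_rules() {
    printf 'iptables -P INPUT DROP\n'
    for x in $UPLINK; do
        printf 'iptables -A INPUT -i ! %s -j ACCEPT\n' "$x"
        printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
        printf 'iptables -A INPUT -i %s %s\n' "$x" "$RSYNC"
        printf 'iptables -A INPUT -p tcp -i %s -j DROP\n' "$x"
    done
}

# Reworked: interface-independent rules once, lo trusted by name, loopback
# source addresses dropped on every other interface, then the loop.
fixed_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for x in $UPLINK; do
        printf 'iptables -A INPUT -i %s %s\n' "$x" "$RSYNC"
        printf 'iptables -A INPUT -p tcp -i %s -j DROP\n' "$x"
    done
}

# verdict CHAIN IN_IFACE SRC DST DPORT: fate of a NEW TCP packet under the
# rules in $RULES. The first matching -j wins; a user chain with no match
# returns to its caller; no match in INPUT means its -P policy.
verdict() {
    chain=$1 in_if=$2 src=$3 dst=$4 dport=$5 policy=RETURN
    printf '%s\n' "$RULES" | {
        while read -r line; do
            set -- $line
            [ "$2" = -P ] && [ "$3" = "$chain" ] && { policy=$4; continue; }
            [ "$2" = -A ] && [ "$3" = "$chain" ] || continue
            shift 3                          # drop "iptables -A CHAIN"
            ok=yes target=
            while [ $# -gt 0 ]; do
                case $1 in
                  -i) [ "$2" = '!' ] && { shift 2; set -- '!' -i "$@"; continue; }
                      [ "$2" = "$in_if" ] || ok=no; shift 2 ;;
                  '!') [ "$3" != "$in_if" ] || ok=no; shift 3 ;;
                  -s) case $2 in
                        */8) [ "${2%%.*}" = "${src%%.*}" ] || ok=no ;;
                        *)   [ "$2" = "$src" ] || ok=no ;;
                      esac; shift 2 ;;
                  -d) [ "$2" = "$dst" ] || ok=no; shift 2 ;;
                  -p) [ "$2" = tcp ] || ok=no; shift 2 ;;
                  --dport) [ "$2" = "$dport" ] || ok=no; shift 2 ;;
                  --state) ok=no; shift 2 ;;       # a NEW packet never matches
                  -j) target=$2; shift 2 ;;
                  *) shift ;;                      # -m tcp, -m state
                esac
            done
            [ "$ok" = yes ] && [ -n "$target" ] || continue
            case $target in
              ACCEPT|DROP) policy=$target; break ;;
              *) sub=$(verdict "$target" "$in_if" "$src" "$dst" "$dport")
                 [ "$sub" = RETURN ] || { policy=$sub; break; } ;;
            esac
        done
        echo "$policy"
    }
}
```

Set `RULES=$(mick_rules)` and run `verdict INPUT wlan0 10.0.0.1 192.168.0.5 22` to get ACCEPT for a fresh connection from an outside host (10.0.0.1 is a constructed address), then the same call with `RULES=$(fixed_rules)` to get DROP.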


