All of lore.kernel.org
* Order in ruleset edition
@ 2003-11-26 18:40 Alejandro Cabrera Obed
  2003-11-26 18:59 ` William Stearns
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Alejandro Cabrera Obed @ 2003-11-26 18:40 UTC (permalink / raw)
  To: Netfilter lista (iptables)

Hi !!!
I'm trying to construct my own iptables ruleset; I'm editing a script
file.

My question is the following:

Is there any order of CHAINS and TABLES that I have to follow in order to
construct my iptables ruleset? For example, is it the same if I first
write the FORWARD rules in my script and then the OUTPUT and INPUT rules,
or vice versa?

Thanks a lot and regards !!!

Alejandro.



^ permalink raw reply	[flat|nested] 14+ messages in thread
* RE: Order in ruleset edition
@ 2003-11-26 18:53 Hildebrand, Brian
  0 siblings, 0 replies; 14+ messages in thread
From: Hildebrand, Brian @ 2003-11-26 18:53 UTC (permalink / raw)
  To: Netfilter lista (iptables)

It does not matter if you put rules for different chains amongst each other. You do not have to enter all of the forward rules first and then all of the input rules, etc. The order of the rules within the chain does matter. Obviously it makes it easier to read if you group the rules by which chain they are going into, so it isn't a bad idea. 

-----Original Message-----
From: Alejandro Cabrera Obed [mailto:sisdis@tournet.com.ar]
Sent: Wednesday, November 26, 2003 12:41
To: Netfilter lista (iptables)
Subject: Order in ruleset edition

Hi !!!
I'm trying to construct my own iptables ruleset; I'm editing a script
file.

My question is the following:

Is there any order of CHAINS and TABLES that I have to follow in order to
construct my iptables ruleset? For example, is it the same if I first
write the FORWARD rules in my script and then the OUTPUT and INPUT rules,
or vice versa?

Thanks a lot and regards !!!

Alejandro.


----------------------------------------
The information transmitted in this message is intended only for the person or entity to whom it is addressed and may contain confidential and/or privileged material.  Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.  If you received this in error, please contact the sender and destroy any copies of this document.


* RE: Order in ruleset edition
@ 2003-11-26 18:59 Daniel Chemko
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Chemko @ 2003-11-26 18:59 UTC (permalink / raw)
  To: Alejandro Cabrera Obed, Netfilter lista (iptables)

The order of rule insertion only matters when the rules have the same
table and chain. So, the following table/chain combinations can be
applied in any order:

raw/PREROUTING
mangle/PREROUTING
nat/PREROUTING
mangle/INPUT
filter/INPUT
mangle/FORWARD
filter/FORWARD
raw/OUTPUT
mangle/OUTPUT
filter/OUTPUT
nat/OUTPUT
mangle/POSTROUTING
nat/POSTROUTING

Also, any policy (-P ..) rules can be applied in any order, but if you
have more than one policy rule for any of the above table/chain
combinations, the later executed rule will persist.

-----Original Message-----
From: Alejandro Cabrera Obed [mailto:sisdis@tournet.com.ar] 
Sent: Wednesday, November 26, 2003 10:41 AM
To: Netfilter lista (iptables)
Subject: Order in ruleset edition

Hi !!!
I'm trying to construct my own iptables ruleset; I'm editing a script
file.

My question is the following:

Is there any order of CHAINS and TABLES that I have to follow in
order to
construct my iptables ruleset? For example, is it the same if I first
write the FORWARD rules in my script and then the OUTPUT and INPUT
rules,
or vice versa?

Thanks a lot and regards !!!

Alejandro.




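Daniel's point above, that only the order inside one table/chain matters and that a later -P silently overrides an earlier one, can be checked statically before a script is ever loaded. The following is an added example, not code from the thread: a small POSIX sh/awk normaliser that groups the commands of an iptables script by table/chain (filter being the default table), keeps the order inside each group, records the policy that survives, and so lets two differently ordered scripts be compared. The three sample scripts it writes are constructed for the demonstration; it expects literal `iptables` commands, and positional `-I CHAIN N`, `-D` and `-R` are not modelled.

```shell
#!/bin/sh
# Static check for an iptables script: group commands by table/chain, so two scripts
# can be compared on the only thing that matters, the order inside each chain.
# Added example; it only parses text and never runs iptables.

# Emit "table/CHAIN<TAB>rule" lines grouped by table/chain (sorted), keeping the order
# of rules inside each group. Policies are listed once per chain with the value that
# survives, flagged when -P was given more than once. Handles -A, -I (prepend) and -P;
# positional "-I CHAIN N", -D and -R are not modelled.
normalize_ruleset() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    {
        table = "filter"; op = ""; chain = ""; pol = ""; rest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-t")            { table = $(i+1); i++ }
            else if ($i == "-P")       { op = "-P"; chain = $(i+1); pol = $(i+2); i += 2 }
            else if ($i ~ /^-[AI]$/)   { op = $i; chain = $(i+1); i++ }
            else if ($i != "iptables") { rest = (rest == "" ? $i : rest " " $i) }
        }
        if (chain == "") next
        key = table "/" chain
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (op == "-P")      { policy[key] = pol; npol[key]++ }           # later -P wins
        else if (op == "-I") rules[key] = key "\t" rest "\n" rules[key]   # insert = prepend
        else                 rules[key] = rules[key] key "\t" rest "\n"   # append
    }
    END {
        for (i = 2; i <= n; i++) {                      # sort keys: canonical group order
            k = order[i]
            for (j = i - 1; j > 0 && order[j] > k; j--) order[j+1] = order[j]
            order[j+1] = k
        }
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (k in policy)
                printf "%s\tpolicy %s%s\n", k, policy[k],
                       (npol[k] > 1 ? " (set " npol[k] " times; last one wins)" : "")
            printf "%s", rules[k]
        }
    }' "$@"
}

# Exit 0 when two scripts build the same chains, whatever order they were written in.
same_ruleset() {
    [ "$(normalize_ruleset "$1")" = "$(normalize_ruleset "$2")" ]
}

# Constructed samples: the same ruleset grouped by chain ($1) and interleaved ($2),
# and a variant ($3) that swaps two INPUT rules and sets the INPUT policy twice.
write_samples() {
    cat > "$1" <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
    cat > "$2" <<'EOF'
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    cat > "$3" <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P INPUT ACCEPT
EOF
}
```

Run `normalize_ruleset firewall.sh` on your own script to see each chain as it will end up, or `same_ruleset old.sh new.sh` before a reload to confirm that a reordered script has not changed any chain. The grouped and interleaved samples normalise identically; the third sample differs both by the swapped INPUT rules (a real change, since within-chain order is first match wins) and by the flagged double policy, whose final value is ACCEPT rather than the DROP the first line suggests.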
* RE: Order in ruleset edition
@ 2003-11-26 19:16 Hildebrand, Brian
  2003-11-26 20:27 ` Leonardo Rodrigues Magalhães
  0 siblings, 1 reply; 14+ messages in thread
From: Hildebrand, Brian @ 2003-11-26 19:16 UTC (permalink / raw)
  To: Netfilter (E-mail)

We do parallel updates to prevent attacks from sneaking through. Basically you have the real forward chain and you add a rule to it that jumps to a user defined rule FORWARD_0 where the filtering rules are actually located. You then load the new rules into FORWARD_1. Once those rules are loaded you change the jump from FORWARD_0 to FORWARD_1 and then remove FORWARD_0. You make sure the default forward policy is to deny so that those packets for the millisecond or two the firewall is not setup won't get through. It works very well, although I have heard this technique can take a little bit longer with huge rulesets (but nowhere near as long as a straight ruleset install after a flush). 

-----Original Message-----
From: William Stearns [mailto:wstearns@pobox.com]
Sent: Wednesday, November 26, 2003 12:59
To: Alejandro Cabrera Obed
Cc: Netfilter lista (iptables); William Stearns
Subject: Re: Order in ruleset edition

Good afternoon, Alejandro,

On Wed, 26 Nov 2003, Alejandro Cabrera Obed wrote:

> I'm trying to construct my own iptables ruleset; I'm editing a script
> file.
>
> My question is the following:
>
> Is there any order of CHAINS and TABLES that I have to follow in order to
> construct my iptables ruleset? For example, is it the same if I first
> write the FORWARD rules in my script and then the OUTPUT and INPUT rules,
> or vice versa?

        There isn't a difference in the final outcome, no.

        However, unless you're blocking all traffic until the firewall is
completely constructed, the second and third chains you construct will be
left unprotected longer (on the order of 1-5 seconds or so).  It's a minor
consideration, but I've seen an attack that sneaked through a firewall as
it was being reloaded.
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "Don't say you don't have enough time.  You have exactly the
same number of hours per day that were given to Helen Keller, Pasteur,
Michaelangelo, Mother Teresa, Leonardo da Vinci, Thomas Jefferson, and
Albert Einstein."
        -- H. Jackson Brown
(Courtesy of <drow@visi.com>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------




* RE: Order in ruleset edition
@ 2003-11-26 19:34 Hildebrand, Brian
  0 siblings, 0 replies; 14+ messages in thread
From: Hildebrand, Brian @ 2003-11-26 19:34 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães, Netfilter (E-mail)

It is acceptable, but it creates a significant amount of downtime. Uptime is important on our network so this solution minimizes the amount of time the network is unavailable. I have had rulesets in the past that would take 5-10 minutes to upload and install because they were so large. That is a long time for any number of people to lose Internet access.

-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br]
Sent: Wednesday, November 26, 2003 14:27
To: Hildebrand, Brian; Netfilter (E-mail)
Subject: Re: Order in ruleset edition


    To prevent problems during a firewall reload/restart, I usually do:

    1) do 'echo 0 > /proc/sys/net/ipv4/ip_forward' at the very beginning of
the script
    2) define the default actions to drop on the very first rules ( -P
DROP )
    3) insert ALL the rules (can take some seconds)
    4) do 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    5) firewall is READY

    What do you think of this ?

    Sincerely,
    Leonardo Rodrigues



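Leonardo's five-step reload sequence, as quoted above, written out as a shell script. This is an added example, not code from the thread: the rules in load_rules are constructed placeholders for a real ruleset, sysctl(8) is used in place of the echo to /proc (either works), and the IPT and SYSCTL variables exist so the command sequence can be dry-run without root.

```shell
#!/bin/sh
# Full reload in Leonardo's order: stop forwarding, set DROP policies, flush,
# load every rule, then re-enable forwarding.
# Added example; IPT and SYSCTL are overridable so the sequence can be dry-run.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}    # assumption: procps sysctl(8); 'echo N > /proc/sys/net/ipv4/ip_forward' is equivalent

set_forwarding() {          # $1 is 0 or 1
    "$SYSCTL" -q -w "net.ipv4.ip_forward=$1"
}

lock_down() {
    # Policies first: -F leaves the policy untouched, so the chains are never
    # sitting empty at ACCEPT while the rules are being rebuilt.
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" DROP
    done
    "$IPT" -F               # flush every rule in the filter table
    "$IPT" -X               # delete the (now empty) user-defined chains
}

load_rules() {
    # Constructed placeholder ruleset; a real script would carry its own rules here.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
    "$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i eth1 -o eth0 -j ACCEPT
}

reload_firewall() {
    set_forwarding 0        # 1) nothing is routed while the ruleset is in flux
    lock_down               # 2) default to DROP before anything is flushed
    load_rules              # 3) insert ALL the rules
    set_forwarding 1        # 4) routing back on: 5) firewall is READY
}

# Hypothetical usage (needs root): sh reload.sh apply
case "${1:-}" in apply) reload_firewall ;; esac
```

The DROP policies go in before the flush rather than after it, because the policy is the only thing that still protects an empty chain; setting it last would reopen the window this procedure is meant to close. Note what the approach costs: with ip_forward at 0 nothing is routed for the whole of step 3, which is the outage Brian's parallel-load variant is designed to avoid.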
* RE: Order in ruleset edition
@ 2003-11-26 19:36 Daniel Chemko
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Chemko @ 2003-11-26 19:36 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães, Hildebrand, Brian,
	Netfilter (E-mail)

Gold Star!

That's exactly what I do, and since I policy drop FORWARD and INPUT by default, no unauthorized traffic is getting anywhere!

-----Original Message-----
From: Leonardo Rodrigues Magalhães [mailto:leolistas@solutti.com.br] 
Sent: Wednesday, November 26, 2003 12:27 PM
To: Hildebrand, Brian; Netfilter (E-mail)
Subject: Re: Order in ruleset edition


    To prevent problems during a firewall reload/restart, I usually do:

    1) do 'echo 0 > /proc/sys/net/ipv4/ip_forward' at the very beginning of
the script
    2) define the default actions to drop on the very first rules ( -P
DROP )
    3) insert ALL the rules (can take some seconds)
    4) do 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    5) firewall is READY

    What do you think of this ?

    Sincerely,
    Leonardo Rodrigues




* RE: Order in ruleset edition
@ 2003-11-26 19:56 Daniel Chemko
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Chemko @ 2003-11-26 19:56 UTC (permalink / raw)
  To: Hildebrand, Brian, Leonardo Rodrigues Magalhães,
	Netfilter (E-mail)

That may be true, but even if you aren't using the iptables-save techniques to speed up the loading of rules, there are other better ways to improve the loading of rules. My current configuration works as follows when 'reloading':

# Input is small so no optimization
INPUT flush
INPUT load

Block traffic forwarding
FORWARD FLUSH
FORWARD add established,related
FORWARD add links to sub-chains
Un-Block traffic forwarding
# At this point, the forward ruleset has been re-applied, but since there are only few rules in here, there is no loss in packet data
FORWARD_SUB_CHAIN1 FLUSH
FORWARD_SUB_CHAIN1 add rules
FORWARD_SUB_CHAIN2 FLUSH
FORWARD_SUB_CHAIN2 add rules
FORWARD_SUB_CHAIN3 FLUSH
FORWARD_SUB_CHAIN3 add rules

So, the rules that fall into sub-chain 1 will only be blocked to the period it takes to flush and reapply rules to that sub-chain, instead of the time it takes to reapply the entire forwarding ruleset, which for me takes ~30 seconds (my poor slow bash scripts).

With proper breakdown of each major network component away from the FORWARD table, you can efficiently rebuild your ruleset to minimize down-time.



* RE: Order in ruleset edition
@ 2003-11-26 19:59 Daniel Chemko
  0 siblings, 0 replies; 14+ messages in thread
From: Daniel Chemko @ 2003-11-26 19:59 UTC (permalink / raw)
  To: Jeffrey Laramie, Netfilter lista (iptables)


>Aside: Where were all you guys earlier this week when Mark and I were 
>trying to bunt fastballs?

Playing Hockey, OBVIOUSLY!

No, really. My head office is relocating so you can just imagine the
workload we're under.


* RE: Order in ruleset edition
@ 2003-11-26 20:27 Hildebrand, Brian
  0 siblings, 0 replies; 14+ messages in thread
From: Hildebrand, Brian @ 2003-11-26 20:27 UTC (permalink / raw)
  To: Netfilter (E-mail)

This is basically the steps in mine again:

1. First ruleset load ever - create the user defined chain FORWARD_0. Load all the rules there. 
2. Add a rule to chain FORWARD (i.e. iptables -A FORWARD -j FORWARD_0) to make sure that the traffic is traversing the user defined chain with all the filtering rules inside. Default policy on a fresh firewall should always be DENY or the firewall should be uninstalled when the first ruleset is loaded. The firewall now is functional and working. 
3. Load the new ruleset. Create a new user defined chain called FORWARD_1. Load all the new rules here. You now have two copies of your rules loaded on the firewall at the same time. 
4. If the default policy of FORWARD is not DENY, which mine always is anyway, then set the default policy to DENY. 
5. Change the "iptables -A FORWARD -j FORWARD_0" rule to "iptables -A FORWARD -j FORWARD_1". Any traffic received while this change takes place will be dropped. The change is pretty much instantaneous except on extremely large rulesets (and I mean extreme, even on the 5 minute to load ruleset the change was not noticeable). There is supposedly a modification to netfilter that can be made to make the process faster. I'm not sure because I have never needed it. Netfilter does some sanity checks that eat up additional time, and that modification supposedly gets rid of them (I like sanity checks, I expect everyone else is pretty fond of them as well :)).
6. Remove all of the old FORWARD_0 rules (and the user defined sub rules). It is important, in our script at least, that every user defined chain have an extension to the name identifying the ruleset it belongs to (for instance chain ALLOWED_PORTS would need to be ALLOWED_PORTS_0 or ALLOWED_PORTS_1, depending on which ruleset it belongs to). This prevents conflicts and ensures that new ruleset links to the objects meant for the new ruleset and not remnants from the old one. 
7. Finished.

Obviously this is all scripted. I just load a firewall script file to the system, run the script, and wait for the new ruleset to take effect. While the ruleset is loading all the old rules are still enforced, when the ruleset switches a minimal amount of traffic is dropped (never had a user notice a ruleset update), and then the new ruleset is loaded. From a safety / uptime standpoint this is the best way I have seen to do it. The other alternatives render the network useless for an extended period of time, and users notice the outage and get angry. 




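Brian's generation-swap procedure (steps 1 to 7 above) as a shell script. This is an added example, not the script the poster describes: the chain names FORWARD_N and ALLOWED_PORTS_N follow his suffix convention from step 6, the sample rules are constructed, the live generation number is kept in a state file (/var/run/fw-generation, an assumption), and the change of jump in step 5 is done with `iptables -R` on rule 1 of FORWARD, which assumes this script owns that chain and the jump is its only rule.

```shell
#!/bin/sh
# Parallel ruleset load: build generation N+1 beside the live generation N,
# repoint the single jump in FORWARD, then tear the old generation down.
# Added example; IPT is overridable so the command sequence can be dry-run.
IPT=${IPT:-iptables}
STATE=${STATE:-/var/run/fw-generation}   # assumption: where the live generation (0 or 1) is recorded

current_generation() {
    # Prints 0 or 1; nothing at all before the first load.
    cat "$STATE" 2>/dev/null || echo ""
}

load_generation() {
    # Step 1/3: every chain of this generation carries the _$gen suffix, so a new
    # ruleset can only ever jump into its own chains, never a remnant of the old one.
    gen=$1
    "$IPT" -N "FORWARD_$gen"
    "$IPT" -N "ALLOWED_PORTS_$gen"
    # Constructed sample rules standing in for the real ruleset.
    "$IPT" -A "ALLOWED_PORTS_$gen" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A "ALLOWED_PORTS_$gen" -p tcp --dport 443 -j ACCEPT
    "$IPT" -A "FORWARD_$gen" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A "FORWARD_$gen" -i eth1 -o eth0 -j "ALLOWED_PORTS_$gen"
}

switch_to() {
    gen=$1
    "$IPT" -P FORWARD DROP                    # step 4: whatever is not jumped into is dropped
    if [ -z "$(current_generation)" ]; then
        "$IPT" -A FORWARD -j "FORWARD_$gen"      # step 2: first load ever, create the jump
    else
        "$IPT" -R FORWARD 1 -j "FORWARD_$gen"    # step 5: replace the jump in place (rule 1 is ours)
    fi
    echo "$gen" > "$STATE"
}

drop_generation() {
    # Step 6: FORWARD_old is flushed first, since -X refuses a chain that is still referenced.
    gen=$1
    if [ -z "$gen" ]; then return 0; fi
    for chain in FORWARD ALLOWED_PORTS; do
        "$IPT" -F "${chain}_$gen"
        "$IPT" -X "${chain}_$gen"
    done
}

reload_firewall() {
    old=$(current_generation)
    case "$old" in
        0) new=1 ;;
        *) new=0 ;;                           # also the very first load
    esac
    load_generation "$new"                    # old rules stay in force while this runs
    switch_to "$new"
    drop_generation "$old"                    # step 7: finished
}

# Hypothetical usage (needs root): sh swap.sh apply
case "${1:-}" in apply) reload_firewall ;; esac
```

Each iptables invocation commits the whole table in one replace, so `-R` moves the jump from FORWARD_0 to FORWARD_1 without an intermediate state in which FORWARD has no jump at all; the DROP policy set in step 4 is the safety net for anything that is not matched during that moment. The old generation is only removed after the jump has moved, which is what keeps the loading time of a large ruleset from ever becoming downtime.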

Thread overview: 14+ messages
2003-11-26 18:40 Order in ruleset edition Alejandro Cabrera Obed
2003-11-26 18:59 ` William Stearns
2003-11-26 19:24 ` Antony Stone
2003-11-26 19:48 ` Jeffrey Laramie
2003-11-26 20:38   ` Antony Stone
  -- strict thread matches above, loose matches on Subject: below --
2003-11-26 18:53 Hildebrand, Brian
2003-11-26 18:59 Daniel Chemko
2003-11-26 19:16 Hildebrand, Brian
2003-11-26 20:27 ` Leonardo Rodrigues Magalhães
2003-11-26 19:34 Hildebrand, Brian
2003-11-26 19:36 Daniel Chemko
2003-11-26 19:56 Daniel Chemko
2003-11-26 19:59 Daniel Chemko
2003-11-26 20:27 Hildebrand, Brian
