* how to delete *some* netfilter rules?
@ 2002-06-14 16:18 Pavel Mores
2002-07-05 11:49 ` Jan Humme
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Mores @ 2002-06-14 16:18 UTC (permalink / raw)
To: netfilter
Hello,
the problem I'm facing now might well be already solved by someone else
so I thought I'd better ask.
My filter table is filled by several separate independent scripts, each
serving a distinct purpose. Say that I use one script to generate
firewalling rules and another to enter a couple of packet accounting
rules needed by a monitoring subsystem. Now, what if I want to flush
the firewalling rules *without* disturbing the traffic monitoring rules?
It certainly is possible to add to the firewall script a "delete_rules"
function that would basically mimic my "insert_rules" function, only
with -D instead of -A or -I. But this tends to be ugly and avoiding the
need to edit 2 places for every single change is not easy in bash (can't
use perl there).
I thought about placing rules with different purpose into different user
chains, like, having a "FIREWALL-INPUT", "FIREWALL-FORWARD",
"TRAFFIC-MONITOR" etc. chains that would be called from the predefined
chains. Resetting a subsystem would mean just flushing one or two
user-defined chains. Well, this *is* simple but it assumes that rules
entered by different subsystems can't be traversed in arbitrary order -
which might turn out a severe limitation.
Basically, what I'm looking for is a way to mark rules with "owner" or
"user" id and then just say "delete any rule where the owner is
firewall". Does anyone know a simple and robust way to handle this?
Thanks in advance.
pvl
P.S. Please Cc: your replies to me since I'm not subscribed to this
list.
* Re: how to delete *some* netfilter rules?
2002-06-14 16:18 how to delete *some* netfilter rules? Pavel Mores
@ 2002-07-05 11:49 ` Jan Humme
2002-07-05 13:57 ` Martin Tomasek
0 siblings, 1 reply; 3+ messages in thread
From: Jan Humme @ 2002-07-05 11:49 UTC (permalink / raw)
To: Pavel Mores, netfilter
On Friday 14 June 2002 18:18, Pavel Mores wrote:
> Hello,
>
> the problem I'm facing now might well be already solved by someone else
> so I thought I'd better ask.
>
> My filter table is filled by several separate independent scripts, each
> serving a distinct purpose. Say that I use one script to generate
> firewalling rules and another to enter a couple of packet accounting
> rules needed by a monitoring subsystem. Now, what if I want to flush
> the firewalling rules *without* disturbing the traffic monitoring rules?
>
> It certainly is possible to add to the firewall script a "delete_rules"
> function that would basically mimic my "insert_rules" function, only
> with -D instead of -A or -I. But this tends to be ugly and avoiding the
> need to edit 2 places for every single change is not easy in bash (can't
> use perl there).
Your bash script could look like this:
#!/bin/bash
ADD=-A
INS=-I
if [ -n "$1" ]; then
    if [ "$1" != "delete" ]; then
        echo "usage: $0 [delete]"
        exit 1
    fi
    # same rule lines, but -D removes each rule instead of adding it
    ADD=-D
    INS=-D
fi
#examples:
iptables $ADD INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables $INS OUTPUT -o eth0 -s 192.168.0.0/16 -j DROP
# etc etc etc
Now:
1) If you run your script w/o any parameter, it works like today.
2) If you provide the text "delete" as the second parameter, it deletes all
the rules.
3) In all other cases, it prints an error message.
> P.S. Please Cc: your replies to me since I'm not subscribed to this
> list.
Please do.
Jan Humme.
* Re: how to delete *some* netfilter rules?
2002-07-05 11:49 ` Jan Humme
@ 2002-07-05 13:57 ` Martin Tomasek
0 siblings, 0 replies; 3+ messages in thread
From: Martin Tomasek @ 2002-07-05 13:57 UTC (permalink / raw)
To: Pavel Mores, netfilter
Using iptables without the full path is insecure; I would modify this script
this way:
> Your bash script could look like this:
>
> #!/bin/bash
+IPT=/usr/sbin/iptables
>
-> ADD=-A
+ADD="$IPT -A"
-> INS=-I
+INS="$IPT -I"
>
> if [ -n "$1" ]; then
> if [ "$1" != "delete" ]; then
> echo usage: $0 [delete]
> exit 1
> fi
these two too:
> ADD=-D
> INS=-D
> fi
>
> #examples:
-> iptables $ADD INPUT -i eth0 10.0.0.0/8 -j DROP
+$ADD INPUT -i eth0 10.0.0.0/8 -j DROP
-> iptables $INS OUTPUT -i eth0 192.168.0.0/16 -j DROP
+$INS OUTPUT -i eth0 192.168.0.0/16 -j DROP
>
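Review bot: the delete branch still has the bare ADD=-D / INS=-D assignments, so once "iptables" is dropped from the rule lines, running the script with "delete" expands $ADD INPUT ... to -D INPUT ... and the shell fails with "-D: command not found"; the two lines under "these two too:" need the same prefix, i.e. ADD="$IPT -D" and INS="$IPT -D". Both example rules also lack -s before the network ($ADD INPUT -i eth0 -s 10.0.0.0/8 -j DROP), and -i is not accepted in the OUTPUT chain, where -o eth0 is meant. Quoting the usage string, echo "usage: $0 [delete]", keeps the shell from expanding [delete] as a glob when a matching file exists in the working directory.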
There is another way of deleting rules:
iptables -D chain num
where num is the rule's number within the chain. In some cases it is better to
use this command.
--
Martin Tomasek, mtd@email.cz
BOFH excuse #27:
radiosity depletion
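One way to get what the original question asks for, rules tagged with an owner and deleted by owner rather than by chain or rule number, combining Jan's add/delete script with Martin's full-path advice. This is an added example, not code from the thread; it assumes the iptables comment match (-m comment) is available and that iptables -S prints the comment in double quotes, and the script name and the sample rule listing are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): each subsystem tags the rules it
# installs with an "owner=<name>" comment; removing that subsystem's rules then
# means turning its "-A" lines from "iptables -S" into "-D" commands.
# Assumes the comment match (-m comment) is available and that iptables prints
# the comment in double quotes, as iptables-save does for values containing "=".
IPT=${IPT:-/usr/sbin/iptables}   # full path, as Martin suggests; IPT=echo dry-runs

# add_rule OWNER CHAIN rule-spec...   e.g. add_rule firewall INPUT -s 10.0.0.0/8 -j DROP
add_rule() {
    owner=$1; chain=$2; shift 2
    "$IPT" -A "$chain" "$@" -m comment --comment "owner=$owner"
}

# Read "iptables -S" output on stdin and print a "-D ..." spec for every rule
# whose comment is exactly owner=$1; -P/-N lines and other owners' rules are skipped.
owned_delete_specs() {
    grep '^-A ' | grep -F -- "--comment \"owner=$1\"" | sed 's/^-A /-D /'
    return 0   # no matching rule is not an error
}

# Run each "-D ..." spec from stdin through $IPT. The spec is eval'd so the quoted
# comment becomes one argument, so first refuse anything outside the character
# set a rule spec can contain (no ; $ ` \ etc.) and stop at the first bad line.
run_delete_specs() {
    while IFS= read -r spec; do
        printf '%s\n' "$spec" | grep -q '^[-A-Za-z0-9_./:=,+!" ]*$' ||
            { echo "refusing unexpected rule spec: $spec" >&2; return 1; }
        eval "\"\$IPT\" $spec"
    done
}

# delete_owned OWNER: remove OWNER's rules from the filter table and nothing else.
delete_owned() {
    "$IPT" -S | owned_delete_specs "$1" | run_delete_specs
}

# Constructed sample of "iptables -S" output (not captured from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -m comment --comment "owner=firewall" -j DROP
-A INPUT -i eth0 -m comment --comment "owner=monitor"
-A OUTPUT -s 192.168.0.0/16 -o eth0 -m comment --comment "owner=firewall" -j DROP'
# ./owned-rules.sh delete firewall   (as root; IPT=echo prefix only prints the commands)
# ./owned-rules.sh sample firewall   (shows the filtering on the constructed listing)
case ${1:-} in
    delete) delete_owned "${2:?owner name required}" ;;
    sample) printf '%s\n' "$SAMPLE_RULES" | owned_delete_specs "${2:-firewall}" ;;
esac
```

Rules from different owners can be interleaved in one chain, which the per-owner user-chain layout from the question could not express.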