* Fw: iptables-save/restore question
@ 2002-09-17 10:09 Bo Jacobsen
From: Bo Jacobsen @ 2002-09-17 10:09 UTC (permalink / raw)
To: netfilter
Hi, I have tried the following:
I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
Then I run iptables-restore testfile1 and then run iptables-save again:
iptables -L -n > testfile2
When I run diff on the two files (testfile1, testfile2) I can see that they are NOT the same.
The following is an example of what diff finds different:
104,105c104,105
< ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 state NEW,ESTABLISHED tcp spts:1024:65535 dpt:53
< ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 state ESTABLISHED tcp spt:53 dpts:1024:65535
---
> ACCEPT tcp -- 192.168.7.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
> ACCEPT tcp -- 0.0.0.0/0 192.168.7.0/24 tcp spt:53 dpts:1024:65535 state ESTABLISHED
The first two lines are after running the iptables commands directly.
The results of the two command semantics are of course the same, but why is this happening?
The reason we want to make this test is that we need to be sure that the rules generated directly by
the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
One thing is to test that the iptables commands work, another is to blindly trust that our 300 iptables rules
are correctly saved and restored by iptables-save/restore (a firewall with 4 different local LANs).
If there is another way of confirming iptables-save/restore results, I would appreciate some info.
Thanks in advance
Bo Jacobsen
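The diff quoted above differs only in the order in which the match clauses ("state ..." and "tcp ...") are printed, so a plain textual diff of two "iptables -L -n" listings reports a difference where the rule sets are identical. The following Python normalizer is an added example, not code from the thread or from the netfilter project: it parses listings in the column layout shown above, sorts the match clauses of each rule into a canonical order, and then compares the two listings chain by chain while preserving rule order (which is part of the semantics). The sample listings are constructed here and modelled on the two rules quoted in the message; the rule that a new match clause begins at a lowercase word such as "state" or "tcp" is an assumption about the print format that covers the state and port matches shown, not every possible match extension.

```python
import re
from typing import Dict, List, Tuple

# Assumption about the "iptables -L -n" print format: a new match clause
# starts at a lowercase keyword such as "state", "tcp", "udp" or "multiport".
# Values such as "NEW,ESTABLISHED", "dpt:53" or "spts:1024:65535" never match
# this pattern, so they attach to the clause that precedes them. Free-text
# comments (/* ... */) are not handled by this heuristic.
CLAUSE_START = re.compile(r"^[a-z][a-z0-9-]*$")

# (target, prot, opt, source, destination, sorted match clauses)
Rule = Tuple[str, str, str, str, str, Tuple[str, ...]]


def split_clauses(tokens: List[str]) -> Tuple[str, ...]:
    """Group the trailing tokens of a rule line into match clauses and sort them,
    so that "state X tcp Y" and "tcp Y state X" compare equal."""
    clauses: List[List[str]] = []
    for tok in tokens:
        if CLAUSE_START.match(tok) or not clauses:
            clauses.append([tok])
        else:
            clauses[-1].append(tok)
    return tuple(sorted(" ".join(c) for c in clauses))


def normalize_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse "iptables -L -n" output into {chain: [rule, ...]}, keeping rule order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]          # "Chain FORWARD (policy DROP)"
            chains[current] = []
            continue
        if line.startswith("target "):
            continue                           # column header line
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"unexpected rule line: {line!r}")
        target, prot, opt, src, dst = parts[:5]
        chains[current].append((target, prot, opt, src, dst, split_clauses(parts[5:])))
    return chains


def compare_listings(before: str, after: str) -> List[str]:
    """Return a list of human-readable differences; empty means the listings
    describe the same rules in the same order, ignoring clause print order."""
    a, b = normalize_listing(before), normalize_listing(after)
    diffs: List[str] = []
    for chain in sorted(set(a) | set(b)):
        if chain not in a or chain not in b:
            diffs.append(f"chain {chain} is present on only one side")
            continue
        ra, rb = a[chain], b[chain]
        for i in range(max(len(ra), len(rb))):
            x = ra[i] if i < len(ra) else None
            y = rb[i] if i < len(rb) else None
            if x != y:
                diffs.append(f"{chain} rule {i + 1}: {x} != {y}")
    return diffs


# Constructed sample listings modelled on the diff quoted in the thread: the
# rules are identical, only the order of the printed match clauses differs.
DIRECT = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.7.0/24       0.0.0.0/0            state NEW,ESTABLISHED tcp spts:1024:65535 dpt:53
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.0/24       state ESTABLISHED tcp spt:53 dpts:1024:65535
"""

RESTORED = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.7.0/24       0.0.0.0/0            tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.0/24       tcp spt:53 dpts:1024:65535 state ESTABLISHED
"""

# Constructed listing where a restore really did change a rule (port 53 -> 5353),
# which the normalized comparison must still report.
BROKEN = RESTORED.replace("dpt:53 ", "dpt:5353 ")


if __name__ == "__main__":
    print("direct vs restored:", compare_listings(DIRECT, RESTORED) or "no differences")
    print("direct vs broken:  ", compare_listings(DIRECT, BROKEN))
```

In practice the two inputs would be the saved listing files (testfile1 and testfile2 in the message) read from disk. Comparing per chain and by position keeps the check sensitive to reordered or dropped rules, which a sorted-set comparison would miss.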
* Re: Fw: iptables-save/restore question
From: Anders Fugmann @ 2002-09-17 12:45 UTC (permalink / raw)
To: Bo Jacobsen; +Cc: netfilter
Bo Jacobsen wrote:
> I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
> Then I run iptables-restore testfile1 and then run iptables-save again:
> iptables -L -n > testfile2
Why don't you use 'iptables-save' to save the rules?
> The reason we want to make this test is that we need to be sure that the rules generated directly by
> the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
Do you distrust the iptables-restore command? If you do, then insert
each rule by hand (or through a script). You cannot validate rules
the way you described above, even if the saved files were equal.
Example: Assume a bug is present that results in iptables -L -n listing all
IP addresses as 0.0.0.0/0. When you use iptables-restore, the rules
then have 0.0.0.0/0 instead of the original IP numbers. Even if
iptables-save/iptables-restore produce the same results, you have not
proven that iptables-save works, because the original rules did have
other IP addresses than 0.0.0.0/0.
>
> One thing is to test that the iptable commands works, another is to blindly trust that our 300 iptable rules
> are correctly saved and restored by iptables-save/restore (a firewall with 4 different local lans).
What are you afraid of? iptables-restore not being able to process 300 lines?
Do you trust it to read even 1 rule?
If you cannot trust iptables-restore then do not use it. If you trust
it, then trust it enough to assume that iptables-restore would yield an
exit value <>0 if any error occurred while setting the rules.
Regards
Anders Fugmann
--
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.
* Re: Fw: iptables-save/restore question
From: Axel Heinrici @ 2002-09-17 13:39 UTC (permalink / raw)
To: netfilter
Hi
On Tuesday 17 September 2002 12:09, Bo Jacobsen wrote:
> Hi, I have tried the following:
>
> I run some iptables commands then run iptables -L -n > testfile1
> to save the setup. Then I run iptables-restore testfile1 and then
> run iptables-save again: iptables -L -n > testfile2
>
> When I run diff on the two files (testfile1, testfile2) I can see
> that they are NOT the same. In the following is an example of
> what diff finds different:
> .......
>
> The reason we want to make this test is that we need to be sure
> that the rules generated directly by the iptables commands, are
> EXACTLY the same as what the iptables-save/restore command pair
> does.
>
> One thing is to test that the iptables commands work, another is
> to blindly trust that our 300 iptables rules are correctly saved
> and restored by iptables-save/restore (a firewall with 4
> different local LANs). If there is another way of confirming
> iptables-save/restore results, I would appreciate some info.
>
This means that you want to prove iptables-save/restore by using
iptables. IMHO from this test you only prove something like
"self-consistency" of iptables. You should run nmap or even more
sophisticated tests to prove if everything is working the way you
want.
If you want to assure someone else by this show then try
iptables-restore testfile2. And afterwards use iptables -L -n
>testfile3. Then run diff on testfile2 vs. testfile3 and see if
this result is more convincing :-)
greetings
Axel
* Re: Fw: iptables-save/restore question
From: Bo Jacobsen @ 2002-09-18 13:12 UTC (permalink / raw)
To: netfilter
> Bo Jacobsen wrote:
> > I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
> > Then I run iptables-restore testfile1 and then run iptables-save again:
> > iptables -L -n > testfile2
> Why don't you use 'iptables-save' to save the rules?
I do, but by this procedure I try to verify that running save and restore will do nothing to the rules and will produce the
same result as if running iptables commands directly from our scripts.
This of course assumes that iptables -L -n is working.
My point is that IF there is a bug in either iptables-save or restore (with my rules) the diff command will show it.
>
> > The reason we want to make this test is that we need to be sure that the rules generated directly by
> > the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
> Do you distrust the iptables-restore command? If you do, then insert
> each rule by hand (or through a script.). You cannot validate rules,
> the way you described above, even if the saved files were equal.
>
> Example: Assume a bug is present that results in iptables -L -n listing all
> IP addresses as 0.0.0.0/0. When you use iptables-restore, the rules
> then have 0.0.0.0/0 instead of the original IP numbers. Even if
> iptables-save/iptables-restore produce the same results, you have not
> proven that iptables-save works, because the original rules did have
> other IP addresses than 0.0.0.0/0.
That is "perfectly OK", because as long as the iptables-save/restore works, the rules are set as expected (I just
don't know it, as the diff shows no errors).
Of course if both iptables -L -n lists AND iptables-save/restore are not working, THEN it's no good, and we are all screwed, but I
trust the netfilter programmers enough to bet that the chances of that happening are very slim.
>
> >
> > One thing is to test that the iptable commands works, another is to blindly trust that our 300 iptable rules
> > are correctly saved and restored by iptables-save/restore (a firewall with 4 different local lans).
> What are you afraid of? iptables-restore not being able to process 300 lines?
> Do you trust it to read even 1 rule?
No comments.
>
> If you cannot trust iptables-restore then do not use it. If you trust
> it, then trust it enough to assume that iptables-restore would yield an
> exit value <>0 if any error occurred while setting the rules.
> Regards
> Anders Fugmann
>
>
> --
> Neo: 'Can you fly that thing?'
> Trinity: 'Not yet'.
> $ apt-get install pilot-prg-v212helicopter.