* iptables doubt
@ 2006-04-12 13:54 varun
[not found] ` <443E21C1.9090508@info.ucl.ac.be>
0 siblings, 1 reply; 12+ messages in thread
From: varun @ 2006-04-12 13:54 UTC (permalink / raw)
To: netfilter-devel
Hi all,

I am new to netfilter and I am trying to play around to understand a few things. By default, when no policies are specified, it allows all traffic to go out to and in from the network. I want to change this default to deny. That is, when there is no policy, everything should be denied by default.

So in order to achieve that I tried to change the code a little. In the file iptable_filter.c there is a variable called

    static int forward = NF_ACCEPT

I changed this to NF_DROP, and when I compiled and used it, sure enough I was not able to send or receive any packets. But even after I give a policy like

    iptables -t filter -A INPUT -j ACCEPT

nothing changes. So to achieve what I want, what should I do, and where do I change?

Another thing: normally when I put a policy like

    iptables -t filter -A OUTPUT -j REJECT

even my own IP doesn't ping. Why should this happen? Isn't it OK to ping the local IP and the loopback IP? If I want an implementation where I am able to ping self and local but not any other IP, is it possible?

I don't want to add policies; rather, is it possible just by changing the iptables kernel code?

Please help me on this.

Varun
* Re: iptables doubt
From: Sebastien Tandel @ 2006-04-13 12:24 UTC (permalink / raw)
To: varun, netfilter-devel

varun wrote:
> Hi Sebastien,
>
> Thanks for the reply. Actually I did figure out some things. It seems to
> work fine but I am not sure if it may lead to any problem. This is what I
> have done. Instead of adding static routes, what I have done is added this
> small code in the function ipt_do_table:
>
>     if (in == NULL)
>         goto jump;
>     if (memcmp(in->name, "lo", 2) == 0)
>     {
>         verdict = NF_ACCEPT;
>         return verdict;
>     }
>
> jump:
>     /* We handle fragments by dealing with the first fragment as
>      * if it was a normal packet. All other fragments are treated
>      * normally, except that they will NEVER match rules that ask
>      * things we don't know, ie. tcp syn flag or ports). If the
>      * rule is also a fragment-specific rule, non-fragments won't
>      * match it. */
>     offset = ntohs(ip->frag_off) & IP_OFFSET;

It seems "good" modulo these changes to be more concise ...

    if (in != NULL && memcmp(in->name, "lo", 2) == 0)
        return NF_ACCEPT;
    /* We handle fragments by dealing with the first fragment as
     * if it was a normal packet. All other fragments are treated
     * normally, except that they will NEVER match rules that ask
     * things we don't know, ie. tcp syn flag or ports). If the
     * rule is also a fragment-specific rule, non-fragments won't
     * match it. */
    offset = ntohs(ip->frag_off) & IP_OFFSET;

Note that you have done a shortcut that does not test the outgoing interface. It means that you can receive packets from another interface and going to the loopback address ...

> With this, every time a packet comes with IN dev as lo I would simply
> accept. It seems OK and works well, but is there any problem with it if I
> do so?

IMHO, there is no problem doing it this way except that:
 1) you have hardcoded the "rule" (half-hardcoded, see remark here above)
 2) there is no more option to change the behavior of the "rule" you just
    added (i.e. we can't reject a packet going through the loopback
    interface anymore)

> Varun
* Re: iptables doubt
From: varun @ 2006-04-13 13:01 UTC (permalink / raw)
To: Sebastien Tandel; +Cc: netfilter-devel

Hi Sebastien,

Thanks again. Yeah, I cannot set a rule for lo. Though it is not necessary in my case, I would like to have that option. So is a static rule the only way?

Another thing is that I want to implement rule priority. That is, after the rules are set, when a packet arrives it needs to search the rule chain. I want that to be searched with respect to priority, so the user can even change the priority of an already set rule as he likes. Is it already implemented in iptables, or does it need to be implemented?

I also want to maintain a unique rule ID. That is, say I declare unsigned int i; so for any rule, be it nat or anything, this is a global rule ID that is assigned to any policy added. By this, say a user added a rule whose ID I give as 15, and then he deletes it; then after adding another policy he will get policy ID 16 and not 15. Rule no. 15 will be given only after the full size of unsigned int is completed, I mean one full circle (i = 0 to i = 4294967295). So to do it, how should I go about it? Any suggestions?

Varun
* Re: iptables doubt
From: Sebastien Tandel @ 2006-04-13 13:16 UTC (permalink / raw)
To: varun, netfilter-devel

varun wrote:
> Hi Sebastien,
>
> Thanks again. Yeah, I cannot set a rule for lo. Though it is not
> necessary in my case, I would like to have that option. So is a static
> rule the only way?

I think so ...

Why do you want to code it directly in netfilter instead of using the init.d scripts?

> Another thing is that I want to implement rule priority. That is, after
> the rules are set, when a packet arrives it needs to search the rule
> chain. I want that to be searched with respect to priority, so the user
> can even change the priority of an already set rule as he likes. Is it
> already implemented in iptables, or does it need to be implemented?
>
> I also want to maintain a unique rule ID. That is, say I declare
> unsigned int i; so for any rule, be it nat or anything, this is a global
> rule ID that is assigned to any policy added. By this, say a user added
> a rule whose ID I give as 15, and then he deletes it; then after adding
> another policy he will get policy ID 16 and not 15. Rule no. 15 will be
> given only after the full size of unsigned int is completed, I mean one
> full circle (i = 0 to i = 4294967295). So to do it, how should I go
> about it? Any suggestions?
>
> Varun

It is clearly not implemented and I haven't any clue for you on this matter but ... What will be the benefit of it?
* Re: iptables doubt
From: varun @ 2006-04-13 13:53 UTC (permalink / raw)
To: Sebastien Tandel; +Cc: netfilter-devel

Hi Sebastien,

Well, I do not want to use policy from user space, because the very need for me to do this activity is to play around and get to understand netfilter/iptables.

The feature I want to implement, like that priority for policy, is this: imagine a scenario where a user added some policies and then for some reason wants one policy to be checked before checking the others; then he would have to add the policy again and delete the old policy, isn't it?

By the way, thanks for the help, man, and can you suggest me some good mailing list which deals with iptables development where newbies like me could get some help? This mailing list does not seem to help newbies much.

Varun
* Re: iptables doubt
From: Sebastien Tandel @ 2006-04-13 14:16 UTC (permalink / raw)
To: varun, netfilter-devel

Hi,

varun wrote:
> Hi Sebastien,
>
> Well, I do not want to use policy from user space, because the very need
> for me to do this activity is to play around and get to understand
> netfilter/iptables.

OK ... that's the point :)

> The feature I want to implement, like that priority for policy, is this:
> imagine a scenario where a user added some policies and then for some
> reason wants one policy to be checked before checking the others; then
> he would have to add the policy again and delete the old policy, isn't
> it?

Yes, it is correct ... even if this may seem curious, I think it is not worth adding such a mechanism to netfilter. IMHO, a switch option '-M' (MOVE) would be sufficient, but not with all these unique IDs ... I fear that with time this number list would be completely fragmented and human-unreadable.

I don't know whether it has already been discussed on this mailing list. IMHO, it is not a strong requirement for iptables/netfilter, and this situation may be handled in a semi-automatic way with a user script (with the danger, however, of having a race condition with another user script changing netfilter too).

Of course, if it is another exercise to play with netfilter, do it and have fun ;)

> By the way, thanks for the help, man, and can you suggest me some good
> mailing list which deals with iptables development where newbies like
> me could get some help? This mailing list does not seem to help newbies
> much.

Unfortunately, I don't know any other mailing list devoted to netfilter. :-/

sta
* Re: iptables doubt
From: varun @ 2006-04-14 3:42 UTC (permalink / raw)
To: Sebastien Tandel; +Cc: netfilter-devel

Hi,

By the way, can you tell me which is the structure that holds the rule, i.e. when I give

    iptables -t filter -A FORWARD -j REJECT

which struct in the kernel holds the rule, and which is the function that adds the rule from user space to the list in the kernel? I assume that we are maintaining a stack implementation for holding rules on one table, am I right?

Varun
* Re: iptables doubt
From: Sven-Haegar Koch @ 2006-04-13 16:04 UTC (permalink / raw)
To: varun; +Cc: netfilter-devel

On Thu, 13 Apr 2006, varun wrote:
> The feature I want to implement, like that priority for policy, is this:
> imagine a scenario where a user added some policies and then for some
> reason wants one policy to be checked before checking the others; then
> he would have to add the policy again and delete the old policy, isn't
> it?

Every iptables rule change is loading the whole ruleset into userspace, modifying it, and copying the result back into kernelspace.

So you should be able to fetch the rules (f.e. with iptables-save), modify them as you like, and push them back (iptables-restore).

c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
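The save/modify/restore cycle Sven describes, carried out on the text that iptables-save produces. This is an added example, not code from the thread or from the iptables project. It assumes iptables-save output without the -c counter prefixes and a POSIX awk; the sample ruleset at the bottom is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Reorders one rule inside a chain
# by editing iptables-save text; loading the result with iptables-restore
# replaces the whole table in one operation instead of rule by rule.

# move_rule CHAIN FROM TO < saved-ruleset > new-ruleset
# Positions are 1-based, as shown by "iptables -L CHAIN --line-numbers".
# Everything that is not an "-A CHAIN" rule (table header, policy lines,
# other chains, COMMIT) passes through unchanged. Expects iptables-save
# output without -c, whose lines would start with "[pkts:bytes]".
move_rule() {
    awk -v chain="$1" -v from="$2" -v to="$3" '
        # Buffer the rules of the target chain in their current order.
        $1 == "-A" && $2 == chain { rules[++n] = $0; next }
        # The table ends at COMMIT: emit the buffered rules in the new order.
        $1 == "COMMIT" && n > 0 {
            if (from < 1 || from > n || to < 1 || to > n) {
                print "move_rule: position out of range (chain has " n " rules)" > "/dev/stderr"
                exit 2
            }
            moved = rules[from]
            # Shift the rules between the two positions by one slot.
            if (from < to) {
                for (i = from; i < to; i++) rules[i] = rules[i + 1]
            } else {
                for (i = from; i > to; i--) rules[i] = rules[i - 1]
            }
            rules[to] = moved
            for (i = 1; i <= n; i++) print rules[i]
            n = 0
        }
        { print }
    '
}

# nth_rule CHAIN N < ruleset: print the Nth rule of CHAIN (used for checks).
nth_rule() {
    grep "^-A $1 " | sed -n "${2}p"
}

# Constructed sample of iptables-save output (not captured from a real host).
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# On a real host the same edit is applied (as root) with:
#   iptables-save | move_rule INPUT 3 1 | iptables-restore
# Here only the text transformation runs, moving the port-80 rule to the top:
printf '%s\n' "$SAMPLE_SAVE" | move_rule INPUT 3 1
```

iptables-restore hands the kernel one replacement table, so from the kernel's point of view this is no less atomic than a single iptables -I; what it does not guard against is another script running its own save/restore in between, which is the race Sebastien mentions. Use iptables-save -c and iptables-restore -c if packet counters must survive the edit, and adjust the awk field test accordingly.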
* Re: iptables doubt
From: varun @ 2006-04-14 3:33 UTC (permalink / raw)
To: Sven-Haegar Koch; +Cc: netfilter-devel

Yeah, it is true, but this can be done only after a save, not dynamically? Is there a way to do it dynamically?

Varun

Sven-Haegar Koch wrote:
> Every iptables rule change is loading the whole ruleset into userspace,
> modifying it, and copying the result back into kernelspace.
>
> So you should be able to fetch the rules (f.e. with iptables-save),
> modify them as you like, and push them back (iptables-restore).
>
> c'ya
> sven
* Re: iptables doubt
@ 2006-04-13 10:14 Sebastien Tandel
0 siblings, 0 replies; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 10:14 UTC (permalink / raw)
To: netfilter-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
varun wrote:
> Hi all,
>
> I am new to netfilters and I am trying to play around to
> understand a few things. By default when no policies are specified then
> it allows all traffic to go out and in to the n/w. I want to change this
> to default as deny.
> That is when there is no policy all should be default deny.
>
> So in order to achieve that I tried to change the code a little.
> In the file iptable_filter.c there is a variable called
> static int forward = NF_ACCEPT
> I changed this to NF_DROP and when I compiled and used it
> sure I was not able to send any or recv any packets
I think you made the right change in your code in order to have a DROP
policy by default in your netfilter. The problem is just after ...
> but even after I give a policy like iptables -t filter -A
> INPUT -j ACCEPT
> Nothing changes. So to achieve what I want what should I do?
> And where do I change?
It is quite normal as you told netfilter to accept incoming packets but
you did not configure netfilter to accept *outgoing* packets ...
iptables -t filter -A OUTPUT -j ACCEPT
>
> Another thing is that normally when I put a policy like
> iptables -t filter -A OUTPUT -j REJECT
> Even my own self IP doesn't ping? Why should this happen?
> Isn't it ok to ping local ip and loopback ip?
> If I want such implementation where I should be able to
> ping to self and local but not any other ip?
> Is it possible?
lo is the interface allotted to your local interface (i.e. your host)!
You must therefore create two rules in order to let netfilter accept
outgoing and incoming packets from and arriving to your local interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
> I don't want to add policies rather is it possible just by
> changing the iptables kernel code?
You have to initialize netfilter by adding two static rules implementing
the ones described here above.
sta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEPiSEw76McB8jGxkRAhzNAJoCC6FwR6PvmEJG8IzNXeod29u8jQCdFPY7
N9fguzx+i6R9s+sCpz+AHfc=
=120L
-----END PGP SIGNATURE-----
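The save/edit/restore cycle Sven describes, and the default-deny ruleset with loopback accepted that Sebastien describes, as one added example. This is not code from the thread or from the iptables project: the iptables-save dump is constructed for the demonstration, and promote_rule is my own helper that moves a chosen rule to the head of its chain purely by editing the dump text. No iptables command is invoked, so it runs anywhere; on a real host the output is what you would hand to iptables-restore. Keep in mind that restore replaces the whole table, so a rule that another process inserted between the save and the restore is silently dropped, which is the robustness problem raised further down the thread.

```shell
# Constructed iptables-save dump: default DROP on every chain of the filter
# table, with the two loopback rules from the thread and two service rules.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# promote_rule CHAIN PATTERN
# Reads an iptables-save dump on stdin and prints it with the first
# "-A CHAIN ..." rule whose text contains PATTERN moved to the head of
# CHAIN. Every other line (policies, other chains, COMMIT) keeps its place.
# If no rule matches, or the match is already first, the dump is unchanged.
promote_rule() {
    awk -v chain="$1" -v pat="$2" '
        {
            lines[NR] = $0
            if ($1 == "-A" && $2 == chain) {
                if (first == 0) first = NR            # head of this chain
                if (found == 0 && index($0, pat) > 0) found = NR
            }
        }
        END {
            for (i = 1; i <= NR; i++) {
                if (found == 0 || found == first) { print lines[i]; continue }
                if (i == found) continue              # moved up, skip here
                if (i == first) print lines[found]    # emit it at the head
                print lines[i]
            }
        }'
}

# Demo: make the port-80 rule the first INPUT rule, then feed the result
# to iptables-restore on a real host (not done here).
printf '%s\n' "$SAMPLE_RULES" | promote_rule INPUT '--dport 80'
```

The rule is matched by substring rather than by full text so that a practitioner can pick it by the part that matters (a port, an interface, a comment) without reproducing the whole line the way iptables-save prints it.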
* Re: iptables doubt
@ 2006-04-13 16:57 Sebastien Tandel
0 siblings, 0 replies; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 16:57 UTC (permalink / raw)
To: netfilter-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sven-Haegar Koch wrote:
> On Thu, 13 Apr 2006, varun wrote:
>
>> The features i want to implement like that
>> priority for policy is that imagine a scenario where user added some
>> policies and then for some reason wants one policy to be checked
>> before checking others then he would have to add the policy again and
>> delete the old policy isint it?
>
>
> Every iptables rule change is loading the whole ruleset into userspace,
> modifying it, and copying the result back into kernelspace.
>
> So you should be able to fetch the rules (f.e. with iptables-save),
> modify them as you like, and push them back (iptables-restore).
>
> c'ya
> sven
>
which is not robust when competing with another user script doing some
change to netfilter ... i.e. there is no function doing an atomic move.
sta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEPoLww76McB8jGxkRAs7AAJ9ICzjiB1J/V82UIOsqyKT9AyeGMQCgjiMd
Maq9ku/nKaaXv81wdGd+zU8=
=2j+D
-----END PGP SIGNATURE-----
* iptables doubt
@ 2006-04-26 7:09 varun
0 siblings, 0 replies; 12+ messages in thread
From: varun @ 2006-04-26 7:09 UTC (permalink / raw)
To: netdev
Hi all,
I've been trying to understand iptables kernel code and
basically how it functions. In doing so I have a few questions.
In the file ip_tables.c there is a call do_replace() which
is used as the start point entry from sockopt.
That is, this gets called every time a user enters
policies from user. Here that data is given to me in the form of
void __user *user.
This I am copying to kernel space and dereferencing into
ipt_replace and so on. Am I right?
The first question is user seems to send a size as 860
when trying to add the first policy. Does that mean that user is
maintaining the offset of the policies added?
tmp.size shows as 768 which is (4 default policies x
sizeof(struct ipt_standard)) + sizeof(struct ipt_error)
Am I correct in understanding? If so why should user
space kernel policy offset?
Next thing is I added one extra field (int
num) in the struct ipt_entry_target. This is added after the unsigned
char data[0] field.
struct ipt_entry_target
{
union {
struct {
u_int16_t target_size;
/* Used by userspace */
char name[IPT_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
} user;
struct {
u_int16_t target_size;
/* Used inside the kernel */
struct ipt_target *target;
} kernel;
/* Total length */
u_int16_t target_size;
} u;
unsigned char data[0];
unsigned int uniqueId; /*I added this*/
};
I am using this field to give a global id from my kernel for every
policy added excluding the default ones added by kernel. So if someone
calls for iptables -F or iptables -t filter -D .... then this number
should not be assigned to the structure.
I want to know where is the correct place to add this value to
structure without affecting the functionality.
I am also aware that making this change in structure will result in
segmentation fault in userspace. I'll handle it separately.
Can this be done? Please help me in this regard.
How can I know from the kernel structures if the policy is for -A or -D
or -F ?
Varun
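The struct change in the post places a kernel-only field after the zero-length data[0] member, and the layout consequence is worth seeing in code. The following is an added example, not code from the thread or from the netfilter source: modified_entry_target is a simplified model of the struct as posted (same member order and name lengths, with struct ipt_target left opaque), modified_standard_target models how userspace lays a verdict out right after the target header, and rule_id_table is my own sketch of the alternative, a kernel-side table keyed by the entry's byte offset in the table blob rather than a new member in the shared struct. The two offsetof checks show why the modification breaks the ABI even when both sides are rebuilt: the kernel reads the target payload at data, and that is exactly where uniqueId now sits, so the id and the first payload bytes (the standard target's verdict) occupy the same storage. Because do_replace() rebuilds the whole table on every change, a side table like this has to be refilled at that point too; the is_builtin flag stands in for whatever test identifies the kernel-appended policy and error entries, which the post wants left unnumbered. (If I have the 2.6-era layout right, the 860-byte sockopt payload the post mentions is the 768 bytes of entries preceded by a 92-byte struct ipt_replace header on a 32-bit build.)

```c
/* Added example, not code from the thread or the kernel. Simplified model
 * of the struct from the post plus an ABI-preserving alternative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_FUNCTION_MAXNAMELEN 30   /* IPT_FUNCTION_MAXNAMELEN in the post */

struct ipt_target;                  /* opaque; only its pointer size matters */

/* The target header as modified in the post: one field after data[0]. */
struct modified_entry_target {
    union {
        struct {
            uint16_t target_size;
            char name[XT_FUNCTION_MAXNAMELEN - 1];
            uint8_t revision;
        } user;
        struct {
            uint16_t target_size;
            struct ipt_target *target;
        } kernel;
        uint16_t target_size;
    } u;
    unsigned char data[0];          /* kernel reads the payload from here */
    unsigned int uniqueId;          /* the field added in the post */
};

/* How userspace builds a standard target: header, then the verdict. */
struct modified_standard_target {
    struct modified_entry_target target;
    int verdict;
};

/* 1 if the added id occupies the same bytes the kernel treats as the
 * start of the target payload (t->data). */
int id_overlaps_payload(void)
{
    return offsetof(struct modified_entry_target, data)
        == offsetof(struct modified_entry_target, uniqueId);
}

/* Bytes between where the kernel reads the payload and where userspace
 * now places the verdict; non-zero means the two sides disagree. */
size_t verdict_misplacement(void)
{
    return offsetof(struct modified_standard_target, verdict)
         - offsetof(struct modified_entry_target, data);
}

/* Alternative: keep the id outside the entry, keyed by the entry offset
 * that the kernel already uses to identify entries. Must be rebuilt on
 * every do_replace(), since offsets change when the table is replaced. */
#define MAX_TRACKED_ENTRIES 64

struct rule_id_table {
    unsigned int offsets[MAX_TRACKED_ENTRIES];
    unsigned int ids[MAX_TRACKED_ENTRIES];
    unsigned int count;
    unsigned int next_id;
};

void rule_id_table_init(struct rule_id_table *t)
{
    memset(t, 0, sizeof *t);
    t->next_id = 1;                 /* 0 means "no id assigned" */
}

/* Assign a fresh id to the entry at `offset` unless it is a kernel-appended
 * policy or error entry (is_builtin != 0). Returns the id, or 0 for none. */
unsigned int rule_id_assign(struct rule_id_table *t, unsigned int offset,
                            int is_builtin)
{
    if (is_builtin || t->count >= MAX_TRACKED_ENTRIES)
        return 0;
    unsigned int id = t->next_id++;
    t->offsets[t->count] = offset;
    t->ids[t->count] = id;
    t->count++;
    return id;
}

unsigned int rule_id_lookup(const struct rule_id_table *t, unsigned int offset)
{
    for (unsigned int i = 0; i < t->count; i++)
        if (t->offsets[i] == offset)
            return t->ids[i];
    return 0;
}

int main(void)
{
    struct rule_id_table t;
    rule_id_table_init(&t);
    /* Constructed offsets, not real entry sizes: one user rule, then the
     * kernel's own policy entry for the chain. */
    unsigned int user_rule = rule_id_assign(&t, 0, 0);
    unsigned int policy = rule_id_assign(&t, 200, 1);
    printf("id overlaps payload: %d, verdict misplaced by %zu bytes\n",
           id_overlaps_payload(), verdict_misplacement());
    printf("user rule id %u, builtin policy id %u\n", user_rule, policy);
    return 0;
}
```

The side table changes nothing that userspace sees, so iptables-save and iptables-restore keep working, and the question of -A versus -D versus -F disappears from the kernel's point of view: the kernel only ever receives a complete replacement table, so the ids are reassigned whenever the table is rebuilt.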