All of lore.kernel.org
* iptables doubt
@ 2006-04-12 13:54 varun
       [not found] ` <443E21C1.9090508@info.ucl.ac.be>
  0 siblings, 1 reply; 12+ messages in thread
From: varun @ 2006-04-12 13:54 UTC (permalink / raw)
  To: netfilter-devel

Hi all,

I am new to netfilter and I am trying to play around to understand a few
things. By default, when no policies are specified, it allows all traffic
to go out to and come in from the network. I want to change this default
to deny.
That is, when there is no policy, everything should be denied by default.

So in order to achieve that I tried to change the code a little.
In the file iptable_filter.c there is a variable called
static int forward = NF_ACCEPT
I changed this to NF_DROP, and when I compiled and used it, sure enough I
was not able to send or receive any packets,
but even after I add a policy like
iptables -t filter -A INPUT -j ACCEPT
nothing changes. To achieve what I want, what should I do? And where do I
change it?

Another thing: normally, when I add a policy like
iptables -t filter -A OUTPUT -j REJECT
even my own IP doesn't ping. Why should this happen?
Isn't it OK to ping the local IP and the loopback IP?
If I want an implementation where I should be able to ping myself and
local addresses but not any other IP, is it possible?
I don't want to add policies; rather, is it possible just by changing the
iptables kernel code?

Please help me on this.

Varun


* Re: iptables doubt
@ 2006-04-13 10:14 Sebastien Tandel
  0 siblings, 0 replies; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 10:14 UTC (permalink / raw)
  To: netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
varun wrote:
> Hi all,
>
> I am new to netfilter and I am trying to play around to understand a few
> things. By default, when no policies are specified, it allows all traffic
> to go out to and come in from the network. I want to change this default
> to deny.
> That is, when there is no policy, everything should be denied by default.
>
> So in order to achieve that I tried to change the code a little.
> In the file iptable_filter.c there is a variable called
> static int forward = NF_ACCEPT
> I changed this to NF_DROP, and when I compiled and used it, sure enough I
> was not able to send or receive any packets,
I think you made the right change in your code in order to have a DROP
policy by default in your netfilter. The problem is just after ...

> but even after I add a policy like
> iptables -t filter -A INPUT -j ACCEPT
> nothing changes. To achieve what I want, what should I do? And where do I
> change it?

It is quite normal, as you told netfilter to accept incoming packets but
you did not configure netfilter to accept *outgoing* packets ...
iptables -t filter -A OUTPUT -j ACCEPT

>
> Another thing: normally, when I add a policy like
> iptables -t filter -A OUTPUT -j REJECT
> even my own IP doesn't ping. Why should this happen?
> Isn't it OK to ping the local IP and the loopback IP?
> If I want an implementation where I should be able to ping myself and
> local addresses but not any other IP, is it possible?

lo is the loopback interface allotted to your local host (i.e. the host
itself)! You must therefore create two rules in order to let netfilter
accept outgoing and incoming packets leaving from and arriving at your
local interface:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


> I don't want to add policies; rather, is it possible just by changing the
> iptables kernel code?

You have to initialize netfilter by adding two static rules implementing
the ones described here above.

sta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPiSEw76McB8jGxkRAhzNAJoCC6FwR6PvmEJG8IzNXeod29u8jQCdFPY7
N9fguzx+i6R9s+sCpz+AHfc=
=120L
-----END PGP SIGNATURE-----


* Re: iptables doubt
       [not found]   ` <443E341F.1080206@rocsys.com>
@ 2006-04-13 12:24     ` Sebastien Tandel
  2006-04-13 13:01       ` varun
  0 siblings, 1 reply; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 12:24 UTC (permalink / raw)
  To: varun, netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


varun wrote:
> Hi Sebastien,
> 
> Thanks for the reply. Actually I did figure out some things. It seems to
> work fine but I am not sure if it may lead to any problem. This is what I
> have done.
> Instead of adding static routes what I have done is added this small
> code in the function ipt_do_table.
> 
>	if (in == NULL)
>		goto jump;
>	if (memcmp(in->name, "lo", 2) == 0) {
>		verdict = NF_ACCEPT;
>		return verdict;
>	}
> 
> jump:
>	/* We handle fragments by dealing with the first fragment as
>	 * if it was a normal packet.  All other fragments are treated
>	 * normally, except that they will NEVER match rules that ask
>	 * things we don't know, ie. tcp syn flag or ports).  If the
>	 * rule is also a fragment-specific rule, non-fragments won't
>	 * match it. */
>	offset = ntohs(ip->frag_off) & IP_OFFSET;

It seems "good" modulo these changes to be more concise ...

	if (in != NULL && memcmp(in->name, "lo", 2) == 0)
		return NF_ACCEPT;
	/* We handle fragments by dealing with the first fragment as
	 * if it was a normal packet.  All other fragments are treated
	 * normally, except that they will NEVER match rules that ask
	 * things we don't know, ie. tcp syn flag or ports).  If the
	 * rule is also a fragment-specific rule, non-fragments won't
	 * match it. */
	offset = ntohs(ip->frag_off) & IP_OFFSET;

Note that you have done a shortcut that does not test the outgoing
interface. It means that you can receive packets from another interface
going to the loopback address ...

> With this, every time a packet comes in with IN dev as lo I would simply
> accept it. It seems OK and works well, but is there any problem with it
> if I do so?
> 

IMHO, there is no problem doing it this way, except that:
	1) you have hardcoded the "rule" (half-hardcoded, see remark here above)
	2) there is no more option to change the behavior of the "rule" you
just added (i.e. we can't reject anymore a packet going through the
loopback interface)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPkLmw76McB8jGxkRAsN0AJ4jZP6mhN2vk+/L93qy5uhC8WSJVwCfQpun
Fc4d8NMUJo6M64QBMPTO/dg=
=c7ol
-----END PGP SIGNATURE-----

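The loopback shortcut discussed in the two messages above, modelled in user space as an added example. This is not netfilter code and not what either poster compiled: struct net_device, the NF_* verdict values and the device names are stand-ins, and the "long0" interface is constructed only to show the prefix match. It isolates the two defects in the posted check, that only the input device is consulted and that memcmp() with a length of 2 matches any name beginning with "lo", beside a stricter variant that compares the whole name and looks at whichever of in/out is set. The stricter variant still hardcodes the verdict, so the two reservations stated in the reply above stand.

```c
/* Added illustration, not netfilter code: a user-space model of the
 * loopback shortcut posted in this thread, next to a stricter variant.
 * struct net_device and the NF_* verdicts are stand-ins for the kernel's. */
#include <stdio.h>
#include <string.h>

#define NF_DROP   0u
#define NF_ACCEPT 1u
#define IFNAMSIZ  16

struct net_device {
	char name[IFNAMSIZ];
};

/* The shortcut as posted: only the input device is consulted, and
 * memcmp() with a length of 2 is a prefix test, so any device whose name
 * begins with "lo" (the constructed "long0" below) is accepted too. */
static unsigned int verdict_posted(const struct net_device *in,
				   const struct net_device *out,
				   unsigned int policy)
{
	(void)out;
	if (in != NULL && memcmp(in->name, "lo", 2) == 0)
		return NF_ACCEPT;
	return policy;	/* the real function continues into the table; modelled as its policy */
}

static int is_loopback(const struct net_device *dev)
{
	return dev != NULL && strncmp(dev->name, "lo", IFNAMSIZ) == 0;
}

/* Stricter variant: exact name compare on whichever side is set
 * (in is NULL on OUTPUT, out is NULL on INPUT). */
static unsigned int verdict_strict(const struct net_device *in,
				   const struct net_device *out,
				   unsigned int policy)
{
	if (is_loopback(in) || is_loopback(out))
		return NF_ACCEPT;
	return policy;
}

/* Helper for the demo: build the device structs from names (NULL meaning
 * no device on that side) and run one variant against a default-DROP policy. */
static unsigned int run_case(const char *in_name, const char *out_name, int strict)
{
	struct net_device in, out;
	const struct net_device *inp = NULL, *outp = NULL;

	if (in_name) {
		snprintf(in.name, IFNAMSIZ, "%s", in_name);
		inp = &in;
	}
	if (out_name) {
		snprintf(out.name, IFNAMSIZ, "%s", out_name);
		outp = &out;
	}
	return strict ? verdict_strict(inp, outp, NF_DROP)
		      : verdict_posted(inp, outp, NF_DROP);
}

int main(void)
{
	static const struct { const char *in, *out; } cases[] = {
		{ "lo", NULL },		/* INPUT on loopback */
		{ NULL, "lo" },		/* OUTPUT to loopback */
		{ "long0", NULL },	/* constructed name sharing the "lo" prefix */
		{ "eth0", NULL },	/* INPUT on a real NIC */
	};
	size_t i;

	for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("in=%-6s out=%-6s posted=%s strict=%s\n",
		       cases[i].in ? cases[i].in : "-",
		       cases[i].out ? cases[i].out : "-",
		       run_case(cases[i].in, cases[i].out, 0) ? "ACCEPT" : "DROP",
		       run_case(cases[i].in, cases[i].out, 1) ? "ACCEPT" : "DROP");
	return 0;
}
```

The OUTPUT-to-loopback row is the one the reply calls out: with in == NULL the posted check falls through to the DROP policy, so a locally generated ping to 127.0.0.1 is only accepted by the stricter variant.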

* Re: iptables doubt
  2006-04-13 12:24     ` Sebastien Tandel
@ 2006-04-13 13:01       ` varun
  2006-04-13 13:16         ` Sebastien Tandel
  0 siblings, 1 reply; 12+ messages in thread
From: varun @ 2006-04-13 13:01 UTC (permalink / raw)
  To: Sebastien Tandel; +Cc: netfilter-devel

Hi Sebastien,

Thanks again. Yeah, I cannot set a rule for lo. Though it is not
necessary in my case I would like to have that option. So is a static
rule the only way?
Another thing is that I want to implement rule priority.
That is, after the rules are set, when a packet arrives it needs to
search the rule chain. I want that to be searched with respect to
priority, so that even the user can change the priority of an
already-set rule as he likes. Is it already implemented in iptables or
does it need to be implemented?

I also want to maintain a unique rule id. That is, say I declare
unsigned int i;
So for any rule, be it nat or anything, this is the global rule id that
is assigned to any policy added.
By this, say a user added a rule whose id I give as 15. And then he
deletes it; then after adding another policy he will get policy id 16
and not 15. Rule no. 15 will be given only after the full size of
unsigned int is completed, I mean one full circle (i = 0 to
i = 4294967295). So how should I go about it? Any suggestions?

Varun


* Re: iptables doubt
  2006-04-13 13:01       ` varun
@ 2006-04-13 13:16         ` Sebastien Tandel
  2006-04-13 13:53           ` varun
  0 siblings, 1 reply; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 13:16 UTC (permalink / raw)
  To: varun, netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

varun wrote:
> Hi Sebastien,
> 
> Thanks again. Yeah, I cannot set a rule for lo. Though it is not
> necessary in my case I would like to have that option. So is a static
> rule the only way?

I think so ...

Why do you want to code it directly in netfilter instead of using the
init.d scripts?

> Another thing is that I want to implement rule priority.
> That is, after the rules are set, when a packet arrives it needs to
> search the rule chain. I want that to be searched with respect to
> priority, so that even the user can change the priority of an
> already-set rule as he likes. Is it already implemented in iptables or
> does it need to be implemented?
> 
> I also want to maintain a unique rule id. That is, say I declare
> unsigned int i;
> So for any rule, be it nat or anything, this is the global rule id that
> is assigned to any policy added.
> By this, say a user added a rule whose id I give as 15. And then he
> deletes it; then after adding another policy he will get policy id 16
> and not 15. Rule no. 15 will be given only after the full size of
> unsigned int is completed, I mean one full circle (i = 0 to
> i = 4294967295). So how should I go about it? Any suggestions?
> 
> Varun

It is clearly not implemented and I haven't any clue for you on this
matter but ... What will be the benefit of it?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPk80w76McB8jGxkRAjzkAJ9v7l94tGG8mRCSq6MM5Fxf+K0zlQCglRX3
B3HeNfHiKBlHbUxNwgnqBzM=
=9D0f
-----END PGP SIGNATURE-----


* Re: iptables doubt
  2006-04-13 13:16         ` Sebastien Tandel
@ 2006-04-13 13:53           ` varun
  2006-04-13 14:16             ` Sebastien Tandel
  2006-04-13 16:04             ` Sven-Haegar Koch
  0 siblings, 2 replies; 12+ messages in thread
From: varun @ 2006-04-13 13:53 UTC (permalink / raw)
  To: Sebastien Tandel; +Cc: netfilter-devel

Hi Sebastien,

Well, I do not want to use policy from user space because the very need
for me to do this activity is to play around and get to understand
netfilter/iptables.

The feature I want to implement, like that priority for policy, is for a
scenario where a user added some policies and then for some reason wants
one policy to be checked before checking the others; then he would have
to add the policy again and delete the old policy, isn't it?
By the way, thanks for the help, man, and can you suggest me some good
mailing list which deals with iptables development where newbies like me
could get some help. This mailing list does not seem to help newbies
much.

Varun



* Re: iptables doubt
  2006-04-13 13:53           ` varun
@ 2006-04-13 14:16             ` Sebastien Tandel
  2006-04-14  3:42               ` varun
  2006-04-13 16:04             ` Sven-Haegar Koch
  1 sibling, 1 reply; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 14:16 UTC (permalink / raw)
  To: varun, netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

varun wrote:
> Hi Sebastien,
> 
>                         Well i do not want to use policy from user space
> because , the very need for me to do this activity is to play around and
> get to understand netfilter iptables.

ok ... that's the point :)

> 
>                          The features i want to implement like that
> priority for policy is that imagine a scenario where user added some
> policies and then for some reason wants one policy to be checked before
> checking others then he would have to add the policy again and delete
> the old policy isn't it?

Yes it is correct ... even if this may seem curious I think it is not
worth adding such a mechanism to netfilter. IMHO, a switch option
'-M' (MOVE) would be sufficient but not with all these unique-id's ... I
fear that with the time this number list would be completely fragmented
and human-unreadable.
I don't know whether it had already been discussed on this mailing-list.
IMHO, it is not a strong requirement for iptables/netfilter and this
situation may be handled in a semi-automatic way with a user script
(with the danger, however, of having a race condition with another user
script changing netfilter too).
Of course, if it is another exercise to play with netfilter do it and
have fun ;)

>                          By the way, thanks for the help man and can you
> suggest me some good mailing list which deal with iptables development
> where newbies like me could get some help. This mailing list does not
> seem to help newbies much.

Unfortunately, I don't know any other mailing list devoted to netfilter. :-/

sta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPl07w76McB8jGxkRAi5cAJ0TPTCHg3ENQtf/7OMS8NQvlfqglgCfUkJp
GMvcI8Bety73ooSHNMQM/3I=
=ztZe
-----END PGP SIGNATURE-----


* Re: iptables doubt
  2006-04-13 13:53           ` varun
  2006-04-13 14:16             ` Sebastien Tandel
@ 2006-04-13 16:04             ` Sven-Haegar Koch
  2006-04-14  3:33               ` varun
  1 sibling, 1 reply; 12+ messages in thread
From: Sven-Haegar Koch @ 2006-04-13 16:04 UTC (permalink / raw)
  To: varun; +Cc: netfilter-devel

On Thu, 13 Apr 2006, varun wrote:

>                         The features i want to implement like that priority 
> for policy is that imagine a scenario where user added some policies and then 
> for some reason wants one policy to be checked before checking others then he 
> would have to add the policy again and delete the old policy isn't it?

Every iptables rule change is loading the whole ruleset into userspace, 
modifying it, and copying the result back into kernelspace.

So you should be able to fetch the rules (f.e. with iptables-save), modify 
them as you like, and push them back (iptables-restore).

c'ya
sven

-- 

The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
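Sven's save/modify/restore procedure, and the "move a rule to the front" operation Sebastien would like a '-M' switch for, as an added example that is not code from this thread or from the netfilter project. It works only on the text format that iptables-save emits and iptables-restore reads, so it runs offline; on a real host the returned text would be fed to `iptables-restore`. The sample dump is constructed (default-deny policies plus the two loopback rules from the thread), and all function names are my own.

```python
"""Reorder iptables rules the iptables-save / edit / iptables-restore way.

Added example, not code from the thread. Everything here operates on the
ruleset text; nothing touches the kernel.
"""
import re
from typing import List, Tuple

# Constructed sample of iptables-save output (not captured from a real host):
# default-deny built-in chains plus the '-i lo' / '-o lo' ACCEPT rules that keep
# the host able to talk to itself.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "dropped: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

_RULE = re.compile(r"^-A (\S+)(?: |$)")
_POLICY = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")


def _table_bounds(lines: List[str], table: str) -> Tuple[int, int]:
    """Index range [start, end) of one table block: from '*table' to its COMMIT."""
    start = lines.index(f"*{table}")
    end = next(i for i in range(start, len(lines)) if lines[i] == "COMMIT")
    return start, end


def _rule_indices(lines: List[str], table: str, chain: str) -> List[int]:
    """Line indices of the '-A chain ...' rules of one chain, in match order."""
    start, end = _table_bounds(lines, table)
    out = []
    for i in range(start, end):
        m = _RULE.match(lines[i])
        if m and m.group(1) == chain:
            out.append(i)
    return out


def rules_of(text: str, table: str, chain: str) -> List[str]:
    """The rules of a chain exactly as iptables-save prints them."""
    lines = text.splitlines()
    return [lines[i] for i in _rule_indices(lines, table, chain)]


def default_policy(text: str, table: str, chain: str) -> str:
    """Built-in chain policy (ACCEPT/DROP) from the ':CHAIN POLICY [p:b]' line."""
    lines = text.splitlines()
    start, end = _table_bounds(lines, table)
    for i in range(start, end):
        m = _POLICY.match(lines[i])
        if m and m.group(1) == chain:
            return m.group(2)
    raise KeyError(f"no policy line for chain {chain} in table {table}")


def move_rule(text: str, table: str, chain: str, from_pos: int, to_pos: int) -> str:
    """Make the from_pos-th rule of a chain the to_pos-th one (1-based, the same
    numbering `iptables -D chain N` and `iptables -I chain N` use) and return the
    whole ruleset, ready for iptables-restore."""
    lines = text.splitlines()
    idx = _rule_indices(lines, table, chain)
    n = len(idx)
    if not (1 <= from_pos <= n and 1 <= to_pos <= n):
        raise ValueError(f"positions must be in 1..{n} for chain {chain}")
    rule = lines.pop(idx[from_pos - 1])
    idx = _rule_indices(lines, table, chain)   # line numbers shifted after the pop
    if to_pos <= len(idx):
        lines.insert(idx[to_pos - 1], rule)     # goes in front of the rule now at to_pos
    else:
        lines.insert(idx[-1] + 1, rule)         # becomes the last rule of the chain
    return "\n".join(lines) + "\n"


def loopback_allowed(text: str, table: str = "filter") -> bool:
    """True if the host can still reach itself under default deny: an '-i lo'
    ACCEPT in INPUT and an '-o lo' ACCEPT in OUTPUT."""
    def has(chain: str, iface_opt: str) -> bool:
        return any(f"{iface_opt} lo " in r and r.endswith("-j ACCEPT")
                   for r in rules_of(text, table, chain))
    return has("INPUT", "-i") and has("OUTPUT", "-o")


if __name__ == "__main__":
    # Promote the LOG rule from position 4 to position 1 of INPUT.
    print(move_rule(SAMPLE_SAVE, "filter", "INPUT", 4, 1), end="")
```

iptables-restore installs each table with one replace call, so the kernel never sees a half-edited chain; what stays non-atomic, as Sebastien notes in his follow-up, is the window between the save and the restore, in which another script's change is silently overwritten. The fix is on the userspace side: serialise every writer, for example with a file lock held across the whole save/edit/restore sequence.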


* Re: iptables doubt
@ 2006-04-13 16:57 Sebastien Tandel
  0 siblings, 0 replies; 12+ messages in thread
From: Sebastien Tandel @ 2006-04-13 16:57 UTC (permalink / raw)
  To: netfilter-devel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven-Haegar Koch wrote:
> On Thu, 13 Apr 2006, varun wrote:
>
>>                         The features i want to implement like that
>> priority for policy is that imagine a scenario where user added some
>> policies and then for some reason wants one policy to be checked
>> before checking others then he would have to add the policy again and
>> delete the old policy isn't it?
>
>
> Every iptables rule change is loading the whole ruleset into userspace,
> modifying it, and copying the result back into kernelspace.
>
> So you should be able to fetch the rules (f.e. with iptables-save),
> modify them as you like, and push them back (iptables-restore).
>
> c'ya
> sven
>

which is not robust when competing with another user script doing some
change to netfilter ... i.e. there is no function doing an atomic move.

sta
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPoLww76McB8jGxkRAs7AAJ9ICzjiB1J/V82UIOsqyKT9AyeGMQCgjiMd
Maq9ku/nKaaXv81wdGd+zU8=
=2j+D
-----END PGP SIGNATURE-----


* Re: iptables doubt
  2006-04-13 16:04             ` Sven-Haegar Koch
@ 2006-04-14  3:33               ` varun
  0 siblings, 0 replies; 12+ messages in thread
From: varun @ 2006-04-14  3:33 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: netfilter-devel

Yeah it is true but this can be done only after save but not dynamically? 
Is there a way to do dynamically?

Varun

* Re: iptables doubt
  2006-04-13 14:16             ` Sebastien Tandel
@ 2006-04-14  3:42               ` varun
  0 siblings, 0 replies; 12+ messages in thread
From: varun @ 2006-04-14  3:42 UTC (permalink / raw)
  To: Sebastien Tandel; +Cc: netfilter-devel

Hi,

         By the way can you tell me which is the structure that holds 
the rule i.e. when I give iptables -t filter -A FORWARD -j REJECT
        Which struct in the kernel holds the rule and which is the 
function that adds the rule from user space to the list in the kernel?
         I assume that we are maintaining a stack implementation for holding 
rules on one table, am I right?

Varun

* iptables doubt
@ 2006-04-26  7:09 varun
  0 siblings, 0 replies; 12+ messages in thread
From: varun @ 2006-04-26  7:09 UTC (permalink / raw)
  To: netdev

Hi all,

I've been trying to understand the iptables kernel code and 
basically how it functions. In doing so I have a few questions.
In the file ip_tables.c there is a call do_replace() which 
is used as the starting entry point from sockopt.
That is, this gets called every time a user enters 
policies from user space. Here the data is given to me in the form of
void __user *user.
This I am copying to kernel space and dereferencing into 
ipt_replace and so on. Am I right?
The first question is the user seems to send a size of 860 
when trying to add the first policy. Does that mean that the user is 
maintaining the offset of the policies added?
tmp.size shows as 768 which is (4 default policies x 
sizeof(struct ipt_standard)) + sizeof(struct ipt_error)
Am I correct in understanding? If so why should user 
space kernel policy offset?
Next thing is I added one extra field (int 
num) in the struct ipt_entry_target. This is added after the unsigned 
char data[0] field.
struct ipt_entry_target
{
       union {
               struct {
                       u_int16_t target_size;

                       /* Used by userspace */
                       char name[IPT_FUNCTION_MAXNAMELEN-1];

                       u_int8_t revision;
               } user;
               struct {
                       u_int16_t target_size;

                       /* Used inside the kernel */
                       struct ipt_target *target;
               } kernel;

               /* Total length */
               u_int16_t target_size;
       } u;

       unsigned char data[0];
       unsigned int uniqueId;  /*I added this*/
};

I am using this field to give a global id from my kernel for every 
policy added, excluding the default ones added by the kernel. So if someone 
calls iptables -F or iptables -t filter -D .... then this number 
should not be assigned to the structure.
I want to know where is the correct place to add this value to the 
structure without affecting the functionality.

I am also aware that making this change in the structure will result in a 
segmentation fault in userspace. I'll handle it separately.
Can this be done? Please help me in this regard.

How can I know from the kernel structures if the policy is for -A or -D 
or -F ?
Varun
