* 2 basic iptables questions
From: Peter @ 2006-07-25 21:20 UTC (permalink / raw)
  To: netfilter

Hi,

Two questions:

1) I understand the basics of the iptables command but I am having
trouble grasping how the various "scripts" go together.  I have a
CentOS (Red Hat) box set up and there is an init script
/etc/init.d/iptables.  There is also a support script
/etc/sysconfig/iptables-config.  I know also that 'service iptables
save' saves a ruleset file of the current ruleset inside
/etc/sysconfig/iptables.  My question is therefore "Where do I place my
main (and documented) ruleset file?".  I envision a file solely
containing a multitude of iptables commands but many files I find on
the net contain other commands as well.

2) I have inherited an iptables firewall and I'm trying to grok its
ruleset.  Here are the beginning lines of the output of 'cat
/etc/sysconfig/iptables':

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:log_and_drop - [0:0]
:service_chain - [0:0]
[0:0] -A INPUT -d 127.0.0.1 -j ACCEPT 
[0:0] -A INPUT -s 127.0.0.1 -j ACCEPT 
[0:0] -A INPUT -i lo -j ACCEPT 
[0:0] -A INPUT -j service_chain 
[0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
Connection)" 
[0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable 
[0:0] -A service_chain -p icmp -j ACCEPT 
[0:0] -A service_chain -p icmp -j log_and_drop
.
.
.
{ many more '[0:0] -A service_chain' lines }
COMMIT

My question here is how is the last rule ever matched?  If ICMP is seen
it will be accepted and the evaluation stops.  What is the meaning of
this line?  My guess is that it is there to log and then block unwanted
traffic (via the log_and_drop chain) but I do not see how it works. 
The ruleset is full of these line patterns.

Peter

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



* Re: 2 basic iptables questions
From: James Marcinek @ 2006-07-25 21:55 UTC (permalink / raw)
  To: netfilter

Peter,

Here's my take on it:

1) The /etc/sysconfig/iptables file is where your rules are contained 
(once you build them). I myself write a shell script that contains my 
rules, then run the script which builds them. I then do a service 
iptables save command, which will save the rules currently in 
/etc/sysconfig/iptables. I believe a backup of 
/etc/sysconfig/iptables.save is also created.

Peter wrote:
> Hi,
> 
> Two questions:
> 
> 1) I understand the basics of the iptables command but I am having
> trouble grasping how the various "scripts" go together.  I have a
> CentOS (Red Hat) box set up and there is an init script
> /etc/init.d/iptables.  There is also a support script
> /etc/sysconfig/iptables-config.  I know also that 'service iptables
> save' saves a ruleset file of the current ruleset inside
> /etc/sysconfig/iptables.  My question is therefore "Where do I place my
> main (and documented) ruleset file?".  I envision a file solely
> containing a multitude of iptables commands but many files I find on
> the net contain other commands as well.
> 
> 2) I have inherited an iptables firewall and I'm trying to grok its
> ruleset.  Here are the beginning lines of the output of 'cat
> /etc/sysconfig/iptables':
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :log_and_drop - [0:0]
> :service_chain - [0:0]
> [0:0] -A INPUT -d 127.0.0.1 -j ACCEPT 
> [0:0] -A INPUT -s 127.0.0.1 -j ACCEPT 
> [0:0] -A INPUT -i lo -j ACCEPT 
> [0:0] -A INPUT -j service_chain 
> [0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
> Connection)" 
> [0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable 
> [0:0] -A service_chain -p icmp -j ACCEPT 
> [0:0] -A service_chain -p icmp -j log_and_drop
> .
> .
> .
> { many more '[0:0] -A service_chain' lines }
> COMMIT
> 
> My question here is how is the last rule ever matched?  If ICMP is seen
> it will be accepted and the evaluation stops.  What is the meaning of
> this line?  My guess is that it is there to log and then block unwanted
> traffic (via the log_and_drop chain) but I do not see how it works. 
> The ruleset is full of these line patterns.

I can't help you here. I would actually like to know more about the 
logging; however, your guess looks correct. The one rule looks like it 
would be evaluated first, then accepted. Unless the logging facility has 
special workings...

I typically drop everything, then open what I want. Since ICMP is 
dropped, do you really need to monitor it?

* RE: 2 basic iptables questions
From: Gary W. Smith @ 2006-07-25 21:59 UTC (permalink / raw)
  To: Peter, netfilter

Answers inline

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Peter
> Sent: Tuesday, July 25, 2006 2:21 PM
> To: netfilter
> Subject: 2 basic iptables questions
> 
> Hi,
> 
> Two questions:
> 
> 1) I understand the basics of the iptables command but I am having
> trouble grasping how the various "scripts" go together.  I have a
> CentOS (Red Hat) box set up and there is an init script
> /etc/init.d/iptables.  There is also a support script
> /etc/sysconfig/iptables-config.  I know also that 'service iptables
> save' saves a ruleset file of the current ruleset inside
> /etc/sysconfig/iptables.  My question is therefore "Where do I place my
> main (and documented) ruleset file?".  I envision a file solely
> containing a multitude of iptables commands but many files I find on
> the net contain other commands as well.

If you load the iptables rules that you want to run using
iptables-restore, then you can do an iptables-save, drop it into the
/etc/sysconfig/iptables file and it will autoload on the next restart of
the server (or a restart of /etc/init.d/iptables).

Some people find iptables-save/restore too limiting, so they just put all
of the commands into a shell script and load each line individually.

Both ways work.  Pick the one that's easiest for you.  Remember, if you
put something in /etc/sysconfig/iptables it will load every time the
computer starts.  If things break randomly, remember to check that before
restarting.

> 
> 2) I have inherited an iptables firewall and I'm trying to grok its
> ruleset.  Here are the beginning lines of the output of 'cat
> /etc/sysconfig/iptables':
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :log_and_drop - [0:0]
> :service_chain - [0:0]
> [0:0] -A INPUT -d 127.0.0.1 -j ACCEPT
> [0:0] -A INPUT -s 127.0.0.1 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -j service_chain

Here is where your chain is called.  Basically you are telling the input
chain to jump to the service_chain at that point.  I find it helpful to
create buckets (like your service_chain) which handle certain processes
(such as a bucket for http servers, a bucket for email spoolers, etc).
I then call them on my input (or forward) chain.  This way if I have an
email spooler on a particular IP I can just forward it to the specific
chain that will already take care of what it needs to do.


> [0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
> Connection)"
> [0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable
> [0:0] -A service_chain -p icmp -j ACCEPT
> [0:0] -A service_chain -p icmp -j log_and_drop
> .
> .
> .
> { many more '[0:0] -A service_chain' lines }
> COMMIT
> 
> My question here is how is the last rule ever matched?  If ICMP is seen
> it will be accepted and the evaluation stops.  What is the meaning of
> this line?  My guess is that it is there to log and then block unwanted
> traffic (via the log_and_drop chain) but I do not see how it works.
> The ruleset is full of these line patterns.
> 
> Peter

* RE: 2 basic iptables questions
From: Gary W. Smith @ 2006-07-25 22:08 UTC (permalink / raw)
  To: James Marcinek, netfilter



> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of James Marcinek
> Sent: Tuesday, July 25, 2006 2:56 PM
> To: netfilter
> Subject: Re: 2 basic iptables questions
> 
> Peter,
> 
> Here's my take on it:
> 
> 1) The /etc/sysconfig/iptables file is where your rules are contained
> (once you build them). I myself write a shell script that contains my
> rules, then run the script which builds them. I then do a service
> iptables save command, which will save the rules currently in
> /etc/sysconfig/iptables. I believe a backup of
> /etc/sysconfig/iptables.save is also created.
> 

Actually, it's never logged.  If an accept is hit then the rules stop
(correct me if I'm wrong, which is frequent enough).

So in this case it looks like they originally set up a chain to handle
the log and drop, but then added the accept call before it.


Chain log_and_drop
> > [0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
> > Connection)"
> > [0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable

Chain service_chain
> > [0:0] -A service_chain -p icmp -j ACCEPT
> > [0:0] -A service_chain -p icmp -j log_and_drop
> > .

> 
> I can't help you here. I would actually like to know more about the
> logging; however your guess looks correct. The one rule looks like it
> would be evaluated first then accepted. Unless the logging facility has
> special workings...
> 
> I typically drop everything, then open what I want. Since ICMP is
> dropped, do you really need to monitor it?

We generally log certain types of failures.  But some clients log
everything that hits their firewalls (not sure why, they just throw us
cash and say buy lots of drive space).

In general there is nothing special with logging.  It is like any other
rule, but it doesn't trigger ACCEPT, REJECT or DENY, which all stop
processing.

We tend to use log-level=6 so it doesn't fill up the console.  You should
also note that you might want to put some rate limiting in the logging
as well.  If you do log and you get slammed with requests then it will
fill up fast.  If the same thing is duplicated 50 times/sec then who
cares.

Gary



* RE: 2 basic iptables questions
From: Peter @ 2006-07-25 22:09 UTC (permalink / raw)
  To: netfilter


--- "Gary W. Smith" <gary@primeexalia.com> wrote:


> > 2) I have inherited an iptables firewall and I'm trying to grok its
> > ruleset.  Here are the beginning lines of the output of 'cat
> > /etc/sysconfig/iptables':
> > 
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :log_and_drop - [0:0]
> > :service_chain - [0:0]
> > [0:0] -A INPUT -d 127.0.0.1 -j ACCEPT
> > [0:0] -A INPUT -s 127.0.0.1 -j ACCEPT
> > [0:0] -A INPUT -i lo -j ACCEPT
> > [0:0] -A INPUT -j service_chain
> 
> Here is where your chain is called.  Basically you are telling the input
> chain to jump to the service_chain at that point.  I find it helpful to
> create buckets (like your service_chain) which handle certain processes
> (such as a bucket for http servers, a bucket for email spoolers, etc).
> I then call them on my input (or forward) chain.  This way if I have an
> email spooler on a particular IP I can just forward it to the specific
> chain that will already take care of what it needs to do.


I know that much.  What about my question?


> > [0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
> > Connection)"
> > [0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable
> > [0:0] -A service_chain -p icmp -j ACCEPT
> > [0:0] -A service_chain -p icmp -j log_and_drop
> > .
> > .
> > .
> > { many more '[0:0] -A service_chain' lines }
> > COMMIT
> > 
> > My question here is how is the last rule ever matched?  If ICMP is
> seen
> > it will be accepted and the evaluation stops.  What is the meaning
> of
> > this line?  My guess is that it is there to log and then block
> unwanted
> > traffic (via the log_and_drop chain) but I do not see how it works.
> > The ruleset is full of these line patterns.



* Re: 2 basic iptables questions
From: Martijn Lievaart @ 2006-07-26 19:03 UTC (permalink / raw)
  To: Peter; +Cc: netfilter

Peter wrote:

>Hi,
>
>Two questions:
>
>1) I understand the basics of the iptables command but I am having
>trouble grasping how the various "scripts" go together.  I have a
>CentOS (Red Hat) box set up and there is an init script
>/etc/init.d/iptables.  There is also a support script
>/etc/sysconfig/iptables-config.  I know also that 'service iptables
>save' saves a ruleset file of the current ruleset inside
>/etc/sysconfig/iptables.  My question is therefore "Where do I place my
>main (and documented) ruleset file?".  I envision a file solely
>containing a multitude of iptables commands but many files I find on
>the net contain other commands as well.

Either write a shell script that contains the iptables commands, or 
create an input script for iptables-restore. The latter is much quicker, 
but loses you the ability to do substitutions. I combine the two, 
having a perl loader that processes my rules and then calls 
iptables-restore to load the rules.

After that just call service iptables save to make the changes 
permanent. (Shutdown also calls service iptables save, but better safe 
than sorry.)


>2) I have inherited an iptables firewall and I'm trying to grok its
>ruleset.  Here are the beginning lines of the output of 'cat
>/etc/sysconfig/iptables':
>
>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>:log_and_drop - [0:0]
>:service_chain - [0:0]
>[0:0] -A INPUT -d 127.0.0.1 -j ACCEPT 
>[0:0] -A INPUT -s 127.0.0.1 -j ACCEPT 
>[0:0] -A INPUT -i lo -j ACCEPT 
>[0:0] -A INPUT -j service_chain 
>[0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked
>Connection)" 
>[0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable 
>[0:0] -A service_chain -p icmp -j ACCEPT 
>[0:0] -A service_chain -p icmp -j log_and_drop
>.
>.
>.
>{ many more '[0:0] -A service_chain' lines }
>COMMIT
>
>My question here is how is the last rule ever matched?  If ICMP is seen
>it will be accepted and the evaluation stops.  What is the meaning of
>this line?  My guess is that it is there to log and then block unwanted
>traffic (via the log_and_drop chain) but I do not see how it works. 
>The ruleset is full of these line patterns.

ACCEPT is a terminal target, so the second line is nonsense.

HTH,
M4
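The traversal rules the replies describe (ACCEPT/REJECT are terminal, LOG is not, a user chain falls through to its caller) can be checked mechanically. The following is an added example, not code from the thread: it parses the ruleset Peter posted, walks a packet through INPUT the way netfilter does, and flags the second '-p icmp' rule as shadowed. The packet field names, the trimmed ruleset and the match options handled (-s, -d, -i, -p only) are assumptions of this example.

```python
import re
# Peter's ruleset embedded inline; *filter/COMMIT, FORWARD/OUTPUT and the '...' lines dropped.
RULESET = """\
:INPUT ACCEPT [0:0]
:log_and_drop - [0:0]
:service_chain - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -j service_chain
[0:0] -A log_and_drop -j LOG --log-prefix "FWSERVER (Blocked Connection)"
[0:0] -A log_and_drop -j REJECT --reject-with icmp-port-unreachable
[0:0] -A service_chain -p icmp -j ACCEPT
[0:0] -A service_chain -p icmp -j log_and_drop
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end traversal; LOG is not one

def parse(text):
    """Return ({chain: policy or None}, {chain: [(matches, target, rule_no)]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # chain declaration line
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = (None if policy == "-" else policy), []
        elif "-A " in line:                           # append-rule line
            chain, body = line.split("-A ", 1)[1].split(" ", 1)
            matches = dict(re.findall(r"(?<!\S)-([sdip]) (\S+)", body))
            target = re.search(r"-j (\S+)", body).group(1)
            chains[chain].append((matches, target, len(chains[chain]) + 1))
    return policies, chains

def evaluate(policies, chains, packet, chain="INPUT", trace=None):
    """Walk a chain as netfilter does; return (verdict, list of matched rules)."""
    trace = [] if trace is None else trace
    for matches, target, no in chains[chain]:
        if any(packet.get(k) != v for k, v in matches.items()): continue
        trace.append((chain, no, target))
        if target in TERMINAL:
            return target, trace                      # first terminal match wins
        if target in chains:                          # jump into a user chain
            verdict, trace = evaluate(policies, chains, packet, target, trace)
            if verdict is not None:
                return verdict, trace
        # LOG, or a user chain that fell through, continues with the next rule
    return policies[chain], trace                     # built-in: policy; user chain: None

def unreachable_rules(chains):
    """(chain, rule_no, shadowing_rule_no) for rules an earlier terminal rule with
    the same or a looser match set prevents from ever matching."""
    return [(chain, no, prev_no) for chain, rules in chains.items()
            for i, (m, _, no) in enumerate(rules)
            for pm, pt, prev_no in rules[:i]
            if pt in TERMINAL and pm.items() <= m.items()]
```

Running `unreachable_rules` over a saved ruleset is a cheap review step for an inherited firewall: every hit is a rule that documents an intent the firewall does not actually enforce.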


