security impact of creating rulesets with iptables (cmd)

["Christoph A." <casmls@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1753 bytes --]

Hi,

I read Jan's "Towards the perfect ruleset" paper [1]

[1] http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

and I would have a question about the mentioned security risk when
creating hole rulesets with the iptables command (chapter 3).

I understand why it is a bad idea to create n rules by using multiple
times iptables -A... (instead of iptables-restore) because it
"downloads" the entire table n-times and sets the entire table n-times
(performing n*2 operations) while passing n^2 rules between kernel and
userspace.

The second and more interesting point is that this would also introduce
a timeframe where packets could slip through while these exchanges
between kernel and userspace are happening. Why does setting the policy
to DROP not solve this problem?

I asume these commands are processed from top to bottom, I couldn't
imagine of a opportunity when packets could slip through

example
(presuming an empty INPUT chain)

1: iptables -P INPUT DROP
2: iptables -A INPUT -s 10.0.0.0/8 -j DROP
3: iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

After (1) the chain would be empty
after (2):
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP     all  --  *      *       10.0.0.0/8
0.0.0.0/0

(3):
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP     all  --  *      *       10.0.0.0/8
0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:22

I'm not using iptables -A sequences in scripts anymore but would be
curious about this security risk anyway.

curious
Christoph A.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]