* Group on Iptables
From: Masiero Giorgio, PD @ 2003-08-27 14:44 UTC
To: netfilter
Hi, my name is Giorgio,
I'm trying to translate our Checkpoint FW-1 ruleset into Iptables.
I do not know iptables well so I really need a suggestion to plan my future efforts.
The problem is this:
Is it possible to use objects like Checkpoint Groups (that is, a set of hosts and/or networks) in an Iptables rule?
It seems to me that iptables accepts a source/destination that is only one host/network.
Thanks Giorgio
* Re: Group on Iptables
From: Gavin Hamill @ 2003-08-28 8:37 UTC
To: netfilter
On Wednesday 27 August 2003 3:44 pm, Masiero Giorgio, PD wrote:
> Is it possible to use objects like Checkpoint Groups (that is a set of
> host and/or networks) into an Iptables rule.
You can achieve a 'groups' functionality by defining new tables, e.g.
$IPTABLES -N UNIXSERVERS
$IPTABLES -N WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.44 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.45 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.46 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.54 -j WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.55 -j WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.56 -j WINSERVERS
Now any traffic for the UNIX servers with IP addresses 44, 45, 46 will go to
the UNIXSERVERS table, and likewise any traffic for the Windows servers with
IPs 54, 55, 56 will go to the WINSERVERS table.
You can now apply 'group policy' by doing
$IPTABLES -A WINSERVERS -p tcp --dport 135:139 -j DROP
$IPTABLES -A WINSERVERS -p tcp --dport 445 -j DROP
$IPTABLES -A UNIXSERVERS -p tcp --dport 5900 -j DROP
etc.
Cheers,
Gavin.
* Re: Group on Iptables
From: Chris Brenton @ 2003-08-28 9:59 UTC
To: Masiero Giorgio, PD; +Cc: netfilter
Masiero Giorgio, PD wrote:
>
> Hi, my name is Giorgio,
Greetings Giorgio,
> Is it possible to use objects like Checkpoint Groups (that is, a set of hosts and/or networks) in an Iptables rule?
> It seems to me that iptables accepts a source/destination that is only one host/network.
First off, you really want to write your rules based on IP address
rather than host or domain names; it makes processing the rules go much
quicker and speeds up the firewall.
Second, try doing something like this in your initialization script:
# Known Spammers: log and reject SMTP from each listed address
while read SPAMMER ; do
    iptables -A FORWARD -i eth0 -p tcp -s $SPAMMER -d 0/0 --dport 25 -j LOG \
        --log-prefix " SPAMMER "
    iptables -A FORWARD -i eth0 -p tcp -s $SPAMMER -d 0/0 --dport 25 -j \
        REJECT --reject-with icmp-host-unreachable
done < /etc/spammers-list.txt
# Hostile addresses: log and reject all traffic from each listed address
# (no -p tcp on these rules, so no --dport; iptables refuses --dport without -p)
while read BLACKHAT ; do
    iptables -A FORWARD -i eth0 -s $BLACKHAT -d 0/0 -j LOG \
        --log-prefix " BLACKHAT "
    iptables -A FORWARD -i eth0 -s $BLACKHAT -d 0/0 -j REJECT \
        --reject-with icmp-host-unreachable
done < /etc/blackhat-list.txt
The *.txt file indicated on the "done" line is simply a plain text file
that lists each IP address or subnet to process, one per line. Something
like this:
211.99.204.0/23
211.99.206.0/24
210.77.157.40/32
210.77.157.0/24
So now your "groups" are the lists of addresses in each file. If you
need to make a change just edit the group and reload your rules. Note
that doing a:
iptables -L -n
will allow you to verify that all the addresses were loaded.
HTH,
C
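A script, added here as an example and not code from the thread, that combines the two approaches above: it reads a group file in the plain one-address-per-line format Chris describes and builds a per-group chain with one jump rule per member, as in Gavin's reply. The file name, the chain names and the 192.0.2.0/24 sample addresses are assumptions; the script only echoes the iptables commands unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example, not code from the thread: build one iptables chain per
# "group" from a plain address file and jump to it from FORWARD for every
# member, emitting the commands so they can be reviewed before loading.
# Dry run by default: IPTABLES is "echo iptables" unless you export
# IPTABLES=iptables (assumption: then run as root on the firewall).
IPTABLES=${IPTABLES:-"echo iptables"}

# Constructed sample group file: one host or subnet per line; blank lines
# and "#" comments are skipped so the file can be annotated.
GROUP_DIR=${GROUP_DIR:-$(mktemp -d)}
cat > "$GROUP_DIR/winservers" <<'EOF'
# Windows servers (sample addresses from the documentation range)
192.0.2.54
192.0.2.55
192.0.2.56/32
EOF

# members FILE: print the usable lines of a group file.
members() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# group_size FILE: how many jump rules should show up in
# "iptables -L FORWARD -n" once the group is loaded.
group_size() {
    members "$1" | wc -l | tr -d ' '
}

# make_group NAME FILE: create chain NAME and send FORWARD traffic destined
# for any member to it. If no rule in NAME terminates the packet, control
# returns to FORWARD, so an empty chain is harmless.
make_group() {
    name=$1; file=$2
    $IPTABLES -N "$name"
    members "$file" | while read -r member; do
        $IPTABLES -A FORWARD -d "$member" -j "$name"
    done
}

# Group policy is written once against the chain, not once per member.
make_group WINSERVERS "$GROUP_DIR/winservers"
$IPTABLES -A WINSERVERS -p tcp --dport 135:139 -j DROP
$IPTABLES -A WINSERVERS -p tcp --dport 445 -j DROP
# Check after a real load: the jump count should equal group_size.
#   iptables -L FORWARD -n | grep -c WINSERVERS
```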
* Re: Group on Iptables
From: Jim Carter @ 2003-08-28 17:22 UTC
To: Masiero Giorgio, PD; +Cc: netfilter
On Wed, 27 Aug 2003, Masiero Giorgio, PD wrote:
> I'm trying to translate our Checkpoint FW-1 ruleset into Iptables.
> The problem is this: Is it possible to use objects like Checkpoint
> Groups (that is a set of host and/or networks) into an Iptables
> rule.
One possibility is to use a netmask, e.g. -d 192.168.10.0/24 for that
subnet of 256 addresses. Similarly for -s. If the targeted nets or hosts
do not fall in a neat subnet, and if the set has to be referred to from
several places, you could make a special chain and jump to it. If no rule
in the chain eats the packet (-j DROP, -j ACCEPT, etc.), control will
return to where the chain was called.
It would be really nice to have an analog of -m multiport, for hosts or
networks. But I don't see one in
http://www.netfilter.org/documentation/pomlist/pom-extra.html
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
* Re: Group on Iptables
From: Ralf Spenneberg @ 2003-08-31 10:50 UTC
To: Masiero Giorgio, PD; +Cc: Netfilter
On Wed, 2003-08-27 at 16:44, Masiero Giorgio, PD wrote:
> Hi, my name is Giorgio,
> I'm trying to translate our Checkpoint FW-1 ruleset into Iptables.
> I do not know iptables well so I really need a suggestion to plan my future efforts.
> The problem is this:
> Is it possible to use objects like Checkpoint Groups (that is, a set of hosts and/or networks) in an Iptables rule?
>
> It seems to me that iptables accepts a source/destination that is only one host/network.
>
You can use the ippool feature to match several hosts using one rule.
ippool is in patch-o-matic. Go to the netfilter homepage and read up on
applying patch-o-matic and ippool.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org