* safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-03-04 23:16 UTC
To: netfilter discussion list
Hi folks,
You probably know the feeling, that cold and hot rush of adrenaline
after you've typed "iptables-restore < new-ruleset" and didn't get to
see the shell prompt again: you've just locked yourself out of
a machine that's potentially far away, and you feel like vandalism,
or screaming at the top of your lungs, or whatever.
I've had that feeling once too many times and ended up writing
iptables-apply[0] with a docbook manpage[1].
0. http://svn.madduck.net/pub/sbin/base/iptables-apply
1. http://svn.madduck.net/pub/sbin/base/iptables-apply.dbk
iptables-apply is a simple shell script which applies the new
ruleset and then prompts whether you like it. If you've locked
yourself out, you cannot answer the prompt, and if you don't, the
script rolls back the ruleset. Nice and simple.
Could this script possibly make it into the iptables distribution
tarball? I am flexible about the licence and all...
Thanks,
--
martin | http://madduck.net/ | http://two.sentenc.es/
perl -e 'print "The earth is a disk!\n" if ( "earth" == "flat" );'
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: Maximilian Wilhelm @ 2008-03-05 10:37 UTC
To: netfilter discussion list
On Wednesday, 5 March, martin f krafft typed the following:
Hi!
> You probably know the feeling, that cold and hot rush of adrenaline
> after you've typed "iptables-restore < new-ruleset" and didn't get to
> see the shell prompt again: you've just locked yourself out of
> a machine that's potentially far away, and you feel like vandalism,
> or screaming at the top of your lungs, or whatever.
> I've had that feeling once too many times and ended up writing
> iptables-apply[0] with a docbook manpage[1].
> 0. http://svn.madduck.net/pub/sbin/base/iptables-apply
> 1. http://svn.madduck.net/pub/sbin/base/iptables-apply.dbk
> iptables-apply is a simple shell script which applies the new
> ruleset and then prompts whether you like it. If you've locked
> yourself out, you cannot answer the prompt, and if you don't, the
> script rolls back the ruleset. Nice and simple.
Oh well, that's a different approach to my version :)
While hacking on a firewall management framework, I built such a
thing, too.
It works a bit differently but does basically the same thing.
My idea was to create a 'token' when the rules have been loaded, wait
for $TIME and if the token still exists (as in, has not been deleted,
because it was impossible) revert the ruleset to the old one.
Maybe this is also interesting for others:
* http://files.rfc2324.org/projects/alff/agent/alff-cat has to be installed
on the firewalls (config files in the same directory)
* I push rules to my machines using Alff but basically a
cat $rules_file | ssh -l root -x $firewall "alff-cat -" should work.
My scripts still use shell scripts with iptables commands in them, as I did
not finish the conversion to iptables-restore...
Just my 0,02 EUR
Greetz from frosty Zurich
Max
--
Follow the white penguin.
* Re: safely apply new rulesets: iptables-apply
From: Jan Engelhardt @ 2008-03-09 16:45 UTC
To: martin f krafft; +Cc: netfilter discussion list
On Mar 5 2008 00:16, martin f krafft wrote:
>
>iptables-apply is a simple shell script which applies the new
>ruleset and then prompts whether you like it. If you've locked
>yourself out, you cannot answer the prompt, and if you don't, the
>script rolls back the ruleset. Nice and simple.
It needs a minor tweak in that the timeout needs to be started
before you output anything to the terminal, just in case the
terminal blocks.
On a related note, you cannot trap signal 0:
trap "rm -f $TMPFILE" 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
>Could this script possibly make it into the iptables distribution
>tarball? I am flexible about the licence and all...
The idea gets my approval.
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-03-10 11:02 UTC
To: netfilter discussion list
thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.09.1745 +0100]:
> It needs a minor tweak in that the timeout needs to be started
> before you output anything to the terminal, just in case the
> terminal blocks.
I don't really see a way to do this trivially. If the terminal
blocks, the shell script will sooner or later be suspended and
unless I used an external resource like atd as timeout processor,
there's nothing I can do, I think.
But I can turn off all printing to the terminal, which is
informational anyway.
> On a related note, you cannot trap signal 0:
> trap "rm -f $TMPFILE" 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
Yes, you can. Trapping 0 means at-exit. Undoubtedly, I don't need it
because I remove the tmpfile at the end anyway, but it's just
a habit I formed and never broke with because it's the only reliable
way I found to get rid of tmpfiles from shell scripts.
> >Could this script possibly make it into the iptables distribution
> >tarball? I am flexible about the licence and all...
>
> The idea gets my approval.
Is there anything else I need to do?
Thanks.
--
martin | http://madduck.net/ | http://two.sentenc.es/
people with narrow minds usually have broad tongues.
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: Jan Engelhardt @ 2008-03-11 18:54 UTC
To: martin f krafft; +Cc: netfilter discussion list
On Mar 10 2008 12:02, martin f krafft wrote:
>thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.09.1745 +0100]:
>> It needs a minor tweak in that the timeout needs to be started
>> before you output anything to the terminal, just in case the
>> terminal blocks.
>
>I don't really see a way to do this trivially.
echo "Applying new rules...";
iptables-restore <new.txt;
if [ "$?" -ne 0 ]; then
	echo "Dude, that failed horribly. (Old rules still intact.)";
	exit 1;
fi;
echo "Also try starting a new connection to the "\
	"machine to verify that NEW connections are accepted "\
	"besides ESTABLISHED. Do the rules work? (y/n) " &
read -t 10 x;
if [ "$x" != "y" ]; then
	iptables-restore <old.txt;
fi;
>> On a related note, you cannot trap signal 0:
>> trap "rm -f $TMPFILE" 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
>
>Yes, you can. Trapping 0 means at-exit.
Oh, then probably use "EXIT" instead of "0" :-)
>> >Could this script possibly make it into the iptables distribution
>> >tarball? I am flexible about the licence and all...
>>
>> The idea gets my approval.
>
>Is there anything else I need to do?
>
A bit of CodingStyle perhaps, i.e. tabs for logical indent,
and of course a patch with the updated script.
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-03-11 19:00 UTC
To: netfilter discussion list
thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.11.1954 +0100]:
> A bit of CodingStyle perhaps, i.e. tabs for logical indent, and of
> course a patch with the updated script.
Well, I disagree on the tabs, but I also don't care, so I'll do
that.
You want a patch against the netfilter tarball or the $VCS?
--
martin | http://madduck.net/ | http://two.sentenc.es/
the images rushed around his mind and tried
to find somewhere to settle down and make sense.
-- douglas adams, "the hitchhiker's guide to the galaxy"
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: Jan Engelhardt @ 2008-03-11 19:30 UTC
To: martin f krafft; +Cc: netfilter discussion list
On Mar 11 2008 20:00, martin f krafft wrote:
>
>You want a patch against the netfilter tarball or the $VCS?
>
It does not matter, since you do not modify an existing file.
In fact, posting the bare script without the diff stars is
also just fine (like before). The log message we probably
take from your first post (
http://marc.info/?l=netfilter&m=120467471528187&w=2 ), seems
good enough :-)
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-03-11 20:29 UTC
To: netfilter discussion list
thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.11.2030 +0100]:
> It does not matter, since you do not modify an existing file. In
> fact, posting the bare script without the diff stars is also just
> fine (like before). The log message we probably take from your
> first post ( http://marc.info/?l=netfilter&m=120467471528187&w=2
> ), seems good enough :-)
Done. Could I please ask you to commit then?
--
martin | http://madduck.net/ | http://two.sentenc.es/
"emacs sucks, literally, not an insult, just a comment that it's
large enough to have a noticeable gravitational pull..."
-- mercury on #debian-devel
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-04-04 6:32 UTC
To: netfilter discussion list
thus spoke martin f krafft <madduck@madduck.net> [2008.03.11.2129 +0100]:
> thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.11.2030 +0100]:
> > It does not matter, since you do not modify an existing file. In
> > fact, posting the bare script without the diff stars is also just
> > fine (like before). The log message we probably take from your
> > first post ( http://marc.info/?l=netfilter&m=120467471528187&w=2
> > ), seems good enough :-)
>
> Done. Could I please ask you to commit then?
Any news on this? Are you still waiting for me to do something?
--
martin | http://madduck.net/ | http://two.sentenc.es/
stupidity management for the superuser
is a user space issue in unix systems.
-- alan cox
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: Jan Engelhardt @ 2008-04-10 10:29 UTC
To: martin f krafft; +Cc: netfilter discussion list
On Friday 2008-04-04 08:32, martin f krafft wrote:
>thus spoke martin f krafft <madduck@madduck.net> [2008.03.11.2129 +0100]:
>> thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.03.11.2030 +0100]:
>> > It does not matter, since you do not modify an existing file. In
>> > fact, posting the bare script without the diff stars is also just
>> > fine (like before). The log message we probably take from your
>> > first post ( http://marc.info/?l=netfilter&m=120467471528187&w=2
>> > ), seems good enough :-)
>>
>> Done. Could I please ask you to commit then?
>
>Any news on this? Are you still waiting for me to do something?
My patch queue finally starts to decrease..—
Anyway, could you make a normal manpage instead of a .dbk file?
This is easier to process (because it needs no processing at all -hehe)
Thanks!
Jan
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-04-10 13:34 UTC
To: Jan Engelhardt; +Cc: netfilter discussion list
thus spoke Jan Engelhardt <jengelh@computergmbh.de> [2008.04.10.1229 +0200]:
> My patch queue finally starts to decrease..—
yay!
> Anyway, could you make a normal manpage instead of a .dbk file?
> This is easier to process (because it needs no processing at all -hehe)
> Thanks!
It's attached. Thanks!
--
martin | http://madduck.net/ | http://two.sentenc.es/
after you install windows xp, you have the option to create user
accounts. if you create user accounts, by default, they will have an
account type of administrator with no password. way to go!
spamtraps: madduck.bogus@madduck.net
[-- Attachment: iptables-apply.8 --]
.\" Title: iptables-apply
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\" Date: Jun 04, 2006
.\" Manual:
.\" Source:
.\"
.TH "IPTABLES\-APPLY" "8" "Jun 04, 2006" "" ""
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
iptables-apply \- a safer way to update iptables remotely
.SH "SYNOPSIS"
.HP 15
\fBiptables\-apply\fR [\-\fBthV\fR]\fI ruleset\-file\fR
.SH "DESCRIPTION"
.PP
iptables\-apply will try to apply a new ruleset (as output by iptables\-save/read by iptables\-restore) to iptables, then prompt the user whether the changes are okay\&. If the new ruleset cut the existing connection, the user won\'t be able to answer affirmatively\&. In this case, the script rolls back to the previous ruleset after the timeout expired\&. The timeout can be set with
\fB\-t\fR\&.
.PP
When called as ip6tables\-apply, the script will use ip6tables\-save/\-restore instead\&.
.SH "OPTIONS"
.PP
\-t \fIseconds\fR, \-\-timeout \fIseconds\fR
.RS 4
Sets the timeout after which the script will roll back to the previous ruleset\&.
.RE
.PP
\-h, \-\-help
.RS 4
Display usage information\&.
.RE
.PP
\-V, \-\-version
.RS 4
Display version information\&.
.RE
.SH "SEE ALSO"
.PP
\fBiptables-restore\fR(1),
\fBiptables-save\fR(1),
\fBiptables\fR(8)\&.
.SH "LEGALESE"
.PP
iptables\-apply is copyright by martin f\&. krafft
.PP
This manual page was written by martin f\&. krafft
<madduck@madduck\&.net>
.PP
Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2\&.0
* Re: safely apply new rulesets: iptables-apply
From: Martijn Lievaart @ 2008-04-16 21:56 UTC
To: Jan Engelhardt; +Cc: martin f krafft, netfilter discussion list
Jan Engelhardt wrote:
> echo "Applying new rules...";
> iptables-restore <new.txt;
> if [ "$?" -ne 0 ]; then
> echo "Dude, that failed horribly. (Old rules still intact.)";
> exit 1;
> fi
Are you sure? I think it may have committed some tables already and
errored on another.
M4
* Re: safely apply new rulesets: iptables-apply
From: martin f krafft @ 2008-04-17 8:05 UTC
To: Martijn Lievaart; +Cc: Jan Engelhardt, netfilter discussion list
thus spoke Martijn Lievaart <m@rtij.nl> [2008.04.16.2356 +0200]:
>> echo "Applying new rules...";
>> iptables-restore <new.txt;
>> if [ "$?" -ne 0 ]; then
>> echo "Dude, that failed horribly. (Old rules still intact.)";
>> exit 1;
>> fi
>
> Are you sure? I think it may have committed some tables already and
> errored on another.
No, I am not sure. But wouldn't that be a bug? iptables-restore
gives the impression to be transaction-oriented. It should be
all-or-nothing, I think.
--
martin | http://madduck.net/ | http://two.sentenc.es/
"whereof one cannot speak, thereof one must be silent."
-- wittgenstein
spamtraps: madduck.bogus@madduck.net
* Re: safely apply new rulesets: iptables-apply
From: Покотиленко Костик @ 2008-04-17 10:12 UTC
To: martin f krafft
Cc: Martijn Lievaart, Jan Engelhardt, netfilter discussion list
On Thu, 17/04/2008 at 10:05 +0200, martin f krafft writes:
> thus spoke Martijn Lievaart <m@rtij.nl> [2008.04.16.2356 +0200]:
> >> echo "Applying new rules...";
> >> iptables-restore <new.txt;
> >> if [ "$?" -ne 0 ]; then
> >> echo "Dude, that failed horribly. (Old rules still intact.)";
> >> exit 1;
> >> fi
> >
> > Are you sure? I think it may have committed some tables already and
> > errored on another.
>
> No, I am not sure. But wouldn't that be a bug? iptables-restore
> gives the impression to be transaction-oriented. It should be
> all-or-nothing, I think.
By default iptables-save generates a file which COMMITs after each table.
Is it possible to COMMIT once for all tables at the end? If this is
possible, this will be the solution (all or nothing).
--
Покотиленко Костик <casper@meteor.dp.ua>
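Pulling the thread's ideas together, here is an added example (my code, not the iptables-apply script, not alff-cat and not Jan's snippet above): a POSIX sh rollback watchdog that combines Jan's confirm-or-revert sequence with Max's token idea, addresses Jan's point that the timer must be running before anything is written to the terminal, and takes Martijn's and Kostik's point seriously that iptables-restore COMMITs table by table, so a failed load can leave earlier tables already changed. The names safe_apply and rollback, the token file, and the IPTABLES_SAVE / IPTABLES_RESTORE override variables are assumptions of this example (they let the real binaries be swapped for test doubles); the rollback is always a full restore of a snapshot taken before the change rather than a per-table undo. One caveat the thread does not mention: later iptables-restore versions accept --test (-t) to parse a ruleset without committing it, which catches syntax errors before any table is touched, but not lock-outs.

```shell
#!/bin/sh
# safe_apply: load a new iptables-save style ruleset with a rollback watchdog.
# Added example for this thread; it is not the iptables-apply script, alff-cat
# or Jan's snippet. Assumed (not from the thread): IPTABLES_SAVE/IPTABLES_RESTORE
# may be overridden so the real binaries can be swapped for test doubles.

: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# rollback SNAPSHOT: restore the saved ruleset; keep the file if that fails.
rollback() {
    if "$IPTABLES_RESTORE" < "$1"; then
        rm -f "$1"
    else
        printf 'rollback FAILED, snapshot kept at %s\n' "$1" >&2
        return 1
    fi
}

# safe_apply NEW_RULESET [TIMEOUT_SECONDS]
# Returns 0 if the new ruleset was confirmed and kept, 1 if it was rolled back.
safe_apply() {
    new=$1
    timeout=${2:-10}
    snapshot=$(mktemp) || return 1
    token=$(mktemp) || { rm -f "$snapshot"; return 1; }

    # 1. Snapshot ALL tables first. iptables-restore COMMITs table by table, so
    #    an error in a later table can leave earlier ones already changed; the
    #    only safe undo is a full restore of this snapshot, not a per-table one.
    if ! "$IPTABLES_SAVE" > "$snapshot"; then
        rm -f "$snapshot" "$token"
        return 1
    fi

    # 2. Start the watchdog BEFORE writing anything to the terminal, with its
    #    own output discarded, so a dead or blocking session cannot stall it.
    #    The token file means "still waiting for confirmation"; unlink() is
    #    atomic, so whichever side removes it first owns the decision.
    (
        sleep "$timeout"
        if rm "$token" 2>/dev/null; then
            rollback "$snapshot"
        fi
    ) >/dev/null 2>&1 &
    watchdog=$!

    # 3. Load the new ruleset. A failure here may already be a partial commit.
    if ! "$IPTABLES_RESTORE" < "$new"; then
        if rm "$token" 2>/dev/null; then
            kill "$watchdog" 2>/dev/null || :
            rollback "$snapshot" || :
        fi
        return 1
    fi

    # 4. Ask. Suggest opening a NEW connection: an ESTABLISHED one may survive
    #    rules that will lock out the next login.
    printf 'New ruleset is live. Open a NEW connection to check it. Keep it? [y/N] '
    if read -r answer && [ "$answer" = y ] && rm "$token" 2>/dev/null; then
        kill "$watchdog" 2>/dev/null || :
        rm -f "$snapshot"
        return 0
    fi

    # 5. Declined, EOF on stdin, or the watchdog already fired (token gone).
    if rm "$token" 2>/dev/null; then
        kill "$watchdog" 2>/dev/null || :
        rollback "$snapshot" || :
    else
        wait "$watchdog" 2>/dev/null || :
    fi
    return 1
}

# Command-line use (as root): safe_apply.sh NEW_RULESET [TIMEOUT]
if [ $# -gt 0 ]; then
    safe_apply "$@"
fi
```

Because the watchdog neither reads from nor writes to the terminal, a session that hangs on output is still rolled back when the timer expires; the foreground read only decides whether to cancel that rollback, and the token file settles the race between the two.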