Re: iptables-save/restore with dynamic IP
On Wed, 2004-10-20 at 14:20, Martin G.H. Minkler wrote:
> Alohá!

snip...

> Unfortunately I am working with a dynamically assigned IP that is passed
> to the iptables script called in /etc/ppp/ip-up by pppd.

So, run your iptables-restore in the boot sequence, e.g. /etc/init.d/iptables, and call a script at the end of any if-up scripts to add the dynamic addresses after they have been assigned. This way you have a basic ruleset running before any network is up, and then use the interface "up" scripts to insert any IP-specific rules after any dynamic assignments are made. You will always know the correct rule number to insert at if you keep the interfaces as separate chains.

Regards,
Peter
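The layout Peter describes, written out as an added example that is not from the thread: an interface-only baseline restored at boot, and ip-up/ip-down hooks that insert the address-specific rule into the interface's own chain. It assumes chains named IN_<IFACE>, a rules file at /etc/iptables/rules.v4, a 192.168.0.0/24 LAN and a DRY_RUN switch for testing; pppd really does pass the interface as $1 and the local address as $4 to /etc/ppp/ip-up.

```shell
# Baseline ruleset in iptables-save format. Each interface gets its own
# sanity chain (IN_PPP0, IN_ETH0) that only drops bad packets and otherwise
# RETURNs to INPUT; nothing here depends on the dynamic ppp0 address.
baseline_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_PPP0 - [0:0]
:IN_ETH0 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j IN_PPP0
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A IN_ETH0 ! -s 192.168.0.0/24 -j DROP
COMMIT
EOF
}

RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}  # assumed location
DRY_RUN=${DRY_RUN:-}   # non-empty: print the iptables commands instead of running

run() {
    # Execute the command, or print it when DRY_RUN is set (lets the hooks be tested)
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Boot time (e.g. from /etc/init.d/iptables): a redirect, not 'cat file | ...'.
restore_baseline() {
    run iptables-restore < "$RULES_FILE"
}

# Map an interface name to its sanity chain: ppp0 -> IN_PPP0
chain_for() { echo "IN_$(echo "$1" | tr 'a-z' 'A-Z')"; }

# Called from /etc/ppp/ip-up as: ipup_rules "$1" "$4"  (pppd passes the
# interface as $1 and the local IP as $4). Packets arriving on ppp0 that
# claim our own address are spoofed. Inserting at position 1 of the
# interface's own chain keeps the rule number known whatever INPUT holds.
ipup_rules() {
    run iptables -I "$(chain_for "$1")" 1 -s "$2" -j DROP
}

# Called from /etc/ppp/ip-down with the same arguments; delete by rule spec
ipdown_rules() {
    run iptables -D "$(chain_for "$1")" -s "$2" -j DROP
}
```

Save `baseline_ruleset` output once to the rules file and let the init script call `restore_baseline`; the hooks then never have to count rules in INPUT.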
Re: iptables-save/restore with dynamic IP
On Thu 21/10/2004 at 15:41, martin f krafft wrote:
> > setups in which a LAN and a gateway with just one NIC were sharing a
>
> What's a gateway with just one NIC?

Actually, one can build a very good firewall with only one physical NIC. Well OK, I admit you also need a manageable switch, which is very likely going to cost you much more than a regular switch plus an additional NIC, but if you happen to have only one NIC and no way to add another one in your FW machine, or if you want to have multiple DMZs, 802.1Q VLANs might be an interesting concept.

Regards,
Sebastien
Re: iptables-save/restore with dynamic IP
martin f krafft wrote:
> Uh, ANY always holds, so it does not matter if you leave out the
> destination address. FWIW, destination IPs *cannot* be spoofed.
>
> Also, I am not sure you understand iptables correctly. If you specify
> two criteria in a rule, then they both have to hold. If you want to
> implement OR, you need two rules.

What I was trying to do: if one criterion for ACCEPT could be met by an attacker by spoofing, the other would still hold and let the packet carry on down the chains to be rejected ;-)

> > setups in which a LAN and a gateway with just one NIC were sharing a
>
> What's a gateway with just one NIC?

PPPoE (WAN) on ppp0 and TCP/IP (LAN) on eth0 - both on the same physical NIC. It's as bad as it gets, but if you have to make do with the hardware that's there... I do strongly recommend to those people to go and buy another NIC, which they never do - M$-users, as long as it works it can't be wrong ~:-/

regards
Martin
Re: iptables-save/restore with dynamic IP
Greetings!

On Thu, 21 Oct 2004 16:15:49 +0200 martin f krafft <[EMAIL PROTECTED]> wrote:
> also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2004.10.21.1549 +0200]:
> > The only time I've seen this done has been with PPPoE; the gateway
> > talked PPPoE with the remote end, and communicated with the LAN
> > via the same NIC. Not that secure, but got the network running.
>
> Sounds horrible.

While it's the same physical interface, they are logically disjunct: internet is at ppp0 while LAN is at eth0. As long as you just filter against ppp0 it should be comparatively safe (safer than directly connected Win* machines, that is). You're not safe at all against attacks (or misconfigurations) from the inside with this technique, though...

I usually prefer physical separations of green/yellow/red networks, too, so this setup should only be used as an emergency measure...

Bye

Volker Tanger
ITK Security
Re: iptables-save/restore with dynamic IP
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2004.10.21.1549 +0200]:
> The only time I've seen this done has been with PPPoE; the gateway
> talked PPPoE with the remote end, and communicated with the LAN
> via the same NIC. Not that secure, but got the network running.

Sounds horrible.

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: iptables-save/restore with dynamic IP
On Thu, Oct 21, 2004 at 03:41:30PM +0200, martin f krafft wrote:
> also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.21.1532 +0200]:
>
> > setups in which a LAN and a gateway with just one NIC were sharing a
>
> What's a gateway with just one NIC?

The only time I've seen this done has been with PPPoE; the gateway talked PPPoE with the remote end, and communicated with the LAN via the same NIC. Not that secure, but got the network running. The network's owner then went and bought another NIC for the PPPoE interface at a later date.

-- 
Simon
Re: iptables-save/restore with dynamic IP
also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.21.1532 +0200]:
> The basic idea was to double-latch things, if one criterion could
> be spoofed the other would still hold.

Uh, ANY always holds, so it does not matter if you leave out the destination address. FWIW, destination IPs *cannot* be spoofed.

Also, I am not sure you understand iptables correctly. If you specify two criteria in a rule, then they both have to hold. If you want to implement OR, you need two rules.

> setups in which a LAN and a gateway with just one NIC were sharing a

What's a gateway with just one NIC?

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: iptables-save/restore with dynamic IP
martin f krafft wrote:
> also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.21.1345 +0200]:
> > Although it is hardly imaginable that someone manages to spoof the
> > interface match, I wanted my rules as tight as possible, thus using
> > interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d $IP_INET -i
> > $DEV_INET -m state --state NEW -j BLACKLIST') - it would naturally
> > all be solved if I refrained from using variables and resorted to
> > -i ppp0 instead.
>
> Why do you want your rules to be as tight as possible? While I
> fundamentally agree with this approach, I don't really see an added
> value for limiting the destination address.

The basic idea was to double-latch things: if one criterion could be spoofed, the other would still hold. When it comes to a PPPoE connection, the single IP and gateway provided by the ISP certainly limit the probability of any of that happening; on the other hand I have seen bad setups in which a LAN and a gateway with just one NIC were sharing a switch - filtering $DEV_INET would mean filtering $DEV_LAN at the same time. Well, looks like I still have to think up a situation where this rule would provide any additional protection though ;-)

> You do know that there are plenty of firewall scripts for iptables
> already, right?

Sure, I just like fiddling with things under the hood, messing them up and putting them back together ;-) IMHO with a bit of knowledge it is sometimes much easier to quickly act upon tsunamis of worms sweeping through a LAN from a few infected M$-boxes. Dropping their MAC addresses so they can't bug the outside world is often more a question of speed than comfortable configuration (and eventually necessary stop/start steps). For quick and easy setups I enjoy shorewall very much.

best regards
Martin
Re: iptables-save/restore with dynamic IP
also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.21.1345 +0200]:
> > iptables-restore < file
>
> Sorry, beginner's idiocy, copying stuff from a tutorial he read.

No reason to be sorry. It took me a while to learn this too...

> Although it is hardly imaginable that someone manages to
> spoof the interface match, I wanted my rules as tight as possible,
> thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d
> $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST') - it
> would naturally all be solved if I refrained from using variables
> and resorted to -i ppp0 instead.

Why do you want your rules to be as tight as possible? While I fundamentally agree with this approach, I don't really see an added value for limiting the destination address.

> But since I'm experimenting and learning, some non-pragmatical
> approaches may occur, especially since I want to keep the script as
> generic/cross-distro-usable as possible :-)

You do know that there are plenty of firewall scripts for iptables already, right?

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Re: iptables-save/restore with dynamic IP
martin f krafft wrote:
> also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.20.1420 +0200]:
> > ('cat iptables-restore' will restore that table accordingly)
>
> another useless use of cat
>
> iptables-restore < file

Sorry, beginner's idiocy, copying stuff from a tutorial he read.

> > Unfortunately I am working with a dynamically assigned IP that is passed
> > to the iptables script called in /etc/ppp/ip-up by pppd.
>
> Why do you care about your IP in the firewall rules? Use interface
> matching instead!

Although it is hardly imaginable that someone manages to spoof the interface match, I wanted my rules as tight as possible, thus using interface _and_ DynIP ('$IPTABLES -A INPUT -p tcp -d $IP_INET -i $DEV_INET -m state --state NEW -j BLACKLIST') - it would naturally all be solved if I refrained from using variables and resorted to -i ppp0 instead.

But since I'm experimenting and learning, some non-pragmatical approaches may occur, especially since I want to keep the script as generic/cross-distro-usable as possible :-)

Thanks anyway
Martin
Re: iptables-save/restore with dynamic IP
also sprach Martin G.H. Minkler <[EMAIL PROTECTED]> [2004.10.20.1420 +0200]:
> ('cat iptables-restore' will restore that table
> accordingly)

another useless use of cat

iptables-restore < file

> Unfortunately I am working with a dynamically assigned IP that is passed
> to the iptables script called in /etc/ppp/ip-up by pppd.

Why do you care about your IP in the firewall rules? Use interface matching instead!

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!