Benno Schulenberg wrote:
> (By the way, please do not reply to another message when starting a
> new topic.)
>
> Benno
Sorry for that. So I start a new thread now.
> Daniel Waeber wrote:
>> I was looking for a way to set the default rule for the INPUT
>> chain to DROP. I do not want to change the rule with iptables -P
>> INPUT DROP after loading the kernel, I want that the
>> kernel/modules automatically DROPS everything after it has been
>> loaded.
>> You can do this with the FORWARD chain with the parameter
>> forward=0, but nothing is implemented for the INPUT chain as far
>> as I know. I looked inside the kernel source of the modules, and
>> hey, it is easy to change. I recompiled the module, reloaded it.
>> Perfect, now I have default DROP.
>> But as it is so easy to edit, why is there no option in the
>> kernel or a parameter for the module?
>
> Make a patch that adds this parameter, allowing one to set the
> default policy for the input chain (and output chain too), and
> submit it to the kernel list. Or show it here first. I'd be
> interested.
Because I'm new to Linux, this is my first patch, so I don't know if
everything is done right. Perhaps someone can examine it before I send
it to kernel.org. I added code so you can pass the parameters "input=0"
and "output=0" to the iptable_filter module to change the policies. It's
the same code already implemented for the forward chain, which can be
set to 0 to drop, 1 to accept.
I don't know how or if this parameter can be passed if netfilter is
built inside the kernel, so perhaps this is not the perfect solution.
Have fun with a default denying firewall :)
diff -upr linux-2.6.16-gentoo-r3/net/ipv4/netfilter/iptable_filter.c
netfilter_dorp_patch_linux/net/ipv4/netfilter/iptable_filter.c
--- linux-2.6.16-gentoo-r3/net/ipv4/netfilter/iptable_filter.c 2006-04-21
22:51:05.000000000 +0200
+++ netfilter_dorp_patch_linux/net/ipv4/netfilter/iptable_filter.c
2006-04-21 22:38:07.000000000 +0200
@@ -135,21 +135,45 @@ static struct nf_hook_ops ipt_ops[] = {
},
};
-/* Default to forward because I got too much mail already. */
+/* Default options for the kernel module */
+/* As default everything is accepted */
+static int input = NF_ACCEPT;
+module_param(input, bool, 0000);
+
static int forward = NF_ACCEPT;
module_param(forward, bool, 0000);
+static int output = NF_ACCEPT;
+module_param(output, bool, 0000);
+
+
+
static int __init init(void)
{
int ret;
+ if (input < 0 || input > NF_MAX_VERDICT ) {
+ printk("iptables input must be 0 or 1\n");
+ return -EINVAL;
+ }
if (forward < 0 || forward > NF_MAX_VERDICT) {
printk("iptables forward must be 0 or 1\n");
return -EINVAL;
}
+ if (output < 0 || output > NF_MAX_VERDICT) {
+ printk("iptables output must be 0 or 1\n");
+ return -EINVAL;
+ }
+ /* Set the default policys according to the module parameters */
+ /* Entry 0 is the INPUT hook */
+ initial_table.entries[0].target.verdict = -input -1;
/* Entry 1 is the FORWARD hook */
initial_table.entries[1].target.verdict = -forward - 1;
+ /* Entry 2 is the OUTPUT hook */
+ initial_table.entries[2].target.verdict = -output -1;
+
+
/* Register table */
ret = ipt_register_table(&packet_filter, &initial_table.repl);
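Review bot: the range checks on the new `input` and `output` parameters (copied from the existing `forward` check) accept any value from 0 up to NF_MAX_VERDICT, while the printk text says the value "must be 0 or 1"; because the parameters are declared with the `bool` type they can only ever hold 0 or 1 anyway, so either tighten the condition to `input > 1` or reword the message so the check and the text agree. The three printk calls should carry a log level (`printk(KERN_ERR "iptables input must be 0 or 1\n");`), and each new parameter wants a `MODULE_PARM_DESC(input, "...")` so that modinfo documents it, since nothing in the hunk tells a user that 0 means DROP and 1 means ACCEPT. Minor style: `-input -1` and `-output -1` should be spaced like the existing `-forward - 1`, "policys" in the comment should read "policies", and the runs of added blank lines after the module_param block and after the OUTPUT assignment should be dropped.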