On Thursday 16 November 2006 01:15, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> >> On Wed, 15 Nov 2006, Mick wrote:
> >
> > UPLINK="eth0 wlan0 ppp0"
> > for x in ${UPLINK}
> > do
> >   iptables -A INPUT -i ! ${x} -j ACCEPT
> >   . . . more rules . . .
> >   iptables -A INPUT -p tcp -i ${x} -j DROP
> > done
> > =====================================================
> > type of thing. Not sure if the syntax is correct, but the idea is that
> > we define multiple interfaces, but only write the rules once with the
> > variable 'x' where the interface is meant to go.
>
> I'm not 100% certain that I understand the goal, so please let me know
> if I've gotten it wrong. It sounds like you want to apply identical
> firewall rules to each of three interfaces. It's possible that there
> are other interfaces, and if traffic arrives on those interfaces, then
> it should not be matched by the rules in the for loop.
Yes, it's a laptop, so there is no internal/external interface(s) split in
terms of trust; well, other than "lo".

> If this is the case, then yes, the for loop you've suggested should be
> perfectly fine. The rules you specify in that loop will only be applied
> to traffic which arrives on the interfaces that you loop through.

I think that by partly showing my rule set I have confused the point. I
should have made it clearer; this is my main set of rules right now:
======================================
UPLINK="eth0"
if [ "$1" = "start" ]
then
  echo "Starting firewall..."
  iptables -P INPUT DROP
  iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  #Allow rsync connections from study1 to update portage
  iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
  #Allow tcp connections from study1 to download distfiles
  iptables -A INPUT -i ${UPLINK} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
  iptables -A INPUT -p tcp -i ${UPLINK} -j DROP
  iptables -A INPUT -p udp -i ${UPLINK} -j DROP
  [snip...]
elif [ "$1" = "stop" ]
then
  echo "Stopping firewall..."
  iptables -F INPUT
  iptables -P INPUT ACCEPT
  #turn off NAT/masquerading, if any
  iptables -t nat -F POSTROUTING
fi
======================================
(The ! ${UPLINK} rule is there to catch any external ifaces who might try to
spoof their address as localhost.)

> >> It's entirely possible that I'm misunderstanding the design of
> >> netfilter, but it seems to me that the solution to complicated rulesets
> >> is to permit boolean logic in rules like so:
> >>
> >>   iptables -A INPUT \
> >>     \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> >>     -j ACCEPT
> >
> > Is there a legit way of specifying such rules?
>
> Not that I'm aware of, but I'd very much like to be proven wrong. Does
> anyone else on the list know of a way to specify boolean conditions in
> iptables rules as illustrated above?
>
> For what it's worth, I have found a way to get something that
> approximates the ability to use ORs in iptables rules, but it borders on
> the criminally insane. I describe it below:

[snip...]

> As you can see, this method is pretty complicated, too. It's not really
> any substitute for "real" boolean logic (as described near the top of
> this post). If anyone knows of a way to do this, I'd like to know
> about it.

Me too!

Meanwhile, I've changed it to this:
==============================================
UPLINK="eth0 wlan0 ppp0"
if [ "$1" = "start" ]
then
  echo "Starting firewall..."
  for x in ${UPLINK}
  do
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${x} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #Allow rsync connections from study1 to update portage
    iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 873 -d 192.168.0.5 -j ACCEPT
    #Allow tcp connections from study1 to download distfiles
    iptables -A INPUT -i ${x} -p tcp -s 192.168.0.2 -m tcp --dport 1024 -d 192.168.0.5 -j ACCEPT
    iptables -A INPUT -p tcp -i ${x} -j DROP
    iptables -A INPUT -p udp -i ${x} -j DROP
  done
fi
==============================================
which seems to do the trick for my simple firewalling needs:
==============================================
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  !eth0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  eth0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  !wlan0 any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  wlan0  any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  wlan0  any     anywhere             anywhere
    0     0 DROP       udp  --  wlan0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  !ppp0  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:rsync
    0     0 ACCEPT     tcp  --  ppp0   any     study1               192.168.0.5         tcp dpt:1024
    0     0 DROP       tcp  --  ppp0   any     anywhere             anywhere
    0     0 DROP       udp  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 7060M bytes)
 pkts bytes target     prot opt in     out     source               destination
==============================================

Thank you all for your help! :)
-- 
Regards,
Mick
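The loop above as an added dry-run model (an editor's example, not code from the thread and not real iptables calls): each rule becomes a text line "target in proto dport state" and a packet is walked through the chain first-match, which shows that the `ACCEPT all -- !eth0` rule at the top of the posted `iptables -L -v` output matches every packet arriving on wlan0 and ppp0, while a variant that accepts loopback once with `-i lo` keeps the per-interface DROP rules effective. Source/destination matching and the RELATED state are left out, and the names rules_original, rules_fixed, match_field and verdict are assumptions of this example.

```shell
# Added dry-run model, not from the thread. A rule is one text line
# "target in proto dport state"; '*' is a wildcard and a leading '!' on the
# interface means "any interface but this one" (the -i ! X syntax above).
UPLINK="eth0 wlan0 ppp0"

# The posted loop: every pass begins with "-i ! $x -j ACCEPT".
rules_original() {
  for x in $UPLINK; do
    echo "ACCEPT !$x * * *"            # iptables -A INPUT -i ! $x -j ACCEPT
    echo "ACCEPT * * * ESTABLISHED"    # -m state --state ESTABLISHED,RELATED
    echo "ACCEPT $x tcp 873 *"         # rsync from study1
    echo "ACCEPT $x tcp 1024 *"        # distfiles from study1
    echo "DROP $x tcp * *"
    echo "DROP $x udp * *"
  done
}
# Variant: loopback once by name, stateful rule once, then loop the rest.
rules_fixed() {
  echo "ACCEPT lo * * *"               # iptables -A INPUT -i lo -j ACCEPT
  echo "ACCEPT * * * ESTABLISHED"
  for x in $UPLINK; do
    echo "ACCEPT $x tcp 873 *"
    echo "ACCEPT $x tcp 1024 *"
    echo "DROP $x tcp * *"
    echo "DROP $x udp * *"
  done
}

# match_field PATTERN VALUE: wildcard, negated interface, or exact match.
match_field() {
  case "$1" in
    '*')  return 0 ;;
    '!'*) [ "${1#!}" != "$2" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}
# verdict RULES IN PROTO DPORT STATE: target of the first matching rule,
# else the chain policy DROP, the way netfilter walks the INPUT chain.
verdict() {
  hit=$(printf '%s\n' "$1" | while read -r target rin rproto rdport rstate; do
    if match_field "$rin" "$2" && match_field "$rproto" "$3" \
       && match_field "$rdport" "$4" && match_field "$rstate" "$5"; then
      echo "$target"; break
    fi
  done)
  echo "${hit:-DROP}"
}
# A new TCP connection to port 22 arriving on wlan0, under each rule set.
echo "original: $(verdict "$(rules_original)" wlan0 tcp 22 NEW)"   # ACCEPT
echo "fixed:    $(verdict "$(rules_fixed)" wlan0 tcp 22 NEW)"      # DROP
```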