Hello,

While working on a near-natural-language firewall program, I've encountered this particular problem:

    # cat /proc/version
    Linux version 2.5.5-dj3 (root@barkonis) (gcc version 2.96 20000731 (Mandrake Linux 8.1 2.96-0.62mdk)) #1 Thu Mar 7 11:34:10 MET 2002
    # iptables --version
    iptables v1.2.6-20020306

script:

    ALLOWEDSERVS="tcp:ssh,http,ftp,smtp"
    WHATISALLOWED="tcp:3128,ftp,ssh,login,shell,5080,6000,ident"
    SCEDVT1="192.32.62.171"
    SCADVT1="192.32.62.156"
    PHB="192.32.22.146"
    ANDROMEDE="192.32.22.145"
    REMY="161.6.5.109"
    MADOU="161.6.5.108"
    ODIXION="192.32.23.160"

    limit desktops to do $FTP on me to 1 per host
    allow $PHB,$REMY,$MADOU,$ANDROMEDE to do $ALLOWEDSERVS on me
    allow $PHB,$ANDROMEDE to do $
    allow $SCEDVT1,$SCADVT1,$ODIXION to do $FTP on me
    allow
    allow desktops to do $SAMBA on me bidirectional
    allow me to do $WHATISALLOWED on desktops
    allow $PHB,$REMY to do $UT on me
    reject desktops when doing $UT on me saying icmp-port-unreachable
    deny desktops to do broadcast on me

which translates into:

    /sbin/iptables -N desktops
    /sbin/iptables -t filter -A desktops -j DROP
    ...
    /sbin/iptables -t filter -A desktops -p tcp -i eth0 -m mac --mac-source 00:01:02:F2:F1:9C --dport http --syn -j ACCEPT
    ...
    /sbin/iptables -t filter -D desktops -j DROP
    iptables: Invalid argument

If the MAC match line is discarded, the last line effectively erases the first rule of the 'desktops' chain, thus allowing chain parsing. Any clue?

BTW, if anybody is interested in such a script, I can post it here for people to work on. It's a one/two/three-interface-aware firewall script: automatic election of the proper interface, automatic chain construction, default-deny policy with some basic protection pre-loaded, etc. As of now this is a rather large shell script; it could easily be turned into a C program using yacc syntax.

Philippe BRAND
InfoEdpRsaVdf
Tel#47494
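Added example, not Philippe's script and not part of the netfilter project: a small POSIX-shell translator for the "allow <hosts> to do <proto>:<services> on me" form of the rule language quoted above. It echoes the iptables command lines instead of running them, so it can be read and tested offline. The host variables, the ALLOWEDSERVS value, the /sbin/iptables path and the eth0 interface are taken from the post; the function names (allow_on_me, build_chain, rule_count) are assumptions. It also shows the chain being built fail-closed behind a leading DROP and that placeholder being removed by rule number (-D chain 1) rather than by re-specifying it (-D chain -j DROP) as the generated output above does; whether that sidesteps the "Invalid argument" on the 2.5.5-dj3 kernel is not established here.

```shell
#!/bin/sh
# Added example (not the poster's script): translate rule-language lines of
# the form "allow <hosts> to do <proto>:<services> on me" into iptables
# commands.  Commands are printed, never executed, so this runs offline.
# Function names are assumptions; host values come from the post.

IPT=${IPT:-/sbin/iptables}   # iptables path as shown in the post
IF=${IF:-eth0}               # inbound interface, as in the post's MAC rule

# Sample input taken from the post.
PHB="192.32.22.146"
ANDROMEDE="192.32.22.145"
ALLOWEDSERVS="tcp:ssh,http,ftp,smtp"

# allow_on_me CHAIN "host1,host2" "proto:svc1,svc2"
# Emits one ACCEPT rule per (host, service) pair.  For tcp the rule matches
# only connection-opening packets (--syn), like the post's generated http rule.
# Returns non-zero for a protocol the translator does not know how to render.
allow_on_me() {
    chain=$1 hosts=$2 spec=$3
    proto=${spec%%:*}        # text before the first ':'
    services=${spec#*:}      # text after the first ':'
    case $proto in
        tcp) extra=" --syn" ;;
        udp) extra="" ;;
        *)   echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    oldifs=$IFS
    IFS=,                    # split the comma-separated host and service lists
    for h in $hosts; do
        for s in $services; do
            printf '%s -t filter -A %s -p %s -i %s -s %s --dport %s%s -j ACCEPT\n' \
                "$IPT" "$chain" "$proto" "$IF" "$h" "$s" "$extra"
        done
    done
    IFS=$oldifs
}

# build_chain CHAIN
# Creates the chain with a leading DROP so it passes nothing while being
# filled, appends the ACCEPT rules, then removes the placeholder by its
# position (rule 1) instead of by repeating its specification.
build_chain() {
    chain=$1
    echo "$IPT -N $chain"
    echo "$IPT -t filter -A $chain -j DROP"
    allow_on_me "$chain" "$PHB,$ANDROMEDE" "$ALLOWEDSERVS"
    echo "$IPT -t filter -D $chain 1"
}

# rule_count CHAIN HOSTS SPEC: number of ACCEPT rules allow_on_me would emit.
rule_count() {
    allow_on_me "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone usage: print the command sequence for the 'desktops' chain.
build_chain desktops
```

The `-D chain rulenum` form is documented in iptables(8) alongside `-D chain rule-specification`; deleting by number asks the kernel to drop an entry by position, so nothing has to be re-matched against the stored rule. Run the script as-is to see the full sequence for the two hosts and four services (eight ACCEPT lines between the placeholder DROP and its removal).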