FS#4 - iptables init script rewrite

Attached to Project: Packages
Opened by Phillip Smith (fukawi2) - Monday, 02 November 2009, 05:56 GMT
Last edited by Phillip Smith (fukawi2) - Thursday, 11 February 2010, 05:43 GMT
Task Type: Enhancement
Category: server-core
Status: Assigned
Assigned To: Phillip Smith (fukawi2)
Operating System: All
Severity: Low
Priority: High
Reported Version: 1.0
Due in Version: spruce
Due Date: Undecided
Percent Complete: 50%
Votes: 1
Private: No

Details

Rewrite of the iptables init script to allow firewall rules to be maintained and updated by the package, but without affecting local rules implemented by the user.

Example configuration:

The iptables package should install:
/etc/iptables/rules.d/10-base.rules
/etc/iptables/rules.d/15-scrubbing.rules
/etc/iptables/rules.d/20-stealth.rules
/etc/iptables/rules.d/99-outbound.rules

The init script will load any *.rules file it finds in /etc/iptables/rules.d/, in order, to create a complete firewall. The user is free to add any additional .rules files (e.g. 40-local.rules) they require, which will be loaded automatically.

Outstanding Issues:
- How to allow the user to disable a .rules file without breaking the rest of the ruleset?
- How do we determine the default policies to be pushed with a package?
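One way a loader of the shape described above could assemble the fragments, added here as an illustration and not taken from the Arch Server package: it concatenates the *.rules files in filename order into a single iptables-restore input, so the whole ruleset is committed atomically or not at all. The .rules.disabled marker file (a user disables a packaged fragment without editing it, so the fragment survives package upgrades), the default policies living in the loader rather than in any fragment, and the RULES_DIR variable are assumptions made for this example; the task itself leaves both outstanding issues open.

```shell
#!/bin/sh
# Added example, not the Arch Server init script: build one iptables-restore
# input from every *.rules fragment in a rules.d directory, in filename order.
# Assumptions (not stated in the task): each fragment holds bare filter-table
# rule lines such as "-A INPUT -p tcp --dport 22 -j ACCEPT"; a fragment is
# disabled by creating an empty marker "<name>.rules.disabled" beside it, so
# the packaged file itself is never edited and is kept intact on upgrade.

RULES_DIR="${RULES_DIR:-/etc/iptables/rules.d}"

# Print the assembled ruleset for the directory given as $1.
assemble_rules() {
    dir="$1"
    echo '*filter'
    # Default policies belong to the loader, not to any fragment, so a
    # package cannot change them just by dropping a file into rules.d
    # (assumed answer to the second outstanding issue).
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The glob expands in sorted order, so the numeric prefix (10-, 15-,
    # 20-, 40-, 99-) decides where each fragment lands in the chains.
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue            # empty directory: glob stayed literal
        if [ -e "$f.disabled" ]; then
            # Leave a marker so "show" output still explains the gap.
            echo "# --- ${f##*/} skipped (disabled)"
            continue
        fi
        # The marker line makes it easy to see which file a rule came from
        # when a DROP turns out to sit before an ACCEPT for the same port.
        echo "# --- ${f##*/}"
        # Drop blank and comment lines; keep every rule line verbatim.
        awk 'NF && $1 !~ /^#/' "$f"
    done
    echo 'COMMIT'
}

# Parse-check the assembled ruleset without touching the live firewall.
check_rules() {
    assemble_rules "$RULES_DIR" | iptables-restore --test
}

# Apply atomically: iptables-restore commits the whole file or none of it,
# so a broken fragment cannot leave a half-loaded firewall behind.
load_rules() {
    assemble_rules "$RULES_DIR" | iptables-restore
}

case "${1:-}" in
    start) load_rules ;;
    check) check_rules ;;
    show)  assemble_rules "$RULES_DIR" ;;
esac
```

Running the script with "show" prints exactly what "start" would feed to iptables-restore, and "check" parses that input without committing it, which is the step to run before a restart when a new fragment has been added.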

Comment by Phillip Smith (fukawi2) - Tuesday, 10 November 2009, 05:44 GMT
Perhaps we keep the standard Arch Linux init script, but add an additional file that is loaded 'late' when starting, which just loads some basic protection stuff such as below. Of course, have a flag in /etc/conf.d/iptables to disable loading this file in case it causes problems for anyone.

-I INPUT -m state --state INVALID -j DROP
-I FORWARD -m state --state INVALID -j DROP
-I OUTPUT -m state --state INVALID -j DROP
-I FORWARD -p udp -m udp --sport 4000 -m string --string "witty message" --algo bm --to 65535 -j DROP
-I INPUT -p tcp -m string --string ".ida?" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I INPUT -p tcp -m string --string "/root.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I INPUT -p tcp -m string --string "cmd.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I INPUT -p tcp -m string --string "root.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I INPUT -p tcp -m string --string "Admin.dll" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "nimda" -j DROP
-I FORWARD -p tcp -m string --string ".ida?" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I FORWARD -p tcp -m string --string "/root.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I FORWARD -p tcp -m string --string "cmd.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I FORWARD -p tcp -m string --string "root.exe" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "code-red" -j DROP
-I FORWARD -p tcp -m string --string "Admin.dll" --algo bm --to 65535 -m tcp --tcp-flags ACK ACK -m comment --comment "nimda" -j DROP

Comment by Daniel Moree (shadowbranch) - Friday, 13 November 2009, 02:21 GMT
We could include a rule file in packages that may need the rule. Such as when the user installs apache, we could include in the package an httpd.rules that contains a basic input rule to allow port 80 and 446 traffic. Same for SSH and the like. I think that would be the best, and the user wouldn't have to worry about breaking anything when changing a rule. They would only affect that rule.

Comment by Phillip Smith (fukawi2) - Friday, 13 November 2009, 02:28 GMT
I see your point, however that could (would!) result in duplication of effort. In your example, if we package an iptables rule with apache, then we would also have to package the same rule with lighttpd and nginx etc, which has immediately tripled the maintenance requirements...

A simple solution to this could be to hard-link the rule files between the packages in the git tree (lamp.git/apache/httpd.rules, lamp.git/lightpd/httpd.rules and lamp.git/nginx/httpd.rules), but that would only work if one packager was maintaining all 3 packages.

Comment by Daniel Moree (shadowbranch) - Friday, 13 November 2009, 02:31 GMT
I'd be happy to take all three. I've custom compiled apache and lighttp and would be willing to give them all a shot.

Comment by Phillip Smith (fukawi2) - Friday, 13 November 2009, 02:35 GMT
Feel free to pull the git tree from github and have a look through what's there at the moment (if you haven't already :))

Comment by Phillip Smith (fukawi2) - Tuesday, 08 December 2009, 05:58 GMT
Any further thoughts on this Daniel?

After playing with Fedora 12 over the last few weeks, I've realised I've actually basically converted their iptables init script to Arch/BSD style as far as saving rules on stop/restart and saving counters etc lol

Comment by Faelar Siannodel (faelar) - Wednesday, 23 December 2009, 22:43 GMT
Having many config files makes it harder to correct when there's something wrong (a DROP 'before' an ACCEPT for the same port is an example). In a true KISS way, one file is simpler than many :)
It makes my firewall easier to control -> I open only what I really need -> it's safer!
If I want a distribution which handles configuration of every package for me, there's already one: Debian. I really wish Arch Server won't behave like this, but I'm open-minded; if it's the best way to make the system safe then go!

Comment by Andres P (a) - Wednesday, 23 June 2010, 17:01 GMT
> A simple solution to this could be to hard-link the rule files between the
> packages in the git tree (lamp.git/apache/httpd.rules,
> lamp.git/lightpd/httpd.rules and lamp.git/nginx/httpd.rules), but that would
> only work if one packager was maintaining all 3 packages.

...make a fake dependency called httpd. It would act as provides, similarly to how
msmtp and postfix provide smtp-forwarder.

This httpd package holds the iptables rules that all these packages share.
That's the whole point of dependencies.