Rocking iptables like a DJ

Cleaning up the mess

The approach of allowing traffic only on demand when an interface pops up needs a mechanism to remove rules and/or deallocate chains dynamically when an interface goes down. Let’s assume our WAN interface will go down temporarily now and then. Rules like FORWARD_SUBNET_PROTECTIVE and POSTROUTING_MASQUERADE would remain and open up a theoretical chance for an attacker (with physical access to eth2) to probe different attack scenarios. For this we want the firewall to be brought back from the state in Fig. E to the state shown in Fig. D, have a closer look on the comment columns of the FORWARD chain.

Chain FORWARD (policy DROP 19 packets, 2100 bytes)
... target        prot opt in   out   source          destination         
... A274D8BD-OUT  all  --  eth0 eth2      /* FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 */
... A274D8BD-IN   all  --  eth2 eth0 /* FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 *

likewise for the POSTROUTING_MASQUERADE call:

Chain POSTROUTING (policy ACCEPT 225K packets, 24M bytes)
... target       prot  opt in  out   source          destination
... MASQUERADE   all   --  *   eth2   /* POSTROUTING_MASQUERADE eth0_C0A8010018_eth2 */

The marked text in the comments of these iptables rules can be used as an identifier to remove any rule which belongs to a specific ipturntables call. These can be copied from the terminal and used in conjunction with the REMOVE_RULES call:

root@myHost:~# -4 REMOVE_RULES "FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2"
# Removing rules containing 'FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2' in: FORWARD...done
# Deallocating orphaned chains: A274D8BD-IN, A274D8BD-OUT...done

root@myHost:~# -4 REMOVE_RULES "POSTROUTING_MASQUERADE eth0_C0A8010018_eth2"
# Removing rules containing 'POSTROUTING_MASQUERADE eth0_C0A8010018_eth2' in: POSTROUTING...done
# Deallocating orphaned chains: done

Any rule found with the given filter ID string will be removed and any related (probably orphaned) chain will be deallocated without reseting the whole ruleset of iptables. These calls can be placed eg. in the post-down event of an /etc/network/interfaces file.

This is just a small overview of what is capable of but there are even more features like ALLOW_PORT, FORWARD_PORT, MAC_FILTER, ALLOW_TUNNEL. In the examples shown here mainly IPv4 was used but most rules also work for IPv6 protocol. Feel free to have a look at the source yourself.


I'm a computer kid of the 80', not born but raised in good old' germany, playin' games, makin' music & lovin' the blues. My career started at an age of 10 in a shopping mall where they sold computers too. It was the first time ever i've seen such an electronic monster and was fascinated instantly. Later on i've learned my first programming skills (Basic) with a friend's Sinclair ZX 81. Yes, that one with the strange plastics keyboard. After that i got some experience with a Schneider CPC464 and the Commodore C64 until i fell in love with the Commodore Amiga, a machine with 4096 different colors which sounds nowadays to most like black'n'white tv's sounded to me at that time. We played a lot of games like Decathlon, The Last V8, Impossible Mission, Elite, Mega'lo'Mania, Xenon, Speedball or Chaos Engine and ruined a lot of those Competition Pro Joysticks. My favourites were mostly games by Sensible Software, Bitmap Brothers or Rainbow Arts. What i liked the most about that machine was it's AmigaOS, it's operating system was ahead of it's time. On this machine i learned my first assembler language (m68k) and the hardware internas. I watched the decline of Commodore with a tear in my eye and at some point i went over to usual business and my first PC and learned it's beastly manners.

вяоӣсо wrote 19 posts

Post navigation