Rocking iptables like a DJ

Cleaning up the mess

The approach of allowing traffic only on demand, when an interface pops up, needs a mechanism to remove rules and/or deallocate chains dynamically when an interface goes down. Let’s assume our WAN interface will go down temporarily now and then. Rules like FORWARD_SUBNET_PROTECTIVE and POSTROUTING_MASQUERADE would remain in place and open up a theoretical chance for an attacker (with physical access to eth2) to probe different attack scenarios. For this we want the firewall to be brought back from the state in Fig. E to the state shown in Fig. D. Take a closer look at the comment column of the FORWARD chain:

Chain FORWARD (policy DROP 19 packets, 2100 bytes)
... target        prot opt in   out   source          destination         
... A274D8BD-OUT  all  --  eth0 eth2  192.168.1.0/24  0.0.0.0/0      /* FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 */
... A274D8BD-IN   all  --  eth2 eth0  0.0.0.0/0       192.168.1.0/24 /* FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 */

likewise for the POSTROUTING_MASQUERADE call:

Chain POSTROUTING (policy ACCEPT 225K packets, 24M bytes)
... target       prot  opt in  out   source          destination
... MASQUERADE   all   --  *   eth2  192.168.1.0/24  0.0.0.0/0   /* POSTROUTING_MASQUERADE eth0_C0A8010018_eth2 */

The identifier in the comment of these iptables rules (FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 in the FORWARD chain, POSTROUTING_MASQUERADE eth0_C0A8010018_eth2 in POSTROUTING) can be used to remove every rule which belongs to a specific ipturntables call. It can be copied from the terminal and passed to the REMOVE_RULES call:

root@myHost:~# ipturntables.sh -4 REMOVE_RULES "FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2"
# Removing rules containing 'FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2' in: FORWARD...done
# Deallocating orphaned chains: A274D8BD-IN, A274D8BD-OUT...done

root@myHost:~# ipturntables.sh -4 REMOVE_RULES "POSTROUTING_MASQUERADE eth0_C0A8010018_eth2"
# Removing rules containing 'POSTROUTING_MASQUERADE eth0_C0A8010018_eth2' in: POSTROUTING...done
# Deallocating orphaned chains: done

Any rule whose comment contains the given ID string will be removed, and any related chain that is left orphaned by this will be deallocated, without resetting the whole iptables ruleset. Since the match is on rules "containing" the string, pass the complete identifier rather than a fragment such as an interface name, otherwise rules belonging to other calls may be removed as well. These calls can be placed e.g. in the post-down hook of an /etc/network/interfaces stanza.
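To make the cleanup step concrete, here is an added example of my own (not code from ipturntables.sh) that does the same job on the rule-spec format printed by `iptables -t TABLE -S`: every rule whose comment contains the ID is turned into a `-D` line, the user chains those rules led to are checked for remaining references, and the ones nobody else uses any more are flushed and deleted. The change is applied as an `iptables-restore --noflush` fragment, so the rest of the table is left untouched and no comment text is ever passed through `eval`. The two dumps and the SHARED-LOG chain are constructed sample data, modelled on the listings above, not output from a real host.

```sh
#!/bin/sh
# Added example, not code from ipturntables.sh: remove rules by comment ID
# and deallocate the chains they leave orphaned, without flushing the table.
set -eu

# cleanup_plan TABLE ID: read the `iptables -t TABLE -S` dump on stdin and
# print an iptables-restore fragment (*TABLE, -D/-F/-X lines, COMMIT).
# Pure text processing, so it runs without root or a live ruleset.
cleanup_plan() {
    awk -v table="$1" -v id="$2" '
    $1 == "-N" { def[++m] = $2; defined[$2] = 1; next }
    $1 != "-A" { next }
    {
        n++; chain[n] = $2; line[n] = $0; target[n] = ""
        # match the ID only inside the comment, not against e.g. an interface name
        comment = ""
        if (match($0, /--comment ("[^"]*"|[^ ]+)/))
            comment = substr($0, RSTART + 10, RLENGTH - 10)
        gone[n] = (comment != "" && index(comment, id) > 0)
        for (i = 3; i <= NF; i++)
            if ($i == "-j" || $i == "-g") target[n] = $(i + 1)
    }
    END {
        # candidate chains: every user chain reachable by jumps from the removed rules
        for (i = 1; i <= n; i++)
            if (gone[i] && (target[i] in defined)) cand[target[i]] = 1
        do {
            changed = 0
            for (i = 1; i <= n; i++)
                if ((chain[i] in cand) && (target[i] in defined) && !(target[i] in cand)) {
                    cand[target[i]] = 1; changed = 1
                }
        } while (changed)
        # a candidate is orphaned once no surviving rule in a surviving chain jumps to it
        do {
            changed = 0
            for (k = 1; k <= m; k++) {
                c = def[k]
                if (!(c in cand) || (c in orphan)) continue
                ref = 0
                for (i = 1; i <= n; i++)
                    if (!gone[i] && !(chain[i] in orphan) && target[i] == c) ref = 1
                if (!ref) { orphan[c] = 1; changed = 1 }
            }
        } while (changed)
        print "*" table
        for (i = 1; i <= n; i++)
            if (gone[i]) { sub(/^-A /, "-D ", line[i]); print line[i] }
        # iptables -X only deletes an empty, unreferenced chain: flush first, then delete
        for (k = 1; k <= m; k++) if (def[k] in orphan) print "-F " def[k]
        for (k = 1; k <= m; k++) if (def[k] in orphan) print "-X " def[k]
        print "COMMIT"
    }'
}

# remove_rules TABLE ID: apply the plan to the live kernel ruleset (needs root).
remove_rules() {
    iptables -t "$1" -S | cleanup_plan "$1" "$2" | iptables-restore --noflush
}

# Constructed sample dumps, modelled on Fig. E. SHARED-LOG is a hypothetical
# chain that another FORWARD rule still uses, so it must survive the cleanup.
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N A274D8BD-IN
-N A274D8BD-OUT
-N SHARED-LOG
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth2 -m comment --comment FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 -j A274D8BD-OUT
-A FORWARD -d 192.168.1.0/24 -i eth2 -o eth0 -m comment --comment FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2 -j A274D8BD-IN
-A FORWARD -i eth1 -j SHARED-LOG
-A A274D8BD-OUT -j ACCEPT
-A A274D8BD-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A A274D8BD-IN -j SHARED-LOG
-A A274D8BD-IN -j DROP
-A SHARED-LOG -j LOG --log-prefix "fw: "
-A SHARED-LOG -j RETURN'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -m comment --comment "POSTROUTING_MASQUERADE eth0_C0A8010018_eth2" -j MASQUERADE'

# With TABLE and ID as arguments apply to the live ruleset, otherwise dry-run on the sample.
if [ "$#" -eq 2 ]; then
    remove_rules "$1" "$2"
else
    printf '%s\n' "$SAMPLE_FILTER" | cleanup_plan filter FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2
fi
```

Saved as, say, /usr/local/sbin/fw-cleanup (a hypothetical path), it fits the post-down hook mentioned above: `post-down /usr/local/sbin/fw-cleanup filter FORWARD_SUBNET_PROTECTIVE_eth0_C0A8010018_eth2` followed by the same line for the nat table and the POSTROUTING_MASQUERADE identifier. The dry run on the sample prints the two `-D FORWARD` lines, `-F`/`-X` for A274D8BD-IN and A274D8BD-OUT, and leaves SHARED-LOG alone because a surviving FORWARD rule still jumps to it; an ID that only appears outside a comment, such as an interface name, produces an empty plan.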

This is just a small overview of what ipturntables.sh is capable of; there are more features like ALLOW_PORT, FORWARD_PORT, MAC_FILTER and ALLOW_TUNNEL. The examples shown here mainly use IPv4, but most rules also work with IPv6. Feel free to have a look at the source yourself.