Re: [SLUG] iptables question

From: Derek Glidden (dglidden@illusionary.com)
Date: Mon Jul 21 2003 - 12:03:29 EDT


On Mon, 2003-07-21 at 01:26, Paul M Foster wrote:
> Here's an odd scenario. Assume the following:
>
> iptables -N mytarget
> iptables -I INPUT -j mytarget
>
> Assume no other specification of the mytarget chain/rule. And assume,
> per the above, that the mytarget chain acts as the first target on the
> INPUT chain. (Any other rules added with the -A parameter on the INPUT
> chain would get added _after_ this original rule.)
>
> The question is this: it seems that, without specifying the interface,
> protocol or disposition of the mytarget chain/rule, it's a wide open
> target, accepting anything from anywhere. If that's true, then if you
> actually did this, it would obviate the rest of the rules in your INPUT
> chain. Is that right? Or does a "blank" rule like this just pass packets
> to the next rule or the default policy (ACCEPT)?
>
> (This isn't a made up example. The latest Coyote effectively does this.)

It's just like calling a subroutine. If the user-defined target called
"mytarget" doesn't have anything in it, then processing of packets
proceeds directly to the next rule listed in the INPUT table. If there
is nothing in the "mytarget" target, then it might as well not be there.

If there are no filters specified, then yes, each packet will go through
the "mytarget" target for processing, regardless of protocol or port,
before moving down to the next rule in the INPUT table.

It's an odd thing to do, and will add a few cycles of extra processing
to each packet as analysis has to jump to the "mytarget" target, (unless
netfilter is smart enough to ignore empty targets, which I don't know)
but unless there is an explicit "ACCEPT" in the "mytarget" target for
some set of packets, it doesn't really do anything to the security of
the rest of the rule chain.

It is a bit suspicious however, as if it's a well-known target as part
of the Coyote distribution, anyone who would be able to execute a single
command on the box will be able to insert their own rules into the front
of the iptables rule chain, to for example allow their own IP address in
and out without being noticed.

But the explanation may be as innocuous as "we use this table to
temporarily insert rules so that people who have authenticated in to the
admin interface are briefly allowed access into the box, and when
they're done, we wipe the target so that all the other standard rules
are in effect. Doing it this way makes it so we don't have to
completely wipe and reload the ruleset each time when we need to make a
temporary change to the security profile of the firewall."

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"We all enter this world in the    | Support Electronic Freedom
same way: naked; screaming; soaked |        http://www.eff.org/
in blood. But if you live your     |  http://www.anti-dmca.org/
life right, that kind of thing     |---------------------------
doesn't have to stop there." -- Dana Gould
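The subroutine behaviour described in the reply above, and the concern about rules being slipped into a front-loaded chain, as an added example (not code from the list post or from Coyote). It is a small Python model of netfilter chain traversal: a jump into an empty user-defined chain returns to the next rule in the calling chain, while an ACCEPT rule inserted into that chain short-circuits everything below the jump. The ruleset, chain name `mytarget`, and sample packets are constructed for illustration; the audit function is a simple check a defender could mirror against `iptables -S` output.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    match: dict   # header fields that must match; {} matches every packet
    target: str   # ACCEPT, DROP, RETURN, or the name of a user-defined chain


@dataclass
class Ruleset:
    chains: dict = field(default_factory=dict)  # chain name -> list of Rule
    policy: dict = field(default_factory=dict)  # built-in chain -> default policy

    def new_chain(self, name):            # iptables -N name
        self.chains[name] = []

    def insert(self, chain, rule):        # iptables -I chain ... (front)
        self.chains[chain].insert(0, rule)

    def append(self, chain, rule):        # iptables -A chain ... (end)
        self.chains[chain].append(rule)

    def flush(self, chain):               # iptables -F chain
        self.chains[chain] = []


def matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule.match.items())


def walk(rs, chain, packet):
    """Traverse one chain. Returns ACCEPT/DROP, or None when the chain ends
    without a verdict (netfilter then continues in the calling chain)."""
    for rule in rs.chains[chain]:
        if not matches(rule, packet):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        sub = walk(rs, rule.target, packet)   # jump into the user chain
        if sub is not None:
            return sub
        # user chain ran off its end: fall through to the next rule here
    return None


def verdict(rs, chain, packet):
    """Final verdict for a built-in chain: traversal result or default policy."""
    v = walk(rs, chain, packet)
    return v if v is not None else rs.policy[chain]


def build_ruleset():
    """Constructed ruleset modelled on the post: an empty 'mytarget' chain
    jumped to first, then the usual INPUT rules."""
    rs = Ruleset()
    rs.chains["INPUT"] = []
    rs.policy["INPUT"] = "ACCEPT"
    rs.new_chain("mytarget")                          # iptables -N mytarget
    rs.insert("INPUT", Rule({}, "mytarget"))          # iptables -I INPUT -j mytarget
    rs.append("INPUT", Rule({"dport": 22}, "ACCEPT"))
    rs.append("INPUT", Rule({}, "DROP"))
    return rs


def accept_rules_in_user_chains(rs, builtin="INPUT"):
    """Audit: ACCEPT rules inside user chains that the built-in chain jumps to,
    as (chain, match) pairs. Any entry here bypasses the rules below the jump."""
    found = []
    for rule in rs.chains[builtin]:
        if rule.target in rs.chains:                  # a jump to a user chain
            for sub in rs.chains[rule.target]:
                if sub.target == "ACCEPT":
                    found.append((rule.target, sub.match))
    return found


def scenario():
    rs = build_ruleset()
    web = {"src": "203.0.113.9", "dport": 80}         # constructed sample packets
    ssh = {"src": "203.0.113.9", "dport": 22}
    out = {}
    out["empty_web"] = verdict(rs, "INPUT", web)      # DROP: empty chain is a no-op
    out["empty_ssh"] = verdict(rs, "INPUT", ssh)      # ACCEPT via the normal rule
    out["audit_empty"] = accept_rules_in_user_chains(rs)
    # The post's concern: one rule inserted into the front chain
    rs.insert("mytarget", Rule({"src": "203.0.113.9"}, "ACCEPT"))
    out["inserted_web"] = verdict(rs, "INPUT", web)   # ACCEPT: the DROP is never reached
    out["audit_inserted"] = accept_rules_in_user_chains(rs)
    rs.flush("mytarget")                              # wipe the chain, as the reply suggests
    out["flushed_web"] = verdict(rs, "INPUT", web)    # DROP again
    return out
```

The model ignores packet state, interfaces and the other tables, which do not change the point: an empty chain costs a jump and nothing else, and the audit should flag any ACCEPT that appears in a chain reached before the rest of INPUT.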


