Re: [SLUG] iptables question

From: Paul M Foster (paulf@quillandmouse.com)
Date: Mon Jul 21 2003 - 18:30:46 EDT


On Mon, Jul 21, 2003 at 12:03:29PM -0400, Derek Glidden wrote:

> On Mon, 2003-07-21 at 01:26, Paul M Foster wrote:
> > Here's an odd scenario. Assume the following:
> >
> > iptables -N mytarget
> > iptables -I INPUT -j mytarget
> >
> > Assume no other specification of the mytarget chain/rule. And assume,
> > per the above, that the mytarget chain acts as the first target on the
> > INPUT chain. (Any other rules added with the -A parameter on the INPUT
> > chain would get added _after_ this original rule.)
> >
> > The question is this: it seems that, without specifying the interface,
> > protocol or disposition of the mytarget chain/rule, it's a wide open
> > target, accepting anything from anywhere. If that's true, then if you
> > actually did this, it would obviate the rest of the rules in your INPUT
> > chain. Is that right? Or does a "blank" rule like this just pass packets
> > to the next rule or the default policy (ACCEPT)?
> >
> > (This isn't a made up example. The latest Coyote effectively does this.)
>
> It's just like calling a subroutine. If the user-defined target called
> "mytarget" doesn't have anything in it, then processing of packets
> proceeds directly to the next rule listed in the INPUT table. If there
> is nothing in the "mytarget" target, then it might as well not be there.
>
> If there are no filters specified, then yes, each packet will go through
> the "mytarget" target for processing, regardless of protocol or port,
> before moving down to the next rule in the INPUT table.
>
> It's an odd thing to do, and will add a few cycles of extra processing
> to each packet as analysis has to jump to the "mytarget" target, (unless
> netfilter is smart enough to ignore empty targets, which I don't know)
> but unless there is an explicit "ACCEPT" in the "mytarget" target for
> some set of packets, it doesn't really do anything to the security of
> the rest of the rule chain.
>
> It is a bit suspicious however, as if it's a well-known target as part
> of the Coyote distribution, anyone who would be able to execute a single
> command on the box will be able to insert their own rules into the front
> of the iptables rule chain, to for example allow their own IP address in
> and out without being noticed.
>
> But the explanation may be as innocuous as "we use this table to
> temporarily insert rules so that people who have authenticated in to the
> admin interface are briefly allowed access into the box, and when
> they're done, we wipe the target so that all the other standard rules
> are in effect. Doing it this way makes it so we don't have to
> completely wipe and reload the ruleset each time when we need to make a
> temporary change to the security profile of the firewall."
>

From tracing through the scripts, it appears this is part of the
explanation. The other part appears to be that they are in the process
of building some capabilities into the distro, but are not done yet. So
these are sort of "place-marker" rules.

My concern was that a blank chain like this would match all packets and
use the default ACCEPT policy to bypass all the other rules, thus making
the firewall null and void. Fortunately, it looks like I was wrong.

Paul
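A small model of how netfilter walks the INPUT chain and a user-defined chain, added here as an illustration and not code from this thread or from Coyote; the Rule and Ruleset classes, the rule list in build_ruleset and the packet dictionaries used with it are all constructed for the example. It shows the point settled above: an empty chain jumped to first is inert (the packet falls off its end and continues with the next INPUT rule), and only a rule with a verdict placed inside that chain changes the outcome, which is why the contents of such a front-of-chain hook are worth watching.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                 # "ACCEPT", "DROP", "RETURN" or a user-defined chain name
    match: dict = field(default_factory=dict)   # empty match = every packet, as in the thread

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class Ruleset:
    policy: dict                # built-in chain -> default policy verdict
    chains: dict = field(default_factory=dict)
    def new_chain(self, name):              # iptables -N name
        self.chains[name] = []
    def insert(self, chain, rule):          # iptables -I chain ... (front of chain)
        self.chains[chain].insert(0, rule)
    def append(self, chain, rule):          # iptables -A chain ... (end of chain)
        self.chains[chain].append(rule)

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target          # terminating verdict
            if rule.target == "RETURN":
                return None                 # hand back to the calling chain
            # Jump to a user-defined chain, like a subroutine call: if that chain
            # ends without a verdict, evaluation resumes at the next rule here.
            verdict = self._walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def input_verdict(self, pkt):
        verdict = self._walk("INPUT", pkt)
        return verdict if verdict is not None else self.policy["INPUT"]

def build_ruleset():
    """The thread's scenario: an empty hook chain jumped to before everything else."""
    rs = Ruleset(policy={"INPUT": "ACCEPT"})
    rs.chains["INPUT"] = []                     # built-in chain
    rs.new_chain("mytarget")                    # iptables -N mytarget
    rs.insert("INPUT", Rule("mytarget"))        # iptables -I INPUT -j mytarget
    rs.append("INPUT", Rule("ACCEPT", {"proto": "tcp", "dport": 22}))   # rules added later with -A
    rs.append("INPUT", Rule("DROP"))            # explicit catch-all, so the policy is never reached
    return rs
```

Feed build_ruleset() a few packet dictionaries: with mytarget empty the later rules decide exactly as if the jump were not there; append an ACCEPT to mytarget and that packet is accepted before the DROP is ever considered.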



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:40:28 EDT