
Re: Is this even POSSIBLE?

Hello Dan!

Thank you so much for the reply!

Yes, that helps a lot, but I have 2 follow-up questions if you don't mind, haha.

1.) When you say "-A INPUT -j Block puts the chain in order", you mean that at this point iptables will look for any rules appended to the Block chain, no matter where they are? This would make sense, because then the order wouldn't matter and you can jump to a chain at the beginning whose rules are defined at the bottom, for example.

2.) I want to log when one of these rules gets matched.
(It's 30 - 40 rules in total)

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j DROP
-A Block -s 192.0.2.0/24 -j DROP
.
.

This is my solution:

-A INPUT -j Block
-A FORWARD -j Block

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Logger
-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger

Then in Logger it gets logged and dropped.

I considered this, but was told the above is better.

-A INPUT -j Block
-A FORWARD -j Block

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG
-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP
.
.

Is there a better way? Thanks again.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, January 6th, 2022 at 7:26 PM, Dan Ritter <dsr@randomstring.org> wrote:

> linux_forum1 wrote:
> > Hello, I have 2 questions if that's OK.
> >
> > INPUT DROP
> > FORWARD DROP
> > OUTPUT DROP
> >
> > -N Block
> > -N Logger
> >
> > -A INPUT -j Block
> > -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
> > -A Logger -j LOG --log-level 4
> > -A Logger -j DROP
> > -A INPUT -i lo -j ACCEPT
> > -A OUTPUT -o lo -j ACCEPT
> >
> > There will be more rules in Block, but I just want to understand the logic.
> >
> > 1.) How is -A INPUT -j Block possible before there are any rules appended to Block, does that mean iptables first searches and assembles all rules that belong to custom chains regardless of order? Same for Logger.
>
> Everything has an order. You can turn on line numbers and see
> the order.
>
> Creating a chain (Block, Logger) does not put it into order.
>
> The jump (-j) to Block, from INPUT, places the chain in order.
>
> I note that you don't have a rule in Block to actually drop
> packets, and you do have a rule in Logger that drops packets.
> That seems... problematic to me.
>
> > 2.)
> >
> > Would this be OK to log and drop all rules in Block?
> >
> > I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG -> Logger -> DROP
>
> In general, you can jump as many times as you like as long as
> you don't go in a circle. Note that -j LOG continues processing
> on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
> ends without ACCEPT, DROP or REJECT happening, then when it ends
> execution picks up at the next statement in order following the
> jump to that chain.
>
> Does that help?
>
> -dsr-
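
The traversal rules Dan describes (a jump "places the chain in order", LOG falls through to the next rule, a user chain that finishes without a verdict returns to the rule after the jump, the chain policy applies when INPUT finishes) can be checked with a small model. The block below is an added illustration for this thread, not iptables itself and not code from either poster: it implements only those semantics and only the matches used in the thread (source network, TCP flags, input interface), builds both layouts from the message above (the Logger-chain layout and the LOG/DROP-pair layout), and evaluates a few constructed packets against each. The interface names and the sample addresses are assumptions made for the example.

```python
"""Toy model of iptables chain traversal (added example, not iptables)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal


@dataclass(frozen=True)
class Packet:
    src: str
    iif: str = "eth0"            # assumed interface names: eth0 and lo
    proto: str = "tcp"
    flags: frozenset = frozenset()


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                  # ACCEPT/DROP/REJECT, LOG, RETURN, or a user chain


class Firewall:
    def __init__(self, policy: str = "DROP"):
        self.policy = policy     # -P INPUT DROP (and FORWARD/OUTPUT) in the thread
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.log: List[str] = []

    def new_chain(self, name: str) -> None:          # -N name
        self.chains[name] = []

    def append(self, chain: str, match: Callable[[Packet], bool], target: str) -> None:
        self.chains[chain].append(Rule(match, target))   # -A chain <match> -j target

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target                   # verdict: stop everywhere
            if rule.target == "LOG":
                self.log.append(f"{chain}: src={pkt.src}")
                continue                             # LOG is non-terminating
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)   # -j user chain
            if verdict is not None:
                return verdict
            # user chain ended without a verdict: resume after the jump
        return None

    def verdict(self, chain: str, pkt: Packet) -> Tuple[str, int]:
        """Return (verdict, number of log lines this packet produced)."""
        before = len(self.log)
        result = self._walk(chain, pkt)
        return (result if result is not None else self.policy), len(self.log) - before


# The three match types that appear in the thread.
def any_pkt(_: Packet) -> bool:
    return True

def src_in(cidr: str) -> Callable[[Packet], bool]:      # -s cidr
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net

def tcp_flags(mask, comp) -> Callable[[Packet], bool]:  # -p tcp --tcp-flags mask comp
    mask, comp = frozenset(mask), frozenset(comp)
    return lambda p: p.proto == "tcp" and (p.flags & mask) == comp

def in_iface(name: str) -> Callable[[Packet], bool]:    # -i name
    return lambda p: p.iif == name


BLOCK_MATCHES = [
    tcp_flags({"SYN", "RST"}, {"SYN", "RST"}),
    src_in("169.254.0.0/16"),
    src_in("172.16.0.0/12"),
    src_in("192.0.2.0/24"),
]


def build_logger_chain() -> Firewall:
    """Layout 1 from the message: Block rules jump to Logger, which logs then drops."""
    fw = Firewall("DROP")
    fw.new_chain("Block")
    fw.new_chain("Logger")
    fw.append("INPUT", any_pkt, "Block")      # jump appended before Block has any rules
    fw.append("FORWARD", any_pkt, "Block")
    for m in BLOCK_MATCHES:
        fw.append("Block", m, "Logger")
    fw.append("Logger", any_pkt, "LOG")       # -A Logger -j LOG --log-level 4
    fw.append("Logger", any_pkt, "DROP")      # -A Logger -j DROP
    fw.append("INPUT", in_iface("lo"), "ACCEPT")
    return fw


def build_log_drop_pairs() -> Firewall:
    """Layout 2 from the message: each match written twice, once -j LOG, once -j DROP."""
    fw = Firewall("DROP")
    fw.new_chain("Block")
    fw.append("INPUT", any_pkt, "Block")
    fw.append("FORWARD", any_pkt, "Block")
    for m in BLOCK_MATCHES:
        fw.append("Block", m, "LOG")
        fw.append("Block", m, "DROP")
    fw.append("INPUT", in_iface("lo"), "ACCEPT")
    return fw


if __name__ == "__main__":
    samples = [Packet("172.16.5.5"), Packet("127.0.0.1", iif="lo"),
               Packet("203.0.113.7"), Packet("203.0.113.7", flags=frozenset({"SYN", "RST"}))]
    for name, build in (("Logger chain", build_logger_chain), ("LOG/DROP pairs", build_log_drop_pairs)):
        fw = build()
        for pkt in samples:
            print(f"{name:15} {pkt.src:12} {pkt.iif:5} -> {fw.verdict('INPUT', pkt)}")
```

Both layouts give the same result for every sample packet: a packet matching any Block rule is logged exactly once and dropped, a loopback packet passes through Block without a verdict and reaches the later `-A INPUT -i lo -j ACCEPT`, and an unmatched packet from another interface falls back to the INPUT policy with nothing logged. The model also makes the answer to question 1 visible: the jump to Block is appended before Block has rules, yet the Block rules appended afterwards are consulted when the jump is taken. In a real ruleset, LOG rules are usually paired with `-m limit` so that a flood of matching packets does not fill the log.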

