02-29-2004, 07:09 AM
#1
LQ Newbie
Registered: Feb 2004
Posts: 6
How to filter traffic using port+process in IPTables
I want to prevent any process other than Apache from accepting connections on port 80. How do I do such a thing? Also, how do I do it for other processes?
02-29-2004, 04:05 PM
#2
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
You sound like you have a situation to fix...
A few more details would help, please.
Usually, if a process has bound to a socket, nothing else can also bind unless the card is promiscuous.
03-01-2004, 02:13 AM
#3
LQ Newbie
Registered: Feb 2004
Posts: 6
Original Poster
What I really want is to develop a Zone Alarm alternative on Linux. I have started a project on sourceforge ( www.sourceforge.net/projects/linuxalarm ) to do such a thing, but I got stuck with program access control. I have two ways to do so:
1- intercept the system call (I do not know how to do this and think it is undoable)
2- use iptables and try to combine it with something else. I have, in fact, developed a transparent proxy using an iptables REDIRECT rule, but there are still some problems. So I was wondering if I can do something else using iptables.
Regards
03-01-2004, 04:24 AM
#4
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
iptables has an owner match to match pid, uid, gid & sid.
Have a read of this excellent tutorial.
Also in the netfilter patch-o-matic system is a condition match, allowing you to populate /proc/net/ipt_condition with something you have extracted, e.g. logged-on users & pids etc.
03-01-2004, 05:39 AM
#5
LQ Newbie
Registered: Feb 2004
Posts: 6
Original Poster
Thanks for the tutorial.
Can you please clarify the following:
Quote:
    Also in the netfilter patch-o-matic system is a condition match, allowing you to populate /proc/net/ipt_condition with something you have extracted, e.g. logged-on users & pids etc.
Another thing. I want to avoid patching as much as I can, because this is intended for end users (dummies) who do not even know the meaning of source code.
03-01-2004, 05:59 AM
#6
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
The "condition" match described at http://www.netfilter.org/patch-o-mat...xtra-condition allows you to find some useful data about a process, or about logged-on users, or anything else you think is useful, place a reference to it in /proc/net/ipt_condition and use an iptables rule to test the condition.
I use it with log files to test if remote systems have tried to connect and then add a variable to ipt_condition. The iptables rule opens access to a special FTP server for their dynamic IP number if they have tried to connect, and closes it once the transaction has been confirmed OK by the remote.
The possibilities are endless...
You may wish to have the feature built in, & if users choose to patch, they can get extra features..
03-01-2004, 06:19 AM
#7
LQ Newbie
Registered: Feb 2004
Posts: 6
Original Poster
Thanks very much. It seems interesting to me. Would you please give any examples you have for this rule, or any link to a place where I can find more information about it (other than the patch-o-matic, which has little info)?
03-01-2004, 07:04 AM
#8
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
There aren't any others I've seen, and mine is for security reasons, so it won't get listed.
The match is checking for a condition true/false,
so you can simply find a condition with a script, e.g. grep a log file for a value, either count the number of valid entries (grep -c) or prove a value is present, and then in a script, e.g. "did the login start the antivirus prog?":

#!/bin/sh
# Is the mksd antivirus daemon running? If so, set the "name" condition to true.
if [ -f /var/run/mksd/mksd.pid ]; then
    # the first field of the pid file is the pid
    PID=`cat /var/run/mksd/mksd.pid | awk '{print $1}'`
    # count the ps lines for that pid that mention mksd
    MKSDS=`ps -p $PID 2>/dev/null | grep -c mksd | awk '{print $1}'`
    if [ $MKSDS -gt 0 ]; then
        # the condition file appears once an iptables rule references the name
        touch /proc/net/ipt_condition/name
        echo 1 > /proc/net/ipt_condition/name
    else
        exit 0
    fi
fi

Mostly just build regex-type testing from /proc/ variables or from tailing log files, and add a variable name and then a value.
Then remove them once the condition has terminated...
I tend to have pre-existing match rules but dynamic rules in sub chains.
& in true Linux fashion, you are now at the leading edge of this option
03-01-2004, 09:35 AM
#9
LQ Newbie
Registered: Feb 2004
Posts: 6
Original Poster
O.K. I have three questions:
1- What are the privileges that a program should have to access these conditions?
2- Does this come by default with iptables, or does it need recompilation?
3- For your script, can you please give a short explanation of what it does and how to use it in a rule? (Sorry, my background is Java, J2EE, web development and security, and I have just started C, C++, shell scripts, etc., so forgive me.)
Regards
Last edited by muath; 03-01-2004 at 09:49 AM.
03-01-2004, 10:23 AM
#10
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
To insert rules, it needs to be root (but that's only a general agreement)..
The permissions on /usr/bin/iptables determine who can use it...
It needs a kernel recompile, which would be better as a user's option if you want to make it "universal", kind of an "extra" feature..
That example isn't complete either. There's lots more..
It uses regex and shell scripting.
Both quite easy to learn (and easy to forget if not used for a while!)
That example basically finds a pid number for a process, cleans the text in awk, tests the pid against ps to prove it's mksd running, and counts how many processes exist.
If one or more are running, it creates the "condition" name and gives it a true value 1.
I have a permanent rule to match the true value and pass packets into a sub chain to compare other IP details, source, port etc.
It dynamically controls what ports are open if the AV scanner is on/off.
There are plenty of sources to learn regex and shell scripting, a quick Google will list some..
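A complete version of the "condition setter" approach from posts #8 and #10, added here as an example; it is not code from the thread or from the linuxalarm project. Compared with the fragment above it validates the pid file before trusting it, confirms the process name through /proc so a recycled pid is not mistaken for the daemon, writes 0 as well as 1 so the condition is cleared again when the daemon stops, and takes the condition file as a parameter so the logic can be tried against a temporary file before it is pointed at /proc/net/ipt_condition. The condition name mksd_up, the chain AV_OK and the FTP port in the commented rules are assumptions. One caveat on post #4: the iptables owner match only applies to locally generated packets (OUTPUT chain), so for gating incoming connections the condition approach is the one that fits.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the iptables "condition"
# match for a daemon in sync with whether that daemon is really running.
#
# Rules that consume the condition (run as root, with the patch-o-matic
# condition match built in; names are assumptions):
#   iptables -N AV_OK
#   iptables -A INPUT -m condition --condition mksd_up -j AV_OK
#   iptables -A AV_OK -p tcp --dport 21 -j ACCEPT
# Loading the INPUT rule makes the kernel create
# /proc/net/ipt_condition/mksd_up, which this script then writes to.

# daemon_running PIDFILE PROCNAME
# Exit status 0 when PIDFILE names a live process whose name is PROCNAME,
# 1 otherwise (missing file, garbage in the file, dead pid, recycled pid).
daemon_running() {
    pidfile=$1
    procname=$2
    [ -r "$pidfile" ] || return 1
    # first field of the first line is the pid
    pid=$(awk 'NR == 1 { print $1 }' "$pidfile")
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;   # not a number: never act on it
    esac
    # kill -0 only tests that the process exists (as root, any process)
    kill -0 "$pid" 2>/dev/null || return 1
    # On Linux, confirm the name so a recycled pid is not counted
    if [ -r "/proc/$pid/comm" ]; then
        [ "$(cat "/proc/$pid/comm")" = "$procname" ] || return 1
    fi
    return 0
}

# update_condition PIDFILE PROCNAME CONDFILE
# Writes 1 (daemon up) or 0 (daemon down) to CONDFILE and prints the value.
update_condition() {
    pidfile=$1
    procname=$2
    condfile=$3
    if daemon_running "$pidfile" "$procname"; then
        value=1
    else
        value=0
    fi
    echo "$value" > "$condfile"
    echo "$value"
}

# Typical invocation from cron or an init script (paths are assumptions):
#   update_condition /var/run/mksd/mksd.pid mksd /proc/net/ipt_condition/mksd_up
```

Run it periodically (or from the daemon's start/stop scripts) as root; because it always writes a value, a crashed daemon closes the AV_OK chain on the next run instead of leaving the condition stuck at 1.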
03-01-2004, 11:20 AM
#11
LQ Newbie
Registered: Feb 2004
Posts: 6
Original Poster
Thanks Peter very much. I really appreciate your help.
If you wish, visit my project ( www.sourceforge.net/projects/linuxalarm ).
It is still in early stages, but I hope it to be the de facto standard in personal firewalls in Linux (remember it is GPLed and free).
Some of the problems I am trying to solve are (more of configuration and management than technical):
1- creating a CVS and checking all the code in. Some problems with ssh and sourceforge, but I am about to finish them.
2- I have started a GUI with Qt and use qmake. I am now trying to use automake/autoconf instead.
3- I have just learned some of the standards of GNU programming style.
So it seems to be a lot of things to be learned and LOT OF INTERESTING STUFF.
Thanks again. Regards