LinuxQuestions.org
Old 02-29-2004, 07:09 AM   #1
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Rep: Reputation: 0
How to filter traffic using port+process in IPTables


I want to prevent any process other than Apache from accepting connections on port 80. How do I do such a thing? Also, how do I do it for other processes?
 
Old 02-29-2004, 04:05 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
You sound like you have a situation to fix...

A few more details would help, please.

Usually, if a process has bound to a socket, nothing else can also bind unless the card is promiscuous.
 
Old 03-01-2004, 02:13 AM   #3
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Original Poster
Rep: Reputation: 0
What I really want is to develop a Zone Alarm alternative on Linux. I have started a project on sourceforge (www.sourceforge.net/projects/linuxalarm) to do such a thing but I got stuck with program access control. I have two ways to do so:
1- intercept the system call (I do not know how to do this and think it is undoable)
2- Use IPTables and try to combine it with something else. I have, in fact, developed a transparent proxy using the IPTables REDIRECT rule but there are still some problems. So I was wondering if I can do something else using IPTables.

Regards
 
Old 03-01-2004, 04:24 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
iptables has an owner match to match pid, uid, gid & sid.

Have a read of this excellent tutorial

Also in the netfilter patch-o-matic system is a condition match, allowing you to populate /proc/net/ipt_condition with something you have extracted, e.g. logged-on users & pids etc.
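The owner match mentioned above, as an added example (not code from the thread or from the linuxalarm project): a small POSIX sh script that generates, and optionally applies, OUTPUT rules so that only one uid may send packets from TCP source port 80. The user name www-data, the IPTABLES variable and the --apply flag are assumptions made for this example. Two caveats a practitioner should know: the owner match is only valid in the OUTPUT and POSTROUTING chains (the kernel cannot attribute an incoming packet to a process before it is delivered, so the original question about restricting who may accept connections cannot be solved with this match alone), and on current kernels only --uid-owner, --gid-owner and --socket-exists survive; the pid, sid and cmd variants that existed in 2004 were removed.

```shell
#!/bin/sh
# Added example (not from the thread): use the iptables owner match to decide
# which local uid may send packets from TCP source port 80, i.e. act as the
# server side of an HTTP connection.
# Assumptions: Apache runs under the uid in WEB_USER (www-data is a
# placeholder; the User directive in httpd.conf decides the real one) and
# iptables is on PATH. Without --apply the script only prints the rules.

WEB_USER="${WEB_USER:-www-data}"
IPTABLES="${IPTABLES:-iptables}"

# iptables rejects a rule naming an unknown user, so check first.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Print the rules, one per line. The owner match is only valid in the OUTPUT
# and POSTROUTING chains: the kernel knows which socket (and so which uid)
# produced a locally generated packet, but it cannot attribute an incoming
# packet to a process before the packet is delivered. These rules therefore
# stop other uids from answering on port 80; they do not filter inbound
# traffic by process.
owner_rules() {
    user="$1"; port="$2"
    user_exists "$user" || return 1
    printf '%s\n' \
        "-A OUTPUT -p tcp --sport $port -m owner --uid-owner $user -j ACCEPT" \
        "-A OUTPUT -p tcp --sport $port -j DROP"
}

# Run each generated rule through iptables (needs CAP_NET_ADMIN, i.e. root).
apply_rules() {
    owner_rules "$1" "$2" | while IFS= read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $IPTABLES $rule
    done
}

case "${1:-}" in
    --apply) apply_rules "$WEB_USER" 80 ;;
    *)       owner_rules "$WEB_USER" 80 || echo "unknown user: $WEB_USER" >&2 ;;
esac
```

Run it without arguments to review the rules, then `WEB_USER=apache sh owner80.sh --apply` as root to install them. The ACCEPT before the DROP is what makes the pair work; ordering them the other way would also block Apache's own replies.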
 
Old 03-01-2004, 05:39 AM   #5
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the tutorial.

Can you please clarify the following

Quote:
Also in the netfilter patch-o-matic system is a condition match, allowing you to populate /proc/net/ipt_condition with something you have extracted, e.g. logged-on users & pids etc.
Another thing. I want to avoid patching as much as I can because this is intended for end users (dummies) who do not even know the meaning of source code.
 
Old 03-01-2004, 05:59 AM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
The "condition" match described at http://www.netfilter.org/patch-o-mat...xtra-condition allows you to find some useful data about a process, or about logged on users or anything else you think is useful, place a reference to it in /proc/net/ipt_condition and use an iptable rule to test the condition.

I use it with log files to test if remote systems have tried to connect and then add a variable to ipt_condition. The iptable rule opens access to a special ftp server for their dynamic ip number if they have tried to connect, and closes it once the transaction has been confirmed ok by the remote.

The possibilities are endless...

You may wish to have the feature built in, & if users choose to patch, they can get extra features..
 
Old 03-01-2004, 06:19 AM   #7
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks very much. It seems interesting to me. Would you please give any examples you have for this rule or any link to a place where I can find more information about it (other than the patch-o-matic, which has little info).
 
Old 03-01-2004, 07:04 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
There aren't any others I've seen, and mine is for security reasons, so it won't get listed

The match is checking for a condition, true/false,
so you can simply find a condition with a script, e.g. grep a log file for a value, either count the number of valid entries (grep -c) or prove a value is present, and then in a script, e.g. "did the login start the antivirus prog?"

#!/bin/sh
if [ -f /var/run/mksd/mksd.pid ]; then
    # first field of the pidfile is the pid
    PID=`cat /var/run/mksd/mksd.pid | awk '{print $1}'`
    # count how many mksd entries ps reports for that pid
    MKSDS=`ps -p $PID 2>/dev/null | grep -c mksd | awk '{print $1}'`
    if [ $MKSDS -gt 0 ]; then
        # mksd is running: make the condition "name" true
        touch /proc/net/ipt_condition/name
        echo 1 > /proc/net/ipt_condition/name
    else
        exit 0
    fi
fi

Mostly just build regex type testing from /proc/ variables or from tailing log files and add a variable name and then a value.
Then remove them once the condition has terminated...
I tend to have pre-existing match rules but dynamic rules in sub chains.

& in true Linux fashion, you are now at the leading edge of this option
 
Old 03-01-2004, 09:35 AM   #9
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Original Poster
Rep: Reputation: 0
O.K. I have three questions:

1- What are the privileges that a program should have to access these conditions?

2- Does this come by default with IPTables or needs recompilation?

3- For your script can you please give a short explanation of what it does and how to use it in a rule? (sorry my background is Java, J2EE, web development and security and I have just started C,C++,shell scripts, ...etc so forgive me)

Regards

Last edited by muath; 03-01-2004 at 09:49 AM.
 
Old 03-01-2004, 10:23 AM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
To insert rules, it needs to be root, (but that's only a general agreement)..
The permissions on /usr/bin/iptables determine who can use it...

It needs a kernel recompile, which would be better as a user's option if you want to make it "universal", kind of an "extra" feature..

That example isn't complete either. There's lots more..
It uses regex and shell scripting.
Both quite easy to learn (and easy to forget if not used for a while!)

That example basically finds a pid number for a process, cleans the text in awk, tests the pid against ps to prove it's mksd running and counts how many processes exist.
If one or more are running, it creates the "condition" name and gives it a true value 1.

I have a permanent rule to match the true value and pass packets into a sub chain to compare other ip details, source, port etc
It dynamically controls what ports are open if the av scanner is on/off.

There are plenty of sources to learn regex and shell scripting, a quick Google will list some..
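A complete version of the pattern from posts #8 and #10, added here as an example (it is not code from the thread or from the linuxalarm project): a POSIX sh script that checks whether a service is really running from its pidfile, publishes the answer as an iptables condition, and prints the permanent rule that jumps into a sub chain while the condition is true. Assumptions made for this example: the condition match is built in and exposes /proc/net/ipt_condition/ (today it ships in xtables-addons rather than patch-o-matic), the pidfile path, the condition name avscanner, the chain name AVCHAIN, the 192.0.2.0/24 documentation range standing in for whatever source addresses the sub chain should compare, and the COND_DIR override, which lets the publishing logic be exercised in a temporary directory without the kernel module. Compared with the thread's script, it rejects stale or corrupt pidfiles and compares the exact command name instead of counting grep hits, so an unrelated process whose name merely contains the string cannot make the condition true.

```shell
#!/bin/sh
# Added example (not from the thread): publish "is service X running?" as an
# iptables condition, and the matching permanent rule.
# Assumptions: the condition match is loaded and /proc/net/ipt_condition/ is
# present; the service writes its pid to a pidfile. COND_DIR may be pointed
# at a scratch directory to test the logic without the kernel module.

COND_DIR="${COND_DIR:-/proc/net/ipt_condition}"
IPTABLES="${IPTABLES:-iptables}"

# Return 0 if the pidfile names a live process whose command name is $2.
# Note /proc/<pid>/comm is truncated to 15 characters by the kernel.
service_running() {
    pidfile="$1"; name="$2"
    [ -r "$pidfile" ] || return 1
    pid=$(awk 'NR==1 { print $1 }' "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;                # not a number: corrupt pidfile
    esac
    kill -0 "$pid" 2>/dev/null || return 1      # no such process: stale pidfile
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -p "$pid" -o comm= 2>/dev/null)
    fi
    [ "$comm" = "$name" ]
}

# Write 1 or 0 to the condition file. With the real module the file appears
# once a rule references the condition; under a COND_DIR override we create
# it ourselves so the same code can be tested.
set_condition() {
    cond="$1"; value="$2"
    [ -e "$COND_DIR/$cond" ] || : > "$COND_DIR/$cond"
    echo "$value" > "$COND_DIR/$cond"
}

get_condition() {
    cat "$COND_DIR/$1" 2>/dev/null || echo 0
}

# Re-evaluate one service, publish the result and print the new value.
# Meant to be run from cron or a service hook: pidfile, command name, condition.
publish() {
    if service_running "$1" "$2"; then
        set_condition "$3" 1
    else
        set_condition "$3" 0
    fi
    get_condition "$3"
}

# Permanent rules as described in post #10: the jump into the sub chain is
# always installed; only the condition value changes at run time. The sub
# chain is where source addresses, ports etc. are compared (placeholders).
condition_rules() {
    cond="$1"; chain="$2"
    printf '%s\n' \
        "-N $chain" \
        "-A $chain -p tcp --dport 80 -s 192.0.2.0/24 -j ACCEPT" \
        "-A $chain -j RETURN" \
        "-A INPUT -m condition --condition $cond -j $chain"
}

case "${1:-}" in
    --publish) publish "$2" "$3" "$4" ;;   # e.g. --publish /var/run/mksd/mksd.pid mksd avscanner
    --rules)   condition_rules "${2:-avscanner}" "${3:-AVCHAIN}" ;;
    *)         : ;;
esac
```

Install the rules once (`sh condition.sh --rules | while read -r r; do iptables $r; done` as root), then run `--publish` periodically; the INPUT rule stays in place and traffic only reaches AVCHAIN while the condition file holds 1. Answering the privilege question from post #9: writing to /proc/net/ipt_condition/ requires root, exactly as inserting the rules does.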
 
Old 03-01-2004, 11:20 AM   #11
muath
LQ Newbie
 
Registered: Feb 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks Peter very much. I really appreciate your help.

If you wish visit my project (www.sourceforge.net/projects/linuxalarm)

It is still in early stages but I hope it to be the de facto standard in personal firewalls in Linux (remember it is GPLed and free).

Some of the problems I am trying to solve are (more of configuration and management than technical):
1- creating a CVS and checking all the code in. Some problems with ssh and sourceforge but I am about to finish them.
2- I have started a GUI with QT and use qmake. I am now trying to use automake/autoconf instead.
3- I have just learned some of the standards of GNU programming style.

So it seems to be a lot of things to be learned and LOT OF INTERESTING STUFF.

Thanks again. Regards
 