How to filter traffic using port+process in IPTables
What I really want is to develop a Zone Alarm alternative on Linux. I have started a project on sourceforge (www.sourceforge.net/projects/linuxalarm) to do such a thing but I get stuck with program access control. I have two ways to do so: 1- intercept the system call (I do not know how to do this and think it is undoable)
2- Use IPTables and try to combine it with something else. I have, in fact, developed a transparent proxy using the IPTables REDIRECT rule but there are still some problems. So I was wondering if I can do something else using IPTables.
Also in the netfilter patch-o-matic system is a condition match, allowing you to populate /proc/net/ipt_condition with something you have extracted, eg logged-on users & pids etc
Another thing. I want to avoid patching as much as I can because this is intended for end users (dummies) who do not even know the meaning of source code
The "condition" match described at http://www.netfilter.org/patch-o-mat...xtra-condition allows you to find some useful data about a process, or about logged on users or anything else you think is useful, place a reference to it in /proc/net/ipt_condition and use an iptable rule to test the condition.
I use it with log files to test if remote systems have tried to connect and then add a variable to ipt_condition. The iptable rule opens access to a special ftp server for their dynamic ip number if they have tried to connect, and closes it once the transaction has been confirmed ok by the remote.
The possibilities are endless...
You may wish to have the feature built in, & if users choose to patch, they can get extra features..
Thanks very much. It seems interesting to me. Would you please give any examples you have for this rule or any link to a place where I can find more information about it (other than the patch-o-matic which has little info).
There aren't any others I've seen, and mine is for security reasons, so it won't get listed
The match is checking for a condition true/false
so you can simply find a condition with a script, eg grep a log file for a value, either count the number of valid entries (grep -c) or prove a value is present, and then in a script eg, "did the login start the antivirus prog?"
#!/bin/sh
# Did the login start the mksd antivirus daemon? If so, raise the "name" condition.
if [ -f /var/run/mksd/mksd.pid ]; then
    PID=`awk '{print $1}' /var/run/mksd/mksd.pid`
    # count ps entries for that pid whose name contains mksd (0 if the pid is gone)
    MKSDS=`ps -p "$PID" 2>/dev/null | grep -c mksd`
    if [ "$MKSDS" -gt 0 ]; then
        touch /proc/net/ipt_condition/name
        echo 1 > /proc/net/ipt_condition/name
    else
        exit 0
    fi
fi
Mostly just build regex type testing from /proc/ variables or from tailing log files and add a variable name and then a value.
Then remove them once the condition has terminated...
I tend to have pre-existing match rules but dynamic rules in sub chains.
& in true Linux fashion, you are now at the leading edge of this option
1- What are the privileges that the program should have to access these conditions?
2- Does this come by default with IPTables or needs recompilation?
3- For your script can you please give a short explanation of what it does and how to use it in a rule? (sorry my background is Java, J2EE, web development and security and I have just started C,C++,shell scripts, ...etc so forgive me)
To insert rules, it needs to be root, (but that's only a general agreement)..
The permissions on /usr/bin/iptables determine who can use it...
It needs a kernel recompile, which would be better as a user's option if you want to make it "universal", kind of an "extra" feature..
That example isn't complete either. There's lots more..
It uses regex and shell scripting.
Both quite easy to learn (and easy to forget if not used for a while!)
That example basically finds a pid number for a process, cleans the text in awk, tests the pid against ps to prove it's mksd running and counts how many processes exist.
If one or more are running, it creates the "condition" name and gives it a true value 1.
I have a permanent rule to match the true value and pass packets into a sub chain to compare other ip details, source, port etc
It dynamically controls what ports are open if the av scanner is on/off.
There are plenty of sources to learn regex and shell scripting, a quick Google will list some..
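The check the poster describes (pid file, ps, ipt_condition flag) and the permanent rule that passes flagged packets into a sub chain, as an added example that is not the poster's script or part of the thread. CONDITION_DIR, the chain name AV_GATED and the mksd/port 21 pairing are assumptions, and the rules are printed rather than applied so the flag logic can be tried on a box without the condition patch.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ipt_condition flag in step with
# whether a daemon is alive, then gate a chain on that flag.
# Assumes the patch-o-matic "condition" match is built in. CONDITION_DIR is
# parameterised so the logic can be exercised against a scratch directory
# on a machine without the module (the thread's path is the default).
CONDITION_DIR="${CONDITION_DIR:-/proc/net/ipt_condition}"

# proc_name PID -> command name of a live process, empty if it is gone.
# /proc/PID/comm holds the (15-character-truncated) name; ps is the fallback.
proc_name() {
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"
    else ps -p "$1" -o comm= 2>/dev/null; fi
}

# set_condition NAME PIDFILE PROCNAME
# Writes 1 to $CONDITION_DIR/NAME when PIDFILE names a live process whose
# command name is PROCNAME, otherwise 0 (a stale or garbage pidfile counts
# as "not running"). Returns success (0) only when the flag was set to 1.
set_condition() {
    name=$1 pidfile=$2 procname=$3 value=0 pid=
    if [ -r "$pidfile" ]; then
        read -r pid _ < "$pidfile" || pid=
        case "$pid" in
            ''|*[!0-9]*) ;;                       # reject non-numeric contents
            *) [ "$(proc_name "$pid")" = "$procname" ] && value=1 ;;
        esac
    fi
    [ -d "$CONDITION_DIR" ] || mkdir -p "$CONDITION_DIR"   # no-op under /proc
    echo "$value" > "$CONDITION_DIR/$name"
    [ "$value" -eq 1 ]
}

# get_condition NAME -> current flag value, 0 if it was never set.
get_condition() {
    [ -r "$CONDITION_DIR/$1" ] && cat "$CONDITION_DIR/$1" || echo 0
}

# Rules that consume the flag (printed here; apply them as root with the
# module loaded): port 21 is reachable only while the "mksd" flag reads 1,
# mirroring the poster's permanent match rule plus sub chain.
print_rules() {
    cat <<'EOF'
iptables -N AV_GATED
iptables -A INPUT -p tcp --dport 21 -j AV_GATED
iptables -A AV_GATED -m condition --condition mksd -j ACCEPT
iptables -A AV_GATED -j DROP
EOF
}
```

Run set_condition from cron or a login hook so the flag follows the daemon; the kernel rule then opens or closes the port without any iptables reload.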
It is still in early stages but I hope it to be the de facto standard in personal firewalls in Linux (remember it is GPLed and free).
Some of the problems I am trying to solve are (more of configuration and management than technical):
1- creating a CVS and checking all the code in. Some problems with ssh and sourceforge but I am about to finish them.
2- I have started a GUI with QT and use qmake. I am now trying to use automake/autoconf instead.
3- I have just learned some of the standards of GNU programming style.
So it seems to be a lot of things to be learned and LOT OF INTERESTING STUFF.