LinuxQuestions.org > Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: iptables script sets wrong dynamic IP (https://www.linuxquestions.org/questions/linux-security-4/iptables-script-sets-wrong-dynamic-ip-90006/)

gundelgauk 09-06-2003 06:29 PM

iptables script sets wrong dynamic IP
 
Greetings!


I finally took the time to put together a (hopefully) neat iptables script which I intend to execute via init.d just after networking.

I have two problems with my current solution:

1) Ideally I'd start the firewall script prior to networking and not after it. However it tries to detect my outgoing interface - which is ppp0 - but fails because networking has not yet been started. Is there any way to work around this apart from removing this check from the script?

2) A far worse problem... My external IP address on ppp0 is assigned dynamically. However prior to the connection the IP on this interface is temporarily set to 192.168.1.99. As my script tries to detect ppp0's IP address and sets rules accordingly, all those rules have the wrong address in them, because the IP is changed as soon as I actually do connect. This causes my firewall to render my connection unusable. I use dial on demand so the connection is not started at boot time but rather when I first issue some request (ping, browsing, etc).

At the moment I have no other solution but to set everything to DROP at boot time and to start the firewall script manually as soon as I have got an IP address assigned. This is rather inconvenient as you might imagine. ;) Is there any way to improve the situation?

Any suggestions are greatly appreciated!


Good bye!

ppuru 09-07-2003 12:39 AM

As your ppp0 IP is assigned dynamically, you can do away with the ip checking

e.g.
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -j ACCEPT

gundelgauk 09-07-2003 05:18 AM

Thanks for the reply!

That's a solution alright! I will see through my script and alter all the rules like you told me.

I'm just wondering, is there any possibility that this will decrease my security by doing this? In other words, is there a possibility of spoofing or the like that I encourage by leaving out the IP address and only specifying the interface?

Good bye!

seabass55 09-07-2003 11:15 AM

I set my ip in iptables like so
IP=`/sbin/ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`

This still requires you to run your script after your connection

ppuru 09-08-2003 04:12 AM

--- Quote from seabass55 Post#79 ---
Is there a possibility of spoofing or the like that I encourage by leaving out the IP address and only specifying the interface?
--- UnQuote ---

Does not appear likely.
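
A complete script of the kind ppuru suggests, keyed on the interface name only, with anti-spoofing rules that address gundelgauk's question; this is an added example, not code from any poster. It assumes ppp0 is the dial-on-demand link and eth0 (hypothetical) is the LAN side, and must run as root; set IPT=echo to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from any poster): iptables rules keyed on the interface
# name, so nothing depends on the address ppp0 happens to hold. iptables accepts
# "-i ppp0" before the interface exists, so this can run ahead of the dial-up.
# Assumptions: ppp0 is the dial-on-demand link, eth0 (hypothetical) is the LAN.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
IPT=${IPT:-/sbin/iptables}      # set IPT=echo to preview instead of apply

# Source ranges that can never legitimately arrive on the dial-up interface.
# 192.168.0.0/16 also covers the 192.168.1.99 placeholder ppp0 holds before dialling.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4"

firewall_rules() {
    # Default deny inbound and forwarded traffic; allow outbound.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT

    # Anti-spoofing by interface: a packet on ppp0 claiming a private or
    # local source is forged regardless of what our own address is.
    for net in $BOGONS; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # Replies to connections we opened; valid for any address ppp0 gets.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything else arriving unsolicited on ppp0 is logged, then dropped.
    $IPT -A INPUT -i "$WAN" -m state --state NEW -j LOG --log-prefix "ppp0-new-drop: "
    $IPT -A INPUT -i "$WAN" -j DROP
}

# Apply only when explicitly asked, so sourcing the file changes nothing.
case "${1:-}" in
    apply) firewall_rules ;;
    *) echo "usage: $0 apply    (IPT=echo $0 apply to preview)" ;;
esac
```

Because the rules never mention an address, the script can be started before networking and stays valid across every redial.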

gundelgauk 09-08-2003 07:42 AM

I modified my script and took out my dynamic IP. Now I can run it just after networking has been started at boot time. I guess that's the highest amount of security I can achieve at the moment - concerning the scripts anyways... the actual rules are a different matter I suppose. ;)


Thx again for all the advice!

