LinuxQuestions.org
Old 09-06-2003, 07:29 PM   #1
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
iptables script sets wrong dynamic IP


Greetings!


I finally took the time to put together a (hopefully) neat iptables script which I intend to execute via init.d just after networking.

I have two problems with my current solution:

1) Ideally I'd start the firewall script prior to networking and not after it. However it tries to detect my outgoing interface - which is ppp0 - but fails because networking has not yet been started. Is there any way to work around this apart from removing this check from the script?

2) A far worse problem... My external IP address on ppp0 is assigned dynamically. However prior to the connection the IP on this interface is temporarily set to 192.168.1.99. As my script tries to detect ppp0's IP address and sets rules accordingly, all those rules have the wrong address in them, because the IP is changed as soon as I actually do connect. This causes my firewall to render my connection unusable. I use dial on demand so the connection is not started at boot time but rather when I first issue some request (ping, browsing, etc).

At the moment I have no other solution but to set everything to DROP at boot time and to start the firewall script manually as soon as I have got an IP address assigned. This is rather inconvenient, as you might imagine. Is there any way to improve the situation?

Any suggestions are greatly appreciated!


Good bye!
 
Old 09-07-2003, 01:39 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
As your ppp0 IP is assigned dynamically, you can do away with the ip checking

e.g.
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -j ACCEPT
 
Old 09-07-2003, 06:18 AM   #3
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Original Poster
Rep: Reputation: 30
Thanks for the reply!

That's a solution alright! I will go through my script and alter all the rules as you told me.

I'm just wondering, is there any possibility that this will decrease my security? In other words, is there a possibility of spoofing or the like that I encourage by leaving out the IP address and only specifying the interface?

Good bye!
 
Old 09-07-2003, 12:15 PM   #4
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
I set my ip in iptables like so
# old net-tools "inet addr:1.2.3.4" format; match 'inet addr' so an inet6 line is never picked up
IP=`/sbin/ifconfig eth0 | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`

This still requires you to run your script after your connection
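The ifconfig one-liner above only works once the link is up, which is exactly the dial-on-demand problem from the first post. pppd already solves the timing: every time a link comes up it runs /etc/ppp/ip-up with the interface name as $1 and the negotiated local address as $4. The hook below is an added example, not code posted in this thread: it keeps the few rules that genuinely need the address in a dedicated chain and rebuilds that chain from ip-up, so the interface-only rules can stay loaded from boot. The chain name PPP_ADDR and the iptables path are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a pppd ip-up style hook that keeps
# the rules which must embed the link's address in their own chain and rebuilds
# that chain every time the link comes up, instead of reading the address at
# boot. pppd invokes /etc/ppp/ip-up as
#   ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumptions: chain name PPP_ADDR, iptables at /sbin/iptables, and a base rule
# set (policies, state matching) that is loaded separately and interface-only.
set -eu

IPT="${IPT:-/sbin/iptables}"
CHAIN="PPP_ADDR"   # assumed name of the chain that holds address-specific rules

# Current IPv4 address of an interface from iproute2 output, for callers that
# are not pppd. Prints nothing if the interface is down or has no IPv4 address.
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i+1)); print $(i+1); exit } }'
}

# Accept only a dotted quad (octet range is not checked here) before the value
# is interpolated into an iptables command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the commands that (re)build the address-specific chain for one link.
# Nothing outside this chain hard-codes the address, so a new lease only
# requires running this again.
addr_rules() {
    iface="$1"; local_ip="$2"
    echo "$IPT -N $CHAIN 2>/dev/null || true"     # create if missing...
    echo "$IPT -F $CHAIN"                           # ...then start from empty
    # Traffic from outside that claims to come from our own address is spoofed.
    echo "$IPT -A $CHAIN -i $iface -s $local_ip -j DROP"
    # Inbound on this link must be addressed to the address we actually hold.
    echo "$IPT -A $CHAIN -i $iface ! -d $local_ip -j DROP"
    echo "$IPT -A $CHAIN -j RETURN"
    # Jump into the chain from the top of INPUT; delete first so reruns do not
    # stack duplicate jump rules.
    echo "$IPT -D INPUT -i $iface -j $CHAIN 2>/dev/null || true"
    echo "$IPT -I INPUT 1 -i $iface -j $CHAIN"
}

# Entry point when installed as /etc/ppp/ip-up: $1 is the interface, $4 the
# negotiated local address.
ip_up() {
    iface="$1"; local_ip="$4"
    if ! is_ipv4 "$local_ip"; then
        echo "ip-up: refusing to use local address '$local_ip'" >&2
        return 1
    fi
    addr_rules "$iface" "$local_ip" | sh -e
}

if [ "$#" -ge 4 ]; then
    ip_up "$@"
fi
```

Install it as /etc/ppp/ip-up (or call it from there) and make it executable; with fewer than four arguments it only defines the functions. The `! -d` rule assumes the link carries exactly one address, which is the normal case for a ppp interface. The iface_addr helper is for scripts that need the current address outside pppd's callback and replaces the ifconfig/cut chain, which also matches inet6 lines on newer systems.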
 
Old 09-08-2003, 05:12 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
--- Quote from gundelgauk ---
Is there a possibility of spoofing or the like that I encourage by leaving out the IP address and only specifying the interface?
--- UnQuote ---

Does not appear likely.
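Matching only on the interface does not weaken the rules: a spoofed packet still has to arrive on ppp0, and what an address-based rule on a single-address link was really guarding against (packets claiming an impossible source) is better handled by explicit bogon-source drops and the kernel's reverse-path filter, neither of which needs to know the current address. The script below is an added example, not from this thread or its posters; it puts ppuru's interface-only rules from post #2 together with those anti-spoofing checks so the whole rule set can be loaded from init.d before pppd ever runs. ppp0 as the external interface, eth0 as the LAN interface and /sbin/iptables as the binary path are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: an iptables script for a
# dial-on-demand ppp link that never mentions the link's own address, so it can
# be loaded from init.d before networking (and before pppd) starts.
# Assumptions: external interface ppp0, trusted LAN interface eth0, iptables at
# /sbin/iptables; override with the EXT, LAN and IPT environment variables.
set -eu

EXT="${EXT:-ppp0}"
LAN="${LAN:-eth0}"
IPT="${IPT:-/sbin/iptables}"

# Source networks that can never legitimately arrive from the Internet on the
# ppp link. Matching on the source prefix and interface name rather than on
# "our address" means the rules stay correct whatever address pppd negotiates.
BOGON_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4"

# Print the rule set, one iptables command per line. Every match is on an
# interface name or connection state; iptables accepts -i/-o for an interface
# that does not exist yet, which is what lets this run before the dial-up.
gen_rules() {
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT DROP"

    # Loopback and the trusted LAN side.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A INPUT -i $LAN -j ACCEPT"
    echo "$IPT -A OUTPUT -o $LAN -j ACCEPT"

    # Anti-spoofing on the external link (the 192.168.0.0/16 entry also covers
    # the 192.168.1.99 placeholder address ppp0 carries before it connects).
    for net in $BOGON_NETS; do
        echo "$IPT -A INPUT -i $EXT -s $net -j DROP"
    done
    echo "$IPT -A INPUT -i $EXT -m state --state INVALID -j DROP"

    # Replies to connections we opened come in; anything else from outside
    # falls through to the DROP policy. All outbound traffic on the link goes.
    echo "$IPT -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -o $EXT -j ACCEPT"
}

# How many generated rules contain a given string. Used to confirm that the
# negotiated address never has to appear anywhere in the rule set.
rules_mentioning() {
    gen_rules | grep -c -- "$1" || true
}

# Install the rules (root only) and turn on reverse-path filtering, so the
# kernel also drops packets whose source address would not route back out the
# interface they arrived on.
apply_rules() {
    gen_rules | sh -e
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        if [ -w "$f" ]; then echo 1 > "$f"; fi
    done
}

case "${1:-}" in
    print) gen_rules ;;
    apply) apply_rules ;;
esac
```

`sh firewall.sh print` shows the generated rules without touching the kernel; `sh firewall.sh apply` as root installs them. The `-m state` match is the one used in this thread and is still accepted by current iptables. Because nothing in the rule set depends on ppp0's address, the dial-on-demand connection can come up and change address as often as it likes without the firewall needing to be reloaded.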
 
Old 09-08-2003, 08:42 AM   #6
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Original Poster
Rep: Reputation: 30
I modified my script and took out my dynamic IP. Now I can run it just after networking has been started at boot time. I guess that's the highest amount of security I can achieve at the moment - concerning the scripts anyways... the actual rules are a different matter I suppose.


Thx again for all the advice!
 
  

