LinuxQuestions.org
Old 04-04-2013, 11:48 PM   #1
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

my changes in /etc/sysconfig/iptables are overwritten by an unknown process


Hi,

Could someone shed some light here?
I stopped the iptables service, then edited /etc/sysconfig/iptables, commented out some rules in filter's FORWARD and nat's POSTROUTING, saved the file, then started the iptables service. After I reopened the iptables file, I found it had mysteriously been overwritten. It seems I'm not allowed to make changes to this file. Thanks in advance.

by the way, I'm using RHEL 6.2 + KVM

Dan

Last edited by danyim; 04-04-2013 at 11:51 PM.
 
Old 04-05-2013, 01:01 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Hello,

You can put a watch on your /etc/sysconfig/iptables file using the auditctl command:

auditctl -w /etc/sysconfig/iptables -p w -k iptables-key

To see which process edited the file:

ausearch -k iptables-key



Thanks

Last edited by vishesh; 04-05-2013 at 01:06 AM.
 
Old 04-05-2013, 03:02 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Did you notice right at the top of the file:
Quote:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
 
Old 04-05-2013, 08:58 PM   #4
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
no, there is no such comment at the top of the file

only #GENERATED BY Modular IPTABLES Config

Quote:
Originally Posted by Noway2 View Post
Did you notice right at the top of the file:
 
Old 04-05-2013, 09:59 PM   #5
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Thank you... I still don't get it. Which process updated it?

Quote:
Originally Posted by vishesh View Post
Hello,

You can put watch on your /etc/sysconfig/iptables file using auditctl command

auditctl -w /etc/sysconfig/iptables -p w -k iptables-key

To watch which process edited the file

ausearch -k iptables-key

Thanks
Code:
time->Fri Apr  5 21:30:04 2013
type=CONFIG_CHANGE msg=audit(1365211804.514:46721): auid=500 ses=5 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule" key="iptables-key" list=4 res=1
----
time->Fri Apr  5 21:33:18 2013
type=CONFIG_CHANGE msg=audit(1365211998.449:46763): auid=500 ses=5 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="iptables-key2" list=4 res=1
----
time->Fri Apr  5 21:33:37 2013
type=PATH msg=audit(1365212017.935:46764): item=2 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=PATH msg=audit(1365212017.935:46764): item=1 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=PATH msg=audit(1365212017.935:46764): item=0 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=CWD msg=audit(1365212017.935:46764):  cwd="/"
type=SYSCALL msg=audit(1365212017.935:46764): arch=c000003e syscall=2 success=yes exit=4 a0=7fffa5bcef81 a1=201 a2=0 a3=0 items=3 ppid=30218 pid=30294 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:initrc_t:s0 key="iptables-key2"

Last edited by unSpawn; 04-06-2013 at 06:33 AM. Reason: //Encap. BB tags
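The audit dump quoted above already answers "which process updated it?" once the PATH and SYSCALL records of one event are read together: the PATH record names the file, and only the SYSCALL record carries pid, ppid, comm and exe. This added example (not from the thread) does that join in a shell function over a constructed sample modelled on the quoted records; the second event is a hypothetical re-run after the file was made immutable, where the same cp fails.

```shell
#!/bin/sh
# Added example: join auditd PATH and SYSCALL records so a watch such as
# "auditctl -w /etc/sysconfig/iptables -p w -k iptables-key" tells you who wrote the file.
# SAMPLE_AUDIT is constructed (modelled on the records quoted in the thread); the second
# event is hypothetical: the same cp after "chattr +i", failing with exit=-1 (EPERM).
SAMPLE_AUDIT='time->Fri Apr  5 21:33:37 2013
type=PATH msg=audit(1365212017.935:46764): item=0 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0
type=CWD msg=audit(1365212017.935:46764):  cwd="/"
type=SYSCALL msg=audit(1365212017.935:46764): arch=c000003e syscall=2 success=yes exit=4 a0=7fffa5bcef81 a1=201 a2=0 a3=0 items=3 ppid=30218 pid=30294 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="cp" exe="/bin/cp" key="iptables-key2"
----
time->Fri Apr  5 21:58:10 2013
type=PATH msg=audit(1365213490.201:46802): item=0 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0
type=CWD msg=audit(1365213490.201:46802):  cwd="/"
type=SYSCALL msg=audit(1365213490.201:46802): arch=c000003e syscall=2 success=no exit=-1 a0=7fffa5bcef81 a1=201 a2=0 a3=0 items=2 ppid=30400 pid=30410 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="cp" exe="/bin/cp" key="iptables-key2"'

# audit_writers TARGET_PATH   (reads an ausearch dump on stdin, one line per result)
# All records of one event share the serial in "audit(<time>:<serial>)". The PATH record
# says which file was opened; the SYSCALL record names the process, so the two are joined
# on the serial. On x86_64 (arch=c000003e) syscall=2 is open(2), and a1=201 is
# O_WRONLY|O_TRUNC: a truncating overwrite, not a read.
audit_writers() {
    awk -v target="$1" '
        function field(rec, name,   n, i, t, v) {   # value of name=... in one record
            n = split(rec, t, " ")
            for (i = 1; i <= n; i++)
                if (index(t[i], name "=") == 1) {
                    v = substr(t[i], length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return ""
        }
        function serial(rec) { match(rec, /:[0-9]+\)/); return substr(rec, RSTART + 1, RLENGTH - 2) }
        /^type=PATH/    { if (field($0, "name") == target) hit[serial($0)] = 1 }
        /^type=SYSCALL/ { sc[serial($0)] = $0 }
        END {
            for (id in hit) if (id in sc)
                printf "event=%s pid=%s ppid=%s comm=%s exe=%s success=%s exit=%s\n", id,
                    field(sc[id], "pid"), field(sc[id], "ppid"), field(sc[id], "comm"),
                    field(sc[id], "exe"), field(sc[id], "success"), field(sc[id], "exit")
        }' | sort
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | audit_writers /etc/sysconfig/iptables
```

cp is only the child here; the ppid value is what leads to the script that invoked it, so look that parent up (for example with ps) while it is still running, since a short-lived script will have exited by the time ausearch is consulted.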
 
Old 04-06-2013, 06:36 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,828
Blog Entries: 54

Quote:
Originally Posted by danyim View Post
I stop iptables service, then edited /etc/sysconfig/iptables, commented out some rules in filter's FORWARD and nat's POSTROUTING,saved the file, then started iptables service, after i reopen the iptables file, I found it mysteriously was overwritten. seems I'm not allow to make change to this file.
What does
Code:
grep ^IPTABLES_SAVE_ON /etc/sysconfig/iptables-config
return?
 
Old 04-06-2013, 10:31 AM   #7
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Quote:
Originally Posted by unSpawn View Post
What does
Code:
grep ^IPTABLES_SAVE_ON /etc/sysconfig/iptables-config
return?

IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
 
Old 04-06-2013, 07:34 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,828
Blog Entries: 54

OK, then try editing a copy of /etc/sysconfig/iptables (save as say /etc/sysconfig/iptables.new), then
Code:
cat /etc/sysconfig/iptables.new | iptables-restore -cvt
If the output looks OK remove the "vt" switches. This will load the "new" rule set in memory. Now sync "new" with "old":
Code:
cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables
and you should be set. *Note: if this is a remote machine, double and triple check your rule set so you don't get locked out.
 
Old 04-06-2013, 10:43 PM   #9
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Quote:
Originally Posted by unSpawn View Post
OK, then try editing a copy of /etc/sysconfig/iptables (save as say /etc/sysconfig/iptables.new), then
Code:
cat /etc/sysconfig/iptables.new | iptables-restore -cvt
If the output looks OK remove the "vt" switches. This will load the "new" rule set in memory. Now sync "new" with "old":
Code:
cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables
and you should be set. *Note: if this is a remote machine, double and triple check your rule set so you don't get locked out.
Thanks for your help... unfortunately, it doesn't work. I did what you suggested, but after I service iptables stop and start, the old config came back again. It seems there is a service/process that guards the iptables; no matter what changes I make, it just wipes out my changes and restores some secretly saved version.
 
Old 04-06-2013, 11:03 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,828
Blog Entries: 54

OK. You could try forcing an error this way: add your rules to /etc/sysconfig/iptables, save, close file. Now
Code:
chattr +iu /etc/sysconfig/iptables
and restart iptables service. If it doesn't throw any errors then at least no process would be able to modify the file either until you unset these extended attributes. It's a rather crude workaround though. *Add an entry to your admin log so you don't wonder later on why you won't be able to save changes ;-p
 
Old 04-07-2013, 11:24 PM   #11
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Quote:
Originally Posted by unSpawn View Post
OK. You could try forcing an error this way: add your rules to /etc/sysconfig/iptables, save, close file. Now
Code:
chattr +iu /etc/sysconfig/iptables
and restart iptables service. If it doesn't throw any errors then at least no process would be able to modify the file either until you unset these extended attributes. It's a rather crude workaround though. *Add an entry to your admin log so you don't wonder later on why you won't be able to save changes ;-p
Wow, that's brilliant yet brutal! Thanks a lot, it works.

BTW, by any chance can you tell what kind of process/service guards the iptables? I see "cp" in the auditctl output.
 
Old 04-08-2013, 02:20 AM   #12
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

As unSpawn implied, it'll cause the offending process(es) to fail and (hopefully ) log the error.
Then you can figure out what's going on.
The 'cp' cmd is likely the offending overwrite cmd.
 
Old 04-11-2013, 07:31 AM   #13
danyim
LQ Newbie
 
Registered: Apr 2013
Posts: 12

Original Poster
Quote:
Originally Posted by chrism01 View Post
As unSpawn implied, it'll cause the offending process(es) to fail and (hopefully ) log the error.
Then you can figure out what's going on.
The 'cp' cmd is likely the offending overwrite cmd.
I finally found the script which issues the cp command: in my iptables-config file there is one line, create-rule-file.sh; this script merges all rules into /etc/sysconfig/iptables.

Thank you all.
 
Old 04-11-2013, 04:15 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,828
Blog Entries: 54

Quote:
Originally Posted by danyim View Post
I finally found the script which issues the cp command: in my iptables-config file there is one line, create-rule-file.sh; this script merges all rules into /etc/sysconfig/iptables.
I'm sure I don't know what all firewall configuration means, but I'm pretty certain that would be a local modification and not a stock RHEL(-like) supplied one.
 
Old 04-11-2013, 11:52 PM   #15
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 1,626

A long time ago I started putting my own firewall setup in /etc/sysconfig/iptables.custom and changing the "IPTABLES_DATA=" line in /etc/sysconfig/iptables-config to point to that file. That way, any inadvertently run program that tries to set up a firewall can do whatever it likes to /etc/sysconfig/iptables, and it will have no effect at all.
 