Hi all,

I've written a firewall using iptables, but there's one aspect of it I find unsatisfying. I have a handful of applications which I run occasionally and which require open TCP ports. Ensuring that traffic on these ports is accepted is easy enough, but when the applications are not in use these ports register as "CLOSED" to external scans.

It would be much better if there was a way to DROP packets to these ports when the applications were not in use.

I suspect that the solution is to write two iptables scripts. Then I can call the more open script before running the apps in question, and call the closed script on app termination. For a smoother experience, I could then write a script to run the open script (as su), run the app (as a user), then run the closed script (as su again) so it all happens with one console command (and two password entries).

Nonetheless, I'm hoping there's a more elegant solution that I'm not aware of. Perhaps a way to use only one iptables script. That would certainly save me typing a few passwords at the very least. If you have any ideas, I'd love to hear them. Thanks!

take a look at fail2ban
they insert their own chain at the beginning of the INPUT/OUTPUT chain to which they can RETURN
within their chain they can add and remove rules on the fly

fail2ban is used to block hosts that fail to login
you could use that as a base for your application

you don't really need two iptables scripts... you just need for a single iptables command/rule to be issued when the app starts and another iptables command (deleting the issued rule) when the app stops... i've put a simple script together for you which does precisely this... i've tested it and it works, but it would still need for you to tweak it and stuff... i'm sure it has issues, but i'm posting it mainly to get the ball rolling for you...

keep in mind i'm on ubuntu, so i'm in the habit of using sudo when i need to execute something with root powers... the point being that i execute this script (let's call it example-launcher.sh) using sudo... and within the script itself sudo is used to launch the app as the regular user of choice... so the password is only needed once - to execute the script...anyhow, here it is - i tested it with firefox and it worked fine... i am aware that firefox doesn't need any open ports but well it's what i used to test...

- the script first attempts to see if the specified port is open...

- if the port seems open, it proceeds to launch the app and then exit...

- if the port doesn't seem open, it will issue a rule to open it, and then launch the app and wait... once the app exits successfully, it issues a command to delete the rule it added earlier...

it would be pretty cool to fashion this into a desktop icon that when clicked will graphically ask you for your password...

Thanks to both of you for your replies. And win32sux: Wow! Thanks! You've seriously gone above and beyond the call of duty here.

I'll test this with my apps and report any notable changes. I'll also let you know if I can swing the GUI side. Thanks again!