LinuxQuestions.org


danyim 04-04-2013 10:48 PM

my changes in /etc/sysconfig/iptables are overwritten by unknown process
 
Hi,

Could someone shed some light here?
I stopped the iptables service, then edited /etc/sysconfig/iptables, commented out some rules in filter's FORWARD and nat's POSTROUTING, saved the file, then started the iptables service. After I reopened the iptables file, I found it had mysteriously been overwritten. It seems I'm not allowed to make changes to this file. Thanks in advance.

By the way, I'm using RHEL 6.2 + KVM.

Dan

vishesh 04-05-2013 12:01 AM

Hello,

You can put a watch on your /etc/sysconfig/iptables file using the auditctl command:
Code:

auditctl -w /etc/sysconfig/iptables -p w -k iptables-key
To see which process edited the file:
Code:

ausearch -k iptables-key



Thanks

Noway2 04-05-2013 02:02 PM

Did you notice right at the top of the file:
Quote:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.

danyim 04-05-2013 07:58 PM

No, there is no such comment at the top of the file,
 
only #GENERATED BY Modular IPTABLES Config

Quote:

Originally Posted by Noway2 (Post 4925830)
Did you notice right at the top of the file:


danyim 04-05-2013 08:59 PM

Thank you... I still don't get it. Which process updated it?
 
Quote:

Originally Posted by vishesh (Post 4925476)
Hello,

You can put a watch on your /etc/sysconfig/iptables file using the auditctl command:
Code:

auditctl -w /etc/sysconfig/iptables -p w -k iptables-key
To see which process edited the file:
Code:

ausearch -k iptables-key

Thanks

Code:

time->Fri Apr  5 21:30:04 2013
type=CONFIG_CHANGE msg=audit(1365211804.514:46721): auid=500 ses=5 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="remove rule" key="iptables-key" list=4 res=1
----
time->Fri Apr  5 21:33:18 2013
type=CONFIG_CHANGE msg=audit(1365211998.449:46763): auid=500 ses=5 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="iptables-key2" list=4 res=1
----
time->Fri Apr  5 21:33:37 2013
type=PATH msg=audit(1365212017.935:46764): item=2 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=PATH msg=audit(1365212017.935:46764): item=1 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=PATH msg=audit(1365212017.935:46764): item=0 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=CWD msg=audit(1365212017.935:46764):  cwd="/"
type=SYSCALL msg=audit(1365212017.935:46764): arch=c000003e syscall=2 success=yes exit=4 a0=7fffa5bcef81 a1=201 a2=0 a3=0 items=3 ppid=30218 pid=30294 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:initrc_t:s0 key="iptables-key2"

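In the audit records above, the SYSCALL line carries the identity of the writing process and the PATH lines name the file it touched. The following example (added by the editor, not code from the thread) groups the records of one audit event by its id and decodes the open(2) flags argument, showing that /bin/cp opened the file write-only with truncation as uid 0 from a login session of uid 500 (auid). The sample input is a constructed copy of the records from the post above, trimmed to a PATH item and the SYSCALL record.

```python
import re
from collections import defaultdict

# Records printed by `ausearch -k iptables-key2` in the thread above (constructed
# copy for this added example; the 'time->' header, a PATH item and the SYSCALL record).
AUSEARCH_OUTPUT = """\
time->Fri Apr  5 21:33:37 2013
type=PATH msg=audit(1365212017.935:46764): item=0 name="/etc/sysconfig/iptables" inode=21369843 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=SYSCALL msg=audit(1365212017.935:46764): arch=c000003e syscall=2 success=yes exit=4 a0=7fffa5bcef81 a1=201 a2=0 a3=0 items=3 ppid=30218 pid=30294 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="cp" exe="/bin/cp" subj=unconfined_u:system_r:initrc_t:s0 key="iptables-key2"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial ties the records of one event together
X86_64 = "c000003e"                                   # AUDIT_ARCH_X86_64
OPEN_FLAGS = [("O_WRONLY", 0o1), ("O_RDWR", 0o2), ("O_CREAT", 0o100),
              ("O_TRUNC", 0o1000), ("O_APPEND", 0o2000)]

def parse_events(text):
    """Group the key=value records of each audit event by its event id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:                              # skips the 'time->' and '----' separator lines
            events[m.group(1)].append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events

def decode_open_flags(hexval):
    bits = int(hexval, 16)                 # ausearch prints syscall arguments in hex
    return [name for name, bit in OPEN_FLAGS if bits & bit] or ["O_RDONLY"]

def file_writers(text, watched_path):
    """One summary per event in which a process opened watched_path (x86_64 only)."""
    hits = []
    for event_id, records in parse_events(text).items():
        sc = next((r for r in records if r.get("type") == "SYSCALL"), {})
        paths = {r.get("name") for r in records if r.get("type") == "PATH"}
        # x86_64: open(2) is syscall 2 (flags in a1), openat(2) is 257 (flags in a2)
        flag_arg = {"2": "a1", "257": "a2"}.get(sc.get("syscall"))
        if flag_arg is None or watched_path not in paths or sc.get("arch") != X86_64:
            continue
        hits.append({"event": event_id, "exe": sc["exe"], "comm": sc["comm"],
                     "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                     "auid": int(sc["auid"]), "uid": int(sc["uid"]),  # login uid vs. effective uid
                     "flags": decode_open_flags(sc[flag_arg])})
    return hits

for hit in file_writers(AUSEARCH_OUTPUT, "/etc/sysconfig/iptables"):
    print(f"{hit['exe']} pid {hit['pid']} (parent {hit['ppid']}) opened the file with "
          f"{'|'.join(hit['flags'])} as uid {hit['uid']}, login uid {hit['auid']}")
```

The ppid field is the next thing to chase: `ps -o pid,ppid,cmd -p <ppid>` while the parent is alive, or a second watch keyed on its executable, names the script that ran cp.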

unSpawn 04-06-2013 05:36 AM

Quote:

Originally Posted by danyim (Post 4925451)
I stop iptables service, then edited /etc/sysconfig/iptables, commented out some rules in filter's FORWARD and nat's POSTROUTING,saved the file, then started iptables service, after i reopen the iptables file, I found it mysteriously was overwritten. seems I'm not allow to make change to this file.

What does
Code:

grep ^IPTABLES_SAVE_ON /etc/sysconfig/iptables-config
return?

danyim 04-06-2013 09:31 AM

Quote:

Originally Posted by unSpawn (Post 4926198)
What does
Code:

grep ^IPTABLES_SAVE_ON /etc/sysconfig/iptables-config
return?


IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"

unSpawn 04-06-2013 06:34 PM

OK, then try editing a copy of /etc/sysconfig/iptables (save as say /etc/sysconfig/iptables.new), then
Code:

cat /etc/sysconfig/iptables.new | iptables-restore -cvt
If the output looks OK remove the "vt" switches. This will load the "new" rule set in memory. Now sync "new" with "old":
Code:

cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables
and you should be set. *Note: if this is a remote machine, double and triple check your rule set so you don't get locked out.

danyim 04-06-2013 09:43 PM

Quote:

Originally Posted by unSpawn (Post 4926543)
OK, then try editing a copy of /etc/sysconfig/iptables (save as say /etc/sysconfig/iptables.new), then
Code:

cat /etc/sysconfig/iptables.new | iptables-restore -cvt
If the output looks OK remove the "vt" switches. This will load the "new" rule set in memory. Now sync "new" with "old":
Code:

cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables
and you should be set. *Note: if this is a remote machine, double and triple check your rule set so you don't get locked out.

Thanks for your help... unfortunately, it doesn't work. I did what you suggested, but after I `service iptables stop` and start, the old config came back again. It seems there is a service/process that guards iptables; no matter what changes I make, it just wipes out my changes and restores some secretly saved version.

unSpawn 04-06-2013 10:03 PM

OK. You could try forcing an error this way: add your rules to /etc/sysconfig/iptables, save, close file. Now
Code:

chattr +iu /etc/sysconfig/iptables
and restart the iptables service. If it doesn't throw any errors, then at least no process will be able to modify the file either until you unset these extended attributes. It's a rather crude workaround though. *Add an entry to your admin log so you don't wonder later on why you can't save changes ;-p

danyim 04-07-2013 10:24 PM

Quote:

Originally Posted by unSpawn (Post 4926619)
OK. You could try forcing an error this way: add your rules to /etc/sysconfig/iptables, save, close file. Now
Code:

chattr +iu /etc/sysconfig/iptables
and restart the iptables service. If it doesn't throw any errors, then at least no process will be able to modify the file either until you unset these extended attributes. It's a rather crude workaround though. *Add an entry to your admin log so you don't wonder later on why you can't save changes ;-p

Wow, that's brilliant yet brutal! Thanks a lot, it works.

BTW, by any chance can you tell what kind of process/service guards iptables? I see "cp" in the auditctl output.

chrism01 04-08-2013 01:20 AM

As unSpawn implied, it'll cause the offending process(es) to fail and (hopefully) log the error.
Then you can figure out what's going on.
The 'cp' cmd is likely the offending overwrite cmd.

danyim 04-11-2013 06:31 AM

Quote:

Originally Posted by chrism01 (Post 4927332)
As unSpawn implied, it'll cause the offending process(es) to fail and (hopefully) log the error.
Then you can figure out what's going on.
The 'cp' cmd is likely the offending overwrite cmd.

I finally found the script which issues the cp command: in my iptables-config file there is one line, create-rule-file.sh; this script merges all rules into /etc/sysconfig/iptables.

Thank you all.

unSpawn 04-11-2013 03:15 PM

Quote:

Originally Posted by danyim (Post 4929675)
I finally found the script which issues the cp command: in my iptables-config file there is one line, create-rule-file.sh; this script merges all rules into /etc/sysconfig/iptables.

I'm sure I don't know all the firewall configuration means, but I'm pretty certain that would be a local modification and not a stock RHEL(-like)-supplied one.

rknichols 04-11-2013 10:52 PM

A long time ago I started putting my own firewall setup in /etc/sysconfig/iptables.custom and changing the "IPTABLES_DATA=" line in /etc/sysconfig/iptables-config to point to that file. That way, any inadvertently run program that tries to set up a firewall can do whatever it likes to /etc/sysconfig/iptables, and it will have no effect at all.
