A certain machine will sometimes be on the campus net and other times on a private subnet. In the former case it needs to run a firewall and in the latter case it should not run a firewall. Back in the day, when services started with scripts out of /etc/init.d, this would have been trivial: at network startup, check the IP address after DHCP, and if em1 is in 192.168, no firewall, otherwise yes firewall. With the modern way of starting things I have no idea how to go about this. At present the iptables configuration for the campus connection is in /etc/sysconfig/iptables, and iptables starts automatically. It was set up like so after the iptables file was written:
systemctl stop firewalld
systemctl mask firewalld
systemctl disable firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables
It looks like the easiest way to do this is to
systemctl disable iptables
somewhere during the boot, but I have no idea where, and it could be that that would need to be before dhcp does its thing, which isn't going to work.
Suggestions?
Thanks.
Conditional iptables start?
Re: Conditional iptables start?
Are you using NetworkManager?
If yes, you can create a script in /etc/NetworkManager/dispatcher.d which can check which connection is in use and take necessary actions:
Code:
#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 the action.
# CONNECTION_UUID is exported by NetworkManager for the connection involved.
# The comparison needs spaces and quotes: "[ ${X}==y ]" is a one-word test
# that is always true.
if [ "${CONNECTION_UUID}" = "1024ed04-dd45-45bf-99a9-bad8f04421ae" ]
then
    systemctl stop iptables.service
    # Some other stuff here....
fi
Re: Conditional iptables start?
Or you could just code your iptables rules so they are applicable if connected either way.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Conditional iptables start?
I guess that makes the most sense. Start with the table for the campus net in
/etc/sysconfig/iptables
and then add these to start the INPUT and OUTPUT sections (forward drops everything) with
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i em1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -o em1 -j ACCEPT
I guess that should work. With both the source and the destination specified there would be no sneaking in through these rules by faking a 192.168.0.* address on the campus subnet (which isn't 192.168, so em1 would not match).
Thanks.
Re: Conditional iptables start?
Something odd fell out on testing though. Used GRC's "Shield's Up" to probe the campus interface (since I don't have access to an off-campus machine at the moment to run nmap).
It showed all ports as stealth except these 3, which were closed: 45, 111, 445.
445 comes and goes from test to test.
Code:
netstat -tulpn
showed that systemd had grabbed 111. No rpcbind is running. Enabled a rule for RPC which had been turned off, and Shield's Up now shows 111 as stealth.
nmap from another campus machine never shows anything for ports 45 or 445; it does show 111, but that's OK now.
Code:
nmap $TARGET -p 45 (or -p 445)
However, netstat doesn't show anything using ports 45 or 445. Anybody know why Shield's Up might be showing those as closed in this instance?
Another CentOS 7 machine which sometimes runs Samba has rules for 111 and 445, but no rule for 45. Shield's Up always shows all ports on that machine as stealth.
Code:
nmap $TARGET -p 45
from one to the other and vice versa shows:
Code:
PORT STATE SERVICE
45/tcp filtered mpm (tcp scan)
45/udp open|filtered mpm (udp scan)
in both directions. So why Shield's Up sees the machines differently is a mystery.
Both of these machines are CentOS 7.6.1810.
Re: Conditional iptables start?
Actually that didn't quite work. The problem was that the external /etc/sysconfig/iptables file had static destination addresses from the last campus dhcp connection. On a subsequent boot the machine received a different address and was firewalled off from everything. Since I didn't want to take the -d (campus_address) qualifiers out of the iptables rules the table needed to be dynamically rewritten.
The final solution was this:
Code:
cd /etc/NetworkManager/dispatcher.d
cat >25-iptables <<'EOD'
#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 the action.
#
# If this is on the private network the following command
# (the poster's own rule-writing script, not shown here)
# will exit with status 1 before doing anything.
# The existing /etc/sysconfig/iptables
# file will then load.
#
# On an external network it gets its name from dhcp and writes
# a new set of rules. Since iptables will then load later,
# save those.
if /etc/iptables/iptables.sh start
then
    # new rules written, save them
    iptables-save >/etc/sysconfig/iptables
else
    # do nothing, internal network
    # (bash needs at least one command here; ':' is a no-op)
    :
fi
EOD
chmod 755 25-iptables
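As an added example (not code from the thread), here is a dispatcher script that combines the two ideas above: it lives in /etc/NetworkManager/dispatcher.d like the first reply's script, but instead of matching a connection UUID it reads the address NetworkManager just assigned and only stops iptables when em1 landed in the private 192.168.0.0/24 subnet, so a fresh campus DHCP lease never leaves the firewall down. It assumes NetworkManager's documented "<interface> <action>" arguments and its IP4_ADDRESS_0 variable; the subnet and interface name are the ones used in the thread.

```shell
#!/bin/bash
# Added example (not code from the thread): a NetworkManager dispatcher script
# that decides at connection time whether iptables should run, based on the
# address NetworkManager assigned rather than a hard-coded connection UUID.
# NetworkManager runs dispatcher scripts as "<script> <interface> <action>" and
# exports IP4_ADDRESS_0 as "<addr>/<prefix> <gateway>" for the connection.

PRIVATE_NET="192.168.0.0/24"   # assumed private subnet, as used in the thread
IFACE="em1"                    # interface named in the thread

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX -> exit status 0 if ADDR lies inside NET/PREFIX
in_subnet() {
    local addr=$1 net=${2%/*} prefix=${2#*/} a n mask
    a=$(ip_to_int "$addr")
    n=$(ip_to_int "$net")
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# decide_firewall ADDR -> prints the systemctl verb for iptables.service:
# "stop" on the private subnet, "start" anywhere else (fail closed by default).
decide_firewall() {
    if in_subnet "$1" "$PRIVATE_NET"; then echo stop; else echo start; fi
}

# Only act on real NetworkManager events for the interface we care about.
case "${2:-}" in
    up|dhcp4-change)
        if [ "${1:-}" = "$IFACE" ] && [ -n "${IP4_ADDRESS_0:-}" ]; then
            addr=${IP4_ADDRESS_0%%/*}   # keep only the address part
            verb=$(decide_firewall "$addr")
            logger -t 25-iptables "$IFACE got $addr: systemctl $verb iptables"
            systemctl "$verb" iptables.service
        fi
        ;;
esac
```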