Conditional iptables start?

Issues related to configuring your network
mathog
Posts: 258
Joined: 2008/07/09 23:52:06

Conditional iptables start?

Post by mathog » 2019/02/08 17:52:14

A certain machine will sometimes be on the campus net and other times on a private subnet. In the former case it needs to run a firewall and in the latter case it should not run a firewall. Back in the day when services started with scripts out of /etc/init.d this would have been trivial: at network startup check the IP address after dhcp and if em1 is in 192.168, no firewall, otherwise yes firewall. With the modern way of starting things I have no idea how to go about this. At present the iptables configuration for the campus connection is in /etc/sysconfig/iptables, and iptables starts automatically. It was set up like so after the iptables file was written:

systemctl stop firewalld
systemctl mask firewalld
systemctl disable firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables

It looks like the easiest way to do this is to

systemctl disable iptables

somewhere during the boot, but I have no idea where, and it could be that that would need to be before dhcp does its thing, which isn't going to work.

Suggestions?

Thanks.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Conditional iptables start?

Post by hunter86_bg » 2019/02/09 15:04:06

Are you using NetworkManager ?
If yes, you can create a script in /etc/NetworkManager/dispatcher.d which can check which connection is in use and take necessary actions:

#!/bin/bash
# NetworkManager exports CONNECTION_UUID to dispatcher scripts. The comparison
# must be quoted and have spaces around the operator; written as
# ${CONNECTION_UUID}==uuid it is a single non-empty string and always true.
if [ "${CONNECTION_UUID}" = "1024ed04-dd45-45bf-99a9-bad8f04421ae" ]
then
    systemctl stop iptables.service
    # Some other stuff here....
fi

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Conditional iptables start?

Post by TrevorH » 2019/02/09 17:04:19

Or you could just code your iptables rules so they are applicable if connected either way.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mathog
Posts: 258
Joined: 2008/07/09 23:52:06

Re: Conditional iptables start?

Post by mathog » 2019/02/11 21:55:15

TrevorH wrote:
2019/02/09 17:04:19
Or you could just code your iptables rules so they are applicable if connected either way.
I guess that makes the most sense. Start with the table for the campus net in

/etc/sysconfig/iptables

and then add these to start the INPUT and OUTPUT sections (forward drops everything) with

-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i em1 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -o em1 -j ACCEPT

I guess that should work. With both the source and the destination specified there
would be no sneaking in through these rules by faking a 192.168.0.* address on
the campus subnet (which isn't 192.168, so em1 would not match.)

Thanks.

mathog
Posts: 258
Joined: 2008/07/09 23:52:06

Re: Conditional iptables start?

Post by mathog » 2019/02/11 22:48:56

Something odd fell out on testing though. Used GRC's "Shield's Up" to probe the campus interface (since I don't have access to an off campus machine at the moment to run nmap.)

It showed all ports as stealth except these 3, which were closed: 45, 111, 445.
445 comes and goes from test to test.

netstat -tulpn
Showed that systemd had grabbed 111. No rpcbind is running. Enabled a rule for RPC which had been turned off
and Shield's Up now shows 111 as stealth.

nmap from another campus machine never shows anything for ports 45 or 445, it does show 111, but that's OK now.

nmap $TARGET -p 45  (or -p 445)
However, netstat doesn't show anything using ports 45 or 445. Anybody know why Shield's Up might be showing those as closed in this instance?

Another Centos 7 machine which sometimes runs Samba has rules for 111 and 445, but no rule for 45. Shield's Up always shows all ports on that machine as stealth.

nmap $TARGET -p 45
from one to the other and vice versa shows:

PORT   STATE    SERVICE
45/tcp filtered mpm    (tcp scan)
45/udp open|filtered mpm (udp scan)
in both directions. So why Shield's Up sees the machines differently is a mystery.


Both of these machines are Centos 7.6.1810.

mathog
Posts: 258
Joined: 2008/07/09 23:52:06

Re: Conditional iptables start?

Post by mathog » 2019/02/13 23:41:34

TrevorH wrote:
2019/02/09 17:04:19
Or you could just code your iptables rules so they are applicable if connected either way.
Actually that didn't quite work. The problem was that the external /etc/sysconfig/iptables file had static destination addresses from the last campus dhcp connection. On a subsequent boot the machine received a different address and was firewalled off from everything. Since I didn't want to take the -d (campus_address) qualifiers out of the iptables rules the table needed to be dynamically rewritten.

The final solution was this:

cd /etc/NetworkManager/dispatcher.d
cat >25-iptables <<'EOD'
#!/bin/bash
#  If this is on the private network the following command
#  will exit with status 1 before doing anything.
#  The existing /etc/sysconfig/iptables
#  file will then load.
#
#  On an external network it gets its name from dhcp and writes
#  a new set of rules.  Since iptables will then load later
#  save those
if /etc/iptables/iptables.sh start
then
   # new rules written, save them
   iptables-save >/etc/sysconfig/iptables
else
   # do nothing, internal network
   # (":" is the shell no-op; bash rejects an else branch
   # that contains nothing but a comment)
   :
fi
EOD
chmod 755 25-iptables
Where /etc/iptables/iptables.sh checks the IP address at startup. If it sees a campus address it loads a whole new set of iptables rules and exits with status 0. Otherwise it exits immediately with status 1. Since iptables will start up after this (I believe) the dispatcher script saves the current rules if it wrote them. If it boots on an internal network there are already "wide open" rules in any set of rules that are written, so no need to do anything but let the boot continue.
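An added example, not code from the thread or from any of its posters, that pulls together hunter86_bg's dispatcher suggestion, the private-subnet INPUT/OUTPUT rules from the 2019/02/11 post, and the final 25-iptables solution. It decides from em1's current address whether the host is on 192.168.0.0/24 or on the campus net and regenerates /etc/sysconfig/iptables on every "up" event, so the -d campus-address rules never carry a stale address from an earlier DHCP lease. Interface name, subnet and file path are the thread's; the campus port list (ssh only) and the 198.51.100.x test addresses are constructed assumptions, and the script would be installed as /etc/NetworkManager/dispatcher.d/25-iptables.

```shell
#!/bin/bash
# Added example (not from the thread). NetworkManager dispatcher script that:
#  1. acts only when em1 comes up,
#  2. decides from em1's address whether we are on the private subnet or on
#     the campus network,
#  3. regenerates /etc/sysconfig/iptables each time, so "-d <campus address>"
#     rules always use the address DHCP handed out this time.
set -u

IFACE="em1"
PRIVATE_NET="192.168.0.0/24"
RULES_FILE="/etc/sysconfig/iptables"
CAMPUS_TCP_PORTS="22"          # assumption: only ssh is reachable from campus

# Dotted-quad IPv4 address -> 32-bit integer, using POSIX sh arithmetic only.
ip4_to_int() {
    local a="$1" o1 o2 o3 o4
    o1=${a%%.*}; a=${a#*.}
    o2=${a%%.*}; a=${a#*.}
    o3=${a%%.*}; o4=${a#*.}
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 if ADDR lies inside NET/PREFIX, else 1.
# A real mask comparison, so it works for any prefix length, not just /24.
in_cidr() {
    local addr net prefix mask
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# render_rules ADDR: print an iptables-restore ruleset for the given em1 address.
# Private subnet: accept traffic between 192.168.0.0/24 hosts on em1 in both
# chains (note -o, not -i, in the OUTPUT chain; iptables rejects -i there).
# Campus: accept only the listed TCP services, and only when addressed to the
# address DHCP just assigned, which is why the file must be regenerated.
render_rules() {
    local addr="$1" p
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if in_cidr "$addr" "$PRIVATE_NET"; then
        echo "-A INPUT -s $PRIVATE_NET -d $PRIVATE_NET -i $IFACE -j ACCEPT"
        echo "-A OUTPUT -s $PRIVATE_NET -d $PRIVATE_NET -o $IFACE -j ACCEPT"
    else
        for p in $CAMPUS_TCP_PORTS; do
            echo "-A INPUT -d $addr -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        echo "-A OUTPUT -s $addr -o $IFACE -j ACCEPT"
    fi
    echo 'COMMIT'
}

# Dispatcher entry point. NetworkManager runs dispatcher scripts as
# SCRIPT IFACE ACTION and exports IP4_ADDRESS_0 ("address/prefix gateway")
# and CONNECTION_UUID (the key hunter86_bg's script matches on instead).
dispatch() {
    local iface="$1" action="$2" addr
    [ "$iface" = "$IFACE" ] && [ "$action" = "up" ] || return 0
    addr="${IP4_ADDRESS_0:-}"
    addr="${addr%%/*}"
    if [ -z "$addr" ]; then   # fall back to asking the kernel
        addr=$(ip -4 -o addr show dev "$iface" | awk '{print $4}')
        addr="${addr%%/*}"
    fi
    render_rules "$addr" > "$RULES_FILE"   # iptables.service reloads this at boot
    iptables-restore < "$RULES_FILE"      # and apply it right now
}

# Only dispatch when NetworkManager passes the two arguments; running or
# sourcing the file bare just defines the functions above.
if [ $# -ge 2 ]; then
    dispatch "$@"
fi
```

Because the ruleset is rendered from the address on every "up" event, the stale-address failure from the 2019/02/13 post cannot recur, and a private-subnet boot no longer depends on whatever happened to be left in the file last time.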
