• Is this even POSSIBLE?

    From linux_forum1@21:1/5 to All on Thu Jan 6 19:00:01 2022
    Hello, I have 2 questions if that's OK.

    INPUT DROP
    FORWARD DROP
    OUTPUT DROP

    -N Block
    -N Logger
    -A INPUT -j Block
    -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
    -A Logger -j LOG --log-level 4
    -A Logger -j DROP

    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT

    There will be more rules in Block, but I just want to understand the logic.

    1.) How is -A INPUT -j Block possible before there are any rules appended to Block, does that mean iptables first searches and assembles all rules that belong to custom chains regardless of order? Same for Logger.

    2.)
    Would this be OK to log and drop all rules in Block?
    I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG -> Logger -> DROP

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dan Ritter@21:1/5 to All on Thu Jan 6 20:00:01 2022
    linux_forum1 wrote:
    Hello, I have 2 questions if that's OK.

    INPUT DROP
    FORWARD DROP
    OUTPUT DROP

    -N Block
    -N Logger
    -A INPUT -j Block
    -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
    -A Logger -j LOG --log-level 4
    -A Logger -j DROP

    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT

    There will be more rules in Block, but I just want to understand the logic.

    1.) How is -A INPUT -j Block possible before there are any rules appended to Block, does that mean iptables first searches and assembles all rules that belong to custom chains regardless of order? Same for Logger.

    Everything has an order. You can turn on line numbers and see
    the order.

    Creating a chain (Block, Logger) does not put it into order.

    The jump (-j) to Block, from INPUT, places the chain in order.

    I note that you don't have a rule in Block to actually drop
    packets, and you do have a rule in Logger that drops packets.
    That seems... problematic to me.

    2.)
    Would this be OK to log and drop all rules in Block?
    I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG -> Logger -> DROP

    In general, you can jump as many times as you like as long as
    you don't go in a circle. Note that -j LOG continues processing
    on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
    ends without ACCEPT, DROP or REJECT happening, then when it ends
    execution picks up at the next statement in order following the
    jump to that chain.

    Does that help?

    -dsr-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From linux_forum1@21:1/5 to Dan Ritter on Thu Jan 6 21:20:01 2022
    Hello Dan!

    Thank you so much for the reply!

    Yes that helps a lot, but I have 2 follow-up questions if you don't mind haha.

    1.) When you say " -A INPUT -j Block puts the chain in order", you mean that at this point iptables will look for any rules appended to the Block chain, no matter where they are? This would make sense because then the order wouldn't matter and you can jump to a chain in the beginning, whose rules are defined at the bottom for example.

    2.) I want to log when one of these rules gets matched.
    (It's 30 - 40 rules in total)

    -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A Block -s 169.254.0.0/16 -j DROP
    -A Block -s 172.16.0.0/12 -j DROP
    -A Block -s 192.0.2.0/24 -j DROP
    .
    .

    This is my solution:

    -A INPUT -j Block
    -A FORWARD -j Block

    -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Logger
    -A Block -s 169.254.0.0/16 -j Logger
    -A Block -s 172.16.0.0/12 -j Logger
    -A Block -s 192.0.2.0/24 -j Logger

    Then in Logger it gets logged and dropped.

    I considered this, but was told the above is better.

    -A INPUT -j Block
    -A FORWARD -j Block

    -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG
    -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A Block -s 169.254.0.0/16 -j LOG
    -A Block -s 169.254.0.0/16 -j DROP
    -A Block -s 172.16.0.0/12 -j LOG
    -A Block -s 172.16.0.0/12 -j DROP
    .
    .

    Is there a better way? Thanks again.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
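    Added example, not from either poster: a small Python model of the chain traversal Dan describes (LOG is non-terminating, a user chain that ends without a verdict returns to the rule after the jump, the built-in policy applies only when the whole walk ends undecided), loaded with the Block/Logger rule set from the follow-up post. The packet dictionaries, the "Block: " log prefix and the abbreviated rule list are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Terminal targets end the walk for the whole packet, however deep the jump stack.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def matches(rule, pkt):
    """A rule matches when every condition it carries holds for the packet."""
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    # --tcp-flags SYN,RST SYN,RST: both bits must be set; non-TCP packets carry no flags
    if "flags" in rule and not rule["flags"] <= pkt.get("flags", set()):
        return False
    if "iif" in rule and rule["iif"] != pkt.get("iif"):
        return False
    return True

def walk(chains, chain, pkt, log):
    """Walk one chain in rule order; return a terminal verdict, or None if it fell off the end."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":            # non-terminating: record and go on to the next rule
            log.append(rule.get("prefix", "") + pkt["src"])
        elif target in TERMINAL:
            return target
        else:                          # -j <user chain>: recurse, then resume after the jump
            verdict = walk(chains, target, pkt, log)
            if verdict is not None:
                return verdict
    return None

def filter_packet(chains, policy, pkt):
    """Verdict for a packet entering INPUT, falling back to the chain policy; plus log lines."""
    log = []
    verdict = walk(chains, "INPUT", pkt, log)
    return (verdict if verdict is not None else policy), log

# The poster's rule set in the order it was written (constructed, abbreviated).
CHAINS = {
    "INPUT": [{"target": "Block"}, {"iif": "lo", "target": "ACCEPT"}],
    "Block": [
        {"flags": {"SYN", "RST"}, "target": "Logger"},
        {"src": "169.254.0.0/16", "target": "Logger"},
        {"src": "172.16.0.0/12", "target": "Logger"},
    ],
    "Logger": [{"target": "LOG", "prefix": "Block: "}, {"target": "DROP"}],
}
INPUT_POLICY = "DROP"
```

    A loopback packet that matches nothing in Block comes back to INPUT and hits the `-i lo` ACCEPT rule, while a packet that matches nothing anywhere ends at the INPUT policy; both walks are visible in the returned log list being empty.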