os6.2 iptables entries question
2014-12-18
07:31 AM
os6.2 iptables entries question
I'm thinking of setting up knocking. I notice that the iptables on my os6.2 system has ACCEPT entries for the major ports used by the NAS (22, 80, 443, etc). There is no DROP rule so these entries are not really doing anything but I'm curious how they got there. On boot something must be setting these up but I cannot find it. Can someone point me to where that is?
Message 1 of 3
2014-12-21
08:47 PM
Re: os6.2 iptables entries question
No one? Well, I don't see where they are added but I poked around at the os6.2 configuration and it seems the box is using connman exclusively to set up the network. This means none of the scripts in /etc/network/if* are even invoked. The dbus connection is beyond me and I don't feel like researching it. So where's a good place to call iptables-restore? I can't find one so I'm thinking of adding a script to init.d since that has dependency rules.
There are not very many features built into os6.2 iptables, so all I can really do is close all non-LAN port 22 and then use knockd to open specific client machines. But without state or conntrack I have to leave them open and manually close later, unless someone knows how to detect state with what is in os6.2.
steve
Message 2 of 3
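The ruleset the post is working toward, as an added example that is not from this thread or from ReadyNAS OS 6: a small init.d-style script that generates an iptables-restore file and loads it. It deliberately uses only matches the thread's own rule dump shows the box has (interface, `-p tcp -m tcp --dport`) plus the always-available `-s` source match, so it needs neither the state nor the conntrack module. The LAN range 192.168.1.0/24, the path /etc/iptables.rules and the function names are assumptions for this example; bond0 is the interface from the thread.

```shell
#!/bin/sh
# Added example, not ReadyNAS/OS6 code: restrict sshd to the LAN without
# state/conntrack matches, leaving knockd to open it per client.
# Assumptions (constructed for this example): LAN is 192.168.1.0/24,
# the NAS interface is bond0, the ruleset is kept in /etc/iptables.rules.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
IFACE="${IFACE:-bond0}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# build_rules LAN_CIDR IFACE: print an iptables-restore ruleset on stdout.
# Order matters: LAN clients are accepted first, then everything else to
# port 22 is dropped. knockd is expected to insert (-I) its per-client
# ACCEPT rules at the top of INPUT, i.e. ahead of the DROP. Rules the
# system appends later (-A) land behind the DROP and never see port-22
# traffic from outside the LAN.
build_rules() {
    lan="$1"; ifc="$2"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $ifc -s $lan -p tcp -m tcp --dport 22 -j ACCEPT" \
        "-A INPUT -i $ifc -p tcp -m tcp --dport 22 -j DROP" \
        'COMMIT'
}

# apply_rules: write the ruleset and load it atomically. iptables-restore
# replaces the whole filter table, so any rules another component added
# earlier are cleared at the same time. Non-zero on failure so the init
# system reports it.
apply_rules() {
    build_rules "$LAN_CIDR" "$IFACE" > "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# Init-script entry point. Only acts on "start"/"stop", so sourcing this
# file for its functions has no side effects.
case "${1:-}" in
    start) apply_rules ;;
    stop)  iptables -F INPUT ;;   # back to the all-accept default
esac
```

Run it as `sh /etc/init.d/local-firewall start` (or from whatever init hook the box honours); `build_rules 192.168.1.0/24 bond0` on its own prints the ruleset for inspection before it is loaded. The open-then-close problem the post raises has a non-conntrack answer in knockd itself: its `start_command`, `cmd_timeout` and `stop_command` options run an `iptables -D` for the client after a fixed number of seconds, which bounds how long a knocked-open hole stays open without any state tracking on the NAS.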
2014-12-26
09:55 AM
Re: os6.2 iptables entries question
I did not find what was setting these default rules:
-A INPUT -i bond0
-A INPUT -i bond0 -p tcp -m tcp --dport 22
-A INPUT -i bond0 -p tcp -m tcp --sport 22
-A INPUT -i bond0 -p tcp -m tcp --dport 80
-A INPUT -i bond0 -p tcp -m tcp --sport 80
-A INPUT -i bond0 -p tcp -m tcp --dport 443
-A INPUT -i bond0 -p tcp -m tcp --sport 443
-A INPUT -i bond0 -p tcp -m tcp --dport 445
-A INPUT -i bond0 -p tcp -m tcp --sport 445
-A INPUT -i bond0 -p tcp -m tcp --dport 2049
-A INPUT -i bond0 -p tcp -m tcp --sport 2049
-A INPUT -i bond0 -p tcp -m tcp --dport 548
-A INPUT -i bond0 -p tcp -m tcp --sport 548
-A INPUT -i bond0 -p tcp -m tcp --dport 3260
-A INPUT -i bond0 -p tcp -m tcp --sport 3260
-A INPUT -i bond0 -p tcp -m tcp --dport 25
-A INPUT -i bond0 -p tcp -m tcp --sport 25
-A OUTPUT -o bond0
-A OUTPUT -o bond0 -p tcp -m tcp --sport 22
-A OUTPUT -o bond0 -p tcp -m tcp --dport 22
-A OUTPUT -o bond0 -p tcp -m tcp --sport 80
-A OUTPUT -o bond0 -p tcp -m tcp --dport 80
-A OUTPUT -o bond0 -p tcp -m tcp --sport 443
-A OUTPUT -o bond0 -p tcp -m tcp --dport 443
-A OUTPUT -o bond0 -p tcp -m tcp --sport 445
-A OUTPUT -o bond0 -p tcp -m tcp --dport 445
-A OUTPUT -o bond0 -p tcp -m tcp --sport 2049
-A OUTPUT -o bond0 -p tcp -m tcp --dport 2049
-A OUTPUT -o bond0 -p tcp -m tcp --sport 548
-A OUTPUT -o bond0 -p tcp -m tcp --dport 548
-A OUTPUT -o bond0 -p tcp -m tcp --sport 3260
-A OUTPUT -o bond0 -p tcp -m tcp --dport 3260
-A OUTPUT -o bond0 -p tcp -m tcp --sport 25
-A OUTPUT -o bond0 -p tcp -m tcp --dport 25
It seems that something on the system can re-add the default iptables rules. After a day or so I saw them reappear in iptables. Fortunately it appends them, so they come after the ones I set up. If anyone has any clue what script/component in the system is setting them, please let me know. I'm thinking it is buried in connman, since I see connman has some iptables support in the source code, but I haven't found where it is configured yet.
steve
Message 3 of 3
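Since the post shows rules reappearing unannounced, the check a practitioner would want is one that notices when the live INPUT chain drifts from the ruleset that was loaded, and in particular whether anything ended up ahead of the port-22 DROP rather than behind it. The script below is an added example, not from this thread or from ReadyNAS OS 6; it compares two files in `iptables -S INPUT` form. The sample baseline and "current" chain are constructed for the example (the re-added lines copy the target-less `-A INPUT -i bond0 ...` shape from the post's dump), and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not ReadyNAS/OS6 code: detect rules that some other
# component added to the INPUT chain, and flag any ACCEPT for the guarded
# port that is reachable from anywhere and sits ahead of the DROP.
# Inputs are files in "iptables -S INPUT" format (one rule per line).

# unexpected_rules BASELINE_FILE CURRENT_FILE
# Print every line of CURRENT that does not appear verbatim in BASELINE.
# -F -x: fixed-string, whole-line match, so rule text is never treated as a regex.
unexpected_rules() {
    grep -v -x -F -f "$1" "$2" || true
}

# unguarded_accepts CURRENT_FILE PORT
# Print ACCEPT rules for --dport PORT that carry no -s source restriction
# and come before the DROP for that port. If there is no DROP at all,
# every such ACCEPT is printed, which is the right answer in that case too.
unguarded_accepts() {
    awk -v port="$2" '
        $0 ~ ("--dport " port "( |$)") && /-j DROP/   { exit }
        $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !/ -s / { print }
    ' "$1"
}

# check_drift BASELINE_FILE CURRENT_FILE [PORT]
# Exit 0 when the chain matches the baseline and the port is still guarded,
# 1 otherwise, printing what was found. Suitable for a cron job whose
# non-zero exit is what you alert on.
check_drift() {
    port="${3:-22}"
    extra="$(unexpected_rules "$1" "$2")"
    loose="$(unguarded_accepts "$2" "$port")"
    status=0
    if [ -n "$extra" ]; then
        printf 'rules not in baseline:\n%s\n' "$extra"
        status=1
    fi
    if [ -n "$loose" ]; then
        printf 'ACCEPT for port %s from anywhere ahead of the DROP:\n%s\n' "$port" "$loose"
        status=1
    fi
    return "$status"
}

# make_samples: write a constructed baseline and a constructed "current"
# chain (baseline plus two re-added, target-less rules appended at the end,
# as seen in the thread) into a temp dir and print the dir name.
make_samples() {
    dir="$(mktemp -d)"
    cat > "$dir/baseline" <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i bond0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j DROP
EOF
    cat > "$dir/current" <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i bond0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i bond0 -p tcp -m tcp --dport 22
-A INPUT -i bond0 -p tcp -m tcp --dport 80
EOF
    printf '%s\n' "$dir"
}
```

On the NAS itself the two inputs would be the saved copy made right after loading your ruleset (`iptables -S INPUT > /etc/iptables.baseline`) and a fresh `iptables -S INPUT` taken by cron; `check_drift /etc/iptables.baseline /tmp/current` then reports the re-added rules, and its second check confirms that they landed behind the DROP rather than in front of it, which is the only outcome in which their reappearance is harmless.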