Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Modify iptables rules on interface state changes...
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Tue Mar 31, 2015 1:58 pm    Post subject: Modify iptables rules on interface state changes... Reply with quote

I am trying to figure out the best way to modify iptables rules when an interface comes up or goes down. I use NetworkManager. For VPN (ppp) connections this is simple. I simply add a small script to add or remove the rules to /etc/ppp.d/ip-up.d or /etc/ppp.d/ip-down.d and all is good. How can I do this with both my wired and wireless connections? I always allow all traffic on loopback, of course.

Just to be clear, what I am looking for is for everything to be dropped except loopback traffic. Once the wired (enp0s25) and wireless (wlp12s0) interfaces come up, rules are added for them individually. If I bring down the wireless, such as with the switch on the side of my PC, those rules are deleted. If I turn it on again, the rules are added again. How can I do this?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3104

PostPosted: Tue Mar 31, 2015 6:07 pm    Post subject: Reply with quote

Quote:
Just to be clear, what I am looking for is for everything to be dropped except loopback traffic
Well... Don't bring your interfaces up?

Or use this:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT ACCEPT -i lo
iptables -A OUTPUT ACCEPT -o lo


I've just noticed I have accidentaly made high-speed train 8)
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Tue Mar 31, 2015 8:11 pm    Post subject: Reply with quote

What I meant was drop everything by default except on lo. Once something like enp0s25 comes up, apply rules which allow everything out, but only SMB and SSH in. I know how to write the rules, but I do not know how to apply them when an interface changes its state.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Tue Mar 31, 2015 8:40 pm    Post subject: Reply with quote

So you want... disabling the wireless to also remove your wired network access?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Tue Mar 31, 2015 8:59 pm    Post subject: Reply with quote

No, I have a set of rules for each interface. For example, I only allow SSH on my wired interface since my wireless interface is normally used while on the go and at public places. Same for SMB.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Tue Mar 31, 2015 9:27 pm    Post subject: Reply with quote

What are you trying to achieve exactly that requires this deleting of rules every time an interface is down? What problem are you currently having by leaving them there as the first reply suggests?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Tue Mar 31, 2015 10:02 pm    Post subject: Reply with quote

A lot of times I do not have my wireless active. During this time, the rules for my WLAN are still active. On other distros if I applied a rule for an interface which did not exist, I got a warning. I was just trying to fix those being logged.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 21490

PostPosted: Wed Apr 01, 2015 12:06 am    Post subject: Reply with quote

No warnings should be generated by iptables for missing interfaces. Perhaps you should tell us what is logging the junk warnings so we can help you fix that.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Wed Apr 01, 2015 1:25 am    Post subject: Reply with quote

I'll check. They may not be logged in Gentoo. In Debian I would get a warning about the interface not existing. I may have been attempting to stomp a bug that didn't exist in Gentoo.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Wed Apr 01, 2015 12:14 pm    Post subject: Reply with quote

If you use dhcpcd to manage your interfaces, dhcpcd will call out to dhcpcd-run-hooks(8) for each state transition so you can manage your iptable modifications in /etc/dhcpcd.exit-hook.
dhcpcd can also run this for your ppp interfaces allowing you to centralise this.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3104

PostPosted: Wed Apr 01, 2015 6:40 pm    Post subject: Reply with quote

I really don't know why you're trying to write rules for every single interface and only apply it when interface is active. Rules for inactive interfaces do nothing anyway as there is no traffic they can filter. What's the problem?
You want to blok everything? Good, just do that. Don't block eth0, then wlan0, then tap0. Just block all incoming traffic instead of checking it's source and if condition matches then block it, and if it doesn't match, block it anyway.
If you want to block all incoming traffic except for ssh, then be it.
iptables -A INPUT --dport 22 -j ACCEPT
will let ssh in.
iptables -P INPUT DROP
will still keep all other traffic away.

Generic over specific and keep things simple. Well, at least unless you're not doing it just for the sake of doing it.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum