Networking Forums

Iptables rule ID

drg
02-22-2006, 02:07 AM
Hello to everyone.
I was working a few months ago on a FreeBSD system, using IPFW for
filtering packets. At first it seemed annoying having to type a rule ID
but later I found it useful. For those of you who don't know ipfw's
syntax, it goes something like this:

ipfw add 3426 allow all from any to 192.168.0.0/24

The 3426 is an arbitrary rule ID, and the kernel uses this number to
check the rules in sequence.

I would like to know: is there a way to do such a thing with iptables?
I need to identify some rules that are created on the fly by a script,
from a database. That is, with an ID field of a database I would like
to create rules and have some way to match them back to the database. I
can't use the IP or MAC address because both can change, but the rule
ID won't, and that's what I need.

Regards,
Hernan


Robby Workman
02-22-2006, 02:09 AM
On 2006-02-22, drg <(E-Mail Removed)> wrote:
> Hello to everyone.
> I was working a few months ago on a FreeBSD system, using IPFW for
> filtering packets. At first it seemed annoying having to type a rule ID
> but later I found it useful. For those of you who don't know ipfw's
> syntax, it goes something like this:
>
> ipfw add 3426 allow all from any to 192.168.0.0/24
>
> The 3426 is an arbitrary rule ID, and the kernel uses this number to
> check the rules in sequence.
>
> I would like to know: is there a way to do such a thing with iptables?
> I need to identify some rules that are created on the fly by a script,
> from a database. That is, with an ID field of a database I would like
> to create rules and have some way to match them back to the database. I
> can't use the IP or MAC address because both can change, but the rule
> ID won't, and that's what I need.



Perhaps --comment would do what you want...

RW

--

http://rlworkman.net

Grant
02-22-2006, 02:21 AM
On 21 Feb 2006 18:07:48 -0800, "drg" <(E-Mail Removed)> wrote:

>ipfw add 3426 allow all from any to 192.168.0.0/24
>
>The 3426 is an arbitrary rule ID, and the kernel uses this number to
>check the rules in sequence.
>
>I would like to know: is there a way to do such a thing with iptables?


There's a comment option in 2.6.recent kernels that I've not used.

>I need to identify some rules that are created on the fly by a script,
>from a database. That is, with an ID field of a database I would like
>to create rules and have some way to match them back to the database.


The method I use is to implement named chains for things, an example:
....
# install_input_recent_filter name action_new dwell_secs
# Builds two chains: <name>new for the first packet seen from a source (logged,
# source recorded in the "recent" list <name>, then handed to action_new) and
# <name>dup for sources seen again within dwell_secs (logged, dropped).
install_input_recent_filter()
{
    report " $1 "                      # report: progress helper defined elsewhere in the script
    local new="${1}new"
    local dup="${1}dup"
    iptables -N "$new"
    iptables -A "$new" -j $LOGGED "InpDrop $new "   # $LOGGED (defined elsewhere) expands to the LOG target plus its prefix option
    iptables -A "$new" -m recent --name "$1" --set -j "$2"   # remember the source, then jump to action_new
    iptables -N "$dup"
    iptables -A "$dup" -j $LOGGED "InpDrop $dup "
    iptables -A "$dup" -j DROP
    # appended to INPUT before the per-port rules below, so a repeat within dwell_secs
    # reaches <name>dup and never gets sent to <name>new again
    iptables -A INPUT -m recent --name "$1" --rcheck --seconds "$3" -j "$dup"
}
....
# msft exploit garbage disposal
# ($MSJUNK1, $MSJUNK2, $MDPORT and the ireject chain are set up in the elided part of the script)
install_input_recent_filter msft ireject 3600
iptables -A INPUT -p tcp --dport $MSJUNK1 -j msftnew
iptables -A INPUT -p udp --dport $MSJUNK1 -j msftnew
iptables -A INPUT -p tcp $MDPORT $MSJUNK2 -j msftnew
iptables -A INPUT -p udp $MDPORT $MSJUNK2 -j msftnew
....

leads to:
Chain msftdup (1 references)
pkts bytes target prot opt in out source destination
301 24450 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `InpDrop msftdup '
301 24450 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain msftnew (4 references)
pkts bytes target prot opt in out source destination
217 35974 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `InpDrop msftnew '
217 35974 ireject all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: msft side: source

and summarised as:

Classify unwanted junk:
92 repeated MSFT exploit ports
49 MSFT exploit ports
21 dropped for web traffic calming
5 probe from privileged port
3 random ports
2 attempted login
2 repeated probe from privileged port
2 repeated random ports

as well as:

Top 10 offenders by host, port:
hits code host address ports
30 AU 220.240.112.185 24 445/tcp, 6 139/tcp
21 US 66.249.72.102 21 80/tcp
18 AU 220.240.112.13 10 445/tcp, 8 139/tcp
16 AU 220.240.253.80 12 445/tcp, 4 139/tcp
10 AU 220.240.149.25 8 445/tcp, 2 139/tcp
8 AU 220.240.220.51 5 445/tcp, 3 139/tcp
5 US 204.16.208.67 3 1027/udp, 2 1026/udp
4 CN 222.171.27.36 2 1027/udp, 2 1026/udp
4 AU 220.240.44.170 2 445/tcp, 2 139/tcp
3 CN 221.224.202.1 3 139/tcp

Easy? So what is it you're trying to do? iptables is flexible; works for me.

Cheers,
Grant.
--
http://bugsplatter.mine.nu/
--
.... The computer scientist, who had listened to all of this said,
"Yes, but where do you think the chaos came from?"
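Because each of Grant's named chains logs with its own prefix ("InpDrop msftnew ", "InpDrop msftdup "), the chain name is the category in the kernel log, and the "Classify unwanted junk" and "Top 10 offenders" tables above are a short awk pass away. The following is an added example, not Grant's own reporting script. It assumes the standard field layout of iptables LOG lines (SRC=, PROTO=, DPT=) read from stdin (journalctl -k, dmesg or /var/log/kern.log); the country-code column is left out.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG lines whose prefix
# is "InpDrop <chain> " into per-chain and per-offender hit counts.

# count_by_chain: hits per chain, most frequent first ("<count> <chain>").
# The chain name is the word right after "InpDrop" in the log prefix.
count_by_chain() {
    awk '
        /InpDrop / {
            for (i = 1; i < NF; i++)
                if ($i == "InpDrop") { hits[$(i + 1)]++; break }
        }
        END { for (c in hits) printf "%d %s\n", hits[c], c }' | sort -rn
}

# top_offenders [N]: hits per source address and destination port, most
# frequent first ("<count> <src> <dport>/<proto>"), at most N lines (default 10)
top_offenders() {
    awk '
        /InpDrop / {
            src = ""; dpt = ""; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (src != "") hits[src " " dpt "/" proto]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }' | sort -rn | head -n "${1:-10}"
}

# Typical use (not run here):
#   journalctl -k | count_by_chain
#   grep 'InpDrop' /var/log/kern.log | top_offenders 10
```

Ties are printed in whatever order sort leaves them; add a secondary key if the report has to be stable between runs.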

drg
02-22-2006, 03:24 AM
Well, what I want is to make and delete rules on the fly.

When a user tries to browse the net, he gets redirected to a web page
asking him for a user/pass. He then enters this info and, if it's
correct, a rule is created with his current IP address and MAC address.
He can then browse freely for a few days or until an inactivity counter
times out.
If someone tries to use the same pass, the rule is deleted and
re-created, so the old address will get blocked again. Much like
Mikrotik's web-based authentication.

The rules are also used for bandwidth limiting/traffic shaping,
so I cannot use Squid's authentication.
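Robby's --comment suggestion, applied to the login flow drg describes (authenticate, allow the client's IP and MAC, mark its traffic for shaping, and on re-login from elsewhere delete and re-create), as an added example that is not from the thread. It assumes a user chain named PORTAL in the filter table (jumped to from FORWARD), a MARK rule in mangle/PREROUTING that feeds tc, and comment tags of the form dbid=<database row id>; those names are illustrative. The tag is the only key: iptables-save is searched for it and iptables-restore --noflush applies the resulting -D lines, so the old IP and MAC never have to be stored. It needs the comment match (ipt_comment/xt_comment, the 2.6 option Grant mentions).

```shell
#!/bin/sh
# Added example (not code from the thread). Every rule the portal script creates
# carries "-m comment --comment dbid=<ID>", <ID> being the database row id, so the
# rule can be found and removed by that id alone after the client's IP or MAC has
# changed. Assumed names: chain PORTAL (filter) and a MARK rule in mangle/PREROUTING.
# The three binaries can be overridden for dry runs and tests.

IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
CHAIN="${CHAIN:-PORTAL}"

# grant_client ID IP MAC MARK: let the freshly authenticated client through and
# mark its packets for the shaper; both rules are tagged with its database id
grant_client() {
    "$IPTABLES" -A "$CHAIN" -s "$2" -m mac --mac-source "$3" \
        -m comment --comment "dbid=$1" -j ACCEPT
    "$IPTABLES" -t mangle -A PREROUTING -s "$2" -m mac --mac-source "$3" \
        -m comment --comment "dbid=$1" -j MARK --set-mark "$4"
}

# delete_script ID: read iptables-save output on stdin and print an
# iptables-restore script that deletes every rule, in every table, tagged dbid=ID.
# The tag must be the whole comment ("dbid=34 x" is not dbid=34); iptables-save
# prints the value quoted or bare depending on version, so both forms are accepted.
delete_script() {
    awk -v want="dbid=$1" '
        /^\*/ { table = $0; next }                # "*filter", "*mangle", ...
        /^-A / {
            for (i = 1; i < NF; i++) {
                if ($i == "--comment" && ($(i + 1) == want || $(i + 1) == "\"" want "\"")) {
                    if (table != open) {          # open a section for this table
                        if (open != "") print "COMMIT"
                        print table; open = table
                    }
                    sub(/^-A /, "-D "); print     # same rule spec, delete instead of append
                    break
                }
            }
        }
        END { if (open != "") print "COMMIT" }'
}

# revoke_client ID: remove all rules tagged with ID; the old IP/MAC are not needed
revoke_client() {
    local script
    script=$("$IPTABLES_SAVE" | delete_script "$1")
    if [ -n "$script" ]; then
        # --noflush: apply only these -D lines, leave every other rule alone
        printf '%s\n' "$script" | "$IPTABLES_RESTORE" --noflush
    fi
}

# relogin ID IP MAC MARK: the same credentials used from a new address: drop the
# old rules and install fresh ones, the delete-and-recreate drg describes
relogin() {
    revoke_client "$1"
    grant_client "$1" "$2" "$3" "$4"
}

# Typical session (not run here):
#   grant_client  3426 192.168.0.40 00:11:22:33:44:55 26
#   relogin       3426 192.168.0.77 00:11:22:33:44:66 26   # same account, new machine
#   revoke_client 3426                                      # inactivity timer expired
```

Two caveats: --mac-source only sees the MAC of the last hop, so it is meaningful only for clients on a directly attached segment; and because the tag is the sole key, the database must guarantee it is unique, otherwise revoke_client removes every client sharing it.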
