Thursday, September 17, 2020

A Raspberry Pi firewall: Package filter - 04 New rules and more logs

 Great!!! Now we are ready to create more rules in our chains, but, what happens if we start to have many rules? How can we know what they do in an easier way? Well there are two different approaches to solve this.

One of them is trying to auto document it, this is put something in the rule that helps us to identify it, and a possible way is to create a new chain and make something in it.

Let's take our ssh rule. We have a rule in input and output to allow the connections to our Raspberry using ssh. When we list the rules running in our iptables is clear to see these are rules to ssh, because in the description we can see the word 'ssh'.

 

But if we need to open a not well-known port? In this case, we can create a new Chain with a descriptive name. for example

iptables -N MYSQL

inside this chain, we can create the following rule

iptables -A MYSQL -j ACCEPT

Now in the INPUT and OUTPUT chain, we write the following rules.

iptables -A INPUT -tcp -dport 3306 -j MYSQL

iptables -A OUTPUT -tcp -sport 3306 -j MYSQL

In this case, the new chain helps us in many ways:

  • We auto document our rule because at a first shot we know this rule is related wit mysql DMBS
  • We can create more rules only for mysql without including more complexity to the INPUT and OUTPUT chains.
  • Our chains's rules are more clear.

Now, if auto document is not enough and we need more information about our rule, we can use the module 'comment' in the following way:

iptables -A INPUT -p tcp -dport 22 -m comment --comment "This rule is to allow local ssh connections" -j SSH

Excellent, now it's possible to create a large number of rules, document it and organize.

 Now If we need to fix a situation and we don't have a clear with the rule is not working well. In this case, we can use our old target friend LOG, but if we create many rules with LOG How can identify each one in the logs?

Easy, at the end of the rule include this:

iptables -A INPUT -p tcp -dport 22 -j LOG --log-prefix "SSH" 

If the information in the logs is not enough to identify the problem it is possible to add at the end a different level of the log.

iptables -A INPUT -p tcp -dport 22 -j LOG --log-prefix "SSH" --log-level 7





 

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

A Raspberry Pi firewall: Package filter - 05 Understanding the whats and whys to manage a service

  To recap. Until now we create:  Some rules in our chains INPUT and OUTPUT to allow some traffic to specific ports A backup of our rules an...