iptables question, how fatal it is if it can not find IP Set?

postcd

Member
Credits
89
Hello,

i am on CentOS 6, 2.6.32 kernel.
and i installed "ipset" package.
Now i created new ip set and populated it with IPs, i activated blocking of all IPs inside this set by executing:
iptables -A INPUT -m set --match-set MyIPSetName src -j DROP

I want to ask what error i will face if ipset somehow got corruped or MyIPSetName will become unavailable (deleted)?

Any fatal failure in iptables that can cause bad connectivity problem? Thank You
 


Lazydog

Member
Credits
0
If IPSET is not running iptables will fail to start. If the information within ipset become corrupt I'm not sure what will happen as I have not come across this one yet.
 

postcd

Member
Credits
89
If IPSET is not running iptables will fail to start.
Thx, i mainly meant the case when mine created ipset database does not exist.

ipset create databasename iphash
..then add it to iptables..
iptables -L|grep databasename
Code:
DROP       all  --  anywhere             anywhere            match-set databasename src
ipset destroy databasename (without removing iptables rule mentioned above)
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Credits
15,678
Hi @postcd - I have barely scratched the surface of iptables (yet).

There is a thread going here https://www.linux.org/threads/secure-harden-centos-7.13715/ in which Administrator Rob has indicated using a CentOS 6 lab box and likewise CentOS 7 so he may have some knowledge in this area, likewise some of the other participants there.

I will watch this Topic with interest and try to learn something.

Good luck

Wizard
 

jake19

New Member
Credits
66
Hi @postcd - I have barely scratched the surface of iptables (yet).

There is a thread going here https://www.linux.org/threads/secure-harden-centos-7.13715/ in which Administrator Rob has indicated using a CentOS 6 lab box and likewise CentOS 7 so he may have some knowledge in this area, likewise some of the other participants there.

I will watch this Topic with interest and try to learn something.
Wizard, iptables can seem daunting, but it's not difficult. Rules are applied in top-down order, and the syntax is fairly easy to follow, once you get the hang of it. Some links to get you started:
https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/

However, if you're waiting for postcd to give you any guidance, you have a long wait. He's been using iptables for 4 years now, and every time they have ANY questions about a new rule/whatever, they post it. Using what they've been told/learned in the past doesn't appear to be a strong suit with them.
 

wizardfromoz

Super Moderator
Staff member
Gold Supporter
Credits
15,678
@jake19 - ta (Aussie for thank you, pron. tar) for those links, I will be sure to follow them up. :)

Wizard
 

Lazydog

Member
Credits
0
Thx, i mainly meant the case when mine created ipset database does not exist.

ipset create databasename iphash
..then add it to iptables..
iptables -L|grep databasename
Code:
DROP       all  --  anywhere             anywhere            match-set databasename src
ipset destroy databasename (without removing iptables rule mentioned above)
If databasename does not exist then iptables will fail to start. Anything referenced in iptables has to be available for iptables to start. Databasename doesn't have to have anything in it, it just ned to be available for iptables to check it and iptables will start without issues.
 

postcd

Member
Credits
89
If databasename does not exist then iptables will fail to start.
Thank you for valuable responses.
Additional question, stopped iptables will not prevent me to login the server via SSH right? It will "just" allow all traffic right? So forgotten ipset rule in iptables is not such a critical issue that would prevent connecting the server. But is serious enough to open server to all connections @reboot
 

Lazydog

Member
Credits
0
When you stop IPTABLES your system is wide open to everyone. So anything listening on a port will be reachable.
 

wami

New Member
Credits
0
I noticed that most people didn't talk about rules order which matters.
This article talks about iptables firewall and discusses rules order and everything about rules from adding, deleting, or updating.
Also, regarding the problem you face, you must not block the main ports like SSH or the gateway ports which give you access. otherwise, you will not be able to access your system and you will have to use KVM to restore access again.
Hope that helps.
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Staff online

Members online


Latest posts

Top