
iptables question, how fatal it is if it can not find IP Set?

Discussion in 'Linux Networking' started by postcd, Sep 29, 2017.

  1. postcd

    postcd New Member

    Joined:
    Jul 8, 2017
    Messages:
    10
    Likes Received:
    1
    Hello,

    I am on CentOS 6, 2.6.32 kernel, and I installed the "ipset" package.
    Now I created a new IP set and populated it with IPs. I activated blocking of all IPs inside this set by executing:
    iptables -A INPUT -m set --match-set MyIPSetName src -j DROP

    I want to ask what error I will face if ipset somehow gets corrupted or MyIPSetName becomes unavailable (deleted)?

    Any fatal failure in iptables that can cause a bad connectivity problem? Thank you
     
  2. Lazydog

    Lazydog Member

    Joined:
    Jul 27, 2017
    Messages:
    27
    Likes Received:
    27
    If IPSET is not running, iptables will fail to start. If the information within ipset becomes corrupt, I'm not sure what will happen, as I have not come across this one yet.
     
  3. postcd

    postcd New Member

    Joined:
    Jul 8, 2017
    Messages:
    10
    Likes Received:
    1
    Thx, I mainly meant the case when my created ipset database does not exist.

    ipset create databasename iphash
    ..then add it to iptables..
    iptables -L|grep databasename
    DROP       all  --  anywhere             anywhere            match-set databasename src
    ipset destroy databasename (without removing the iptables rule mentioned above)
     
  4. wizardfromoz

    wizardfromoz Well-Known Member

    Joined:
    Apr 30, 2017
    Messages:
    232
    Likes Received:
    261
    Hi @postcd - I have barely scratched the surface of iptables (yet).

    There is a thread going here https://www.linux.org/threads/secure-harden-centos-7.13715/ in which Administrator Rob has indicated using a CentOS 6 lab box and likewise CentOS 7 so he may have some knowledge in this area, likewise some of the other participants there.

    I will watch this Topic with interest and try to learn something.

    Good luck

    Wizard
     
  5. jake19

    jake19 New Member

    Joined:
    Jul 10, 2017
    Messages:
    1
    Likes Received:
    1
    Wizard, iptables can seem daunting, but it's not difficult. Rules are applied in top-down order, and the syntax is fairly easy to follow, once you get the hang of it. Some links to get you started:
    https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables
    https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/

    However, if you're waiting for postcd to give you any guidance, you have a long wait. He's been using iptables for 4 years now, and every time they have ANY questions about a new rule/whatever, they post it. Using what they've been told/learned in the past doesn't appear to be a strong suit with them.
     
    wizardfromoz likes this.
  6. wizardfromoz

    wizardfromoz Well-Known Member

    Joined:
    Apr 30, 2017
    Messages:
    232
    Likes Received:
    261
    @jake19 - ta (Aussie for thank you, pron. tar) for those links, I will be sure to follow them up. :)

    Wizard
     
  7. Lazydog

    Lazydog Member

    Joined:
    Jul 27, 2017
    Messages:
    27
    Likes Received:
    27
    If databasename does not exist, then iptables will fail to start. Anything referenced in iptables has to be available for iptables to start. Databasename doesn't have to have anything in it; it just needs to be available for iptables to check it, and iptables will start without issues.
     
    postcd likes this.
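An added example for the scenario in posts 3 and 7, not posted by anyone in this thread: a POSIX shell check that reads `iptables-save` output together with the list of existing sets (`ipset list -n`) and reports every `--match-set` reference whose set no longer exists. That dangling reference is the condition that makes the rule set fail to load at boot. The rules and set list below are constructed sample text so the script runs offline; on a live box you would pass `"$(iptables-save)"` and `"$(ipset list -n)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread). Finds iptables rules whose
# --match-set refers to an ipset that does not exist.
#
# Live use:  check_dangling_sets "$(iptables-save)" "$(ipset list -n)"

# Constructed sample of `iptables-save` output: two rules reference sets.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set MyIPSetName src -j DROP
-A INPUT -m set --match-set databasename src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of `ipset list -n` output: only one of the two
# referenced sets exists, as after `ipset destroy databasename`.
SAMPLE_SETS='MyIPSetName'

# check_dangling_sets RULES SETS
#   Prints each set name referenced by --match-set that is absent from
#   SETS, one per line. Exit status 0 if every referenced set exists,
#   1 if at least one is missing.
check_dangling_sets() {
    rules="$1"
    sets="$2"
    rc=0
    # Pull the name that follows --match-set on each rule line, de-duplicated.
    for name in $(printf '%s\n' "$rules" \
                  | sed -n 's/.*--match-set \([^ ]*\).*/\1/p' \
                  | sort -u); do
        # -x: whole-line match, -F: literal name, no regex interpretation.
        if ! printf '%s\n' "$sets" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample.
if missing=$(check_dangling_sets "$SAMPLE_RULES" "$SAMPLE_SETS"); then
    echo "all referenced ipsets exist; the rule set can be loaded"
else
    printf 'rules reference missing ipset(s): %s\n' "$missing" >&2
fi
```

Run this before `service iptables restart` or from a boot-time script: if it prints a name, either recreate that set (an empty set is enough for the rules to load, as post 7 notes) or remove the rule that references it, rather than discovering the failure after a reboot leaves the host without its firewall.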
  8. postcd

    postcd New Member

    Joined:
    Jul 8, 2017
    Messages:
    10
    Likes Received:
    1
    Thank you for valuable responses.
    Additional question: stopped iptables will not prevent me from logging in to the server via SSH, right? It will "just" allow all traffic, right? So a forgotten ipset rule in iptables is not such a critical issue that it would prevent connecting to the server, but it is serious enough to open the server to all connections @reboot.
     
  9. Lazydog

    Lazydog Member

    Joined:
    Jul 27, 2017
    Messages:
    27
    Likes Received:
    27
    When you stop IPTABLES your system is wide open to everyone. So anything listening on a port will be reachable.
     
