[clue-tech] iptables firewall and SSL

Shawn - Red Mop redmop924 at comcast.net
Tue May 19 20:42:05 MDT 2009


Another good resource is the fwbuilder program.  It displays your firewall rules like a Check Point firewall, and it can optionally generate a bash script to configure iptables, install, and run it.  It has a handy section to enable logging so you know where a packet is disappearing.  Of course, you can do that by hand as well.

On Tuesday 19 May 2009 07:04:32 pm David L. Anselmi wrote:
> Bruce Ediger wrote:
> > Can anyone point me to good web pages on iptables firewalling?
> 
> I've always used Rusty's guide:
> 
> http://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
> 
> It's really old but it covers what I've needed.
> 
> > More specifically, I'm curious about any bad interactions between SSL and
> > iptables.
> 
> There should be a way to log what your rules are doing that will show 
> you what's dropping SSL.
> 
> > The problem was that http://www.citicards.com does an HTTP 304 "permanently
> > moved" redirect to https://www.citicards.com/blah/blah/blah.do
> > 
> > The iptables rules I came up with just wouldn't let the SSL part of HTTPS
> > pass.  No error, no "network unreachable", just apparently a connect()
> > system call timeout.
> 
> Yes, that's what happens if your rule is drop.  Packets go out, they 
> never come back.  You can confirm that all you're getting is retransmits 
> (probably SYN to port 443) with wireshark.
> 
> So did you set up specific allow rules and then drop everything else? 
> The hardest part of iptables is keeping everything consistent enough 
> that you don't confuse yourself.
> 
> In terms of boolean expressions, if you have a set of accept rules 
> followed by a drop then you've got the logical or of all your rules to 
> get in:
> 
> a || b || c || d || e || false
> 
> If you have a set of drop rules followed by an accept then you have:
> 
> !a && !b && !c && !d && !e && true
> 
> which of course is just the negation of the first.  If you keep it 
> simple like that then you can probably make sense of it.  But of course 
> the state rules and such mean it's never quite that simple.  Still, if 
> you mix chains and try to cluster your tests you're in for some 
> debugging.  (Hmm, is there a simulator that can send all possible 
> traffic at your rules and show what goes where?  And perhaps one of the 
> rule builder tools can let you create rules at a higher level of 
> abstraction.)
> 
> If you get into rules for specific nets or hosts it's harder to get 
> right, but the above still holds--it has to be simple enough for you to 
> think about clearly.
> 
> So most likely if you post your rules someone can find the problem.  Or 
> post your required behavior and see who can make the most elegant rules 
> to implement it.
> 
> Dave
> _______________________________________________
> clue-tech mailing list
> clue-tech at cluedenver.org
> http://www.cluedenver.org/mailman/listinfo/clue-tech
> 
> 

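Following the debugging advice in this thread (a LOG rule so you can see where the packet disappears, and Dave's first-match reading of an accept-then-drop chain as "a || b || c || false"), here is an added example that is not from the thread, from fwbuilder, or from Rusty's HOWTO. It is a POSIX sh script that keeps a simplified rule table, walks a packet through it first-match style so you can watch the outbound HTTPS SYN die in a table that only lets port 80 out, and emits the same table as iptables commands with a rate-limited LOG rule ahead of the terminal DROP. The single-workstation layout, the DROP chain policies, the port list, the `-m conntrack` match and the log prefixes are assumptions; the commands are printed rather than executed, so review the output and then run it as root.

```shell
#!/bin/sh
# Added example for this thread; not code from fwbuilder or the HOWTO.
# Assumptions: one workstation, default DROP policy on INPUT/OUTPUT, and a
# kernel with the conntrack match. Nothing here touches the live firewall;
# the iptables commands are only printed.

IPT="${IPT:-iptables}"
POLICY=DROP   # assumed chain policy: the "|| false" at the end of the chain

# Simplified rule table, one rule per line: "chain proto dport ctstate target".
# Rules are checked top-down and the first match wins; "any" is a wildcard.
# This is the "only port 80 allowed out" mistake: the HTTP -> HTTPS redirect
# sends a SYN to tcp/443 that no rule accepts, so the policy eats it.
BROKEN='
OUTPUT any any ESTABLISHED,RELATED ACCEPT
OUTPUT udp 53  NEW                 ACCEPT
OUTPUT tcp 80  NEW                 ACCEPT
INPUT  any any ESTABLISHED,RELATED ACCEPT
'

# Same table plus the one missing rule.
FIXED="$BROKEN
OUTPUT tcp 443 NEW                 ACCEPT
"

# verdict TABLE CHAIN PROTO DPORT CTSTATE
# Prints the target of the first rule in CHAIN that matches, or the chain
# policy when the walk falls off the end. A comma list in the ctstate column
# matches any one of its members, as --ctstate ESTABLISHED,RELATED does.
verdict() {
    tbl=$1; chain=$2; proto=$3; dport=$4; pstate=$5
    hit=$(printf '%s\n' "$tbl" | while read -r rchain rproto rport rstate target; do
        [ -n "$rchain" ] || continue
        [ "$rchain" = "$chain" ] || continue
        [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
        [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
        if [ "$rstate" != any ]; then
            case ",$rstate," in *",$pstate,"*) ;; *) continue ;; esac
        fi
        printf '%s\n' "$target"
        break                      # first match wins
    done)
    printf '%s\n' "${hit:-$POLICY}"
}

# emit_rules TABLE
# Prints the iptables commands for the table and then, at the end of INPUT
# and OUTPUT, a rate-limited LOG rule followed by an explicit DROP, so a
# packet that reaches the policy leaves a kernel log line instead of
# vanishing silently (the connect() timeout Bruce described).
emit_rules() {
    tbl=$1
    echo "$IPT -F"
    for c in INPUT OUTPUT FORWARD; do echo "$IPT -P $c $POLICY"; done
    printf '%s\n' "$tbl" | while read -r c p port st tgt; do
        [ -n "$c" ] || continue
        cmd="$IPT -A $c"
        [ "$p" = any ] || cmd="$cmd -p $p"
        [ "$port" = any ] || cmd="$cmd --dport $port"
        [ "$st" = any ] || cmd="$cmd -m conntrack --ctstate $st"
        echo "$cmd -j $tgt"
    done
    for c in INPUT OUTPUT; do
        echo "$IPT -A $c -m limit --limit 5/min -j LOG --log-prefix \"ipt-$c-drop: \" --log-level 4"
        echo "$IPT -A $c -j DROP"
    done
}

# Stand-alone demo: the redirect's outbound SYN under both tables, the returning
# SYN/ACK (conntrack classes it ESTABLISHED), then the commands for the fixed table.
echo "BROKEN: OUTPUT tcp/443 NEW -> $(verdict "$BROKEN" OUTPUT tcp 443 NEW)"
echo "FIXED:  OUTPUT tcp/443 NEW -> $(verdict "$FIXED" OUTPUT tcp 443 NEW)"
echo "FIXED:  INPUT  reply ESTABLISHED -> $(verdict "$FIXED" INPUT tcp 51234 ESTABLISHED)"
echo "# commands for the fixed table (review, then run as root):"
emit_rules "$FIXED"
```

Two things worth checking once the LOG rules are in. The prefix tells you which chain dropped the packet, which a packet capture alone does not: if OUTPUT is dropping the SYN, nothing for port 443 ever appears on the wire, whereas SYN retransmits with no SYN/ACK in the capture point at INPUT (or at something upstream). And `-m conntrack --ctstate` is the current spelling of the `-m state --state` match from Rusty's HOWTO; either works, but the ESTABLISHED,RELATED rule has to come before the per-port NEW rules or the returning SYN/ACK is judged by rules that were written for the outbound direction.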
