Re: [fw-wiz] Dynamic execution of a script on arrival of a packet

From: Sigurd Urdahl (sigurdur@linpro.no)
Date: 10/31/02


To: firewall <firewall-wizards@honor.icsalabs.com>

Alex Ongena <Alex.Ongena@able.be> writes:

> Hi,
>
> I'm using Linux 2.4.19 and iptables.
> I'm looking to make a thing like:
> - by default, everything is denied in the firewall.
> - on arrival of a packet, a 'script' (e.g. perl) is
> called that evaluates some packet details (like
> source IP, protocol, port, date and time of
> arrival, etc.) and can decide to 'add an
> iptables rule on the fly' to accept this and
> future packets.

You probably want to look at the QUEUE target in iptables, described
as:

        QUEUE is a special target, which queues the packet for
        userspace processing.

Search for "Special Built-In targets" in [1].

> The advantage of this script could be that 'acceptance'
> criteria can be determined more flexibly
> (for example, checking a database with the relation
> IP <-> User at a certain moment in time).

Depending on what you are going to use this for, maybe it would be
better to have some kind of logon-enabling instead, either a
web form to fill in or maybe with PAM. You might want to take a look
at the Authentication Gateway HOWTO [2].

> PS: I'm new to this list, does there exist a searchable
> archive?

Follow the link below :)

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

regards,

-sig

[1] http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-7.html

[2] http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/index.html

-- 
Sigurd Urdahl                               sigurdur@linpro.no
Systemkonsulent | Systems consultant             www.linpro.no
LIN PRO can improve the health of people who consume the eggs,
meat and milk [..] (http://www.werneragra.com/linpro.html)
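As an added illustration of the userspace decision step that the QUEUE target hands to a script (not code from this thread or from netfilter), the block below parses the fields the original poster listed from a raw IPv4 packet, checks them against a constructed IP-to-user table with time windows and a permitted-service list, and builds (without executing) the iptables command that would admit the flow. The table, the service list, the sample packets and the helper names are all assumptions made up for the example; the real hook that delivers queued packets to userspace (the ip_queue/libnetfilter_queue mechanism) is left out, so the logic can be run and tested offline.

```python
"""Userspace packet-verdict logic of the kind a QUEUE-target handler would run.

Constructed example: the 'database', service list and packets are made up.
The actual delivery of queued packets from the kernel is not modelled here.
"""
import ipaddress
import struct
from datetime import datetime, time

# Constructed stand-in for the IP <-> user database: who may connect, and when.
ALLOWED_USERS = {
    "192.0.2.10": {"user": "alice", "window": (time(8, 0), time(18, 0))},
    "192.0.2.20": {"user": "bob",   "window": (time(0, 0), time(23, 59, 59))},
}

# (IP protocol number, destination port) pairs that may be opened on the fly.
ALLOWED_SERVICES = {(6, 22), (6, 443), (17, 53)}


def parse_packet(raw):
    """Extract src/dst address, protocol and TCP/UDP ports from an IPv4 packet.

    Returns None for anything that is not a well-formed IPv4 header, so the
    caller can fail closed instead of guessing.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(raw) < ihl:
        return None
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(raw) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def decide(pkt, now):
    """Return ('ACCEPT' | 'DROP', reason) for a parsed packet at time `now`.

    Default-deny: every check that fails drops the packet.
    """
    if pkt is None:
        return "DROP", "unparseable packet"
    entry = ALLOWED_USERS.get(pkt["src"])
    if entry is None:
        return "DROP", "unknown source address"
    start, end = entry["window"]
    if not start <= now.time() <= end:
        return "DROP", f"{entry['user']} outside allowed time window"
    if (pkt["proto"], pkt["dport"]) not in ALLOWED_SERVICES:
        return "DROP", "service not permitted"
    return "ACCEPT", f"{entry['user']} permitted"


def accept_rule(pkt):
    """Build (but do not run) the iptables rule that would admit this flow.

    Rules added this way should be scoped to one source, protocol and port,
    and removed again when the user's session ends.
    """
    proto_name = {6: "tcp", 17: "udp"}[pkt["proto"]]
    return ["iptables", "-I", "INPUT", "-s", pkt["src"], "-p", proto_name,
            "--dport", str(pkt["dport"]), "-j", "ACCEPT"]


def build_packet(src, dst, proto, sport, dport):
    """Constructed minimal IPv4 packet (checksum left zero) with a 4-byte L4 prefix."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    now = datetime(2002, 10, 31, 12, 0)
    for raw in (build_packet("192.0.2.10", "198.51.100.1", 6, 40000, 22),
                build_packet("192.0.2.10", "198.51.100.1", 6, 40001, 23),
                build_packet("203.0.113.5", "198.51.100.1", 17, 5353, 53)):
        pkt = parse_packet(raw)
        verdict, reason = decide(pkt, now)
        print(pkt["src"], pkt["proto"], pkt["dport"], verdict, reason)
        if verdict == "ACCEPT":
            print("  would run:", " ".join(accept_rule(pkt)))
```

The example fails closed on anything it cannot parse and only ever produces a rule narrowed to one source, protocol and port; a handler that inserts broad rules on the fly turns the "flexible acceptance criteria" of the original question into a way for one spoofed or borrowed address to open the firewall for everyone.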
