Gentoo Forums
iptables question (ipcop)
Forum: Networking & Security
mr98ai (n00b)
Joined: 12 Dec 2003
Posts: 44
Location: Ontario, Canada

Posted: Fri Jan 07, 2005 4:33 pm    Post subject: iptables question (ipcop)

Hi, I am very new to this linux firewall thing. At work, on every windows machine (there are only about 10 or so), we run tiny personal firewall (very good firewall I might add). It is an application type firewall, so each time an application tries to get out for the first time (e.g. firefox) then a rule must be created to allow that app to get out / in. However, allowing firefox to connect does not automatically allow say internet explorer to use port 80 and connect to the web. In other words, tiny personal firewall does not allow every app to access port 80 just because one application can. This is a nice feature because it prevents bad applications from leaving my computer.

My question is, how do I use iptables (I am actually using ipcop which uses iptables) to do the same thing? I want to allow just select applications to use port 80, for web access, and port 110 for email access. I installed the BlockOutTraffic mod which allows me to define which activity I allow out from my computer.

By default (please tell me if I am wrong), ipcop blocks all incoming activity, unless it first originated from my firewall. I have no problems with this. However, it also allows all outgoing activity, which is a problem, hence the need for the BlockOutTraffic mod.

Thanks in advance
scarr (Tux's lil' helper)
Joined: 24 Jun 2002
Posts: 88
Location: Lebanon, TN

Posted: Fri Jan 07, 2005 6:56 pm

I am not aware of a program that does what you are asking.

IPTables is done at the kernel level; there is nothing tying a port to a specific process on your computer. So the kernel doesn't know that Firefox is trying to use port 80, it just knows that A process is trying to use port 80.

One of the reasons this was needed in Windows was because so many different ways exist for a system to be compromised and have a zombie process started. I don't think you will have as much of a problem with this on Linux.

To get this functionality, someone would probably have to rewrite some of the Socket code to include the requesting process in the IP stream. This of course is from what I can tell, anyway.
_________________
Scott Carr * OpenOffice.org * Documentation Maintainer
http://documentation.openoffice.org
jabber: scarr@progbits.com
djnauk (Apprentice)
Joined: 11 Feb 2003
Posts: 183
Location: Caerphilly, Wales, UK

Posted: Sat Jan 08, 2005 1:22 am    Post subject: Re: iptables question (ipcop)

mr98ai wrote:
My question is, how do I use iptables (I am actually using ipcop which uses iptables) to do the same thing? I want to allow just select applications to use port 80, for web access, and port 110 for email access. I installed the BlockOutTraffic mod which allows me to define which activity I allow out from my computer.


I haven't checked for a long time, but there used to be a module which would allow you to block or allow traffic based on the process that created it. However, you would need to run the patch-o-matic and update the kernel, selecting the right patch to run first, and then you would only be able to use it for processes on the machine that the firewall was running on. For remote machines sending their traffic through, it's useless.

mr98ai wrote:
By default, (please tell me if I am wrong) ipcop blocks all incoming activity , unless it first originated from my firewall. I have no problems with this. However, it also allows all outgoing activity, which is a problem, hence the need for the BlockOutTraffic mod.

Thanks in advance


I also remember a module which would be able to check the type of traffic that was being sent. It was called something like sub7 or 7layer (I think there is a seven in the name :). It used regular expressions and pattern checking against the data in the packet to check against the type of data, like DNS or HTTP. You could use that to some degree, but that doesn't protect against a virus sending out e-mails on port 25 or a trojan announcing itself over the normal HTTP port 80.

I think what you are trying to do is very near impossible using stateful firewalls via a router.

Your best option is probably to stick with the personal firewall on each PC (at least that way, if one PC on the network does get infected in some way, like a drive-by download, then the others are at less of a risk), and look into shutting down the outgoing connections to only those that are required and any that are related.
_________________
Jonathan Wright (Technical Director, JAB Web Solutions)

UK Hosting & Reseller Hosting from JAB Web Solutions
Ox- (Guru)
Joined: 19 Jun 2003
Posts: 305

Posted: Sat Jan 08, 2005 9:22 am

I'm iptables illiterate, so I use firehol for a front-end.

It has an option to specify command source, for example like this:
Code:

interface "eth0+" internet
    client "http" allow command "/usr/bin/firefox"

I ran firehol in "explain" mode, and it told me the iptables rules it would generate for the above script would be:
Code:

# Command  : interface "eth0" internet

# Creating chain 'in_internet' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_internet
/sbin/iptables -t filter -A INPUT -i eth0+ -j in_internet

# Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_internet
/sbin/iptables -t filter -A OUTPUT -o eth0+ -j out_internet

# Command  : client "http" allow command "firefox"

# Preparing for service 'http' of type 'client' under interface 'internet'

# Creating chain 'in_internet_http_c2' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_http_c2
/sbin/iptables -t filter -A in_internet -j in_internet_http_c2

# Creating chain 'out_internet_http_c2' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_http_c2
/sbin/iptables -t filter -A out_internet -j out_internet_http_c2

# Running simple rules for  client 'http'
/sbin/iptables -t filter -A out_internet_http_c2 -p tcp --sport 32768:61000 --dport 80 -m owner --cmd-owner /usr/bin/firefox -m state --state NEW\,ESTABLISHED -j allow

/sbin/iptables -t filter -A in_internet_http_c2 -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j allow

I have no clue if the --cmd-owner option works or not, or how to enable it if it's in some optional module.

(djnauk: I think it was l7filter, and yeah, I think its purpose is just to make sure only http commands are used on port 80, etc.)


Last edited by Ox- on Sat Jan 08, 2005 11:44 am; edited 1 time in total
djnauk (Apprentice)
Joined: 11 Feb 2003
Posts: 183
Location: Caerphilly, Wales, UK

Posted: Sat Jan 08, 2005 11:21 am

Quote:
Code:
/sbin/iptables -t filter -A out_internet_http_c2 -p tcp --sport 32768:61000 --dport 80 -m owner --cmd-owner /usr/bin/firefox -m state --state NEW\,ESTABLISHED -j allow
/sbin/iptables -t filter -A in_internet_http_c2 -p tcp --sport 80 --dport 32768:61000 -m state --state ESTABLISHED -j allow

I have no clue if the --cmd-owner option works or not, or how to enable it if it's in some optional module.

(djnauk: I think it was l7filter, and yeah, I think its purpose is just to make sure only http commands are used on port 80, etc.)


That's interesting. Didn't realise that they integrated it into iptables! :) I might look into that and set up some improved rules in my firewall. But, at the end of the day, they still only work on the local machine, not across the network! :)

Thanks for the name as well! :) It's been so long since I tinkered with iptables! :) I'm a little bit rusty!
_________________
Jonathan Wright (Technical Director, JAB Web Solutions)

UK Hosting & Reseller Hosting from JAB Web Solutions
Ox- (Guru)
Joined: 19 Jun 2003
Posts: 305

Posted: Sat Jan 08, 2005 11:42 am

I just went to netfilter.org to check on this feature. It looks like it's in the patch-o-matic "extra repository" under the name "ownercmd". Status is "untested", so who knows :)
mr98ai (n00b)
Joined: 12 Dec 2003
Posts: 44
Location: Ontario, Canada

Posted: Sat Jan 08, 2005 2:51 pm

Thanks for your replies.

Here is the problem though. In my work network, there are 2 computers running gentoo, about 10 running windows, and there is one firewall running ipcop. I am not worried about the linux machines running trojan horses, but I am worried about the windows machines. We just finished cleaning up a nasty virus which downloaded all kinds of files into the main directory, and every possible subdirectory, and these files would be named as porn.jpg.exe or something like that. There were about 80 different names it could be named as. Deleting the files only made room for the next batch, unless the spawning process was found and deleted.

I could do as djnauk suggested, and keep the tpf on the windows machines, but this makes administration a nightmare as more and more machines are added to the network, not to mention the increased cost.

Please bear with me here, I would just like to make this clear in my mind: if an application on box A sends a tcp/ip packet through the firewall, is there no way for the firewall to tell (by examining the packet) which application the packet originated from? Or is this kind of packet filtering only possible on the machine that it originated from? If so, is this a "limitation" of the linux kernel, would it be possible for a different OS, or is this simply the nature of a tcp/ip packet, that the application that sent the packet is in no way connected to the packet data (other than via the ip address / port number of course)?
Ox- (Guru)
Joined: 19 Jun 2003
Posts: 305

Posted: Sun Jan 09, 2005 12:57 am

Oh yeah, this ownercmd thing for iptables only works locally.

The limitation is in tcp/ip and it's not really a limitation. The packets only contain source and destination addresses and ports (speaking from a very high level hand waving standpoint). The ownercmd filter can work its magic by looking in the local linux kernel memory to see which process owns the port address in the packet.

iptables can do this because it's linux specific (but even then can only do it locally because of the inherent problems with looking directly into kernel memory on a remote machine).

tcp/ip cannot embed command names because a) tcp is portable across many operating systems including some that have very different ideas about processes, b) it would add a huge overhead to packets, and c) it could be easily spoofed anyway.
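To make Ox-'s two points concrete (the packet carries only addresses and ports; the owner match works by consulting the local kernel's socket table), here is an added example that is not from the thread, from ipcop or from firehol. It parses a constructed IPv4/TCP packet exactly as a router firewall would see it, then looks the source port up in a constructed /proc/net/tcp excerpt, a lookup only the sending host's own kernel can make; the /proc/net/tcp format and the iptables owner match's --uid-owner option are real, the packet and table contents are made up.

```python
import struct
from typing import Optional

# Constructed IPv4/TCP SYN (not a real capture): 192.168.1.10:40001 -> 93.184.216.34:80
IP_HDR = bytes.fromhex("450000280000400040060000") + bytes([192, 168, 1, 10]) + bytes([93, 184, 216, 34])
TCP_HDR = struct.pack("!HHIIBBHHH", 40001, 80, 0x1000, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_PACKET = IP_HDR + TCP_HDR

# Constructed /proc/net/tcp excerpt for the *sending* host (hex IPs are little-endian, ports big-endian)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999 1 0 100 0 0 10 0
   1: 0A01A8C0:9C41 22D8B85D:0050 02 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0 100 0 0 10 0
"""


def parse_packet(pkt: bytes) -> dict:
    """Everything a router-based firewall (like ipcop) can see about who sent this packet."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    syn = bool(pkt[ihl + 13] & 0x02)                # TCP flags byte, SYN bit
    # Note what is absent: no pid, uid or command name travels in the packet.
    return {"proto": pkt[9], "src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}


def owner_of_local_port(proc_net_tcp: str, port: int) -> Optional[dict]:
    """What only the local kernel knows: the uid and socket inode owning a local TCP port.
    This is the kind of lookup the iptables owner match performs (today via --uid-owner);
    the inode is what `ss -p` / `netstat -p` resolve to a pid through /proc/<pid>/fd."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        ip_le = int(ip_hex, 16)                      # stored little-endian, so lowest byte first
        local_ip = ".".join(str((ip_le >> shift) & 0xFF) for shift in (0, 8, 16, 24))
        return {"local_ip": local_ip, "uid": int(fields[7]), "inode": int(fields[9])}
    return None


if __name__ == "__main__":
    seen = parse_packet(SAMPLE_PACKET)
    print("router sees:", seen)
    # Only the host that sent the packet can make this second lookup.
    print("sending host knows:", owner_of_local_port(SAMPLE_PROC_NET_TCP, seen["sport"]))
```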
All times are GMT