Use iptable chains specific to OSSEC for firewall-drop.sh #678

Open
treydock opened this issue Oct 7, 2015 · 1 comment
treydock commented Oct 7, 2015

Currently my systems use Puppet to manage all firewall rules. The behavior of the Puppetlabs Firewall module allows for unmanaged rules to be "purged". This is problematic on hosts that also run OSSEC with firewall-drop.sh enabled. For the time being I've had to only rely on the host-deny active response which only covers a small number of services.

A feature I'd like to see is the firewall-drop.sh using iptables chains specific to OSSEC, and that the chain for OSSEC be where firewall-drop.sh adds the blocked IP addresses. This is likely non-trivial to implement as it would require something to either check for the existence of the chains at service start, or to ensure they exist every time firewall-drop.sh is executed.

Basic idea I implemented ad-hoc to validate it could work:

iptables -N OSSEC
iptables -I INPUT -j OSSEC
iptables -I FORWARD -j OSSEC

Then the change to firewall-drop.sh:

--- firewall-drop.sh.orig   2015-10-07 10:37:44.811179258 -0500
+++ firewall-drop.sh    2015-10-07 10:38:58.361207652 -0500
@@ -23,12 +23,14 @@
 LSFILT="/usr/sbin/lsfilt"
 MKFILT="/usr/sbin/mkfilt"
 RMFILT="/usr/sbin/rmfilt"
+ARG=""
 ARG1=""
 ARG2=""
 RULEID=""
 ACTION=$1
 USER=$2
 IP=$3
+CHAIN="OSSEC"
 PWD=`pwd`
 LOCK="${PWD}/fw-drop"
 LOCK_PID="${PWD}/fw-drop/pid"
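Review bot: CHAIN="OSSEC" is a fixed name and nothing in the script verifies that the chain exists, so the `-I ${CHAIN}` / `-D ${CHAIN}` calls in the later hunks fail with "No chain/target/match by that name" whenever the ad-hoc `iptables -N OSSEC` step has not been run (fresh boot, or after a Puppet purge of unmanaged chains). Consider creating the chain and its INPUT/FORWARD jumps here when they are missing, or at least make the name configurable. Also, ARG1 and ARG2 remain declared although the Linux branch below no longer sets or uses them; either drop them or keep them only for the non-Linux branches.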
@@ -141,11 +143,9 @@
 # We should run on linux
 if [ "X${UNAME}" = "XLinux" ]; then
    if [ "x${ACTION}" = "xadd" ]; then
-      ARG1="-I INPUT -s ${IP} -j DROP"
-      ARG2="-I FORWARD -s ${IP} -j DROP"
+      ARG="-I ${CHAIN} -s ${IP} -j DROP"
    else
-      ARG1="-D INPUT -s ${IP} -j DROP"
-      ARG2="-D FORWARD -s ${IP} -j DROP"
+      ARG="-D ${CHAIN} -s ${IP} -j DROP"
    fi

    # Checking if iptables is present
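Review bot: after this change coverage of both INPUT and FORWARD depends entirely on the two `-j ${CHAIN}` jump rules existing, whereas the old ARG1/ARG2 form wrote an explicit DROP into each built-in chain. If the `-I FORWARD -j OSSEC` hook is absent, blocked addresses are silently no longer dropped in FORWARD. Suggest guarding the add path with `${IPTABLES} -C INPUT -j ${CHAIN}` and `${IPTABLES} -C FORWARD -j ${CHAIN}` (inserting the jump when the check fails) before ARG is set.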
@@ -161,7 +161,7 @@
    COUNT=0;
    lock;
    while [ 1 ]; do
-        ${IPTABLES} ${ARG1}
+        ${IPTABLES} ${ARG}
         RES=$?
         if [ $RES = 0 ]; then
             break;
@@ -175,23 +175,6 @@
             fi
         fi
    done
-
-   COUNT=0;
-   while [ 1 ]; do
-        ${IPTABLES} ${ARG2}
-        RES=$?
-        if [ $RES = 0 ]; then
-            break;
-        else
-            COUNT=`expr $COUNT + 1`;
-            echo "`date` Unable to run (iptables returning != $RES): $COUNT - $0 $1 $2 $3 $4 $5" >> ${LOG_FILE}
-            sleep $COUNT;
-
-            if [ $COUNT -gt 4 ]; then
-                break;
-            fi
-        fi
-   done
    unlock;

    exit 0;
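Review bot: removing the second retry loop is consistent with collapsing ARG1/ARG2 into ARG, but ARG2 (whose only consumer was this loop) is still declared in the first hunk and should go with it. Note also that the remaining loop keeps the same retry/backoff pattern as the deleted one (COUNT incremented, `sleep $COUNT`, break when COUNT > 4), so a missing OSSEC chain now produces five logged iptables failures and about 15 seconds of sleeping per active-response call instead of a fast failure; a cheap up-front `${IPTABLES} -n -L ${CHAIN}` check would make that condition explicit in the log.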
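The approach sketched in the issue description (a dedicated chain that is created or verified on every run rather than assumed to exist), as an added example that is not part of the issue, of the patch, or of OSSEC's own firewall-drop.sh; the `ensure_chain` and `fw_drop` names and the IPTABLES/CHAIN defaults are assumptions:

```shell
#!/bin/sh
# Added example (not OSSEC's firewall-drop.sh): make the dedicated chain and its
# INPUT/FORWARD hooks exist on every run, then add or remove one DROP rule in it.
# IPTABLES and CHAIN are assumptions and can be overridden from the environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-OSSEC}"

# Create the chain if it is missing and hook it from INPUT and FORWARD if those
# jumps are absent. "iptables -C" (check rule) needs iptables 1.4.11 or newer.
ensure_chain() {
    "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1 || "$IPTABLES" -N "$CHAIN" || return 1
    for parent in INPUT FORWARD; do
        "$IPTABLES" -C "$parent" -j "$CHAIN" >/dev/null 2>&1 \
            || "$IPTABLES" -I "$parent" -j "$CHAIN" || return 1
    done
}

# fw_drop add|delete IP : idempotent insert/removal of "-s IP -j DROP" in $CHAIN.
# A rule that is already present is not inserted twice, and deleting an absent
# rule succeeds as a no-op instead of failing the way a bare "iptables -D" does.
# The active-response wrapper would call it as: fw_drop "$ACTION" "$IP"
fw_drop() {
    action=$1
    ip=$2
    ensure_chain || return 1
    case "$action" in
        add)
            "$IPTABLES" -C "$CHAIN" -s "$ip" -j DROP >/dev/null 2>&1 && return 0
            "$IPTABLES" -I "$CHAIN" -s "$ip" -j DROP
            ;;
        delete)
            "$IPTABLES" -C "$CHAIN" -s "$ip" -j DROP >/dev/null 2>&1 || return 0
            "$IPTABLES" -D "$CHAIN" -s "$ip" -j DROP
            ;;
        *)
            echo "usage: $0 add|delete IP" >&2
            return 2
            ;;
    esac
}
```

Because the chain and its jumps are re-checked on every call, a Puppet purge that removes them is repaired on the next block instead of producing a run of logged iptables failures.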
@Eig8phei

This is very interesting to me too. I'm using barebone iptables with a custom script but it would help to have things "organized" inside a chain.
