variables in iptables?

cdhgold
administrator
Posts: 382
Joined: Tue Mar 18, 2003 6:11 pm
Location: Texas

variables in iptables?

Post by cdhgold » Wed Mar 21, 2012 6:19 am

Can you use variables inside iptables?

example:

Code:

WEB_HEAD="10.178.198.133 10.178.198.136 10.178.198.138"
-A INPUT -i eth1 -m state --state NEW -m tcp -s WEB_HEAD -p tcp --dport 2049 -j ACCEPT

I have multiple rules that I want to use to accept traffic only from certain IPs and I know I can use

Code:

-A INPUT -i eth1 -m state --state NEW -m tcp -s 10.178.198.133/32,10.178.198.136/32,10.178.198.138/32 -p tcp --dport 2049 -j ACCEPT

and it will expand to 3 separate rules, but that to me is messy and ugly + if I ever need to update the IPs I would have to do it on every rule. I want to be able to declare WEB_HEAD at the start of iptables and re-use it throughout.

Basher52
guru
Posts: 923
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Re: variables in iptables?

Post by Basher52 » Wed Mar 21, 2012 2:04 pm

Yes you can :) and that's cos iptables is cool. It sure makes the rules easier to read.
I have a few and here's an example (taken from: http://www.tweako.com/iptables_explaine ... _own_rules)

Code:

#!/bin/sh
# variables first!

ipt="/sbin/iptables"
std_ports="22,80,443"
lan="10.0.0.0/24,192.168.0.0/24"
any="0.0.0.0/0"

# flush all rules, zero the counters, delete user-defined chains
$ipt -F
$ipt -Z
$ipt -X

# default policies (-P takes the target directly, there is no -j here)
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP

# custom chain that holds the connection-state logic
$ipt -N states

$ipt -A states -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN ranges to anything except 192.168.0.250
$ipt -A states -m state --state NEW -s $lan ! -d 192.168.0.250/32 -j ACCEPT
$ipt -A states -j DROP
# (excerpt ends here; a jump such as "$ipt -A INPUT -j states" is needed before the chain sees traffic)

Re: variables in iptables?

Post by cdhgold » Wed Mar 21, 2012 3:12 pm

thanks!!! I'll share mine as a further example once I get them implemented with this!!

Re: variables in iptables?

Post by cdhgold » Wed Mar 21, 2012 7:37 pm

This is wrapping iptables in a script; I wanted to use the variables inside iptables itself.

Re: variables in iptables?

Post by Basher52 » Thu Mar 22, 2012 11:07 am

Well that, hehe, I don't even know what that is :P
I've learned to use this since I started with RedHat 9 and have used it since.
This makes it easy to transport it to other machines too :P

But do please tell me what "inside" means.

Re: variables in iptables?

Post by cdhgold » Thu Mar 22, 2012 4:01 pm

I want to declare it and use the variable inside the /etc/sysconfig/iptables file itself.

Re: variables in iptables?

Post by Basher52 » Thu Mar 22, 2012 4:16 pm

What OS are you using?
I just checked my Fedora 14 system and I have no file called that in /etc/sysconfig/
Haven't checked F15 or F16 though.

Re: variables in iptables?

Post by cdhgold » Thu Mar 22, 2012 4:28 pm

CentOS 6

Re: variables in iptables?

Post by Basher52 » Fri Mar 23, 2012 12:16 pm

Well, that should look a lot like Fedora/RedHat.
Is that iptables file a binary, a script, or what?

Re: variables in iptables?

Post by cdhgold » Sat Mar 24, 2012 6:30 am

The file is a config file used by the service:

Code:

# ll /etc/sysconfig/ip*
-rw-------. 1 root root  678 Mar 11 07:35 /etc/sysconfig/ip6tables
-rw-------  1 root root 1753 Feb 24 23:26 /etc/sysconfig/ip6tables-config
-rw-------. 1 root root  613 Feb 28 02:01 /etc/sysconfig/ip6tables.old
-rw-------  1 root root  727 Mar 21 00:00 /etc/sysconfig/iptables
-rw-------  1 root root 1740 Feb 24 23:26 /etc/sysconfig/iptables-config
-rw-------. 1 root root  608 Feb 28 02:01 /etc/sysconfig/iptables.old

Re: variables in iptables?

Post by Basher52 » Sat Mar 24, 2012 2:11 pm

Oh... I only got the config files for that, no files just named iptables/ip6tables,
and these just have a few lines in them.

Re: variables in iptables?

Post by cdhgold » Sun Mar 25, 2012 6:22 am

UPDATE: what I was originally thinking can't be done - however, I can use a custom iptables chain to achieve the same result - now I just need to take time to figure out the syntax.

Re: variables in iptables?

Post by cdhgold » Wed Mar 28, 2012 6:35 am

This is my end solution:

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# the custom chain has to be declared here, or iptables-restore rejects the -A WEBHEADS lines
:WEBHEADS - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# WEBHEADS holds the per-port rules once; the jumps below stand in for the WEB_HEAD "variable"
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 10.178.198.133 -j WEBHEADS
-A INPUT -s 10.178.198.136 -j WEBHEADS
-A INPUT -s 10.178.198.138 -j WEBHEADS
-A INPUT -i eth0 -j DROP
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
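The two approaches in this thread, shell variables in a wrapper script (Basher52's first reply) and a custom chain standing in for the address list (the final /etc/sysconfig/iptables above), combine naturally: the following is an added example, not code from the thread, that generates the iptables-restore file from one variable so the addresses are declared exactly once and validated before anything is written. The variable names WEB_HEADS, WEB_PORTS and MGMT_IF, the functions valid_ip and gen_rules, and the DROP default policies are my assumptions; the addresses, ports and the WEBHEADS chain are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: emit a /etc/sysconfig/iptables
# (iptables-restore format) from one variable holding the allowed
# source addresses, so changing the list means editing one line.

# Hypothetical names; addresses and ports are the thread's values.
WEB_HEADS="10.178.198.133 10.178.198.136 10.178.198.138"
WEB_PORTS="3306 8081 2049"
MGMT_IF="eth1"

# Accept only dotted-quad IPv4, optionally with /prefix, so a typo in
# WEB_HEADS aborts generation instead of producing a file that
# iptables-restore rejects halfway through loading.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the complete ruleset to stdout; returns 1 on a bad address.
gen_rules() {
    heads="$1"; ports="$2"; iface="$3"
    for ip in $heads; do
        valid_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # deny by default instead of a trailing -j DROP
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':WEBHEADS - [0:0]'        # a custom chain must be declared before -A uses it
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT'
    # The chain plays the role of the WEB_HEAD "variable": one jump per
    # address, and the per-port rules are written once, inside the chain.
    for ip in $heads; do
        echo "-A INPUT -i $iface -s $ip -j WEBHEADS"
    done
    for p in $ports; do
        echo "-A WEBHEADS -m state --state NEW -p tcp --dport $p -j ACCEPT"
    done
    echo '-A WEBHEADS -j RETURN'    # anything else falls back to INPUT's DROP policy
    echo 'COMMIT'
}

# Usage: gen_rules "$WEB_HEADS" "$WEB_PORTS" "$MGMT_IF" > /etc/sysconfig/iptables
# then: service iptables restart   (or iptables-restore < /etc/sysconfig/iptables)
```

Regenerating the file after editing WEB_HEADS replaces every jump rule at once, which is the single point of maintenance the original question asked for.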