GIDForums > Computer Programming Forums > C Programming Language

#1  03-Apr-2004, 17:57  rogermark100

IP tables


I am trying to manipulate the iptables through C.

I have not got a clue how to do this as such and would like some help with this if you can.

Sorry if it is a little vague.

Thanks

#2  03-Apr-2004, 19:37  dsmith

It is a lot vague for me. Can you explain what you are talking about? Are you talking about routing tables? Or the Linux iptables (firewall)? Or the IP settings?

Sorry, I just don't have any idea what you mean...

#3  16-Apr-2004, 15:48  rogermark100

apologies


Sorry for the time taken in replying.

It is modifying the iptables (for the firewalls in Linux).

Thank you

#4  17-Apr-2004, 07:08  dsmith

Hi Roger.

Okay, now I know what you are talking about. What exactly is it that you want to do with the IPTables? Are you trying to programmatically change the source implementation?
Or are you trying to create a program that helps with the creation of a rule set?

If it is the former, then I can't give you much help.

If it is the latter, this isn't a terrible idea. What you should do though is have your program read/create a txt file (.rc) that contains the ruleset as a bash script. This wouldn't be too difficult to do.

Anyway, your problem is still sort of vague, so if you could narrow it down a bit, we will see what we can do to help.

Cheers,
d

#5  17-Apr-2004, 14:54  rogermark100

It is the creation of a ruleset.

Any help appreciated.

Thanks

#6  18-Apr-2004, 01:53  WaltP

I find it interesting that in 26 words in 3 posts you feel you've given enough information to receive help. And in both responses dsmith has mentioned you are being vague.

You need to learn to explain what you wish to accomplish, what you understand, what you need help with, in other words explain what you need -- in detail! I'm sure dsmith will quit playing 20 questions around question 4 because he's wasted his time so far.

Read a few help requests on this board to get an idea how to ask your question.

#7  18-Apr-2004, 07:22  dsmith

Walt makes a pretty good point. I am not sure exactly what you are having trouble with and quite frankly if it has to do with C or not.

I was going to post a link to a howto document for iptables, but I couldn't find one. So instead I am posting a bash script that sets up a firewall. This is NOT my work, I have only modified it to make it work for me.
Code:
#!/bin/sh
#
# rc.firewall-2.4-stronger

echo -e "\nLoading custom rc.firewall...\n"

# Variable Definitions
IPTABLES=/usr/local/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/usr/bin/sed
IFCONFIG=/sbin/ifconfig

EXTIF="eth0"
INTIF="eth1"
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \
$SED -e 's/.*://'`"
INTNET="192.168.192.0/24"
INTIP="192.168.192.249/24"
UNIVERSE="0.0.0.0/0"

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en " Loading kernel modules: "
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
    $INSMOD ip_tables
fi
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
    $INSMOD ip_conntrack
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
    $INSMOD ip_conntrack_ftp
fi
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
    $INSMOD ip_conntrack_irc
fi

#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
    $INSMOD iptable_nat
fi
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
    $INSMOD ip_nat_ftp
fi

echo " ---"

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi

$IPTABLES -X
$IPTABLES -Z

$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet,
# enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow ssh & ftp (not telnet though)
$IPTABLES -A INPUT -p TCP -s $UNIVERSE --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s $UNIVERSE --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s $UNIVERSE --dport 113 -j ACCEPT

# Allow port 25 (smtp)
$IPTABLES -A INPUT -p TCP -s $UNIVERSE --dport 25 -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#
# ----- End OPTIONAL Section -----

# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# ----- Begin OPTIONAL Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT

#
# ----- End OPTIONAL Section -----

# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

#echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

Let me know if this is what you are after and if so, I will get this thread moved to the Linux section of the forums. It really has nothing to do with C.

Also, use the man or info pages as well to try to figure out the use of iptables in the above script.

Let me know if this is what you are looking to do.

Cheers,
d
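
The approach suggested in post #4, a C program that writes the ruleset out as a shell script, shown as an added example that is not code from the thread or from the posted script. The `struct rule` layout, the function names and the iptables path are assumptions; every field is checked against an allow-list because the generated file is run as root, and nothing is written unless all rules pass.

```c
#include <stdio.h>
#include <string.h>

struct rule { const char *proto, *src, *target; int dport; };  /* hypothetical */
/* Fixed preamble in the style of the posted script (iptables path assumed). */
static const char PREAMBLE[] =
    "#!/bin/sh\nIPTABLES=/usr/local/sbin/iptables\n"
    "$IPTABLES -P INPUT DROP\n$IPTABLES -F\n$IPTABLES -X\n"
    "$IPTABLES -N drop-and-log-it\n"
    "$IPTABLES -A drop-and-log-it -j LOG --log-level info\n"
    "$IPTABLES -A drop-and-log-it -j DROP\n$IPTABLES -A INPUT -i lo -j ACCEPT\n"
    "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n";
/* Allow-list check: s must equal one entry of the NULL-terminated set. */
static int listed(const char *s, const char *const *set) {
    for (; s && *set; set++)
        if (strcmp(s, *set) == 0) return 1;
    return 0;
}
/* Strict a.b.c.d/len: digits, dots and one slash, nothing trailing. */
static int valid_cidr(const char *s) {
    unsigned a, b, c, d, len; int end = 0;
    return s && strspn(s, "0123456789./") == strlen(s)
        && sscanf(s, "%3u.%3u.%3u.%3u/%2u%n", &a, &b, &c, &d, &len, &end) == 5
        && s[end] == '\0' && a < 256 && b < 256 && c < 256 && d < 256 && len <= 32;
}
/* One rule line into out; -1 if a field fails validation or out is too small. */
int format_rule(const struct rule *r, char *out, size_t n) {
    static const char *const protos[] = { "tcp", "udp", NULL };
    static const char *const targets[] = { "ACCEPT", "DROP", "drop-and-log-it", NULL };
    if (!listed(r->proto, protos) || !listed(r->target, targets) ||
        !valid_cidr(r->src) || r->dport < 1 || r->dport > 65535)
        return -1;
    int len = snprintf(out, n, "$IPTABLES -A INPUT -p %s -s %s --dport %d -j %s\n",
                       r->proto, r->src, r->dport, r->target);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}
/* Validate every rule before writing a byte; returns rules written or -1. */
int write_ruleset(FILE *fp, const struct rule *rules, size_t count) {
    char line[128];
    for (size_t i = 0; i < count; i++)
        if (format_rule(&rules[i], line, sizeof line) < 0) return -1;
    fputs(PREAMBLE, fp);
    for (size_t i = 0; i < count; i++)
        if (format_rule(&rules[i], line, sizeof line) > 0) fputs(line, fp);
    return (int)count;
}
int main(void) {   /* constructed sample rules, written to stdout */
    struct rule rules[] = { { "tcp", "0.0.0.0/0", "ACCEPT", 22 },
                            { "tcp", "192.168.192.0/24", "drop-and-log-it", 23 } };
    return write_ruleset(stdout, rules, 2) == 2 ? 0 : 1;
}
```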
 
 
