IPTABLES and M4

I manage high traffic web servers that are constantly under attack. To manage the security of these web servers, I need to routinely update my iptables rules, and by routinely, I mean every morning when I roll into the office.

When I searched for a solution that allowed me to dynamically define my rules with a merge option, nothing came to the forefront. There are some miscellaneous posts about using Perl and cat, but nothing really useful.

Then I remembered M4. If you don't know about M4, then you should man it.

Here's what you do.

iptables.m4:

---- start ----
# Firewall configuration written by
# system-config-securitylevel
# Manual customization of this file is not
# recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
include(/root/iptables/iptables_special)
include(/root/iptables/iptables_reject)
include(/root/iptables/iptables_accept)
#
# The final rule that rejects everything
# that does not match
# the other explicit rules
#
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
----- end -----

This is the driver for the m4 process. When you want to create the iptables file, you just run:

m4 iptables.m4 > iptables

Here is a nifty script that does it all:

---- start ----
#!/bin/sh
# Stop on the first failing command so a bad m4 run never reaches /etc/sysconfig.
set -e
rm -f iptables
# Keep a dated copy of the live rules before replacing them.
cp -f /etc/sysconfig/iptables "iptables_back_$(date +%Y%m%d)"
m4 iptables.m4 > iptables
cp -f iptables /etc/sysconfig/
/etc/rc.d/init.d/iptables restart
---- end ----

This script will create a backup file for you so you don't clobber your current config with a bad m4 parse.

Just save that script into something like "update.x" and run chmod +x on it. Then you can update components of your iptables rule file much more easily.

Quick and easy solution. No perl junk, no expensive security management software, nothing but runtime macro substitution with M4.
