Bug 135667 - iptables loads no rules if FQDNs are used instead of IP addresses
Summary: iptables loads no rules if FQDNs are used instead of IP addresses
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: iptables
Version: 3.0
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2004-10-14 09:11 UTC by Dr Philip J Naylor
Modified: 2007-11-30 22:07 UTC (History)
Clone Of:
Last Closed: 2004-10-20 10:15:22 UTC



Description Dr Philip J Naylor 2004-10-14 09:11:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3) Gecko/20040924

Description of problem:
As with bug #80783 I had been using machine names for firewall holes,
so as to avoid problems with dynamic/recycled IP addresses.  Whilst I
appreciate why this cannot work, it should be noted that an iptables
configuration like the one in "Additional Information" results in the
machine booting with NO firewall rules installed (i.e. the machine is
completely open) - this would not appear to be a safe failure mode,
for such a key security feature.

Version-Release number of selected component (if applicable):
iptables-1.2.8-12.3

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/sysconfig/iptables which uses FQDNs for firewall holes,
as per "Additional Information"
2. Boot the machine (do not just restart iptables)
3. Run iptables --list

Actual Results:  No iptables rules are implemented; iptables --list
returns:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Expected Results:  All bar the rule for the unresolvable FQDN should
be implemented, or (at the very least) the failure mode should be to
block all access, not to allow all access.

Additional info:

Example /etc/sysconfig/iptables (all addresses changed for security):

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ENM-Local - [0:0]
:RH-Firewall-1-INPUT - [0:0]
# jump to ENM-Local rule set
-A INPUT -j ENM-Local
-A INPUT -j RH-Firewall-1-INPUT
# start of ENM-Local rule set
# start of Nessus recommended stuff
-A ENM-Local -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL ALL -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL NONE -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A ENM-Local -p icmp -m icmp --icmp-type timestamp-request -s 0/0 -j REJECT
-A ENM-Local -p icmp -m icmp --icmp-type timestamp-reply -s 192.168.1.152 -j REJECT
# end of Nessus recommended stuff
# start of RPC stuff for quota, etc
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 111 -d 0/0 --dport 1025:65535 -j ACCEPT
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 32700:34000 -d 0/0 --dport 1025:65535 -j ACCEPT
# end of RPC stuff
# start of ssh stuff (the two -s arguments below are FQDNs, which
# iptables-restore has to resolve at the moment the file is loaded)
-A ENM-Local -p tcp -m tcp --dport 22 -s adminws.foo.com --sport 1025:65535 --syn -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s mylaptop.sales.foo.com --sport 1025:65535 --syn -j ACCEPT
# end of ssh stuff
# end of ENM-Local rule set
# start of default firewall stuff
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.52 --sport 53 -d 0/0 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.2.33 --sport 53 -d 0/0 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Firewall-1-INPUT -p udp -m udp -j REJECT
# end of default firewall stuff
COMMIT
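
Added example (editor's code, not part of this report and not part of Red Hat's iptables package or init script): a POSIX sh helper that addresses the two points raised in the description. It lists the -s/-d arguments in an iptables-save style file that are hostnames rather than literal IPv4 addresses, resolves them once before iptables-restore ever sees the file, and if any name does not resolve it refuses to load the rule set and leaves DROP policies on INPUT and FORWARD instead of the boot-time ACCEPT. The function names, the IPTABLES/IPTABLES_RESTORE overrides and the SAMPLE_RULES text (a cut-down copy of the file above, using the report's fictitious hostnames plus one added CIDR rule) are assumptions of this example. The fail-closed ordering relies on iptables-restore leaving the kernel table untouched when it aborts before COMMIT.

```sh
#!/bin/sh
# Added example: pre-resolve hostnames in an /etc/sysconfig/iptables style
# file and load it so that any failure leaves the host closed, not open.

# Constructed sample in the format of the file in the report (hostnames are
# the report's fictitious ones; the 10.0.0.0/8 rule is added to show that an
# address/mask is recognised as an address, not a name).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:ENM-Local - [0:0]
-A INPUT -j ENM-Local
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 111 -d 0/0 --dport 1025:65535 -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s adminws.foo.com --sport 1025:65535 --syn -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 --source mylaptop.sales.foo.com --syn -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# Print, one per line and deduplicated, every -s/-d argument that is not a
# literal IPv4 address or address/mask, i.e. every name iptables-restore
# would have to resolve at load time.  Handles "-s !host" and "-s ! host".
list_hostname_args() {   # $1 = rules file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-s" || $i == "--source" || $i == "--src" ||
                    $i == "-d" || $i == "--destination" || $i == "--dst") {
                    v = $(i + 1)
                    sub(/^!/, "", v)               # "-s !host"
                    if (v == "") v = $(i + 2)      # "-s ! host"
                    if (v == "") continue
                    if (v !~ /^[0-9]+(\.[0-9]+)*(\/[0-9.]+)?$/) print v
                }
            }
        }' "$1" | sort -u
}

# Resolve one name to its first IPv4 address; empty output means unresolvable.
# Uses getent(1); redefine this function to exercise the code without DNS.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Print the rules with every hostname replaced by its IPv4 address.  Returns 1
# and prints no rule set if any name cannot be resolved, so the caller can
# refuse to load rather than load nothing.
resolve_rules() {   # $1 = rules file
    rules=$(cat "$1") || return 1
    for h in $(list_hostname_args "$1"); do
        ip=$(resolve_host "$h")
        if [ -z "$ip" ]; then
            echo "resolve_rules: cannot resolve $h; rules not loaded" >&2
            return 1
        fi
        # token-wise substitution: only a whole field equal to the name changes
        rules=$(printf '%s\n' "$rules" |
                awk -v h="$h" -v ip="$ip" '{ for (i = 1; i <= NF; i++) if ($i == h) $i = ip; print }')
    done
    printf '%s\n' "$rules"
}

# Load a rules file fail-closed.  Not invoked by this script; run as root on
# the firewall host.  IPTABLES and IPTABLES_RESTORE are overridable for tests.
fail_closed_restore() {   # $1 = rules file
    ipt=${IPTABLES:-iptables}
    rst=${IPTABLES_RESTORE:-iptables-restore}
    # 1. resolve names first, while DNS replies can still reach the resolver
    if ! resolved=$(resolve_rules "$1"); then
        "$ipt" -P INPUT DROP
        "$ipt" -P FORWARD DROP
        echo "fail_closed_restore: host left at policy DROP" >&2
        return 1
    fi
    # 2. close the door before replacing the table, so an abort inside
    #    iptables-restore leaves DROP rather than the boot-time ACCEPT
    "$ipt" -P INPUT DROP && "$ipt" -P FORWARD DROP || return 1
    # 3. hand over an all-numeric rule set; if iptables-restore still aborts
    #    before COMMIT the kernel table is unchanged, i.e. still policy DROP
    printf '%s\n' "$resolved" | "$rst" || {
        echo "fail_closed_restore: iptables-restore failed, host left at policy DROP" >&2
        return 1
    }
}
```

On a real host, fail_closed_restore /etc/sysconfig/iptables would replace the bare iptables-restore call in the init script; list_hostname_args on its own is a useful check to run before committing a hand-edited file, since any name it prints is a name the box depends on at every boot.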

Comment 1 Thomas Woerner 2004-10-20 10:15:22 UTC
There will be a note in the System Admin Guide for RHEL4.

Closing "NOT A BUG".