Activating the fwsnort Chains with Jump Rules

The final section in fwsnort.sh makes the whole ruleset active within the kernel by directing iptables to send traffic through these rules. All of the iptables commands executed by fwsnort.sh up until this point simply load the fwsnort policy into the running kernel.

Because there are not yet any jump rules to send packets from the built-in iptables chains into the fwsnort chains, we have utilized only kernel memory so far; none of the rules can yet interact with packets as they flow within the kernel. This changes with the final six commands, which first delete any existing fwsnort jump rule3 and then make the very first rule in each of the INPUT, OUTPUT, and FORWARD chains jump all packets to the respective fwsnort chain. (The jump rules are the only rules added by fwsnort to any of the built-in iptables chains.)

$IPTABLES -D FORWARD -i ! lo -j FWSNORT_FORWARD 2> /dev/null $IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD $IPTABLES -D INPUT -i ! lo -j FWSNORT_INPUT 2> /dev/null $IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT $IPTABLES -D OUTPUT -o ! lo -j FWSNORT_OUTPUT 2> /dev/null $IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT

NOTE See Appendix B for an example fwsnort.sh script that translates the web-attacks Snort rules file into an equivalent iptables policy.

Was this article helpful?

0 0

Post a comment