iptables: having a context for rules
I am looking for a way to get a context/status in iptables rules. I am not talking about the context of a session here (new, established, ...).
E.g.
Request to port 80 => PASS + set CONTEXT to 1
Request to port 88 and CONTEXT is 1 => PASS
So a mechanism that is a sort of simple memory of the past.
Is that possible with an existing extension?
iptables
asked Feb 13 at 16:31
chris01
1559
1 Answer
The recent match (which as an iptables match is quite non-standard: it can be used either to check or to alter the information) could be used for your purpose:
iptables -A INPUT -p tcp --dport 80 -m recent --set --name contextA -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -m recent --rcheck --name contextA -j ACCEPT
Now more plumbing is certainly needed, including the use of options like --seconds or additional rules with option --remove, or the "context" will stay forever set. It all depends on the actual untold goal you're after.
For more complex settings, interfacing iptables with ipset using the set match and SET target can probably help (it's a superset of recent).
If you need this for port knocking, there is a specific pknock match available with xtables-addons (which usually requires compiling, since it's coming with external kernel modules), but then also consider tools like fwknop.
answered Feb 13 at 21:11
A.B
5,1021726
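The "plumbing" the answer alludes to (an expiry window with --seconds, an explicit --remove rule, and the ipset alternative with a timeout), written out as a loadable rule set. This is an added example, not code from the question or the answer. The chain name CTX_IN, the list/set name contextA, the 60 second window and the use of port 89 as a "clear the context" port are assumptions chosen for illustration; the iptables, ipset and /proc/net/xt_recent interfaces are the real ones. Set IPT=echo (and IPSET=echo) to print the generated commands instead of loading them, which is also how you review the rule set without root.

```sh
#!/bin/sh
# Added example, not from the original post. CTX_IN, contextA, TTL=60 and port 89 are
# illustrative assumptions; the options used are standard iptables/ipset/xt_recent ones.
# IPT=echo / IPSET=echo turns the script into a dry run that only prints the commands.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
CTX="${CTX:-contextA}"   # xt_recent list name; visible as /proc/net/xt_recent/$CTX
TTL="${TTL:-60}"         # seconds a port-80 hit keeps the context valid

# Variant 1: recent match. Lines are iptables arguments, one rule per line (no comments
# inside the heredoc, they would be passed to iptables as arguments).
#  - Established traffic is accepted first, so only the first packet of a connection
#    ever touches the context list.
#  - Port 80: a NEW connection records the source in the list (--set) and is accepted.
#  - Port 88: accepted only if the source was recorded within the last $TTL seconds.
#    --rcheck does not refresh the timestamp, so the window runs from the port-80 hit.
#  - Port 89: an explicit "forget me" port; --remove clears the context, then DROP.
#  - Port 88 without context is dropped.
ctx_rules_recent() {
  cat <<EOF
-A CTX_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A CTX_IN -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set --name $CTX --rsource -j ACCEPT
-A CTX_IN -p tcp --dport 88 -m conntrack --ctstate NEW -m recent --rcheck --seconds $TTL --name $CTX --rsource -j ACCEPT
-A CTX_IN -p tcp --dport 89 -m recent --remove --name $CTX --rsource -j DROP
-A CTX_IN -p tcp --dport 88 -j DROP
EOF
}

# Variant 2: ipset. The set is created with "timeout $TTL", so entries expire by themselves.
# SET is a non-terminating target (like MARK): the packet falls through to the next rule,
# hence the separate ACCEPT for port 80. --exist resets the timeout on a repeated add.
ctx_rules_ipset() {
  cat <<EOF
-A CTX_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A CTX_IN -p tcp --dport 80 -m conntrack --ctstate NEW -j SET --add-set $CTX src --exist
-A CTX_IN -p tcp --dport 80 -j ACCEPT
-A CTX_IN -p tcp --dport 88 -m conntrack --ctstate NEW -m set --match-set $CTX src -j ACCEPT
-A CTX_IN -p tcp --dport 89 -j SET --del-set $CTX src
-A CTX_IN -p tcp --dport 88 -j DROP
EOF
}

# load_ctx recent|ipset : (re)create the CTX_IN chain, load the chosen variant, hook it
# into INPUT exactly once. Traffic that CTX_IN does not decide returns to INPUT's own rules.
load_ctx() {
  if [ "$1" = ipset ]; then
    $IPSET create "$CTX" hash:ip timeout "$TTL" -exist
  fi
  $IPT -N CTX_IN 2>/dev/null || $IPT -F CTX_IN
  "ctx_rules_$1" | while read -r rule; do
    $IPT $rule            # unquoted on purpose: the line is split into iptables arguments
  done
  $IPT -C INPUT -j CTX_IN 2>/dev/null || $IPT -I INPUT -j CTX_IN
}

# Inspect and manipulate the recent list by hand: one line per tracked source address.
show_ctx()  { cat "/proc/net/xt_recent/$CTX"; }
clear_ctx() { echo clear > "/proc/net/xt_recent/$CTX"; }   # "-10.0.0.5" removes one entry
```

Two caveats worth keeping in mind with the recent variant. The list holds at most ip_list_tot entries (an xt_recent module parameter, 100 by default) and evicts the oldest when full, so anyone able to reach port 80 from many addresses can push legitimate contexts out; ipset sizes are configurable and do not share that default. And the context is keyed on the source address only, so everything behind the same NAT shares it.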