Hi all,

I need to add the following IPTABLES command

iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm -j DROP

into the /etc/Shorewall/start file. Although I've tried with various combinations of single and double quotes around the < Cirpack KeepAlive Packet > string, I don't seem to be able to find the right combination that Shorewall would accept, assuming that that's where it fails.

FYI, IPTABLES doesn't complain when I submit the same command at the shell level. Sure enough the string in the file has the run_iptables at the beginning.

I use Shorewall 4.5.6.2.

Thanks for your help,
Costa

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
On 10/14/12 10:25 AM, Costantino wrote:
> Hi all,
>
> I need to add the following IPTABLES command
>
> iptables -A INPUT -p udp -m udp --dport 5060 -m string --string
> "Cirpack KeepAlive Packet" --algo bm -j DROP
>
> into the /etc/Shorewall/start file.

That won't work, even if you do add the command. At the very least, you want to use -I INPUT rather than -A INPUT.

> Although I've tried with various combinations of single and double
> quotes around the < Cirpack KeepAlive Packet > string, I don't seem
> to be able to find the right combination that Shorewall would
> accept, assuming that that's where it fails.

The current run_iptables() doesn't handle quotes in the passed command. The attached patch will allow you to do this:

run_iptables "-A INPUT -p udp --dport 5060 \
  -m string --string \"Cirpack KeepAlive Packet\" --algo bm -j DROP"

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Whatever I do, whether I insert the escape character before the double quote or not it complains with the message:

<-- cut -->
Processing /etc/shorewall/start ...
Bad argument `KeepAlive'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -I INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm -j DROP" Failed
Processing /etc/shorewall/stop ...
<-- cut -->

It looks to me as if as soon as it encounters a <blank> character it declares the end of the string.

Costa

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 14 October 2012 20:05
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] the right syntax for run_iptables command?
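The "Bad argument `KeepAlive'" error above is ordinary shell word splitting: a wrapper that expands its argument unquoted hands iptables the word `"Cirpack` and then the stray word `KeepAlive`. The following is an added example, not Shorewall's own run_iptables() (whose source and Tom's patch are not shown on this page). It reproduces the failure with a stand-in for /sbin/iptables (`fake_iptables`, an assumed helper that only records what it received) and shows two wrapper styles that pass the quoted match string through intact.

```shell
#!/bin/sh
# Added example, not Shorewall's own run_iptables(): it reproduces the word
# splitting behind "Bad argument `KeepAlive'" and shows two ways a wrapper can
# pass a quoted --string argument through intact.
#
# fake_iptables is an assumed stand-in for /sbin/iptables; it only records how
# many argv words arrived and which word followed --string.

RULE='-I INPUT -p udp -m udp --dport 5060 -m string --string "Cirpack KeepAlive Packet" --algo bm -j DROP'

fake_iptables() {
    FAKE_ARGC=$#
    FAKE_STRING=''
    while [ $# -gt 0 ]; do
        if [ "$1" = "--string" ]; then
            shift
            FAKE_STRING=$1
            break
        fi
        shift
    done
}

# Naive wrapper: the command string is expanded unquoted, so the shell splits
# it on blanks and leaves the double quotes as literal characters. iptables
# then sees --string '"Cirpack' followed by the stray word 'KeepAlive'.
run_iptables_naive() {
    fake_iptables $*
}

# eval re-parses the string as shell input, so \"...\" inside the caller's
# double-quoted argument becomes one word again. Caveat: eval also honours any
# other shell metacharacters in the rule, so never build the string from
# untrusted input.
run_iptables_eval() {
    eval "fake_iptables $1"
}

# Passing the rule as separate arguments with "$@" needs no re-parsing at all;
# the caller quotes the match string once and the shell never touches it again.
run_iptables_args() {
    fake_iptables "$@"
}

# Stand-alone demonstration of the three wrappers.
run_iptables_naive "$RULE"
printf 'naive: argc=%s --string=%s\n' "$FAKE_ARGC" "$FAKE_STRING"
run_iptables_eval "$RULE"
printf 'eval:  argc=%s --string=%s\n' "$FAKE_ARGC" "$FAKE_STRING"
run_iptables_args -I INPUT -p udp -m udp --dport 5060 \
    -m string --string "Cirpack KeepAlive Packet" --algo bm -j DROP
printf 'args:  argc=%s --string=%s\n' "$FAKE_ARGC" "$FAKE_STRING"
```

The naive wrapper delivers 18 words with `--string` followed by `"Cirpack`; both of the others deliver 16 words with the full `Cirpack KeepAlive Packet` as one argument. Whichever wrapper is used, the rule still has to be inserted with -I rather than -A, as Tom notes above, so that it sits ahead of the rules Shorewall itself places in INPUT.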
On 10/14/2012 03:34 PM, Costantino wrote:
> Whatever I do, whether I insert the escape character before the double quote
> or not it complains with the message:
>
> <-- cut -->
> Processing /etc/shorewall/start ...
> Bad argument `KeepAlive'
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -I INPUT -p udp -m udp --dport 5060 -m
> string --string "Cirpack KeepAlive Packet" --algo bm -j DROP" Failed
> Processing /etc/shorewall/stop ...
> <-- cut -->
>
> It looks to me as if as soon as it encounters a <blank> character it
> declares the end of the string.

Did you apply the patch?

-Tom
Thanks Tom,

The patch does work and the IPTABLES line with the -I modification is indeed effective in stopping the unwanted packets. Before the patch we were receiving 1 pckt/sec!

Costa

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 15 October 2012 01:25
To: Shorewall Users
Subject: Re: [Shorewall-users] the right syntax for run_iptables command?
On 10/15/2012 12:14 AM, Costantino wrote:
> Thanks Tom,
>
> The patch does work and the IPTABLES line with the -I modification indeed
> it's effective in stopping the unwanted packets. Before the patch we were
> receiving 1pckt/sec!

A more elegant way to do this is to:

1. Add this line to /etc/shorewall/actions:

   Cirpack      # Drop Cirpack KeepAlive packets

2. Place the attached file in /etc/shorewall/.

3. In your rules file, add:

   Cirpack      z      $FW

Where 'z' is the zone that is sending the keepalive packets.

-Tom