[Firehol-devs] user-defined chains
Costa Tsaousis
costa at tsaousis.gr
Fri Jul 20 21:05:21 BST 2007
Andrew Schulman wrote:
> I just posted the following as a feature request at the sf.net page.
>
> I'd like to see a new primary command 'chain', that defines a user-defined
> chain and causes following rules to be appended to that chain. For example:
>
> interface eth0
> client any mathieu user mathieu
> client ...
>
> chain mathieu
> client any return custom '...'
> client any reject custom '...'
> ...
>
> The above would allow me to set up a chain of conditions that apply only to
> user mathieu, so I can deny his traffic under certain conditions (e.g. when
> he should be sleeping), or otherwise return to allow it to pass under the
> same conditions as everyone else's.
>
> The above example is a current requirement of mine, and when the custom
> conditions are complicated enough I don't think there's any other way to
> meet it except through a user defined chain. I have other requirements that
> are most naturally met by user-defined chains, but for which there are
> workarounds.
>
> A 'chain' command would be simple, and it would add a lot of value. It
> would provide an important feature of firehol that's missing compared to
> using plain iptables.
>
> Question: Is this a feature that's likely to be implemented in firehol
> soon? And if not, and if I develop the feature myself and post a patch
> (including documentation), would it be likely to be considered for
> inclusion?
>
> Thanks,
> Andrew.
>
How about this approach?
Changelog of FireHOL v1.257:

Added helper 'action':

    action [chain <name> <action>]

The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.

For example, you can set up the custom action ACT1, which by default is
ACCEPT, but under certain cases it can be changed to DROP, REJECT or RETURN
without restarting the firewall.

The first argument must always be the word 'chain', for the moment.

name can be any chain name accepted by iptables. It is suggested to keep it
between 5 and 10 letters.

action can be any action supported by FireHOL, although only ACCEPT, REJECT,
DROP, RETURN may have any meaning under this use.

Example 1:

At the top of firehol.conf, create the action ACT1:

    action chain ACT1 accept

Later, in interfaces and routers, create rules that use the ACT1 action:

    server smtp ACT1
    client imap ACT1

Please note that actions created this way are case sensitive.

At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this Linux command (this is not FireHOL specific):

    iptables -t filter -I ACT1 -j DROP

The above command inserts (-I) the new action DROP above the default action
ACCEPT, and therefore all the traffic matching the FireHOL rules that have
the action ACT1 will now be dropped.

To return to the default action (ACCEPT), run the following Linux command:

    iptables -t filter -D ACT1 -j DROP

This command deletes (-D) the DROP action that was inserted above the default
action. If you delete all actions in the chain ACT1, the default action will
be RETURN, in which case all rules with action ACT1 will be neutralized (it
will be the same as if they were not specified at all in firehol.conf).

Example 2:

    action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop

will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and ACT4, ACT5, ACT6
with DROP.
Costa
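The runtime switch described in the changelog above (insert an action above the chain's default, delete it to revert, an emptied chain means RETURN), as an added shell example. This is not FireHOL's code and not part of the thread; it assumes a chain ACT1 already built by 'action chain ACT1 accept', i.e. a user-defined chain in the filter table whose last rule is the default action, and it lets the IPTABLES variable point at a wrapper for a dry run. It goes a step beyond the two commands in the changelog: act_set refuses to stack a second identical override, and act_reset removes every override but never the default rule, so the chain cannot silently fall back to RETURN.

```shell
#!/bin/sh
# Added example, not FireHOL's own code. Assumptions: the chain's rule 1 is
# the current override (if any) and its LAST rule is the default action, as
# produced by 'action chain ACT1 accept'. IPTABLES may be set to a wrapper
# (a shell function or 'echo') for a dry run.
IPTABLES="${IPTABLES:-iptables}"

ipt() { "$IPTABLES" -t filter "$@"; }

# act_rules CHAIN : the chain's rules, one per line ('-A CHAIN -j TARGET').
act_rules() { ipt -S "$1" | grep '^-A '; }

# act_count CHAIN : number of rules currently in the chain.
act_count() { act_rules "$1" | wc -l | tr -d ' '; }

# act_current CHAIN : target of rule 1, i.e. the action that is in effect.
act_current() { act_rules "$1" | sed -n '1s/.* -j \([^ ]*\).*/\1/p'; }

# act_set CHAIN TARGET : switch the effective action without restarting
# the firewall. Position 1 puts TARGET above the default; the guard makes
# the call idempotent, otherwise every run would stack one more copy.
act_set() {
    [ "$(act_current "$1")" = "$2" ] && return 0
    ipt -I "$1" 1 -j "$2"
}

# act_reset CHAIN : remove every override and fall back to the default.
# Deletes rule 1 only while more than one rule remains, so the default is
# kept: an empty chain RETURNs and neutralizes every rule that uses it.
act_reset() {
    while [ "$(act_count "$1")" -gt 1 ]; do
        ipt -D "$1" 1 || return 1
    done
}

# Usage (needs root and an existing ACT1 chain):
#   act_set ACT1 DROP      # traffic matched by rules using ACT1 is dropped
#   act_current ACT1       # -> DROP
#   act_reset ACT1         # back to the default ACCEPT
```

Two caveats worth keeping in mind with the raw commands from the changelog: 'iptables -D ACT1 -j DROP' removes only the first matching rule, so if the insert was run twice the chain still drops after one delete; and anything changed this way lives only in the running kernel ruleset, so a FireHOL restart rebuilds the chain with its default action and the override is gone.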