Possibility to lock iptables rules.

Anders Fugmann afu at fugmann.net
Wed Apr 20 12:49:15 CEST 2005


Hi,

I would like to request a very simple feature: The possibility to lock
all iptable rules in the kernel, making them immutable.

This would be usefull on machines which act both as a firewall and as a
server. The problem today if an unwanted guest manages to break into the
machine running the firewall and becomes root, the person can easilly
change the rules, compromising the network guarded by the hacked
firewall.

If it was somehow possible to lock the rules once setup, the attacker
would be unable to modify the rules, the network guarded by the firewall
would not (pending on how the firewall was setup) not be compromised,
even if an attacker gained access to the firewall itself.

I was thinking something in the lines of:

iptables --lock [--action <PANIC|LOG>],

where 'action' would specify how the machine should react if anyone was
to try and modify the rules. PANIC would cause the system to panic. LOG
would simple make the kernel log the attempt and then ignore the
request.

The only way to unlock the tables would be to reboot the machine. I know
that this system if not 100% foolproof, as the attacker could install a
custom kernel, and then reboot the machine, but it would cirtanly make
at lot harder for most attackers

I really hope that this feature could be implemented. I know that is is
not excatly trivial to implement as the address of the bit signifying
that the tables are lock would need to be hidden to avoid the attacker
to simply write a zero the the specific address to unlock the tables.

Regards
Anders Fugmann

P.s.
Please CC me on replys, as I'm not on the list.











More information about the netfilter mailing list