Possibility to lock iptables rules.

Jason Opperisano opie at 817west.com
Wed Apr 20 20:47:53 CEST 2005


On Wed, Apr 20, 2005 at 12:49:15PM +0200, Anders Fugmann wrote:
> Hi,
> 
> I would like to request a very simple feature: The possibility to lock
> all iptable rules in the kernel, making them immutable.
> 
> This would be usefull on machines which act both as a firewall and as a
> server. The problem today if an unwanted guest manages to break into the
> machine running the firewall and becomes root, the person can easilly
> change the rules, compromising the network guarded by the hacked
> firewall.
> 
> If it was somehow possible to lock the rules once setup, the attacker
> would be unable to modify the rules, the network guarded by the firewall
> would not (pending on how the firewall was setup) not be compromised,
> even if an attacker gained access to the firewall itself.

i'm guessing you're thinking about how the *BSD's have a concept of
kern.securelevel, and certain things (like firewall rules) become
immutable; even by root, at certain levels.

i'm not a kernel programmer, but i can tell you that the linux kernel
doesn't have anything like kern.securelevel; and without it, i don't
believe what you're asking for is possible.  i'd also figure that
implementing kern.securelevel in the linux kernel would be beyond the
scope of what the netfilter developers are responsible for.

-j

--
"Stewie: Careful! You're washing a baby's scalp, not scrubbing
 the vomit out of a Christmas dress, you stupid holiday drunk."
        --Family Guy



More information about the netfilter mailing list