Linux Firewalls - Michael Rash [109]
### you would use:
### BLACKLIST 192.168.10.0/24 REJECT;
BLACKLIST NONE;
### Define the jump position in the built-in chains to jump to
### the fwsnort chains.
❸ FWSNORT_INPUT_JUMP 1;
FWSNORT_OUTPUT_JUMP 1;
FWSNORT_FORWARD_JUMP 1;
### iptables chains (these do not normally need to be changed)
FWSNORT_INPUT FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;
### System binaries
shCmd /bin/sh;
echoCmd /bin/echo;
tarCmd /bin/tar;
wgetCmd /usr/bin/wget;
unameCmd /usr/bin/uname;
ifconfigCmd /sbin/ifconfig;
iptablesCmd /sbin/iptables;
At ❶ above, the fwsnort.conf file sets the average length for the IP and TCP headers. This is necessary because the iptables length match begins at the IP header, whereas the Snort dsize option applies only to the application-layer data carried by a packet. By specifying the average header lengths, fwsnort can approximate the dsize option during the translation process.
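The translation described above can be written out as a small function. The following is an added example, not fwsnort's own code: it takes the argument of a Snort dsize option, shifts the boundaries for Snort's strict comparisons, adds the configured header overhead, and returns the argument for the iptables -m length --length match. The header lengths are assumed values for illustration (fwsnort takes them from fwsnort.conf), and the inclusive treatment of the <> range follows Snort 2 behaviour.

```python
"""
Approximate a Snort dsize test with the iptables length match.

Added example (not fwsnort's own code). The iptables length match counts
from the start of the IP header, while Snort's dsize counts only payload
bytes, so the configured average header lengths are added before the
--length argument is emitted.
"""
import re

# Assumed average header lengths for this example; a real deployment
# reads them from the AVG_*_HEADER_LEN keywords in fwsnort.conf.
AVG_IP_HEADER_LEN = 20
AVG_TCP_HEADER_LEN = 20
UDP_HEADER_LEN = 8          # fixed by the protocol, nothing to average

_DSIZE_RE = re.compile(
    r"^\s*(?:(?P<op>[<>])\s*(?P<one>\d+)"      # <N or >N
    r"|(?P<lo>\d+)\s*<>\s*(?P<hi>\d+)"          # LO<>HI
    r"|(?P<exact>\d+))\s*$"                     # N
)


def header_overhead(proto):
    """Bytes to add to an application-layer size for the given protocol."""
    if proto == "tcp":
        return AVG_IP_HEADER_LEN + AVG_TCP_HEADER_LEN
    if proto == "udp":
        return AVG_IP_HEADER_LEN + UDP_HEADER_LEN
    raise ValueError("unsupported protocol: %s" % proto)


def dsize_to_length(dsize, proto="tcp"):
    """
    Translate a Snort dsize argument ('>100', '<300', '200<>400', '300')
    into the argument of 'iptables -m length --length'.

    Snort's < and > are strict while the iptables range is inclusive, so
    the boundary is moved by one before the header overhead is added.
    The LO<>HI form is treated as inclusive (Snort 2 semantics).
    """
    m = _DSIZE_RE.match(dsize)
    if not m:
        raise ValueError("unparseable dsize argument: %r" % dsize)
    extra = header_overhead(proto)
    if m.group("op") == ">":
        return "%d:" % (int(m.group("one")) + 1 + extra)
    if m.group("op") == "<":
        upper = int(m.group("one")) - 1
        if upper < 0:
            raise ValueError("dsize:<0 can never match")
        return ":%d" % (upper + extra)
    if m.group("lo") is not None:
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError("inverted dsize range: %r" % dsize)
        return "%d:%d" % (lo + extra, hi + extra)
    return "%d" % (int(m.group("exact")) + extra)


def length_match_args(dsize, proto="tcp"):
    """Return the iptables argument list for the translated dsize test."""
    return ["-m", "length", "--length", dsize_to_length(dsize, proto)]


if __name__ == "__main__":
    for spec in (">100", "<300", "200<>400", "300"):
        print("dsize:%s;" % spec, "->", " ".join(length_match_args(spec)))
```

Because the header lengths are averages, the resulting iptables rule is only an approximation of the Snort test: a packet with IP or TCP options longer than the configured average will be classified differently by the two engines, which is worth remembering when an fwsnort rule fires (or fails to fire) on traffic that Snort treats the other way.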
At ❷ we can add a whitelist and a blacklist; see "Setting Up Whitelists and Blacklists" on page 190.
At ❸ the position of the jump rule into the fwsnort chains within each of the built-in chains is defined. By default the jump rule is the very first rule within each of these chains, but you can alter this to your liking by changing these variables. This is not usually necessary unless you have an iptables policy with inspection or filtering requirements that must be met before fwsnort has a chance to inspect packets.
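To make the effect of the FWSNORT_*_JUMP and chain-name keywords concrete, here is an added example (not fwsnort's own code, and not the text fwsnort.sh actually emits): it parses a constructed fwsnort.conf fragment built from the keywords shown above and generates the iptables commands that the dedicated-chain section of a script like fwsnort.sh needs, creating each custom chain and inserting the jump rule at the configured position in INPUT, OUTPUT and FORWARD. The rule that feeds the _ESTAB chain from the main chain via conntrack state is an assumption about how those chains are wired, made for illustration.

```python
"""
Added example (not fwsnort's own code): turn the jump-position and
chain-name keywords of a fwsnort.conf fragment into the iptables
commands that build the dedicated fwsnort chains and hook them into
the built-in chains. SAMPLE_CONF is constructed for this example.
"""

SAMPLE_CONF = """\
### Define the jump position in the built-in chains to jump to
### the fwsnort chains.
FWSNORT_INPUT_JUMP 1;
FWSNORT_OUTPUT_JUMP 1;
FWSNORT_FORWARD_JUMP 3;
### iptables chains (these do not normally need to be changed)
FWSNORT_INPUT FWSNORT_INPUT;
FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB;
FWSNORT_OUTPUT FWSNORT_OUTPUT;
FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB;
FWSNORT_FORWARD FWSNORT_FORWARD;
FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;
### System binaries
iptablesCmd /sbin/iptables;
"""

BUILTIN_CHAINS = ("INPUT", "OUTPUT", "FORWARD")


def parse_conf(text):
    """Parse 'KEYWORD value;' lines, skipping ### comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith(";"):
            raise ValueError("missing trailing ';' in: %r" % raw)
        key, _, value = line[:-1].partition(" ")
        conf[key] = value.strip()
    return conf


def chain_setup_commands(conf):
    """
    Return the iptables command lines, in execution order, that create
    the fwsnort chains and insert the jump rules at the configured
    positions. Chains are created before any rule refers to them.
    """
    ipt = conf["iptablesCmd"]
    cmds = []
    for builtin in BUILTIN_CHAINS:
        chain = conf["FWSNORT_" + builtin]
        estab = conf["FWSNORT_%s_ESTAB" % builtin]
        pos = int(conf["FWSNORT_%s_JUMP" % builtin])
        if pos < 1:
            raise ValueError("jump position for %s must be >= 1" % builtin)
        for custom in (chain, estab):
            cmds.append("%s -N %s" % (ipt, custom))   # create the chain
            cmds.append("%s -F %s" % (ipt, custom))   # start from empty
        # Assumed wiring: packets of established connections continue
        # into the _ESTAB chain; everything else stays in the main chain.
        cmds.append("%s -A %s -m state --state ESTABLISHED -j %s"
                    % (ipt, chain, estab))
        # The jump rule is the only fwsnort rule placed in a built-in chain.
        cmds.append("%s -I %s %d -j %s" % (ipt, builtin, pos, chain))
    return cmds


if __name__ == "__main__":
    for cmd in chain_setup_commands(parse_conf(SAMPLE_CONF)):
        print(cmd)
```

With FWSNORT_FORWARD_JUMP set to 3 in the sample, the FORWARD jump rule lands after two existing rules, which is the situation the text describes: a policy that must filter or inspect some forwarded traffic before fwsnort sees it. Note that -N fails if a chain already exists, so a script that is re-run on a live firewall should either tolerate that error or delete the old jump rules and chains first.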
Structure of fwsnort.sh
The Bourne shell script /etc/fwsnort/fwsnort.sh generated by fwsnort is divided into five sections. The first section is a header constructed out of comments that includes a short blurb about the purpose of the fwsnort.sh script, the command-line arguments given to fwsnort to generate fwsnort.sh, and the version of fwsnort:
[iptablesfw]# cat /etc/fwsnort/fwsnort.sh
#!/bin/sh
# File: /etc/fwsnort/fwsnort.sh
# Purpose: This script was auto-generated by fwsnort and implements an
# iptables ruleset based upon Snort rules. For more information,
# see the fwsnort man page or the documentation available at
# http://www.cipherdyne.org/fwsnort.
# Generated with: fwsnort --no-ipt-sync
# Generated on host: iptablesfw
# Generated at: Sun Jul 15 23:12:43 2007
# Author: Michael Rash
# Version: 1.0 (file revision: 381)
The second section of the fwsnort.sh script defines paths to the iptables and echo system binaries. These paths are inherited from the iptablesCmd and echoCmd keywords in the fwsnort.conf configuration file, and fwsnort checks that the paths make sense before building fwsnort.sh. However, the fwsnort.sh script does not necessarily have to be executed on the same system where fwsnort is installed. In fact, from a security perspective, it is better not to have Perl or any other highly capable interpreter or compiler installed on a dedicated firewall device unless it is strictly necessary from an operations perspective.[60] The configuration section allows the paths to be tweaked easily for the eventual system on which fwsnort.sh is deployed:
ECHO=/bin/echo
IPTABLES=/sbin/iptables
The third section in fwsnort.sh is responsible for building dedicated iptables chains for fwsnort rules. All fwsnort rules, with the exception of the jump rules discussed below, are added to these custom chains to maintain strict separation from any existing iptables policy. The names given to fwsnort chains broadly describe the type of traffic inspection that is performed within each chain. For example, the FWSNORT_INPUT chain is for the inspection of traffic that is directed at the local system and is therefore governed by the iptables INPUT chain. Similarly, the FWSNORT_OUTPUT chain only applies to packets that originate from the firewall system itself (via the OUTPUT chain), and the FWSNORT_FORWARD chain governs packets that are destined to be