ESTABLISHED Custom Service inserts new line?

Timothy
2004-10-13
2013-03-05
  • Timothy
    2004-10-13

    FWB 2.0.3 on Win32

    I have my current iptables firewall set to log all --state NEW http & https requests, and to NOT log all --state ESTABLISHED, RELATED http & https requests.

    ++++++++++++++++++++++++++++++++++++++++++++++++
    # Two user chains: one that logs before accepting, one that only accepts
    $IPTABLES -N www_log
    $IPTABLES -N www_nolog
    # New http/https connections arriving on eth3 go to the logging chain
    $IPTABLES -A FORWARD  -i eth3 -p tcp  -m multiport  --dports 80,443  -m state --state NEW -j www_log
    # Packets of already established/related http/https connections skip the log
    $IPTABLES -A FORWARD  -i eth3 -p tcp  -m multiport  --dports 80,443  -m state --state ESTABLISHED,RELATED -j www_nolog
    $IPTABLES -A www_log   -j LOG  --log-level info --log-prefix "Web "  --log-tcp-sequence  --log-tcp-options  --log-ip-options
    $IPTABLES -A www_log  -d 10.3.0.2  -j ACCEPT
    $IPTABLES -A www_nolog  -d 10.3.0.2  -j ACCEPT
    ++++++++++++++++++++++++++++++++++++++++++++++++

    I am trying to duplicate these two tasks with the fwb gui.  The first part is easy in fwbuilder, but I am having difficulty duplicating this functionality for the second part.

    In fwbuilder I put the web server in the destination, http, https, and ESTABLISHED (all from the standard library) in the Service column, and I get the following lines when it compiles:

    $IPTABLES -N Cid416D6F9D.0
    $IPTABLES -A FORWARD  -i eth3 -p tcp  -m multiport  --dports 80,443  -m state --state NEW  -j Cid416D6F9D.0
    $IPTABLES -A FORWARD  -i eth3  -m state --state ESTABLISHED,RELATED  -j Cid416D6F9D.0
    $IPTABLES -A Cid416D6F9D.0   -d 10.3.0.2  -j ACCEPT
    =====================================

    If I make the rule stateless in the options, I get this:

    ====================================
    $IPTABLES -N Cid416D6F9D.0
    $IPTABLES -A FORWARD  -i eth3 -p tcp  -m multiport  --dports 80,443  -j Cid416D6F9D.0
    $IPTABLES -A FORWARD  -i eth3  -m state --state ESTABLISHED,RELATED  -j Cid416D6F9D.0
    $IPTABLES -A Cid416D6F9D.0   -d 10.3.0.2  -j ACCEPT
    =====================================

    I was hoping for this:
    ++++++++++++++++++++++++++++++++++++
    $IPTABLES -N Cid416D6F9D.0
    $IPTABLES -A FORWARD  -i eth3 -p tcp  -m multiport  --dports 80,443  -m state --state ESTABLISHED,RELATED -j Cid416D6F9D.0
    $IPTABLES -A Cid416D6F9D.0   -d 10.3.0.2  -j ACCEPT
    ++++++++++++++++++++++++++++++++++++

    Another side question: is it possible to change the rule names? I was hoping for something a little more intuitive than Cid416D6F9D.0.

    Thanks in advance for any assistance or insights any might have to offer!

    • Vadim Kurland
      2004-10-14

      Several service objects in the same rule are treated as "service1 OR service2", etc. That is why you get "ESTABLISHED,RELATED" in a separate rule. If you want to get it in the same rule that checks for ports 80 and 443, you create a custom service object similar to the object "ESTABLISHED" and add "-p tcp -m multiport --dports 80,443" to the code it generates. Simply select the object "ESTABLISHED", right-click on it and use the menu item "Duplicate", then edit the copy object that you'll get.
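      The two compiled rule sets quoted in the question differ from the hand-written rules in one way that is easy to miss: fwbuilder's ESTABLISHED,RELATED rule carries no -p or --dports match, so it sends every established or related connection entering eth3 to the web server chain, not just TCP 80/443, which is what the custom service object described in the reply narrows again. The script below is an added example (not code from this thread or from fwbuilder) that audits an iptables-save style dump for exactly that pattern; the function names and the sample rule lines are constructed for the illustration, with the sample taken from the rules quoted above.

```sh
#!/bin/sh
# Added example, not from the original thread or from fwbuilder: audit an
# iptables-save style rule dump for ESTABLISHED/RELATED rules that are not
# narrowed by a protocol or destination-port match. The function names and
# the sample rules are constructed for this illustration.

# Constructed sample: the FORWARD rules fwbuilder compiled in the question,
# plus the hand-written "www_nolog" rule the poster was trying to reproduce.
SAMPLE_RULES='-A FORWARD -i eth3 -p tcp -m multiport --dports 80,443 -m state --state NEW -j Cid416D6F9D.0
-A FORWARD -i eth3 -m state --state ESTABLISHED,RELATED -j Cid416D6F9D.0
-A FORWARD -i eth3 -p tcp -m multiport --dports 80,443 -m state --state ESTABLISHED,RELATED -j www_nolog
-A Cid416D6F9D.0 -d 10.3.0.2 -j ACCEPT'

# Print each rule that matches on ESTABLISHED or RELATED state (either the
# legacy "-m state --state" or the newer "-m conntrack --ctstate" form) but
# has no "-p" protocol match or no "--dport"/"--dports" match, prefixed with
# the reason. Such a rule applies to every protocol and port, not just the
# web ports the rest of the chain is about.
broad_state_rules() {
    printf '%s\n' "$1" | awk '
        /--(ct)?state[ ]+[A-Za-z,]*(ESTABLISHED|RELATED)/ {
            reason = ""
            if ($0 !~ /(^| )-p /)            reason = "no protocol match"
            else if ($0 !~ /--dports?[ =]/)  reason = "no destination port match"
            if (reason != "") print reason ": " $0
        }'
}

# Number of flagged rules; usable as a pass/fail check in a deploy script.
count_broad_state_rules() {
    broad_state_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed sample. On a live host you would
# pass the real ruleset instead, e.g.  broad_state_rules "$(iptables-save)"
broad_state_rules "$SAMPLE_RULES"
```

      Run against the sample, only the fwbuilder-compiled ESTABLISHED,RELATED rule is reported ("no protocol match"); the hand-written www_nolog rule, which carries both -p tcp and --dports 80,443, passes. Feeding the output of iptables-save to the same function before loading a compiled policy is a cheap way to catch a state rule that became broader than the rule you wrote by hand.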