Pgl and iptables

sansduck
2013-07-13

  • sansduck
    2013-07-13

    If packet is allowed by pgl, does it return to iptables to be processed further by other rules?

  • jre-phoenix
    2013-07-13

    Yes.

    See the Technical note in the README:

    pgld checks traffic (packets) that is sent to the iptables NFQUEUE target. If the necessary netfilter support is not built in the kernel directly, pglcmd will load the necessary kernel modules. If they are not available, pgld cannot be started.

    If a packet matches the blocklist, then pgld DROPs it directly. If configured, pgld MARKs the packet instead. Per default the MARKing feature is on if you use pglcmd. So blocked packets get the MARK "10", which is shown as "0xa" by iptables.

    If a packet doesn't match the blocklist, then pgld ACCEPTs it directly. If configured, pgld MARKs the packet instead. Per default the MARKing feature is on if you use pglcmd. So allowed packets get the MARK "20", which is shown as "0x14" by iptables.

    A MARKed packet repeats the hook function (NF_REPEAT). So it is sent back to the head of the iptables chain again. This means it enters the chain INPUT, OUTPUT or FORWARD again, but this time bearing a MARK. Then further iptables rules that match the MARK decide what happens with the packets.

    Per default pglcmd sets iptables rules to REJECT outgoing packets, and to DROP incoming and forwarded packets, if they were "marked block". If they were "marked allow", pglcmd's iptables setup just ignores them, so other iptables rules decide what happens to them.

    It is strongly recommended to use the MARKing feature, because this allows integrating pgl with other firewalls.

    A packet may only bear one mark, so there mustn't be any other applications or iptables rules that mark packets. Otherwise the setup will not work and the packet will loop forever.

    Maybe I should rewrite that part. Anyway, in other words (in the default setting):

    Whitelisting rule applies
    --> iptables target RETURN (for default setting of IPTABLES_TARGET_WHITELISTING)

    pgld accepts
    --> MARK packet with "20" (shown as "0x14" by iptables)
    --> repeat hook function, without going to the pgl chain (quite similar to RETURN)

    pgld blocks
    --> MARK packet with "10" (shown as "0xa" by iptables)
    --> repeat hook function hitting the iptables target REJECT_FWD="DROP" or REJECT_IN="DROP" or REJECT_OUT="REJECT"

    Edit 2013-07-14: minor corrections

    Last edit: jre-phoenix 2013-07-14
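The flow jre-phoenix describes (whitelist RETURN, NFQUEUE to pgld, MARK plus NF_REPEAT, then a MARK-matching rule deciding the fate) can be seen end to end in a small model. The following is an added example written for this page, not code from pgl, pgld or pglcmd: an iptables chain is modelled as an ordered list of rules and pgld as the verdict function behind the NFQUEUE target. The rule order, the `reject_target` parameter, the `foreign_mark_rule` switch, the blocklist and the sample addresses are all constructed for the example and are assumptions, not pglcmd's actual rule set. It also shows the failure mode from the README's last paragraph: a second rule that overwrites the mark sends the packet round the chain without end.

```python
"""Toy model of the pgl / iptables interplay described in this thread.

Added example, not code from pgl, pgld or pglcmd. A chain is an ordered list
of rules; pgld is the verdict function behind the NFQUEUE target. It shows how a
MARKed packet re-enters the chain head (NF_REPEAT) and is then decided by a rule
matching the MARK, and why another mark-setting rule makes the packet loop.
Rule order, whitelist, blocklist and sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

MARK_BLOCK = 10   # "marked block", shown by iptables as 0xa
MARK_ALLOW = 20   # "marked allow", shown by iptables as 0x14
MAX_REPEATS = 8   # guard for the model only; a real kernel would loop forever


def iptables_shows(mark: int) -> str:
    """Render a mark value the way iptables prints it (hex)."""
    return f"0x{mark:x}"


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    repeats: int = 0  # how many times NF_REPEAT sent it back to the chain head


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # RETURN, NFQUEUE, DROP, REJECT or MARK
    mark_value: int = 0  # only used by the MARK target


def pgld_verdict(pkt: Packet, blocklist: Set[str]) -> str:
    """pgld with MARKing enabled: set the mark, then ask for NF_REPEAT."""
    blocked = pkt.src in blocklist or pkt.dst in blocklist
    pkt.mark = MARK_BLOCK if blocked else MARK_ALLOW
    return "NF_REPEAT"


def run_chain(pkt: Packet, chain: List[Rule], blocklist: Set[str]) -> str:
    """Walk the chain; NF_REPEAT restarts at the head with the mark set."""
    while True:
        for rule in chain:
            if not rule.match(pkt):
                continue
            if rule.target == "NFQUEUE":
                if pgld_verdict(pkt, blocklist) == "NF_REPEAT":
                    pkt.repeats += 1
                    if pkt.repeats > MAX_REPEATS:
                        return "LOOP"       # mark collision: never terminates
                    break                   # back to the head of the chain
            elif rule.target == "MARK":
                pkt.mark = rule.mark_value  # MARK does not stop traversal
            else:
                return rule.target          # RETURN / DROP / REJECT terminate
        else:
            return "RETURN"  # fell off the end: the rest of iptables decides


def build_chain(whitelist: Set[str], reject_target: str = "DROP",
                foreign_mark_rule: bool = False) -> List[Rule]:
    """Chain in the spirit of the default described in the thread (constructed
    order, not pglcmd's actual rules): whitelist first, then already-marked
    packets, then everything else to pgld via NFQUEUE."""
    chain = [
        Rule(lambda p: p.src in whitelist or p.dst in whitelist, "RETURN"),
        Rule(lambda p: p.mark == MARK_ALLOW, "RETURN"),       # "marked allow" is ignored
        Rule(lambda p: p.mark == MARK_BLOCK, reject_target),  # "marked block"
        Rule(lambda p: True, "NFQUEUE"),                      # unmarked traffic to pgld
    ]
    if foreign_mark_rule:
        # Hypothetical rule of another application that overwrites every mark.
        chain.insert(0, Rule(lambda p: True, "MARK", mark_value=5))
    return chain


def verdict_for(src: str, dst: str, blocklist: Set[str], whitelist: Set[str],
                **chain_options) -> Tuple[str, Packet]:
    """Send one constructed packet through the chain; return verdict and packet."""
    pkt = Packet(src, dst)
    return run_chain(pkt, build_chain(whitelist, **chain_options), blocklist), pkt


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    blocklist, whitelist = {"203.0.113.7"}, {"192.0.2.10"}
    for src in ("203.0.113.7", "198.51.100.5", "192.0.2.10"):
        verdict, pkt = verdict_for(src, "10.0.0.1", blocklist, whitelist)
        print(f"{src:>14}: {verdict:6} mark={iptables_shows(pkt.mark)} repeats={pkt.repeats}")
    verdict, _ = verdict_for("198.51.100.5", "10.0.0.1", blocklist, whitelist,
                             foreign_mark_rule=True)
    print(f"with a foreign MARK rule: {verdict}")
```

The allowed case ends in RETURN with mark 0x14 and one repeat, which is the answer to the question: the packet goes back to iptables and the remaining rules decide. The whitelisted case never reaches pgld at all (mark stays 0, no repeat), and the blocked case ends in DROP (or REJECT when the chain is built with `reject_target="REJECT"`, as for outgoing traffic). With the foreign MARK rule switched on, the mark is overwritten on every pass and the model hits its repeat guard where a real kernel would simply keep going.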
  • sansduck
    2013-07-13

    Thank you :)