Casual technical question about /etc/services

Dagmar d'Surreal dagmar.wants at nospam.com
Tue Mar 23 16:49:54 PST 2004


Okay, something that's been bugging me for awhile I'm now going to ask
about outright, with some backstory to explain why I'm asking...

I'm just about done with the /etc/rc.d/init.d/functions-network script,
which is basically necessary because otherwise these init scripts are
going to become really unreadable once the modular iptables sections are
added (see attachments for examples).  I've built routines to simplify
"punching holes" in the firewall rules for incoming and outgoing
connections by service name (to make it even more readable) and it does
this by looking up the service name in /etc/services to find the port
number (and protocols) and now it's bugging me that I'd had to modify
the routine to accommodate instances of services which never, ever, to my
knowledge use both tcp and udp, and yet, _both_ are listed in
/etc/services.  Example: 

ident	113/tcp
auth	113/tcp
auth	113/udp

Now, I've never seen ident/auth spoken over UDP -- it reports on the state of
a TCP connection, and doing that over a stateless transport makes little
sense -- yet nearly all the entries in /etc/services are doubled up like this.
Does anyone know _why_ protocols that are never actually used get listed?

(By the way I am aware of the effects of running the same script to
start a daemon twice in a row.  I'm undecided about the solutions for
that I've thought up.)
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
-------------- next part --------------
log_info() {
	# Send a message to syslog (facility local3, priority info), tagged
	# "functions-network" so the firewall changes made by these helpers can be
	# picked out of the log.  Comment out the logger call to silence the trace.
	local tag=functions-network priority=local3.info
	logger -t "$tag" -p "$priority" "$@"
}

getaddr() {
	local interface=$1
	local variable=$2
  	line=`ip -4 addr show dev $interface | grep inet`
	if [ -z "$line" ]
	then
		unset $variable
		return
	fi
	local IFS=" /"
	set $line
	eval $variable="$2"
}

getcidr() {
	local interface=$1
	local variable=$2
	line=`ip -4 addr show dev $interface | grep inet`
	if [ -z "$line" ]
	then
		unset $variable
		return
	fi
	set $line
	eval $variable="$2"
}

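# Hole punching by service name.  Services are resolved through /etc/services,
# and since that file lists most of them for both tcp and udp, the protocol
# argument is mandatory: rules are only ever added for the protocol the caller
# named, never for every protocol the file happens to know about.
permit_outbound() {
  # Allow new outbound connections from interface $1 to service $2 over
  # protocol $3, plus the reply traffic belonging to them.  Logs a warning
  # and returns 1 (adding nothing) when the protocol is missing or the
  # service/protocol pair is not in /etc/services; also returns 1 when an
  # iptables call fails, so the caller can tell the hole was not punched.
  local interface=$1 service=$2 protocol=$3
  local entry port proto rule found=0 failed=0

  if [ -z "$protocol" ]; then
    log_info "permit_outbound: no protocol given for $service on $interface, nothing permitted"
    return 1
  fi

  # Hand the service name to awk with -v instead of splicing it into the
  # program text, so a name containing quotes cannot change the match.
  for entry in $(awk -v svc="$service" '$1 == svc { print $2 }' /etc/services); do
    port=${entry%%/*}
    proto=${entry#*/}
    [ "$proto" = "$protocol" ] || continue
    found=1
    for rule in \
      "OUTPUT -o $interface -p $proto --dport $port -m state --state NEW" \
      "OUTPUT -o $interface -p $proto --dport $port -m state --state ESTABLISHED,RELATED" \
      "INPUT -i $interface -p $proto --sport $port -m state --state ESTABLISHED,RELATED"; do
      # $rule is a deliberately space-separated argument list.  A failed -A
      # is not silenced: it means the firewall does not do what was asked.
      if iptables -A $rule -j ACCEPT; then
        log_info "iptables -A $rule -j ACCEPT"
      else
        log_info "FAILED: iptables -A $rule -j ACCEPT"
        failed=1
      fi
    done
  done

  if [ "$found" -eq 0 ]; then
    log_info "permit_outbound: $service/$protocol not found in /etc/services, nothing permitted"
    return 1
  fi
  [ "$failed" -eq 0 ]
}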

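permit_inbound() {
  # Allow new inbound connections on interface $1 to the local service $2 over
  # protocol $3, plus the reply traffic belonging to them.  Inbound traffic is
  # matched on its *destination* port: matching NEW packets on the source port
  # would accept any connection whose sender chose $port as its source port,
  # and the source port is under the remote end's control.  Logs a warning and
  # returns 1 (adding nothing) when the protocol is missing or the
  # service/protocol pair is not in /etc/services; also returns 1 when an
  # iptables call fails.
  local interface=$1 service=$2 protocol=$3
  local entry port proto rule found=0 failed=0

  if [ -z "$protocol" ]; then
    log_info "permit_inbound: no protocol given for $service on $interface, nothing permitted"
    return 1
  fi

  # -v keeps the service name out of the awk program text.
  for entry in $(awk -v svc="$service" '$1 == svc { print $2 }' /etc/services); do
    port=${entry%%/*}
    proto=${entry#*/}
    [ "$proto" = "$protocol" ] || continue
    found=1
    for rule in \
      "INPUT -i $interface -p $proto --dport $port -m state --state NEW" \
      "INPUT -i $interface -p $proto --dport $port -m state --state ESTABLISHED,RELATED" \
      "OUTPUT -o $interface -p $proto --sport $port -m state --state ESTABLISHED,RELATED"; do
      # $rule is a deliberately space-separated argument list.  A failed -A
      # is not silenced: it means the firewall does not do what was asked.
      if iptables -A $rule -j ACCEPT; then
        log_info "iptables -A $rule -j ACCEPT"
      else
        log_info "FAILED: iptables -A $rule -j ACCEPT"
        failed=1
      fi
    done
  done

  if [ "$found" -eq 0 ]; then
    log_info "permit_inbound: $service/$protocol not found in /etc/services, nothing permitted"
    return 1
  fi
  [ "$failed" -eq 0 ]
}

revoke_outbound() {
  # Remove the rules permit_outbound added for interface $1, service $2 and
  # protocol $3.  The rule text must mirror permit_outbound exactly, because
  # 'iptables -D' only deletes a rule that matches verbatim.  Returns 1 when
  # the protocol is missing or the service/protocol pair is unknown.
  local interface=$1 service=$2 protocol=$3
  local entry port proto rule found=0

  if [ -z "$protocol" ]; then
    log_info "revoke_outbound: no protocol given for $service on $interface, nothing revoked"
    return 1
  fi

  for entry in $(awk -v svc="$service" '$1 == svc { print $2 }' /etc/services); do
    port=${entry%%/*}
    proto=${entry#*/}
    [ "$proto" = "$protocol" ] || continue
    found=1
    for rule in \
      "OUTPUT -o $interface -p $proto --dport $port -m state --state NEW" \
      "OUTPUT -o $interface -p $proto --dport $port -m state --state ESTABLISHED,RELATED" \
      "INPUT -i $interface -p $proto --sport $port -m state --state ESTABLISHED,RELATED"; do
      # A rule that was never added (or was already removed) is not an error
      # when revoking, so iptables' complaint about it is silenced.
      iptables -D $rule -j ACCEPT 2>/dev/null
      log_info "iptables -D $rule -j ACCEPT"
    done
  done

  if [ "$found" -eq 0 ]; then
    log_info "revoke_outbound: $service/$protocol not found in /etc/services, nothing revoked"
    return 1
  fi
}

revoke_inbound() {
  # Remove the rules permit_inbound added for interface $1, service $2 and
  # protocol $3.  The rule text must mirror permit_inbound exactly, because
  # 'iptables -D' only deletes a rule that matches verbatim.  Returns 1 when
  # the protocol is missing or the service/protocol pair is unknown.
  local interface=$1 service=$2 protocol=$3
  local entry port proto rule found=0

  if [ -z "$protocol" ]; then
    log_info "revoke_inbound: no protocol given for $service on $interface, nothing revoked"
    return 1
  fi

  for entry in $(awk -v svc="$service" '$1 == svc { print $2 }' /etc/services); do
    port=${entry%%/*}
    proto=${entry#*/}
    [ "$proto" = "$protocol" ] || continue
    found=1
    for rule in \
      "INPUT -i $interface -p $proto --dport $port -m state --state NEW" \
      "INPUT -i $interface -p $proto --dport $port -m state --state ESTABLISHED,RELATED" \
      "OUTPUT -o $interface -p $proto --sport $port -m state --state ESTABLISHED,RELATED"; do
      # A rule that was never added (or was already removed) is not an error
      # when revoking, so iptables' complaint about it is silenced.
      iptables -D $rule -j ACCEPT 2>/dev/null
      log_info "iptables -D $rule -j ACCEPT"
    done
  done

  if [ "$found" -eq 0 ]; then
    log_info "revoke_inbound: $service/$protocol not found in /etc/services, nothing revoked"
    return 1
  fi
}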

exempt_group() {
  iptables -I OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT 2>/dev/null
  log_info "iptables -I OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT"
}

unexempt_group() {
  iptables -D OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT 2>/dev/null
  log_info "iptables -D OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT"
}





-------------- next part --------------
A non-text attachment was scrubbed...
Name: nessusd
Type: application/x-shellscript
Size: 1520 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20040323/e5af459c/attachment.bin>

