-1

I have a .NET 6 Web API application and I want to edit my iptables rule in hosted system. (the system that Web API run on it)

I have rule like below

-A INPUT -m tcp  --protocol tcp --source 2.2.2.2 --destination 1.1.1.1 --source-port 111 --destination-port 222 --jump DROP

I try this rule in iptables command in bash and work correctly, but when I try to create rule for this like below

IpTablesRule rule = IpTablesRule.Parse($"-A  INPUT  -m tcp--protocol tcp --source 2.2.2.2 --destination 1.1.1.1 --source-port 111 --destination-port 222 --jump DROP", null, chains);

and then try to add to system like below

ipTablesSystem = new IpTablesSystem(system: new LocalFactory(), tableAdapter: new IPTablesBinaryAdapter());
inputChain = ipTablesSystem.GetChain(table: Table.FILTER, chain: Chain.INPUT, ipVersion: (int)IpVersion.V4);
inputChain.AddRule(rule);

No any error rise on system or something like that, but after I try to see system rules with bash (cli) with iptables -L I do not see my rules

Why my rule does not exist in system? and how to resolve this problem?

Improve this question
6
  • 1
    Please don't create unrelated tags. There's no such thing as c#-iptables. This only creates noise Commented Aug 10, 2023 at 12:42
  • Besides, it would be very strange if a web application could make system modifications or worse, modify firewalls. That's what every hacker wishes. Web apps run under restricted accounts that typically can't even access folders outside the web site, much less open firewall ports Commented Aug 10, 2023 at 12:45
  • 1
    In any case, the source code shows that inputChain.AddRule adds an object to a collection, it doesn't execute iptables at all. The IPTablesLibAdapterClient.AddRule does. Don't rush to use it though without understanding what's going on because you could end up causing serious problems. Let the deployment script take care of network setup. Commented Aug 10, 2023 at 12:52
  • Above code does not publish yet on PR, I refer to project, for better explanation. many web base remote iptables project exist for example github.com/palner/iptables-api Commented Aug 10, 2023 at 12:59
  • 1
    Doesn't change the fact that web apps can't modify firewalls (just dare ask the machine's admin what you tried) and inputChain.AddRule doesn't execute anything. API doesn't mean "Web" or "Remote". Yes, there are a lot of libraries but they only work if the executing account has permission to make modifications. And web apps should never, ever have such permissions Commented Aug 10, 2023 at 13:05

1 Answer 1

Reset to default
1

This is for bad using of API, the correct way is like below

IpTablesRule rule = IpTablesRule.Parse($"-A  INPUT  -m tcp --protocol tcp --source 2.2.2.2 --destination 1.1.1.1 --source-port 111 --destination-port 222 --jump DROP", null, chains);

var ipTablesSystem = new IpTablesSystem(system: new LocalFactory(), tableAdapter: ipTablesAdapter);

IIPTablesAdapterClient table = ipTablesSystem.GetTableAdapter((int)IpVersion.V4);

table.AddRule(rule);

The note is, you must get table from IpTablesSystem and add or remove rulse from table.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.