Iptables - a Question About Security

Jul 29, 2015 09:15 PM

I have been studying Iptables for the best part of the day and have a question on the table 'security'.

'man iptables' reads:

This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets, methods implemented by SELinux and other security modules.

This table (or to-be rule) will take effect after the personal firewall filters have completed.

This is probably a long shot but, scenario:

The government heard that the Hacking Team may or may not have been selling their products to people they shouldn't, and employed us to investigate.

After tracking one of their safe houses down, we managed to compromise one of their systems and have successfully elevated our privileges to root (insert preferred methods). Now, this machine so happens to be regulating traffic for the business by implementing Iptables rules, and they have SELinux or other security modules installed, allowing the security table to be used in our attack. We also know they're connected via eth0.

sudo iptables -t security -I INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

sudo iptables -t security -I INPUT -i eth0 -p udp --dport 80 -j ACCEPT

-t security = selecting the security table. Could be nat, mangle, raw...

-I = add this rule to the start of the current filters

INPUT = the chain; alter packets coming into the box itself

-i = Interface

-p = protocol

--dport = Destination port 80 (Clear text protocol)

-j = Action

Chances are this will bottleneck the server if left running, which is where we could implement something like

-m time --timestart 23:00 --timestop 04:00

-m = module

--timestart = time the rule will start

--timestop = time the rule will stop

This would be beneficial, because after performing reconnaissance we know most have left the building by 10, and the only people on the network that late are the ones we are performing the attack against.

--

If I have it right, would this mean that, even for a second, ALL TCP and UDP traffic will be passed through in clear text every night between those hours, meaning we could have Wireshark filter for that IP, grab any credentials (SSH, HTTPS), and get the evidence we need to prove the innocence/guilt of the individual?

Any intrusion detection system they have implemented shouldn't suspect any information being transmitted on port 80.

sudo iptables -t security -D INPUT 1

sudo iptables -t security -D INPUT 1   # rule numbers shift down after a delete, so the old rule 2 is now rule 1

to delete the firewall rules we set up earlier. All that is left is to clear our tracks and hand over the evidence.

---

Am I sort of on the right lines, or will the suite encrypt the traffic before it reaches this server? I'm not really understanding the concept or purpose of the security table, but here's one possible attack vector(?). From a sysadmin side, could we disable this table in configuration, or fully prevent new rules being added until a certain event has happened?

A Perl iptables monitor I came across today. I have pseudo-coded most of it, but one line

$output{$type} =~ s/ pkts^\n}\n(\n|Zeroing)/$1/gs;

is bothering me, anyone mind helping me out?
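The following is an added example, not code from the post above or from the monitor it mentions. It parses an iptables-save dump and walks the INPUT hook in the order netfilter consults the tables (mangle, nat, filter, security, by hook priority), then runs the sysadmin-side check the post asks about. The dump, the packet dicts and the helper names are assumptions made for illustration; only the table order is netfilter's own. The point it makes is the caveat a practitioner would raise against the plan: the security table runs after filter, so an ACCEPT there is never consulted for a packet filter already dropped, and no firewall verdict changes whether an SSH or HTTPS payload is encrypted. The audit flags anything in the security table that is not a SECMARK/CONNSECMARK rule, or that carries a time window.

```python
"""Added example: parse an iptables-save dump, walk the INPUT hook in
netfilter's table order, and audit the security table.  Not from the post."""
from collections import defaultdict

# Tables consulted on the INPUT hook, in hook-priority order
# (mangle -150, nat -100, filter 0, security 50).  security runs last.
INPUT_TABLE_ORDER = ("mangle", "nat", "filter", "security")

# Constructed sample dump (assumption): default-DROP filter/INPUT that only
# admits SSH and established flows, plus the two rules from the post,
# written the way iptables-save prints them.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 80 -m time --timestart 23:00:00 --timestop 04:00:00 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m time --timestart 23:00:00 --timestop 04:00:00 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return (policies, rules).  policies[table][chain] is the chain policy;
    rules is a list of dicts {table, chain, opts, modules, target} in order."""
    policies, rules, table = defaultdict(dict), [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split(" ", 2)
            policies[table][chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            rule = {"table": table, "chain": toks[1], "opts": {}, "modules": []}
            i = 2
            while i < len(toks):  # every option in the sample takes one value
                if toks[i] == "-m":
                    rule["modules"].append(toks[i + 1])
                else:
                    rule["opts"][toks[i]] = toks[i + 1]
                i += 2
            rule["target"] = rule["opts"].pop("-j", None)
            rules.append(rule)
    return policies, rules


def _in_time_window(t, start, stop):
    """HH:MM:SS strings; start > stop means the window crosses midnight."""
    return start <= t < stop if start <= stop else (t >= start or t < stop)


def rule_matches(rule, pkt):
    """Minimal matcher for the options used in the sample.  A packet is a
    dict with iface, proto, dport, ctstate and time (assumption)."""
    o, mods = rule["opts"], rule["modules"]
    for opt, key in (("-i", "iface"), ("-p", "proto"), ("--dport", "dport")):
        if opt in o and str(pkt.get(key)) != o[opt]:
            return False
    if "conntrack" in mods and pkt.get("ctstate") not in o["--ctstate"].split(","):
        return False
    if "time" in mods and not _in_time_window(pkt["time"], o["--timestart"], o["--timestop"]):
        return False
    return True


def chain_verdict(policies, rules, table, chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r["table"] == table and r["chain"] == chain and rule_matches(r, pkt):
            return r["target"]
    return policies[table].get(chain, "ACCEPT")


def input_verdict(policies, rules, pkt):
    """Walk the INPUT hook table by table.  ACCEPT only ends the current
    table's chain; a DROP/REJECT in any table is final, so security never
    sees a packet that filter already dropped."""
    for table in INPUT_TABLE_ORDER:
        if table in policies:
            v = chain_verdict(policies, rules, table, "INPUT", pkt)
            if v in ("DROP", "REJECT"):
                return v, table
    return "ACCEPT", None


def audit_security_table(rules):
    """Sysadmin-side check: a security-table rule that is not SECMARK or
    CONNSECMARK, or that carries a time window, does not belong there."""
    findings = []
    for r in rules:
        if r["table"] != "security":
            continue
        if r["target"] not in ("SECMARK", "CONNSECMARK"):
            findings.append(("non-MAC target in security table", r))
        if "time" in r["modules"]:
            findings.append(("time-window rule in security table", r))
    return findings


if __name__ == "__main__":
    pol, rules = parse_iptables_save(SAMPLE_DUMP)
    web = {"iface": "eth0", "proto": "tcp", "dport": 80, "ctstate": "NEW", "time": "23:30:00"}
    print("security/INPUT alone:", chain_verdict(pol, rules, "security", "INPUT", web))
    print("whole INPUT hook:", input_verdict(pol, rules, web))
    for why, r in audit_security_table(rules):
        print(why, "->", r["chain"], r["opts"], r["target"])
```

Run against the sample, the security chain on its own accepts the port 80 packet inside the time window, but the whole hook still reports DROP from filter, because filter's policy already decided before security was consulted. The audit returns four findings for the two inserted rules. On a real host the same check can be run on the output of `iptables-save` instead of the embedded sample.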
