#1
15th August 2006, 00:57
punto (Member)
Firewall ACLs

Hi, I have installed ISPConfig and must say I think it is a fantastic application; thank you so much to the developers.

I was wondering if it is possible to configure the ISPConfig firewall so that you can limit SSH access to certain IP addresses?

With my other Linux server I have an explicit REJECT in /etc/sysconfig/iptables for port 22 and then just add an ACCEPT for the source IP addresses I want to accept, and it works well.

-A RH-Firewall-1-INPUT -p tcp -m tcp -s 172.16.8.35 --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j REJECT


Where is the script or config file for the ISPConfig firewall? Can I manually edit the script without breaking anything? I don't like having SSH access open to anyone.

Thanks in advance

Matt.
#2
15th August 2006, 08:37
till (Super Moderator, Lüneburg, Germany)

The script is:

/etc/Bastille/bastille-firewall.cfg

You will have to change the master file too:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then run:

/etc/init.d/bastille-firewall restart
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
15th August 2006, 12:14
punto (Member)

Great, thanks Till.

Regards

Matt
#4
22nd August 2006, 14:26
punto (Member)

Quote:
Originally Posted by till
The script is:

/etc/Bastille/bastille-firewall.cfg

You will have to change the master file too:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then run:

/etc/init.d/bastille-firewall restart
I found that I wasn't able to add ACLs directly to the bastille-firewall.cfg script.

After doing some reading, here is my how-to; hopefully others will find it useful:

In this case I want to restrict SSH access to only one IP address (you can configure it for any number depending on your needs).

In order to restrict access to certain source IPs for certain protocols using the Bastille firewall setup, you first need to create a new directory under /etc/Bastille. This directory needs to be called firewall.d.

#cd /etc/Bastille
#mkdir firewall.d


You then need to create a new file within the newly created directory called post-rule-setup.sh

#cd firewall.d
#vi post-rule-setup.sh


This is the file where any iptables rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of iptables is required, but once you get the hang of it, it is easy enough.
So in my case I want to allow SSH access only to 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this:

/sbin/iptables -I INPUT -p tcp -m tcp -s 123.34.56.789 --dport 22 --syn -j ACCEPT
# -I with no position inserts at the TOP of the chain, so a second plain -I
# would land above the ACCEPT and reject everyone, including 123.34.56.789.
# Giving the REJECT position 2 places it directly below the ACCEPT.
/sbin/iptables -I INPUT 2 -p tcp -m tcp --dport 22 --syn -j REJECT


The first line accepts SSH (TCP port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match (in this case 123.34.56.789), then all traffic bound for port 22 will be denied.

OK, now we have our rule, we need to restart bastille.cfg:

#/etc/init.d/bastille-firewall restart

A successfully read script will yield the following

Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done


The last line is the one we are interested in. If your iptables rules are not understood or are written incorrectly, then you will get the following output when you restart bastille.cfg:

Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules..../post-rule-setup.sh: line 5: -I: command not found
done


You will need to go back into your post-rule-setup.sh and modify it.

You can specify a subnet simply by using, for example, 192.168.0.0/24 notation in your rule set.

Cheers

Matt
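The how-to above generalised to a list of allowed hosts, as an added example that is not part of the original post and not ISPConfig's or Bastille's own code. It addresses the one trap in hand-written `-I` rules: two plain `-I INPUT` lines stack the second rule above the first, so a catch-all REJECT inserted after the ACCEPT rejects everything, including your own address. The generator below gives every rule an explicit position, installs the ACCEPTs before the REJECT so a failure part-way through can never leave a bare REJECT, and refuses to run with an empty allow list. Assumptions (mine, not the thread's): the variable and function names `SSH_ALLOW`, `SSH_PORT`, `IPT`, `ssh_acl_rules` and `apply_ssh_acl` are invented here, the addresses are RFC 5737 documentation ranges standing in for real hosts, and Bastille runs or sources this file with `/sbin/iptables` available.

```shell
#!/bin/sh
# /etc/Bastille/firewall.d/post-rule-setup.sh  (added example, not from the thread)
# Restrict SSH to a list of source hosts/networks and reject everyone else,
# in an order that cannot lock you out half-way through.

SSH_ALLOW="${SSH_ALLOW:-203.0.113.5 198.51.100.0/24}"   # assumed placeholder hosts/nets
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-/sbin/iptables}"                             # set IPT=echo for a dry run

# Print the iptables commands, one per line, in the order they must run.
# ACCEPT number k goes to position k; the REJECT goes directly below the
# last ACCEPT. Plain "-I INPUT" twice would put the later rule ABOVE the
# earlier one, which is how an ACCEPT ends up shadowed by its own REJECT.
ssh_acl_rules() {
    n=0
    for src in $SSH_ALLOW; do
        n=$((n + 1))
        echo "$IPT -I INPUT $n -p tcp -s $src --dport $SSH_PORT --syn -j ACCEPT"
    done
    if [ "$n" -eq 0 ]; then
        # An empty allow list plus a REJECT means nobody can log in: refuse.
        echo "ssh_acl_rules: SSH_ALLOW is empty, refusing to install a lock-out" >&2
        return 1
    fi
    echo "$IPT -I INPUT $((n + 1)) -p tcp --dport $SSH_PORT --syn -j REJECT"
}

# Run the generated commands and stop at the first failure. Because the
# ACCEPTs are installed first, a failure leaves extra ACCEPTs at worst,
# never a REJECT without its ACCEPTs.
apply_ssh_acl() {
    rules=$(ssh_acl_rules) || return 1
    old_ifs=$IFS
    IFS='
'
    for cmd in $rules; do
        IFS=$old_ifs              # split each command on spaces again
        $cmd || { echo "post-rule-setup.sh: failed: $cmd" >&2; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Apply when the firewall binary is present (i.e. on the real host); elsewhere
# just report, so the functions can be loaded and inspected without side effects.
if [ -x "$IPT" ]; then
    apply_ssh_acl || echo "post-rule-setup.sh: SSH ACL not fully applied, check the messages above" >&2
else
    echo "post-rule-setup.sh: $IPT not found, nothing applied" >&2
fi
```

Before restarting the firewall with this in place, keep your current SSH session open and, from a second terminal, confirm the order with `iptables -L INPUT -n --line-numbers`: the ACCEPT lines for your addresses must appear above the port 22 REJECT. Only then test a fresh login from an allowed and from a non-allowed address.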
#5
23rd August 2006, 15:19
falko (Super Moderator, Lüneburg, Germany)

That's a great solution.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#6
25th August 2006, 13:48
tijn_tux (Member)
Works great! :D

Thanks for the mini-howto! Works perfectly!
#7
8th September 2006, 23:54
punto (Member)

Glad you found it useful
#8
13th October 2006, 15:25
rdutton (Junior Member)

Thanks punto for your explanation.

Just something extra in case people come across the same problem I did.

In addition to the file "post-rule-setup.sh" you can also add a file called "pre-chain-split.sh" in the same directory. Any commands you put in "pre-chain-split.sh" will be executed BEFORE the standard firewall rules.

This is useful when you want to allow packets through which are normally dropped due to preceding firewall rules.

e.g. I added rules to allow samba just for my home IP address:

iptables -A INPUT  -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A INPUT  -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
# Replies leave through OUTPUT with the remote host as the destination and the
# Samba ports as the *source* ports, so the OUTPUT rules match on -d and
# --source-ports (an OUTPUT rule with -s [OK_REMOTE_IP] would never match).
iptables -A OUTPUT -d [OK_REMOTE_IP] -p udp -m multiport --source-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -d [OK_REMOTE_IP] -p tcp -m multiport --source-ports 445,135,136,137,138,139 -j ACCEPT

There are 4 rules to account for the variations of UDP/TCP and INPUT/OUTPUT chains.

The iptables commands explained:
-A Which chain to append the rule to
-s The source address(es)
-p protocol (udp/tcp for samba)
-m Modules to load (in this case multiport)
--destination-ports The parameter to the multiport module specifying the samba ports.
-j Jump to another chain. In this case ACCEPT
#9
23rd November 2006, 09:53
IKShadow (Member, Slovenia)

Strange, it does not work on my Linux box.


I made the following rules:

Code:
/sbin/iptables -I INPUT -p tcp -m tcp -s 213.143.90.139 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
213.143.90.139 is the PC from which I want to access my Linux box.
(Later on I would copy/paste the first line for a few other IPs.)

When I restart the firewall everything seems OK:

Code:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
But after that I can't SSH to my Linux box.
__________________
SUSE 11.3 (perfect install)
ISPConfig 3.0.3.2
#10
24th November 2006, 15:35
falko (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by IKShadow
213.143.90.139 is the PC from which I want to access my Linux box.
(Later on I would copy/paste the first line for a few other IPs.)
Are both systems in the same local network?