Firewall ACLs

Discussion in 'Tips/Tricks/Mods' started by punto, Aug 15, 2006.

  1. punto

    punto New Member

    Hi, I have installed ISPConfig and must say I think it is a fantastic application :), thank you so much to the developers.

    I was wondering if it is possible to configure the ISPconfig firewall so that you can limit ssh access to certain IP addresses?

    With my other linux server I have an explicit REJECT in /etc/sysconfig/iptables for port 22 and then just add an ACCEPT in for the source IP addresses I want to accept and it works well.

    -A RH-Firewall-1-INPUT -p tcp -m tcp -s 172.16.8.35 --dport 22 --syn -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j REJECT


    Where is the script or config file for the ISPConfig firewall? Can I manually edit the script without breaking anything? I don't like having ssh access open to anyone.

    Thanks in advance

    Matt.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The script is:

    /etc/Bastille/bastille-firewall.cfg

    You will have to change the master file too:

    /root/ispconfig/isp/conf/bastille-firewall.cfg.master

    Then run:

    /etc/init.d/bastille-firewall restart
     
  3. punto

    punto New Member

    Great, thanks Till.

    Regards

    Matt
     
  4. punto

    punto New Member

    I found that I wasn't able to add ACLs directly to the bastille-firewall.cfg script.

    After doing some reading, here is my how-to and hopefully others will find it useful:

    In this case I want to restrict ssh access to only one IP address (you can configure it for any number depending on your needs).

    In order to restrict access to certain source IPs for certain protocols using the Bastille-firewall setup, you first need to create a new directory under /etc/Bastille. This directory needs to be called firewall.d

    #cd /etc/Bastille
    #mkdir firewall.d


    You then need to create a new file within the newly created directory called post-rule-setup.sh

    #cd firewall.d
    #vi post-rule-setup.sh


    This is the file where any IPTABLES rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of IPTABLES is required but once you get the hang of it, it is easy enough.
    So in my case I want to allow ssh access to only 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this:

    /sbin/iptables -I INPUT -p tcp -m tcp -s 123.34.56.789 --dport 22 --syn -j ACCEPT
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT


    The first line accepts ssh (tcp port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match (in this case 123.34.56.789), then all traffic bound for port 22 will be denied.

    Ok, now we have our rule, we need to restart bastille.cfg

    #/etc/init.d/bastille-firewall restart

    A successfully read script will yield the following:

    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done


    The last line is the one we are interested in. If your IPTABLES rules are not understood or are written incorrectly, then you will get the following output when you restart bastille.cfg:

    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules..../post-rule-setup.sh: line 5: -I: command not found
    done


    You will need to go back into your post-rule-setup.sh and modify it.

    You can specify a subnet simply by using, for example, 192.168.0.0/24 notation in your rule set.

    Cheers

    Matt
     
  5. falko

    falko Super Moderator ISPConfig Developer

    That's a great solution. :)
     
  6. tijn_tux

    tijn_tux New Member

    Works great ! :D

    Thanks for the mini-howto! Works perfectly! :D
     
  7. punto

    punto New Member

    Glad you found it useful :)
     
  8. rdutton

    rdutton New Member

    Thanks punto for your explanation.

    Just something extra in case people come across the same problem I did..

    In addition to the file "post-rule-setup.sh" you can also add a file called "pre-chain-split.sh" in the same directory. Any commands you put in "pre-chain-split.sh" will be executed BEFORE the standard firewall rules.

    This is useful when you want to allow packets through which are normally dropped due to preceding firewall rules.

    e.g. I added rules to allow samba just for my home IP address:

    iptables -A INPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A INPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A OUTPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
    iptables -A OUTPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT

    There are 4 rules to account for the variations of UDP/TCP and INPUT/OUTPUT chains.

    The iptables commands explained:
    -A Which chain to append the rule to
    -s The source address(es)
    -p protocol (udp/tcp for samba)
    -m Modules to load (in this case multiport)
    --destination-ports The parameter to the multiport module specifying the samba ports.
    -j Jump to another chain. In this case ACCEPT
     
  9. IKShadow

    IKShadow New Member

    Strange, it does not work on my Linux box :(


    I made the following rule:

    Code:
    /sbin/iptables -I INPUT -p tcp -m tcp -s 213.143.90.139 --dport 22 --syn -j ACCEPT
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
    213.143.90.139 is the PC from which I want to access my Linux box.
    (Later on I would copy/paste the first line for a few other IPs.)

    When I restart firewall everything seems ok:

    Code:
    krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done.
    But after that I can't SSH to my Linux box.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Are both systems in the same local network?
     
  11. IKShadow

    IKShadow New Member

    Actually, it's a bit complicated.

    Yes they are, but some special VLANs were made etc...

    However, if I check last -i:

    admin pts/0 213.143.90.139 Mon Nov 20 19:27 - 20:26 (00:59)

    So I am logged in from IP 213.143.90.139.
    My server is on 212.72.115.185

    I hope I can solve this somehow.
    I also tried to allow one IP from a remote location, but it also does not work.

    Code:
    krneki:/etc/Bastille/firewall.d # vi post-rule-setup.sh
    krneki:/etc/Bastille/firewall.d # ll
    total 4
    -rw-r--r-- 1 root root 150 2006-11-24 17:12 post-rule-setup.sh
    krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done.
    krneki:/etc/Bastille/firewall.d #
     
    Last edited: Nov 24, 2006
  12. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    iptables -L
    ?
     
  13. IKShadow

    IKShadow New Member

    rule disabled:
    Code:
    krneki:/ # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             loopback/8
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PAROLE (11 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
    DROP       icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    rule enabled:

    Code:
    krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
    Setting up IP spoofing protection... done.
    Allowing traffic from trusted interfaces... done.
    Setting up chains for public/internal interface traffic... done.
    Setting up general rules... done.
    Setting up outbound rules... done.
    krneki:/etc/Bastille/firewall.d # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    ACCEPT     tcp  --  89.212.94.160        anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
    DROP       tcp  --  anywhere             loopback/8
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    PUB_OUT    all  --  anywhere             anywhere
    
    Chain INT_IN (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain INT_OUT (0 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PAROLE (11 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain PUB_IN (4 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
    PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
    DROP       icmp --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    Chain PUB_OUT (4 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
     
  14. falko

    falko Super Moderator ISPConfig Developer

    Why does it say 89.212.94.160? :confused:
     
  15. IKShadow

    IKShadow New Member

    That was the IP of the remote PC I am trying to add to the allow list.
    (Currently I am at home and trying to connect to it.)

    But it does not allow me to connect.
     
  16. falko

    falko Super Moderator ISPConfig Developer

    Please switch off the firewall, then try to connect to the system and have a look at /var/log/auth.log at the same time. Is the IP address of the system that you're connecting from logged correctly? Or is a different IP address logged (maybe due to NATting)?
     
  17. IKShadow

    IKShadow New Member

    Can't find auth.log anywhere

    Code:
    krneki:/var/log # ll
    total 35508
    -rw-r----- 1 root   root     5262 2006-11-24 16:04 acpid
    drwxr-x--- 2 root   root     4096 2006-11-26 22:01 apache2
    -rw-r----- 1 root   root        0 2006-11-15 21:50 boot.log
    -rw-r--r-- 1 root   root    32252 2006-11-24 16:04 boot.msg
    -rw-r--r-- 1 root   root    35654 2006-11-24 16:02 boot.omsg
    drwxr-xr-x 2 wwwrun root     4096 2006-11-26 22:01 cacti
    -rw------- 1 root   root   288168 2006-11-20 21:44 faillog
    drwxr-xr-x 2 root   root     4096 2006-11-27 00:30 httpd
    -rw-r--r-- 1 root   root    18799 2006-11-23 18:28 ispconfig_install.log
    drwx------ 2 root   root     4096 2006-05-02 09:03 krb5
    -rw-r--r-- 1 root   tty   3506044 2006-11-27 18:29 lastlog
    -rw-r----- 1 root   root     4220 2006-11-21 18:34 localmessages
    -rw-r----- 1 root   root  2913193 2006-11-27 18:29 mail
    -rw-r----- 1 root   root      146 2006-11-24 16:04 mail.err
    -rw-r----- 1 root   root  3211790 2006-11-27 18:29 mail.info
    -rw-r----- 1 root   root   299694 2006-11-26 22:01 mail.info-20061126.bz2
    -rw-r--r-- 1 root   root 11936823 2006-11-26 23:59 mail.ispconfigsave
    -rw-r----- 1 root   root      613 2006-11-26 21:48 mail.warn
    -rw-r----- 1 root   root   854429 2006-11-27 18:30 messages
    lrwxrwxrwx 1 root   root       23 2006-11-15 22:19 mysqld.log -> ../lib/mysql/mysqld.log
    drwxr-x--- 2 news   news     4096 2006-11-15 21:27 news
    -rw-r--r-- 1 root   root     5418 2006-11-24 16:08 ntp
    -rw-r--r-- 1 root   root    11760 2006-11-24 17:48 scpm
    -rw-r----- 1 root   root   136511 2006-11-27 16:34 warn
    -rw-rw-r-- 1 root   tty     61440 2006-11-27 18:29 wtmp
    -rw-rw-r-- 1 root   tty      9504 2006-11-17 22:00 wtmp-20061117.bz2
    -rw-rw-r-- 1 root   tty     10888 2006-11-25 22:00 wtmp-20061125.bz2
    -rw-r--r-- 1 root   root   566138 2006-11-27 18:29 xferlog
    -rw-r--r-- 1 root   root 14558779 2006-11-26 23:59 xferlog.ispconfigsave
    drwx------ 3 root   root     4096 2006-11-24 18:11 YaST2
    -rw-r----- 1 root   root   373772 2006-11-27 15:36 zmd-backend.log
    -rw-r----- 1 root   root   132397 2006-11-15 22:00 zmd-backend.log-20061115.bz2
    -rw-r----- 1 root   root   356771 2006-11-16 22:00 zmd-backend.log-20061116.bz2
    -rw-r----- 1 root   root   155100 2006-11-17 22:00 zmd-backend.log-20061117.bz2
    -rw-r----- 1 root   root    47752 2006-11-20 22:00 zmd-backend.log-20061120.bz2
    -rw-r----- 1 root   root    76112 2006-11-22 22:00 zmd-backend.log-20061122.bz2
    -rw-r----- 1 root   root    68516 2006-11-23 22:00 zmd-backend.log-20061123.bz2
    -rw-r----- 1 root   root    55366 2006-11-26 22:01 zmd-backend.log-20061126.bz2
    -rw-r--r-- 1 root   root     2510 2006-11-27 16:34 zmd-messages.log
    -rw------- 1 root   root    16523 2006-11-15 23:12 zmd-messages.log.2006-11-15
    -rw------- 1 root   root    83036 2006-11-16 18:50 zmd-messages.log.2006-11-16
    -rw------- 1 root   root    17748 2006-11-17 22:22 zmd-messages.log.2006-11-17
    -rw------- 1 root   root     2502 2006-11-18 18:44 zmd-messages.log.2006-11-18
    -rw------- 1 root   root     2433 2006-11-19 18:34 zmd-messages.log.2006-11-19
    -rw------- 1 root   root     2510 2006-11-20 18:24 zmd-messages.log.2006-11-20
    -rw------- 1 root   root     2502 2006-11-21 10:00 zmd-messages.log.2006-11-21
    -rw------- 1 root   root     7387 2006-11-22 23:59 zmd-messages.log.2006-11-22
    -rw------- 1 root   root     8499 2006-11-23 19:37 zmd-messages.log.2006-11-23
    -rw------- 1 root   root     2502 2006-11-24 17:04 zmd-messages.log.2006-11-24
    -rw------- 1 root   root     2826 2006-11-25 16:54 zmd-messages.log.2006-11-25
    -rw------- 1 root   root     2510 2006-11-26 16:44 zmd-messages.log.2006-11-26
    However, in last I can see my IP:

    Code:
    admin    pts/0        195.95.158.246   Mon Nov 27 18:29   still logged in
    
    Code:
    krneki:/var/log # vi /etc/Bastille/firewall.d/post-rule-setup.sh
    /sbin/iptables -I INPUT -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
    /sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
     
    Last edited: Nov 27, 2006
  18. falko

    falko Super Moderator ISPConfig Developer

    Then use 195.95.158.246 in your firewall rules and test if you can connect then.
     
  19. smartcall

    smartcall ISPConfig Developer ISPConfig Developer

    Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule.
    And the way you make it work is:
    the post-rule-setup.sh is applied from last-to-first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
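The ordering problem smartcall describes, and the rules from punto's how-to and rdutton's samba note, can be checked without touching a live firewall. The following is an added example, not code from the thread or from Bastille/ISPConfig: a small Python model of first-match evaluation for one iptables chain. It handles only the options used in this thread (-I/-A, -s with optional CIDR, -p, -m tcp/multiport, --dport, --destination-ports, --syn, -j) and ignores the real firewall's PUB_IN/PAROLE sub-chains. The addresses are constructed from the RFC 5737 documentation ranges, because the how-to's placeholder 123.34.56.789 is not a valid IPv4 address (an octet cannot exceed 255) and would be rejected by iptables as well as by this parser.

```python
"""Toy model of iptables first-match evaluation (constructed example).

Shows why two `-I INPUT` lines in post-rule-setup.sh must be written
REJECT first, then ACCEPT: each -I prepends, so the LAST line executed
ends up at the TOP of the chain.
"""
import ipaddress
import shlex

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


def parse_rule(line):
    """Parse one iptables command into (mode, chain, match-dict)."""
    argv = shlex.split(line)
    if argv and argv[0].endswith("iptables"):      # drop "/sbin/iptables" or "iptables"
        argv = argv[1:]
    rule = {"src": None, "proto": None, "dports": None, "syn": False, "target": None}
    mode = chain = None
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in ("-I", "-A"):
            mode, chain = opt, argv[i + 1]; i += 2
        elif opt == "-s":                          # host or CIDR subnet, e.g. 192.0.2.0/24
            rule["src"] = ipaddress.ip_network(argv[i + 1], strict=False); i += 2
        elif opt == "-p":
            rule["proto"] = argv[i + 1]; i += 2
        elif opt == "-m":                          # "-m tcp" / "-m multiport": no match effect here
            i += 2
        elif opt in ("--dport", "--destination-ports"):
            rule["dports"] = {int(p) for p in argv[i + 1].split(",")}; i += 2
        elif opt == "--syn":
            rule["syn"] = True; i += 1
        elif opt == "-j":
            rule["target"] = argv[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    if mode is None or rule["target"] is None:
        raise ValueError(f"rule needs -I/-A and -j: {line}")
    return mode, chain, rule


def build_chains(script_lines):
    """Apply lines in script order: -I inserts at the top, -A appends at the bottom."""
    chains = {}
    for line in script_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mode, chain, rule = parse_rule(line)
        lst = chains.setdefault(chain, [])
        lst.insert(0, rule) if mode == "-I" else lst.append(rule)
    return chains


def matches(rule, pkt):
    """Every criterion present on the rule must hold for the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dports"] is not None and pkt["dport"] not in rule["dports"]:
        return False
    if rule["syn"] and not pkt.get("syn", False):
        return False
    return True


def verdict(chains, chain, pkt, policy=DROP):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed scripts. SHADOWED is the how-to's order (ACCEPT line first): the
# REJECT is inserted last, lands on top, and blocks everyone. FIXED is the order
# smartcall recommends: REJECT first, so the ACCEPT lines end up above it.
SHADOWED = [
    "/sbin/iptables -I INPUT -p tcp -m tcp -s 198.51.100.7 --dport 22 --syn -j ACCEPT",
    "/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT",
]
FIXED = [
    "/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT",
    "/sbin/iptables -I INPUT -p tcp -m tcp -s 198.51.100.7 --dport 22 --syn -j ACCEPT",
    "/sbin/iptables -I INPUT -p tcp -m tcp -s 192.0.2.0/24 --dport 22 --syn -j ACCEPT",
]
# rdutton-style samba rules use -A, so script order equals chain order.
SAMBA = [
    "iptables -A INPUT -s 198.51.100.7 -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT",
    "iptables -A INPUT -s 198.51.100.7 -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT",
]
SSH_FROM_ALLOWED = {"src": "198.51.100.7", "proto": "tcp", "dport": 22, "syn": True}
SSH_FROM_SUBNET = {"src": "192.0.2.44", "proto": "tcp", "dport": 22, "syn": True}
SSH_FROM_OTHER = {"src": "203.0.113.9", "proto": "tcp", "dport": 22, "syn": True}


def ssh_verdicts(script_lines):
    """Verdicts for (allowed host, allowed subnet, anyone else) on tcp/22."""
    chains = build_chains(script_lines)
    return tuple(verdict(chains, "INPUT", p)
                 for p in (SSH_FROM_ALLOWED, SSH_FROM_SUBNET, SSH_FROM_OTHER))


def samba_verdicts():
    """tcp/445 from the allowed host vs. from another address (policy DROP)."""
    chains = build_chains(SAMBA)
    return (verdict(chains, "INPUT", {"src": "198.51.100.7", "proto": "tcp", "dport": 445}),
            verdict(chains, "INPUT", {"src": "203.0.113.9", "proto": "tcp", "dport": 445}))
```

Running `ssh_verdicts(SHADOWED)` gives REJECT for all three sources, which matches the iptables -L output posted above where the REJECT line sits above the ACCEPT line; `ssh_verdicts(FIXED)` gives ACCEPT, ACCEPT, REJECT. The same check is worth repeating on a real box with `iptables -L INPUT -n --line-numbers` after each restart, since the model only reproduces the ordering rule, not the rest of Bastille's chain layout.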
     
  20. IKShadow

    IKShadow New Member

    Yep, that did help :)

    Thanks
     