Jeff Abrahamson on 20 Apr 2005 14:51:54 -0000


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] iptables


I have an iptables script that's giving me trouble.  I'm hoping
someone here can point me in the right direction.  I've attached the
script for general feedback, but here are the two (current) problems:

1. I tried to say

     $IPTABLES -A INPUT -p udp,tcp --dport 123 -src $source -j ACCEPT

   but was obliged to change that to this to be understood:

     $IPTABLES -A INPUT -p udp --dport 123 -src $source -j ACCEPT
     $IPTABLES -A INPUT -p tcp --dport 123 -src $source -j ACCEPT

   And then I still get errors:

       + /sbin/iptables -A INPUT -p udp --dport 123 -src admin.math.drexel.edu -j ACCEPT^M
     Bad argument `admin.math.drexel.edu'^M
     Try `iptables -h' or 'iptables --help' for more information.^M


2. My ssh session's X forwarding is blocked.  Oops.


Note that I haven't even set policy to deny...

Thanks in advance for any help or suggestions.

-- 
 Jeff

 Jeff Abrahamson  <http://www.purple.com/jeff/>    +1 215/837-2287
 GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B
#!/bin/bash

# This script was written by Jeff Abrahamson <jeffa@cs.drexel.edu in
# Januar 2005.  Some examples were inspired by a 2-April-2001 post the
# PLUG list by Darxus@ChaosReigns.com.

# This script is intended to permit ssh connections from the following
# addresses only, all in cs.drexel.edu:

#     mst
#     ramsey
#     krypton
#     graph
#
#     tux (many machines)
#     queen
#
#     Jeff at home: puddle.purple.com
#     the subnets used by Fatih, Trip, and Ali to log in from home
#     (to do)

# Note that we do not accept ssh connections *from* karma, as this
# should not happen in normal usage.


IPTABLES=/sbin/iptables

######################################################################
#### For debugging ####
# If we mess up, clean up
( sleep 20; $IPTABLES -F )

# If we really mess up, reboot.  User should cancel this with shutdown -c
( sleep 150; /sbin/shutdown -r +3 )

######################################################################

this_host=`hostname | awk -F. '{print $1}'`


# Lab workstations
lab_ws="mst.cs.drexel.edu ramsey.cs.drexel.edu krypton.cs.drexel.edu graph.cs.drexel.edu"
# Lab machines
lab="$lab_ws karma.cs.drexel.edu"

# The machines in the tux cluster.  This list may be updated by running
# x=`ssh username@tux.cs.drexel.edu gnames tux`; echo $x; unset x
# This can't be done by root, however.
tuxes="ws38 ws43 ws44 ws45 ws46 ws47 ws48 ws49 ws50 ws51 ws55 ws56 ws57 ws64 \
       ws65 ws69 ws70 ws71 ws75 ws76 ws77 ws78 ws79 ws80 ws81 ws82 \
       tweedledum tweedledee"
tuxes=`echo $tuxes | perl -pwe 's/(\S+)/$1.cs.drexel.edu/g;'`

# Home IP's (and IP ranges) of AAL folks
#  puddle is Jeff
#  141.158.0.0/16 and 151.197.0.0/16 are Trip
homes="puddle.purple.com 141.158.0.0/16 151.197.0.0/16"

# IP's (and IP ranges) for collaborators
colab_walt="wlad.mawode.com"	# Mankowski
colab_maher="68.81.106.0/8 165.123.243.0/8" # Salah
colab_newsham="4.11.64.0/20"
colabs="$colab_walt $colab_maher $colab_newsham"

# Allow ssh from these machines
dragonfly="129.25.0.0/16"	# only for mst
trusted_ssh="$tuxes queen.cs.drexel.edu $lab_ws $homes $colabs"

# SFS clients for mst:
sfs_clients="krypton.cs.drexel.edu puddle.purple.com"


$IPTABLES -F			# flush rules
$IPTABLES -Z			# reset counters

# Change policy to default to deny all incoming connections.
######## $IPTABLES -P INPUT DROP

# Don't forward anything.
$IPTABLES -P FORWARD DROP

# Accept packets on established connections or packets related to them.
# Note that SYN-ACK is established, since ESTABLISHED gets set before
# the packet is processed.
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

if [ $this_host = karma.cs.drexel.edu ]; then
    $IPTABLES -P OUTPUT DROP
    # Except ssh and http connections that want to be established
    # This is handled by the input ssh rule below.
fi

# Allow all connections to/from the loopback device.
# This is much better than allowing everything from localhost, since
# that would allow incoming connections from a spoofed IP of 127.0.0.1.
$IPTABLES -i lo -A INPUT -j ACCEPT


# Deny connections from reserved subnets - anything from here can be
# assumed to be spoofed.  The last two could eventually be assigned/valid.
#
# Reject connections to reserved networks: local users are allowed to
# know their packets are being dropped.  These are logged.
for range in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16 169.254.0.0/16 192.0.2.0/24 240.0.0.0/8 0/8; #1.0.0.0/8 2.0.0.0/8
  do
  $IPTABLES -A INPUT -p all -s $range -j DROP
  $IPTABLES -A OUTPUT -p all -s $range -j REJECT
done

# Deny from some broadcast type stuff.
# These would only be spoofed as well.  These are logged.
for range in 127.0.0.0/8 0.0.0.0/32 255.255.255.255/32 255.255.255.0/32 ; do
    $IPTABLES -A INPUT -s $range -j DROP
    $IPTABLES -A OUTPUT -d $range -j REJECT
done

# Allow incoming ssh from these hosts only:
for host in $trusted_ssh; do
    $IPTABLES -A INPUT --source $host -p tcp --dport ssh -j ACCEPT
done
if [ $this_host = mst.cs.drexel.edu ]; then
    # mst accepts ssh from drexel wireless address, also
    for host in $dragonfly; do
	$IPTABLES -A INPUT --source $host -p tcp --dport ssh -j ACCEPT
    done
fi

# Allow incoming http if this is mst or karma:
case $this_host in
    mst.cs.drexel.edu | karma.cs.drexel.edu)
        $IPTABLES -A INPUT --source $host -p tcp --destination-port ssh -j ACCEPT;;
    *) ;;			# no alternate actions to take
esac

# If this machine is mst, it is an SFS server and should accept SFS
# connections from krypton and from puddle.purple.com (Jeff's home
# machine).
for host in $sfs_clients; do
    $IPTABLES -A INPUT -p tcp --src $host --dport 4 -j ACCEPT
done

# Allow NTP responses from NTP servers listed in /etc/ntp.conf.
# "server" lines in /etc/ntpd.conf must be delimited with 1 space.
set -x
set -v
for source in `grep ^server /etc/ntp.conf | cut -d' ' -f2`
do
  $IPTABLES -A INPUT -p udp --dport 123 -src $source -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 123 -src $source -j ACCEPT
  $IPTABLES -A OUTPUT -p udp --dport 123 --dst $host -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 123 --dst $host -j ACCEPT
done


# What about Gaylord's backups ?

Attachment: signature.asc
Description: Digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug