LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-30-2009, 10:46 AM   #1
tuxhats
Member
 
Registered: Dec 2005
Location: Austin, Texas area
Distribution: I have multiple Distos available, but I mostly use Ubuntu.
Posts: 47

Rep: Reputation: 16
"ip tables" help on Ubuntu 9.04


I've been reading and trying everything about iptables, but can't seem to get it right. Here's what I need along with my server info.

This setup is for a classroom environment. I am using Ubuntu 9.04 Desktop for this setup. I have a local server setup behind a DMZ. I have only 1 ethernet card (eth0). I wish to have total internet access for my server so I can use synaptic, the internet, and etc. I get my dhcp ip address from the local router/switch, usually something like 10.229.1.87. I also have my server's mac address to use and prefer if possible.

I need to allow local classroom computers, based on their mac address, access to ssh(thru a shell) to write/do each student's work in their "jailed home" and allow access to my local web(10.229.1.87) through Firefox so students can access my lessons. I put my lessons in my server(/var/www) for them to view.

I wish to DROP/REJECT all others trying anything else from within the DMZ. Logging would be nice and perhaps then I can place them in "hosts.deny" .

This is what I've gotten so far, which doesn't work.

#!/bin/bash
# Location of the iptables command
IPTABLES=/sbin/iptables

# Flush existing firewall rules
$IPTABLES -F

# Delete any extraneous chains which may exist from a previous script
$IPTABLES --delete-chain

# Change the default policy of all three chains to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# the server's own settings
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT # allow loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT # allow loopback

# my laptop's settings wireless and hard-wired
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:17:--:--:--:-- -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:21:--:--:--:-- -j ACCEPT

# put each classroom computer's 'info' below
# computer #1
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# computer #2
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# etc for each local classroom computer

# drop others activity
# $IPTABLES -A INPUT -j DROP
# $IPTABLES -A FORWARD -j DROP
# $IPTABLES -A OUTPUT -j ACCEPT
# End
exit 0

-----
Thank you for your efforts!

Last edited by tuxhats; 06-30-2009 at 10:49 AM.
 
Old 06-30-2009, 11:19 AM   #2
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 47
What aspect doesn't work?

Also, the final DROPs will override everything before. The policy settings at the top are enough.
 
Old 06-30-2009, 12:52 PM   #3
tuxhats
Original Poster

Nothing works. From the server I can't access the internet. From my laptop, I can't ssh onto the server. From another internal LAN computer that shouldn't have access, I can't ssh... which is good.
 
Old 06-30-2009, 01:05 PM   #4
pljvaldez
Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092

Rep: Reputation: 269
I'm really bad with iptables, but I found that using fwbuilder helped a lot (should be in the Ubuntu repos somewhere). It's a nice graphical package that creates the iptables rules for you. You can build them on a different machine than you want to install on if so desired.

Here are a couple of good tutorials:
http://www.howtoforge.com/getting-st...rewall-builder
http://debaday.debian.net/2009/03/15...rofessionally/
 
Old 06-30-2009, 01:22 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Okay let's start with your server. You basically want to allow inbound connections to TCP ports 21, 22, 80, and 443 from hosts within the same subnet and with a specific set of MAC addresses, while at the same time allowing all outbound connections from the server. Is my understanding correct? If so, this should do the trick:
Code:
#!/bin/sh

IPT="/sbin/iptables"

LAN="10.229.1.0/24"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -N CHECK_MAC

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth0 -p TCP -m multiport --dports 21,22,80,443 -s $LAN \
--syn -m state --state NEW -j CHECK_MAC
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
$IPT -A CHECK_MAC -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
If my understanding of your intentions is not correct, please let me know and I'll make the appropriate changes for you. At this point, I'm starting to have doubts about whether you are referring to iptables rules on the server, or on a router/firewall sitting in front of it. As for your laptop, I would need you to elaborate a little bit before I could give you a script.

Last edited by win32sux; 06-30-2009 at 01:41 PM. Reason: Trimmed some fat.
 
Old 06-30-2009, 02:02 PM   #6
tuxhats
Original Poster
I got these errors related to "CHECK_MAC"

iptables v1.4.1.1: Couldn't load target `CHECK_MAC':/lib/xtables/libipt_CHECK_MAC.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
 
Old 06-30-2009, 02:19 PM   #7
win32sux
I made several changes to the script minutes after posting it, including a fix for the problem you just described. On a side note, make sure you edit the LAN variable accordingly (make it reflect your actual subnet).

Last edited by win32sux; 06-30-2009 at 02:22 PM.
 
Old 06-30-2009, 03:40 PM   #8
tuxhats
Original Poster
Thank you win32sux!!! Your rewrite works!!! Yeehaw. I got the LAN variable first thing. I also added:

$IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
$IPT -A CHECK_MAC -j DROP

to the end again. Is it cool? Looks like it might work.

Question: What adjustments can prohibit DOS attacks via a student trying so from the classroom (approved MAC) on the ssh port? I'd like something around a 3/m limit per MAC address.

Thanks again.

PS -> By the way, if you are OK with it, I'm going to add you as "win32sux" from linuxquestions.org as a contributor to this project. I'm also going to add "blackhole54" for his contribution to an earlier script to prevent multiple users from logging on from the 'same' computer, i.e. to prevent copying (cheating).

Last edited by tuxhats; 06-30-2009 at 03:42 PM. Reason: adjustment
 
Old 06-30-2009, 05:53 PM   #9
win32sux
Quote:
Originally Posted by tuxhats
Thank you win32sux!!! Your rewrite works!!! Yeehaw.
I'm happy to hear that.

Quote:
I got the LAN variable first thing. I also added:

$IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
$IPT -A CHECK_MAC -j DROP

to the end again. Is it cool? Looks like it might work.
Yeah, that should work fine. The packet would get sent to DROP at the end of the CHECK_MAC chain, instead of at the end of the INPUT chain. Even though the packet would have still been sent to DROP in my version, your addition makes it easy to spot packets that are being sent to DROP specifically because they don't match any of the allowed MACs. So yeah, I think it's cool.

Quote:
Question: What adjustments can prohibit DOS attacks via a student trying so from the classroom (approved MAC) on the ssh port? I'd like something around a 3/m limit per MAC address.
Maybe this thread can give you some ideas. I don't think the solution we ended up with there made use of MAC-based filtering, but it shouldn't be too hard to introduce with a few tweaks.

Quote:
PS -> By the way, if you are OK with it, I'm going to add you as "win32sux" from linuxquestions.org as a contributor to this project.
Sure, I'm totally cool with that.

Quote:
I'm also going to add "blackhole54" for his contribution to an earlier script to prevent multiple users from logging on from the 'same' computer, i.e. to prevent copying (cheating).
Awesome! Here's a link to that thread in case anyone wishes to check it out.

Last edited by win32sux; 06-30-2009 at 05:55 PM.
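Pulling together win32sux's chain layout from post #5 and the per-MAC SSH rate limit tuxhats asks about in post #8, here is an added example script. It is my own illustration, not win32sux's or tuxhats' code. It keeps the CHECK_MAC chain and adds a second chain, SSH_LIMIT, in which each approved MAC gets its own `-m limit` rule; because every limit rule carries its own token bucket, that yields the requested 3-per-minute limit per MAC rather than one shared limit. The MAC addresses are constructed placeholders, and the SSH_LIMIT chain name, the FW_APPLY and IPT environment switches and the log prefixes are assumptions of this example. Setting IPT=echo prints the generated commands instead of applying them, which is the way to review the ruleset before it touches the kernel.

```shell
#!/bin/sh
# Classroom firewall generator (added example, not the thread's own script).
# IPT defaults to the real binary; set IPT=echo to print the commands instead.
IPT="${IPT:-/sbin/iptables}"
LAN="${LAN:-10.229.1.0/24}"            # classroom subnet from the thread
IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-21,22,80,443}"
SSH_RATE="${SSH_RATE:-3/minute}"       # new SSH connections allowed per MAC
SSH_BURST="${SSH_BURST:-3}"
# Placeholder MACs constructed for this example; replace with the real classroom MACs.
ALLOWED_MACS="${ALLOWED_MACS:-00:23:ae:00:00:01 00:23:ae:00:00:02}"

reset_tables() {
    # Set the filter policies before flushing so there is no window where everything is accepted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    for t in filter nat mangle raw; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

build_chains() {
    $IPT -N CHECK_MAC
    $IPT -N SSH_LIMIT

    # Stateful baseline: replies to the server's own connections, plus loopback.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # New TCP connections from the classroom subnet to the service ports go to the MAC check.
    $IPT -A INPUT -i "$IFACE" -p tcp -m multiport --dports "$PORTS" -s "$LAN" \
        --syn -m state --state NEW -j CHECK_MAC
    # Everything else is logged (rate-limited so the log cannot be flooded) and hits the DROP policy.
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT DROP: "

    for mac in $ALLOWED_MACS; do
        # SSH from an approved MAC is rate-limited; the other approved ports are accepted outright.
        $IPT -A CHECK_MAC -p tcp --dport 22 -m mac --mac-source "$mac" -j SSH_LIMIT
        $IPT -A CHECK_MAC -m mac --mac-source "$mac" -j ACCEPT
        # One limit rule per MAC: each rule has its own token bucket, so the limit is per MAC.
        $IPT -A SSH_LIMIT -m mac --mac-source "$mac" -m limit --limit "$SSH_RATE" --limit-burst "$SSH_BURST" -j ACCEPT
    done
    # Unknown MAC on the service ports, or an approved MAC exceeding its SSH rate.
    $IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
    $IPT -A CHECK_MAC -j DROP
    $IPT -A SSH_LIMIT -j LOG --log-prefix "SSH LIMIT DROP: "
    $IPT -A SSH_LIMIT -j DROP
}

apply_rules() {
    reset_tables
    build_chains
}

# Apply only when explicitly requested, so the file can also be sourced for a dry run:
#   FW_APPLY=1 sh classroom-fw.sh            (apply the ruleset)
#   IPT=echo FW_APPLY=1 sh classroom-fw.sh   (print the commands without touching the kernel)
if [ "${FW_APPLY:-0}" = 1 ]; then apply_rules; fi
```

After applying, `iptables -L CHECK_MAC -v -n` and `iptables -L SSH_LIMIT -v -n` show per-rule packet counters, so a classroom machine that is hammering the SSH port shows up as a growing counter on the SSH_LIMIT DROP rule, and the `SSH LIMIT DROP:` entries in the kernel log carry its MAC and source address.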
 
Old 06-30-2009, 06:19 PM   #10
GrapefruiTgirl
Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 543
Moved: This thread is more suitable in 'Linux Security' and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 06-30-2009, 07:34 PM   #11
tuxhats
Original Poster
Thanks again! I remembered this bit, setting the /etc/security/limits.conf to:

@students - maxlogins 2

where @students is a group consisting of all my students.

This combined with this iptables script (from win32sux) should do the trick, especially with the "jail" setup and blackhole54's script. Thanks!
 
All times are GMT -5.