LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-12-2004, 10:44 PM   #1
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
iptables - allowing hostnames from ip addresses


Those of you who are regulars here have probably read my rather large forum post about blocking IMs in the office, etc.

It is all working rather well, but the workers have gotten smarter again, hehe.

The setup is:

I have privileged users (e.g. the boss and the HR manager) who have access to IMs (in fact complete access to the outside internet), and we have normal workers who, during work hours, are stopped from accessing the internet for chats etc.

The problem now is that one person has gotten smart and worked out the system: when the boss isn't around he changes his IP address to the static (and privileged) IP. So what I want to do is have some rules that are set for those privileged IPs,

basically to allow ONLY one hostname through on that address.

So basically it would look like:

#$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.4 -h CHRISWB -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.4 -j DROP

This of course is me making it up, but something like this... any idea how to do this?

Thanks
Chris
 
Old 01-12-2004, 11:02 PM   #2
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
Or maybe a MAC address would be a better option?
 
Old 01-13-2004, 12:19 AM   #3
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
OK, got it going... sorry to bother y'all :P

Now I'm just counting the days till this guy works out how to clone a MAC address :P

Any ideas how I can keep an eye out for that?
 
Old 01-13-2004, 11:14 AM   #4
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
So how did you do it? Can you post it?
 
Old 01-13-2004, 02:54 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by chrisfirestar
Now I'm just counting the days till this guy works out how to clone a MAC address :P
Any ideas how I can keep an eye out for that?

You could set up Arpwatch. One of its many options is to email you any time it detects a change in the MAC address of any of your static IP addresses.
 
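Arpwatch does this passively, by sniffing ARP traffic on the segment. As an added illustration of the same idea (not part of this thread and not Arpwatch's own code), the script below compares the gateway's own neighbour table (the output of "ip -4 neigh show") against the IP-to-MAC pairs the firewall pins, and reports any privileged IP that is currently answering from a different MAC, or that has vanished from the table. The interface name, addresses and MACs are placeholders, and the neighbour-table sample at the bottom is constructed.

```shell
#!/bin/sh
# Added example: detect a pinned (privileged) IP being used from a
# different MAC by diffing the kernel neighbour table against a pin list.
# Not from the thread's author; addresses, MACs and "eth1" are placeholders.

# Pinned pairs, one per line: IP MAC (assumption: same list the firewall uses)
PINS='192.168.1.4 00:11:22:33:44:55
192.168.1.8 00:aa:bb:cc:dd:ee'

# check_pins PINS NEIGH
#   prints "IP expected_mac seen_mac" for each pinned IP whose current
#   lladdr differs (compared case-insensitively), and
#   "IP expected_mac missing" for a pinned IP absent from the table.
#   NEIGH is the text of 'ip -4 neigh show', one entry per line, e.g.
#   192.168.1.8 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE
check_pins() {
    pins=$1 neigh=$2
    printf '%s\n' "$neigh" | awk -v pins="$pins" '
    BEGIN {
        n = split(pins, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] != "") want[f[1]] = tolower(f[2])
        }
    }
    # Only look at pinned IPs. FAILED/INCOMPLETE entries carry no lladdr
    # and are treated like an absent entry.
    ($1 in want) {
        for (j = 1; j <= NF; j++) if ($j == "lladdr") seen = tolower($(j + 1))
        if (seen != "") {
            if (seen != want[$1]) print $1, want[$1], seen
            found[$1] = 1
        }
        seen = ""
    }
    END {
        for (ip in want) if (!(ip in found)) print ip, want[ip], "missing"
    }'
}

# Live use, e.g. from cron every minute, piping any output to mail:
#   check_pins "$PINS" "$(ip -4 neigh show)"
# Constructed sample: .8 is being used from a foreign MAC, .4 is fine,
# .50 is not pinned and is ignored.
SAMPLE='192.168.1.4 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.8 dev eth1 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.1.50 dev eth1 lladdr 00:99:88:77:66:55 STALE'

check_pins "$PINS" "$SAMPLE"
```

Two limits worth knowing: the neighbour table only holds hosts that have recently talked to the gateway, so a passive sniffer such as Arpwatch sees changes sooner and also catches hosts that never send traffic through the gateway; and, like the MAC-matching firewall rule itself, this check is blind once the IP and the MAC are both cloned.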
Old 01-13-2004, 08:23 PM   #6
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
OK, thanks for that, Capt_Caveman, I will look into it.

I did mean to post the answer but got caught up, sorry...
These were the rules I set for the "privileged" users that were active:

$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.8 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.8 -j DROP
$IPTABLES -A FORWARD -i $INSIDE -s 192.168.1.8 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A FORWARD -i $INSIDE -s 192.168.1.8 -j DROP

Obviously you would enter the appropriate MAC address. This is now working fine. I will also update my page on how I have done everything with the new changes I have made to the scripts.

www.chrisliveonline.com/security/
 
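As an added example (not from chrisfirestar's script or his site), the fragment below wraps the four rules above in a small function, validates the MAC before building a rule, and inserts a rate-limited LOG rule ahead of the DROP so that an attempt to use the privileged IP from the wrong machine leaves a trace in syslog. The interface name, IP, MAC and log prefix are placeholders; IPTABLES is pointed at a dry-run function here so the script prints the rules it would load instead of needing root.

```shell
#!/bin/sh
# Added example: MAC-pinned access for a privileged static IP on a Linux
# gateway, with logging of spoof attempts. Not the thread author's code;
# "eth1", the IP, the MAC and the log prefix are placeholders (assumptions).

INSIDE=eth1                       # LAN-side interface
PRIV_IP=192.168.1.8               # privileged static address
PRIV_MAC=00:11:22:33:44:55        # MAC of the machine allowed to use it
LOG_PREFIX="IPTABLES-MACSPOOF: "

# Dry run: print the rules instead of loading them. Change to
# IPTABLES=/sbin/iptables (and run as root) to apply them for real.
IPTABLES=dry_run
dry_run() { echo "iptables $*"; }

# A typo in the MAC would silently produce an ACCEPT rule that never
# matches, locking the privileged user out, so check the format first.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# pin_mac CHAIN IP MAC
#   ACCEPT IP only when the frame came from MAC; LOG (rate limited) and
#   DROP anything else claiming that IP. -m mac is only valid in INPUT,
#   FORWARD and PREROUTING, where the incoming frame still has a source MAC.
pin_mac() {
    chain=$1 ip=$2 mac=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    $IPTABLES -A "$chain" -i "$INSIDE" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    $IPTABLES -A "$chain" -i "$INSIDE" -s "$ip" -m limit --limit 5/min \
        -j LOG --log-prefix "$LOG_PREFIX"
    $IPTABLES -A "$chain" -i "$INSIDE" -s "$ip" -j DROP
}

# Traffic to the gateway itself (INPUT) and through it (FORWARD) both
# need pinning, exactly as in the posted rules.
build_rules() {
    pin_mac INPUT   "$PRIV_IP" "$PRIV_MAC" &&
    pin_mac FORWARD "$PRIV_IP" "$PRIV_MAC"
}

build_rules
```

Note that --mac-source matches the Ethernet source address of the frame as it arrives on $INSIDE, so it only identifies hosts on the same segment as the gateway, and anyone on that segment can read the privileged MAC out of their own ARP cache. The rule raises the bar above "change your IP"; the LOG line is what tells you when someone has climbed over it.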
Old 01-15-2004, 02:44 AM   #7
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
Can you explain the $IPTABLES and $INSIDE variables to me? Do these automatically take effect at startup? I'm new to iptables but I'm trying to learn. Your help is appreciated!
 
Old 01-15-2004, 03:04 AM   #8
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
OK, go to the website I posted...

$IPTABLES and $INSIDE are "shortcuts", I guess is a good enough way of putting it.

At the top of the sh script I have written to do my firewall I have set DEFINITIONS.

$IPTABLES and $INSIDE are two of them.

It would look something like this:

IPTABLES=/sbin/iptables
saving me typing this out 100 million times.

$INSIDE in this case refers to the INSIDE ethernet card.

You can also use it to make creating your scripts easy: in the example of port forwarding, the computer you are wanting to forward to may change for some reason. So instead of changing EVERY rule that affects that PC you set a definition:

WEBSERVER="192.168.1.2"
Then the rules will look like:

$IPTABLES -A INPUT -i $OUTSIDE -d $WEBSERVER blah blah

Hope this helps... but if you want to find out more, check out that site or look up iptables tutorials or how-tos.
 
Old 01-15-2004, 03:38 AM   #9
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
Thank you very much for that. I figured it was something like that but didn't know enough to be sure. I'll definitely check out that site you posted, and I'm also reading another tutorial. I'm using Firestarter for now but would like to eventually set up my own and know enough to adjust it as I need to.
Thanks again!
 
Old 01-20-2004, 10:03 AM   #10
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
chrisfirestar,
Thanks for the link to your web site! I'm using it as part of my learning experience. I do have one question, though, that maybe you can answer. Is it possible to use SNAT or Masquerading through a gateway? I have no real purpose for this, but I'm trying to understand exactly how that works.
If you get time to think this over I would appreciate it. Or, of course, anyone else who would like to tell me; any information is appreciated.
 
Old 01-20-2004, 12:26 PM   #11
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: iptables - allowing hostnames from ip addresses

Quote:
Originally posted by chrisfirestar
The problem now is that one person has gotten smart and worked out the system: when the boss isn't around he changes his IP address to the static (and privileged) IP. So what I want to do is have some rules that are set for those privileged IPs
Have you tried the low-tech "you're violating our computer usage policy and it's a firable offense" approach?
 
Old 01-20-2004, 08:01 PM   #12
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
Yes, but it has become a game of cat and mouse :P I think he does it just to see if he can, as opposed to hurting anything.

If you are using your gateway for other computers to access the internet you will NEED to use MASQUERADE, as the role of MASQ, as I understand it, is to convert local IPs into the public IP so that you can access services... otherwise you would have 1000s of people using a 192.168.1.* address, wouldn't you :P

Hope that helps.
 
Old 01-20-2004, 08:10 PM   #13
Vincent_Vega
Member
 
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825

Rep: Reputation: 31
So the gateway would be the computer using MASQ, but no other computers on the LAN? Do you know what I mean? A computer couldn't use MASQ or SNAT itself before going to the gateway? Just a question, but it's not a problem that's holding me up.

It is fun for people to try beating the system, even when it's not malicious. If this person does find a way to mask the MAC address, let us know!

Thanks for your reply.
 
Old 01-20-2004, 10:42 PM   #14
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
Why are they able to change the IPs in the first place? Not knowing the policy of this person's workplace, of course.


--tarballedtux
 