Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-12-2004, 09:44 PM (#1)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
iptables - allowing hostnames from ip addresses
Those of you that are regulars here would probably have read my rather large forum regarding blocking IMs in the office etc.
It is all working rather well, but the workers have gotten smarter again hehe.
The setup is:
I have privileged users (e.g. boss and HR manager) that have access to IMs (in fact complete access to the outside internet) and we have normal workers who during work hours are stopped from accessing the internet for chats etc.
Problem is now that one person has gotten smart and worked out the system and when the boss isn't around he changes his IP address to the static (and privileged) IP. So what I want to do is to have some rules that are set for those IPs that are privileged,
basically to allow ONLY one hostname through on that address.
So basically it will look like:
#$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.4 -h CHRISWB -j ACCEPT
#$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.4 -j DROP
This of course is me making it up, but something like this... Any idea how to do this?
Thanks
Chris

01-12-2004, 10:02 PM (#2)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
Original Poster
Or maybe a MAC address would be a better option?

01-12-2004, 11:19 PM (#3)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
Original Poster
OK, got it going... sorry to bother y'all :P
Now I'm just counting the days till this guy works out how to clone a MAC address :P
Any ideas how I can keep an eye out for that?

01-13-2004, 10:14 AM (#4)
Member
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825
So how did you do it? Can you post it?

01-13-2004, 01:54 PM (#5)
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Now I'm just counting the days till this guy works out how to clone a MAC address :P
Any ideas how I can keep an eye out for that?
You could set up Arpwatch. One of its many options is to email you any time it detects a change in the MAC address of any of your static IP addresses.
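A one-shot version of the check Arpwatch automates, as an added example (it is not from this thread and not arpwatch's own code): the current neighbour table is compared against a baseline of the IP-to-MAC pairs the firewall trusts, and a line is reported when a trusted IP shows up with a different MAC (someone took the privileged IP) or when one MAC answers for two IPs (one box holding its own address and a borrowed one). It assumes the line format of `ip -4 neigh show`; all addresses below are constructed sample values.

```shell
#!/bin/sh
# Added example: compare the live ARP/neighbour table against a baseline of
# expected "ip mac" pairs and report changes.  Arpwatch does this continuously
# and mails you; this is a one-shot check suitable for cron on the firewall.

# Baseline of the hosts that get privileged firewall rules (constructed values).
BASELINE='192.168.1.4 00:11:22:33:44:55
192.168.1.8 00:aa:bb:cc:dd:ee'

# check_arp_table BASELINE   (neighbour table lines on stdin)
#   Prints one "CHANGED ..." or "DUPLICATE ..." line per finding.
#   Exit status 1 if anything was found, 0 if the table matches the baseline.
check_arp_table() {
    { printf '%s\n' "$1"; printf '%s\n' '--end-of-baseline--'; cat; } |
    awk '
        # norm: lower-case and zero-pad each octet, so "0:AA:bb:1:2:3" and
        # "00:aa:bb:01:02:03" compare equal (tools differ in how they print MACs)
        function norm(m,  n, i, parts) {
            m = tolower(m)
            n = split(m, parts, ":")
            m = ""
            for (i = 1; i <= n; i++)
                m = m (i > 1 ? ":" : "") (length(parts[i]) == 1 ? "0" parts[i] : parts[i])
            return m
        }
        # First read the baseline (until the marker), then the neighbour table.
        !baseline_done {
            if ($0 == "--end-of-baseline--") baseline_done = 1
            else if (NF >= 2) expected[$1] = norm($2)
            next
        }
        NF >= 1 {
            ip = $1; mac = ""
            # "ip neigh" line: <ip> dev <if> lladdr <mac> <state>; skip lines without a MAC
            for (i = 2; i < NF; i++) if ($i == "lladdr") mac = norm($(i + 1))
            if (mac == "") next
            if ((ip in expected) && expected[ip] != mac) {
                printf "CHANGED %s expected %s observed %s\n", ip, expected[ip], mac
                findings++
            }
            if ((mac in owner) && owner[mac] != ip) {
                printf "DUPLICATE %s shared by %s and %s\n", mac, owner[mac], ip
                findings++
            } else owner[mac] = ip
        }
        END { exit (findings > 0 ? 1 : 0) }
    '
}

# Constructed sample table: .8 (a privileged IP) now answers from the MAC that
# also belongs to .20, i.e. the .20 box has taken the privileged address.
SAMPLE_NEIGH='192.168.1.4 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.8 dev eth0 lladdr 0:de:ad:be:ef:1 STALE
192.168.1.20 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE'

# report_sample: run the check over the constructed table (for the live table
# use:  ip -4 neigh show | check_arp_table "$BASELINE")
report_sample() {
    printf '%s\n' "$SAMPLE_NEIGH" | check_arp_table "$BASELINE"
}
```

Run it from cron and mail the output when the exit status is 1; that gives the same alert Arpwatch would send, without a daemon. The duplicate-MAC heuristic is the part that still fires after someone clones the trusted MAC, as long as their own address is also still in the table.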

01-13-2004, 07:23 PM (#6)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
Original Poster
OK, thanks for that Capt_Caveman, I will look into it.
I did mean to post the answer but got caught up, sorry...
These were the rules I set for the "privileged" users that were active:
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.8 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.8 -j DROP
$IPTABLES -A FORWARD -i $INSIDE -s 192.168.1.8 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
$IPTABLES -A FORWARD -i $INSIDE -s 192.168.1.8 -j DROP
Obviously you would enter the appropriate MAC address. This is now working fine. I will also update my page on how I have done everything with the new changes I have made to the scripts:
www.chrisliveonline.com/security/

01-15-2004, 01:44 AM (#7)
Member
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825
Can you explain the $IPTABLES and $INSIDE variables to me? Do these automatically take effect at startup? I'm new to iptables but I'm trying to learn. Your help is appreciated!

01-15-2004, 02:04 AM (#8)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
Original Poster
OK, go to the website I posted...
$IPTABLES and $INSIDE are "shortcuts", I guess is a good enough way of putting it.
At the top of the sh script I have written to do my firewall I have set DEFINITIONS;
$IPTABLES and $INSIDE are two of them.
It would look something like this:
IPTABLES=/sbin/iptables
saving me typing this out 100 million times.
$INSIDE in this case is relating to the INSIDE ethernet card.
You can also use it to help make creating your scripts easy, so in the example of port forwarding, the computer you are wanting to forward to may change for some reason. So instead of changing EVERY rule that affects that PC you will set a definition
WEBSERVER="192.168.1.2"
then the rules will look like
$IPTABLES -A INPUT -i $OUTSIDE -d $WEBSERVER blah blah
Hope this helps... but if you want to find out more check out that site or look up iptables tutorials or how-tos.

01-15-2004, 02:38 AM (#9)
Member
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825
Thank you very much for that. I figured it was something like that but don't know enough to be sure. I'll definitely check out that site you posted and I'm also reading another tutorial. I'm using Firestarter for now but would like to eventually set up my own and know enough to adjust it as I need to.
Thanks again!

01-20-2004, 09:03 AM (#10)
Member
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825
chrisfirestar,
Thanks for the link to your web site! I'm using it as part of my learning experience. I do have one question though that maybe you can answer. Is it possible to use SNAT or Masquerading through a gateway? I have no real purpose for this but I'm trying to understand exactly how that works.
If you get time to think this over I would appreciate it. Or, of course, anyone else that would like to tell me, any information is appreciated.

01-20-2004, 11:26 AM (#11)
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
Re: iptables - allowing hostnames from ip addresses
Quote:
Originally posted by chrisfirestar
Problem is now that one person has gotten smart and worked out the system and when the boss isn't around he changes his IP address to the static (and privileged) IP. So what I want to do is to have some rules that are set for those IPs that are privileged
Have you tried the low tech "you're violating our computer usage policy and it's a firable offense" approach?

01-20-2004, 07:01 PM (#12)
Member
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231
Original Poster
Yes, but it has become a game of cat and mouse :P I think he does it just to see if he can, as opposed to hurting anything.
If you are using your gateway for other computers to access the internet you will NEED to use MASQUERADE, as the role of MASQ as I understand it is to convert local IPs into the public IP so that you can access services... otherwise you would have 1000s of people using a 192.168.1.* address, wouldn't you :P
Hope that helps.
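The pieces discussed in posts #6, #8 and #12 put together in one small firewall script, as an added example (this is not chrisfirestar's script from the linked site): DEFINITIONS at the top instead of repeating /sbin/iptables everywhere, the MAC-pinned ACCEPT/DROP pair for each privileged IP in both INPUT and FORWARD, and the MASQUERADE rules a gateway needs. The interface names, addresses and MAC addresses are constructed placeholders, and the `DRY_RUN` switch is this example's own convention so the generated rule set can be reviewed before it touches the live tables. The security-relevant detail it shows is ordering: the per-IP DROP must sit before any broad LAN ACCEPT, otherwise a spoofed privileged IP is let through by the general rule first.

```shell
#!/bin/sh
# Added example (not the thread author's script): a firewall script in the
# style described in the thread, with definitions at the top, MAC-pinned rules
# for privileged hosts, and MASQUERADE for the gateway.

# ---- DEFINITIONS (constructed placeholders) ------------------------------
IPTABLES=/sbin/iptables        # note: no leading $ when assigning a variable
INSIDE=eth1                    # LAN-facing card
OUTSIDE=eth0                   # Internet-facing card
LAN=192.168.1.0/24

# Privileged hosts as "ip mac" pairs: each IP is only accepted from the MAC
# it was assigned to; the same IP from any other card is dropped.
PRIVILEGED='192.168.1.4 00:11:22:33:44:55
192.168.1.8 00:aa:bb:cc:dd:ee'

DRY_RUN=${DRY_RUN:-0}

# run: execute the command, or only print it when DRY_RUN=1, so the rule
# set can be inspected (and tested) without root or a live kernel.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# privileged_rules: the ACCEPT/DROP pair from post #6 for every entry in
# $PRIVILEGED, in INPUT (traffic to the firewall) and FORWARD (through it).
privileged_rules() {
    printf '%s\n' "$PRIVILEGED" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        for chain in INPUT FORWARD; do
            run "$IPTABLES" -A "$chain" -i "$INSIDE" -s "$ip" \
                -m mac --mac-source "$mac" -j ACCEPT
            run "$IPTABLES" -A "$chain" -i "$INSIDE" -s "$ip" -j DROP
        done
    done
}

# gateway_rules: the MASQUERADE part from post #12.  LAN traffic leaving on
# $OUTSIDE is rewritten to the public address; replies are forwarded back
# only when they belong to a connection a LAN host opened.
gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN" -o "$OUTSIDE" -j MASQUERADE
    run "$IPTABLES" -A FORWARD -i "$OUTSIDE" -o "$INSIDE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" -j ACCEPT
}

# build_firewall: flush, set the FORWARD policy, then add rules in order.
# privileged_rules goes first so the DROP for a spoofed privileged IP is hit
# before the general LAN ACCEPT in gateway_rules.
build_firewall() {
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -P FORWARD DROP
    privileged_rules
    gateway_rules
}

case "${1:-}" in
    apply) build_firewall ;;             # needs root
    show)  DRY_RUN=1 build_firewall ;;   # print the rules only
esac
```

`sh firewall.sh show` prints the full rule list in order, which is the quickest way to confirm that the MAC-pinned DROP lines come before the LAN-wide ACCEPT; `sh firewall.sh apply` installs them. The time-of-day restrictions for ordinary workers that the thread mentions are left out here; they would go after privileged_rules and before the general ACCEPT.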

01-20-2004, 07:10 PM (#13)
Member
Registered: Nov 2003
Location: Jacksonville, FL
Distribution: Slackware & Arch
Posts: 825
So the gateway would be the computer using MASQ, but no other computers on the LAN? Do you know what I mean? A computer couldn't use MASQ or SNAT itself before going to the gateway? Just a question but it's not a problem that's holding me up.
It is fun for people to try beating the system, even when it's not malicious. If this person does find a way to mask the MAC address, let us know!
Thanks for your reply.

01-20-2004, 09:42 PM (#14)
Member
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498
Why are they able to change the IPs in the first place? Not knowing the policy of this person's workplace of course.
--tarballedtux