LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-29-2007, 09:53 AM   #16
DBabo
Member
 
Registered: Feb 2003
Distribution: Fedora {latest}
Posts: 568

Original Poster
Rep: Reputation: 40

my simple and Q&D script all of the sudden became a big and comprehensive one. ha-ha
Thank you very much for the detailed explanation and for putting the script together.
I have 2 questions :
Quote:
Code:
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 21,80,443 \
-d ! $LAN -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p UDP -o eth0 -m multiport --dports 53,123 \
-d ! $LAN -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m owner --uid-owner dbabo \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m owner --uid-owner root \
-m state --state NEW -j ACCEPT
I read this as: "if this is the LAN - don't allow outbound on the specified ports. But allow it for users dbabo or root even if it's on the specified LAN and ports."
Now, should I read it as:
"if this is the LAN - don't allow outbound on the specified ports. But allow all other ports/protocols if the user is dbabo or root."
Or is it:
"if this is the LAN - don't allow outbound on the specified ports. Allow all other ports/protocols if the user is dbabo or root."

Another question:
Say the server has many users. Say it's part of a company. Then what options does the sys/security admin have to minimize the amount of work (let's say we have more than one server that has SSH) while keeping security tight?
 
Old 12-29-2007, 10:36 AM   #17
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 17
If you have a few servers and you want to set them up to behave the same way, the best method would be to sit a firewall between all the boxes and use the forwarding chain to filter traffic. That way you would administer the firewall centrally.
 
Old 12-29-2007, 04:39 PM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by DBabo View Post
my simple and Q&D script all of the sudden became a big and comprehensive one. ha-ha
Thank you very much for the detailed explanation and for putting the script together.
I have 2 questions :
Code:
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 21,80,443 \
-d ! $LAN -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p UDP -o eth0 -m multiport --dports 53,123 \
-d ! $LAN -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m owner --uid-owner dbabo \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m owner --uid-owner root \
-m state --state NEW -j ACCEPT
I read this as: "if this is the LAN - don't allow outbound on the specified ports. But allow it for users dbabo or root even if it's on the specified LAN and ports."
Now, should I read it as:
"if this is the LAN - don't allow outbound on the specified ports. But allow all other ports/protocols if the user is dbabo or root."
Or is it:
"if this is the LAN - don't allow outbound on the specified ports. Allow all other ports/protocols if the user is dbabo or root."
Yeah, sort of. Those four rules say (in the context of the script): "Allow any outgoing FTP, HTTP, HTTPS, DNS, and NTP connections - as long as their destination is NOT the LAN. Allow absolutely any outgoing connections for users dbabo and root." The LAN limitation is there so that a user with evil intentions won't be able to attack your LAN - it also prevents a worm (Apache-based, for example) from propagating in your LAN, etc.

Quote:
Another question is :
say if the server has many users. Say, it's part in an company. Then what options does sys/security admin have to minimize the amount of work ( let's say we have more than 1 server that has ssh ) keeping security tight?
It depends. How many users? Let's say for argument's sake that you have 75 users on the server who need to have SSH access to IP 192.168.1.233 on the LAN. Instead of writing 75 iptables rules each with a different username, you could simply write one and have a substitution occur for the usernames. Like, you could have a text file with a list of the usernames, and the iptables script can be told to execute the rule once for each of those usernames. Something like:
Code:
SSH_USERS=`cat /etc/ssh_users.txt`

for i in $SSH_USERS; do
  $IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
  -m owner --uid-owner $i -m state --state NEW -j ACCEPT
done
So if your /etc/ssh_users.txt file has all the SSH users listed, one per line, like:
Code:
sally
mario
susan
christian
jamie
john
tux
lisa
Etc... then the effect will be that each of them will get their own rule executed. That said, it's a balancing act. Some people would indeed be happy enough with one rule allowing SSH access to the required IPs for anybody, like:
Code:
$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
-m state --state NEW -j ACCEPT
Any rogue users who try to connect would still need to deal with SSH authentication, so it's not as if they are getting a free pass. You could even take the inverse approach and blacklist certain users, like:
Code:
$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
-m owner --uid-owner apache -m state --state NEW -j REJECT

$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
-m owner --uid-owner susan -m state --state NEW -j REJECT

$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
-m state --state NEW -j ACCEPT
In that example, everyone would be able to SSH to 192.168.1.233 - except apache and susan.

If by "keeping security tight" you meant something more general, then the answer would still be "it depends". There are tons of aspects one needs to cover in order to keep things tight (iptables is just a small part of the picture). I don't know of a tool that will let you take care of every aspect in a super-friendly and centralized way, if that's what you mean. Have you checked out unSpawn's famous Security references thread?

EDIT: Added a blacklist example at the end. Fixed $SSH_USERS variable assignment error in the username list example. The file obviously needs to be cat-ed for the contents to be used instead of the file name/path itself - my bad.

Last edited by win32sux; 12-29-2007 at 10:22 PM.
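The per-user loop above, as an added example that is not from the thread or from win32sux: it reads the same one-name-per-line list, but strips comments and blank lines and refuses names that do not look like usernames or that the system does not know. iptables rejects an unknown `--uid-owner` name with an error, so a typo in the list would otherwise leave a script half-applied. The list contents and the `user_known` lookup are constructed stand-ins (a real script would call `getent passwd`), and `IPT` defaults to echoing the command so the block only prints the rules it would add.

```shell
#!/bin/sh
# Added example (not part of the thread). Builds one OUTPUT rule per user
# from a user list, validating each name first.
# IPT defaults to echoing the command so the rules are only printed;
# run with IPT=/sbin/iptables (as root) to apply them.
IPT=${IPT:-"echo /sbin/iptables"}
SSH_HOST=192.168.1.233          # the LAN SSH server used in the thread

# Constructed sample list (what /etc/ssh_users.txt might contain).
SAMPLE_LIST='# users allowed to open SSH to the LAN host, one per line
sally
mario

bogus-user   # not a real account on this box
susan'

# Constructed stand-in for "getent passwd <name>" so the example runs
# anywhere; a real script would call getent instead.
KNOWN_USERS='sally mario susan christian'
user_known() {
    for k in $KNOWN_USERS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Drop comments, whitespace and blank lines, then keep only strings that
# look like Unix usernames, so a stray line cannot become an odd argument.
clean_user_list() {
    printf '%s\n' "$1" \
        | sed 's/#.*//; s/[[:space:]]//g' \
        | grep -E '^[a-z_][a-z0-9_-]*$'
}

# Emit one rule per valid, known user. iptables rejects an unknown
# --uid-owner name with an error, so unknown names are reported and
# skipped rather than allowed to abort the script half-way.
gen_ssh_rules() {
    for u in $(clean_user_list "$1"); do
        if user_known "$u"; then
            $IPT -A OUTPUT -p TCP -o eth0 -d "$SSH_HOST" --dport 22 \
                -m owner --uid-owner "$u" -m state --state NEW -j ACCEPT
        else
            echo "skipping unknown user: $u" >&2
        fi
    done
}

gen_ssh_rules "$SAMPLE_LIST"
```

Run as-is it prints three rules (sally, mario, susan) and reports bogus-user on stderr; re-running it after the list changes, manually or from cron as suggested later in the thread, regenerates exactly the rules the list justifies.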
 
Old 12-29-2007, 04:56 PM   #19
DBabo
Member
 
Registered: Feb 2003
Distribution: Fedora {latest}
Posts: 568

Original Poster
Rep: Reputation: 40
Quote:
<skip>
Etc... then the effect will be that each of them will get their own rule executed.
OK, so every time the users list changes I would have to re-generate the iptables rules. That's not bad.

Quote:
Have you checked-out unSpawn's famous Security references thread?
Thank you, i'll check it out.

Could you please recommend a good log analyzer?

Thank you very much for your help and for sharing the knowledge.
 
Old 12-29-2007, 05:12 PM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by DBabo View Post
OK, so every time the users list changes I would have to re-generate the iptables rules. That's not bad.
Yeah, you'd basically just need to re-execute the script. You could do this manually, or you could have cron automatically do this periodically for you.

Quote:
Could you please recommend a good log analyzers?
Logwatch is quite popular. A couple others are SWATCH and fwlogwatch. If you go into the Security category at freshmeat.net I'm sure you'll find many others. There are some that are specially made for iptables logs.

Quote:
Thank you very much for you help and sharing the knowledge.
No problem.
 
Old 12-30-2007, 03:11 AM   #21
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 17
Alternatively, if the users will only have one role, you could give every normal user you want to allow access the same primary group (i.e. "remote") and then use the following firewall rule to administer them. (Sorry for plagiarizing your code, win32!)

Code:
$IPT -A OUTPUT -m owner --gid-owner remote \
-m state --state NEW -j ACCEPT
Then in your sshd config you can use "AllowGroups remote".

Using this method adding a new user is simpler as you just need to do:

Code:
useradd -g remote <username>
 
Old 12-30-2007, 03:30 AM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Deleriux View Post
Alternatively, if the users will only have one role, you could give every normal user you want to allow access the same primary group (i.e. "remote") and then use the following firewall rule to administer them. (Sorry for plagiarizing your code, win32!)
Code:
$IPT -A OUTPUT -m owner --gid-owner remote \
-m state --state NEW -j ACCEPT
Hey, this is awesome! The thought of using a group hadn't even crossed my mind. It definitely makes things a lot simpler, and AFAICT it eliminates the need to re-execute the script (or to have it look at a file with the users listed). To give users access to the SSH daemon on the LAN you just add them to the relevant group and you're done! Great stuff, thanks for posting this!

PS: I would just add that you should maintain the port/protocol/IP matches, otherwise it's carte blanche.
Code:
$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.233 --dport 22 \
-m owner --gid-owner example -m state --state NEW -j ACCEPT

Last edited by win32sux; 12-30-2007 at 03:33 AM.
 
Old 01-21-2008, 10:10 PM   #23
DBabo
Member
 
Registered: Feb 2003
Distribution: Fedora {latest}
Posts: 568

Original Poster
Rep: Reputation: 40
Code:
$IPT -A OUTPUT -m owner --gid-owner remote \
-m state --state NEW -j ACCEPT
Perfect. That's what i was looking for too.
Thank you.
 
Old 06-08-2009, 09:26 PM   #24
DBabo
Member
 
Registered: Feb 2003
Distribution: Fedora {latest}
Posts: 568

Original Poster
Rep: Reputation: 40
Hello again,
I decided to change the FW rules a bit and allow the use of the Inet (port 80) from this machine. So I added:
Code:
+ /sbin/iptables -A OUTPUT -p TCP -o eth0 --dport 80 -m state --state NEW -j ACCEPT
+ /sbin/iptables -A OUTPUT -p TCP -o eth0 --dport 443 -m state --state NEW -j ACCEPT
which works fine, but I want to allow only one group ("users") to browse the Inet. I changed the rules above to:
Code:
+ /sbin/iptables -A OUTPUT -p TCP -o eth0 --dport 80 -m owner --gid-owner users -m state --state NEW -j ACCEPT
+ /sbin/iptables -A OUTPUT -p TCP -o eth0 --dport 443 -m owner --gid-owner users -m state --state NEW -j ACCEPT
but it's filtering it out.
Please advise.

Last edited by DBabo; 06-09-2009 at 07:43 PM.
 
  

