LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-23-2007, 09:44 PM   #1
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 66
Laptop Firewall Considerations - MAC Addresses


I'm new to iptables (via firestarter) and most networking/security considerations in general.

I am worried about the security of my laptop when I take it out and connect wirelessly on my college campus and in other public locations. If I set up some rules to allow samba for the windows computers in my house using the network 192.168.1.0 or even specific computers, what is going to happen when I connect to a similarly numbered network in a public location?

Is there a way to create different rules based on the MAC address of the router/gateway?

Any guides on firewall considerations? I had previously thought that most distributions had the firewall locked up by default, but after running a port check I found that a good number of ports were open! And some closed. When I'm behind my router, ALL come up as silent (at Shields Up, google: firewall test). I would like my personal firewall to be the same.

I would also like it to work on all interfaces. It seems firestarter only works on one at a time.
 
Old 10-23-2007, 10:09 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Welcome to LQ!!!

I'd suggest having two firewall configs - one for when you're at home, and one for when you're not. But using the MAC address of the gateway as a location indicator wouldn't be a secure way to go - it's just way too easy to spoof a MAC. IMHO, a check for your home's wireless encryption key would be more suitable.
 
Old 10-24-2007, 10:06 AM   #3
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
Thanks for the welcome. I've often used linuxquestions as a resource but stayed on ubuntuforums. I feel discussion here will be more universally beneficial.

Anyway. When I'm out and about I use wireless, but at home I pretty much stick to a wired connection.

Do I have to write a script to change the settings?

What about checking MAC, IP, and hostname? Are there any others? (Let's assume I'm using multiple WIRED connections.)
 
Old 10-24-2007, 12:17 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
OIC. Well, in a way that might make things easier. What names do your wireless and wired interfaces have? You might be able to get away with simply making interface-specific rules. That way you wouldn't even need to bother changing them. In other words, the rules would allow incoming connections into the wired NIC, while filtering everything (stealth firewall config) on the wireless.

EDIT: Wait, just re-read the last sentence in your post. Are you saying there are other wired networks you plug into besides the one at home? BTW, neither hostname, IP, or MAC are truly secure options for this, as none have any sort of authentication features, and all can be spoofed.

Last edited by win32sux; 10-24-2007 at 12:21 PM.
 
Old 10-25-2007, 12:43 AM   #5
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
One wired, multiple wireless. I don't think interface-specific rules are the solution; I'm more worried about location-specific rules. I might, for example, use wireless at home or plug into an ethernet port at school.

I know none of the three are secure, but I figured all three combined is better than nothing. Are there any truly secure (and I know there is no such thing as TRULY secure) methods for authenticating a network/host that are reasonable for a simple desktop user?
 
Old 10-25-2007, 02:51 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Well, if you wanna make rules based on MAC/IPs this is how they go (iptables doesn't do hostnames - it'll resolve them into IPs):
Code:
iptables -A INPUT -s 192.168.1.105 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
Honestly, I think your best bet at this point is to have two firewall scripts, and manually execute them depending on your location. I wouldn't recommend going around with a MAC/IP-based rule such as the above constantly activated. But like you said, it's better than nothing. You should add protocol, port, and state matches to my example to tighten it a bit.

EDIT: Just remembered you probably meant using IP/MAC/hostname as an indicator for the network you are on, so never mind my iptables rule. So you want the appropriate script executed depending on the MAC/IP of the gateway, right?

Last edited by win32sux; 10-25-2007 at 03:22 AM.
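The interface-specific rules from post #4 and the tightened MAC rule from post #6, as an added example that is not win32sux's code: a script that prints a stealth profile and a home profile as plain iptables commands, so each rule set can be reviewed and loaded on its own. The Samba rule carries the interface, source subnet, protocol, port and state matches win32sux suggested adding. The interface names eth0 and wlan0, the 192.168.1.0/24 subnet and the client MACs are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): print two iptables profiles as text.
# Nothing is applied by this script; review the output, then pipe it through
# "sh" as root (e.g. "sh profiles.sh home | sh") to load a profile.
# Interface names, the LAN subnet and the MACs below are placeholders.

WIRED_IF="eth0"                 # assumed name of the wired NIC
WIRELESS_IF="wlan0"             # assumed name of the wireless NIC
HOME_LAN="192.168.1.0/24"       # the home subnet mentioned in post #1
# Constructed MACs of the Windows boxes that may reach Samba (placeholders)
SAMBA_CLIENT_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"

# Rules shared by both profiles: drop unsolicited input by default, keep
# loopback and the replies to connections the laptop opened itself.
base_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stealth profile (public networks): no new inbound connection on any NIC.
# Unanswered probes are what a port check reports as "silent".
stealth_profile() {
    base_rules
    echo "iptables -A INPUT -m state --state NEW -j DROP"
}

# Home profile: Samba reachable only on the wired NIC, only from the home
# subnet and only from the listed MACs. As win32sux notes, a MAC match is
# not authentication (MACs are easily spoofed); it only narrows exposure.
# The wireless NIC stays stealth even at home.
home_profile() {
    base_rules
    for mac in $SAMBA_CLIENT_MACS; do
        # NetBIOS name and datagram services (UDP 137,138)
        echo "iptables -A INPUT -i $WIRED_IF -s $HOME_LAN -m mac --mac-source $mac -p udp -m multiport --dports 137,138 -m state --state NEW -j ACCEPT"
        # NetBIOS session and direct SMB (TCP 139,445)
        echo "iptables -A INPUT -i $WIRED_IF -s $HOME_LAN -m mac --mac-source $mac -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $WIRELESS_IF -m state --state NEW -j DROP"
    echo "iptables -A INPUT -m state --state NEW -j DROP"
}

# Sanity check: how many rules in a profile accept unsolicited (NEW) traffic?
# The stealth profile must report 0.
count_new_accepts() {
    "$1" | grep -c -- '--state NEW -j ACCEPT' || true
}

case "${1:-}" in
    home)    home_profile ;;
    stealth) stealth_profile ;;
    *)       echo "usage: $0 home|stealth" >&2 ;;
esac
```

Run it as `sh profiles.sh stealth` or `sh profiles.sh home` and pipe the output through `sh` as root to load it. `count_new_accepts stealth_profile` must print 0; that is the property that makes a port check show every port as silent, and it is worth re-checking whenever the home profile is edited.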
 
Old 10-25-2007, 10:57 AM   #7
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
Well, basically I have my home network for which I know the specifications of the router. And most of the other time I can assume I'm on a public network. I'd like to be able to at least recognize my home network in some way. Pardon me for the violation - but in a way similar to what Vista seems to be able to do.
 
Old 10-25-2007, 02:35 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
What method does Vista use to make the determination?

EDIT: As a side note, I just tried to script a way to get my current router's MAC and came up with this:
Code:
arping -c1 `route -n | grep ^0.0.0.0 | awk '{print $2}'` \
2> /dev/null | grep "Unicast reply from" | awk '{print $5}' | cut -c 2-18
It's butt ugly but it works okay AFAICT.

EDIT 2: To get the IP of my router's WAN side I did a:
Code:
echo `wget -qO - http://www.whatismyip.org/`
Of course if the whatismyip.org server is down or filtered it wouldn't work.

Last edited by win32sux; 10-25-2007 at 03:17 PM.
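The gateway-MAC and WAN-IP lookups from the two one-liners above, as an added example that is not from the thread: the parsing is moved into functions that read text on stdin, so it can be exercised offline against constructed `route -n` and `arping` output, and each step returns a non-zero status on a timeout, a missing default route or an error page from the IP-lookup site instead of handing back an empty string. The sample output and all addresses are constructed.

```shell
#!/bin/sh
# Added example (not win32sux's one-liners): the same two lookups, with the
# parsing split into functions that read stdin, so they can be checked
# offline against constructed samples and fail (non-zero status) instead of
# silently yielding an empty string.

# Constructed sample of "route -n" output (not captured from a real host).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Constructed sample of an "arping -c1 192.168.1.1" reply (iputils arping).
SAMPLE_ARPING_REPLY='ARPING 192.168.1.1 from 192.168.1.105 eth0
Unicast reply from 192.168.1.1 [00:11:22:33:44:55]  0.612ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)'

# Default gateway: the Gateway column of the row whose Destination field is
# exactly 0.0.0.0. (In "grep ^0.0.0.0" the dots are regex wildcards; matching
# the whole field is stricter.) Fails if there is no default route.
default_gateway() {
    awk '$1 == "0.0.0.0" { print $2; found = 1; exit } END { exit found ? 0 : 1 }'
}

# Gateway MAC from an arping reply: the bracketed 5th field, accepted only if
# it has the shape of a MAC, so a timeout (no reply line) fails rather than
# returning junk that a later string comparison would happily accept.
gateway_mac() {
    awk '/Unicast reply from/ {
            mac = substr($5, 2, 17)          # strip the surrounding [ ]
            if (length(mac) == 17 && mac ~ /^[0-9a-fA-F:]*$/) {
                print mac; found = 1; exit
            }
         }
         END { exit found ? 0 : 1 }'
}

# Does $1 look like an IPv4 address? A "what is my IP" page that is down or
# filtered returns HTML or nothing, and this is where that gets caught.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Live versions using the same commands as the thread (need network access;
# not exercised offline).
current_gateway_mac() {
    gw=$(route -n | default_gateway) || return 1
    arping -c1 "$gw" 2>/dev/null | gateway_mac
}
current_wan_ip() {
    ip=$(wget -qO - http://www.whatismyip.org/ 2>/dev/null | tr -d '[:space:]')
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Offline demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_ROUTE_TABLE" | default_gateway
printf '%s\n' "$SAMPLE_ARPING_REPLY" | gateway_mac
```

A caller can then write `mac=$(current_gateway_mac) || { echo "no gateway reply" >&2; exit 1; }` and never reach the comparison with an empty or malformed value, which is the error handling win32sux points out the raw pipelines lack.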
 
Old 10-25-2007, 03:16 PM   #9
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
I don't know about the method.... anybody???

http://msdn2.microsoft.com/en-us/library/ms697388.aspx I found this article but can't make any certain sense of it... It looks like they're just using hostname and ip. Am I wrong?

Last edited by Meson; 10-25-2007 at 03:19 PM.
 
Old 10-25-2007, 04:00 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I just glanced through this page and got the impression it's only done by IP, except for the Domain location type. Like it has three location types: Domain, which it determines by seeing if it can authenticate to a domain controller; Public, which (I assume) it determines by seeing if the IP is an Internet one; and Private, which (I assume) it determines by seeing if the IP is private. Once again, this is just the impression I got and I could be completely mistaken. If I am right, though, then the only "secure" determination method is the Domain one, as it's the only one that does any authentication.

Do you have any always-on GNU/Linux box on your LAN which you could have an SSL-encrypted exchange with to confirm your location? If not, well, perhaps we should move along and get you set up with something IP/MAC-based. The shell commands I posted above could be a start if you want. I was thinking that perhaps if either of those two conditions evaluates as false (the MAC isn't yours and/or the WAN IP isn't your fixed IP (or one from your ISP's netblock if you have a dynamic IP)), then the stealth firewall is activated. Or that the non-stealth firewall is activated only when at least the first condition is true, or something like that. We could also throw in a hostname check of course. So you'd end up with an IP/MAC/Hostname scheme, which might suffice until you find a truly secure solution.

Last edited by win32sux; 10-25-2007 at 04:06 PM.
 
Old 10-25-2007, 06:17 PM   #11
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
Actually the public/private declaration is set by the user with public as the default.

But to be honest with you, thinking about it now, the windows method of recognizing networks can't be all that secure. It must be pretty easy to spoof a network (except possibly for the domain - but then again it might be easy to trick a computer into thinking it's authenticated on a domain...)

So it seems the best general solution (and not just for me but for everyone) would be to have a list of network profiles in the network status icon in gnome. With at most an alert window that says "Hey, are you on this network?"

Such a utility would need to modify your ethernet devices, firewall, and possibly other settings, samba for one...?

If I wrote some scripts to run when I decided to change a network, would they need to change the iptables configuration and then restart it?
 
Old 10-26-2007, 03:57 AM   #12
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
The (insecure) idea I had in mind was a script which would automatically get executed every time you connect to a network. The script would check the conditions mentioned above (WAN IP, gateway MAC, local hostname) and execute the iptables rules allowing access to your Samba (from specific MACs) if it looked like you were at home. But yeah, I agree that in the absence of a secure automatic location determination mechanism, nothing beats having the human make the determination.

Last edited by win32sux; 10-26-2007 at 04:07 AM.
 
Old 10-27-2007, 02:28 AM   #13
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
Too bad I only know Java right now. I think I could come up with something pretty useful for people. I've been putting a lot of thought into this.
 
Old 10-27-2007, 08:47 AM   #14
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Well, I wrote you a proof-of-concept script to get the ball rolling:
Code:
#!/bin/sh

# This script will execute a certain script if it detects that your
# router's MAC address, your WAN IP address, and your host name are what
# they would be when at home. It'll also execute a certain script if
# it finds that they aren't.

# Set the specs for your home network here:
ROUTER_MAC="xx:xx:xx:xx:xx:xx"
WAN_IP="xxx.xxx.xxx.xxx"
HOSTNAME="xxxxxxxxxxx"

# Set the scripts to be executed after determination is made:
AT_HOME_SCRIPT="/home/win32sux/firewall-samba.txt"
NOT_AT_HOME_SCRIPT="/home/win32sux/firewall-stealth.txt"

# Now we get the specs of the network you are currently in:
CURRENT_ROUTER_MAC=$(arping -c1 $(route -n | grep ^0.0.0.0 | awk '{print $2}') \
            2> /dev/null | grep "Unicast reply from" | awk '{print $5}' \
            | cut -c 2-18)
CURRENT_WAN_IP=$(echo $(wget -qO - http://www.whatismyip.org/))
CURRENT_HOSTNAME=$(hostname)

# Now we check if they all match, and execute the appropriate script depending
# on whether or not they did:
# (Quoted so an empty value, e.g. when arping gets no reply, still yields a
# valid comparison instead of a syntax error from [ ].)
if [ "$CURRENT_ROUTER_MAC" = "$ROUTER_MAC" ] && [ "$CURRENT_WAN_IP" = "$WAN_IP" ] \
     && [ "$CURRENT_HOSTNAME" = "$HOSTNAME" ]; then
  sh $AT_HOME_SCRIPT
else
  sh $NOT_AT_HOME_SCRIPT
fi
I only gave it a very quick test (and once again, it's only a proof-of-concept) so take it with a grain of salt. The WAN IP check will need to be tweaked if your ISP gives you dynamic IPs, and a way to deal with errors (whatismyip.org server is down, for example) would be imperative. Also, I'm not exactly sure where one would place this script to have it executed every time you associate to a new wireless network, but I'm sure that info is just a google away.

Last edited by win32sux; 10-27-2007 at 09:05 AM.
 
Old 10-27-2007, 06:43 PM   #15
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Original Poster
Rep: Reputation: 66
Code:
# Set the specs for your home network here:
ROUTER_MAC="xx:xx:xx:xx:xx:xx"
WAN_IP="xxx.xxx.xxx.xxx"
HOSTNAME="xxxxxxxxxxx"
DYNAMIC=true

.....

# Now we check if they all match, and execute the appropriate script depending
# on whether or not they did:
if [ "$CURRENT_ROUTER_MAC" = "$ROUTER_MAC" ] && ([ "$DYNAMIC" = true ] || [ "$CURRENT_WAN_IP" = "$WAN_IP" ]) \
     && [ "$CURRENT_HOSTNAME" = "$HOSTNAME" ]; then
  sh $AT_HOME_SCRIPT
else
  sh $NOT_AT_HOME_SCRIPT
fi
How are scripts evaluated? Will [ $CURRENT_WAN_IP = $WAN_IP ] always be looked at or does it depend on [DYNAMIC]?
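The evaluation question in the post above, answered in an added example that is not Meson's or win32sux's script: `&&` and `||` short-circuit, so a check only runs when the checks before it have not already decided the result, and a one-word test such as `[ DYNAMIC ]` is a non-empty-string test that always succeeds, so the flag has to be compared as a value. The example also carries win32sux's netblock suggestion for dynamic IPs through as an actual CIDR check. The MAC, the addresses and the hostname are placeholders.

```shell
#!/bin/sh
# Added example (not Meson's or win32sux's script). It shows how the shell
# evaluates the "am I at home?" test:
#   * "a && b": b runs only if a succeeded; "a || b": b runs only if a failed.
#     So the WAN check is skipped entirely once the MAC check has failed, and
#     in "dynamic || wan" the WAN comparison is skipped when dynamic is true.
#   * A one-word test such as "[ DYNAMIC ]" asks "is this string non-empty?",
#     and the literal word DYNAMIC never is, so it always succeeds. The flag
#     has to be compared as a value: [ "$DYNAMIC" = true ].
# Values below are placeholders (assumptions), not anyone's real network.

ROUTER_MAC="00:11:22:33:44:55"
WAN_IP="203.0.113.7"              # used when DYNAMIC=false (fixed address)
ISP_NETBLOCK="203.0.113.0/24"     # used when DYNAMIC=true (the netblock idea)
HOME_HOSTNAME="laptop"
DYNAMIC=${DYNAMIC:-false}

# Dotted quad -> 32-bit integer, in shell arithmetic only. The subshell keeps
# the IFS change from leaking into the caller.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Is address $1 inside CIDR block $2 (e.g. 203.0.113.0/24)?
ip_in_netblock() {
    net=${2%/*}; bits=${2#*/}
    ip_n=$(ip_to_int "$1"); net_n=$(ip_to_int "$net")
    shift_by=$((32 - bits))        # compare only the network-prefix bits
    [ $((ip_n >> shift_by)) -eq $((net_n >> shift_by)) ]
}

# Each check appends its name to CHECKS_RUN so the short-circuiting is visible.
mac_ok()  { CHECKS_RUN="$CHECKS_RUN mac";  [ "$1" = "$ROUTER_MAC" ]; }
host_ok() { CHECKS_RUN="$CHECKS_RUN host"; [ "$1" = "$HOME_HOSTNAME" ]; }
wan_ok() {
    CHECKS_RUN="$CHECKS_RUN wan"
    if [ "$DYNAMIC" = true ]; then
        ip_in_netblock "$1" "$ISP_NETBLOCK"   # dynamic: any address the ISP hands out
    else
        [ "$1" = "$WAN_IP" ]                   # fixed: exact match
    fi
}

# at_home CURRENT_MAC CURRENT_WAN_IP CURRENT_HOSTNAME -> status 0 when all
# three agree. The && chain stops at the first failing check.
at_home() {
    CHECKS_RUN=""
    mac_ok "$1" && wan_ok "$2" && host_ok "$3"
}

# What a bare "[ DYNAMIC ]" really does: succeeds whatever $DYNAMIC holds.
posted_dynamic_test() { [ DYNAMIC ]; }

if at_home "$ROUTER_MAC" "$WAN_IP" "$HOME_HOSTNAME"; then
    echo "at home; checks run:$CHECKS_RUN"
fi
```

After a call with a wrong MAC, `CHECKS_RUN` is just ` mac`: the WAN and hostname checks never ran. With `DYNAMIC=true`, `wan_ok` accepts any address inside `ISP_NETBLOCK` rather than one fixed address, which is the tweak win32sux said the proof-of-concept would need for dynamic IPs.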
 
  


Tags
firestarter, firewall, iptables

