LinuxQuestions.org


paranoid times 02-23-2010 02:23 AM

Add rule to iptables on login.
 
I'm looking for a way to add a rule that would whitelist my IP address when I log in with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like.

Any ideas on how I could do this?

Thanks,
Michael

centosboy 02-23-2010 08:56 AM

Quote:

Originally Posted by paranoid times (Post 3873496)
I'm looking for a way to add a rule that would whitelist my IP address when I log in with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like.

Any ideas on how I could do this?

Thanks,
Michael


Use sudo.
Just make sure only you have access to /sbin/iptables as a sudo user.
Yes, the command can be added in your .bash_profile.

sudo file

Code:

# Cmnd alias specification
Cmnd_Alias IPTABLES = /sbin/iptables

# User privilege specification
username ALL = NOPASSWD: IPTABLES

then just add the relevant command to .bash_profile or start up file of your choice
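An added example of what that .bash_profile command can look like (example code, not from centosboy's post or the thread): it validates the client address taken from SSH_CONNECTION before handing it to the sudo'd iptables, and checks with -C before inserting so repeated logins do not stack duplicate rules. It assumes the sudoers entry above for /sbin/iptables; the IPTABLES variable is a hypothetical hook so the script can be exercised against a stub instead of the real binary.

```shell
#!/bin/bash
# Added example, not from the thread: whitelist the SSH client's address
# from ~/.bash_profile, using the sudoers entry for /sbin/iptables above.

# Print the client IPv4 address from an SSH_CONNECTION value of the form
# "client_ip client_port server_ip server_port"; return 1 on anything else.
ssh_client_ip() {
    local conn="$1" ip octet
    set -- $conn
    [ "$#" -eq 4 ] || return 1
    ip="$1"
    # Dotted quad only: rejects IPv6, empty octets and stray characters.
    case "$ip" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Rule text shared by the existence check (-C) and the insert (-I), so
# both always refer to the identical rule and the login stays idempotent.
whitelist_rule() {
    printf 'INPUT -s %s/32 -j ACCEPT\n' "$1"
}

# Insert the rule unless it is already present. IPTABLES (hypothetical
# hook) defaults to the sudo'd binary and can point at a stub for testing.
whitelist_ssh_client() {
    local ip
    ip="$(ssh_client_ip "${SSH_CONNECTION-}")" || return 1
    ${IPTABLES:-sudo /sbin/iptables} -C $(whitelist_rule "$ip") 2>/dev/null ||
        ${IPTABLES:-sudo /sbin/iptables} -I $(whitelist_rule "$ip")
}

# .bash_profile is read by interactive login shells; only act there, and
# only when sshd set SSH_CONNECTION (a console login has none).
case $- in
    *i*) [ -n "${SSH_CONNECTION-}" ] && whitelist_ssh_client ;;
esac
```

The sudoers entry grants the whole iptables command, so the validation here guards against malformed input rather than acting as a privilege boundary.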

paranoid times 02-23-2010 01:36 PM

Well that could work. The only thing is I was hoping to have all users who successfully login be whitelisted. I can't think of a not ugly way to do that without giving everyone iptables access.

Unless there is some way to have sshd run a command after a successful login. That should be run as root and potentially would only happen during an SSH login. Knowing ssh it would be viewed as a major security flaw and is probably denied.

Well still looking around for that perfect solution. But for now I think I'll go with iptables restricted to me with sudo. Thank you for the suggestion.

chrism01 02-23-2010 08:04 PM

I'd look at ForceCommand http://www.openbsd.org/cgi-bin/man.c...nfig&sektion=5 and possibly Subsystem.
Quote:

ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of ``internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.

Hopefully 'user's login shell' means their shell, e.g. bash, but run as sshd, and give sshd sudo access to iptables.
