"ip tables" help on Ubuntu 9.04
I've been reading and trying everything about iptables, but can't seem to get it right. Here's what I need along with my server info.
This setup is for a classroom environment. I am using Ubuntu 9.04 Desktop for this setup. I have a local server set up behind a DMZ. I have only 1 ethernet card (eth0). I wish to have total internet access for my server so I can use Synaptic, the internet, etc. I get my DHCP IP address from the local router/switch, usually something like 10.229.1.87. I also have my server's MAC address to use, and would prefer to use it if possible.
I need to allow local classroom computers, based on their MAC address, access to SSH (through a shell) to write/do each student's work in their "jailed home", and access to my local web server (10.229.1.87) through Firefox so students can access my lessons. I put my lessons on my server (/var/www) for them to view.
I wish to DROP/REJECT all others trying anything else from within the DMZ. Logging would be nice, and perhaps then I can place them in "hosts.deny".
This is what I've gotten so far, which doesn't work.
#!/bin/bash
# Location of the iptables command
IPTABLES=/sbin/iptables
# Flush existing firewall rules
$IPTABLES -F
# Delete any extraneous chains which may exist from a previous script
$IPTABLES --delete-chain
# Change the default policy of all three chains to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# the server's own settings
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -m mac --mac-source 00:11:25:--:--:-- -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 21,22,80,443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT # allow loopback traffic
$IPTABLES -A OUTPUT -o lo -j ACCEPT # allow loopback traffic
# my laptop's settings wireless and hard-wired
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:17:--:--:--:-- -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:21:--:--:--:-- -j ACCEPT
# put each classroom computer's 'info' below
# computer #1
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# computer #2
# $IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,80,443 -m mac --mac-source 00:23:ae:--:--:-- --syn -m limit --limit 3/m -j ACCEPT
# etc for each local classroom computer
# drop others activity
# $IPTABLES -A INPUT -j DROP
# $IPTABLES -A FORWARD -j DROP
# $IPTABLES -A OUTPUT -j ACCEPT
# End
exit 0
Nothing works. From the server I can't access the internet. From my laptop, I can't ssh onto the server. From another internal LAN computer that shouldn't have access, I can't ssh, which is good.
I'm really bad with iptables, but I found that using fwbuilder helped a lot (should be in the Ubuntu repos somewhere). It's a nice graphical package that creates the iptables rules for you. You can build them on a different machine than you want to install on if so desired.
Okay let's start with your server. You basically want to allow inbound connections to TCP ports 21, 22, 80, and 443 from hosts within the same subnet and with a specific set of MAC addresses, while at the same time allowing all outbound connections from the server. Is my understanding correct? If so, this should do the trick:
Code:
#!/bin/sh
IPT="/sbin/iptables"
LAN="10.229.1.0/24"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
$IPT -N CHECK_MAC
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth0 -p TCP -m multiport --dports 21,22,80,443 -s $LAN \
--syn -m state --state NEW -j CHECK_MAC
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
# One ACCEPT rule per allowed MAC address (replace the placeholders with the real ones)
ALLOWED_MACS="XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX"
for MAC in $ALLOWED_MACS; do
    $IPT -A CHECK_MAC -m mac --mac-source $MAC -j ACCEPT
done
If my understanding of your intentions is not correct, please let me know and I'll make the appropriate changes for you. At this point, I'm starting to have doubts about whether you are referring to iptables rules on the server, or on a router/firewall sitting in front of it. As for your laptop, I would need you to elaborate a little bit before I could give you a script.
Last edited by win32sux; 06-30-2009 at 01:41 PM.
Reason: Trimmed some fat.
I got these errors related to "CHECK_MAC"
iptables v1.4.1.1: Couldn't load target `CHECK_MAC':/lib/xtables/libipt_CHECK_MAC.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
I made several changes to the script minutes after posting it, including a fix for the problem you just described. On a side note, make sure you edit the LAN variable accordingly (make it reflect your actual subnet).
Thank you win32sux!!! Your rewrite works!!! Yeehaw. I got the LAN variable first thing. I also added:
$IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
$IPT -A CHECK_MAC -j DROP
to the end again. Is it cool? Looks like it might work.
Question: What adjustments can prohibit DoS attacks via a student trying so from the classroom (approved MAC) on the ssh port? I'd like something around a 3/m limit per MAC address.
Thanks again.
PS -> By the way, if you are OK with it, I'm going to add you as "win32sux" from linuxquestions.org as a contributor to this project. I'm also going to add "blackhole54" for his contribution to an earlier script to prevent multiple users from logging on from the 'same' computer, i.e. to prevent copying (cheating).
Last edited by tuxhats; 06-30-2009 at 03:42 PM.
Reason: adjustment
Quote:
Thank you win32sux!!! Your rewrite works!!! Yeehaw.
I'm happy to hear that.
Quote:
I got the LAN variable first thing. I also added:
$IPT -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
$IPT -A CHECK_MAC -j DROP
to the end again. Is it cool? Looks like it might work.
Yeah, that should work fine. The packet would get sent to DROP at the end of the CHECK_MAC chain, instead of at the end of the INPUT chain. Even though the packet would have still been sent to DROP in my version, your addition makes it easy to spot packets that are being sent to DROP specifically because they don't match any of the allowed MACs. So yeah, I think it's cool.
Quote:
Question: What adjustments can prohibit DoS attacks via a student trying so from the classroom (approved MAC) on the ssh port? I'd like something around a 3/m limit per MAC address.
Maybe this thread can give you some ideas. I don't think the solution we ended up with there made use of MAC-based filtering, but it shouldn't be too hard to introduce with a few tweaks.
Quote:
PS -> By the way, if you are OK with it, I'm going to add you as "win32sux" from linuxquestions.org as a contributor to this project.
Sure, I'm totally cool with that.
Quote:
I'm also going to add "blackhole54" for his contribution to an earlier script to prevent multiple users from logging on from the 'same' computer, i.e. to prevent copying (cheating).
Awesome! Here's a link to that thread in case anyone wishes to check it out.
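One way to get the per-MAC SSH rate limit asked about above, built on the CHECK_MAC chain and the LOG/DROP tail discussed in this thread; this is an added example, not win32sux's or tuxhats's code. It assumes the MAC addresses shown (constructed placeholders), that INPUT already jumps only NEW SYN packets from the LAN into CHECK_MAC as in the script above, and a DRY_RUN switch of my own so the rules can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: per-MAC rate limiting of NEW SSH
# connections inside the CHECK_MAC chain from win32sux's script above.
# "-m limit" keeps one token bucket per rule, so one rule per MAC gives each
# classroom machine its own budget: 3 SYNs at once, then one every 20 seconds.
# Caveat: a MAC address is set by the client and can be changed freely, so this
# only raises the bar for a casual student; it is not a strong identity check.

# DRY_RUN=1 (the default) prints the rules instead of installing them, so the
# script can be reviewed without root; run with DRY_RUN=0 on the server.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "iptables $*"; else /sbin/iptables "$@"; fi
}

# Constructed placeholder MACs; replace with the classroom machines' real ones.
ALLOWED_MACS="02:00:00:00:00:01 02:00:00:00:00:02"
SSH_LIMIT="3/minute"   # the 3/m the thread asks for
SSH_BURST="3"

# Two rules per approved MAC: a rate-limited ACCEPT for new SSH connections,
# and an unlimited ACCEPT for the other allowed ports (21, 80, 443).
rules_for_mac() {
    mac="$1"
    ipt -A CHECK_MAC -m mac --mac-source "$mac" -p tcp --dport 22 \
        -m limit --limit "$SSH_LIMIT" --limit-burst "$SSH_BURST" -j ACCEPT
    ipt -A CHECK_MAC -m mac --mac-source "$mac" -p tcp -m multiport --dports 21,80,443 -j ACCEPT
}

# Fills CHECK_MAC. Only NEW SYN packets from the LAN reach this chain (the INPUT
# rule jumps here), so ESTABLISHED traffic is never counted against the limit.
build_check_mac() {
    for mac in $ALLOWED_MACS; do
        rules_for_mac "$mac"
    done
    # Whatever is left is an unknown MAC or an over-limit SSH attempt: an
    # over-limit SYN simply fails to match the limit rule and falls through to
    # here, where it is logged and dropped (tuxhats's addition, kept in place).
    ipt -A CHECK_MAC -j LOG --log-prefix "CHECK_MAC DROP: "
    ipt -A CHECK_MAC -j DROP
}

build_check_mac
```

Over-limit SSH attempts show up in the kernel log with the "CHECK_MAC DROP: " prefix alongside unknown-MAC packets, so the log prefix alone does not tell the two cases apart; the MAC address field in the log line does.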