I'm looking for a way to add a rule that would whitelist my ip address when I login with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like.
Any ideas on how I could do this?
Thanks,
Michael
Use sudo.
Just make sure only you have access to /sbin/iptables as a sudo user.
Yes, the command can be added in your .bash_profile.
sudoers file:
Code:
# Cmnd alias specification
Cmnd_Alias IPTABLES = /sbin/iptables
# User privilege specification
# Note: this permits the named user to run /sbin/iptables with any arguments, without a password
username ALL = NOPASSWD: IPTABLES
Then just add the relevant command to .bash_profile or the startup file of your choice.
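One way to wire this up from .bash_profile, as an added example and not code from the thread: a POSIX sh script that validates the address taken from SSH_CONNECTION before it reaches the sudo'd iptables call (the sudoers entry above allows any iptables arguments, so the input check is what keeps the automation from being fed arbitrary rule text), and uses iptables -C so a repeat login does not add a duplicate rule. The chain override SSH_WHITELIST_CHAIN and the script name ssh-whitelist.sh are assumed names.

```shell
#!/bin/sh
# Added example (not from the thread): validate the client address taken from
# SSH_CONNECTION before handing it to "sudo /sbin/iptables", and insert the
# accept rule only once per address. Assumes the sudoers entry from the reply
# above (NOPASSWD for /sbin/iptables); SSH_WHITELIST_CHAIN is a hypothetical
# override for the chain name and defaults to INPUT.

# SSH_CONNECTION is "client_ip client_port server_ip server_port".
# Print the client IP only if it is a well-formed IPv4 address: the sudoers
# entry allows any iptables arguments, so nothing unvalidated may reach it.
# (IPv6 sessions are rejected here; they would need ip6tables.)
ssh_client_ip() {
    set -- $1                       # split the variable on whitespace
    [ $# -eq 4 ] || return 1
    ip=$1
    case "$ip" in                   # digits and dots only, no empty octet
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1        # exactly four octets ...
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1   # ... each in 0-255
    done
    printf '%s\n' "$ip"
}

# Build one argument list that serves both the check (-C) and the insert (-I).
ssh_whitelist_rule() {
    printf '%s\n' "-s $1 -p tcp --dport $2 -j ACCEPT"
}

# Whitelist the current session's client, skipping duplicates on repeat logins.
whitelist_current_session() {
    ip=$(ssh_client_ip "${SSH_CONNECTION:-}") ||
        { echo "no usable SSH_CONNECTION; not an SSH login?" >&2; return 1; }
    set -- $SSH_CONNECTION          # server port is the fourth field
    case "$4" in ''|*[!0-9]*) return 1 ;; esac
    chain=${SSH_WHITELIST_CHAIN:-INPUT}
    rule=$(ssh_whitelist_rule "$ip" "$4")
    # -C exits 0 when an identical rule already exists; $rule is split on purpose
    sudo /sbin/iptables -C "$chain" $rule 2>/dev/null ||
        sudo /sbin/iptables -I "$chain" $rule
}

# Apply only when asked, e.g. from ~/.bash_profile:  sh ssh-whitelist.sh --apply
if [ "${1:-}" = "--apply" ]; then
    whitelist_current_session
fi
```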
Well that could work. The only thing is I was hoping to have all users who successfully login be whitelisted. I can't think of a not ugly way to do that without giving everyone iptables access.
Unless there is some way to have sshd run a command after a successful login. That should be run as root and potentially would only happen during an SSH login. Knowing ssh, it would be viewed as a major security flaw and is probably denied.
Well, still looking around for that perfect solution. But for now I think I'll go with iptables restricted to me with sudo. Thank you for the suggestion.
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of ``internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.
Hopefully 'user's login shell' means their shell, e.g. bash, but run as sshd, and give sshd sudo access to iptables.