Re: iptables & tcp wrappers
From: Luis M (lemsx1_at_latinomixed.com)
Date: 10/03/04
- Previous message: Tom Walsh: "Re: iptables & tcp wrappers"
- Maybe in reply to: Francisco R. Romo Alfaro: "Re: iptables & tcp wrappers"
- Next in thread: Thomas Chiverton: "Re: iptables & tcp wrappers"
- Reply: Thomas Chiverton: "Re: iptables & tcp wrappers"
- Reply: Matthew Baker: "Re: iptables & tcp wrappers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Meatplow <greg@meatplow.com>
Date: Sat, 02 Oct 2004 21:12:25 -0400
On Fri, 2004-09-24 at 13:57 -0700, Meatplow wrote:
> Hello.
<snip>
> My basic input command is this :
> #iptables -A INPUT -p tcp -s PUT_IP_HERE -d 0/0 --syn -j DROP
Hello,
I know this has been answered in many ways already, but this is yet
another approach. There is a nifty package called Firestarter that has a
nice way to create a firewall, but unfortunately it needs X support and
the script it creates is kind of simplistic and oriented towards a
desktop computer. However, you can tweak it to open certain ports, and
then use the resulting files (under /etc/firestarter; especially
firewall.sh) and copy this file to the server in question. Then you will
copy the init from /etc/init.d/firestarter and modify it so that it
doesn't require the firestarter binary to load your rules
(/etc/firestarter/firewall.sh).
Now this is the cool part about using this approach: you will edit your
hosts.deny file to deny everything explicitly, unless it's under
hosts.allow. And in hosts.allow you will have these rules:
# a list of allowed IPs
sshd ssh: aa.bb.cc.dd
# spawns a process that adds the offending IP to the blocked-hosts
# file and reloads the firewall
sshd ssh: ALL : spawn ( /etc/firestarter/slap-this-bitch %a %d ) & : DENY
The "slap-this-bitch" script looks like this:
----- CUT HERE -----
#!/bin/sh
#
# Luis Mondesi | lemsx1 # hotmail ! com
# 2003-09-10 00:15 UTC
#
# This script slaps a host or ip:
# it adds it to the
#
#   /etc/firestarter/blocked-hosts
#
# file and then reloads the
#
#   /etc/firestarter/firewall.sh
#
# script
#
# args:
#   $1 = ip or hostname
#   $2 = service
#
# example:
#   slap-this-bitch aa.bb.cc.dd sshd
#
# This is called from hosts.allow like this:
#
#   sshd ssh: ALL : spawn ( /path/to/slap-this-bitch %h %d ) & : DENY
#
if [ -n "$1" ]; then
    # record the offender, then rebuild the firewall rules so the
    # new entry takes effect immediately
    echo "$1" >> /etc/firestarter/blocked-hosts \
        && /etc/firestarter/firewall.sh
    # if you want an email sent to report this:
    if [ -n "$2" ]; then
        echo "Host has been blocked for life [ tried to use $2 ]: $1." \
            | /usr/bin/mail -s "Host Blocked all access $2-$1" root
    else
        echo "Host has been blocked for life: $1" \
            | /usr/bin/mail -s "Host Blocked all access $1" root
    fi
else
    echo "Wrong arguments sent to $0" \
        | /usr/bin/mail -s "Wrong arguments" root
fi
----- END CUT ------
This means that if somebody from an unknown IP (or a not allowed one)
tries to access your box, it will get blocked from all other services.
You might want to play around with this in non-production systems first,
but it works beautifully. The only bad thing is that it's very mean, but
if the box that we are talking about only has certain services open to
the public, there is no reason why people should be trying to connect to
it using SSH or port scan you to probe for things. So if they are mean
to you, why not be mean back? Eventually you might want to cut some of
those IPs loose, which you can do by simply deleting them from
blocked-hosts.
Hope this helps,
-- 
----)(-----
Luis M
System Administrator
LatinoMixed.com
lemsx1@latinomixed.com
Slowly and surely the unix crept up on the Nintendo user ...
http://www.latinomixed.com/
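The spawn hook in the message above appends whatever tcp wrappers hands it straight into blocked-hosts. The following is an added example, not Luis's script, showing a stricter version of the same hook: it accepts only a dotted-quad IPv4 address (the `%a` form used in the hosts.allow line, not the `%h` hostname), refuses anything else, skips addresses already listed so the firewall is not reloaded needlessly, and reports distinct exit codes. The BLOCKED_HOSTS and RELOAD_CMD variables are hypothetical additions so the hook can be tried against a scratch file; the default paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not the script from the post above: a stricter variant of the
# hosts.allow spawn hook. Before touching the blocked-hosts file it checks that
# the argument really is a dotted-quad IPv4 address (tcp wrappers' %a), so a
# hostname or any other string cannot end up in the list, and it skips
# addresses that are already listed so the firewall is not reloaded twice.
#
# Hypothetical knobs (not in the original): BLOCKED_HOSTS and RELOAD_CMD may be
# set in the environment so the hook can be exercised against a scratch file.
BLOCKED_HOSTS="${BLOCKED_HOSTS:-/etc/firestarter/blocked-hosts}"
RELOAD_CMD="${RELOAD_CMD:-/etc/firestarter/firewall.sh}"

# is_ipv4 ADDR: succeed only for a.b.c.d where each octet is 0-255.
is_ipv4() {
    addr=$1
    # reject empty input, anything but digits and dots, leading/trailing dots, ".."
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # split on dots and require exactly four groups
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1   # no 0000-style padding
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# already_blocked ADDR: succeed if ADDR is already a whole line in the list.
already_blocked() {
    [ -f "$BLOCKED_HOSTS" ] && grep -qxF -- "$1" "$BLOCKED_HOSTS"
}

# block_host ADDR [SERVICE]: append ADDR to the list and reload the firewall.
# Exit status: 0 blocked and reloaded, 2 argument rejected, 3 already listed.
block_host() {
    target=$1
    service=${2:-unknown}
    if ! is_ipv4 "$target"; then
        echo "$0: refusing to block '$target' (service $service): not an IPv4 address" >&2
        return 2
    fi
    if already_blocked "$target"; then
        return 3
    fi
    printf '%s\n' "$target" >> "$BLOCKED_HOSTS" || return 1
    "$RELOAD_CMD"
}

# When invoked from hosts.allow, the client address and daemon arrive as
# arguments (spawn ( /path/to/hook %a %d )); do nothing when sourced bare.
if [ "$#" -ge 1 ]; then
    block_host "$@"
fi
```

Because the validation happens before the write, a client whose reverse DNS record contains shell metacharacters or a newline never reaches the blocked-hosts file, and the exit code 3 path lets a repeat offender be ignored instead of triggering another full firewall reload.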