On 17 Dec 14:54, Alex Scotton wrote:
Hi All,
Hey ho! (Yeah, I know, it took me till the new year to reply... but in fairness, I only read this this morning! I was on holiday and not in front of a keyboard mostly!)
I rarely post to this list; mainly due to a lack of knowledge... but find the email chains fascinating and very informative.
Lack of knowledge isn't a problem - and questions are always welcomed...
I was hoping you could help me out with a few security adjustments on my home development server running Ubuntu 10.10; I would like to achieve the following setup with iptables and maybe a script in sshd_config?
- Accept any connection from within the LAN (192.168.0.*)
- Deny all from outside the LAN (except to ports 22, 80, 443, and the range 8000 to 8999)
That's fairly simple to do to start with :)
(the above is admittedly easily done with a Google search) but my skills can't quite stretch to finding out how to add an exception to iptables for the IP of any authenticated ssh session and, on timeout or disconnect, remove that exception. I could then allow external developers to develop on a private port range (7000-7999, as I do internally) by just connecting to ssh with their public key.
OK - so with a bit of playing, I reckon this can mostly be done using nothing more than iptables...
Note: This only covers the last bit!
here goes nothing...
# For hosts that are in the recent table named sshlogin allow
# connections to ports 7000 -> 7999 for up to 30 minutes after the last
# interactive packet from the ssh connection
iptables -I INPUT 1 --proto tcp \
    -m multiport --destination-ports 7000:7999 \
    -m recent --rcheck --name sshlogin --seconds 1800 \
    -j ACCEPT

# For anything but the LAN and things matched by the rule above, reject
# packets to ports 7000 -> 7999
iptables -I INPUT 2 --proto tcp \
    -m multiport --destination-ports 7000:7999 \
    ! --source 192.168.0.0/24 \
    -j REJECT

# When ssh has established a connection it will send back a tos of 0x10
# in the interactive packets, we use that to update the sshlogin recent
# table - this only gets set (as far as I can tell) after a successful
# login. We check it server side rather than client side because I trust
# the server to be more sane.
# Note: --set adds the peer (--rdest = the destination address of this
# outbound packet) to the list and refreshes its timestamp if it is already
# there; --update on its own only refreshes entries that already exist and
# never creates one, so the list would stay empty.
iptables -A OUTPUT --proto tcp \
    -m tos --tos 0x10 \
    --source-port 22 \
    -m recent --set --rdest --name sshlogin \
    -j ACCEPT
I haven't done extensive testing on that, though it appeared to work for me quite nicely!
If you need the rest of the firewall written too, then I suspect I can do that later tonight ;)
Cheers,
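The complete firewall the question asks for, written up as an added example rather than code from either message above. It builds on the same idea as the reply (sshd marking interactive packets with TOS 0x10, recorded in an xt_recent list named sshlogin with a 30-minute grace period) and adds the LAN allow, the public ports and the default deny. The LAN range 192.168.0.0/24, the dev range 7000-7999, the public ports 22/80/443 and 8000-8999, the iptables-restore(8) format and the /proc/net/xt_recent interface are this example's own choices, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete ruleset for the setup
# discussed above, emitted in iptables-restore(8) format.
# Assumptions (not stated on the page): LAN 192.168.0.0/24, list name
# "sshlogin", 30-minute grace, dev ports 7000-7999, public ports 22/80/443
# and 8000-8999, and an sshd that marks interactive packets with TOS 0x10.
LAN=${LAN:-192.168.0.0/24}
DEV_PORTS=${DEV_PORTS:-7000:7999}
PUBLIC_PORTS=${PUBLIC_PORTS:-22,80,443,8000:8999}
LIST=${LIST:-sshlogin}
GRACE=${GRACE:-1800}

# Print the ruleset. INPUT policy is DROP, so "deny all from outside" is
# the fallthrough and every ACCEPT below is an explicit exception. Order
# matters: loopback and established traffic first, then the LAN, then the
# public ports, then the dev ports gated on the recent list, then REJECT.
build_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN -j ACCEPT
-A INPUT -p tcp -m multiport --dports $PUBLIC_PORTS -j ACCEPT
-A INPUT -p tcp --dport $DEV_PORTS -m recent --rcheck --name $LIST --seconds $GRACE -j ACCEPT
-A INPUT -p tcp --dport $DEV_PORTS -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp --sport 22 -m tos --tos 0x10 -m recent --set --rdest --name $LIST -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (needs root); a syntax error leaves the
# running ruleset untouched.
apply_rules() {
    build_rules | iptables-restore
}

# Show who currently has dev-port access and when they were last seen;
# the kernel exposes each recent list under /proc/net/xt_recent/.
show_sessions() {
    cat "/proc/net/xt_recent/$LIST"
}

# Revoke one address before its grace period expires.
revoke_session() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

case "${1:-print}" in
    apply)  apply_rules ;;
    show)   show_sessions ;;
    revoke) revoke_session "$2" ;;
    *)      build_rules ;;
esac
```

Run it with no arguments to review the generated ruleset, `apply` to load it, `show` to list the addresses currently granted dev-port access, and `revoke <ip>` to drop one early. Two things to keep in mind: the ESTABLISHED rule means a dev-port connection that is already open stays open after the grace period, only new connections are refused; and the recent list is capped (100 addresses by the module's default ip_list_tot), which is plenty for a handful of developers but worth knowing if the host is busy.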