I made a GIF!

Whitelist and Blacklist w/ IPTables

Recently had an issue w/ an RPC application which would not use static ports: the process listened on a dynamically assigned port above 1024, so there was no fixed port number to open on the firewall.

Using a GUI like Novell's YaST is a handy way to manage simple inbound service permissions.  However, dynamic ports cannot easily be added to the permitted service ports.  A simple fix is to whitelist certain trusted hosts, permitting all traffic from them (so only hosts you genuinely trust belong on that list, since every port on this machine becomes reachable from them).

We created a BASH script w/ the iptables commands creating two custom chains, adding rules and updating the INPUT/OUTPUT/FORWARD chains.  The script is below:

#!/bin/bash
## Host WhiteList (permit) / BlackList (deny) Chains
##
## iptables also allows you to create custom chains,
## which can then be specified as a target to jump to.
## For example, you could create a so-called whitelist
## for trusted IP addresses, and a blacklist for evil
## nodes on the Internet.
##
## To create the chains, you would give the following
## commands:
#       iptables -N whitelist
#       iptables -N blacklist

## -N fails if the chain already exists, so on a re-run flush the
## existing chain instead of aborting.
iptables -N whitelist 2>/dev/null || iptables -F whitelist
iptables -N blacklist 2>/dev/null || iptables -F blacklist

## To add a rule to these chains (or any other chain), use:
#       iptables -A whitelist -s 192.168.0.0/24 -j ACCEPT
#       iptables -A blacklist -s 207.46.130.0/24 -j DROP

## -s matches the remote host as the packet's source (INPUT/FORWARD).
## On the OUTPUT chain the remote host is the destination, so a
## matching -d rule is needed for the chains to cover both directions.
iptables -A whitelist -s 10.6.11.138/32 -j ACCEPT
iptables -A whitelist -d 10.6.11.138/32 -j ACCEPT
iptables -A blacklist -s 10.6.12.98/32 -j DROP
iptables -A blacklist -d 10.6.12.98/32 -j DROP

## Then, specify these chains as a target in your
## INPUT, FORWARD and/or OUTPUT chain:
#       iptables -A INPUT -j whitelist
#       iptables -A INPUT -j blacklist
#       iptables -A OUTPUT -j whitelist
#       iptables -A OUTPUT -j blacklist
#       iptables -A FORWARD -j whitelist
#       iptables -A FORWARD -j blacklist

## The whitelist jump comes first, so a trusted host is accepted before
## the blacklist is consulted.  -A appends after any rules already in the
## built-in chain; if an earlier rule already drops the traffic the jump
## is never reached (use -I to insert at the top in that case).  A stale
## jump from an earlier run is deleted first so re-running the script
## does not stack duplicate jumps.
for chain in INPUT OUTPUT FORWARD; do
    for target in whitelist blacklist; do
        iptables -D $chain -j $target 2>/dev/null
        iptables -A $chain -j $target
    done
done

The next task is to integrate these w/ YaST's rules.  We could run the script from rc.local, but integration w/ the native management utilities is preferred.

YaST stores its firewall settings in /etc/sysconfig/SuSEfirewall2.  The file consists of attributes and values used to populate iptables.  Locate FW_TRUSTED_NETS and add your hosts or networks there, space delimited.  Ex: FW_TRUSTED_NETS="10.6.11.138 10.13.16.0/23".  A firewall restart is required to enable the changes.  The script is below:
#! /bin/bash

## Configure Firewall Trusted Nets
## Space delimited hosts or networks
## '|' is used as the sed delimiter below, so a '/' in a
## CIDR prefix needs no escaping.
## Ex: 158.93.190.0/24 10.0.0.0/9
NETS="10.6.11.138 10.13.16.0/23"

FWCFG=/etc/sysconfig/SuSEfirewall2
TIMESTAMP=$(date +%Y%m%d-%H%M)

## The attribute must be present and uncommented; otherwise the sed
## below would silently change nothing.
if ! grep -q '^FW_TRUSTED_NETS=' "$FWCFG"; then
    echo "FW_TRUSTED_NETS not found in $FWCFG" >&2
    exit 1
fi

## Keep a timestamped backup (cp -p preserves mode and owner, which
## mv plus a redirected sed would not), then edit in place.
cp -p "$FWCFG" "$FWCFG.$TIMESTAMP"
sed -i "s|^FW_TRUSTED_NETS=.*$|FW_TRUSTED_NETS=\"$NETS\"|" "$FWCFG"

echo "Original firewall trusted nets "
echo "from backup file $FWCFG.$TIMESTAMP"
grep ^FW_TRUSTED_NETS "$FWCFG.$TIMESTAMP"
echo "Current firewall trusted nets"
echo "from configuration file $FWCFG"
grep ^FW_TRUSTED_NETS "$FWCFG"

/sbin/rcSuSEfirewall2 restart
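
As an added example that is not part of the original post, the bash functions below perform the FW_TRUSTED_NETS rewrite from the procedure above with the checks a reusable script wants: each entry is validated as an IPv4 host or CIDR before the file is touched, a commented-out key is ignored and the key is appended when the file lacks one.  It assumes GNU sed (for -i) and leaves the firewall restart to the post's script.

```shell
#!/bin/bash
# Added example, not from the original post: update FW_TRUSTED_NETS in a
# SuSEfirewall2-style config with input validation.  Assumes GNU sed (-i).
# Unlike the post's one-liner, '|' is the sed delimiter so '/' needs no
# escaping, and an invalid entry leaves the file untouched.

valid_net() {
    # accept a.b.c.d or a.b.c.d/nn (octets 0-255, prefix 0-32); reject anything else
    local ip="${1%%/*}" pfx="${1#*/}" dots o
    [ "$pfx" = "$1" ] && pfx=32                      # no '/': a single host
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    dots="${ip//[!.]/}"; [ "${#dots}" -eq 3 ] || return 1
    for o in ${ip//./ }; do [ "$o" -le 255 ] || return 1; done
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ]
}

set_trusted_nets() {
    # $1 = config file, remaining args = hosts/networks; returns 1 and
    # leaves the file untouched if any entry is invalid
    local cfg="$1" net; shift
    local nets="$*"
    for net in $nets; do
        valid_net "$net" || { echo "invalid entry: $net" >&2; return 1; }
    done
    cp -p "$cfg" "$cfg.$(date +%Y%m%d-%H%M%S)"       # timestamped backup, mode preserved
    if grep -q '^FW_TRUSTED_NETS=' "$cfg"; then      # an uncommented key: replace its value
        sed -i "s|^FW_TRUSTED_NETS=.*$|FW_TRUSTED_NETS=\"$nets\"|" "$cfg"
    else                                             # no active key: append one
        printf 'FW_TRUSTED_NETS="%s"\n' "$nets" >> "$cfg"
    fi
}

get_trusted_nets() {
    # print the active (uncommented) value without its quotes
    sed -n 's|^FW_TRUSTED_NETS="\(.*\)"$|\1|p' "$1"
}
```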
