Recently had an issue w/ an RPC application which would not use static ports. The process opened a dynamic port above 1024.
Using a GUI like Novell's YaST is a handy way to manage simple inbound service permissions. However dynamic ports cannot easily be added to the permitted service ports. A simple fix is to whitelist certain trusted hosts, permitting all traffic.
We created a BASH script w/ the iptables commands creating two custom chains, adding rules and updating the INPUT/OUTPUT/FORWARDING chains. The script is below:
#!/bin/bash
## Host WhiteList (permit) / BlackList (deny) Chains
##
## iptables also allows you to create custom chains,
## which can then be specified as a target to jump to.
## For example, you could create a so-called whitelist
## for trusted IP addresses, and a blacklist for evil
## nodes on the Internet.
##
## Stop on the first error: if a chain already exists, -N fails,
## so the jump rules below are not appended a second time.
set -e
## To create the chains, you would give the following
## commands:
# iptables -N whitelist
# iptables -N blacklist
iptables -N whitelist
iptables -N blacklist
## To add a rule to these chains (or any other chain), use:
# iptables -A whitelist -s 192.168.0.0/24 -j ACCEPT
# iptables -A blacklist -s 207.46.130.0/24 -j DROP
iptables -A whitelist -s 10.6.11.138/32 -j ACCEPT
iptables -A blacklist -s 10.6.12.98/32 -j DROP
## Then, specify these chains as a target in your
## INPUT, FORWARD and/or OUTPUT chain. The whitelist jump
## comes first, so a trusted host is accepted before the
## blacklist is consulted:
# iptables -A INPUT -j whitelist
# iptables -A INPUT -j blacklist
# iptables -A OUTPUT -j whitelist
# iptables -A OUTPUT -j blacklist
# iptables -A FORWARD -j whitelist
# iptables -A FORWARD -j blacklist
iptables -A INPUT -j whitelist
iptables -A INPUT -j blacklist
iptables -A OUTPUT -j whitelist
iptables -A OUTPUT -j blacklist
iptables -A FORWARD -j whitelist
iptables -A FORWARD -j blacklist

The next task is to integrate these w/ YaST's rules. We could run the script from rc.local, but integration w/ the native management utilities is preferred.
YaST stores its firewall settings in /etc/sysconfig/SuSEfirewall2. The file consists of attributes and values used to populate iptables. Locate FW_TRUSTED_NETS and add your networks there. Ex: FW_TRUSTED_NETS="10.6.11.138 10.13.16.0/23". A firewall restart is required to enable the changes. The script is below:
#!/bin/bash
## Configure Firewall Trusted Nets
## Space delimited hosts or networks
## Be sure to escape any '/' w/ leading '\' (sed uses '/' as its delimiter below)
## Ex: 158.93.190.0\/24 10.0.0.0\/9
set -e
NETS="10.6.11.138 10.13.16.0\/23"
FWCFG=/etc/sysconfig/SuSEfirewall2
TIMESTAMP=$(date +%Y%m%d-%H%M)
## Keep the original as a timestamped backup and rewrite the config from it
mv "$FWCFG" "$FWCFG.$TIMESTAMP"
## If the file has no FW_TRUSTED_NETS line, sed changes nothing; the grep
## below then fails and set -e stops the script before the restart
sed "s/^FW_TRUSTED_NETS.*$/FW_TRUSTED_NETS=\"$NETS\"/" "$FWCFG.$TIMESTAMP" > "$FWCFG"
echo "Original firewall trusted nets"
echo "from backup file $FWCFG.$TIMESTAMP"
grep ^FW_TRUSTED_NETS "$FWCFG.$TIMESTAMP"
echo "Current firewall trusted nets"
echo "from configuration file $FWCFG"
grep ^FW_TRUSTED_NETS "$FWCFG"
/sbin/rcSuSEfirewall2 restart
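As an added example (not the post's own script), the same FW_TRUSTED_NETS edit as a function that validates each entry as an IPv4 host or CIDR network before touching the file, uses '|' as the sed delimiter so no '/' escaping is needed, and appends the line when the config lacks one. The config path is a parameter so it can be tried on a copy first; the firewall restart is left to the caller.

```bash
#!/bin/bash
# Added example, not from the original post: edit FW_TRUSTED_NETS in a
# SuSEfirewall2-style config without the '/' escaping the post's script needs.
set -eu

# Accept only a dotted-quad IPv4 host, optionally with a /NN prefix length.
valid_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# set_trusted_nets CONFIG "net net ..."
# Validates every entry, backs CONFIG up with a timestamp, then replaces
# (or appends) the FW_TRUSTED_NETS line. Prints the resulting line and
# returns non-zero, leaving CONFIG untouched, if any entry is malformed.
set_trusted_nets() {
    local cfg=$1 nets=$2 n
    for n in $nets; do
        valid_net "$n" || { echo "bad network: $n" >&2; return 1; }
    done
    local backup="$cfg.$(date +%Y%m%d-%H%M)"
    cp -p "$cfg" "$backup"
    if grep -q '^FW_TRUSTED_NETS=' "$cfg"; then
        # '|' as the sed delimiter, so '/' in CIDR masks needs no escaping
        sed -i "s|^FW_TRUSTED_NETS=.*$|FW_TRUSTED_NETS=\"$nets\"|" "$cfg"
    else
        printf 'FW_TRUSTED_NETS="%s"\n' "$nets" >> "$cfg"
    fi
    grep '^FW_TRUSTED_NETS=' "$cfg"
}
```

After a successful run, /sbin/rcSuSEfirewall2 restart applies the change as in the post's script.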