Hi I have installed ISPconfig and must say think it is a fantastic application , thankyou so much to the developers. I was wondering if it is possible to configure the ISPconfig firewall so that you can limit ssh access to certain IP addresses? With my other linux server I have an explicit REJECT in /etc/sysconfig/iptables for port 22 and then just add an ACCEPT in for the source IP addresses I want to accept and it works well. -A RH-Firewall-1-INPUT -p tcp -m tcp -s 172.16.8.35 --dport 22 --syn -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j REJECT Where is the script or config file for the ISPconfig firewall? Can I manually edit the script without breaking anything? I dont like having ssh access open to anyone. Thanks in advance Matt.
The script is: /etc/Bastille/bastille-firewall.cfg You will have to change the master file too: /root/ispconfig/isp/conf/bastille-firewall.cfg.master Then run: /etc/init.d/bastille-firewall restart
I found that I wasnt able to add ACLs directly to the bastille-firewall.cfg script. After doing some reading, here is my how-to and hopefully others will find it useful: In this case I want to restrict ssh access to only one IP address (you can configure it for any number depending on your needs) I order to restrict access to certain source IPs for certain protocols, using the Bastille-firewall setup you need to firstly create a new directory under /etc/Bastille. This directory needs to be called firewall.d #cd /etc/Bastille #mkdir firewall.d You then need to create a new file within the newly created directory called post-rule-setup.sh #cd firewall.d #vi post-rule-setup.sh This is the file where any IPTABLES rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of IPTABLES is required but once you get the hang of it, it is easy enough. So in my case I want to allow ssh access to only 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this: /sbin/iptables -I INPUT -p tcp -m tcp -s 123.34.56.789 --dport 22 --syn -j ACCEPT /sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT The first line accepts ssh (tcp port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match in this case 123.34.56.789 then all traffic bound for port 22 will be denied. Ok now we have our rule we need to restart bastille.cfg #/etc/init.d/bastille-firewall restart A successfully read script will yield the following Setting up IP spoofing protection... done. Allowing traffic from trusted interfaces... done. Setting up chains for public/internal interface traffic... done. Setting up general rules... done. Setting up outbound rules... done The last line is the one we are interested in. If your IPTABLES rules are not understood or written incorrectly then you will get the following output when you restart bastille.cfg Setting up IP spoofing protection... done. Allowing traffic from trusted interfaces... done. Setting up chains for public/internal interface traffic... done. Setting up general rules... done. Setting up outbound rules..../post-rule-setup.sh: line 5: -I: command not found done You will need to go back into your post-rule-setup.sh and modify it. You can specify a subnet simply by using for example 192.168.0.0/24 notation in your rule set Cheers Matt
I realize this thread is (really) old, but for those who arrive via searching for this solution- its important to note that if you use the commands given in the previous example, you will effectively block ssh completely. Using "-I" inserts the rule into the top of the chain by default, so the rule rejecting all ssh traffic ends up being the first rule in the chain. Personally, I do something similar to this: ############################################### ##/etc/Bastille/firewall.d/post-rule-setup.sh ##Uncomment statements/rules per your requirements ## #ip_address=<trusted_admin_IP> #ssh_port=<22 or your_ssh_port> #ispconfig_admin_port=<8080 or your_ispconfig_port> #mysql_ip=<trusted_MySQL_IP> #mysql_port=<3306 or your_MySQL_port> #iptables=</sbin/iptables or path to your iptables> ##restrict access to the ISPConfig web interface to one or more specific IPs #$iptables -I PUB_IN -p tcp -s $ip_address --dport $ispconfig_admin_port -j ACCEPT ##restrict ssh access to one or more specific IPs (make sure you have an ##alternate method of access in case your IP changes) #$iptables -I PUB_IN -p tcp -s $ip_address --dport $ssh_port -j ACCEPT ##restrict MySQL access to one or more specific IPs #$iptables -I PUB_IN -p tcp -s $ip_address --dport $mysql_port -j ACCEPT ##some of these may be unnecessary/redundant depending on your sysctl ##settings: ##null packets #$iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP ##SYN flood #$iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP ##XMAS packets #$iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP #$iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP ##fragments #$iptables -I INPUT -f -j DROP ############################################### If you open ports using this method, be sure to leave them closed on the firewall configuration page in the ISPConfig web interface. Always verify your configuration (iptables -L -n -V) after resetting Bastille.