Hi, I have installed ISPConfig and must say I think it is a fantastic application; thank you so much to the developers. I was wondering if it is possible to configure the ISPConfig firewall so that you can limit SSH access to certain IP addresses? With my other Linux server I have an explicit REJECT in /etc/sysconfig/iptables for port 22 and then just add an ACCEPT for the source IP addresses I want to accept, and it works well.

-A RH-Firewall-1-INPUT -p tcp -m tcp -s 172.16.8.35 --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j REJECT

Where is the script or config file for the ISPConfig firewall? Can I manually edit the script without breaking anything? I don't like having SSH access open to anyone.

Thanks in advance, Matt.
The script is: /etc/Bastille/bastille-firewall.cfg

You will have to change the master file too: /root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then run:

/etc/init.d/bastille-firewall restart
I found that I wasn't able to add ACLs directly to the bastille-firewall.cfg script. After doing some reading, here is my how-to, and hopefully others will find it useful.

In this case I want to restrict SSH access to only one IP address (you can configure it for any number depending on your needs).

In order to restrict access to certain source IPs for certain protocols using the Bastille firewall setup, you first need to create a new directory under /etc/Bastille. This directory needs to be called firewall.d:

#cd /etc/Bastille
#mkdir firewall.d

You then need to create a new file within the newly created directory called post-rule-setup.sh:

#cd firewall.d
#vi post-rule-setup.sh

This is the file where any iptables rules can be entered. When you restart bastille.cfg the script is read and the rules applied. A knowledge of iptables is required, but once you get the hang of it, it is easy enough.

So in my case I want to allow SSH access to only 123.34.56.789 and deny it to ALL other IP addresses, so my post-rule-setup.sh file will look like this:

/sbin/iptables -I INPUT -p tcp -m tcp -s 123.34.56.789 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT

The first line accepts SSH (TCP port 22) connections only from 123.34.56.789 and the second line denies ALL other source IP addresses. If there is no match (in this case 123.34.56.789), then all traffic bound for port 22 will be denied.

OK, now we have our rule we need to restart bastille.cfg:

#/etc/init.d/bastille-firewall restart

A successfully read script will yield the following:

Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done

The last line is the one we are interested in.

If your iptables rules are not understood or are written incorrectly, then you will get the following output when you restart bastille.cfg:

Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules..../post-rule-setup.sh: line 5: -I: command not found
done

You will need to go back into your post-rule-setup.sh and modify it. You can specify a subnet simply by using, for example, 192.168.0.0/24 notation in your rule set.

Cheers, Matt
Thanks punto for your explanation. Just something extra in case people come across the same problem I did.

In addition to the file "post-rule-setup.sh" you can also add a file called "pre-chain-split.sh" in the same directory. Any commands you put in "pre-chain-split.sh" will be executed BEFORE the standard firewall rules. This is useful when you want to allow packets through which are normally dropped due to preceding firewall rules. E.g. I added rules to allow Samba just for my home IP address:

iptables -A INPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A INPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -s [OK_REMOTE_IP] -p udp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT
iptables -A OUTPUT -s [OK_REMOTE_IP] -p tcp -m multiport --destination-ports 445,135,136,137,138,139 -j ACCEPT

There are 4 rules to account for the variations of UDP/TCP and INPUT/OUTPUT chains.

The iptables commands explained:

-A Which chain to append the rule to
-s The source address(es)
-p Protocol (udp/tcp for Samba)
-m Modules to load (in this case multiport)
--destination-ports The parameter to the multiport module specifying the Samba ports.
-j Jump to another chain. In this case ACCEPT
Strange, it does not work on my Linux box. I made the following rule:

Code:
/sbin/iptables -I INPUT -p tcp -m tcp -s 213.143.90.139 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT

213.143.90.139 is the PC from which I want to access my Linux box. (Later on I would copy/paste the first line for a few other IPs.)

When I restart the firewall everything seems OK:

Code:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.

But after it I can't SSH to my Linux box.
Actually, it's a bit complicated. Yes they are, but some special VLANs were made etc... However, if I check last -i:

admin pts/0 213.143.90.139 Mon Nov 20 19:27 - 20:26 (00:59)

So I am logged in from the 213.143.90.139 IP. My server is on 212.72.115.185. I hope I can solve this somehow. I also tried to allow one IP from a remote location, but it also does not work.

Code:
krneki:/etc/Bastille/firewall.d # vi post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # ll
total 4
-rw-r--r-- 1 root root 150 2006-11-24 17:12 post-rule-setup.sh
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d #
rule disabled

Code:
krneki:/ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (11 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

rule enabled:

Code:
krneki:/etc/Bastille/firewall.d # /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
krneki:/etc/Bastille/firewall.d # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
ACCEPT     tcp  --  89.212.94.160        anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PAROLE (11 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (4 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ftp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ssh
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:smtp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:domain
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:http
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:hosts2-ns
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:pop3
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:https
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:ndmp
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:mysql
PAROLE     tcp  --  anywhere             anywhere            tcp dpt:soap-http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:soap-http
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
That was the IP of the remote PC I am trying to add to the allow list. (Currently I am at home and trying to connect to it.) But it does not allow me to connect.
Please switch off the firewall, then try to connect to the system and have a look at /var/log/auth.log at the same time. Is the IP address of the system that you're connecting from logged correctly? Or is a different IP address logged (maybe due to NATting)?
Can't find auth.log anywhere.

Code:
krneki:/var/log # ll
total 35508
-rw-r----- 1 root   root     5262 2006-11-24 16:04 acpid
drwxr-x--- 2 root   root     4096 2006-11-26 22:01 apache2
-rw-r----- 1 root   root        0 2006-11-15 21:50 boot.log
-rw-r--r-- 1 root   root    32252 2006-11-24 16:04 boot.msg
-rw-r--r-- 1 root   root    35654 2006-11-24 16:02 boot.omsg
drwxr-xr-x 2 wwwrun root     4096 2006-11-26 22:01 cacti
-rw------- 1 root   root   288168 2006-11-20 21:44 faillog
drwxr-xr-x 2 root   root     4096 2006-11-27 00:30 httpd
-rw-r--r-- 1 root   root    18799 2006-11-23 18:28 ispconfig_install.log
drwx------ 2 root   root     4096 2006-05-02 09:03 krb5
-rw-r--r-- 1 root   tty   3506044 2006-11-27 18:29 lastlog
-rw-r----- 1 root   root     4220 2006-11-21 18:34 localmessages
-rw-r----- 1 root   root  2913193 2006-11-27 18:29 mail
-rw-r----- 1 root   root      146 2006-11-24 16:04 mail.err
-rw-r----- 1 root   root  3211790 2006-11-27 18:29 mail.info
-rw-r----- 1 root   root   299694 2006-11-26 22:01 mail.info-20061126.bz2
-rw-r--r-- 1 root   root 11936823 2006-11-26 23:59 mail.ispconfigsave
-rw-r----- 1 root   root      613 2006-11-26 21:48 mail.warn
-rw-r----- 1 root   root   854429 2006-11-27 18:30 messages
lrwxrwxrwx 1 root   root       23 2006-11-15 22:19 mysqld.log -> ../lib/mysql/mysqld.log
drwxr-x--- 2 news   news     4096 2006-11-15 21:27 news
-rw-r--r-- 1 root   root     5418 2006-11-24 16:08 ntp
-rw-r--r-- 1 root   root    11760 2006-11-24 17:48 scpm
-rw-r----- 1 root   root   136511 2006-11-27 16:34 warn
-rw-rw-r-- 1 root   tty     61440 2006-11-27 18:29 wtmp
-rw-rw-r-- 1 root   tty      9504 2006-11-17 22:00 wtmp-20061117.bz2
-rw-rw-r-- 1 root   tty     10888 2006-11-25 22:00 wtmp-20061125.bz2
-rw-r--r-- 1 root   root   566138 2006-11-27 18:29 xferlog
-rw-r--r-- 1 root   root 14558779 2006-11-26 23:59 xferlog.ispconfigsave
drwx------ 3 root   root     4096 2006-11-24 18:11 YaST2
-rw-r----- 1 root   root   373772 2006-11-27 15:36 zmd-backend.log
-rw-r----- 1 root   root   132397 2006-11-15 22:00 zmd-backend.log-20061115.bz2
-rw-r----- 1 root   root   356771 2006-11-16 22:00 zmd-backend.log-20061116.bz2
-rw-r----- 1 root   root   155100 2006-11-17 22:00 zmd-backend.log-20061117.bz2
-rw-r----- 1 root   root    47752 2006-11-20 22:00 zmd-backend.log-20061120.bz2
-rw-r----- 1 root   root    76112 2006-11-22 22:00 zmd-backend.log-20061122.bz2
-rw-r----- 1 root   root    68516 2006-11-23 22:00 zmd-backend.log-20061123.bz2
-rw-r----- 1 root   root    55366 2006-11-26 22:01 zmd-backend.log-20061126.bz2
-rw-r--r-- 1 root   root     2510 2006-11-27 16:34 zmd-messages.log
-rw------- 1 root   root    16523 2006-11-15 23:12 zmd-messages.log.2006-11-15
-rw------- 1 root   root    83036 2006-11-16 18:50 zmd-messages.log.2006-11-16
-rw------- 1 root   root    17748 2006-11-17 22:22 zmd-messages.log.2006-11-17
-rw------- 1 root   root     2502 2006-11-18 18:44 zmd-messages.log.2006-11-18
-rw------- 1 root   root     2433 2006-11-19 18:34 zmd-messages.log.2006-11-19
-rw------- 1 root   root     2510 2006-11-20 18:24 zmd-messages.log.2006-11-20
-rw------- 1 root   root     2502 2006-11-21 10:00 zmd-messages.log.2006-11-21
-rw------- 1 root   root     7387 2006-11-22 23:59 zmd-messages.log.2006-11-22
-rw------- 1 root   root     8499 2006-11-23 19:37 zmd-messages.log.2006-11-23
-rw------- 1 root   root     2502 2006-11-24 17:04 zmd-messages.log.2006-11-24
-rw------- 1 root   root     2826 2006-11-25 16:54 zmd-messages.log.2006-11-25
-rw------- 1 root   root     2510 2006-11-26 16:44 zmd-messages.log.2006-11-26

However, in last I can see my IP:

Code:
admin pts/0 195.95.158.246 Mon Nov 27 18:29 still logged in

Code:
krneki:/var/log # vi /etc/Bastille/firewall.d/post-rule-setup.sh
/sbin/iptables -I INPUT -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
Actually, if you take a look at your iptables -L output, you'll see that the REJECT rule is preceding the ACCEPT rule. And the way you make it work is: the post-rule-setup.sh is applied from last-to-first rule, and if you put the REJECT before the ACCEPT it will apply them correctly to the firewall.
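The mechanics behind the ordering the thread ran into, as an added example that is not code from the thread, ISPConfig or Bastille: iptables -I CHAIN with no position number inserts at position 1, the head of the chain, so each successive -I line lands above the previous one, and the kernel takes the first rule that matches. The script below models just that subset of iptables in Python and evaluates the thread's post-rule-setup.sh, the same two lines in reversed order, a variant with explicit positions (-I INPUT 1 / -I INPUT 2), and an -A variant. The Rule and Packet classes, the two-rule stand-in for the INPUT chain Bastille has already built, and the client address 203.0.113.7 are constructed for illustration; 195.95.158.246 is the address from the thread.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    syn: bool = True                 # a fresh connection attempt


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None        # single address or CIDR, e.g. 192.168.0.0/24
    dport: Optional[int] = None
    syn: bool = False

    def matches(self, pkt: Packet) -> bool:
        in_src = self.src is None or (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False))
        return (in_src and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport) and (pkt.syn or not self.syn))


def parse_rule(cmd: str):
    """Parse the iptables subset used in the thread: -I/-A CHAIN [n], -p, -m, -s, --dport, --syn, -j."""
    argv = shlex.split(cmd)
    if argv and argv[0].endswith("iptables"):
        argv = argv[1:]
    action = chain = position = None
    rule = Rule(target="")
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt in ("-I", "-A"):
            action, chain, i = opt, argv[i + 1], i + 2
            if opt == "-I":          # optional 1-based position; iptables defaults to 1, the head
                position = 1
                if i < len(argv) and argv[i].isdigit():
                    position, i = int(argv[i]), i + 1
        elif opt == "--syn":
            rule.syn, i = True, i + 1
        elif opt == "-m":
            i += 2                   # match-module name; nothing to model here
        elif opt in ("-p", "-s", "-j", "--dport"):
            field = {"-p": "proto", "-s": "src", "-j": "target", "--dport": "dport"}[opt]
            setattr(rule, field, int(argv[i + 1]) if opt == "--dport" else argv[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported iptables option {opt!r}")
    if action is None or not rule.target:
        raise ValueError("rule needs -I/-A CHAIN and -j TARGET")
    return action, chain, position, rule


def apply_script(script: str, base: Optional[List[Rule]] = None) -> List[Rule]:
    """Apply the script's INPUT commands, line by line, to a copy of `base`."""
    chain = list(base or [])
    for line in script.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, target_chain, position, rule = parse_rule(line)
        if target_chain != "INPUT":
            raise ValueError("only the INPUT chain is modelled")
        if action == "-A":
            chain.append(rule)                # tail: after everything Bastille built
        else:
            chain.insert(position - 1, rule)  # -I: in front of whatever is there now
    return chain


def decide(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    return next((r.target for r in chain if r.matches(pkt)), policy)


# Constructed, simplified stand-in for the INPUT chain Bastille has already built
# when post-rule-setup.sh runs (compare the thread's `iptables -L`): the
# PUB_IN -> PAROLE path accepts ssh from anywhere, followed by a catch-all DROP.
BASTILLE_BASE = [Rule("ACCEPT", proto="tcp", dport=22), Rule("DROP")]

ALLOWED = "195.95.158.246"           # the address the thread wants to let in
OTHER = "203.0.113.7"                # constructed: some other client (TEST-NET-3)

# The thread's post-rule-setup.sh: two -I commands, ACCEPT line first.
THREAD_SCRIPT = """
/sbin/iptables -I INPUT -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
"""
# Same two lines, REJECT first (the order the thread ends up recommending).
REVERSED_SCRIPT = "\n".join(reversed(THREAD_SCRIPT.strip().splitlines()))
# Original order, but each line says where in the chain it goes.
EXPLICIT_SCRIPT = """
/sbin/iptables -I INPUT 1 -p tcp -m tcp -s 195.95.158.246 --dport 22 --syn -j ACCEPT
/sbin/iptables -I INPUT 2 -p tcp -m tcp --dport 22 --syn -j REJECT
"""
# Original order, appended instead of inserted.
APPEND_SCRIPT = THREAD_SCRIPT.replace("-I INPUT", "-A INPUT")


def ssh_outcomes(script: str) -> Dict[str, str]:
    """Verdict for a new SSH connection from each client once the script has run."""
    chain = apply_script(script, BASTILLE_BASE)
    return {name: decide(chain, Packet("tcp", ip, 22))
            for name, ip in (("allowed", ALLOWED), ("other", OTHER))}


if __name__ == "__main__":
    for name, script in (("thread", THREAD_SCRIPT), ("reversed", REVERSED_SCRIPT),
                         ("explicit", EXPLICIT_SCRIPT), ("append", APPEND_SCRIPT)):
        print(f"{name:9s} {ssh_outcomes(script)}")
```

Running it needs only python3, no iptables. The thread's script ends with the REJECT above the ACCEPT, so even the allowed address is rejected, which is exactly what the enabled-rule iptables -L output in the thread shows. Reversing the two lines, or keeping the order and writing -I INPUT 1 for the ACCEPT and -I INPUT 2 for the REJECT, puts the ACCEPT first. The -A variant shows why appending is not an alternative in post-rule-setup.sh: both rules land after the PUB_IN -> PAROLE path that already accepts ssh from anywhere, so the restriction never takes effect.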