Changing iptables on the fly

Hi,

I wonder what the right solution is for following setup:

I have created a small program to run on a Windows PC. This program sends a unique token via apache

formatting link
where 12345 also contains the IP address in an encrypted way. If the token is correct, the check.php file should now do something to enable FTP for that IP address. I was thinking of changing iptables rules to accept TCP on port 21 for that IP address. After a timeout period, the iptables rule will be removed.

- Is that a good and healthy way to think?

- Are there better solutions?

- Do I have to restart iptables every time I change something or is there another way?

- If I always have to restart, won't this interfere with other services that run on that server?

I'm sure some of you gurus can give me the correct answers.

Thanks in advance Jan

jandoemen

It involves FTP and PHP, so the answer is "NO". In capital letters.

That depends on what exactly you (or your users respectively) want to achieve.

You don't "restart iptables". iptables is just a tool to manipulate rules in netfilter, which is the packet filter of the Linux kernel.

cu

59cobalt
Ansgar -59cobalt- Wiechers

No. Better implement a secure authentication scheme instead of using an unencrypted token.

For example, you could implement some kind of challenge-response:

formatting link

The generic answer is: you don't need to. You can anytime modify one table only.

Yours, VB.

Volker Birk

What I want to do is to only open port 21 for those that have the tool (our users) so no one else can use or even try to hack port 21.

One step better would be SFTP but I'm looking for three years now for a working and good chroot solution. In that case I could use keys.

You stated that iptables shouldn't be restarted, that netfilter does all the good stuff, but how can I apply a changed rule then? Till now I did "service iptables restart".

Thanks Jan

jandoemen

That was pretty clear from your posting. The question is *why* you want to do that. What do you want to achieve with this implementation?

Why do you need chrooted SSH? Would rssh or scponly suffice? Could you use WebDAV?

Read Those Fine Manuals.

man iptables

formatting link
cu

59cobalt
Ansgar -59cobalt- Wiechers

Not enough information - what are you trying to do?

That's a variation on "Port Knocking" - point your browser at google, and you'll find a few solutions, threads, discussions, etc.

Web Results 1 - 10 of about 1,840,000 for port+knocking. (0.18 seconds)

Normal - allow "NEW" connections from that address for a minute - then remove the "NEW" rule - if a connection is made, the "ESTABLISHED" rule will handle the "rest" of the "conversation".

Not enough details - but probably not the best way to go. Using PHP is almost certainly a bad idea, and port knocking normally doesn't use a web service as the key. There really are _much_ better solutions. As one minor example of the disaster you are playing with - changing the firewall rules requires root privileges, and are you really so insane as to run apache as root?

No

iptables is a configuration tool. The firewall is already running as part of the kernel.

Only if you explain what you are doing, and what you have as a goal.

Your wonky web forum is actually forwarding this to a Usenet newsgroup. You'd have better results if you actually used a news reader directly, and looked at the 'comp.os.linux.security' newsgroup where this might be appropriate. Be sure to include information on what distribution you are using, and what version of that distribution.

Old guy

Moe Trin

Thanks to all of you especially Moe.

I didn't know there existed something like portknocking but I guess it's the same idea except for a few things I didn't find in other solutions.

After spending a few days studying the concept I have a few remarks:

Simple portknocking is not so very secure because of the same sequence every time. Dynamic knocking is better but more complex.

The main reason I'm looking for a web solution is:

- It works on port 80 so even when the company firewall is very secure ... if you can surf the Internet => it works.

- I prefer dynamic tokens above static port numbers.

- A small client can be written very easily in every language

So here are the rough steps of my idea:

- Client requests a normal URL, e.g.

formatting link

(where the token is a 32 or more character encrypted (MD5 or other) combination of the received token (read on) and the IP address)

- The web server (php/apache) will decrypt the received token and check if the "old token" is in a "valid token file" (read on)

- When the token is found in the file it will be removed.

- The IP address of the request is compared with the IP address in the received token.

- If all is OK, a new token is generated, written in the "valid token file" and sent to the client as response. The client will store it for use the next login.

- The correct port is opened where you still have to login with a valid user/pw combo

Does anyone know of an existing tool that will do similar things? If not ... I know I'm partly reinventing the wheel but it has to work on port 80 (or another port that is seldom blocked) and I like the aspect of unique keys.

What do you think? Any suggestions/remarks?

Thanks in advance. You all get a copy when it is ready ;-) Jan

jandoemen

The concept has been around since the 1980s.

and complexity is what trips people up all the time. Do not make things so complex that _your_ procedure is the major cause of problems. Also remember that port knocking is not a means of authentication, but a mechanism to reduce the hammering on your server by J. Random Skript_Kiddiez and the "mal-ware de heure". If someone manages to sniff the wire and discover the knock - they still have to come up with the username and authentication token, and that is where your security lies. When I first set up portknocking on my home system, I initially had it change port numbers daily... then weekly... and now I don't even bother, because the logs show no one has even attempted the knock (though there are hundreds of port-scans every day - a feature of wide-band access), never mind getting access to the SSH login to even _try_ a username.

Depends - like most larger companies, we use proxy servers and block direct access to the world. Remember that the company network is for company use - not the individual. We have several systems located in employee break areas that are separate from the company network so that we can check personal mail, and so on - it's actually how I'm posting this. But these systems have no removable media drives, and the users do not have administrative/root privileges and so can't install _ANY_ software. Users have access to three web browsers, three news readers, four mail tools, and a telnet and SSH client. All of these applications are configured to not remember passwords, cookies, or any other individual configurations. /home/guest is a tiny but separate partition, and the logout script removes all user owned files from that partition.

Don't make it too complicated.

Why is one needed? Again, the company systems here rarely have removable media (it's not needed to do the job), and our users don't have admin/root privileges on the company systems. Can you demonstrate why such privileges are needed to do your job?

Old guy

Moe Trin

Wow Moe, seldom had someone replying so in depth and with such a dedication. Thanks a lot already.

You convinced me to try the simple knock. Before I spend time trying the other 37 solutions I found, maybe you can tell me your opinion of what the best or a good PK daemon is. I would appreciate it very much.

Thanks Jan

jandoemen

I'm a network admin - I have to deal with complex solutions that are proposed by my users to solve elementary problems. Usually the real solution is a heck of a lot simpler than they are proposing.

What I'd suggest is using the firewall directly. You stated this was Linux, so that's 'iptables' otherwise known as 'netfilter'. So start with the unofficial HOWTOs from Rusty Russell

formatting link
to learn the options - the document you want is

[TXT] netfilter-extensions-HOWTO.txt 17-Oct-2004 14:34 79K

and the keyword you are looking for is 'recent' (section 3.16). To see one way this is used, look at

formatting link
- which uses an 'open' and 'close' knock, though he's using the default SSH port. I prefer a slightly different technique, of using the knock to open a non-default port (minor additional security) but only for a short time (the --seconds and --remove rules). You then depend on the 'established' rule to _maintain_ the connection. However this is all a personal preference rather than a 'best' vs 'not-so-good' situation.

By the way, the reason most people don't recommend the PHP technique you were proposing is simple. For your technique to work, you have to have an open port - and PHP is the _last_ thing I'd want exposed to the world. With the firewall based knock - either directly, or through a bash script that monitors the firewall logs[1], there is nothing open. Nothing open means nothing to exploit.

Old guy

[1]
formatting link
is one example with a link to a tarball (though it's a lot more complicated than need be)
Moe Trin
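The 'recent'-based knock Moe describes in his last two posts (a knock that opens a non-default port only for a short window, single use via the --seconds and --remove rules, with the ESTABLISHED rule carrying the connection afterwards) written out as a concrete rule set. This is an added example, not a script from the thread or from the HOWTOs it links; the knock port 1234, the SSH port 2222, the list name SSHKNOCK and the 30-second window are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one-knock "open for a short window" rule set
# built on the iptables 'recent' match. Assumed values (not the thread's):
# knock on TCP 1234, SSH moved to 2222, list named SSHKNOCK, 30-second window.
KNOCK_PORT=${KNOCK_PORT:-1234}
SERVICE_PORT=${SERVICE_PORT:-2222}
WINDOW=${WINDOW:-30}
LIST=${LIST:-SSHKNOCK}
IPT=${IPT:-iptables}

# Emit the rules instead of running them, so they can be reviewed first.
# Order matters: the ESTABLISHED rule sits before the per-SYN checks, so a session
# that is already open survives the window closing (that is the "maintain" part).
knock_rules() {
    cat <<EOF
# KNOCKED chain: consume the knock entry (single use), then accept the SYN.
$IPT -N KNOCKED
$IPT -A KNOCKED -m recent --name $LIST --remove
$IPT -A KNOCKED -j ACCEPT
# Packets of a connection that is already open are accepted regardless of the list.
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The knock: a SYN to the knock port records the source address and is then dropped,
# so the knock port itself never looks open to a scanner.
$IPT -A INPUT -p tcp --syn --dport $KNOCK_PORT -m recent --name $LIST --set -j DROP
# A SYN to the service port is accepted only if that address knocked within WINDOW seconds.
$IPT -A INPUT -p tcp --syn --dport $SERVICE_PORT -m recent --name $LIST --rcheck --seconds $WINDOW -j KNOCKED
# Everything else aimed at the service port is silently dropped: nothing open.
$IPT -A INPUT -p tcp --syn --dport $SERVICE_PORT -j DROP
EOF
}

# Number of iptables commands in the emitted set (handy as a sanity check).
rule_count() {
    knock_rules | grep -c "^$IPT "
}

# Apply for real only when explicitly asked (needs root and a fresh table, since -N
# fails if KNOCKED already exists); otherwise just print the rules for review.
if [ "${KNOCK_APPLY:-no}" = "yes" ]; then
    knock_rules | sh -e
else
    knock_rules
fi
```

On the client side the knock is nothing more than a TCP connect attempt to port 1234 followed within 30 seconds by the real SSH connection to 2222, so no extra software is needed beyond what any shell already has.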
