Old 06-07-2011, 03:31 PM
Jonathan Billings
 
open port in iptables for specific length of time

On Tue, Jun 07, 2011 at 09:33:44AM -0500, Steven Buehler wrote:
> We have a system that is locked down and you have to use a key to get ssh
> access to it. We have employees and customers that are on dynamic IP's that
> keep switching. They don't have root access. What I am trying to do is
> create a script that they can log into and it will get their current IP
> address and open the firewall for a specified length of time. Once open,
> they would still have to use their public/private key to ssh into it. I
> agree this isn't perfect, but it is better than just leaving that port open
> to the world all the time.


You probably want to use the "recent" module.

You need to add something like this to your /etc/sysconfig/iptables:

# this is necessary to allow already connected sessions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# simple port knocking
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited


This is a simple "knock" that requires that you send a packet to port
12345 on the host (it doesn't matter if it fails. You could simply
hit http://hostname:12345/ and it would work.) Once you've done that,
you have 5 minutes (300 seconds) to connect to the SSH port. Once
you've connected, all further traffic is granted by the
RELATED,ESTABLISHED state rule at the top, which is probably already
in your iptables rules. Any other connections are blocked.

The 'recent' module publishes the currently "allowed" IPs in
/proc/net/ipt_recent/remotessh (for this example in RHEL5) if you want
to monitor it somehow. In newer kernels on Fedora, it's
/proc/net/xt_recent/.

If you're really paranoid, you can change the 2 port knocking lines above into:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 12344 -m recent --remove --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12345 -m recent --set --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12346 -m recent --remove --name remotessh --rsource
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --rcheck --seconds 300 --name remotessh --rsource -j ACCEPT

This way, if someone port-scans the host, they won't get added to the
list of allowed ports because it'll be immediately removed as the port
scans are typically traversing ports incrementally.

--
Jonathan Billings <jsbillin@umich.edu>
College of Engineering - CAEN - Unix and Linux Support

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
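As an added illustration (not part of the post or of iptables itself), a small Python model of how the two rule sets above treat NEW TCP packets, showing why the three-port variant keeps an incremental port scan from earning a slot in the "recent" list. The rule lists mirror the post; the client address and timings are constructed.

```python
# Added model (not from the post) of how the iptables rules above treat NEW TCP
# packets.  A rule is (dport, "set"), (dport, "remove") or (dport, ("rcheck", N)).
# "set"/"remove" rules carry no -j, so the packet falls through to the catch-all
# REJECT; only an --rcheck hit inside the window reaches -j ACCEPT.  The client
# address and timings are constructed sample data.

SIMPLE_KNOCK = [(12345, "set"), (22, ("rcheck", 300))]
PARANOID_KNOCK = [(12344, "remove"), (12345, "set"),
                  (12346, "remove"), (22, ("rcheck", 300))]
CLIENT = "192.0.2.10"  # constructed: RFC 5737 documentation range


def evaluate(rules, packets):
    """Run (src, dport, seconds) packets through the rules; one verdict each.

    last_seen stands in for the --name remotessh list of xt_recent: one
    timestamp per source address (--rsource)."""
    last_seen = {}
    verdicts = []
    for src, dport, now in packets:
        verdict = "REJECT"  # -A INPUT -j REJECT --reject-with icmp-host-prohibited
        for port, action in rules:
            if port != dport:
                continue
            if action == "set":
                last_seen[src] = now  # --set: add or refresh the entry
            elif action == "remove":
                last_seen.pop(src, None)  # --remove: forget the source
            else:  # --rcheck --seconds N -j ACCEPT (rcheck does not refresh)
                seen = last_seen.get(src)
                if seen is not None and now - seen <= action[1]:
                    verdict = "ACCEPT"
                    break
        verdicts.append(verdict)
    return verdicts


def knock_then_ssh(rules, delay):
    """Knock on 12345 at t=0, then open an SSH connection delay seconds later."""
    return evaluate(rules, [(CLIENT, 12345, 0), (CLIENT, 22, delay)])


def scan_then_ssh(rules):
    """Incremental scan of 12344..12346, one packet per second, then try SSH."""
    scan = [(CLIENT, port, t) for t, port in enumerate((12344, 12345, 12346))]
    return evaluate(rules, scan + [(CLIENT, 22, 10)])


if __name__ == "__main__":
    for name, rules in (("simple", SIMPLE_KNOCK), ("paranoid", PARANOID_KNOCK)):
        print(name, knock_then_ssh(rules, 60), scan_then_ssh(rules))
```

With the simple rules the scan's hit on 12345 is enough to open the SSH window; with the paranoid rules the following hit on 12346 removes the entry again before port 22 is tried.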
 
Old 06-07-2011, 04:49 PM
"Steven Buehler"
 
open port in iptables for specific length of time

> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of eugenejvr
> Sent: Tuesday, June 07, 2011 9:56 AM
> To: General Red Hat Linux discussion list
> Subject: Re: open port in iptables for specific length of time
>
> Look at this...
> http://www.cyberciti.biz/tips/iptables-for-restricting-access-by-time-of-
> day.html
>
> hope it helps
>
> --
>
> Eugene Jansen van Rensburg
> eMail: eugenejvr@gmail.com
>
> "Quit is NOT an option"
>
>
> On Tue, Jun 7, 2011 at 16:33, Steven Buehler <steve@ibushost.com> wrote:
> >
> > I have been googling for this and haven't found it. I know I have
> > seen it before and thought that it was an iptables command and not a
> > separate script, but I can't remember as it has been a while since I
> > have seen it.
> > What I want to do is to open a port on the firewall with iptables for
> > a set time, like 5 hours and then after 5 hours, it will close the port
> > again.
> > Can anybody point me in the right direction, or if it is a command of
> > iptables, maybe post that for me?
> >
> > We have a system that is locked down and you have to use a key to get
> > ssh access to it. We have employees and customers that are on dynamic
> > IP's that keep switching. They don't have root access. What I am
> > trying to do is create a script that they can log into and it will get
> > their current IP address and open the firewall for a specified length
> > of time. Once open, they would still have to use their public/private
> > key to ssh into it. I agree this isn't perfect, but it is better than
> > just leaving that port open to the world all the time.
> >
> > Any help would be appreciated
> >
> > thanks
> >
> > Steve
> >
> > --

Thanks Eugene, but it seems that the stock rpm of iptables for v 5.x doesn't
include the libipt_time.so. These systems need to be as "stock" as possible
instead of compiling from source.


