Author: mslinn (Apprentice; joined 24 Sep 2004; posts: 206; location: Half Moon Bay, CA)
Posted: Sun Oct 10, 2004 5:47 am
Post subject: Controlling ssh using tumbler and iptables
I needed to set up iptables on a machine's external NIC, and to enable ssh to a specific client IP address using a knock variant. Several variants of knock exist; I chose tumbler. 'Knocking' is merely sending a request to open a tcp port, using an IP packet with the SYN bit set. The server never acts on the connection setups that tcp knocks request, but it still notices them because libpcap is used to detect them. tcp knocks are detected even if a firewall like iptables is set to screen out connections to the ports in question.
When knocking on tcp ports, do not open the firewall for ssh prior to the knock; that defeats the purpose of the knock.
After the knock is recognized, the firewall should open only the minimum number of ports, only to the specific IP address that knocked, and the ports should be closed again as soon as possible.
udp packets, being connectionless, aren't really 'knocks', but a sniffer sees no response when the server reads a udp packet, just as it sees none for the unacknowledged tcp connection requests that we are calling 'knocks'. Unlike a tcp knock setup, however, the firewall must be configured to let the udp 'knock' packet in.
Tumbler uses udp, not tcp, so it isn't really 'knocking', but it is more secure than 'knock' in that the encrypted string it sends can't be sniffed and replayed.
Tumbler installation instructions for Gentoo
Code:
$ sudo mkdir -p /usr/local/portage/net-firewall/tumbler
$ cd /usr/local/portage/net-firewall/tumbler
$ sudo wget http://umn.dl.sourceforge.net/sourceforge/tumbler/tumbler.tar.gz
$ sudo tar xzf tumbler.tar.gz
$ sudo mv tumbler /usr/bin/
$ sudo mv tumblerd /usr/sbin/
$ # Ensure that the firewall allows FTP to pass!
$ sudo emerge ncftp ftp # required by MCPAN
$ sudo perl -MCPAN -e shell
# If this is the first time you run MCPAN, accept all defaults by pressing enter until it asks for
# your favorite CPAN sites. Use these:
# http://ftp.sedl.org/pub/mirrors/CPAN/
# ftp://ftp.kernel.org/pub/CPAN/ and
# ftp://ftp-mirror.internap.com/pub/CPAN/
# also install Bundle::CPAN
cpan> install Term::ReadKey Digest::SHA
cpan> quit
If you are just using tumbler to access other sites that are running tumblerd, you don't need to do any more configuration. Skip to the test step at the end.
Make /etc/tumblerd.conf like this:
Code:
# $Id$
## The knockd config file parser errors on blank comment lines
## so we use two octothorpes for blank lines
##
# The common section contains configuration options for the tumblerd daemon.
# Set the UDP port to listen on to any port you choose that is greater than
# 1024 (I show port 9876) and define the log file. The same UDP port must be
# let in by the firewall script, or the knocks never reach tumblerd.
[common]
port = 9876
log = /var/log/tumblerd.log
# Each door that a user can knock on is defined by a unique [door-X] section;
# here there is one open-ssh door per user. tumblerKnock also understands a
# close-ssh door, so a [door-close-ssh-USER1] section with its own secret
# could be added to close the port on demand.
##
# Each door has a secret (i.e. the password for this door that is part of the
# knock) and a command to execute.
##
# In the command it's possible to use the macros %IP% for the IP address of
# the person who knocked and %NAME% for the name of the door (in the first door
# here the name is open-ssh-USER1)
[door-open-ssh-USER1]
secret = reallyLongStringOfGobbledegookHere
command = /usr/local/bin/tumblerKnock %IP% %NAME%
[door-open-ssh-USER2]
secret = anotherReallyLongStringHere
command = /usr/local/bin/tumblerKnock %IP% %NAME%
Make /etc/init.d/tumblerd like this:
Code:
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

depend() {
    need iptables
}

checkconfig() {
    if [ ! -e /etc/tumblerd.conf ] ; then
        eerror "You need an /etc/tumblerd.conf file to run tumblerd"
        return 1
    fi
}

start() {
    checkconfig || return 1
    ebegin "Starting tumblerd"
    start-stop-daemon -b -m --start --pidfile /var/run/tumblerd.pid --startas /usr/sbin/tumblerd
    eend $?
}

stop() {
    ebegin "Stopping tumblerd"
    start-stop-daemon --stop --quiet --pidfile /var/run/tumblerd.pid
    eend $?
}
/usr/local/bin/tumblerKnock is invoked by tumblerd once a user's key is recognized. It opens the firewall so that a new ssh connection can be established from the 'knocking' IP address only, then closes it again after $SLEEP seconds.
Code:
#!/bin/bash
# $Id$
# Invoked by tumblerd as: tumblerKnock %IP% %NAME%
IP=$1
DOOR=$2
SLEEP=10
IPTABLES="/sbin/iptables"
LOG=/var/log/tumblerd.log
# accept ssh connections from any IP
#SSH_ARGS="allow-ssh-traffic-in -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT"
# only accept ssh connections from $IP
SSH_ARGS="allow-ssh-traffic-in -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT -s $IP"
CMD_OPEN="$IPTABLES -A $SSH_ARGS"
CMD_CLOSE="$IPTABLES -D $SSH_ARGS"
# The door names in tumblerd.conf carry a per-user suffix (open-ssh-USER1, ...),
# so match on the prefix. The commands are run by plain expansion; wrapping
# them in backticks would run them and then try to execute their (empty) output.
case $DOOR in
    open-ssh*)
        $CMD_OPEN
        echo "$(date +"%a %b %e %H:%M:%S %Y:") $CMD_OPEN" >> $LOG
        sleep $SLEEP
        $CMD_CLOSE
        echo "$(date +"%a %b %e %H:%M:%S %Y:") $CMD_CLOSE" >> $LOG
        ;;
    close-ssh*)
        $CMD_CLOSE
        echo "$(date +"%a %b %e %H:%M:%S %Y:") $CMD_CLOSE" >> $LOG
        ;;
    *) echo "$0: Error - $DOOR is an unknown door" ;;
esac
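The door handler above trusts whatever tumblerd hands it as %IP%, blocks the daemon for the whole sleep, and stacks a duplicate rule if a user knocks twice. The following is an added, hardened variant (my own example, not the original script or anything shipped with tumbler) that validates the address before it reaches the iptables command line, uses iptables -C to stay idempotent, and closes the door from a background subshell. It assumes the allow-ssh-traffic-in chain from the firewall script exists; IPTABLES, LOG and OPEN_SECS are assumed environment overrides.

```shell
#!/bin/sh
# Hardened door handler (added example, not the original tumblerKnock script).
# Assumed to be run by tumblerd as "tumblerKnock %IP% %NAME%"; the
# allow-ssh-traffic-in chain must already exist. Env overrides are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LOG="${LOG:-/var/log/tumblerd.log}"
OPEN_SECS="${OPEN_SECS:-10}"
# Accept only a dotted-quad IPv4 address. The value lands on an iptables
# command line, so anything else is rejected instead of being passed through.
validate_ip() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Rule spec (everything after -A/-D/-C): accept a new SSH connection attempt
# from the knocking address only.
rule_spec() {
    printf '%s' "allow-ssh-traffic-in -s $1 -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT"
}
log_line() {
    printf '%s %s\n' "$(date '+%a %b %e %H:%M:%S %Y:')" "$*" >> "$LOG"
}
open_door() {
    spec=$(rule_spec "$1")
    # -C succeeds when the rule is already present; do not stack duplicates
    if $IPTABLES -C $spec 2>/dev/null; then
        log_line "ssh already open for $1"
        return 0
    fi
    $IPTABLES -A $spec && log_line "opened ssh for $1"
}
close_door() {
    spec=$(rule_spec "$1")
    # remove every copy so a stray duplicate cannot keep the door open
    while $IPTABLES -C $spec 2>/dev/null; do
        $IPTABLES -D $spec || break
    done
    log_line "closed ssh for $1"
}
# Exit status: 0 handled, 1 unknown door, 2 malformed address.
main() {
    ip=$1 door=$2
    validate_ip "$ip" || { log_line "rejected malformed address '$ip'"; return 2; }
    case $door in
        open-ssh*)
            open_door "$ip"
            # close later from the background so tumblerd is not blocked; sessions
            # established meanwhile survive via the ESTABLISHED rule in the chain
            ( sleep "$OPEN_SECS"; close_door "$ip" ) >/dev/null 2>&1 &
            ;;
        close-ssh*) close_door "$ip" ;;
        *) log_line "unknown door '$door'"; return 1 ;;
    esac
}
if [ $# -eq 2 ]; then main "$@"; fi
```

Because the SYN-only rule is what is added and removed, an ssh session opened during the window keeps working after the door closes, while new connection attempts are dropped again.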
Here is a script that sets up iptables. Feel free to modify it for your own needs:
Code:
#!/bin/bash
# $Id$
# Email and web server iptables settings
# Port assignments are described at http://www.chebucto.ns.ca/~rakerman/port-table.html
# Well-known port numbers: http://www.iana.org/assignments/port-numbers
IPTABLES=/sbin/iptables
IINTERFACE=eth0
DNS1=1.2.3.4
DNS2=1.2.3.5
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -X
#default rule
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
$IPTABLES -A allowed-connection -j DROP
#ICMP traffic
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp --icmp-type echo-reply -j ACCEPT # "pong"; "ping" is the same as echo-request above
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP
#Allow incoming ssh
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 5/s -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m limit --limit 5/s -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
# Enable the next line via port knocking to allow new connections
#$IPTABLES -A allow-ssh-traffic-in -m limit --limit 5/s -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
# Let Tumbler knocks in: this must be the same UDP port as "port =" in /etc/tumblerd.conf (9876 above)
$IPTABLES -A allow-ssh-traffic-in -p udp --dport 9876 -m state --state NEW -j ACCEPT
#Allow incoming http
$IPTABLES -N allow-www-traffic-in
$IPTABLES -F allow-www-traffic-in
$IPTABLES -A allow-www-traffic-in -p tcp --sport 1024: --dport www -m state --state NEW -j ACCEPT
$IPTABLES -A allow-www-traffic-in -p tcp --sport 1024: --dport https -m state --state NEW -j ACCEPT
#Allow incoming email
$IPTABLES -N allow-email-traffic-in
$IPTABLES -F allow-email-traffic-in
$IPTABLES -A allow-email-traffic-in -p tcp --dport smtp -m state --state NEW -j ACCEPT
$IPTABLES -A allow-email-traffic-in -p tcp --dport imaps -m state --state NEW -j ACCEPT
#Allow incoming ftp
$IPTABLES -N allow-ftp-in
$IPTABLES -F allow-ftp-in
$IPTABLES -A allow-ftp-in -p tcp --dport 21 -m state --state NEW -j ACCEPT # ftp
$IPTABLES -A allow-ftp-in -p udp --dport 21 -m state --state NEW -j ACCEPT # ftp
$IPTABLES -A allow-ftp-in -p tcp --dport 20 -m state --state NEW -j ACCEPT # ftp-data
$IPTABLES -A allow-ftp-in -p udp --dport 20 -m state --state NEW -j ACCEPT # ftp-data
#Allow incoming misc traffic
$IPTABLES -N allow-misc-in
$IPTABLES -F allow-misc-in
$IPTABLES -A allow-misc-in -p tcp --dport 1720 -m state --state NEW -j ACCEPT # h323hostcall
$IPTABLES -A allow-misc-in -p udp --dport 1720 -m state --state NEW -j ACCEPT # h323hostcall
$IPTABLES -A allow-misc-in -p tcp --dport ldap -m state --state NEW -j ACCEPT # LDAP 389
$IPTABLES -A allow-misc-in -p udp --dport ldap -m state --state NEW -j ACCEPT # LDAP 389
$IPTABLES -A allow-misc-in -p tcp --dport ldaps -m state --state NEW -j ACCEPT # LDAPS 636
$IPTABLES -A allow-misc-in -p udp --dport ldaps -m state --state NEW -j ACCEPT # LDAPS 636
$IPTABLES -A allow-misc-in -p tcp --dport 554 -m state --state NEW -j ACCEPT # rtsp (Quicktime 4)
$IPTABLES -A allow-misc-in -p udp --dport 554 -m state --state NEW -j ACCEPT # rtsp (Quicktime 4)
$IPTABLES -A allow-misc-in -p tcp --dport 7070 -m state --state NEW -j ACCEPT # RTSP (Real)
$IPTABLES -A allow-misc-in -p tcp --dport nntps -m state --state NEW -j ACCEPT # NNTPS
$IPTABLES -A allow-misc-in -p tcp --dport 1723 -m state --state NEW -j ACCEPT # pptp
$IPTABLES -A allow-misc-in -p tcp --dport 1863 -m state --state NEW -j ACCEPT # msnp (MSN Messenger)
$IPTABLES -A allow-misc-in -p udp --dport 1863 -m state --state NEW -j ACCEPT # msnp (MSN Messenger)
$IPTABLES -A allow-misc-in -p tcp --dport 28800:29100 -m state --state NEW -j ACCEPT # MSN Messenger Games
$IPTABLES -A allow-misc-in -p udp --dport 28800:29100 -m state --state NEW -j ACCEPT # MSN Messenger Games
$IPTABLES -A allow-misc-in -p udp --dport 2001:2120 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-in -p udp --dport 6801 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-in -p udp --dport 6901 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-in -p tcp --dport 6891:6901 -m state --state NEW -j ACCEPT # MSN File Tx & voice
$IPTABLES -A allow-misc-in -p tcp --dport 5000:5001 -m state --state NEW -j ACCEPT # Yahoo IM
$IPTABLES -A allow-misc-in -p udp --dport 5000:5010 -m state --state NEW -j ACCEPT # Yahoo IM
$IPTABLES -A allow-misc-in -p udp --dport 5100 -m state --state NEW -j ACCEPT # Yahoo IM Webcam
$IPTABLES -A allow-misc-in -p udp --dport 11999 -m state --state NEW -j ACCEPT # Yahoo IM Games
$IPTABLES -A allow-misc-in -p tcp --dport 5190:5193 -m state --state NEW -j ACCEPT # AIM
$IPTABLES -A allow-misc-in -p udp --dport 5190:5193 -m state --state NEW -j ACCEPT # AIM
$IPTABLES -A allow-misc-in -p tcp --dport 30000:30001 -m state --state NEW -j ACCEPT # GnomeMeeting
$IPTABLES -A allow-misc-in -p udp --dport 30000:30010 -m state --state NEW -j ACCEPT # GnomeMeeting
$IPTABLES -A allow-misc-in -p tcp --dport 5800:5802 -m state --state NEW -j ACCEPT # VNC
$IPTABLES -A allow-misc-in -p udp --dport 5900:5902 -m state --state NEW -j ACCEPT # VNC
$IPTABLES -A allow-misc-in -p tcp --dport 1512 -m state --state NEW -j ACCEPT # wins
$IPTABLES -A allow-misc-in -p udp --dport 1512 -m state --state NEW -j ACCEPT # wins
#Allow outgoing ssh
$IPTABLES -N allow-ssh-traffic-out
$IPTABLES -F allow-ssh-traffic-out
$IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -m state --state NEW -j ACCEPT
#Allow outgoing dns
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -m state --state NEW -j ACCEPT
$IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -m state --state NEW -j ACCEPT
#Allow outgoing http and https
$IPTABLES -N allow-www-traffic-out
$IPTABLES -F allow-www-traffic-out
$IPTABLES -A allow-www-traffic-out -p tcp --dport www -m state --state NEW -j ACCEPT
$IPTABLES -A allow-www-traffic-out -p tcp --dport https -m state --state NEW -j ACCEPT
#Allow outgoing email
$IPTABLES -N allow-email-traffic-out
$IPTABLES -F allow-email-traffic-out
$IPTABLES -A allow-email-traffic-out -p tcp --dport smtp -m state --state NEW -j ACCEPT
#Allow outgoing mysql
$IPTABLES -N allow-mysql-traffic-out
$IPTABLES -F allow-mysql-traffic-out
$IPTABLES -A allow-mysql-traffic-out -p tcp -d your.mysql.server.com --dport mysql -m state --state NEW -j ACCEPT
#Allow outgoing postgres
$IPTABLES -N allow-postgres-traffic-out
$IPTABLES -F allow-postgres-traffic-out
$IPTABLES -A allow-postgres-traffic-out -p tcp -d your.postgres.server.com --dport postgres -m state --state NEW -j ACCEPT
#Allow outgoing nfs
$IPTABLES -N allow-nfs-traffic-out
$IPTABLES -F allow-nfs-traffic-out
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport sunrpc -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport sunrpc -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport 2049 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport 2049 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport 32764 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport 32764 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport 32765 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport 32765 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport 32766 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport 32766 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p udp -d your.nfs.server.com --dport 32767 -j ACCEPT
$IPTABLES -A allow-nfs-traffic-out -p tcp -d your.nfs.server.com --dport 32767 -j ACCEPT
#Allow outgoing syslog to the logging server
$IPTABLES -N allow-syslog-traffic-out
$IPTABLES -F allow-syslog-traffic-out
$IPTABLES -A allow-syslog-traffic-out -p udp -d your.logging.server.com --dport syslog -j ACCEPT
#Allow outgoing imaps to the IMAP server
$IPTABLES -N allow-imaps-traffic-out
$IPTABLES -F allow-imaps-traffic-out
$IPTABLES -A allow-imaps-traffic-out -p tcp -d your.imap.server.com --dport imaps -j ACCEPT
#Allow outgoing ntp
$IPTABLES -N allow-ntp-traffic-out
$IPTABLES -F allow-ntp-traffic-out
$IPTABLES -A allow-ntp-traffic-out -p udp --dport ntp -j ACCEPT
#Allow outgoing rsync
$IPTABLES -N allow-rsync-traffic-out
$IPTABLES -F allow-rsync-traffic-out
$IPTABLES -A allow-rsync-traffic-out -p tcp --dport rsync -m state --state NEW -j ACCEPT
#Allow outgoing ftp
$IPTABLES -N allow-ftp-out
$IPTABLES -F allow-ftp-out
$IPTABLES -A allow-ftp-out -p tcp --dport 20 -m state --state NEW -j ACCEPT # ftp-data
$IPTABLES -A allow-ftp-out -p udp --dport 20 -m state --state NEW -j ACCEPT # ftp-data
$IPTABLES -A allow-ftp-out -p tcp --dport 21 -m state --state NEW -j ACCEPT # ftp
$IPTABLES -A allow-ftp-out -p udp --dport 21 -m state --state NEW -j ACCEPT # ftp
#Allow outgoing misc traffic
$IPTABLES -N allow-misc-out
$IPTABLES -F allow-misc-out
$IPTABLES -A allow-misc-out -p tcp --dport 1720 -m state --state NEW -j ACCEPT # h323hostcall
$IPTABLES -A allow-misc-out -p udp --dport 1720 -m state --state NEW -j ACCEPT # h323hostcall
$IPTABLES -A allow-misc-out -p tcp --dport ldap -m state --state NEW -j ACCEPT # LDAP 389
$IPTABLES -A allow-misc-out -p udp --dport ldap -m state --state NEW -j ACCEPT # LDAP 389
$IPTABLES -A allow-misc-out -p tcp --dport ldaps -m state --state NEW -j ACCEPT # LDAPS 636
$IPTABLES -A allow-misc-out -p udp --dport ldaps -m state --state NEW -j ACCEPT # LDAPS 636
$IPTABLES -A allow-misc-out -p tcp --dport 554 -m state --state NEW -j ACCEPT # rtsp (Quicktime 4)
$IPTABLES -A allow-misc-out -p udp --dport 554 -m state --state NEW -j ACCEPT # rtsp (Quicktime 4)
$IPTABLES -A allow-misc-out -p tcp --dport 7070 -m state --state NEW -j ACCEPT # RTSP (Real)
$IPTABLES -A allow-misc-out -p tcp --dport nntps -m state --state NEW -j ACCEPT # NNTPS
$IPTABLES -A allow-misc-out -p tcp --dport 1723 -m state --state NEW -j ACCEPT # pptp
$IPTABLES -A allow-misc-out -p tcp --dport 1863 -m state --state NEW -j ACCEPT # msnp (MSN Messenger)
$IPTABLES -A allow-misc-out -p udp --dport 1863 -m state --state NEW -j ACCEPT # msnp (MSN Messenger)
$IPTABLES -A allow-misc-out -p tcp --dport 28800:29100 -m state --state NEW -j ACCEPT # MSN Messenger Games
$IPTABLES -A allow-misc-out -p udp --dport 28800:29100 -m state --state NEW -j ACCEPT # MSN Messenger Games
$IPTABLES -A allow-misc-out -p udp --dport 2001:2120 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-out -p udp --dport 6801 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-out -p udp --dport 6901 -m state --state NEW -j ACCEPT # MSN Messenger Voice
$IPTABLES -A allow-misc-out -p tcp --dport 6891:6901 -m state --state NEW -j ACCEPT # MSN File Tx & voice
$IPTABLES -A allow-misc-out -p tcp --dport 5000:5001 -m state --state NEW -j ACCEPT # Yahoo IM
$IPTABLES -A allow-misc-out -p udp --dport 5000:5010 -m state --state NEW -j ACCEPT # Yahoo IM
$IPTABLES -A allow-misc-out -p udp --dport 5100 -m state --state NEW -j ACCEPT # Yahoo IM Webcam
$IPTABLES -A allow-misc-out -p udp --dport 11999 -m state --state NEW -j ACCEPT # Yahoo IM Games
$IPTABLES -A allow-misc-out -p tcp --dport 5190:5193 -m state --state NEW -j ACCEPT # AIM
$IPTABLES -A allow-misc-out -p udp --dport 5190:5193 -m state --state NEW -j ACCEPT # AIM
$IPTABLES -A allow-misc-out -p tcp --dport 30000:30001 -m state --state NEW -j ACCEPT # GnomeMeeting
$IPTABLES -A allow-misc-out -p udp --dport 30000:30010 -m state --state NEW -j ACCEPT # GnomeMeeting
$IPTABLES -A allow-misc-out -p tcp --dport 5800:5802 -m state --state NEW -j ACCEPT # VNC
$IPTABLES -A allow-misc-out -p udp --dport 5900:5902 -m state --state NEW -j ACCEPT # VNC
$IPTABLES -A allow-misc-out -p tcp --dport 1512 -m state --state NEW -j ACCEPT # wins
$IPTABLES -A allow-misc-out -p udp --dport 1512 -m state --state NEW -j ACCEPT # wins
#Catch portscanners
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Apply and add invalid states to the chains
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in
$IPTABLES -A INPUT -j allow-www-traffic-in
$IPTABLES -A INPUT -j allow-email-traffic-in
$IPTABLES -A INPUT -j allow-ftp-in
$IPTABLES -A INPUT -j allow-misc-in
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j allow-ssh-traffic-out
$IPTABLES -A OUTPUT -j allow-dns-traffic-out
$IPTABLES -A OUTPUT -j allow-www-traffic-out
$IPTABLES -A OUTPUT -j allow-email-traffic-out
$IPTABLES -A OUTPUT -j allow-mysql-traffic-out
$IPTABLES -A OUTPUT -j allow-postgres-traffic-out
$IPTABLES -A OUTPUT -j allow-nfs-traffic-out
$IPTABLES -A OUTPUT -j allow-syslog-traffic-out
$IPTABLES -A OUTPUT -j allow-imaps-traffic-out
$IPTABLES -A OUTPUT -j allow-ntp-traffic-out
$IPTABLES -A OUTPUT -j allow-rsync-traffic-out
$IPTABLES -A OUTPUT -j allow-ftp-out
$IPTABLES -A OUTPUT -j allow-misc-out
$IPTABLES -A OUTPUT -j allowed-connection
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -L
/etc/init.d/iptables save
Start tumblerd like this:
Code:
/etc/init.d/tumblerd start
Add tumblerd to the default run level:
Code:
rc-update add tumblerd default
Testing Tumbler
Open a terminal and tail the log:
Code:
tail -f /var/log/tumblerd.log
Knock on the door (using port 9876):
Code:
tumbler --open tumbler://reallyLongStringOfGobbledegookHere@localhost:9876/
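If nothing shows up in the log after a knock, the first thing to rule out is that the firewall script admits a different UDP port than the one in the [common] section of /etc/tumblerd.conf, in which case the knock is dropped before tumblerd ever sees it. The following pre-flight check is an added example (not part of the original post or of tumbler): it parses both files in the formats shown on this page and reports a mismatch. It takes the two file paths as arguments.

```shell
#!/bin/sh
# Pre-flight check (added example, not from the original post): the UDP port
# tumblerd listens on ([common] "port = N" in tumblerd.conf) must be admitted by
# the firewall script with a "-p udp --dport N ... -j ACCEPT" rule, or every
# knock is dropped before tumblerd sees it. Paths are passed as arguments.

# Print the port from the [common] section of a tumblerd.conf file.
tumblerd_port() {
    awk -F= '
        /^[[:space:]]*\[/ { in_common = ($0 ~ /^[[:space:]]*\[common]/); next }
        in_common && $1 ~ /^[[:space:]]*port[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# Print every numeric UDP destination port the firewall script accepts,
# skipping commented-out rules, one port per line.
firewall_udp_ports() {
    grep -E -- '-p udp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | grep -vE '^[[:space:]]*#' \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' \
        | sort -u
}

# 0 = knock port is admitted, 1 = not admitted, 2 = no usable port in the conf.
check_knock_port() {
    conf=$1 fw=$2
    port=$(tumblerd_port "$conf")
    case $port in
        ''|*[!0-9]*) echo "no numeric port in $conf" >&2; return 2 ;;
    esac
    if firewall_udp_ports "$fw" | grep -qx "$port"; then
        echo "ok: $fw admits udp/$port for tumbler knocks"
        return 0
    fi
    echo "MISMATCH: tumblerd listens on udp/$port but $fw only admits udp:" \
         "$(firewall_udp_ports "$fw" | tr '\n' ' ')" >&2
    return 1
}

if [ $# -eq 2 ]; then check_knock_port "$1" "$2"; fi
```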
Using Tumbler
Each user has their own tumbler key. The keys are managed by editing /etc/tumblerd.conf and restarting tumblerd.
Code:
$ tumbler --open tumbler://userKeyGoesHere@your.domain.com:9876/
$ ssh your.domain.com
You can close the port manually once you are done, if you are so disposed:
Code:
$ tumbler --close tumbler://userKeyGoesHere@your.domain.com:9876/
I haven't got the sshd port open timeout to work yet, so the sshd port will remain open for your IP address until the machine is rebooted. Eventually I intend to limit the period of time that the sshd port will accept new connections to 10 seconds after tumbler authorizes access.