The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1602 Location: Fayetteville, NC, USA
Posted: Sun Sep 06, 2015 1:06 am Post subject: Allowing only specified IPs or MACs?
I am trying to block all traffic that is not specified in an IP table or a MAC table. The reason for this is that the server runs an Asterisk SIP/H323 server and I want everything blocked EXCEPT for the wireless and LAN MACs on my laptop due to me being at various locations and needing to use Linphone from these locations. I also want all IP phones at our main office and remote office to have access. Those locations have static WAN IP addresses. Below is what I am looking at using. Please tell me what you think.
Code:
#!/bin/bash
# Configure IPv4 tables
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N MACS
iptables -N IPS
# IPv4 MAC filtering
iptables -A MACS -m mac --mac-source=00:11:22:33:44:55 -j ACCEPT
iptables -A MACS -m mac --mac-source=00:AA:BB:CC:DD:EE -j ACCEPT
iptables -A MACS -j RETURN
# IPv4 IP address filtering
iptables -A IPS -s 192.168.0.1 -j ACCEPT
iptables -A IPS -s 192.168.0.2 -j ACCEPT
iptables -A IPS -j RETURN
# IPv4 firewall
iptables -t filter -A INPUT -j MACS
iptables -t filter -A INPUT -j IPS
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Configure IPv6 firewalling
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
I changed the MACs and the two IPs to protect them, but you get the idea.
_________________
Ever picture systemd as what runs "The Borg"?
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Sun Sep 06, 2015 9:27 am Post subject:
MACs are kinda useless as you can spoof those.
IP addresses can also be chosen freely.
I assume this covers the topic iptables, so you may choose a better title which starts with iptables...
Quote:
me being at various locations a
Well, I am not that interested in networks, but AFAIK those are sent in the IP layer, and when I listen to that communication I can later spoof it and reuse it, so rather useless.
You better aim for a proper handshake / protocol which ensures the partners are the real partners...
gordonb3 Apprentice
Joined: 01 Jul 2015 Posts: 185
Posted: Mon Sep 07, 2015 8:42 am Post subject:
That set of rules won't do it. This will grant full access to the named MACs and IPs and allow access to ssh and SIP to everyone else.
It is also quite pointless, because except for in your own home you will be masqueraded in practically every location that gives you internet access. And apart from your work offices you will not only not know what IP and/or MAC you will be using, but other people behind that same router/firewall will have access too. What you need is a mechanism that allows you to identify yourself to be given access. A lightweight method for this is a technique called "knocking", where you hit a specific sequence of TCP ports within a given time frame, but what you really want is a VPN.
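To make the point about the first ruleset concrete, here is an added example (not code from the thread or from either poster): a small model of iptables chain traversal with ACCEPT, DROP, RETURN and user chains. It shows that an allowlist chain which RETURNs for non-matching sources still lets the later ssh/SIP rules admit everyone, while a chain that DROPs non-matching sources does not. The addresses and port set are constructed samples.

```python
# Added example: a tiny model of iptables INPUT-chain evaluation, used to
# compare the thread's first ruleset shape with a terminating allowlist.
# The office address and the "stranger" address below are constructed.

def run_chain(rules, chain, pkt):
    """Walk one chain; return ACCEPT/DROP, or RETURN when it falls through."""
    for match, target in rules.get(chain, []):
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP", "RETURN"):
            return target
        verdict = run_chain(rules, target, pkt)   # jump into a user chain
        if verdict != "RETURN":                    # user chain decided
            return verdict
    return "RETURN"                                # no rule matched

def verdict(rules, pkt, policy="DROP"):
    """Final decision for a packet entering INPUT under the given policy."""
    v = run_chain(rules, "INPUT", pkt)
    return policy if v == "RETURN" else v

def src(ip):      return lambda p: p["src"] == ip
def not_src(ip):  return lambda p: p["src"] != ip
def dport(*ps):   return lambda p: p["dport"] in ps
def anything(p):  return True

ALLOWED_IP = "203.0.113.10"   # constructed stand-in for the office WAN address

# Shape of the first post: IPS ACCEPTs the office and RETURNs everyone else,
# so the service rule after the jump is reached by *every* source.
FIRST = {
    "INPUT": [(anything, "IPS"), (dport(22, 5060, 5061), "ACCEPT")],
    "IPS":   [(src(ALLOWED_IP), "ACCEPT"), (anything, "RETURN")],
}

# Terminating allowlist: DROP any source that is not the office, RETURN
# only for the office, so the service rules see permitted addresses only.
FIXED = {
    "INPUT":   [(anything, "ALLOWED"), (dport(22, 5060, 5061), "ACCEPT")],
    "ALLOWED": [(not_src(ALLOWED_IP), "DROP"), (anything, "RETURN")],
}

stranger = {"src": "198.51.100.7", "dport": 5060}   # constructed outsider
office   = {"src": ALLOWED_IP,     "dport": 5060}

if __name__ == "__main__":
    for name, rules in (("first", FIRST), ("fixed", FIXED)):
        print(name, "stranger:", verdict(rules, stranger),
              "office:", verdict(rules, office))
```

The model ignores conntrack, loopback and the TCP-flag sanity rules, since none of them change which sources reach the service rules.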
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1602 Location: Fayetteville, NC, USA
Posted: Tue Sep 08, 2015 3:02 pm Post subject:
This has to be possible somehow. How else would SIP providers like Nextiva be able to do it? We need a solution here. Others do it, so we need to be able to do it. For now, I have blocked everything except our office with this setup.
Code:
#!/bin/bash
# Configure IPv4 tables
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N ALLOWED
# IPv4 MAC/IP filtering
iptables -A ALLOWED ! -s 123.456.789.012 -j REJECT
iptables -A ALLOWED -j RETURN
# IPv4 firewall
iptables -t filter -A INPUT -j ALLOWED
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Configure IPv6 firewalling
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
This should instantly reject any connection not at our main office, and then filter connections being made from our main office. Does this make more sense than before?
_________________
Ever picture systemd as what runs "The Borg"?
gordonb3 Apprentice
Joined: 01 Jul 2015 Posts: 185
Posted: Thu Sep 10, 2015 4:06 pm Post subject:
Sure it is possible. But if you want to guard yourself against people spoofing IPs or MACs iptables alone is not going to do it.
You could probably investigate if that SIP server provides any means for this. Like a callback function that lets the server connect to you on your request.