Gentoo Forums
Allowing only specified IPs or MACs?
Forum Index -> Networking & Security

The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

Posted: Sun Sep 06, 2015 1:06 am    Post subject: Allowing only specified IPs or MACs?

I am trying to block all traffic that is not specified in an IP table or a MAC table. The reason for this is that the server runs an Asterisk SIP/H323 server and I want everything blocked EXCEPT for the wireless and LAN MACs on my laptop due to me being at various locations and needing to use Linphone from these locations. I also want all IP phones at our main office and remote office to have access. Those locations have static WAN IP addresses. Below is what I am looking at using. Please tell me what you think.
Code:

#!/bin/bash

# Configure IPv4 tables: flush rules, delete user chains, zero counters,
# drop inbound and forwarded traffic by default, allow outbound.
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N MACS
iptables -N IPS

# IPv4 MAC filtering: accept the laptop's wireless and LAN MACs outright.
# Any other source RETURNs to INPUT and keeps being evaluated there.
iptables -A MACS -m mac --mac-source=00:11:22:33:44:55 -j ACCEPT
iptables -A MACS -m mac --mac-source=00:AA:BB:CC:DD:EE -j ACCEPT
iptables -A MACS -j RETURN

# IPv4 IP address filtering: accept the office WAN addresses outright.
# Again, non-matching sources RETURN to INPUT rather than being dropped.
iptables -A IPS -s 192.168.0.1 -j ACCEPT
iptables -A IPS -s 192.168.0.2 -j ACCEPT
iptables -A IPS -j RETURN

# IPv4 firewall
iptables -t filter -A INPUT -j MACS
iptables -t filter -A INPUT -j IPS
# Replies to connections this host opened
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New TCP connections that do not start with a bare SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Fragments
iptables -A INPUT -f -j DROP
# XMAS and NULL scans
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# ICMP destination-unreachable (3), time-exceeded (11), parameter-problem (12)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Answer ident probes with a reset instead of letting them time out
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# SSH, SIP signalling and the RTP range, from any source that got this far
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
# Loopback (evaluated last, so the rules above also apply to lo traffic)
iptables -A INPUT -i lo -j ACCEPT

# Configure IPv6 firewalling: drop everything inbound except replies and loopback
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT

I changed the MACs and the two IPs to protect them, but you get the idea.
_________________
Ever picture systemd as what runs "The Borg"?
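An added example, not code from the post above and not Gentoo's or Asterisk's: a POSIX shell script that generates an iptables-restore ruleset doing what the post set out to do, admitting SSH and SIP/RTP only from an explicit list of source addresses and dropping everything else. The addresses 203.0.113.10/32 and 198.51.100.0/24 are placeholders from the RFC 5737 documentation ranges, and gen_ruleset and valid_net are this example's own names. It filters on source IP only: -m mac --mac-source matches the Ethernet source of the frame as it arrives on the local interface, which for traffic from the Internet is the upstream router's MAC, never the laptop's. Whether an IP allowlist on its own is enough is what the replies below argue about.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that admits SSH and SIP/RTP
# only from listed source networks. Everything else is dropped. The default
# networks are RFC 5737 documentation placeholders; pass the real office
# WAN addresses as arguments.
#
# Chain layout (the inverse of an ACCEPT-or-RETURN allowlist chain):
#   INPUT  -> lo, ESTABLISHED/RELATED, INVALID, useful ICMP, then -j ALLOWED
#   ALLOWED: listed source -> SERVICES; anything else -> terminal DROP
#   SERVICES: the service ports -> ACCEPT; anything else falls back to ALLOWED
#             and hits its DROP

# Accept "a.b.c.d" or "a.b.c.d/len" with octets 0-255 and len 0-32.
valid_net() {
    printf '%s' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_ruleset NET [NET ...]  -> iptables-restore text on stdout
gen_ruleset() {
    [ "$#" -gt 0 ] || { echo "gen_ruleset: need at least one source network" >&2; return 1; }
    for net in "$@"; do
        valid_net "$net" || { echo "gen_ruleset: bad network '$net'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ALLOWED - [0:0]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -j ALLOWED
EOF
    # One rule per listed source; order does not matter, the DROP below is terminal.
    for net in "$@"; do
        printf '%s\n' "-A ALLOWED -s $net -j SERVICES"
    done
    cat <<'EOF'
-A ALLOWED -j DROP
-A SERVICES -p tcp --syn -m multiport --dports 22,5060,5061 -j ACCEPT
-A SERVICES -p udp -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
COMMIT
EOF
}

# Usage:  ./allowlist.sh [NET ...]          print the ruleset for review
#         APPLY=1 ./allowlist.sh [NET ...]  load it atomically (needs root)
# ip6tables-restore needs an equivalent ruleset, or the policy-DROP v6 rules above.
if [ "$#" -eq 0 ]; then
    set -- 203.0.113.10/32 198.51.100.0/24   # placeholders (RFC 5737)
fi
if [ "${APPLY:-0}" = "1" ]; then
    gen_ruleset "$@" | iptables-restore
else
    gen_ruleset "$@"
fi
```

Print the ruleset first and read it; with APPLY=1 it is loaded in one atomic iptables-restore transaction, so there is no window where the chains are half-built. Invalid input such as an octet above 255 is refused before anything is emitted, which matters because iptables-restore aborts the whole load on the first bad rule.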
Roman_Gruber
Advocate
Joined: 03 Oct 2006
Posts: 3846
Location: Austro Bavaria

Posted: Sun Sep 06, 2015 9:27 am    Post subject:

MACs are kinda useless as you can spoof those.
IP addresses can also be chosen freely.

I assume this covers the topic iptables, so you may choose a better title which starts with iptables...

Quote:
me being at various locations a


Well, I am not that interested in networks, but AFAIK those are sent in the IP layer, and when I listen to that communication I can later spoof it and reuse it, so rather useless.

You better aim for a proper handshake / protocol which ensures the partners are the real partners...
gordonb3
Apprentice
Joined: 01 Jul 2015
Posts: 185

Posted: Mon Sep 07, 2015 8:42 am    Post subject:

That set of rules won't do it. This will grant full access to the named MACs and IPs and allow access to SSH and SIP to everyone else.

It is also quite pointless, because except for in your own home you will be masqueraded in practically every location that gives you internet access. And apart from your work offices you will not only not know what IP and/or MAC you will be using, but other people behind that same router/firewall will have access too. What you need is a mechanism that allows you to identify yourself to be given access. A lightweight method for this is a technique called "knocking", where you hit a specific sequence of TCP ports within a given time frame, but what you really want is a VPN.
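An added example, not part of gordonb3's reply, showing the "knocking" technique he mentions, built on the iptables recent match. The knock ports 7000/8000/9000, the 10-second step limit and the 30-second open window are illustrative placeholders, and gen_knock_ruleset, valid_port and knock are this example's own names. Three SYNs to the knock ports in order admit the sender's source address to SSH and SIP for the open window; a packet to the wrong port restarts the sequence. Two caveats follow from the thread: the recent lists are keyed by source IP, so everyone behind the same NAT is admitted together, and the sequence travels in the clear, so anyone who can sniff it can replay it. Knocking keeps scanners out but authenticates nobody, which is why the reply points at a VPN.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for three-port TCP knocking with
# the "recent" match. Port numbers and timings are placeholders.

KNOCK1=7000; KNOCK2=8000; KNOCK3=9000   # placeholders; pick otherwise unused ports
STEP_SECONDS=10      # max gap between consecutive knocks
OPEN_SECONDS=30      # how long the services stay open after the third knock

# 1..65535, digits only
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_knock_ruleset -> iptables-restore text built from the variables above
gen_knock_ruleset() {
    for p in "$KNOCK1" "$KNOCK2" "$KNOCK3"; do
        valid_port "$p" || { echo "bad knock port: $p" >&2; return 1; }
    done
    if [ "$KNOCK1" = "$KNOCK2" ] || [ "$KNOCK2" = "$KNOCK3" ] || [ "$KNOCK1" = "$KNOCK3" ]; then
        echo "knock ports must be distinct" >&2; return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:KNOCKING - [0:0]
:GATE1 - [0:0]
:GATE2 - [0:0]
:GATE3 - [0:0]
:PASSED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j KNOCKING
# Dispatch on how far this source IP has got (each AUTHn list is keyed by source).
-A KNOCKING -m recent --rcheck --seconds $OPEN_SECONDS --name AUTH3 -j PASSED
-A KNOCKING -m recent --rcheck --seconds $STEP_SECONDS --name AUTH2 -j GATE3
-A KNOCKING -m recent --rcheck --seconds $STEP_SECONDS --name AUTH1 -j GATE2
-A KNOCKING -j GATE1
# Stage 1: a SYN to the first port is remembered; everything is dropped either way.
-A GATE1 -p tcp --syn --dport $KNOCK1 -m recent --name AUTH1 --set -j DROP
-A GATE1 -j DROP
# Stage 2: forget stage 1; the right second port advances, anything else restarts.
-A GATE2 -m recent --name AUTH1 --remove
-A GATE2 -p tcp --syn --dport $KNOCK2 -m recent --name AUTH2 --set -j DROP
-A GATE2 -j GATE1
# Stage 3: same again for the third port.
-A GATE3 -m recent --name AUTH2 --remove
-A GATE3 -p tcp --syn --dport $KNOCK3 -m recent --name AUTH3 --set -j DROP
-A GATE3 -j GATE1
# Fully knocked: admit SSH and SIP/RTP for OPEN_SECONDS, then back to stage 1.
-A PASSED -p tcp --syn -m multiport --dports 22,5060,5061 -j ACCEPT
-A PASSED -p udp -m multiport --dports 5060,5061,10000:20000 -j ACCEPT
-A PASSED -j GATE1
COMMIT
EOF
}

# Client side (assumes a netcat that understands -z and -w; not exercised here).
# Every SYN is dropped, so each attempt simply times out after one second.
knock() {   # knock HOST
    for p in "$KNOCK1" "$KNOCK2" "$KNOCK3"; do
        nc -z -w 1 "$1" "$p" 2>/dev/null || true
    done
}

# Usage:  ./knock.sh            print the ruleset
#         APPLY=1 ./knock.sh    load it atomically (needs root)
if [ "${APPLY:-0}" = "1" ]; then
    gen_knock_ruleset | iptables-restore
else
    gen_knock_ruleset
fi
```

Because the knock ports DROP rather than REJECT, a scanner sees them as filtered like every other port, and because the recent lists expire, a half-finished sequence is forgotten after STEP_SECONDS. The iptables-restore input may contain the # comment lines shown; they are ignored on load.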
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

Posted: Tue Sep 08, 2015 3:02 pm    Post subject:

This has to be possible somehow. How else would SIP providers like Nextiva be able to do it? We need a solution here. Others do it, so we need to be able to do it. For now, I have blocked everything except our office with this setup.
Code:

#!/bin/bash

# Configure IPv4 tables: flush rules, delete user chains, zero counters,
# drop inbound and forwarded traffic by default, allow outbound.
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -N ALLOWED

# IPv4 MAC/IP filtering: reject anything that is not from the office WAN address.
# 203.0.113.10 is a placeholder from the RFC 5737 documentation range; put the
# office's real static WAN address here (octets above 255 are not a valid IPv4
# address and iptables refuses them).
OFFICE=203.0.113.10
iptables -A ALLOWED ! -s "$OFFICE" -j REJECT
iptables -A ALLOWED -j RETURN

# IPv4 firewall
# Loopback and replies to outbound connections are accepted before the office
# check, so that 127.0.0.1 and the answers to DNS, NTP and SIP trunk traffic
# from hosts outside the office are not rejected by ALLOWED.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Every other packet is rejected unless it comes from the office
iptables -t filter -A INPUT -j ALLOWED
# New TCP connections that do not start with a bare SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Fragments
iptables -A INPUT -f -j DROP
# XMAS and NULL scans
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# ICMP destination-unreachable (3), time-exceeded (11), parameter-problem (12)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Answer ident probes with a reset instead of letting them time out
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# SSH, SIP signalling and the RTP range (only office traffic gets this far)
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,5060,5061,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j ACCEPT

# Configure IPv6 firewalling: drop everything inbound except replies and loopback
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT

This should instantly reject any connection not at our main office, and then filter connections being made from our main office. Does this make more sense than before?
gordonb3
Apprentice
Joined: 01 Jul 2015
Posts: 185

Posted: Thu Sep 10, 2015 4:06 pm    Post subject:

Sure it is possible. But if you want to guard yourself against people spoofing IPs or MACs iptables alone is not going to do it.

You could probably investigate if that SIP server provides any means for this. Like a callback function that lets the server connect to you on your request.
All times are GMT