how to open/close firewall port 21 22 with script?
Gents,
I want to control a remote backup and be safe....
So I want to use a script that opens the firewall port 21 or 22 for backup purposes.
when backup is done I want the script to close the ports to prevent external attack.
Does anyone knows the ssh commands for this?
I can start and stop the services for example:
FTP
/etc/init.d/proftpd (stop, start, restart)
debian openssh ssh control
/etc/init.d/ssh start
/etc/init.d/ssh restart
/etc/init.d/ssh stop
Thanks in advance
Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Re: how to open/close firewall port 21 22 with script?
First of all, simply moving your SSH port to some obscure number (666 is a winner for me) is already near-100% effective in deterring script kiddies without any hassle with firewall rules.
But to answer the question: generally this is easy to do, but the firewall script in bubba is braindead beyond comprehension so there's a bit of a trick involved: First make sure the default is that port 21 is in "closed" mode, either in the web interface or by editing out the lines in /etc/network/firewall.conf.
Then, if you want to open a port, run this line in a shell script (this assumes IP address 11.22.33.44 is the remote IP). By using the -I flag, the rule is injected at the top so that it actually works.
Code:
iptables -I INPUT -s 11.22.33.44 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
If you want to close the port again, DO NOT RUN /etc/init.d/bubba-firewall restart:
For some reason this actually only saves the current rules and DOES NOT stop and restart the firewall or even reload the old firewall rules (Carl, are you reading this?). In other words, if you mess about with your bubba and reload the firewall because it did not work out, you're royally screwed, and may need to go find a rescue usb.
Instead do:
Code:
/sbin/iptables-restore /etc/network/firewall.conf
Hope this helps
Re: how to open/close firewall port 21 22 with script?
You'll actually accomplish the same as the last line when you issue /etc/init.d/bubba-firewall start (without the "re"). But yes, I do think the bubba firewall script is flaky. For one, the web interface doesn't pick up on the fact that you have restricted access to a specific port to certain addresses (it will show as fully opened).
What I did find is that the firewall script will only consider the INPUT table, but you can add custom tables if you like. Working from your example you might input the following:
Code:
iptables -N backup # creates table 'backup'
iptables -F backup # empties table 'backup'
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # allows existing connections to continue
iptables -A INPUT -i eth0 -s 11.22.33.44 -j backup # tells the firewall to process rules in table 'backup' when ip 11.22.33.44 connects
Then the 'backup on' routine would be:
Code:
iptables -A backup -p tcp -m multiport --dports 20,21,22 -j ACCEPT
And the 'backup off' routine:
Code:
iptables -F backup
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
A really cool solution for this is to make use of the ipset match rule, but for this you will need to install the xtables-addons first. Using ipset you can dynamically change which IP(s) will be allowed to enter the 'backup' table, without actually changing a single iptables rule. Safer...
Re: how to open/close firewall port 21 22 with script?
Wouldn't the -A rule be ignored if you consider that the machine has already been loaded with firewall rules that end in a global deny?
Re: how to open/close firewall port 21 22 with script?
No. It is the policy that is set to deny (it is actually drop - meaning that it doesn't give any response whatsoever), not a rule.
One thing I should have mentioned. Once the first piece of code has been entered, you should issue a /etc/init.d/bubba-firewall restart. This will save that part of the firewall configuration and every change you make afterwards using the web interface, won't touch these unknown rules. When in doubt you may also add these rules manually in the /etc/network/firewall.conf file and place them in front of the first '-A' rule (in that case issue a `bubba-firewall start` after editing).
Re: how to open/close firewall port 21 22 with script?
tnx
but why does your rule only block established and not new traffic?
Re: how to open/close firewall port 21 22 with script?
Ubi wrote: tnx, but why does your rule only block established and not new traffic?
It doesn't.
The first rule checks with the connection tracker whether it is an existing connection and if so allows it to continue. The second rule, which would be the 'on' command, would allow new connections to be established on ports ftp-data, ftp and ssh. Since the 'backup' table (or whatever you name it) does not contain a catch-all rule, processing will then continue with the next rule in the 'INPUT' table.
Re: how to open/close firewall port 21 22 with script?
Gordon and Ubi,
Thanks for your examples.
Would it be safe enough to only let one IP address access ftp?
Only add in firewall.conf: -A INPUT -s 111.111.111.111 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT
Then only a computer with this 111.111.111.111 IP address can access ftp, or am I wrong?
Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Re: how to open/close firewall port 21 22 with script?
Puma,
I actually have something similar in my own ruleset (for ssh). The problem with such a rule is that the web interface for bubba-firewall will then also show this port as opened (but not the IP restriction). That may be confusing. If you follow my hint on creating the user defined table and putting the allow FTP rule in there you'll stay out of the way of the bubba-firewall settings. You may in fact even be able to use the web interface to toggle global FTP access on and off without messing up the one rule that you want activated always.
Gordon
Re: how to open/close firewall port 21 22 with script?
Not sure if you already solved this, but inserting a rule into a chain and removing it afterwards isn't that complicated.
Insert the rule as the first in the INPUT chain (the -I <chain> <num> inserts the rule as rule number <num>).
Code:
iptables -I INPUT 1 -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT
Lose the "-s 11.22.33.44" bit if you're not concerned about IP restriction.
Remove it again (copy-pasted except for the line number):
Code:
iptables -D INPUT -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT
- and voila!, your firewall is as good as new.
If you're certain the rule is still number 1 when you want to remove it, you can also just do
Code:
iptables -D INPUT 1
- but if something changed your firewall in the meantime, this will remove whatever is #1 now.
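A wrapper that ties the thread's two approaches together, added here as an example and not taken from any post above: it uses Gordon's user-defined 'backup' chain so the rules stay out of the way of the bubba-firewall web interface, and a shell trap so the ports are closed again even when the backup job fails or is interrupted. The host 11.22.33.44 comes from the thread; the chain name, interface and the IPTABLES/IFACE/PORTS variables are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread: open the backup ports only
# while a backup job runs, using a user-defined 'backup' chain (Gordon's idea)
# so the rules stay out of the way of the bubba-firewall web interface.
# Assumed (hypothetical) defaults: remote host 11.22.33.44 from the thread,
# chain 'backup', interface eth0. IPTABLES can point at a stand-in (dry run).
set -eu

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-backup}"
REMOTE="${REMOTE:-11.22.33.44}"
IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-20,21,22}"

# Create the chain and hook it into INPUT for the remote host only. Idempotent:
# -N fails harmlessly if the chain exists, -C checks for the hook before -I adds it.
backup_setup() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -i "$IFACE" -s "$REMOTE" -j "$CHAIN" 2>/dev/null ||
        "$IPTABLES" -I INPUT 1 -i "$IFACE" -s "$REMOTE" -j "$CHAIN"
}

# 'backup on': rebuild the chain from scratch, keep established flows and
# accept NEW connections from the remote host to the backup ports only.
backup_on() {
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A "$CHAIN" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# 'backup off': drop the NEW-connection rule; an in-flight transfer may finish
# but nothing new gets in. The INPUT policy (DROP on bubba) handles the rest.
backup_off() {
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run the backup job with the ports open. The EXIT trap closes them again even
# if the job fails or the script is interrupted, so a broken backup never
# leaves the hole open until someone notices.
run_with_ports_open() {
    backup_setup
    backup_on
    trap 'backup_off' EXIT INT TERM
    "$@"
}

# Usage as root, e.g.: ./backup_window.sh rsync -a /srv/data backup@11.22.33.44:/backup
if [ "$#" -gt 0 ]; then run_with_ports_open "$@"; fi
```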