how to open/close firewall port 21 22 with script?

Posted: 11 Sep 2011, 16:32
by Puma
Gents,

I want to control a remote backup and be safe....

So I want to use a script that opens the firewall port 21 or 22 for backup purposes.
When the backup is done I want the script to close the ports to prevent external attack.
Does anyone know the ssh commands for this?

I can start and stop the services for example:

FTP
/etc/init.d/proftpd (stop, start, restart)

debian openssh ssh control
/etc/init.d/ssh start
/etc/init.d/ssh restart
/etc/init.d/ssh stop



Thanks in advance

Puma

Re: how to open/close firewall port 21 22 with script?

Posted: 12 Sep 2011, 15:25
by Ubi
First of all, simply moving your SSH port to some obscure number (666 is a winner for me) is already near-100% effective in deterring script kiddies without any hassle with firewall rules.

But to answer the question: generally this is easy to do, but the firewall script in bubba is braindead beyond comprehension so there's a bit of a trick involved: First make sure the default is that port 21 is in "closed" mode, either in the web interface or by editing out the lines in /etc/network/firewall.conf.
Then, if you want to open a port, run this line in a shell script (this assumes IP address 11.22.33.44 is the remote IP). By using the -I flag, the rule is injected at the top so that it actually works.

iptables -I INPUT -s 11.22.33.44 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

If you want to close the port again, DO NOT RUN /etc/init.d/bubba-firewall restart:
For some reason this actually only saves the current rules and DOES NOT stop and restart the firewall or even reload the old firewall rules (Carl, are you reading this?). In other words, if you mess about with your bubba and reload the firewall because it did not work out, you're royally screwed, and may need to go find a rescue usb.

instead do:

/sbin/iptables-restore /etc/network/firewall.conf

hope this helps

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 10:32
by Gordon
You'll actually accomplish the same as the last line when you issue /etc/init.d/bubba-firewall start (without the "re"). But yes, I do think the bubba firewall script is flaky. For one, the web interface doesn't pick up on the fact that you have restricted access to a specific port to certain addresses (it will show as fully opened).

What I did find is that the firewall script will only consider the INPUT table, but you can add custom tables if you like. Working from your example you might input the following:

iptables -N backup    # creates table 'backup'
iptables -F backup    # empties table 'backup'
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT    # allows existing connections to continue
iptables -A INPUT -i eth0 -s 11.22.33.44 -j backup   # tells the firewall to process rules in table 'backup' when ip 11.22.33.44 connects

Then the 'backup on' routine would be:

iptables -A backup -p tcp -m multiport --dports 20,21,22 -j ACCEPT

And the 'backup off' routine:

iptables -F backup
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

A really cool solution for this is to make use of the ipset match rule, but for this you will need to install the xtables-addons first. Using ipset you can dynamically change which IP(s) will be allowed to enter the 'backup' table, without actually changing a single iptables rule. Safer...

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 13:07
by Ubi
Wouldn't the -A rule be ignored if you consider that the machine has already been loaded with firewall rules that end in a global deny?

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 13:36
by Gordon
No. It is the policy that is set to deny (it is actually drop - meaning that it doesn't give any response whatsoever), not a rule.

One thing I should have mentioned. Once the first piece of code has been entered, you should issue a /etc/init.d/bubba-firewall restart. This will save that part of the firewall configuration and every change you make afterwards using the web interface, won't touch these unknown rules. When in doubt you may also add these rules manually in the /etc/network/firewall.conf file and place them in front of the first '-A' rule (in that case issue a `bubba-firewall start` after editing).

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 13:41
by Ubi
tnx

but why does your rule only block established and not new traffic?

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 14:03
by Gordon
Ubi wrote: tnx

but why does your rule only block established and not new traffic?
It doesn't.

The first rule verifies the connection tracker whether it is an existing connection and if so allows it to continue. The second rule, which would be the 'on' command, would allow new connections to be established on ports ftp-data, ftp and ssh. Since the 'backup' table (or whatever you name it) does not contain a catch-all rule, processing will then continue with the next rule in the 'INPUT' table.

Re: how to open/close firewall port 21 22 with script?

Posted: 13 Sep 2011, 17:46
by Puma
Gordon and Ubi,

Thanks for your examples.

Would it be safe enough to only let one IP address access FTP?

Only add in firewall.conf: -A INPUT -s 111.111.111.111 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

Then only a computer with this 111.111.111.111 IP address can access FTP, or am I wrong?

Puma

Re: how to open/close firewall port 21 22 with script?

Posted: 14 Sep 2011, 02:54
by Gordon
Puma,

I actually have something similar in my own ruleset (for ssh). The problem with such a rule is that the web interface for bubba-firewall will then also show this port as opened (but not the IP restriction). That may be confusing. If you follow my hint on creating the user defined table and putting the allow FTP rule in there you'll stay out of the way of the bubba-firewall settings. You may in fact even be able to use the web interface to toggle global FTP access on and off without messing up the one rule that you want activated always.

Gordon

Re: how to open/close firewall port 21 22 with script?

Posted: 14 Sep 2011, 06:07
by kenned
Not sure if you already solved this, but inserting a rule into a chain and removing it afterwards isn't that complicated.

Insert the rule as the first in the INPUT chain (the -I <chain> <num> inserts the rule as rule number <num>).

iptables -I INPUT 1 -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT

Lose the "-s 11.22.33.44" bit if you're not concerned about IP restriction.

Remove it again (copy-pasted except for the line number):

iptables -D INPUT -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT

and voila! Your firewall is as good as new.

If you're certain the rule is still number 1 when you want to remove it, you can also just do

iptables -D INPUT 1

But if something changed your firewall in the meantime, this will remove whatever is #1 now.
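Putting the pieces of this thread together: the script below is an added example (not code from any poster here or from the bubba project) that answers Puma's original question of opening the backup ports only while the backup job runs. It follows Gordon's layout of a user-defined chain reached from INPUT only for the backup host, and kenned's point that the open rule must be removed again afterwards; instead of deleting by rule number it flushes the chain, so it does not matter whether other rules moved in the meantime. Assumed values (all placeholders, not from any real host): interface eth0, chain name 'backup', ports 20,21,22 and the thread's example address 11.22.33.44. The -C (rule exists?) check needs iptables 1.4.11 or newer; setting DRY_RUN=1 prints the iptables commands instead of applying them, which is how you can read through what it would do before running it as root.

```shell
#!/bin/sh
# Added example, not code from the thread or the bubba project.
# Opens the backup ports for one source address only while a backup job runs,
# and closes them again even if the job fails. Assumed placeholders below.

BACKUP_CHAIN=${BACKUP_CHAIN:-backup}        # user-defined chain, as in Gordon's post
BACKUP_SRC=${BACKUP_SRC:-11.22.33.44}       # thread's placeholder address for the backup host
BACKUP_IF=${BACKUP_IF:-eth0}                # interface the backup host arrives on (assumed)
BACKUP_PORTS=${BACKUP_PORTS:-20,21,22}      # ftp-data, ftp, ssh

# Run iptables, or print the command when DRY_RUN=1. In dry-run mode every
# "-C" (does this rule exist?) check reports "absent" so the add path is shown.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
        if [ "$1" = "-C" ]; then return 1; fi
        return 0
    fi
    iptables "$@"
}

# One-time setup: create the chain, let already-tracked connections through,
# and jump into it from the top of INPUT for the backup host only. Safe to
# re-run: -N fails harmlessly if the chain exists and -C avoids a second jump.
backup_setup() {
    ipt -N "$BACKUP_CHAIN" 2>/dev/null || true
    ipt -F "$BACKUP_CHAIN"
    ipt -A "$BACKUP_CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -C INPUT -i "$BACKUP_IF" -s "$BACKUP_SRC" -j "$BACKUP_CHAIN" 2>/dev/null \
        || ipt -I INPUT 1 -i "$BACKUP_IF" -s "$BACKUP_SRC" -j "$BACKUP_CHAIN"
}

# Window open: accept new connections to the backup ports inside the chain.
# No catch-all rule here, so anything else falls through to the rest of INPUT.
backup_on() {
    ipt -A "$BACKUP_CHAIN" -p tcp -m multiport --dports "$BACKUP_PORTS" -j ACCEPT
}

# Window closed: flush the chain and keep only the conntrack rule, so a
# transfer still in progress can finish but no new connection is accepted.
backup_off() {
    ipt -F "$BACKUP_CHAIN"
    ipt -A "$BACKUP_CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Open the window, run the given command, and close the window on the way out.
# The EXIT trap is local to the subshell and fires whether the command
# succeeds or fails, so a failed backup never leaves the ports open.
backup_run() {
    (
        trap 'backup_off' EXIT
        backup_on
        "$@"
    )
}

# Command-line dispatch; with no arguments only the functions are defined,
# so the file can also be sourced from another script.
if [ $# -gt 0 ]; then
    case "$1" in
        setup) backup_setup ;;
        on)    backup_on ;;
        off)   backup_off ;;
        run)   shift; backup_run "$@" ;;
        *)     echo "usage: $0 setup|on|off|run <command...>" >&2 ;;
    esac
fi
```

Usage would be `./backup-window.sh setup` once (and, as Gordon notes, a `bubba-firewall restart` afterwards so the saved rule set includes the chain), then `./backup-window.sh run rsync ...` from cron for each backup. Because the chain only ever contains the conntrack rule and the port rule, `backup_off` never has to know a rule number, which avoids the "whatever is #1 now" problem kenned describes.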