Changing iptables on the fly

Hi,

I wonder what the right solution is for following setup:

I have created a small program to run on a Windows PC. This program
sends a unique token via apache (www.xxx.com/check.php?token=12345)
were 12345 also contains the IP address in an encrypted way. If the
token is correct, the check.php file should now do something to enable
FTP for that IP address. I was thinging to change iptables rules to
accept TCP on port 21 for that IP address.
After a timeout period, the iptable rule will be removed.

- Is that a good and healthy way to think?
- Are there better solutions?
- Do I have to restart iptables every time I change something or is
there another way?
- If I always have to restart, wont this interfere with other services
that run on that server?

I'm sure some of you gurus can give me the correct answers.

Thanks in advance
Jan


--
jandoemen
------------------------------------------------------------ ------------
jandoemen's Profile: http://unixadmintalk.com270
View this thread: http://unixadmintalk.com/showthread.php?t=216154

Re: Changing iptables on the fly

jandoemen wrote:
> I have created a small program to run on a Windows PC. This program
> sends a unique token via apache (www.xxx.com/check.php?token=12345)
> were 12345 also contains the IP address in an encrypted way. If the
> token is correct, the check.php file should now do something to enable
> FTP for that IP address. I was thinging to change iptables rules to
> accept TCP on port 21 for that IP address.
> After a timeout period, the iptable rule will be removed.
>
> - Is that a good and healthy way to think?

It involves FTP and PHP, so the answer is "NO". In capital letters.

> - Are there better solutions?

That depends on what exactly you (or your users respectively) want to
achieve.

> - Do I have to restart iptables every time I change something or is
> there another way?

You don't "restart iptables". iptables is just a tool to manipulate
rules in netfilter, which is the packet filter of the Linux kernel.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Changing iptables on the fly

jandoemen wrote:
> I wonder what the right solution is for following setup:
> I have created a small program to run on a Windows PC. This program
> sends a unique token via apache (www.xxx.com/check.php?token=12345)
> were 12345 also contains the IP address in an encrypted way. If the
> token is correct, the check.php file should now do something to enable
> FTP for that IP address. I was thinging to change iptables rules to
> accept TCP on port 21 for that IP address.
> After a timeout period, the iptable rule will be removed.
> - Is that a good and healthy way to think?

No. Better implement a secure authentication scheme instead of using an
unencrypted token.

For example, you could implement some kind of challenge-response:

http://en.wikipedia.org/wiki/Challenge-response_authenticati on

> - Do I have to restart iptables every time I change something or is
> there another way?

The generic answer is: you don't need to. You can anytime modify one
table only.

Yours,
VB.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.

Re: Changing iptables on the fly

What I want to do is to only open port 21 when for those that have the
tool (our users) so noone else can use or even try to hack port 21.

One step better would be SFTP but I'm looking for three years now for a
working and good chroot solution. In that case I could use keys.

You stated that iptables shouldn't be restarted that netfilter does aal
the good stuff but how can I apply a changed rule than? Till now I did
"service iptables restart".

Thanks
Jan


--
jandoemen
------------------------------------------------------------ ------------
jandoemen's Profile: http://unixadmintalk.com270
View this thread: http://unixadmintalk.com/showthread.php?t=216154

Re: Changing iptables on the fly

jandoemen wrote:
> What I want to do is to only open port 21 when for those that have the
> tool (our users) so noone else can use or even try to hack port 21.

That was pretty clear from your posting. The question is *why* you want
to do that. What do you want to achieve with this implementation?

> One step better would be SFTP but I'm looking for three years now for
> a working and good chroot solution. In that case I could use keys.

Why do you need chrooted SSH? Would rssh or scponly suffice? Could you
use WebDAV?

> You stated that iptables shouldn't be restarted that netfilter does
> aal the good stuff but how can I apply a changed rule than?

Read Those Fine Manuals.

man iptables
http://www.netfilter.org/

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Changing iptables on the fly

On Sat, 14 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
, jandoemen wrote:

>I wonder what the right solution is for following setup:

Not enough information - what are you trying to do?

>I have created a small program to run on a Windows PC. This program
>sends a unique token via apache (www.xxx.com/check.php?token=12345)
>were 12345 also contains the IP address in an encrypted way. If the
>token is correct, the check.php file should now do something to enable
>FTP for that IP address. I was thinging to change iptables rules to
>accept TCP on port 21 for that IP address.

That's a variation on "Port Knocking" - point your browser at google,
and you'll find a few solutions, threads, discussions, etc.

Web Results 1 - 10 of about 1,840,000 for port+knocking. (0.18
seconds)

>After a timeout period, the iptable rule will be removed.

Normal - allow "NEW" connections from that address for a minute - then
remove the "NEW" rule - if a connection is made, the "ESTABLISHED" rule
will handle the "rest" of the "conversation".

>- Is that a good and healthy way to think?
>- Are there better solutions?

Not enough details - but probably not the best way to go. Using PHP is
almost certainly a bad idea, and port knocking normally doesn't use a
web service as the key. There really are _much_ better solutions. As
one minor example of the disaster you are playing with - changing the
firewall rules requires root privileges, and are you really so insane
as to run apache as root?

>- Do I have to restart iptables every time I change something or is
>there another way?

No

>- If I always have to restart, wont this interfere with other services
>that run on that server?

iptables is a configuration tool. The firewall is already running as
part of the kernel.

>I'm sure some of you gurus can give me the correct answers.

Only if you explain what you are doing, and what you have as a goal.

>jandoemen's Profile: http://unixadmintalk.com270

Your wonky web formum is actually forwarding this to a Usenet newsgroup.
You'd have better results if you actually used a news reader directly,
and looked at the 'comp.os.linux.security' newsgroup where this might
be appropriate. Be sure to include information of what distribution
you are using, and what version of that distribution.

Old guy

Re: Changing iptables on the fly

Thanks to all of you especially Moe.

I didn't know there existed something like portknocking but I guess
it's the same idea except a few things I didn't found in other
solutions.

After spending a few days studying the concept I have a few remarks:

Simple portknocking is not so very secure because of the same sequence
every time. Dynamic knocking is better but more complex.

The main reason I'm looking for a web solution is:
- It works on port 80 so even when the company firewall is very secure
.... if you can surf the Internet => it works.
- I prefer dynamic tokens above static port numbers.
- A small client can be written very easy in every language

So here the brute steps to my idea:

- Client requests a normal URL
Code:
--------------------
e.g. www.mydomain.com/knockknock.php?token=2b28PUcJwvGLO8aIhgiC3X 7gCnlaNlh9
--------------------

(where the token is a 32 or more character encrypted (MD5 or other)
combination of the received token (read on) and the ip address)
- The web server (php/apache) will decrypt the received token and
check if the "old token" is in a "valid token file" (read on)
- When the token is found in the file it will be removed.
- The IP address of the request is compared with the IP address in
the received token.
- If all is OK, a new token is generated, written in the "valid token
file" and sent to the client as response. The client will store it for
use the next login.
- The correct port is opened where you still have to login with a
valid user/pw combo


Does anyone knows of an existing tool that will do similar things? If
not ... I know I'm partly reinventing the wheel but it has to work on
port 80 (or another port that is seldom blocked) and I like the aspect
of unique keys.

What do you think? Any suggestions/remarks?

Thanks in advance. You all get a copy when it is ready ;-)
Jan


--
jandoemen
------------------------------------------------------------ ------------
jandoemen's Profile: http://unixadmintalk.com/270
View this thread: http://unixadmintalk.com/showthread.php?t=216154

Re: Changing iptables on the fly

On Mon, 23 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
, jandoemen wrote:

>I didn't know there existed something like portknocking but I guess
>it's the same idea except a few things I didn't found in other
>solutions.

The concept has been around since the 1980s.

>Simple portknocking is not so very secure because of the same sequence
>every time. Dynamic knocking is better but more complex.

and complexity is what trips people all the time. Do not make things
so complex that _your_ procedure is the major cause of problems.
Also remember that port knocking is not a means of authentication, but
a mechanism to reduce the hammering on your server by J. Random
Skript_Kiddiez and the "mal-ware de heure". If someone manages to sniff
the wire and discover the knock - they still have to come up with the
username and authentication token, and that is where your security lies.
When I first set up portknocking on my home system, I initially had it to
change port numbers daily... then weekly... and now I don't even bother,
because the logs show no one has even attempted the knock (though there
are hundreds of port-scans every day - a feature of wide-band access),
never mind getting access to the SSH login to even _try_ a username.

>The main reason I'm looking for a web solution is:
>- It works on port 80 so even when the company firewall is very secure
>.. if you can surf the Internet => it works.

Depends - like most larger companies, we use proxy servers and block
direct access to the world. Remember that the company network is for
company use - not the individual. We have several systems located in
employee break areas that are separate from the company network so that
we can check personal mail, and so on - it's actually how I'm posting
this. But these systems have no removable media drives, and the users
do not have administrative/root privileges and so can't install _ANY_
software. Users have access to three web browsers, three news readers,
four mail tools, and a telnet and SSH client. All of these applications
are configured to not remember passwords, cookies, or any other individual
configurations. /home/guest is a tiny but separate partition, and the
logout script removes all user owned files from that partition.

>- I prefer dynamic tokens above static port numbers.

Don't get it to complicated.

>- A small client can be written very easy in every language

Why is one needed? Again, the company systems here rarely have removable
media (it's not needed to do the job), and our users don't have admin/root
privileges on the company systems. Can you demonstrate why such privileges
are needed to do your job?

Old guy

Re: Changing iptables on the fly

Wow Moe, seldom had someone replying so in depth and with such a
dedication. Thanks a lot already.

You convinced me to try the simple knock. Before I spend trying the
other 37 solutions I found maybe you can tell me your opinion of what
the best or a good PK daemon is. I would appreciate it very much.

Thanks
Jan


--
jandoemen
------------------------------------------------------------ ------------
jandoemen's Profile: http://unixadmintalk.com/270
View this thread: http://unixadmintalk.com/showthread.php?t=216154

Re: Changing iptables on the fly

On Thu, 26 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
, jandoemen wrote:

>Wow Moe, seldom had someone replying so in depth and with such a
>dedication. Thanks a lot already.

I'm a network admin - I have to deal with complex solutions that are proposed
by my users to solve elementary problems. Usually the real solution is a heck
of a lot simpler than they are proposing.

>You convinced me to try the simple knock. Before I spend trying the
>other 37 solutions I found maybe you can tell me your opinion of what
>the best or a good PK daemon is. I would appreciate it very much.

What I'd suggest is using the firewall directly. You stated this was Linux,
so that's 'iptables' otherwise known as 'netfilter'. So start with the
unofficial HOWTOs from Rusty Russell
(http://www.iptables.org/documentation/HOWTO/), to learn the options - the
document you want is

[TXT] netfilter-extensions-HOWTO.txt 17-Oct-2004 14:34 79K

and the keyword you are looking for is 'recent' (section 3.16). To see one
way this is used, look at http://www.soloport.com/iptables.html - which
uses an 'open' and 'close' knock, though he's using the default SSH port.
I prefer a slightly different technique, of using the knock to open a
non-default port (minor additional security) but only for a short time
(the --seconds and --remove rules). You then depend on the 'established'
rule to _maintain_ the connection. However this is all a personal
preference rather than a 'best' vs 'not-so-good' situation.

By the way, the reason most people don't recommend the PHP technique you
were proposing is simple. For your technique to work, you have to have an
open port - and PHP is the _last_ thing I'd want exposed to the world.
With the firewall based knock - either directly, or through a bash script
that monitors the firewall logs[1], there is nothing open. Nothing open
means nothing to exploit.

Old guy

[1] http://www.phantomcode.com/bashiptableportknocking/ is one example with
a link to a tarball (though it's a lot more complicated than need be)