Hi,

I have the following situation. I have a client box that is behind a dynamic IP, and I would like to open a specific port only for that client IP. Every time the IP changes I have to reconfigure the firewall (Shorewall) and the server application.

Is there a way to open a port from a script? My initial idea is to detect the change of IP on the client side, ssh to the server and execute a script to close the old IP and open for the new one. I can do a replace on the IP in /etc/shorewall/rules and reload Shorewall. Is there a more elegant way of doing it?

Any suggestions?

Thanks

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
On 19.10.2012 05:57, Hristo Benev wrote:

Good morning,

How about

Step 1.
You do ssh on your server from the client box with a non-privileged account into a specifically created home dir for that user.

Step 2a.
You detect this successful login in the system logs by tailing the log and evaluating the login attempts. Then you have the IP; you write this into a specific file.

or Step 2b.
You don't ssh from the client box, but you scp (secure copy over ssh) a file you created on the client box that contains the new IP.

Step 3.
You have a cron job running that looks for (via Makefile e.g.) modifications to the IP file and upon modification executes the make command. In the Makefile you have the commands to take your rules "basefile" (containing all rules you have in place anyway), combine it with the IP file's contents, append it to the shorewall rules file and after completion issue the shorewall restart command.

The benefits of this approach over your original idea are

a) you don't use a privileged account on either machine to transfer the IP information and you don't open a hole even if the client box is compromised
b) you can automate it quite nicely and even if you modify your own ruleset, it will "always" be incorporated

Does it help or does it look too complicated even after the third reading? ;-)

--
Florian Piekert, PMP floppy@floppy.org
==========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at floppy@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
Hello,

For this situation, I would prefer an approach involving a VPN (OpenVPN?). That way you would be sure that only that client would be able to access your firewall; then you just configure which access should be given to the VPN network, or you could even restrict by the VPN IP address given to the client.

Another way to implement what you said would be to use something like no-ip or dyndns on the client, creating a DNS entry like client.no-ip.com, and periodically check if the IP address has changed; if so, you reflect that on the firewall. Note that you'll have to have a daemon on the client side to update the IP address (http://sourceforge.net/apps/trac/ddclient/).

Still, I think the first option is the best and more secure.

regards
--
Duarte Rocha <dfr@eurotux.com>
_____________________________________________________
A)bort, R)etry, I)nfluence with large hammer.
-------- Original message --------
From: Duarte Fernandes Rocha dfr@eurotux.com
Subject: Re: [Shorewall-users] open port from script
To: shorewall-users@lists.sourceforge.net
Sent on: Friday, 2012, October 19 13:10:09 EEST

Unfortunately OpenVPN is not an option. I have UDP traffic between 2 servers and the internet at the client is very limited and of low quality.

Initially this was my idea... to use DNS and check on the server for an update, but the downside is that I have an additional delay. On the client side I can run a script after an IP change...

Thank you for the advice :)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Fri, Oct 19, 2012 at 5:57 AM, Hristo Benev <foxb@abv.bg> wrote:

You can also use a Port Knocking mechanism.

Regards
-------- Original message --------
From: Florian Piekert floppy@floppy.org
Subject: Re: [Shorewall-users] open port from script
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent on: Friday, 2012, October 19 08:59:57 EEST

Thank you for the advice...

It is not complicated ;) And actually that was one of my initial variants.

As for security concerns: the remote system is well secured (actually it is sort of an appliance). I can use the sudoers file and allow the user to execute a script that has the changes hardcoded... just the IP will be variable (or it can even be detected via the SSH_CLIENT variable). And in newer SSH implementations the user can be chrooted :)

Adding a daemon that periodically checks is adding additional delay... I was thinking to add a web server that is pinged and executes a script, but found SSH will be a more secure implementation.
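As an added example (not code from this thread, nor from the Shorewall project), here is one way to put Florian's "unprivileged ssh login, IP file, rebuild from a base file" steps and the SSH_CLIENT idea above into a single POSIX shell script: run as a forced command for a dedicated SSH user it records the caller's address, and run from root's cron it rebuilds the rules file and reloads. The paths, the UDP port and the rule line are assumptions; the point is that SSH_CLIENT is the only client-influenced value that reaches the rules file, so it is validated on both sides before use.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): server side of
# "ssh in with an unprivileged account, record the client IP, rebuild the
# Shorewall rules from a base file". Meant as a forced command in the dedicated
# user's ~/.ssh/authorized_keys, e.g.
#   command="/usr/local/bin/dynclient record",no-pty,no-port-forwarding ssh-ed25519 ...
# Paths, port and the rule line below are assumptions; adjust to your layout.

IP_FILE="${IP_FILE:-/var/lib/dynclient/client.ip}"    # written by the forced command
BASE_RULES="${BASE_RULES:-/etc/shorewall/rules.base}" # static rules (assumed layout)
RULES_FILE="${RULES_FILE:-/etc/shorewall/rules}"
PORT="${PORT:-5000}"                                   # placeholder UDP port

# Take the address out of SSH_CLIENT ("ip port port") and accept only a
# dotted-quad IPv4 address: it is validated, never trusted, because it is
# the one client-controlled value that ends up in the rules file.
client_ip_from_ssh_client() {
    ip="${1%% *}"
    case "$ip" in
        *[!0-9.]*|''|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s\n' "$ip"
}

# Rebuild the rules file: base rules plus one ACCEPT line for the recorded IP.
# Fails, leaving the output untouched, if the IP file is not a plain address.
build_rules() {   # args: ipfile basefile outfile
    ip=$(client_ip_from_ssh_client "$(cat "$1")") || return 1
    {
        cat "$2"
        printf 'ACCEPT\tnet:%s\t$FW\tudp\t%s\n' "$ip" "$PORT"
    } > "$3"
}

record_ip() {     # forced-command entry point (unprivileged user)
    ip=$(client_ip_from_ssh_client "${SSH_CLIENT:-}") || { echo "bad SSH_CLIENT" >&2; exit 1; }
    printf '%s\n' "$ip" > "$IP_FILE"
}

reload_if_changed() {   # cron entry point (root): act only when the IP file is newer
    [ "$IP_FILE" -nt "$RULES_FILE" ] || return 0
    build_rules "$IP_FILE" "$BASE_RULES" "$RULES_FILE" && shorewall reload
}

case "${1:-}" in
    record) record_ip ;;
    reload) reload_if_changed ;;
esac
```

Because the cron half re-validates the file contents instead of trusting what the SSH user wrote, a compromised client box can at most point the ACCEPT line at its own address, which is the same thing it could do by simply logging in.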
On 19.10.2012 14:17, Hristo Benev wrote:

Hello,

> It is not complicated ;)
> And actually that was one of my initial variants.
>
> As for security concerns.
> remote system is well secured (actually it is sort of appliance).
> I can use sudoers file and allow the user to execute script that has changes hardcoded... just IP will be variable (or even can be detected via SSH_CLIENT variable).
> And in newer SSH implementation user can be chrooted :)
>
> Adding daemon that periodically checks is adding additional delay...

If you check it with cron periodically, you can turn it down to once each minute. But if you put a script into the cron entry that is executed once a minute, you can have the script repeat the real "check process" behind it like this

check_updates
sleep 3
check_updates
sleep 3
...

and fill it up until you complete the minute, when the script is triggered again. This is a dirty variant, but leaves no delay (near to nothing).

> I was thinking to add a web server that is pinged and executes a script, but found SSH will be more secure implementation.

Does this represent a suitable cost/benefit ratio? And remember, you need privileged rights for modifying the shorewall config files. That's nothing I would like to see my apache doing...

--
Florian Piekert, PMP floppy@floppy.org
==========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at floppy@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
Another option would be port-knocking or single-packet authentication. These are comparatively simple methods of opening a port only to a specific address which has demonstrated it knows the pre-determined "combination" or is in possession of a cryptographic key you have issued. As such, they are only useful if the client user is known to you, so you can get them to perform the required connecting procedure.

It's pretty easy now to use the '-recent' match to create your own simple port-knocking solution entirely within iptables:
http://serverfault.com/questions/314604/setup-port-knocking-with-iptables-on-single-port

You can leverage Shorewall to create a more generally useful solution:
http://www.shorewall.net/PortKnocking.html

There are a variety of packages available for port-knocking (daemons and clients both), or you can create your own scripts:
http://portknocking.org/

If your security needs are greater, you might prefer single-packet authentication, which is more secure. Fwknop is a good package for single-packet authentication:
http://www.cipherdyne.org/fwknop/

I have also scripted my own single-packet authentication solution before. So, that is entirely possible if you prefer.