On Mon, Sep 07, 2009 at 03:27:56PM +0000, Penguin Lover James squawked:
> Willie Wong <wwong <at> math.princeton.edu> writes:
> >
> > On my setup, I just block almost everything (except ssh) by default
> > and maintain a white-list of IPs.
>
> Can you share with us how you "white-list" IPs via your
> iptables setup? That is your code you add to your startup
> script and your iptables syntax on those white/black listed
> IPs?
Hum? The init script for iptables automatically saves and loads the policy, at least with SAVE_ON_STOP="yes" in /etc/conf.d/iptables, so I don't have any special configs in any start-up scripts. I built my tables using the command line. A good quick intro guide is at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5.

The static part of the table looks something like this:

    Chain INPUT (policy ACCEPT)
    target              prot opt source          destination
    ACCEPT              all  --  192.168.0.0/16  anywhere
    ACCEPT              all  --  localhost       anywhere
    general_port_block  all  --  anywhere        anywhere
    ssh_blacklist       all  --  anywhere        anywhere

    Chain general_port_block (1 references)
    target  prot opt source    destination
    DROP    tcp  --  anywhere  anywhere     tcp dpt:ftp
    DROP    tcp  --  anywhere  anywhere     tcp dpt:urd
    DROP    tcp  --  anywhere  anywhere     tcp dpt:smtp
    DROP    tcp  --  anywhere  anywhere     tcp dpt:http
    DROP    tcp  --  anywhere  anywhere     tcp dpt:http-alt
    DROP    tcp  --  anywhere  anywhere     tcp dpt:https
    DROP    tcp  --  anywhere  anywhere     tcp dpt:783
    DROP    tcp  --  anywhere  anywhere     tcp dpt:ipp

If you know iptables at all, you can probably figure out what I did to set it up(*). The 'general_port_block' chain is just to make things tidier.

So you see, I set the default policy to allow connections. I whitelist first the LAN and localhost. Then I filter everything through the two chains. The general_port_block chain is static, and it blocks a bunch of services, some of which I run (but which I only want my family to access from the LAN), some I don't. As you can see, I don't block ssh, because I sometimes travel a bit. So instead, I have a separate chain that helps a bit in slowing down brute force attacks. The ssh_blacklist chain is dynamically generated via a perl script. The script monitors the ssh logs and blocks IPs for a certain period of time after either an attempt to log in as root, or five failed log-in attempts. (I have locked myself out once or twice from a hotel when I accidentally hit the capslock...)
Basically you just add a target to be blocked to the iptables and use atd to remove it some time later.

(*) If you don't know iptables, man iptables.

> What do you use to maintain these white/black lists of IPs,
> tools and philosophy.....?

My philosophy is common sense. I white list those IPs that I want to be able to access the services. I black list those I don't. For services like ssh, I pray that my efforts are secure enough.

HTH,

W
-- 
I am so happy that Willetta is in my life. What would I do without her? Probably go insane. In fact, I am insanely in love with Willetta, so I am insane right now... but...
Sortir en Pantoufles: up 1005 days, 9:25
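The setup Willie describes, written out as an added example (this is not his perl script or his actual rules, and the port list is read off the chain listing in the post). It rebuilds the static table with the same structure (policy ACCEPT, LAN and localhost whitelisted first, then the general_port_block and ssh_blacklist chains), then applies his two blacklist rules to sshd log lines: any login attempt as root, or five failed logins from one address, gets a DROP in ssh_blacklist that an at(1) job removes later. The log lines, the 30-minute block duration and the DRY_RUN switch are assumptions made here so the script can be exercised without root; with DRY_RUN=1 (the default) it prints the iptables and at commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's own script. Rebuilds the static table from
# the post and implements the ssh_blacklist rules he describes. DRY_RUN=1
# prints commands instead of running them (no root needed); set DRY_RUN=0
# and run as root to apply for real.
DRY_RUN="${DRY_RUN:-1}"
LAN=192.168.0.0/16
BLOCK_MINUTES="${BLOCK_MINUTES:-30}"   # block duration: an assumption, not from the post

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Static part: policy ACCEPT, whitelist LAN and localhost first, then jump to
# the two chains. Ports are the /etc/services names from the listing:
# ftp 21, urd 465, smtp 25, http 80, http-alt 8080, https 443, 783, ipp 631.
build_static_rules() {
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    for chain in general_port_block ssh_blacklist; do
        run iptables -N "$chain" 2>/dev/null || true   # chain may already exist
        run iptables -F "$chain"
    done
    run iptables -A INPUT -s "$LAN" -j ACCEPT
    run iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    run iptables -A INPUT -j general_port_block
    run iptables -A INPUT -j ssh_blacklist
    for port in 21 465 25 80 8080 443 783 631; do
        run iptables -A general_port_block -p tcp --dport "$port" -j DROP
    done
}

# Dynamic part: read sshd log lines on stdin and print, one per line, the
# addresses that earned a block: any attempt as root, or >= 5 failed logins.
# Output is sorted so it is deterministic regardless of awk's array order.
offending_ips() {
    awk '
        /sshd\[[0-9]+\]:/ && / from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ / for root from /)      root[ip] = 1   # any root attempt
            else if ($0 ~ /Failed password/) fails[ip]++    # count failures
        }
        END {
            for (ip in root) print ip
            for (ip in fails) if (fails[ip] >= 5 && !(ip in root)) print ip
        }' | sort -u
}

# Insert the DROP, then hand the matching -D to atd so the block expires.
# The -D rule spec must match the inserted rule exactly or -D finds nothing.
block_ip() {
    ip=$1
    run iptables -I ssh_blacklist -s "$ip" -j DROP
    unblock="iptables -D ssh_blacklist -s $ip -j DROP"
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$unblock' | at now + $BLOCK_MINUTES minutes"
    else
        echo "$unblock" | at now + "$BLOCK_MINUTES" minutes
    fi
}

# Constructed sshd log lines (RFC 5737 documentation addresses), not real data:
# 198.51.100.9 fails five times, 203.0.113.5 tries root once, 192.0.2.77 is
# a legitimate user with one typo followed by a successful key login.
SAMPLE_LOG='Sep  7 15:01:02 box sshd[1201]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  7 15:01:04 box sshd[1202]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Sep  7 15:01:06 box sshd[1203]: Failed password for invalid user oracle from 198.51.100.9 port 40003 ssh2
Sep  7 15:01:08 box sshd[1204]: Failed password for invalid user test from 198.51.100.9 port 40004 ssh2
Sep  7 15:01:10 box sshd[1205]: Failed password for invalid user guest from 198.51.100.9 port 40005 ssh2
Sep  7 15:02:00 box sshd[1210]: Failed password for root from 203.0.113.5 port 40010 ssh2
Sep  7 15:03:00 box sshd[1220]: Failed password for alice from 192.0.2.77 port 40020 ssh2
Sep  7 15:03:05 box sshd[1221]: Accepted publickey for alice from 192.0.2.77 port 40021 ssh2'

# Demo (dry run): emit the static rules, then block whatever the sample earns.
build_static_rules
printf '%s\n' "$SAMPLE_LOG" | offending_ips | while read -r ip; do block_ip "$ip"; done
```

Two things to watch if you turn this into a real log watcher: the at job only works because its `-D` repeats the rule spec verbatim, so any change to how the rule is inserted must be mirrored there; and an address that trips the rule again while its first block is pending gets a second, identical DROP that outlives the first at job, so check with `iptables -C ssh_blacklist -s "$ip" -j DROP` before inserting (or track pending blocks yourself) if you want the expiry to mean anything.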

