Koozali.org: home of the SME Server

sme 7.4 iptables template

micromike
sme 7.4 iptables template
« on: March 23, 2009, 02:07:16 PM »
Hello

I'm looking for a way to add my own rules for the firewall (iptables).

Where can I find the template for iptables? Or how do I create it?

The reason I'm asking is that I have to allow an external IP for ssh.

I couldn't find any way to do it via the web GUI / admin login.

Thanks Mika.


Stefano
Re: sme 7.4 iptables template
« Reply #1 on: March 23, 2009, 02:41:48 PM »
Hi Mika, and welcome.

I suggest you read the documentation carefully, as (almost) everything you need is there.

To solve your problem, read here.

HTH
Ciao
Stefano

janet
Re: sme 7.4 iptables template
« Reply #2 on: March 24, 2009, 03:21:04 AM »
micromike

Quote
Reason why I'm asking I have allow external ip for ssh.

For finer control, use db settings for the firewall:
http://wiki.contribs.org/SME_Server:Documentation:FAQ#DB_Settings

(replace the service name as required)
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

micromike
Re: sme 7.4 iptables template
« Reply #3 on: March 24, 2009, 07:01:10 AM »
Like this:
config setprop sshd AllowHosts 1.2.3.4,10.11.12.0/24

OK,

Custom templates
Allow incoming IP address

    * I want to allow All traffic from some ip-addresses to my server.

Create a custom template and list the IP's

mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
pico -w /etc/e-smith/templates-custom/etc/ssh/sshd_config
/sbin/iptables -A INPUT -p tcp --dport 22 -s 69.212.12.x/32 -j ACCEPT


expand and restart

/sbin/e-smith/expand-template /etc/ssh/sshd_config
/etc/init.d/sshd restart

Good, I need to make a few tests.


Thanks for pointing me in the right direction  :cool:

janet
Re: sme 7.4 iptables template
« Reply #4 on: March 24, 2009, 08:19:34 AM »
micromike

Quote
I want to allow All traffic from some ip-addresses to my server.

In that case, don't bother with custom templates.
As already suggested, just add that host IP to the Remote Access panel in server manager, i.e. to allow all traffic from that address.
This will treat users on that host IP as part of the local network, and as such they have all the privileges that a local user would have, so use it wisely.


micromike
Re: sme 7.4 iptables template
« Reply #5 on: March 24, 2009, 03:40:19 PM »
Well, we are close, but not at the end goal.

I took this list from iptables -L:

Chain InboundTCP_3486 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !10.0.0.10
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.10           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.10           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.10           tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.10           tcp dpt:25

Here is the old rule which allows connecting from the internet via ssh into the SME server:
ACCEPT     tcp  --  217.30.yyy.xx        10.0.0.10           tcp dpt:22

that's the rule, I'm looking for way to change it


>> according to the web-manager page:
Remote Management

It is possible to allow hosts on remote networks to access the server manager by entering those networks here. Use a subnet mask of 255.255.255.255 to limit the access to the specified host. Any hosts within the specified range will be able to access the server manager using HTTPS.

>> that's for HTTPS, not for SSH, or am I wrong???

That's from the backup server, from which I'm trying to connect to the office server through ssh:

[root@linuxserver ~]# ssh -vv 194.252.yyy.xxx
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 194.252.yyy.xxx [194.252.yyy.xxx] port 22.
debug1: connect to address 194.252.yyy.xxx port 22: Connection timed out
ssh: connect to host 194.252.yyy.xxx port 22: Connection timed out
[root@linuxserver ~]#

Both are running SME Server 7.4. In the office there is a firewall which forwards ssh traffic to the SME server.
They are using NAT in the office.

The other choice is to switch off the firewall on the SME server, but how?

I tried iptables -F once, but that froze the box, and after a reboot the firewall was back on.



Thanks Mika.



janet
Re: sme 7.4 iptables template
« Reply #6 on: March 24, 2009, 07:41:41 PM »
micromike

Sorry, I meant to say add the IP to the Local networks panel.
That only works for local networks though.

There are db commands to do what you want
http://forums.contribs.org/index.php/topic,34333.msg147942.html#msg147942

sme7 has put this control (& many others too) into the config database, so end users/admins have no need to get directly involved with tweaking firewall rules etc., which, if you don't know what you are doing, is a risky business and may well create an insecure server.

For controlling email access

Note though that blocking IPs is usually only temporarily useful, as spammers change IPs often; it is far better to rely on RBL lists, and hope they get updated quickly.

This will block the sender's IP for smtp at the firewall.

db configuration setprop smtpd DenyHosts xxx.xxx.xxx.xxx
signal-event remoteaccess-update

where xxx.xxx.xxx.xxx is the IP address you want to block. You can add multiple IP addresses by comma separating them.


For controlling ssh access

This will allow ssh access ONLY from the designated IP's & block all other sources.

/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts xxx.xxx.xxx.xxx
/sbin/e-smith/signal-event remoteaccess-update

or

/sbin/e-smith/db configuration setprop sshd TCPPort 22
/sbin/e-smith/db configuration setprop sshd AllowHosts x.x.x.1,y.y.y.2
/sbin/e-smith/signal-event remoteaccess-update

To enter multiple AllowHosts IPs, comma separate the IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24), as in the above example.

ssh will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.


For controlling web access

This will block access attempts to your web server from the designated IP(s).
Note also that this will be successful at blocking robots etc., as their IPs are often static or a group of static IPs, but as hackers change IPs often, blocking ports to stop hackers is like chasing your own tail.

db configuration setprop httpd-e-smith DenyHosts zz.zzz.zz.zzz
signal-event remoteaccess-update

where zz.zzz.zz.zzz is the remote host IP.
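The db commands above take a comma-separated list of IPv4 addresses and/or CIDR netmasks, and a typo in that list (a bad octet, a prefix over 32, a stray comma) is easy to make when typing it at the console. The following script is an added example, not SME Server's own code or anything from its templates: it validates an AllowHosts value in the format described in the reply above before it is handed to `db configuration setprop sshd AllowHosts ...`, and prints the iptables rules that express the resulting "ssh only from these hosts" policy. The rule output is an illustration of the policy the thread describes (ACCEPT for each listed source, DROP for everyone else on the port), not the literal output of the SME firewall template; the function names, the `sh` syntax and the sample host lists are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SME Server code): validate a sshd AllowHosts value and
# render the equivalent iptables policy for the ssh port.
# Assumes POSIX sh and the format used in the thread:
# comma-separated IPv4 addresses and/or IPv4/prefix netmasks.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    ip=$1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a plain IPv4 address or an IPv4/prefix with prefix 0-32.
valid_host_entry() {
    entry=$1
    case $entry in
        */*)
            addr=${entry%%/*}; pfx=${entry#*/}
            case $pfx in ''|*[!0-9]*) return 1 ;; esac
            [ "$pfx" -le 32 ] || return 1
            valid_ipv4 "$addr"
            ;;
        *)
            valid_ipv4 "$entry"
            ;;
    esac
}

# Validate a whole comma-separated AllowHosts value.
# Returns 0 if every entry is acceptable, 1 otherwise (bad entry on stderr).
validate_allowhosts() {
    list=$1
    [ -n "$list" ] || { echo "empty host list" >&2; return 1; }
    oldifs=$IFS; IFS=,
    set -- $list
    IFS=$oldifs
    for e in "$@"; do
        valid_host_entry "$e" || { echo "bad entry: '$e'" >&2; return 1; }
    done
    return 0
}

# Print the iptables rules that express "ssh only from these hosts":
# one ACCEPT per allowed source, then a DROP for any other source on the
# port. Illustrative policy only; SME generates its own chains from the db.
allowhosts_rules() {
    list=$1; port=${2:-22}
    validate_allowhosts "$list" || return 1
    oldifs=$IFS; IFS=,
    set -- $list
    IFS=$oldifs
    for e in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $e -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Example run with constructed sample values (not real hosts):
# validate first, and only then run the db commands from the thread.
if validate_allowhosts "16.17.18.19,203.14.64.0/24"; then
    allowhosts_rules "16.17.18.19,203.14.64.0/24"
    # /sbin/e-smith/db configuration setprop sshd AllowHosts 16.17.18.19,203.14.64.0/24
    # /sbin/e-smith/signal-event remoteaccess-update
fi
```

Running the validation before `signal-event remoteaccess-update` matters because a malformed entry only shows up once the firewall has been regenerated, at which point the admin may already be locked out of ssh from the address they meant to allow.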

micromike
Re: sme 7.4 iptables template
« Reply #7 on: March 25, 2009, 08:37:42 AM »
Thanks, it works now.   :grin:


Mika.

micromike
Re: sme 7.4 iptables template [Resolved]
« Reply #8 on: March 25, 2009, 08:38:48 AM »
Issue resolved.

janet
Re: sme 7.4 iptables template [Resolved]
« Reply #9 on: March 25, 2009, 08:40:31 AM »
micromike

What method and/or command(s) did you use to resolve your problem?


micromike
Re: sme 7.4 iptables template
« Reply #10 on: March 25, 2009, 09:56:13 AM »
This one:

/sbin/e-smith/db configuration setprop sshd AllowHosts xxx.xxx.xxx.xxx
/sbin/e-smith/signal-event remoteaccess-update

>> The next step is to get affa working, but that's another story.  :eek: