Tiny firewall blocking everything except like 10 hosts
Forum rules
We don't support installations in VirtualBox, VMWare, qemu or others. We ignore posts about WINE, PlayOnLinux, Steam and Skype. We don't support btrfs, lvm, UEFI, side-by-side installations with GPT or dualboot with anything newer than Windows XP.
Google your problem first. Check the Wiki. Read the existing threads. It's okay to "hijack" an existing thread, yes! If your problem is not yet covered, open a new thread. To get the quickest possible help, mention the exact release codename in your post (uname -a is a good idea, too). Due to the lack of crystal balls, attach the output of lspci -nnk if you encounter hardware problems.
I know the name of the BBQ game is tiny. This is why I bring this question up to everyone here. I was looking for the smallest firewall that can allow only a handful of hostnames outbound. I wanted to set up a kiosk with a handful of addresses which don't all have static IP addresses. I know I visited this a couple of years back using iptables and a script which detected the hostname and converted it to an IP, and I'd be willing to do that again if nobody has another idea (also, heck if I can find my script to do that again; it would be nice if someone has any knowledge of setting this up again without relearning from soup to nuts).
Does that make sense?
Thanks
- Baconator
- Posts: 10253
- Joined: Thu Sep 16, 2010 11:03 am
- Location: Pfälzerwald
Re: Tiny firewall blocking everything except like 10 hosts
The easiest would be setting a /etc/hosts.allow and /etc/hosts.deny list:
/etc/hosts.deny would contain the line to globally restrict everything, first:
Code:
ALL: ALL
and in /etc/hosts.allow you put all domains that should be reached
Code:
ALL: .linuxbbq.org
ALL: .wikipedia.org
# allow DNS service of google.com
ALL: 8.8.8.8 8.8.4.4
for example. Then remember to restart the networking service
Code:
sudo service networking start
You can use a 'real' firewall called 'iptables', too. If not yet installed, get it from the repos. It's a bit more 'complicated' to set up, but it would be a firewall that can be fine-tuned, and not a global blocking of IP ranges.
I'd try /etc/hosts.allow and .deny first.
http://its.virginia.edu/unixsys/sec/hosts.html
If you want to restrict certain users of certain groups on your computer to access certain domains, this is also manageable in /etc/hosts - but for this, please use your google-fu :) "/etc/hosts.deny netgroups" will bring up what you need.
..gnutella..
Re: Tiny firewall blocking everything except like 10 hosts
That would be great if it would be that simple. I tried it and didn't have luck.
The only thing in the hosts.deny was
ALL: ALL
and the only 2 lines in the hosts.allow file were
ALL: .newsday.com
ALL: 8.8.8.8 8.8.4.4
then I can access every site after I restart networking,
but when I just leave ALL: .newsday.com
then I can't access www.newsday.com or any site at all.
Strange.
- Baconator
- Posts: 10253
- Joined: Thu Sep 16, 2010 11:03 am
- Location: Pfälzerwald
Re: Tiny firewall blocking everything except like 10 hosts
Ah okay, this is just for incoming connections. Remove the /etc/hosts.deny and .allow entries first and restart networking.
Then it's either iptables or ufw, you have the choice. Probably iptables, because it's a tad lighter. There are some other frontends, see https://wiki.archlinux.org/index.php/Fi ... _frontends
Anyway, for iptables here's what I found on google:
http://safesrv.net/quick-how-to-denyall ... -iptables/
http://wiki.centos.org/HowTos/Network/IPTables
http://unix.stackexchange.com/questions ... 1854#11854
Set up to ACCEPT certain IPs, you add those after checking the IP address with traceroute or ping, then as last you set a policy to REJECT all others. Remember to save the table so it's recreated after a reboot (iptables-save)
As root:
Code:
iptables -I INPUT -s 55.64.17.184 -j ACCEPT
iptables -I INPUT -s 8.8.8.8 -j ACCEPT
iptables -A INPUT -j REJECT
# iptables-save only prints the current rules to stdout; redirect its output to a file
# and load that file with iptables-restore at boot, otherwise the rules are gone after a reboot
iptables-save
should do the trick. -I inserts, -A appends, so be sure to check the iptables before you add something (iptables -L), because the iptables are read from up to down.
If you get it to work, please write us a little HowTo, I am sure this will be helpful for some! Thank you in advance!
..gnutella..
Re: Tiny firewall blocking everything except like 10 hosts
Excellente. OK, here is what I got. I actually did have to do what I originally said, which was using iptables and a script. For anyone else interested, here is what I wound up doing, which is fast and small. You will need to modify it if you know hosts have more than 1 IP address.
I will have this run every 15 minutes just to make sure the IP address didn't change.
Code:
#!/bin/bash
# Simple example of allowing only 1 remote www site through using iptables
# (everything else on port 80 is dropped; other ports, and IPv6, stay open)
host="www.newsday.com"
hostip="$(gethostip -d "$host")"   # gethostip (package syslinux-utils) prints one IPv4 address
# If the lookup fails, $hostip is empty, the ACCEPT rule below would be rejected by iptables
# and the DROP rule alone would be left in place. Bail out before touching the tables.
if [ -z "$hostip" ]; then
    echo "could not resolve $host, leaving the rules untouched" >&2
    exit 1
fi
### SECTION 1
## First completely clear and reset the iptables. Normally I used iptables -F but that doesn't work all the time
###
# IPv6
##
## set default policies to let everything in
ip6tables --policy INPUT ACCEPT
ip6tables --policy OUTPUT ACCEPT
ip6tables --policy FORWARD ACCEPT
##
## start fresh
ip6tables -Z   # zero counters
ip6tables -F   # flush (delete) rules
ip6tables -X   # delete all extra chains
# IPv4
##
## set default policies to let everything in
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
##
## start fresh
iptables -Z   # zero counters
iptables -F   # flush (delete) rules
iptables -X   # delete all extra chains
### END SECTION 1
## End of resetting the iptables
###
### SECTION 2
## Allow inbound and outbound for our host above which dynamically gets the ip address and saves it to variable $hostip
###
iptables -A OUTPUT -d "$hostip" -j ACCEPT
#iptables -A INPUT -s "$hostip" -j ACCEPT #Not necessary
iptables -A OUTPUT -p tcp --dport 80 -j DROP
# Might as well add restarting code to the script here
service networking restart
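Baconator's INPUT-chain commands above and n-sky's script both allowlist a single address by hand. The script below is an added example, not code from this thread or from any of the posters, that generalises the same idea to a list of hostnames where each name may have several A records, and that closes the gaps the thread itself points out: the kiosk's other ports and IPv6 stay open in n-sky's version. It assumes an allowlist file with one hostname per line (the path /etc/kiosk-allowlist.txt is an assumption), the same 8.8.8.8/8.8.4.4 resolvers used earlier in the thread, that the kiosk needs only HTTP and HTTPS, and that the conntrack, multiport and comment iptables match modules are available, which they are on any stock Debian kernel. The rule generator is separated from the apply step so it can be inspected (or tested) without root.

```shell
#!/bin/sh
# Added example (not the thread's own code): generate and load an outbound
# allowlist with iptables-restore. Assumptions: the allowlist file holds one
# hostname per line, DNS goes to the resolvers named below, and the kiosk only
# needs HTTP/HTTPS to the listed hosts. Rerun from cron (e.g. every 15 minutes)
# so changed A records are picked up.

# Resolvers the kiosk may query (assumption, following the thread's 8.8.8.8/8.8.4.4).
DNS_SERVERS="8.8.8.8 8.8.4.4"

# resolve_hosts: read hostnames from stdin, print "host ip" lines, one per
# IPv4 address, so hosts with several A records get several rules.
resolve_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        addrs=$(getent ahostsv4 "$host" 2>/dev/null | awk '!seen[$1]++ { print $1 }')
        if [ -z "$addrs" ]; then
            echo "warning: $host did not resolve, no rule added" >&2
            continue
        fi
        for ip in $addrs; do
            printf '%s %s\n' "$host" "$ip"
        done
    done
}

# build_rules: read "host ip" lines from stdin and print an iptables-restore
# ruleset: default DROP on every chain, loopback and established traffic
# allowed, DNS only to the configured resolvers, and HTTP/HTTPS only to the
# resolved addresses. Each host rule carries a comment so `iptables -S OUTPUT`
# shows which hostname an address belongs to.
build_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for dns in $DNS_SERVERS; do
        printf '%s\n' "-A OUTPUT -d $dns -p udp --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -d $dns -p tcp --dport 53 -j ACCEPT"
    done
    while read -r host ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "-A OUTPUT -d $ip -p tcp -m multiport --dports 80,443 -m comment --comment \"$host\" -j ACCEPT"
    done
    # An explicit reject at the end gives the browser an immediate error instead of a timeout.
    printf '%s\n' '-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited' 'COMMIT'
}

# ipv6_rules: the thread's script leaves ip6tables at ACCEPT, which lets any
# dual-stack site through unfiltered. Close IPv6 except loopback.
ipv6_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Apply: iptables-restore loads the whole set atomically, so a malformed
# ruleset is rejected as a whole and never leaves a half-applied policy.
if [ "${1:-}" = "--apply" ]; then
    allowlist="${2:-/etc/kiosk-allowlist.txt}"   # assumed path, one hostname per line
    resolve_hosts < "$allowlist" | build_rules | iptables-restore
    ipv6_rules | ip6tables-restore
fi
```

Run it as root with `sh kiosk-fw.sh --apply /etc/kiosk-allowlist.txt` from a cron entry at whatever interval matches the thread's 15 minutes, and check what is loaded with `iptables -S OUTPUT`; the comment on each rule ties the address back to the hostname it was resolved from. Without `--apply` the script only defines the functions, so `resolve_hosts < list | build_rules` can be used to preview the ruleset. Two caveats that apply to any IP-based allowlist, including the scripts earlier in the thread: a site behind a CDN shares its addresses with many other sites, so allowing the address allows them too, and a name that fails to resolve on one run simply drops out of the allowlist, which is why the generator warns on stderr rather than silently emitting nothing.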
- wuxmedia
- Grasshopper
- Posts: 6454
- Joined: Wed Oct 17, 2012 11:32 am
- Location: Back in Blighty
Re: Tiny firewall blocking everything except like 10 hosts
cool, we use shorewall at work, insane amount of config though.
just sits on top of iptables, so not super light.
(iptables always fucked with my head)
Re: Tiny firewall blocking everything except like 10 hosts
^ I have ipkungfu setup on our server. Not hard to config, works fine and lightly.
- Baconator
- Posts: 10253
- Joined: Thu Sep 16, 2010 11:03 am
- Location: Pfälzerwald
Re: Tiny firewall blocking everything except like 10 hosts
Quite a lot of stuff for iptables in the repos (apt-cache search iptables), guess it boils down to how much you want to fine-tune.
Thanks n-sky for the script!
..gnutella..
Re: Tiny firewall blocking everything except like 10 hosts
@GekkoP
I was curious and was checking out ipkungfu as a possible long-term general solution. I don't see anywhere in the documentation how to allow the workstation to access only a handful of www sites. Something like blocking every website coming in except for 5 sites. Think of it as a kiosk where the user can only access 5 sites.
Are you familiar enough with the configuration to guide me to test that out too, since I saw it was pretty small and might be a good general firewall tool if I can get it to do what I need in this case?
The script I provided above doesn't block anything else incoming or outgoing besides just websites, meaning it's basically open to any other possible malicious port infiltration on the workstation through the network.
Re: Tiny firewall blocking everything except like 10 hosts
^ No, unfortunately I don't know how to limit access with ipkungfu. On my setup only a couple of ports are open and the rest is out.
- wuxmedia
- Grasshopper
- Posts: 6454
- Joined: Wed Oct 17, 2012 11:32 am
- Location: Back in Blighty
Re: Tiny firewall blocking everything except like 10 hosts
This ubuntu page has:
They are located in /etc/ipkungfu/ and are:
accept_hosts.conf : IP addresses of hosts or nets to always ACCEPT and optionally the ports they are allowed to access
not sure if that helps