Tiny firewall blocking everything except like 10 hosts

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm


Unread post by nassausky » Fri May 08, 2015 2:16 am

I know the name of the BBQ game is tiny. This is why I bring this question up to everyone here. I was looking for the smallest firewall that can allow only a handful of hostnames outbound. I wanted to set up a kiosk with a handful of addresses which don't all have static IP addresses. I know I visited this a couple of years back using iptables and a script which detected the hostname and converted it to an IP, and I'd be willing to do that again if nobody has another idea (also, heck if I can find my script to do that again; it would be nice if someone has any knowledge of setting this up again without relearning from soup to nuts).

Does that make sense?

Thanks

machinebacon
Baconator
Posts: 10253
Joined: Thu Sep 16, 2010 11:03 am
Location: Pfälzerwald

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by machinebacon » Fri May 08, 2015 4:41 am

The easiest would be setting a /etc/hosts.allow and /etc/hosts.deny list:

/etc/hosts.deny

would contain the line to globally restrict everything, first:

ALL: ALL
and in /etc/hosts.allow you put all domains that should be reached

ALL: .linuxbbq.org
ALL: .wikipedia.org
# allow DNS service of google.com
ALL: 8.8.8.8 8.8.4.4
for example. Then remember to restart the networking service

sudo service networking start
You can use a 'real' firewall called 'iptables', too. If not yet installed, get it from the repos. It's a bit more 'complicated' to set up, but it would be a firewall that can be fine-tuned, and not a global blocking of IP ranges.
I'd try /etc/hosts.allow and .deny first.

http://its.virginia.edu/unixsys/sec/hosts.html

If you want to restrict certain users of certain groups on your computer to access certain domains, this is also manageable in /etc/hosts - but for this, please use your google-fu :) "/etc/hosts.deny netgroups" will bring up what you need.

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by nassausky » Fri May 08, 2015 4:45 pm

That would be great if it would be that simple. I tried it and didn't have luck

The only thing in the hosts.deny was
ALL: ALL

and the only 2 lines in the hosts.allow file were
ALL: .newsday.com
ALL: 8.8.8.8 8.8.4.4

then I can access every site after I restart networking

but when I just leave ALL: .newsday.com

then I can't access www.newsday.com or any site at all.

Strange.

machinebacon
Baconator
Posts: 10253
Joined: Thu Sep 16, 2010 11:03 am
Location: Pfälzerwald

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by machinebacon » Fri May 08, 2015 5:58 pm

Ah okay, this is just for incoming connections. Remove the /etc/hosts.deny and .allow entries first and restart networking.

Then it's either iptables or ufw, you have the choice. Probably iptables, because it's a tad lighter. There are some other frontends, see https://wiki.archlinux.org/index.php/Fi ... _frontends

Anyway, for iptables here's what I found on google:
http://safesrv.net/quick-how-to-denyall ... -iptables/
http://wiki.centos.org/HowTos/Network/IPTables
http://unix.stackexchange.com/questions ... 1854#11854

Set it up to ACCEPT certain IPs: you add those after checking the IP address with traceroute or ping, then last you set a policy to REJECT all others. Remember to save the table so it's recreated after a reboot (iptables-save).

As root:
iptables -I INPUT -s 55.64.17.184 -j ACCEPT
iptables -I INPUT -s 8.8.8.8 -j ACCEPT
iptables -A INPUT -j REJECT
iptables-save

should do the trick. -I inserts, -A appends, so be sure to check the iptables before you add something (iptables -L), because the iptables are read from top to bottom.
If you get it to work, please write us a little HowTo, I am sure this will be helpful for some! Thank you in advance!

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by nassausky » Sat May 09, 2015 2:57 am

Excellente. OK, here is what I got. I actually did have to do what I originally said, which was using iptables and a script. For anyone else interested, here is what I wound up doing, which is fast and small. You will need to modify it if you know hosts have more than one IP address.

I will have this run every 15 minutes just to make sure the ip address didn't change.


#!/bin/bash

# Simple example of blocking web (port 80) access to everything except one
# remote website using iptables. Meant to be re-run from cron (every 15 minutes)
# so the allowed address follows the host's DNS record.

host="www.newsday.com"
# gethostip comes from the syslinux-utils package; -d prints the dotted address.
hostip="$(gethostip -d "$host")"

# If the lookup failed, stop here: with an empty $hostip the ACCEPT rule below
# would not be added and the port-80 DROP would cut off the allowed site too.
if [ -z "$hostip" ]; then
    echo "Could not resolve $host, leaving current rules in place" >&2
    exit 1
fi

### SECTION 1
## First completely clear and reset the iptables. Normally I used iptables -F but that doesn't work all the time
###

# IPv6

   ##
   ## set default policies to let everything in
   ip6tables --policy INPUT   ACCEPT
   ip6tables --policy OUTPUT  ACCEPT
   ip6tables --policy FORWARD ACCEPT

   ##
   ## start fresh
   ip6tables -Z   # zero counters
   ip6tables -F   # flush (delete) rules
   ip6tables -X   # delete all extra chains

# IPv4

   ##
   ## set default policies to let everything in
   iptables --policy INPUT   ACCEPT
   iptables --policy OUTPUT  ACCEPT
   iptables --policy FORWARD ACCEPT

   ##
   ## start fresh
   iptables -Z   # zero counters
   iptables -F   # flush (delete) rules
   iptables -X   # delete all extra chains

### END SECTION 1
## End of resetting the iptables
###

### SECTION 2
## Allow outbound traffic to the host resolved above (saved in $hostip), then
## drop all other outbound HTTP (port 80). HTTPS (443) and other ports are not touched.
###

iptables -A OUTPUT -d "$hostip" -j ACCEPT
#iptables -A INPUT -s "$hostip" -j ACCEPT   # Not necessary
iptables -A OUTPUT -p tcp --dport 80 -j DROP

# Might as well add restarting code to the script here
service networking restart
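Putting together machinebacon's ACCEPT-then-REJECT recipe and the resolve-and-reload script above, here is an added example of the same idea done as a complete outbound allow-list. It is not code from this thread: the hostnames in ALLOWED_HOSTS, the resolver addresses and the /etc/iptables/rules.v4 path are assumptions for the example. It resolves every A record for each host with getent (so sites with several addresses are covered), writes one iptables-restore ruleset with a default DROP policy on INPUT and OUTPUT, allows loopback, established connections and DNS to the named resolvers, permits only ports 80 and 443 to the allowed addresses, and loads the whole table in one atomic step instead of flushing first, so there is no moment where everything is open. A failed lookup leaves the current rules untouched rather than locking the kiosk out.

```shell
#!/bin/sh
# Outbound allow-list for a kiosk: build an iptables-restore ruleset from a list
# of hostnames and apply it atomically. Added example for this thread, not the
# poster's script. Hostnames, resolver IPs and RULES_FILE are assumptions.
set -eu

ALLOWED_HOSTS="www.newsday.com linuxbbq.org"   # assumed kiosk allow-list
DNS_SERVERS="8.8.8.8 8.8.4.4"                  # resolvers the kiosk is configured to use
RULES_FILE="/etc/iptables/rules.v4"            # assumed path (iptables-persistent layout)

# resolve_v4 NAME -> every IPv4 address for NAME, one per line.
# getent ahostsv4 lists all A records (repeated per socket type), hence sort -u.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# build_rules "DNS IPs" "HOST IPs" -> iptables-restore text on stdout.
# Takes plain IP lists so it can be checked without root or network access.
build_rules() {
    dns_list="$1"
    host_ips="$2"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Name resolution only to the configured resolvers (UDP and TCP 53).
    for ip in $dns_list; do
        printf '%s\n' "-A OUTPUT -d $ip -p udp --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -d $ip -p tcp --dport 53 -j ACCEPT"
    done
    # Web traffic only to the resolved addresses of the allowed hosts.
    for ip in $host_ips; do
        printf '%s\n' "-A OUTPUT -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Explicit REJECT so a blocked page fails fast in the browser; the chain
    # policy is DROP anyway, so nothing slips through if this line is missing.
    printf '%s\n' "-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited"
    printf '%s\n' "COMMIT"
}

# count_rules TEXT -> number of -A lines, for logging and sanity checks.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A'
}

# apply_rules: resolve, generate, test-parse, load atomically, persist.
apply_rules() {
    ips=""
    for h in $ALLOWED_HOSTS; do
        resolved=$(resolve_v4 "$h") || resolved=""
        if [ -z "$resolved" ]; then
            # Never replace a working ruleset with one that lacks an allowed
            # host; cron will retry on the next run.
            echo "lookup failed for $h, keeping current rules" >&2
            return 1
        fi
        ips="$ips $resolved"
    done
    rules=$(build_rules "$DNS_SERVERS" "$ips")
    # --test parses without committing; the real load swaps the whole table
    # in one step, unlike flush-then-append.
    printf '%s\n' "$rules" | iptables-restore --test
    printf '%s\n' "$rules" | iptables-restore
    printf '%s\n' "$rules" > "$RULES_FILE"
    echo "applied $(count_rules "$rules") IPv4 rules"
}

# Only touch the firewall when invoked as: allowlist.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run it from cron every 15 minutes as `sh allowlist.sh apply`; without the `apply` argument it only defines the functions, so the generator can be inspected on a workstation by calling `build_rules` by hand. The block covers IPv4 only: if the kiosk has IPv6 connectivity, the same policy has to be loaded through ip6tables-restore as well, or the browser will reach blocked sites over their AAAA records.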

wuxmedia
Grasshopper
Posts: 6454
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by wuxmedia » Sat May 09, 2015 8:42 am

Cool. We use shorewall at work, insane amount of config though.
It just sits on top of iptables, so not super light.
(iptables always fucked with my head)

GekkoP
Emacs Sancho Panza
Posts: 5878
Joined: Tue Sep 03, 2013 7:05 am

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by GekkoP » Sat May 09, 2015 8:48 am

^ I have ipkungfu set up on our server. Not hard to config, works fine and lightly.

machinebacon
Baconator
Posts: 10253
Joined: Thu Sep 16, 2010 11:03 am
Location: Pfälzerwald

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by machinebacon » Sat May 09, 2015 10:41 am

Quite a lot of stuff for iptables in the repos (apt-cache search iptables), guess it boils down to how much you want to fine-tune.

Thanks n-sky for the script!

nassausky
apt-getter
Posts: 83
Joined: Wed May 06, 2015 1:15 pm

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by nassausky » Sat May 09, 2015 2:34 pm

@GekkoP
I was curious and was checking out ipkungfu as a possible long term general solution. I don't see anywhere in the documentation how to allow the workstation to access only a handful of www sites. Something like blocking every website coming in except for 5 sites. Think of it as a kiosk where the user can only access 5 sites.

Are you familiar enough with the configuration to guide me in testing that out too, since I saw it was pretty small and might be a good general firewall tool if I can get it to do what I need in this case?

The script I provided above doesn't block anything else incoming or outgoing besides just websites, meaning it's basically open to any other possible malicious port infiltration on the workstation through the network.

GekkoP
Emacs Sancho Panza
Posts: 5878
Joined: Tue Sep 03, 2013 7:05 am

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by GekkoP » Sun May 10, 2015 7:37 am

^ No, unfortunately I don't know how to limit access with ipkungfu. On my setup only a couple of ports are open and the rest is out.

wuxmedia
Grasshopper
Posts: 6454
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: Tiny firewall blocking everything except like 10 hosts

Unread post by wuxmedia » Sun May 10, 2015 9:37 am

This Ubuntu page has:

    They are located in /etc/ipkungfu/ and are:

    accept_hosts.conf : IP addresses of hosts or nets to always ACCEPT and optionally the ports they are allowed to access

Not sure if that helps.
