Another method to manage users and groups from given IPs/subnets (not just any user from a given IP or subnet) is to use PAM's access.conf (pam_access.so, found defined in the /etc/pam.d directory, with the config file usually in /etc/security/access.conf) to augment the firewall ruleset. It needs to be enabled (RHEL systems have an option to enable it at install, with a benign commented-out access.conf file from which to start; Ubuntu also appears to have it enabled by default, but has the rules in access.conf commented out).

*A word of warning though* - this doesn't just control access from the network, but also from the console (local), including ttys (non-graphical) and pts/* devices (graphical shells). Locking yourself out, in part or in full, and everyone else out, with a bad configuration is definitely possible (trust me, I know ;-) ).

The payoff, however, in learning and using this method is finer-grained control over who has login access and from where a given user or group of users has access. It's a part of PAM authentication, and to get started you can search for pam_access or PAM access.conf, plus your distribution of choice. Just be sure you configure and understand the rules you've set in the access.conf file before locking down with the final rule "- : ALL : ALL". I suggest testing rules on a virtual machine with a snapshot made prior to applying changes, or having a live CD boot disk handy with physical access to the system.

Cheers,
Ben

On Thu, May 12, 2011 at 11:31 AM, keith smith wrote:
>
> Interesting thought! Thank you Joseph!
>
> ------------------------
> Keith Smith
>
> --- On Wed, 5/11/11, Joseph Sinclair wrote:
>
> From: Joseph Sinclair
> Subject: Re: IPTables on LAMP server in data center
> To: "Main PLUG discussion list"
> Date: Wednesday, May 11, 2011, 10:42 PM
>
> You could also use tcp wrappers for this, and that's a bit faster, not to
> mention simpler.
> Note: this setup will end up locking out all communication not specifically
> listed in hosts.allow; so make sure hosts.allow is correct before modifying
> hosts.deny.
>
> It's best to enable something like telnet temporarily while working on the
> SSH controls, just in case you lock yourself out.
>
> In hosts.allow:
> sshd:ip.ad.dr.ess/NN (local net, ip address + netmask in CIDR notation)
> sshd:ip.ad.dr.ess (specific internet host, repeat as needed)
> httpd: ALL
>
> In hosts.deny:
> ALL: ALL
>
>
> On 05/11/2011 07:52 PM, Richard Wilson wrote:
> > Keith,
> >
> > What you have is fine and will work, but here's something that will make
> > it faster and more maintainable:
> >
> > # Create an SSH Access Table
> > iptables -N SSHACS
> >
> > Right before your "#Data center Local network" line, put:
> >
> > # Handle SSH Traffic
> > iptables -A INPUT -p tcp --dport 22 -j SSHACS
> >
> > Then for each IP you want to grant SSH Access to:
> > iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
> >
> > This is faster because it won't go through each rule for non-SSH
> > traffic. Splitting similar rules like this can be a big help in complex
> > rule sets.
> >
> > HTH,
> >
> > Richard Wilson
> > ---------------------------------------------------------------
> > On 05/11/2011 07:24 PM, keith smith wrote:
> >>
> >> Hi,
> >>
> >> I'm rather new to IPTables. I've written a shell script to update and
> >> save the IPTables on a web server that only has HTTPD, SSL, Secured FTP,
> >> and SSH available.
> >>
> >> I need to be able to access the server via SSH and SFTP and want to only
> >> allow the data center's local net and only those, by IP, that I allow to
> >> access the box over the Internet. Port 80 and 443 should be open to
> >> everyone.
> >>
> >> I'm hoping someone or a couple of people can look at what I have written
> >> and give me some feedback. I've already locked myself out of one server
> >> so I would like to avoid that again.
> >>
> >> Thanks in advance for your help!
> >>
> >> - - - - - - -
> >>
> >> #!/bin/bash
> >> #
> >> # iptables configuration for xxxxxxxxxxx
> >> #------
> >> # Flush all current rules from iptables
> >> iptables -F
> >>
> >> # Drop all forwarded packets
> >> iptables -P FORWARD DROP
> >>
> >> # Set access for localhost
> >> iptables -A INPUT -i lo -j ACCEPT
> >>
> >> # Port 80 for everyone
> >> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>
> >> # Port 443 for everyone
> >> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> >>
> >> # No SMTP/POP/MySql/Named ... ETC
> >>
> >> # Accept packets belonging to established and related connections
> >> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>
> >> #---------------------------------------------------------------------------------------------
> >> # Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
> >> #---------------------------------------------------------------------------------------------
> >>
> >> #Data center Local network
> >> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
> >>
> >> #User 1
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #user 2
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #user 3
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #---------------------------------------------------------------------------------
> >> # - - - - Add additional consultants here and run script again - - - - -
> >> #---------------------------------------------------------------------------------
> >>
> >> # Data Center Staff from outside
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #-----------------------------------------------------------------------------
> >> # - - - - Add additional Data Center staff here and run script again - - - - -
> >> #-----------------------------------------------------------------------------
> >>
> >> # Allow all outbound traffic
> >> iptables -P OUTPUT ACCEPT
> >>
> >> # Drop everything else
> >> iptables -P INPUT DROP
> >>
> >> # Save settings
> >> /sbin/service iptables save
> >>
> >> # List rules
> >> iptables -L -v
> >>
> >>
> >> ------------------------
> >> Keith Smith
> >>
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
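Richard's dedicated SSHACS chain and the lock-out worry that runs through the whole thread, as an added example that is not code from any of the posters: a POSIX sh script that generates the chain from an allow list of "ip" or "ip/prefix" entries, rejects malformed or placeholder entries such as 999.999.999.999 before anything is applied, and refuses to proceed when the operator's own SSH source address (first field of SSH_CLIENT) is not covered by the list. The allow-list format and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: builds Richard's SSHACS chain
# from an allow list of "ip" / "ip/prefix" entries and refuses to go on
# when this session's own SSH source (SSH_CLIENT) is not on that list.
# The list format and the function names are assumptions of this example.

# ip_to_int 192.168.100.5 -> 3232261125; fails on a malformed dotted quad
ip_to_int() (
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR ENTRY: succeeds when ADDR lies inside ENTRY (bare IP = /32)
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    base=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# lockout_guard "ENTRY ..." [SRC]: fails when the operator's own SSH source
# (SRC, default: first field of SSH_CLIENT) would be cut off by the list;
# a console session with no SSH_CLIENT has nothing to lose and passes.
lockout_guard() {
    src=${2:-${SSH_CLIENT%% *}}
    [ -z "$src" ] && return 0
    for e in $1; do in_cidr "$src" "$e" && return 0; done
    return 1
}

# sshacs_rules "ENTRY ...": prints the iptables commands for the chain;
# fails before printing anything on a bad entry such as 999.999.999.999
sshacs_rules() {
    for e in $1; do
        in_cidr "${e%/*}" "$e" || { echo "bad entry: $e" >&2; return 1; }
    done
    echo "iptables -N SSHACS"
    echo "iptables -A INPUT -p tcp --dport 22 -j SSHACS"
    for e in $1; do echo "iptables -A SSHACS -s $e -j ACCEPT"; done
}
```

Packets that match nothing in SSHACS return to INPUT and fall to its policy, which Keith's script sets to DROP, so the chain needs no terminating rule of its own; run `lockout_guard "$LIST" && sshacs_rules "$LIST" | sh` only after checking the printed rules.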