Another method to manage users and groups from given IPs/subnets (not just any user from a given IP or subnet) is to use PAM's access.conf (pam_access.so, defined in the /etc/pam.d directory, with the config file usually in /etc/security/access.conf) to augment the firewall ruleset.

It needs to be enabled (RHEL systems have an option to enable it at install, with a benign, commented-out access.conf file to start from; Ubuntu also appears to have it enabled by default, but with the rules in access.conf commented out).

A word of warning though: this doesn't just control access from the network, but also from the console (local), including ttys (non-graphical) and pts/* devices (graphical shells). Locking yourself out, in part or in full, and everyone else out, with a bad configuration is definitely possible (trust me, I know ;-) ).

The payoff, however, in learning and using this method is finer-grained control over who has login access and from where a given user or group of users has access.

It's part of PAM authentication, and to get started you can search for pam_access or PAM access.conf, plus your distribution of choice. Just be sure you configure and understand the rules you've set in the access.conf file before locking down with the final rule "- : ALL : ALL". I suggest testing rules on a virtual machine with a snapshot made prior to applying changes, or having a live CD boot disk handy with physical access to the system.

Cheers,
Ben
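The first-match behaviour Ben is warning about can be dry-run before a real login depends on it. The following is an added example, not code from the thread or from Linux-PAM: a small evaluator for the "permission : users : origins" subset of access.conf (ALL, LOCAL, EXCEPT, user names, (group) names, tty/host names, addresses and CIDR networks). The three sample files and the users, groups and origins fed to them are constructed for the example.

```python
"""Offline evaluator for a subset of pam_access(8) access.conf rules.

Added example, not from the list thread or Linux-PAM. Assumptions: the
sample files and the users/groups/origins below are made up; only ALL,
LOCAL, EXCEPT, user names, (group) names, host/tty names, plain IP
addresses and CIDR networks are handled.
"""
import ipaddress

# Constructed sample: console access for root and wheel, one consultant from
# one address, then the catch-all deny.
GOOD_CONF = """\
# access.conf (constructed for this example)
+ : root : LOCAL
+ : (wheel) : LOCAL 192.168.100.0/28
+ : ben : 203.0.113.10
- : ALL : ALL
"""

# Same idea with the catch-all first: every later line is dead, root included.
MISORDERED_CONF = """\
- : ALL : ALL
+ : root : LOCAL
"""

# No catch-all at all: pam_access permits whatever matches no rule.
OPEN_CONF = """\
+ : ben : 203.0.113.10
"""


def parse_access_conf(text):
    """Return [(allow, users, origins, lineno)] for each non-comment rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split(), lineno))
    return rules


def _user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # "(wheel)": group membership
        return item[1:-1] in groups
    return item == user   # real pam_access also tries bare names as groups; omitted here


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        # pam_access: LOCAL matches any origin without a '.', i.e. tty1, pts/0, ...
        return "." not in origin
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return item == origin          # host name or tty name: literal match
    try:
        return addr in ipaddress.ip_network(item, strict=False)   # "a.b.c.d" or "a.b.c.d/NN"
    except ValueError:
        return False


def _field_matches(items, match):
    """'a b EXCEPT c': match something on the left and nothing on the right."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _field_matches(items[:i], match) and not _field_matches(items[i + 1:], match)
    return any(match(item) for item in items)


def evaluate(rules, user, groups, origin):
    """First matching rule wins; returns (allowed, matching line number or None).

    No matching rule means pam_access grants access, which is why the final
    "- : ALL : ALL" matters.
    """
    for allow, users, origins, lineno in rules:
        if (_field_matches(users, lambda u: _user_matches(u, user, groups))
                and _field_matches(origins, lambda o: _origin_matches(o, origin))):
            return allow, lineno
    return True, None


def simulate(conf_text, user, groups, origin):
    return evaluate(parse_access_conf(conf_text), user, groups, origin)


def console_lockout(conf_text, admin_users):
    """Admins (assumed to be in group wheel) who could no longer log in on tty1."""
    return [u for u in admin_users if not simulate(conf_text, u, ["wheel"], "tty1")[0]]


if __name__ == "__main__":
    for conf, name in ((GOOD_CONF, "good"), (MISORDERED_CONF, "misordered"), (OPEN_CONF, "open")):
        print(name, "locks out on console:", console_lockout(conf, ["root", "alice"]))
        print(name, "mallory from 198.51.100.7:", simulate(conf, "mallory", [], "198.51.100.7"))
```

Run it against a copy of your own access.conf with the (user, groups, origin) triples you care about, the console ones included, before the catch-all deny goes live; the misordered and open samples show the two failure modes (everyone denied, or everyone not named permitted) that a snapshot or live CD would otherwise be recovering from.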

On Thu, May 12, 2011 at 11:31 AM, keith smith <klsmith2020@yahoo.com> wrote:

Interesting thought!  Thank you Joseph!

------------------------
Keith Smith

--- On Wed, 5/11/11, Joseph Sinclair <plug-discussion@stcaz.net> wrote:

From: Joseph Sinclair <plug-discussion@stcaz.net>

Subject: Re: IPTables on LAMP server in data center
To: "Main PLUG discussion list" <plug-discuss@lists.plug.phoenix.az.us>
Date: Wednesday, May 11, 2011, 10:42 PM


You could also use TCP Wrappers for this, and that's a bit faster, not to mention simpler.
Note: this setup will end up locking out all communication not specifically listed in hosts.allow; so make sure hosts.allow is correct before modifying hosts.deny.

It's best to enable something like telnet temporarily while working on the SSH controls, just in case you lock yourself out.

    In hosts.allow:
# local net: IP address + netmask in CIDR notation
sshd: ip.ad.dr.ess/NN
# specific Internet host, repeat as needed
sshd: ip.ad.dr.ess
httpd: ALL

    In hosts.deny:
ALL: ALL


On 05/11/2011 07:52 PM, Richard Wilson wrote:
> Keith,
>
> What you have is fine and will work, but here's something that will make it faster and more maintainable:
>
> # Create an SSH Access Table
> iptables -N SSHACS
>
> Right before your "#Data center Local network" line, put:
>
> # Handle SSH Traffic
> iptables -A INPUT -p tcp --dport 22 -j SSHACS
>
> Then for each IP you want to grant SSH Access to:
> iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
>
> This is faster because it won't go through each rule for non-SSH traffic.  Splitting similar rules like this can be a big help in complex rule sets.
>
> HTH,
>
> Richard Wilson
> ---------------------------------------------------------------
> On 05/11/2011 07:24 PM, keith smith wrote:
>>
>> Hi,
>>
>> I'm rather new to IPTables.  I've written a shell script to update and save the IPTables on a web server that only has HTTPD, SSL, Secured FTP, and SSH available.
>>
>> I need to be able to access the server via SSH and SFTP and want to only allow the data center's local net and only those, by IP, that I allow to access the box over the Internet.  Port 80 and 443 should be open to everyone.
>>
>> I'm hoping someone or a couple of people can look at what I have written and give me some feedback.  I've already locked myself out of one server so I would like to avoid that again.
>>
>> Thanks in advance for your help!
>>
>> - - - - - - -
>>
>> #!/bin/bash
>> #
>> # iptables configuration for xxxxxxxxxxx
>> #------
>> # Flush all current rules from iptables
>> iptables -F
>>
>> # Drop all forwarded packets
>> iptables -P FORWARD DROP
>>
>> # Set access for localhost
>> iptables -A INPUT -i lo -j ACCEPT
>>
>> # Port 80 for everyone
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>
>> # Port 443 for everyone
>> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>>
>> # No SMTP/POP/MySql/Named ... ETC
>>
>> # Accept packets belonging to established and related connections
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> #---------------------------------------------------------------------------------------------
>> # Allow SSH/FTP connections on tcp port 22 for only those we want to FTP or SSH into the box
>> #---------------------------------------------------------------------------------------------
>>
>> #Data center Local network
>> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
>>
>> #User 1
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #user 2
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #user 3
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #---------------------------------------------------------------------------------
>> # - - - - Add additional consultants here and run script again -  - - - -
>> #---------------------------------------------------------------------------------
>>
>> # Data Center Staff from outside
>> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
>>
>> #-----------------------------------------------------------------------------
>> # - - - - Add additional Data Center staff here and run script again -  - - - -
>> #-----------------------------------------------------------------------------
>>
>>
>> # Allow all outbound traffic
>> iptables -P OUTPUT ACCEPT
>>
>> # Drop everything else
>> iptables -P INPUT DROP
>>
>>
>> # Save settings
>> /sbin/service iptables save
>>
>> # List rules
>> iptables -L -v
>>
>>
>> ------------------------
>> Keith Smith
>>
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
>


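Keith's script and Richard's SSHACS chain, expressed as a generator for iptables-restore(8) input. This is an added example, not code from the thread: it keeps the same policy (80/443 open, SSH from the data center LAN plus listed hosts, everything else dropped), but writes the table as one file so the kernel swaps the whole ruleset at COMMIT instead of flush-then-append, and it validates each source with Python's ipaddress module so a placeholder such as 999.999.999.999 is caught before a half-loaded table locks anyone out. Only the 192.168.100.0/28 LAN comes from the script; the entries in SSH_HOSTS are constructed stand-ins from the RFC 5737 documentation ranges.

```python
"""Emit the thread's ruleset in iptables-restore format with a dedicated SSH chain.

Added example, not code from the thread. SSH_HOSTS is constructed; the
192.168.100.0/28 LAN is the one in Keith's script.
"""
import ipaddress
import sys

LOCAL_NETS = ["192.168.100.0/28"]           # data center local network, from the script
SSH_HOSTS = {                               # constructed stand-ins for the 999.999.999.999 entries
    "consultant 1": "203.0.113.10",
    "consultant 2": "203.0.113.11",
    "data center staff": "198.51.100.5",
}
PUBLIC_TCP_PORTS = (80, 443)


def invalid_sources(specs):
    """Return the entries iptables would reject (bad address or prefix length)."""
    bad = []
    for spec in specs:
        try:
            ipaddress.ip_network(spec, strict=False)
        except ValueError:
            bad.append(spec)
    return bad


def build_ruleset(local_nets=LOCAL_NETS, ssh_hosts=SSH_HOSTS, public_ports=PUBLIC_TCP_PORTS):
    """Return the filter table as iptables-restore text."""
    sources = list(local_nets) + list(ssh_hosts.values())
    bad = invalid_sources(sources)
    if bad:
        raise ValueError(f"not valid addresses/networks: {bad}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",       # default deny; takes effect at COMMIT together with the rules
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":SSHACS - [0:0]",         # user chain for SSH sources, as in Richard's reply
        "-A INPUT -i lo -j ACCEPT",
        # conntrack first, so an admin's existing SSH session survives a reload
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for port in public_ports:
        lines.append(f"-A INPUT -p tcp --dport {port} --syn -j ACCEPT")
    # only new SSH connections go to SSHACS; anything not accepted there
    # returns to INPUT, finds no further rule and hits the DROP policy
    lines.append("-A INPUT -p tcp --dport 22 --syn -j SSHACS")
    for spec in sources:
        net = ipaddress.ip_network(spec, strict=False)   # normalises a host to /32
        lines.append(f"-A SSHACS -s {net} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # python3 gen_rules.py | iptables-restore --test   (parse only, commit nothing)
    # python3 gen_rules.py | iptables-restore          (atomic load)
    sys.stdout.write(build_ruleset())
```

Pipe the output through `iptables-restore --test` first; it parses the whole table without committing it, which catches a typo that the append-one-rule-at-a-time script would only discover after the earlier rules were already live. The `service iptables save` step from the script writes the running table back out in this same format, so the generated file is also what ends up persisted on an RHEL-style system.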