
how to open/close firewall port 21 22 with script?

Puma
Posts: 230
Joined: 29 Sep 2008, 06:30

how to open/close firewall port 21 22 with script?

Post by Puma »

Gents,

I want to control a remote backup and be safe....

So I want to use a script that opens the firewall port 21 or 22 for backup purposes.
when backup is done I want the script to close the ports to prevent external attack.
Does anyone know the ssh commands for this?

I can start and stop the services for example:

FTP
/etc/init.d/proftpd (stop, start, restart)

debian openssh ssh control
/etc/init.d/ssh start
/etc/init.d/ssh restart
/etc/init.d/ssh stop
Thanks in advance

Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: how to open/close firewall port 21 22 with script?

Post by Ubi »

First of all, simply moving your SSH port to some obscure number (666 is a winner for me) is already near-100% effective in deterring script kiddies without any hassle with firewall rules.

But to answer the question: generally this is easy to do, but the firewall script in bubba is braindead beyond comprehension so there's a bit of a trick involved: First make sure the default is that port 21 is in "closed" mode, either in the web interface or by editing out the lines in /etc/network/firewall.conf.
Then, if you want to open a port, run this line in a shell script (this assumes IP address 11.22.33.44 is the remote IP). By using the -I flag, the rule is injected at the top so that it actually works.

Code:

iptables -I INPUT -s 11.22.33.44 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

If you want to close the port again, DO NOT RUN /etc/init.d/bubba-firewall restart:
For some reason this actually only saves the current rules and DOES NOT stop and restart the firewall or even reload the old firewall rules (Carl, are you reading this?). In other words, if you mess about with your bubba and reload the firewall because it did not work out, you're royally screwed, and may need to go find a rescue USB.

instead do:

Code:

/sbin/iptables-restore /etc/network/firewall.conf

Hope this helps
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: how to open/close firewall port 21 22 with script?

Post by Gordon »

You'll actually accomplish the same as the last line when you issue /etc/init.d/bubba-firewall start (without the "re"). But yes, I do think the bubba firewall script is flaky. For one, the web interface doesn't pick up on the fact that you have restricted access to a specific port to certain addresses (it will show as fully opened).

What I did find is that the firewall script will only consider the INPUT table, but you can add custom tables if you like. Working from your example you might input the following:

Code:

iptables -N backup    # creates table 'backup'
iptables -F backup    # empties table 'backup'
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT    # allows existing connections to continue
iptables -A INPUT -i eth0 -s 11.22.33.44 -j backup   # tells the firewall to process rules in table 'backup' when ip 11.22.33.44 connects

Then the 'backup on' routine would be:

Code:

iptables -A backup -p tcp -m multiport --dports 20,21,22 -j ACCEPT

And the 'backup off' routine:

Code:

iptables -F backup
iptables -A backup -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

A really cool solution for this is to make use of the ipset match rule, but for this you will need to install the xtables-addons first. Using ipset you can dynamically change which IP(s) will be allowed to enter the 'backup' table, without actually changing a single iptables rule. Safer...
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: how to open/close firewall port 21 22 with script?

Post by Ubi »

Wouldn't the -A rule be ignored if you consider that the machine has already been loaded with firewall rules that end in a global deny?
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: how to open/close firewall port 21 22 with script?

Post by Gordon »

No. It is the policy that is set to deny (it is actually drop - meaning that it doesn't give any response whatsoever), not a rule.

One thing I should have mentioned. Once the first piece of code has been entered, you should issue a /etc/init.d/bubba-firewall restart. This will save that part of the firewall configuration, and every change you make afterwards using the web interface won't touch these unknown rules. When in doubt you may also add these rules manually in the /etc/network/firewall.conf file and place them in front of the first '-A' rule (in that case issue a `bubba-firewall start` after editing).
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: how to open/close firewall port 21 22 with script?

Post by Ubi »

tnx

but why does your rule only block established and not new traffic?
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: how to open/close firewall port 21 22 with script?

Post by Gordon »

Ubi wrote:
> tnx
>
> but why does your rule only block established and not new traffic?

It doesn't.

The first rule verifies the connection tracker whether it is an existing connection and if so allows it to continue. The second rule, which would be the 'on' command, would allow new connections to be established on ports ftp-data, ftp and ssh. Since the 'backup' table (or whatever you name it) does not contain a catch-all rule, processing will then continue with the next rule in the 'INPUT' table.
Puma
Posts: 230
Joined: 29 Sep 2008, 06:30

Re: how to open/close firewall port 21 22 with script?

Post by Puma »

Gordon and Ubi,

Thanks for your examples.

Would it be safe enough to only let one IP address access ftp?

Only add in firewall.conf:

Code:

-A INPUT -s 111.111.111.111 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 21 -j ACCEPT

Then only a computer with this 111.111.111.111 IP address can access ftp, or am I wrong?

Puma
Linux is like a wigwam - no windows, no gates, apache inside!
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: how to open/close firewall port 21 22 with script?

Post by Gordon »

Puma,

I actually have something similar in my own ruleset (for ssh). The problem with such a rule is that the web interface for bubba-firewall will then also show this port as opened (but not the IP restriction). That may be confusing. If you follow my hint on creating the user defined table and putting the allow FTP rule in there, you'll stay out of the way of the bubba-firewall settings. You may in fact even be able to use the web interface to toggle global FTP access on and off without messing up the one rule that you want activated always.

Gordon
kenned
Posts: 12
Joined: 27 Feb 2011, 13:55

Re: how to open/close firewall port 21 22 with script?

Post by kenned »

Not sure if you already solved this, but inserting a rule into a chain and removing it afterwards isn't that complicated.

Insert the rule as the first in the INPUT chain (the -I <chain> <num> inserts the rule as rule number <num>).

Code:

iptables -I INPUT 1 -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT

Lose the "-s 11.22.33.44" bit if you're not concerned about IP restriction.

Remove it again (copy-pasted except for the line number):

Code:

iptables -D INPUT -s 11.22.33.44 -p tcp -m state --state NEW -m tcp -m multiport --dports 21,22 -j ACCEPT

And voilà, your firewall is as good as new.

If you're certain the rule is still number 1 when you want to remove it, you can also just do

Code:

iptables -D INPUT 1

But if something changed your firewall in the meantime, this will remove whatever is #1 now.
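As an added example (not code from the thread or from the Bubba firewall scripts), here is a small POSIX shell wrapper around kenned's insert-then-delete approach: the allow rule is inserted at position 1 only for the duration of the backup command, deleted by exact spec rather than by rule number, and removed by a trap even if the backup fails. It assumes the remote address 11.22.33.44 and ports 21,22 from the thread, a drop policy on INPUT, root privileges, and a hypothetical IPT variable that can point at a wrapper command to dry-run without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: the allow rule for the backup host exists
# only while the backup runs, using kenned's insert/delete-by-exact-spec pattern.
# Assumptions: remote 11.22.33.44 and ports 21,22 as in the thread, INPUT has a
# drop policy, run as root. IPT can point at a wrapper to dry-run the commands.
IPT="${IPT:-iptables}"
REMOTE="${REMOTE:-11.22.33.44}"
PORTS="${PORTS:-21,22}"

# One definition of the match so -I, -C and -D use the identical spec
# (deleting by number is unsafe once anything else touched the chain).
rule_args() {
    printf '%s' "-s $REMOTE -p tcp -m state --state NEW -m tcp -m multiport --dports $PORTS -j ACCEPT"
}

# iptables -C exits 0 only if an identical rule is already in the chain.
rule_present() {
    $IPT -C INPUT $(rule_args) >/dev/null 2>&1
}

# Insert at position 1 so it is evaluated before the global deny; a second
# call does not stack a duplicate rule.
open_ports() {
    if rule_present; then
        echo "rule already present, not inserting again"
        return 0
    fi
    $IPT -I INPUT 1 $(rule_args)
}

# Delete by exact spec, not by rule number.
close_ports() {
    rule_present || { echo "rule not present, nothing to delete"; return 0; }
    $IPT -D INPUT $(rule_args)
}

# Run the backup with the ports open; the trap closes them again even if the
# backup fails or the script is interrupted. Returns the backup's exit status.
run_backup() {
    open_ports
    trap 'close_ports' EXIT INT TERM
    if "$@"; then status=0; else status=$?; fi
    close_ports
    trap - EXIT INT TERM
    return $status
}
case "${1:-}" in
    open)  open_ports ;;
    close) close_ports ;;
    run)   shift; run_backup "$@" ;;
esac
```

Usage: `./backup-fw.sh run rsync -av /data backup@11.22.33.44:/backups` opens the ports, runs the transfer, and closes them again on exit.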