A poor man's firewall framework
This is a Poor-man’s firewall rule management framework.
Briefly it allows you to quickly make use of common rules. In addition it
allows for extensibility, eg. via the included webknock tool.
I found myself creating the same set of iptables rules across multiple servers
and virtual machines. So I decided to consolidate this into one easy to
install package where I can change as few things as possible per hose.
pmfw can be configured by editing a few files.
/etc/pmfw/hosts.allow: Add one IP address per line for hosts you want to always allow ssh access to (tcp port 22).
/etc/pmfw/custom.rules: Here you can create custom rules that you want to always include. This should be in the same format that iptables-save expects. For example, this line will allow NTP (UDP Port 123).
- -A in_pub_udp -p udp -m udp --sport 123 --dport 123 -j ACCEPT
/etc/pmfw/pmfw.conf: Here, I’ve consolidated several common services into simple variables that can be turned on/off. By default it looks like this:
- # Set this to your internet-facing interface
- iface_internet="eth0"
- # Allow standard ping packets
- allow_ping=1
- # Allow http traffic
- allow_http=0
- # Allow https traffic
- allow_https=0
- # Allow ntp traffic
- allow_ntp=1
- # Allow webknock server (the webknock-server package should be installed and requires manual configuration)
- allow_webknock=1
- # Make use of some default logging
- default_logging=1
- # Allow auto-configuration via cron (set this to 1 once you've verified your firewall rules)
- allow_cron=0
This configures eth0 as the primary internet interface. And it allows Ping and NTP packets. It also allows webknocking to work. (more on that below).
/etc/pmfw/webknock.rules: Webknock.rules is a shell script that will be
executed. Any output given will be included in the final generated rule set.
This is a script allowing you to create any complexity of conditions you want.
By default, this just allows ssh for the given IP:
- -A in_pub_tcp -p tcp -m tcp --dport 22 -s "$ip" -j ACCEPT
Once configured, you can execute @pmfw-deploy —dry-run@. This will print out
the iptables rules for you to verify.
@pmfw-deploy@ will implement the rules.
Once you’ve verified the rules are correct, you should set @allow_cron=1@ in
the /etc/pmfw/pmfw.conf file, especially when using webknocking. This will
ensure that the the rules will be re-implemented every hour.
Ensure you install the @webknock@ script in your path somewhere, such as ~/bin/
or /usr/local/bin/. Then, create a file in @~/.webknock@ that looks like this:
key,http://my.server.example.com/my/secret/path/
Then you’ll be able to run webknock to open up the port for a short period of time:
webknock key
The Poor-man’s web-knocker is a simple added layer to your security system.
This is a bit simpler than using a dedicated packet-based port knocker as it
allows you to use standard web clients, nor does it require a dedicated daemon.
Simply copy the file default-webknock.php into your server directory somehwere, like so:
cp /var/lib/pmfw/default-webknock.php /var/www/html/my/secret/path/index.php
You will then be able to use the webknock client above. Or simply use curl like so:
curl http://my.server.example.com/my/secret/path/
On success, you’ll get a notice showing your extern IP address. And from there
you should be able to access your system depending on the rules specified in
the Configruation section.
If you want something more secure, I suggest Judd Vinet’s knockd server
http://www.zeroflux.org/projects/knock. Or fwknop for Single Packet
Authorization. However, webknock is probably good enough for most people who
just want to reduce the number of illegal login attempts visible in the system
logs.