Re: Nice init script for firewall to force users through squid

To: julidaoc@online.de
Cc: debian-edu@lists.debian.org
Subject: Re: Nice init script for firewall to force users through squid
From: Petter Reinholdtsen <pere@hungry.com>
Date: Sun, 6 Jul 2008 20:08:19 +0200
Message-id: <[🔎] 20080706180819.GG25939@klodrik.uio.no>
In-reply-to: <[🔎] 24333789.363831215364434610.JavaMail.servlet@kundenserver>
References: <[🔎] 24333789.363831215364434610.JavaMail.servlet@kundenserver>

[Julian Bangert]
> I just made this init script which prevents non-root users from bypassing your squid proxy :

Very nice.  Will it work on all the networked profiles and
combinations?  I mean Main-server, Main-server+Thin-client-server and
Workstation?

> It is called SkoleFirewall and releases under  a BSD-style licence :

To add it to debian-edu-config, it would be best if it had the same
lisence as the rest of the stuff there, ie GPL v2->.  Are you ok with
relicensing it?

> It does the following:
> a)Drops all outbound and forwarded traffic. Input cannot be filtered
> by user or group name so it is ignored. Most protocols require a
> "dialog" anyways:
> b) Allows traffic to and from the SkoleLinux Subnets  and local subnets
> c) Allows root, the group admins, squid, bind and apache to communicate with the rest of the network.
> 
> Ideal with squidguard. Don't forget to run updaterc.d after that 

I'm not sure if an initscript is the correct place to do this, as I
would like such setting to get activated if the host is or become the
member of a netgroup, and disabled when the host is taken out of the
netgroup.  This way individual hosts can get this setting enabled and
disabled at run time.

Some comments:

> #!/bin/sh
[...]
> modprobe ip_tables
> modprobe iptable_filter

Loading modules should probably only be done in the 'start' part.

> #Allow everything into the local network
> iptables -A OUTPUT -d 10.0.0.0/8     -j ACCEPT
> iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1      -j ACCEPT

Perhaps better do use a loop like this to make it easier to extend and
make it more clear that the same operation is done to each subnet?

  for subnet in 10.0.0.0/8 192.168.0.0/16 127.0.0.1 ; do
    iptables -A OUTPUT -d $subnet -j ACCEPT
  done

Probably better to loop over users and groups as well.  I would prefer
to fetch a list of user and groups that will escape the firewall from
a netgroup, to make it easier to configure it globally.

> iptables -A OUTPUT -m owner --gid-owner root -j ACCEPT # needed for
>   APT , etc ... + root should be able to do whatever he wants ...

Why are you accepting gid root, and not uid root?

> iptables -A OUTPUT -m owner --gid-owner admins -j ACCEPT # might ,
>   in some configs - cause problems

Here I would suggest fetch a netgroup using the netgroup command, and
list the groups and users there.  Perhaps something like (need to find
better netgroup names):

  for user in root bind www-data $(netgroup -u firewall-non-users) ; do
    iptables -A OUTPUT -m owner  --uid-owner $user   -j ACCEPT
  done
  # Misusing netgroup 'user' to fetch group names, no other way known to work
  for group in proxy daemon root $(netgroup -u firewall-non-groups) ; do
    iptables -A OUTPUT -m owner --gid-owner $group -j ACCEPT
  done

Not quite sure how many usernames and groups should be hardcoded, and
how many should be expected to be stored in the netgroup.

Happy hacking,
-- 
Petter Reinholdtsen

Reply to:

References:
- Nice init script for firewall to force users through squid
  - From: julidaoc@online.de

Prev by Date: Re: Problem with new install
Next by Date: Bug#487404: dont copy code from laptop-detect
Previous by thread: Nice init script for firewall to force users through squid
Next by thread: Re: Nice init script for firewall to force users through squid
Index(es):
- Date
- Thread