[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Nice init script for firewall to force users through squid

[Julian Bangert]
> I just made this init script which prevents non-root users from bypassing your squid proxy :

Very nice.  Will it work on all the networked profiles and
combinations?  I mean Main-server, Main-server+Thin-client-server and

> It is called SkoleFirewall and releases under  a BSD-style licence :

To add it to debian-edu-config, it would be best if it had the same
lisence as the rest of the stuff there, ie GPL v2->.  Are you ok with
relicensing it?

> It does the following:
> a)Drops all outbound and forwarded traffic. Input cannot be filtered
> by user or group name so it is ignored. Most protocols require a
> "dialog" anyways:
> b) Allows traffic to and from the SkoleLinux Subnets  and local subnets
> c) Allows root, the group admins, squid, bind and apache to communicate with the rest of the network.
> Ideal with squidguard. Don't forget to run updaterc.d after that 

I'm not sure if an initscript is the correct place to do this, as I
would like such setting to get activated if the host is or become the
member of a netgroup, and disabled when the host is taken out of the
netgroup.  This way individual hosts can get this setting enabled and
disabled at run time.

Some comments:

> #!/bin/sh
> modprobe ip_tables
> modprobe iptable_filter

Loading modules should probably only be done in the 'start' part.

> #Allow everything into the local network
> iptables -A OUTPUT -d     -j ACCEPT
> iptables -A OUTPUT -d -j ACCEPT
> iptables -A OUTPUT -d      -j ACCEPT

Perhaps better do use a loop like this to make it easier to extend and
make it more clear that the same operation is done to each subnet?

  for subnet in ; do
    iptables -A OUTPUT -d $subnet -j ACCEPT

Probably better to loop over users and groups as well.  I would prefer
to fetch a list of user and groups that will escape the firewall from
a netgroup, to make it easier to configure it globally.

> iptables -A OUTPUT -m owner --gid-owner root -j ACCEPT # needed for
>   APT , etc ... + root should be able to do whatever he wants ...

Why are you accepting gid root, and not uid root?

> iptables -A OUTPUT -m owner --gid-owner admins -j ACCEPT # might ,
>   in some configs - cause problems

Here I would suggest fetch a netgroup using the netgroup command, and
list the groups and users there.  Perhaps something like (need to find
better netgroup names):

  for user in root bind www-data $(netgroup -u firewall-non-users) ; do
    iptables -A OUTPUT -m owner  --uid-owner $user   -j ACCEPT
  # Misusing netgroup 'user' to fetch group names, no other way known to work
  for group in proxy daemon root $(netgroup -u firewall-non-groups) ; do
    iptables -A OUTPUT -m owner --gid-owner $group -j ACCEPT

Not quite sure how many usernames and groups should be hardcoded, and
how many should be expected to be stored in the netgroup.

Happy hacking,
Petter Reinholdtsen

Reply to: