Re: Nice init script for firewall to force users through squid
[Julian Bangert]
> I just made this init script which prevents non-root users from bypassing your squid proxy:
Very nice. Will it work on all the networked profiles and
combinations? I mean Main-server, Main-server+Thin-client-server and
Workstation?
> It is called SkoleFirewall and is released under a BSD-style licence:
To add it to debian-edu-config, it would be best if it had the same
licence as the rest of the stuff there, i.e. GPL v2->. Are you ok with
relicensing it?
> It does the following:
> a) Drops all outbound and forwarded traffic. Input cannot be filtered
> by user or group name so it is ignored. Most protocols require a
> "dialog" anyways:
> b) Allows traffic to and from the SkoleLinux Subnets and local subnets
> c) Allows root, the group admins, squid, bind and apache to communicate with the rest of the network.
>
> Ideal with squidguard. Don't forget to run updaterc.d after that
I'm not sure if an init script is the correct place to do this, as I
would like such a setting to get activated if the host is or becomes a
member of a netgroup, and disabled when the host is taken out of the
netgroup. This way individual hosts can get this setting enabled and
disabled at run time.
Some comments:
> #!/bin/sh
[...]
> modprobe ip_tables
> modprobe iptable_filter
Loading modules should probably only be done in the 'start' part.
> #Allow everything into the local network
> iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
> iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
Perhaps better to use a loop like this, to make it easier to extend and
to make it clearer that the same operation is done for each subnet?
  for subnet in 10.0.0.0/8 192.168.0.0/16 127.0.0.1 ; do
    iptables -A OUTPUT -d $subnet -j ACCEPT
  done
Probably better to loop over users and groups as well. I would prefer
to fetch the list of users and groups that will escape the firewall from
a netgroup, to make it easier to configure globally.
> iptables -A OUTPUT -m owner --gid-owner root -j ACCEPT # needed for
> APT , etc ... + root should be able to do whatever he wants ...
Why are you accepting gid root, and not uid root?
> iptables -A OUTPUT -m owner --gid-owner admins -j ACCEPT # might ,
> in some configs - cause problems
Here I would suggest fetching a netgroup using the netgroup command, and
listing the groups and users there. Perhaps something like this (need to
find better netgroup names):
  for user in root bind www-data $(netgroup -u firewall-non-users) ; do
    iptables -A OUTPUT -m owner --uid-owner $user -j ACCEPT
  done
  # Misusing netgroup 'user' field to fetch group names, no other way known to work
  for group in proxy daemon root $(netgroup -u firewall-non-groups) ; do
    iptables -A OUTPUT -m owner --gid-owner $group -j ACCEPT
  done
Not quite sure how many usernames and groups should be hardcoded, and
how many should be expected to be stored in the netgroup.
Happy hacking,
--
Petter Reinholdtsen
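An added example, not the SkoleFirewall script from the thread nor code by either poster: the structure the reply suggests, put together as a small init-style script with 'start' and 'stop' actions, modules loaded only on 'start', loops over subnets, users and groups, and the escape lists extended from netgroups. The netgroup names and the use of `getent netgroup` (standard glibc) in place of the reply's `netgroup -u` are assumptions. With DRY_RUN=1 it prints the commands instead of running them, so the generated rule set can be reviewed on a host without root or iptables.

```shell
#!/bin/sh
# Added example, not the SkoleFirewall script from the thread.
# Assumed/hypothetical: the netgroup names below, and 'getent netgroup'
# standing in for the reply's 'netgroup -u'.
# DRY_RUN=1 prints the commands instead of executing them.

IPTABLES=${IPTABLES:-iptables}
LOCAL_SUBNETS="10.0.0.0/8 192.168.0.0/16 127.0.0.1"
# Hard-coded escapes as in the reply; the netgroups extend these lists.
BASE_USERS="root bind www-data"
BASE_GROUPS="proxy daemon root"
USER_NETGROUP=firewall-non-users     # assumed netgroup name
GROUP_NETGROUP=firewall-non-groups   # assumed netgroup name

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run "$IPTABLES" "$@"; }

# Print the user field of every (host,user,domain) triple in a netgroup.
# As in the reply, the group netgroup misuses the user field for group
# names. A missing netgroup (or missing getent) yields an empty list.
netgroup_members() {
    getent netgroup "$1" 2>/dev/null | tr ' ' '\n' \
        | awk -F, '/^\(/ { u = $2; if (u != "" && u != "-") print u }'
}

fw_start() {
    # Modules are only needed when rules are installed, i.e. on 'start'.
    run modprobe ip_tables
    run modprobe iptable_filter
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Everything towards the local subnets (squid, bind, ...) is allowed.
    for subnet in $LOCAL_SUBNETS; do
        ipt -A OUTPUT -d "$subnet" -j ACCEPT
    done
    # The owner match only exists for locally generated packets (OUTPUT),
    # which is why per-user filtering cannot be done on INPUT or FORWARD.
    for user in $BASE_USERS $(netgroup_members "$USER_NETGROUP"); do
        ipt -A OUTPUT -m owner --uid-owner "$user" -j ACCEPT
    done
    for group in $BASE_GROUPS $(netgroup_members "$GROUP_NETGROUP"); do
        ipt -A OUTPUT -m owner --gid-owner "$group" -j ACCEPT
    done
    # Everyone else can only reach the local subnets, hence the proxy.
    ipt -P OUTPUT DROP
}

fw_stop() {
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -F OUTPUT
    ipt -F FORWARD
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run as `DRY_RUN=1 sh skolefirewall.sh start` to see the rules that would be installed. Note that the escape rules are plain ACCEPTs, so a user or group listed in the netgroups is exempt from the proxy entirely, and a member of the 'root' group (the reply's question about gid versus uid root) gets the same exemption as uid root.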