
Re: firewall: iptables vs ufw/gufw



On 13/03/11 15:15, Michael Friendly wrote:
> On 3/12/2011 5:55 AM, Tom H wrote:
>> On Sat, Mar 12, 2011 at 5:06 AM, Andrei Popescu
>> <andreimpopescu@gmail.com> wrote:
>>> On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
>>>
>>>> - Do I have to install/enable the rules from iptables for ssh,
>>>> samba, etc within ufw?
>>>
>>> First you need to find out exactly how the iptables rules are loaded.
>>> Could be via /etc/rc.local, a dedicated script in /etc/init.d/ or
>>> something else (is package iptables-persistent also in Ubuntu?). Do not
>>> try to use ufw until you know exactly how the current iptables rules are
>>> loaded and you know for sure you can disable them!
>>
>> Check "/etc/network/if-pre-up.d/" and "/etc/network/if-up.d/" too.
>>
>> And, if you're using Network Manager, there *may* be other directories
>> to look into.



Please forgive me if you know this, but to me it appears that you may not. Iptables effectively works by adding individual rules to the kernel filtering tables using the 'iptables' command. This can be done at any time, and there is no infrastructure to add a set of rules routinely at start-up in Linux, so a number of ad-hoc methods exist to achieve that.

A list of 'iptables ...' commands contained in a shell script is a common method, which seems to be how you are set up at the moment. The commands 'iptables-save' and 'iptables-restore' can also be used to save the existing kernel rule set to a file and restore it to active use. Many firewall applications use this method. I use a pseudo-daemon, with the usual start/stop/reload commands plus 'clear' to open the firewall, and there are no doubt several other techniques in common use.

> OK, I found /etc/network/interfaces contains the line
>
> pre-up /etc/iptables

So if you comment this out, you have removed the current method of adding iptables rules, and it should now be safe to use any other technique. At any time, you can issue the command iptables -L which will list the current state of the firewall. The listing is not in the same format as the iptables rule commands, but it will show clearly when rules have been added and when they haven't.

> and /etc/iptables contains the rules. But I'm not sure what to do now,
> either with iptables or ufw. If ufw works via iptables, can I just
> enable ufw now without danger? How can I enable myself to use ssh from
> home?
>
> For example, there is currently one rule allowing me to ssh from a PC in
> my office
>
> iptables -A INPUT -s 130.xxx.xxx.xx/32 -p tcp --destination-port 22 -j ACCEPT
>
> I can mimic this for another PC (e.g., in my lab), but I'd like to be
> able to use ssh from home, where I don't think I have a fixed IP address
> from my service provider.



Only you can judge your security needs, but I would not have thought that restricting ssh to individual IP addresses was necessary. You should be using keys to access ssh rather than passwords (look up how to do this if you aren't). If as recommended you are using different keys from different client machines, then each private key should never leave its client machine (where it is stored encrypted with restrictive permissions), with at least the same resulting security as restricting the IP address. The private key is never sent across the Net, even encrypted, it is only used in the client machine.

If you must use IP addresses, you can do as Andrei suggests or you might consider using tcpwrappers (/etc/hosts.allow, /etc/hosts.deny) to control access rather than iptables (you would still need an iptables acceptance rule, but without an IP address). While the man pages show hostnames, IP addresses and blocks may be used. If you have no choice but to list a dynamic address, you can check the ISP's CIDR block and allow that. It's not as secure as a single address, but it's better than letting the whole world in. You can of course also use IP address blocks in iptables rules.

--
Joe
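An added example, not from anyone in this thread and not from any Debian or Ubuntu package, covering two things Joe describes: keeping the rules as an iptables-restore(8) file instead of a shell script of iptables commands, and allowing SSH from an address block rather than from single hosts. The script generates such a ruleset for a list of IPv4 blocks and, before anything is loaded, checks whether a given client address actually falls inside one of them, which is the test you want to run with your home address before you lock yourself out. The networks used (192.0.2.0/24, 198.51.100.0/22, 203.0.113.45) are RFC 5737 documentation ranges standing in for the poster's office network and ISP allocation; the real values are not on the page.

```shell
#!/bin/sh
# Added example; not part of the original thread or any Debian package.
# Builds an iptables-restore(8) ruleset that accepts SSH only from chosen
# IPv4 blocks, and checks whether a client address falls inside one of
# them before the ruleset is loaded. The blocks used below are RFC 5737
# documentation ranges standing in for the poster's office network and
# ISP allocation (assumed values, not taken from the thread).

# ip4_to_int A.B.C.D -> unsigned 32-bit integer on stdout; exit 1 if malformed
ip4_to_int() {
    case $1 in
        *[!0-9.]*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR BLOCK -> exit 0 if ADDR lies inside BLOCK (e.g. 192.0.2.0/24).
# A bare address with no prefix length is treated as a /32 host entry,
# which is what iptables does with "-s 192.0.2.5".
in_cidr() {
    addr=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "${2%/*}") || return 2
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    case $bits in
        *[!0-9]*|'') return 2 ;;
    esac
    [ "$bits" -le 32 ] || return 2
    # Prefix length 0 is handled explicitly so the mask is exactly zero.
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# ssh_allowed ADDR BLOCK... -> exit 0 if any BLOCK contains ADDR
ssh_allowed() {
    want=$1
    shift
    for block in "$@"; do
        in_cidr "$want" "$block" && return 0
    done
    return 1
}

# ssh_ruleset BLOCK... -> prints an iptables-restore(8) filter table:
# INPUT defaults to DROP, loopback and established traffic are accepted,
# and SSH is accepted only from the listed blocks. Other services
# (samba, ...) need their own ACCEPT lines before this is loaded.
ssh_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for block in "$@"; do
        printf '%s\n' "-A INPUT -s $block -p tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Demo with assumed values: an office /24 and an ISP /22, then three
# client addresses, the last of which is outside both blocks.
OFFICE=192.0.2.0/24
ISP=198.51.100.0/22
ssh_ruleset "$OFFICE" "$ISP"
for client in 192.0.2.17 198.51.103.9 203.0.113.45; do
    if ssh_allowed "$client" "$OFFICE" "$ISP"; then
        echo "$client: SSH accepted"
    else
        echo "$client: SSH falls through to the INPUT DROP policy"
    fi
done
```

Save the generated text to a file and load it with `iptables-restore < file` (without `--noflush` it replaces the whole filter table, so it also clears whatever /etc/iptables installed); `iptables-save` then prints exactly what the kernel holds, in the same syntax, which is easier to compare against the file than the `iptables -L` listing. Do the switch from a second SSH session and only close the first one once the new session still works. If you prefer Joe's tcpwrappers route, the same block can be written in /etc/hosts.allow in the net/mask form from hosts_access(5), e.g. `sshd: 198.51.100.0/255.255.252.0`, with a plain `--dport 22` ACCEPT rule and no `-s` in iptables.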

