
Thread: Firewall Builder


After working with Proxmox recently, I have been interested in a different way to make firewalls. After struggling with ufw, I stuck with iptables directly. After some practice, I have built a web app using PHP, JavaScript, and HTML that creates a Linux script to run, filter, and log. It is merely in the alpha stages, so I'd appreciate feedback. It supports TCP (apart from UDP DNS and ICMP pings). It assumes you have an iptables chain called logging (`iptables -N logging`), default policies of DROP, and internet and DNS access for the host and its "guests." A guest is a virtual machine in Proxmox, or another virtual machine on the host; you type in its predefined IP address and services, including client services.
The program also works for a quite normal computer setup. If you are using client services, you must define them (SSH, FTP, etc.).

code:
<!doctype html> <html> <head> <script>
  // NOTE(review): this listing arrived lowercased and with some tokens lost in
  // transit (e.g. "getelementbyid" / "innerhtml" / "new array", and loop headers
  // such as "for(var = 0; < 11; i++)" with the index variable missing). The DOM
  // names must read getElementById / innerHTML / new Array for the page to run;
  // the tokens below are left as found.

  // show(): unhide the next service row of each machine once the previous row
  // has a name, and unhide the next guest block once a guest nickname is set.
  // Runs on page load and from the onchange handlers of the name/nickname fields.
  function show()
  {
    // mach[0] is the host; mach[1..10] are the ten guest blocks.
    var mach = ["host","first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth"];
    // The ten service slots every machine has.
    var serv = ["first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth"];
    // For every machine, a filled-in name on service row j unhides row j+1.
    for(var = 0; < 11; i++)
    {
      for(var j = 0; j < 9; j++)
      {
        if(document.getelementbyid(mach[i]+serv[j]+"name").value != "")
          document.getelementbyid(mach[i]+serv[j+1]+"servicediv").style.display='inline';
        else
          document.getelementbyid(mach[i]+serv[j+1]+"servicediv").style.display='none';
      }
    }
    // Guests 1..9: a nickname other than the "nickname" placeholder unhides the
    // next guest's div. The host (mach[0]) is always visible.
    for(var = 1; < 10; i++)
    {
        if(document.getelementbyid(mach[i]+"nickname").value != "nickname")
          document.getelementbyid(mach[i+1]+"div").style.display='block';
        else
          document.getelementbyid(mach[i+1]+"div").style.display='none';
    }
  }

  // build(): assemble an iptables script from the form fields and place it in
  // the "builddisplay" textarea. Every field value (addresses, ports, limits,
  // names) is concatenated into the script verbatim with no validation, so the
  // output has to be read before it is run as root.
  // NOTE(review): the script is written with innerHTML rather than .value, so a
  // "<" or "&" typed into a field is parsed as markup on the way into the textarea.
  function build() {
  document.getelementbyid("builddisplay").innerhtml="iptables -f\n";
  // NOTE(review): the script flushes the chains but never sets chain policies
  // nor creates the "logging" chain; per the post, a DROP policy and an existing
  // "logging" chain are assumed.
  // Up to eight whitelist addresses; blank fields are skipped. The "hostip"
  // form field is never read anywhere in this function.
  var white = new array();
  var whitecount = 0;
  if(document.getelementbyid("firstwhitelist").value!="") white[whitecount++] = document.getelementbyid("firstwhitelist").value;
  if(document.getelementbyid("secondwhitelist").value!="") white[whitecount++] = document.getelementbyid("secondwhitelist").value;
  if(document.getelementbyid("thirdwhitelist").value!="") white[whitecount++] = document.getelementbyid("thirdwhitelist").value;
  if(document.getelementbyid("fourthwhitelist").value!="") white[whitecount++] = document.getelementbyid("fourthwhitelist").value;
  if(document.getelementbyid("fifthwhitelist").value!="") white[whitecount++] = document.getelementbyid("fifthwhitelist").value;
  if(document.getelementbyid("sixthwhitelist").value!="") white[whitecount++] = document.getelementbyid("sixthwhitelist").value;
  if(document.getelementbyid("seventhwhitelist").value!="") white[whitecount++] = document.getelementbyid("seventhwhitelist").value;
  if(document.getelementbyid("eighthwhitelist").value!="") white[whitecount++] = document.getelementbyid("eighthwhitelist").value;
  //host
  // Host baseline: UDP/53 DNS both ways and HTTP/HTTPS as a client.
  document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p udp --sport 53 -j accept\niptables -a output -p udp --dport 53 -j accept\niptables -a input -p tcp --sport 80 -m state --state established -j accept\niptables -a output -p tcp --dport 80 -m state --state new,established -j accept\niptables -a output -p tcp --dport 443 -m state --state new,established -j accept\niptables -a input -p tcp --sport 443 -m state --state established -j accept\n";
    // Optional ICMP echo request/reply in both directions.
    if(document.getelementbyid("hosticmp").checked)
    document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p icmp --icmp-type echo-request -j accept\niptables -a output -p icmp --icmp-type echo-reply -j accept\niptables -a output -p icmp --icmp-type echo-request -j accept\niptables -a input -p icmp --icmp-type echo-reply -j accept\n";
<?php
$services=array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
$guests=  array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
// Host services: one generated JS "if" per service slot. "server?" decides
// which side gets the typed port (the other side is 1024:65535); "whitelist?"
// restricts the peer to the whitelist entries, otherwise 0.0.0.0/0. NEW
// connections are accepted at "limit" per minute with a burst of twice that;
// the excess goes to the logging chain, is logged with the service name in the
// prefix, and dropped.
// NOTE(review): "whitelist?" with an empty whitelist gives listcount 0, i.e. no
// rules at all for that service; a blank "limit" gives "--limit /min
// --limit-burst 0". The service name lands inside the double-quoted
// --log-prefix of the generated shell script, so a quote or "$" in it alters
// the command -- restricting the name to [A-Za-z0-9_-] before use would be
// prudent. iptables also caps --log-prefix at 29 characters, which the
// "... has had many new connections!!!" text already exceeds -- verify.
foreach($services &$i) {
echo '   if(document.getelementbyid("host'.$i.'name").value!="")   {     var dport, sport, list, listcount, inp, out;     if(document.getelementbyid("host'.$i.'server").checked)     {       dport=document.getelementbyid("host'.$i.'port").value;       sport="1024:65535";     }     else     {       sport=document.getelementbyid("host'.$i.'port").value;       dport="1024:65535";     }     if(document.getelementbyid("host'.$i.'whitelist").checked)     {       list=white;       listcount=whitecount;     }     else     {       list=new array();       list[0]="0.0.0.0/0";       listcount=1;     }     for(var = 0; < listcount; i++)     {       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+" -m state --state established -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a output -p tcp --sport "+dport+" --dport "+sport+" -d "+list[i]+" -m state --state established,new -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -m state --state new -m limit --limit "+document.getelementbyid("host'.$i.'limit").value+"/min --limit-burst "+document.getelementbyid("host'.$i.'limit").value*2+" -s "+list[i]+" -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -m state --state new -m limit -s "+list[i]+" -j logging\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+\' -j log --log-prefix "host \'+document.getelementbyid("host'.$i.'name").value+\' has had many new connections!!!"\n\';       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+\' -j drop\n\';                }   }';
}
// Guests: per active guest, FORWARD accepts DNS replies to it, anything sourced
// from its IP (so guest outbound traffic is unrestricted and the per-service
// rules only shape inbound), HTTP/HTTPS replies, and ICMP echo; then one block
// per service slot mirroring the host rules with "-d <guest ip>".
foreach($guests &$z) {
echo 'if(document.getelementbyid("'.$z.'nickname").value!="nickname") {   document.getelementbyid("builddisplay").innerhtml+="iptables -a forward -p udp --sport 53 --dport 1024:65535 -d "+document.getelementbyid(\''.$z.'ip\').value+" -j accept\niptables -a forward -s "+document.getelementbyid(\''.$z.'ip\').value+" -j accept\niptables -a forward -p tcp --sport 80 -d "+document.getelementbyid(\''.$z.'ip\').value+" -m state --state established -j accept\niptables -a forward -p tcp --sport 443 -d "+document.getelementbyid(\''.$z.'ip\').value+" -m state --state established -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a forward -p icmp --icmp-type echo-request -j accept\niptables -a forward -p icmp --icmp-type echo-reply -j accept\n"; ';
  // NOTE(review): the generated --limit / --limit-burst read the host's
  // "host<service>limit" field rather than the guest's own
  // "<guest><service>limit" -- looks like a carry-over from the host loop; confirm.
  // NOTE(review): the two "//end ..." comments inside the echoed JS below need
  // the line breaks the extraction removed; as printed, the second "}" sits
  // inside the first comment.
  foreach($services &$i) {
  echo '   if(document.getelementbyid("'.$z.$i.'name").value!="")   {     var dport, sport, list, listcount, inp, out;     if(document.getelementbyid("'.$z.$i.'server").checked)     {       dport=document.getelementbyid("'.$z.$i.'port").value;       sport="1024:65535";     }     else     {       sport=document.getelementbyid("'.$z.$i.'port").value;       dport="1024:65535";     }     if(document.getelementbyid("'.$z.$i.'whitelist").checked)     {       list=white;       listcount=whitecount;     }     else     {       list=new array();       list[0]="0.0.0.0/0";       listcount=1;     }     for(var = 0; < listcount; i++)     {       document.getelementbyid("builddisplay").innerhtml+="iptables -a forward -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+" -d "+document.getelementbyid(\''.$z.'ip\').value+" -m state --state established -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a forward -p tcp --dport "+dport+" --sport "+sport+" -d "+document.getelementbyid(\''.$z.'ip\').value+" -m state --state new -m limit --limit "+document.getelementbyid("host'.$i.'limit").value+"/min --limit-burst "+document.getelementbyid("host'.$i.'limit").value*2+" -s "+list[i]+" -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a forward -p tcp --dport "+dport+" --sport "+sport+" -d "+document.getelementbyid(\''.$z.'ip\').value+" -m state --state new -m limit -s "+list[i]+" -j logging\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -d "+document.getelementbyid(\''.$z.'ip\').value+" -s "+list[i]+\' -j log --log-prefix "guest \'+document.getelementbyid("'.$z.'nickname").value+"\'s "+document.getelementbyid("'.$z.$i.'name").value+\' has had many new connections!!"\n\';       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -d "+document.getelementbyid(\''.$z.'ip\').value+" -s "+list[i]+\' -j drop\n\';         } //end forloop   } //end if service active ';
  } //end foreach service
  echo '}'; //end if guest active
} //end foreach guest
?>    };
</script> </head>
<body onload="show()"> <form> <input type="button" id="submitbutton" value="build" onclick="build()"> <div style="border: 1px solid grey; overflow: hidden"> <div style="float: left"><pre>whitelist <?php
// Whitelist inputs: one per $guests entry.
// NOTE(review): ten inputs are emitted here but build() reads only
// "firstwhitelist" .. "eighthwhitelist"; the ninth and tenth are ignored.
//$guests=  array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
foreach ($guests $i) {   echo ' <input type="text" id="'.$i.'whitelist">'; }
echo " ";
?> </div> <textarea id="builddisplay" style="float: left"></textarea> </div> <pre>   <div style="overflow: hidden; border: 1px solid black"> host's ip address <input type="text" id="hostip"> allow icmp?<input type="checkbox" id="hosticmp" value="yes">   <?php
$services=array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
//$guests=  array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
// Host service rows: name / port / limit / server? / whitelist? per slot.
// Each name field calls show() on change so the next row appears.
foreach ($services &$i){ echo '<div id="host'.$i.'servicediv" style="float: left; border: 1px solid red;">'.$i.' service  name    <input onchange="show()" type="text" id="host'.$i.'name">  port    <input type="text" id="host'.$i.'port">  limit   <input type="text" id="host'.$i.'limit">  server?   <input type="checkbox" id="host'.$i.'server" value="yes">  whitelist?<input type="checkbox" id="host'.$i.'whitelist" value="yes"></div>'; }
echo '</pre></div>';
// Guest blocks: nickname, IP, and the same ten service rows per guest.
// NOTE(review): "</form>" is echoed once per guest, so the form is closed ten times.
foreach ($guests &$i){ echo "<br>"; echo '<pre><div id="'.$i.'div" style="overflow: hidden; border: 1px solid green"><b>'.$i.' guest</b>   <input onchange="show()" type="text" id="'.$i.'nickname" value="nickname"> guest ip address<input type="text" id="'.$i.'ip">   ';
  foreach ($services &$j){ echo '<div id="'.$i.$j.'servicediv" style="float: left; border: 1px solid red">'.$j.' service  name    <input onchange="show()" type="text" id="'.$i.$j.'name">  port    <input type="text" id="'.$i.$j.'port">  limit   <input type="text" id="'.$i.$j.'limit">  server?   <input type="checkbox" id="'.$i.$j.'server" value="yes">  whitelist?<input type="checkbox" id="'.$i.$j.'whitelist" value="yes"></div>'; }
  echo '</form></pre></div>';}
?>   <br> <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/3.0/deed.en_us"><img alt="creative commons license" style="border-width:0" src="http://i.creativecommons.org/l/by-nc-sa/3.0/88x31.png" /></a><br /><span xmlns:dct="http://purl.org/dc/terms/" href="http://purl.org/dc/dcmitype/text" property="dct:title" rel="dct:type">iptables script builder</span> <span xmlns:cc="http://creativecommons.org/ns#" property="cc:attributionname">michael smith</span> licensed under <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/3.0/deed.en_us">creative commons attribution-noncommercial-sharealike 3.0 unported license</a>. </body> </html>

Or the simplified version for single computers:
code:
<!doctype html> <html> <head> <script>
// NOTE(review): same extraction damage as the full version above (lowercased DOM
// names such as "getelementbyid" / "innerhtml" / "new array", and a missing
// index variable in "for(var = 0; < listcount; i++)"); tokens are left as found.

// build(): single-machine variant. Emits the host rules only (no guest/FORWARD
// rules) and, unlike the full version, finishes the script with an explicit
// reject/drop tail. All field values are concatenated into the script verbatim,
// so the output must be reviewed before it is run as root.
// NOTE(review): written with innerHTML rather than .value, so "<" or "&" typed
// into a field is parsed as markup on the way into the textarea.
function build() {
  document.getelementbyid("builddisplay").innerhtml="iptables -f\n";
  // Up to eight whitelist addresses; blank fields skipped, values unvalidated.
  var white = new array();
  var whitecount = 0;
  if(document.getelementbyid("firstwhitelist").value!="") white[whitecount++] = document.getelementbyid("firstwhitelist").value;
  if(document.getelementbyid("secondwhitelist").value!="") white[whitecount++] = document.getelementbyid("secondwhitelist").value;
  if(document.getelementbyid("thirdwhitelist").value!="") white[whitecount++] = document.getelementbyid("thirdwhitelist").value;
  if(document.getelementbyid("fourthwhitelist").value!="") white[whitecount++] = document.getelementbyid("fourthwhitelist").value;
  if(document.getelementbyid("fifthwhitelist").value!="") white[whitecount++] = document.getelementbyid("fifthwhitelist").value;
  if(document.getelementbyid("sixthwhitelist").value!="") white[whitecount++] = document.getelementbyid("sixthwhitelist").value;
  if(document.getelementbyid("seventhwhitelist").value!="") white[whitecount++] = document.getelementbyid("seventhwhitelist").value;
  if(document.getelementbyid("eighthwhitelist").value!="") white[whitecount++] = document.getelementbyid("eighthwhitelist").value;
  // Host baseline: UDP/53 DNS both ways and HTTP/HTTPS as a client.
  document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p udp --sport 53 -j accept\niptables -a output -p udp --dport 53 -j accept\niptables -a input -p tcp --sport 80 -m state --state established -j accept\niptables -a output -p tcp --dport 80 -m state --state new,established -j accept\niptables -a output -p tcp --dport 443 -m state --state new,established -j accept\niptables -a input -p tcp --sport 443 -m state --state established -j accept\n";
    // Optional ICMP echo request/reply in both directions.
    if(document.getelementbyid("hosticmp").checked)
    document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p icmp --icmp-type echo-request -j accept\niptables -a output -p icmp --icmp-type echo-reply -j accept\niptables -a output -p icmp --icmp-type echo-request -j accept\niptables -a input -p icmp --icmp-type echo-reply -j accept\n";
<?php
$services=array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
$guests=  array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
// One generated JS "if" per host service slot: "server?" picks which side gets
// the typed port (the other side is 1024:65535), "whitelist?" restricts the
// peer to the whitelist entries (otherwise 0.0.0.0/0), and NEW connections
// beyond "limit" per minute (burst 2x) are sent to the logging chain, logged
// and dropped.
// NOTE(review): name, port and limit go into the script unvalidated; the name
// ends up inside the double-quoted --log-prefix, so a quote or "$" in it alters
// the command, and iptables caps --log-prefix at 29 characters, so
// "host <name> hit limit" only fits for short names -- verify. A blank limit
// gives "--limit /min --limit-burst 0"; "whitelist?" with no whitelist entries
// gives no rules for that service.
foreach($services &$i) {
echo '   if(document.getelementbyid("host'.$i.'name").value!="")   {     var dport, sport, list, listcount, inp, out;     if(document.getelementbyid("host'.$i.'server").checked)     {       dport=document.getelementbyid("host'.$i.'port").value;       sport="1024:65535";     }     else     {       sport=document.getelementbyid("host'.$i.'port").value;       dport="1024:65535";     }     if(document.getelementbyid("host'.$i.'whitelist").checked)     {       list=white;       listcount=whitecount;     }     else     {       list=new array();       list[0]="0.0.0.0/0";       listcount=1;     }     for(var = 0; < listcount; i++)     {       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+" -m state --state established -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a output -p tcp --sport "+dport+" --dport "+sport+" -d "+list[i]+" -m state --state established,new -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -m state --state new -m limit --limit "+document.getelementbyid("host'.$i.'limit").value+"/min --limit-burst "+document.getelementbyid("host'.$i.'limit").value*2+" -s "+list[i]+" -j accept\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp --dport "+dport+" --sport "+sport+" -m state --state new -m limit -s "+list[i]+" -j logging\n";       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+\' -j log --log-prefix "host \'+document.getelementbyid("host'.$i.'name").value+\' hit limit"\n\';       document.getelementbyid("builddisplay").innerhtml+="iptables -a logging -p tcp --dport "+dport+" --sport "+sport+" -s "+list[i]+\' -j drop\n\';     }   }';
}
?>

  // Closing tail: anything not matched above is rejected (TCP with a RST, ICMP
  // with an error) or dropped on INPUT, and dropped on OUTPUT, rather than
  // relying on the chain policy alone.
  document.getelementbyid("builddisplay").innerhtml+="iptables -a input -p tcp -j reject --reject-with tcp-reset\niptables -a input -p icmp -j reject\niptables -a input -j drop\niptables -a output -j drop\n";
};
</script> </head>
<body> <form> <input type="button" id="submitbutton" value="build" onclick="build()"> <pre>whitelist <?php
// Whitelist inputs: one per $guests entry.
// NOTE(review): ten inputs are emitted but build() reads only "firstwhitelist"
// .. "eighthwhitelist"; the ninth and tenth are ignored.
//$guests=  array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
foreach ($guests $i) {   echo ' <input type="text" id="'.$i.'whitelist">'; }
echo " ";
?> <textarea id="builddisplay" style="float: left"></textarea> <br> <pre> allow icmp?<input type="checkbox" id="hosticmp" value="yes">   <?php
$services=array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
// Host service rows: name / port / limit / server? / whitelist? per slot.
// NOTE(review): the onchange="show()" handlers reference a show() that this
// simplified page does not define, so each name change raises a ReferenceError
// in the console (harmless, but noisy).
foreach ($services &$i){ echo $i.' service  name    <input onchange="show()" type="text" id="host'.$i.'name">  port    <input type="text" id="host'.$i.'port">  limit   <input type="text" id="host'.$i.'limit">  server?   <input type="checkbox" id="host'.$i.'server" value="yes">  whitelist?<input type="checkbox" id="host'.$i.'whitelist" value="yes">'; }
echo '</pre>';
?>

