Recipe to allow Squirrelmail users to request temp firewall access

  1. Allow the web server to execute the temporary-access script without a password.
  2. In /etc/sudoers

    apache ALL=NOPASSWD:/usr/local/adm/firewall/add_temp.pl

  3. Adjust the firewall script that you run on startup so it creates a "temporary" chain that is consulted on the INPUT path, and remove the ssh rule so ssh is no longer allowed by default.

  4. In /usr/local/adm/firewall/firewall

    #!/bin/sh

    iptables -N block
    iptables -F block
    iptables -N temporary
    iptables -F temporary
    iptables -F INPUT

    # allow established and related connections from outside
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow inbound HTTP, HTTPS, SMTP (SSH is deliberately left commented out)
    iptables -A block -p tcp --dport http -j ACCEPT
    iptables -A block -p tcp --dport https -j ACCEPT
    ##iptables -A block -p tcp --dport ssh -j ACCEPT
    iptables -A block -p tcp --dport smtp -j ACCEPT

    # allow whatever is in the "temporary" chain - cron clears it at 4 am
    iptables -A block -j temporary

    # special cases and requested open ports go here...

    # drop everything else (some silently, others logged)
    iptables -A block -p udp --dport 137 -j DROP
    iptables -A block -p udp --dport 138 -j DROP
    #gconnor#iptables -A block -j LOG --log-level notice --log-prefix "FIREWALL-DROP: "
    iptables -A block -j DROP

    # apply block filter to INPUT
    iptables -A INPUT -j block

    echo "firewall enabled"

  5. Here is the actual temporary add script
  6. /usr/local/adm/firewall/add_temp.pl

    #!/usr/bin/perl -w

    use strict;

    my $debug = 0;
    my ($remote, $result);

    # output is shown inside the Squirrelmail page, so every line gets an
    # HTML line break as well as a newline
    my $br = "<br>";

    # accept only a bare dotted-quad address; $remote is handed to the shell
    # below, so nothing but digits and dots may ever reach it
    if ( $ARGV[0] && $ARGV[0] =~ /^(\d+\.\d+\.\d+\.\d+)$/ ) {
        $remote = $1;
        print "Adding ip ", $remote, " to temporary access list (until 4 am)$br\n";
        $ENV{'PATH'} = '/bin:/usr/bin';
        $result = qx"/sbin/iptables -A temporary -p tcp --dport ssh -s $remote -j ACCEPT";
        print $result, $br, "\n";
        print "Temporary access list now contains:$br\n";
        $result = qx"/sbin/iptables -L temporary";
        print $result, $br, "\n";
    } else {
        print "$0: IP address not found $br\n";
    }

  7. New plugin for squirrelmail
  8. /usr/share/squirrelmail/plugins/sshenable/setup.php

    /usr/share/squirrelmail/plugins/sshenable/sshenable.php

    <?php
    define('SM_PATH', '../../');
    include_once(SM_PATH . 'include/validate.php');

    $program_location = '/usr/local/adm/firewall/add_temp.pl';
    if (!file_exists($program_location)) {
        echo "$program_location" . _(" not found.");
    } else {
        echo "\n\n";
        // the client address is the script's only argument; quote it so the
        // shell always sees it as a single word
        $command = "sudo " . $program_location . " " . escapeshellarg($_SERVER['REMOTE_ADDR']);
        $last_line = system($command, $retval);
    }
    ?>

  9. Finally, add a crontab entry that runs "iptables -F temporary" every morning (the script promises access "until 4 am"), so that the temporary entries are erased.
  10. Done!
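A stricter version of the add script in plain sh, added here as an example (it is not the recipe's own add_temp.pl): because the sudoers rule lets the web server run it as root, it accepts nothing but a well-formed IPv4 address, skips duplicate rules, logs each grant, and carries the cron flush as a --flush mode. The iptables path, the chain name and the --flush option are assumptions.

```shell
#!/bin/sh
# add_temp.sh: a stricter stand-in for add_temp.pl (added example, not the
# recipe's own script). Assumed: iptables at /sbin/iptables, chain "temporary".
# The sudoers rule lets the web server run this as root, so the argument
# check is the only thing between a web request and a root-run iptables
# command; it must accept nothing but a plain dotted quad.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=temporary

# valid_ipv4 ADDR: succeed only for four decimal octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_temp ADDR: open ssh for ADDR until the next flush, once per address.
add_temp() {
    if ! valid_ipv4 "$1"; then
        echo "$0: refusing argument that is not an IPv4 address" >&2
        return 1
    fi
    # -C checks whether an identical rule already exists, so repeated
    # requests from one address do not pile up duplicate rules.
    if ! "$IPTABLES" -C "$CHAIN" -p tcp --dport ssh -s "$1" -j ACCEPT 2>/dev/null; then
        "$IPTABLES" -A "$CHAIN" -p tcp --dport ssh -s "$1" -j ACCEPT || return 1
    fi
    logger -t add_temp "temporary ssh access granted to $1"
    "$IPTABLES" -L "$CHAIN" -n
}

# flush_temp: the cron job's half of the recipe, drops every temporary entry.
flush_temp() {
    "$IPTABLES" -F "$CHAIN" && logger -t add_temp "temporary chain flushed"
}

case "${1-}" in
    '')      ;;                  # no argument (e.g. when sourced): do nothing
    --flush) flush_temp ;;
    *)       add_temp "$1" ;;
esac
```

Point the sudoers line and the PHP plugin at this script instead of add_temp.pl, and have the 4 am cron job call it with --flush.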
