1. Allow the web server to execute the temporary firewall script without a password.

In /etc/sudoers

apache ALL=NOPASSWD:/usr/local/adm/firewall/add_temp.pl

2. Adjust the firewall script you run at startup so that it creates a "temporary" chain which is consulted for INPUT traffic. Also comment out the ssh rule so that ssh is not allowed by default.

In /usr/local/adm/firewall/firewall

#!/bin/sh

# create (or re-create) the chains; -N fails harmlessly if the chain already
# exists, -F then empties it so the script can be re-run safely
iptables -N block
iptables -F block
iptables -N temporary
iptables -F temporary
iptables -F INPUT

# allow established and related connections from outside
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow inbound HTTP, HTTPS, SMTP; SSH is commented out on purpose and is
# only opened per source address through the "temporary" chain
iptables -A block -p tcp --dport http -j ACCEPT
iptables -A block -p tcp --dport https -j ACCEPT
##iptables -A block -p tcp --dport ssh -j ACCEPT
iptables -A block -p tcp --dport smtp -j ACCEPT

# allow stuff in the "temporary" chain - it gets cleared at 4 am by cron
iptables -A block -j temporary

# special cases and requested open ports go here...

# drop everything else (some silently, others logged)
iptables -A block -p udp --dport 137 -j DROP
iptables -A block -p udp --dport 138 -j DROP
#gconnor#iptables -A block -j LOG --log-level notice --log-prefix FIREWALL-DROP:
iptables -A block -j DROP

# apply block filter to INPUT
iptables -A INPUT -j block

echo "firewall enabled"

3. Here is the actual temporary add script:

In /usr/local/adm/firewall/add_temp.pl

#!/usr/bin/perl -w
use strict;

my $debug = 0;
my ($remote, $result);

# line break for the SquirrelMail page that displays this output
# (assumed: the HTML tag was stripped when the page was extracted)
my $br = "<br>\n";

# Only the captured dotted quad ($1), never the raw argument, is interpolated
# into the shell command below, so an unexpected argument cannot inject
# further iptables options or shell syntax.
if ( $ARGV[0] && $ARGV[0] =~ /(\d+\.\d+\.\d+\.\d+)/ ) {
    $remote = $1;
    print "Adding ip ", $remote, " to temporary access list (until 4 am) $br\n";
    $ENV{'PATH'} = '/bin:/usr/bin';
    $result = qx(/sbin/iptables -A temporary -p tcp --dport ssh -s $remote -j ACCEPT);
    print $result, $br, "\n";
    print "Temporary access list now contains:$br\n";
    $result = qx(/sbin/iptables -L temporary);
    print $result, $br, "\n";
} else {
    print "$0: IP address not found $br\n";
}

4. New plugin for SquirrelMail, consisting of two files:

/usr/share/squirrelmail/plugins/sshenable/setup.php

/usr/share/squirrelmail/plugins/sshenable/sshenable.php

Finally, add a crontab entry that runs "iptables -F temporary" every morning (at 4 am, matching the comment in the firewall script) so that the temporary entries are erased.
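The script that apache may run without a password is the part of this setup worth hardening, because whatever it accepts ends up as an iptables rule. The following POSIX sh version is an added example, not the page's add_temp.pl: it checks that the argument is exactly four octets in the range 0-255 (stricter than the Perl regex, which only looks for digits and dots somewhere in the argument), passes the address to iptables as a separate argument so nothing is re-parsed by a shell, and bundles the 4 am flush that the cron job performs. The IPTABLES variable and the PATH setting are assumptions of this example; if it were installed in place of add_temp.pl the sudoers entry would point at it instead.

```shell
#!/bin/sh
# Hardened variant of the temporary SSH-allow helper (added example, not the
# page's own script). Assumes the "temporary" chain created by the firewall
# script exists. IPTABLES can be overridden, e.g. for testing.

: "${IPTABLES:=/sbin/iptables}"    # assumed location of the iptables binary
PATH=/bin:/usr/bin:/sbin:/usr/sbin  # fixed PATH, as add_temp.pl also does
export PATH

# valid_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with each octet in
# 0-255 and no leading zeros, otherwise 1. Anything containing characters
# other than digits and dots (spaces, "-j", ";" ...) is rejected up front.
valid_ipv4() {
    addr=$1
    case $addr in
        "" | *[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                    # split into octets on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1             # "1..2.3" has an empty octet
        [ ${#octet} -le 3 ] || return 1         # keeps the numeric test sane
        case $octet in 0 | [1-9]*) ;; *) return 1 ;; esac   # no "010"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_temp_rule ADDR -> appends the SSH allow rule for ADDR to the temporary
# chain; refuses (exit 1) without touching the firewall on bad input.
add_temp_rule() {
    if ! valid_ipv4 "$1"; then
        echo "$0: refusing '$1': not a dotted-quad IPv4 address" >&2
        return 1
    fi
    # the address is one argv element; iptables never sees a shell string
    "$IPTABLES" -A temporary -p tcp --dport ssh -s "$1" -j ACCEPT
}

# flush_temp -> what the 4 am cron entry runs to drop all temporary access
flush_temp() {
    "$IPTABLES" -F temporary
}

# command-line entry point: ./add_temp.sh ADDR (no-op without an argument)
[ $# -eq 0 ] || add_temp_rule "$1"
```

Run as root (or via sudo from the web server) with one address argument; the refusal message goes to stderr so the web page only ever shows iptables output for addresses that passed validation.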

Done!