* Database Backed IPTables
@ 2013-06-28 15:01 Nick Khamis
  2013-06-28 15:12 ` Ricardo Klein
  2013-06-28 23:19 ` /dev/rob0
  0 siblings, 2 replies; 15+ messages in thread
From: Nick Khamis @ 2013-06-28 15:01 UTC (permalink / raw)
  To: netfilter

Hello Everyone,

Is it possible to have a MySQL backed IPTables? What we are trying to
accomplish is having our clients supply us with a mac address (or ip),
and we would let them through our core network. This would be done
automatically on our website i.e.:

* User logs into the website, and provides mac address
* We insert the record in the database as an allow rule...
* Restart iptables?

Kind Regards,

Nick.


* Re: Database Backed IPTables
From: Ricardo Klein @ 2013-06-28 15:12 UTC (permalink / raw)
  To: Nick Khamis; +Cc: netfilter

I think someone is already working on an ipset module for that.
We need that here too...


--
Att...

Ricardo Felipe Klein
klein.rfk@gmail.com


* Re: Database Backed IPTables
From: /dev/rob0 @ 2013-06-28 23:19 UTC (permalink / raw)
  To: netfilter

On Fri, Jun 28, 2013 at 11:01:10AM -0400, Nick Khamis wrote:
> Is it possible to have a MySQL backed IPTables?

No, network packets need to be handled in real time. Your SQL query 
would take too long.

> What we are trying to accomplish is having our clients supply us 
> with a mac address (or ip), and we would let them through our core 
> network. This would be done automatically on our website i.e.:
> 
> * User logs into the website, and provides mac address
> * We insert the record in the database as an allow rule...

Sounds like a job for ipset(8).

> * Restart iptables?

Restart? What does that mean? iptables is not a daemon.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


* Re: Database Backed IPTables
From: Ricardo Klein @ 2013-06-29  0:00 UTC (permalink / raw)
  To: netfilter

Rob,

do you know the actual status of the ipset "mac only" module? Someone has
told me that it is being developed...
I tried to make this work with the mac_ip module and using "0.0.0.0/0" to
match the mac address with any ip, but it didn't work...
--
Att...

Ricardo Felipe Klein
klein.rfk@gmail.com


* Re: Database Backed IPTables
From: Nick Khamis @ 2013-06-29  0:05 UTC (permalink / raw)
  To: netfilter

On 6/28/13, /dev/rob0 <rob0@gmx.co.uk> wrote:
> On Fri, Jun 28, 2013 at 11:01:10AM -0400, Nick Khamis wrote:
>> Is it possible to have a MySQL backed IPTables?
>
> No, network packets need to be handled in real time. Your SQL query
> would take too long.
>
>> What we are trying to accomplish is having our clients supply us
>> with a mac address (or ip), and we would let them through our core
>> network. This would be done automatically on our website i.e.:
>>
>> * User logs into the website, and provides mac address
>> * We insert the record in the database as an allow rule...
>
> Sounds like a job for ipset(8).
>
>> * Restart iptables?
>
> Restart? What does that mean? iptables is not a daemon.
> --
>   http://rob0.nodns4.us/ -- system administration and consulting
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

How did I overlook ipset? By restart I mean ./iptables && iptables-save

Kind Regards,

Nick.


* Re: Database Backed IPTables
From: /dev/rob0 @ 2013-06-29  0:28 UTC (permalink / raw)
  To: netfilter

On Fri, Jun 28, 2013 at 08:05:44PM -0400, Nick Khamis wrote:
> On 6/28/13, /dev/rob0 <rob0@gmx.co.uk> wrote:
> > On Fri, Jun 28, 2013 at 11:01:10AM -0400, Nick Khamis wrote:
> >> What we are trying to accomplish is having our clients supply
> >> us with a mac address (or ip), and we would let them through
> >> our core network. This would be done automatically on our
> >> website i.e.:
> >>
> >> * User logs into the website, and provides mac address
> >> * We insert the record in the database as an allow rule...
> >
> > Sounds like a job for ipset(8).
> >
> >> * Restart iptables?
> >
> > Restart? What does that mean? iptables is not a daemon.
> 
> How did I overlook ipset? By restart I mean ./iptables && 
> iptables-save

I'm still not sure what that means; is ./iptables a script? (Not 
using the one in $PATH for a reason?) And iptables-save(8) merely 
writes the rules to stdout.

When you update your ipset, any rule referring to that set uses the
new set right away. There would be no point in dumping and then 
reloading your ruleset.


P.S. to Ricardo: No, sorry, I don't know about it. But for this 
purpose a MAC address would not be needed. "User logs into the 
website," this cannot be done without an IP address.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


* Re: Database Backed IPTables
From: Nick Khamis @ 2013-06-29  1:21 UTC (permalink / raw)
  To: netfilter

Ooops, I realized how many blanks I am leaving in my messages. The
website is only used to allow the user to enter their mac address in
order to have access to our services (not HTTP).

Yes, ./iptables.sh is the ruleset script.

>> When you update your ipset, any rule referring to that set uses the
>> new set right away. There would be no point in dumping and then
>> reloading your ruleset.

Hmm, this covers adding *new* mac or even ip addresses; however, how
would we delete/modify existing entries dynamically?

Kind Regards.

Nick.


* Re: Database Backed IPTables
From: Eliezer Croitoru @ 2013-06-29 14:47 UTC (permalink / raw)
  To: Nick Khamis; +Cc: netfilter

The internet works on IP, not on MAC....
It's like "I want to buy a car that doesn't move."
OK, NP, just buy something other than a car then...

ipset is the tool, and you would need a couple of security levels in order to
prevent spoofing and defend against some malicious attempts on this
site..

Eliezer

* Re: Database Backed IPTables
From: Jozsef Kadlecsik @ 2013-06-29 18:19 UTC (permalink / raw)
  To: Ricardo Klein; +Cc: Nick Khamis, netfilter

On Fri, 28 Jun 2013, Ricardo Klein wrote:

> I think someone is already working in a ipset module for that.
> We need that here too...

I'd be fairly surprised at such a module...

> On Fri, Jun 28, 2013 at 12:01 PM, Nick Khamis <symack@gmail.com> wrote:
> >
> > Is it possible to have a MySQL backed IPTables? What we are trying to
> > accomplish is having our clients supply us with a mac address (or ip),
> > and we would let them through our core network. This would be done
> > automatically on our website i.e.:
> >
> > * User logs into the website, and provides mac address
> > * We insert the record in the database as an allow rule...
> > * Restart iptables?

That's pretty similar to a captive portal, which is quite simple to set up: 
you need a small webpage written say in PHP (IP and MAC can be gathered 
directly if the webserver is on the same LAN) and a bitmap:ip,mac type of 
set with timeout, and some static iptables rules. It's almost trivial if 
the things run on the gateway.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
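Added example, written for this thread and not taken from any of the posters: the ipset/iptables side of the captive-portal-style setup Jozsef describes (bitmap:ip,mac set with timeout plus static rules), with allow/refresh/revoke helpers that also answer Nick's question about changing existing entries without reloading the ruleset. The set name, LAN range, interface, timeout and the web-form input checks are assumptions; PORTAL_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Captive-portal style allow list kept in an ipset. The iptables rules refer
# to the set by name, so membership changes take effect on the next packet;
# nothing is dumped or reloaded. Names and values below are assumptions.
PORTAL_SET=${PORTAL_SET:-portal_clients}   # assumed set name
PORTAL_LAN=${PORTAL_LAN:-192.0.2.0/24}     # assumed LAN the clients sit on
PORTAL_IF=${PORTAL_IF:-eth1}               # assumed LAN-facing interface
PORTAL_TTL=${PORTAL_TTL:-3600}             # default entry lifetime in seconds
PORTAL_DRY_RUN=${PORTAL_DRY_RUN:-0}        # 1 = print the commands, do not run

# Run a command, or print it when dry-running (no root needed to read it).
run() {
    if [ "$PORTAL_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The IP and MAC come from a web form: validate before they reach a command.
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac()  { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# One-time setup: the set plus the static rules. As Neal notes, the MAC is only
# meaningful on the local link, so this is for clients on PORTAL_LAN.
portal_setup() {
    run ipset create -exist "$PORTAL_SET" bitmap:ip,mac range "$PORTAL_LAN" timeout "$PORTAL_TTL"
    # src,src: match the packet's source IP and source MAC against the set.
    run iptables -A FORWARD -i "$PORTAL_IF" -m set --match-set "$PORTAL_SET" src,src -j ACCEPT
    run iptables -A FORWARD -i "$PORTAL_IF" -j DROP   # default deny for everyone else
}

# Allow a client, or refresh one: -exist turns a repeated add into a timeout
# update instead of an error, which is how an existing entry gets "modified".
portal_allow() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    run ipset add -exist "$PORTAL_SET" "$1,$2" timeout "${3:-$PORTAL_TTL}"
}

# Revoke a client at once; the ACCEPT rule stops matching on the next packet.
portal_revoke() {
    valid_ipv4 "$1" || return 1
    run ipset del -exist "$PORTAL_SET" "$1"
}

# Ask the kernel whether a client is currently allowed (exit status 0 = yes).
portal_check() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    run ipset test "$PORTAL_SET" "$1,$2"
}

# Tiny CLI so the web side can call e.g. "portal.sh allow IP MAC [seconds]".
case "${1:-}" in
    setup)  portal_setup ;;
    allow)  portal_allow "$2" "$3" "$4" ;;
    revoke) portal_revoke "$2" ;;
    check)  portal_check "$2" "$3" ;;
esac
```

The setup and the real add/del calls need root and the ipset(8) and iptables(8) binaries; entries expire on their own after the timeout unless refreshed.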


* Re: Database Backed IPTables
From: Andrew Beverley @ 2013-06-29 20:10 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: Ricardo Klein, Nick Khamis, netfilter

On Sat, 2013-06-29 at 20:19 +0200, Jozsef Kadlecsik wrote:
> > > * User logs into the website, and provides mac address
> > > * We insert the record in the database as an allow rule...
> > > * Restart iptables?
> 
> That's pretty similar to a captive portal, which is quite simple to setup: 
> you need a small webpage written say in PHP (IP and MAC can be gathered 
> directly if the webserver is on the same LAN) and a bitmap:ip,mac type of 
> set with timeout, and some static iptables rules. It's almost trivial if 
> the things run on the gateway.

And an example is here:

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal

Except it does not use ipset, which would be a *much* better way of
implementing it ;-)


* Re: Database Backed IPTables
From: Nick Khamis @ 2013-06-29 20:39 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Jozsef Kadlecsik, Ricardo Klein, netfilter

I love you guys!!! I am sorry that I have left out important details
that left you speculating. We offer a SIP phone service to our
clients. In netfilter speak that's:

-A UDP -p udp -m udp --sport 5060 --dport 5080 -j ACCEPT :)

Anyone can use our SIP server however, they will first need to create
an account through our website, and provide the mac of the device that
will be connecting to us. The website does not have to capture their
info.

Why we prefer mac is because the device will not be static, it will be
on the move hopping on different networks all happy and stuff :)....

Andrew, that is kind of what we are looking for but as you mentioned
ipset would be a much better way of doing it. Until this post I did
not know of ipset, will have to educate myself regarding it.

What is unclear at this moment is, do we have mac support, or is it
called *ip*set for a reason? Secondly, can we update and remove
existing entries in our config?

Kind Regards,

Nick.


* Re: Database Backed IPTables
From: Neal Murphy @ 2013-06-29 21:00 UTC (permalink / raw)
  To: netfilter

On Saturday, June 29, 2013 04:39:06 PM Nick Khamis wrote:
> I love you guys!!! I am sorry that I have left out important details
> that left you speculating. We offer a SIP phone service to our
> clients. In netfilter speak that's:
> 
> -A UDP -p udp -m udp --sport 5060 --dport 5080 -j ACCEPT :)
> 
> Anyone can use our SIP server however, they will first need to create
> an account through our website, and provide the mac of the device that
> will be connecting to us. The website does not have to capture their
> info.
> 
> Why we prefer mac is because the device will not be static, it will be
> on the move hopping on different networks all happy and stuff :)....
> 
> Andrew, that is kind of what we are looking for but as you mentioned
> ipset would be a much better way of doing it. Until this post I did
> not know of ipset, will have to educate myself regarding it.
> 
> What is unclear at this moment is, do we have mac support,

The MAC address is only used on local links. The MAC address of a packet 
arriving at your firewall or perimeter router is that of the router at the 
other (ISP) end of your link. The only exception would be if the higher 
protocol (SIP) includes the MAC address; but that's another ball of wax.

Does SIP handle roaming? If so, you'd almost need a SIP helper to track and 
update the client's IP.


* Re: Database Backed IPTables
From: Nick Khamis @ 2013-06-29 23:12 UTC (permalink / raw)
  To: neal.p.murphy; +Cc: netfilter

>> The MAC address is only used on local links. The MAC address of a packet
>> arriving at your firewall or perimeter router is that of the router at the
>> other (ISP) end of your link.

Our client application adds a P-Assertion to the SIP message
indicating the mac of the requesting client. Now, I am not sure how we
can tie that into "--src" of IPTables. As you rightfully pointed out,
the source of the arriving packet will be irrelevant. Thanks for
pointing that out.

We can always manage this on our SIP servers, maybe that's the better
place for it? If possible it would be nice to keep firewalling to
IPTables...

>> Does SIP handle roaming? If so, you'd almost need a SIP helper to track and
>> update the client's IP.

We handle roaming logic using our proxies.

Kind Regards,

N.


* Re: Database Backed IPTables
From: Dash Four @ 2013-06-30 12:13 UTC (permalink / raw)
  Cc: netfilter


Nick Khamis wrote:
>>> The MAC address is only used on local links. The MAC address of a packet
>>> arriving at your firewall or perimeter router is that of the router at the
>>> other (ISP) end of your link.
>
> Our client application adds a P-Assertion to the SIP message
> indicating the mac of the requesting client. Now, I am not sure how we
> can tie that into "--src" of IPTables.
>
If you need to capture embedded MAC addresses in that header you would 
need to analyse the SIP packet - not a trivial thing to do by any means. 
Even then, what's stopping, say, an adversary from crafting a packet 
with a "legitimate" MAC address embedded in that header?

Even if you match IP and MAC addresses together, that won't be 100% 
secure as these could be easily forged.

Since your clients are using an application you provide, why don't you 
secure the signalling using PKI - that way you could distribute a 
certificate with the client. The server on your side of the connection 
won't accept it unless a secure handshake has been established - job done.

OK, that won't prevent you from somebody ddos-ing you, but you could 
easily protect yourself from this using standard iptables tools.


* Re: Database Backed IPTables
From: Nick Khamis @ 2013-06-30 13:27 UTC (permalink / raw)
  To: Dash Four; +Cc: netfilter

>> why don't you secure the signalling using PKI

I think this is the smarter way of doing it.

>> The server on your side of the connection won't accept it unless a secure handshake has
>> been established - job done.

I am familiar with PKI and SSH handshake. In this scenario what would
be responsible for securing the handshake? Can we use iptables to
match public/private keys and establish a secure connection? We really
like to abstract outwards the different services (i.e., leave SIP
related doings to the SIP server, and handshake securing to OpenVPN?).

>> OK, that won't prevent you from somebody ddos-ing you, but you could easily protect
>> yourself from this using standard iptables tools.

I think with PKI, and standard iptables ddos is less of an issue?

Guys, thank you so much! And thank you iptables for making our
networks a little more secure, and the internet a little more
bearable!

Kind Regards,

Nick.
