Thursday, December 30, 2010

Enhance Linuxbox Security: Iptables Printer Rules to Limit Access to the Local LAN.

Assume a topology of a local LAN connected to the internet through a gateway on which you are configuring the iptables firewall. This gateway has a printer attached and runs a print server. The LAN uses the 192.168.1.0/24 address range. We want to limit access to the printer to hosts on the local LAN and block access to the print server from the outside internet. See figure.

We have to edit the iptables configuration file mentioned in this post to accommodate the rules meant for the print server. Only the INPUT chain (traffic addressed to the gateway itself, which is where CUPS listens) is shown here.
#!/bin/bash
# Please verify that source address verification is enabled in /etc/sysctl.conf:
# net.ipv4.conf.all.rp_filter = 1
# Define some variables
# Location of the binaries
IPTABLES="/sbin/iptables"
# Loopback interface
LOOPBACK="lo"
## Flush all rules and delete user-defined chains, so the script can be re-run safely
$IPTABLES -F
$IPTABLES -X

## Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Create a custom chain SERV for the services this host offers.
$IPTABLES -N SERV

## Allow access to the loopback interface, so that you can ping yourself
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

## Incoming external traffic rules
# Accept incoming ICMP echo-reply for outgoing PINGs, so that when you
# ping another PC this host does not drop the echo-reply and you can detect live hosts.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Call the custom chain
$IPTABLES -A INPUT -j SERV

## Accept all established and related incoming traffic (TCP, UDP and ICMP alike)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
## Log all dropped incoming traffic (rate-limited so a flood cannot fill the log)
$IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "myLogInput: "

## Rules in the custom chain that will be executed when it is called.
# Accept communication on specific ports. Find listening services with: netstat --inet -pln
# e.g. a web service listening on port 8008
$IPTABLES -A SERV -p tcp --dport 8008 -j ACCEPT
# Allowing ssh from the whole world can create a security problem;
# prefer restricting it to a particular source IP (add -s <ip> to the rule).
$IPTABLES -A SERV -p tcp --dport 22 -j ACCEPT
# Limiting printer (CUPS/IPP, port 631) access to the local LAN
$IPTABLES -A SERV -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT
$IPTABLES -A SERV -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT

Port 631 (IPP) is the standard port of the CUPS print server. The appended rules accept incoming packets for CUPS from any host in the 192.168.1.1-192.168.1.254 range and, because the INPUT policy is DROP and no other rule matches, packets for port 631 from outside that range are logged and dropped. Two caveats: the rules match on the source address only, so a packet arriving on the internet-facing interface with a forged 192.168.1.x source would still be accepted unless rp_filter (see the top of the script) or an explicit interface match such as -i eth1 on the two CUPS rules rejects it; and the FORWARD policy of DROP means that traffic the gateway routes between the LAN and the internet needs its own FORWARD rules, which are outside the scope of this post. After loading the script, check the result with iptables -L INPUT -n -v --line-numbers and iptables -L SERV -n -v.
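To see exactly which packets the rules above let through to CUPS, the following is an added example (not code from the original post) that models iptables' first-match evaluation of the INPUT and SERV chains in Python. It is a simplified model, not iptables itself: interface names eth0 (internet side) and eth1 (LAN side) are assumed, the post's iprange is approximated by the 192.168.1.0/24 network, and the sample packets are constructed. It shows the post's ruleset beside a hardened variant that also requires CUPS traffic to arrive on the LAN interface, which is what closes the spoofed-source gap when rp_filter is not enabled.

```python
"""Model of the post's INPUT/SERV chains: which packets reach CUPS (port 631)?

Added example, not the original post's code. Rules and packets are dicts;
a field left None/empty matches anything, as an unset iptables match does.
Assumed interface names: eth0 = internet side, eth1 = LAN side.
"""
import ipaddress

LAN = "192.168.1.0/24"   # stands in for the post's iprange 192.168.1.1-254


def rule(target, proto=None, dport=None, src=None, iface=None,
         state=(), icmp_type=None):
    """One iptables rule. target is ACCEPT, DROP, LOG or a user chain name."""
    return {"target": target, "proto": proto, "dport": dport,
            "src": ipaddress.ip_network(src) if src else None,
            "iface": iface, "state": set(state), "icmp_type": icmp_type}


def ruleset(lan_iface=None):
    """The post's chains. With lan_iface set, the two CUPS rules additionally
    require the packet to arrive on that interface (hardened variant)."""
    def cups(proto):
        return rule("ACCEPT", proto, 631, LAN, lan_iface)
    return {
        "INPUT": [
            rule("ACCEPT", iface="lo"),                       # loopback
            rule("ACCEPT", proto="icmp", icmp_type="echo-reply"),
            rule("SERV"),                                     # -j SERV
            rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
            rule("LOG"),                                      # then policy DROP
        ],
        "SERV": [
            rule("ACCEPT", "tcp", 8008),
            rule("ACCEPT", "tcp", 22),
            cups("tcp"),
            cups("udp"),
        ],
    }


def matches(r, pkt):
    """First-match semantics: every set field of the rule must agree."""
    return all((
        r["proto"] is None or r["proto"] == pkt["proto"],
        r["dport"] is None or r["dport"] == pkt["dport"],
        r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"],
        r["iface"] is None or r["iface"] == pkt["iface"],
        not r["state"] or pkt["state"] in r["state"],
        r["icmp_type"] is None or r["icmp_type"] == pkt["icmp_type"],
    ))


def walk(chains, name, pkt, log):
    """Walk one chain; return a terminating verdict, or None if it falls through."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        target = r["target"]
        if target == "LOG":               # LOG is non-terminating: record, keep going
            log.append(f"myLogInput: IN={pkt['iface']} SRC={pkt['src']} "
                       f"PROTO={pkt['proto']} DPT={pkt['dport']}")
            continue
        if target in chains:              # jump to user chain; implicit RETURN at its end
            verdict_ = walk(chains, target, pkt, log)
            if verdict_ is not None:
                return verdict_
            continue
        return target
    return None


def verdict(chains, pkt, policy="DROP"):
    """Verdict for a packet entering INPUT (the post sets -P INPUT DROP).
    Returns (verdict, list of log lines)."""
    log = []
    v = walk(chains, "INPUT", pkt, log)
    return (policy if v is None else v), log


def packet(src, iface, proto="tcp", dport=631, state="NEW", icmp_type=None):
    """Constructed sample packet headed for the gateway itself."""
    return {"src": src, "iface": iface, "proto": proto, "dport": dport,
            "state": state, "icmp_type": icmp_type}


if __name__ == "__main__":
    samples = (("LAN host", packet("192.168.1.50", "eth1")),
               ("internet host", packet("203.0.113.7", "eth0")),
               ("forged LAN src on eth0", packet("192.168.1.50", "eth0")))
    for label, chains in (("post", ruleset()), ("hardened", ruleset("eth1"))):
        for name, pkt in samples:
            v, log = verdict(chains, pkt)
            print(f"{label:9}{name:24} -> {v}  {log}")
```

Running it prints ACCEPT for the LAN host under both rulesets and DROP (with a log line) for the internet host, but the packet with a forged 192.168.1.50 source arriving on eth0 is accepted by the post's address-only rules and only dropped by the hardened variant; on the real gateway, rp_filter=1 with a correct routing table would discard that packet before the filter table sees it, so enabling it as the script's header asks is not optional.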
