Temporary IP whitelisting, secure ways to do it

I'm trying to basically set up some temporary iptables/pf/ipfw-like rules in response to a web request. For example: when the user submits a form, ACCEPT from to IPMI port, forward to internal network IP for the next hour, and remove the ACCEPT rule after that time.

I really, really do not want to even think about setcap or suid'ing the PHP or Python binary or running exec/shell()/equivalents or something - is there any other logical way to do this?

Comments

  • trewq Administrator, Patron Provider

    Create another application that runs as an API that your website backend can call?

  • SplitIce Member, Host Rep

    The best way is to build a simple daemon to do that job for you; for simplicity's sake, consider running it over a unix socket.

    The simple hackish way is to use sudo and iptables/whatever to do it.

  • pbgben Member, Host Rep

    Simple Python-based API; http://python-eve.org/ should be easy to create.

  • edited October 2016

    Consider if fail2ban might not work (either by letting it parse a log file or calling the client directly). It's generally used to do the opposite, but it seems like you could just set up everything else in reverse to get something along the lines of port knocking. And after a quick search, I give you a couple existing starting points:

    http://diginc.us/linux/2009/using-fail2ban-to-open-back-doors-ports-in-your-iptables/

    http://www.the-art-of-web.com/system/fail2ban-action-whitelist/

  • Just write a quick python daemon that handles these - that's what I do when I need to accomplish superuser tasks with PHP.
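The daemon-over-a-unix-socket suggestion and the "quick python daemon" approach above come down to the same design: one small privileged service owns the firewall, the web application stays unprivileged and only ever sends it a request, and no interpreter is suid'd or setcap'd. The following is an added example written for this page (it is not code from the thread or from any poster) of such a daemon in Python. It validates the source address with `ipaddress`, caps the TTL, runs `iptables` as an argv list with no shell, and deletes each rule when its time is up. The socket path `/run/ipwhitelist.sock`, the rule comment tag `tempwl`, and the one-line JSON request format are assumptions.

```python
"""Privileged whitelisting daemon: listens on a Unix socket, adds a temporary
iptables ACCEPT rule for a validated source IP, and removes it when its TTL
runs out.  Added example; not code from the thread."""
import ipaddress
import json
import os
import socket
import subprocess
import threading
import time

SOCKET_PATH = "/run/ipwhitelist.sock"   # assumed path; the web app's group owns it
MAX_TTL = 3600                          # cap every request at one hour
RULE_TAG = "tempwl"                     # iptables comment so our rules are identifiable


def build_rule(op, ip_text, port):
    """Return an argv list (no shell) that inserts (-I) or deletes (-D) the rule."""
    tool = "iptables" if ipaddress.ip_address(ip_text).version == 4 else "ip6tables"
    return [tool, op, "INPUT", "-p", "tcp", "-s", ip_text, "--dport", str(port),
            "-m", "comment", "--comment", RULE_TAG, "-j", "ACCEPT"]


class Whitelist:
    """Tracks live rules and their expiry; `run` executes argv lists as root."""

    def __init__(self, run=subprocess.check_call, clock=time.monotonic):
        self._run = run
        self._clock = clock
        self._expiry = {}            # (ip, port) -> monotonic expiry time
        self._lock = threading.Lock()

    def allow(self, ip_text, port, ttl):
        ip = ipaddress.ip_address(ip_text)   # ValueError on anything that is not an IP
        if not 1 <= port <= 65535:
            raise ValueError("bad port")
        if not 1 <= ttl <= MAX_TTL:
            raise ValueError("bad ttl")
        key = (str(ip), port)                # normalised text form, never the raw input
        with self._lock:
            if key not in self._expiry:      # repeat requests only extend the TTL
                self._run(build_rule("-I", *key))
            self._expiry[key] = self._clock() + ttl
        return key

    def expire(self):
        """Delete every rule whose TTL has passed; returns the keys removed."""
        now = self._clock()
        removed = []
        with self._lock:
            for key, deadline in list(self._expiry.items()):
                if deadline <= now:
                    self._run(build_rule("-D", *key))
                    del self._expiry[key]
                    removed.append(key)
        return removed


def handle_request(wl, raw):
    """One JSON request {"ip": ..., "port": ..., "ttl": ...} -> JSON-able reply."""
    try:
        req = json.loads(raw)
        key = wl.allow(str(req["ip"]), int(req["port"]), int(req["ttl"]))
    except (ValueError, KeyError, TypeError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "ip": key[0], "port": key[1]}


def reaper(wl, interval=1.0):
    """Background loop that removes expired rules."""
    while True:
        time.sleep(interval)
        wl.expire()


def serve(wl, path=SOCKET_PATH):
    """Accept one JSON request per connection on a group-restricted Unix socket."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)   # only root and the socket's group (the web app) may connect
    srv.listen(5)
    threading.Thread(target=reaper, args=(wl,), daemon=True).start()
    while True:
        conn, _ = srv.accept()
        with conn:
            raw = conn.recv(4096).decode("utf-8", "replace")
            conn.sendall(json.dumps(handle_request(wl, raw)).encode() + b"\n")


if __name__ == "__main__":
    serve(Whitelist())   # started as root by a service manager; the web app stays unprivileged
```

The web backend (PHP, Python, anything that can open a Unix socket) connects to the socket and writes one JSON line such as `{"ip": "203.0.113.7", "port": 623, "ttl": 3600}`; the daemon replies with `{"ok": true, ...}` or an error. Because the daemon is the only thing running as root, the only input it trusts is an address that survived `ipaddress.ip_address()`, and the rule is built as an argv list, form data never reaches a shell. Two caveats a practitioner would add: put the IP whitelist daemon's socket in a group that only the web server user belongs to (or check the caller's uid with `SO_PEERCRED`), and keep the TTL cap, since a rule that is never removed is a permanent hole.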

  • hzr Member

    Does that not need /usr/local/bin/python3.5 suid/setcap'd globally, or do I have to somehow build it into a separate binary?

  • joepie91 Member, Patron Provider

    What is your actual usecase, and wouldn't a VPN solve it in a far more secure and less error-prone way?

  • hzr Member
    edited October 2016

    VNC-esque setup to allow individual users to connect temporarily to a screen sharing session or console

    All of them are behind some form of corporate proxy or firewall that blocks most VPN services, and don't have administrative rights to install a tun/tap driver or otherwise.

    The last time I looked at guacamole it didn't support multiple users connected to a single shared session or working sound in RDP/VNC
