On Tue, Apr 27, 2004 at 07:51:33PM +0300, Shachar Shemesh wrote:
> Noam Meltzer wrote:
> 
> >Hi,
> >I was wondering if any1 knows if iptables has the ability to implement
> >"application intelligence"?
> 
> The short answer is "no".
> 
> A slightly longer answer is that, if you have a proxy software that can
> act as a transparent proxy, you can direct all traffic to it using
> IPTables. This is, essentially, what firewalls that do have application
> knowledge usually do anyways.
> 
> >My specific interest is to implement something like this:
> >I have a host, connected to the internet, and it runs iptables, while
> >ssh's tcp port is the only one opened.
> >Now, I want that instead of opening this port, every communication to
> >that port will be dropped, unless the computer which tries to connect
> >to it, will try to connect with a specific user.
> 
> First of all, what you just said makes no sense. SSH will pass somewhere
> around 8 or 10 TCP packets around before the username is sent. You
> cannot drop the traffic until these packets have been sent, because
> before that NO ONE knows who the user is.
> 
> Check Point has a mechanism by which they identify the user by external
> means. This allows exactly what you are looking for, assuming you are
> willing to install additional (typically Windows) software on the
> machine you connect from, or contact another port and identify yourself
> first.
If you want to implement something similar, try to see if there is a
similar pam module. But ssh authentication specifically doesn't have to
go through pam.

Also consider using port knocking, e.g. (seen today on freshmeat):
http://www.phantomcode.com/bashiptableportknocking/

BTW: speaking of "seen on freshmeat today":
http://www.cse.unsw.edu.au/~stabilizer/

| The goal of the Stabilizer project is to quickly stabilize buggy GUI
| applications so that people can get real work done with them.
|
| In our approach, thousands/millions of users collaboratively and quickly
| stabilize a buggy GUI application simply by using the application
| normally and reporting any bugs that they encounter to prevent anyone
| (including themselves) from encountering those same bugs again.
|
| In particular, as soon as a few people report the same bug, warnings
| will be issued to all users whenever they are about to trigger that bug
| and they will be given the opportunity to abort the input event -- thus
| avoiding the bug altogether and keeping the application stable.
|
| We expect such an approach to be several orders of magnitude faster than
| stabilizing an application by a handful of developers fixing bugs. Of
| course, those bugs need to be fixed eventually, but why not make the
| application useful in the meantime? Indeed, this will encourage more
| people to use alpha/beta releases of the application on a regular basis
| and report more (distinct) bugs.

> 
> 
> >example:
> >the user "haim" is allowed to my machine, and others ain't.
> >
> >doing:
> >remote-machine> ssh [EMAIL PROTECTED]
> >will be dropped by iptables.
> >doing:
> >remote-machine> ssh [EMAIL PROTECTED]
> >will be allowed by iptables.
> 
> Here you have another problem. SSH is an encrypted protocol. IPTables
> has no way of knowing WHAT the username passed was. I'm afraid you will
> have to play around with SSH's config in order to achieve this goal.
> 
> >10x,
> >Noam Meltzer
> 
> Shachar
> 
> -- 
> Shachar Shemesh
> Lingnu Open Source Consulting
> http://www.lingnu.com/
> 
> 
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]

-- 
Tzafrir Cohen                        +---------------------------+
http://www.technion.ac.il/~tzafrir/  |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED]             +---------------------------+
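The port-knocking idea Tzafrir suggests, as an added example that is not part of the thread and not the bash/iptables script it links: a stand-alone model of the gate that decides, per source address, whether the ssh port may be reached. Each inbound TCP SYN is reduced to (source address, destination port, timestamp), and the gate answers ACCEPT or DROP, the decision a firewall rule would take. It also shows why this sidesteps the objection in Shachar's reply: the gate works purely on TCP ports before any handshake, so it never needs the username that iptables cannot see inside the encrypted session. The knock sequence, both time windows, the event shape and all addresses are assumptions constructed for this example.

```python
# Added example: a model of a port-knocking gate (not the thread's or the
# linked project's code).  Sequence, windows and event shape are assumed.
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence of closed ports
PROTECTED_PORT = 22                  # sshd
KNOCK_WINDOW = 10.0                  # max seconds between consecutive knocks
OPEN_WINDOW = 30.0                   # seconds the port stays reachable after a full knock


@dataclass
class SourceState:
    progress: int = 0         # knocks of the sequence seen so far, in order
    last_knock: float = 0.0   # timestamp of the last counted knock
    open_until: float = -1.0  # protected port reachable while now <= open_until


class KnockGate:
    def __init__(self, sequence=KNOCK_SEQUENCE, knock_window=KNOCK_WINDOW,
                 open_window=OPEN_WINDOW, protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.knock_window = knock_window
        self.open_window = open_window
        self.protected_port = protected_port
        self._state = {}  # source address -> SourceState

    def handle_syn(self, src, dport, now):
        """Decide one inbound SYN from `src` to `dport` seen at time `now`."""
        st = self._state.setdefault(src, SourceState())

        # The protected port is reachable only inside a window this source
        # earned itself.  Nothing about the SSH session is inspected, because
        # the decision is made before the TCP handshake even completes.
        if dport == self.protected_port:
            return "ACCEPT" if now <= st.open_until else "DROP"

        # A half-finished sequence that went quiet too long starts over.
        if st.progress and now - st.last_knock > self.knock_window:
            st.progress = 0

        if dport == self.sequence[st.progress]:
            st.progress += 1
            st.last_knock = now
            if st.progress == len(self.sequence):
                st.open_until = now + self.open_window
                st.progress = 0
        else:
            # Any wrong port resets the sequence.  If it happens to be the
            # first knock, count it as a fresh start instead of discarding it.
            st.progress = 1 if dport == self.sequence[0] else 0
            st.last_knock = now

        # Knock ports are never answered, so from outside they look like any
        # other port the firewall drops.
        return "DROP"

    def is_open(self, src, now):
        """True if `src` currently holds an open window for the protected port."""
        st = self._state.get(src)
        return st is not None and now <= st.open_until


if __name__ == "__main__":
    gate = KnockGate()
    client = "198.51.100.7"  # constructed address
    for port, t in ((22, 0.0), (7000, 1.0), (8000, 2.0), (9000, 3.0), (22, 4.0)):
        print(f"t={t:4.1f} {client} -> {port}: {gate.handle_syn(client, port, t)}")
```

In a real deployment the per-source state lives in the firewall itself (the linked script keeps it with iptables) rather than in a Python object, but the rules are the same: knocks must arrive in order, within a bounded time, and the window they open belongs only to the source that knocked. Knocking gates the connection; it does not replace restricting accounts in sshd. The "play around with SSH's config" that Shachar mentions is the `AllowUsers` directive in sshd_config, which is enforced by the daemon after the handshake, so the two layers complement each other.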