wardmundy
Nerd Uno
I have begun work on the next release of Travelin' Man to provide BOTH an administrator-maintainable WhiteList for the Linux IPtables firewall as well as a facility for those in the field to add their own IP addresses using a phone and perhaps email as well.
Now is the time to offer suggestions!!!
My initial design looks like this. There would be a MySQL database to store entries rather than separate .iptables files as we have with Travelin' Man 3 now. The admin-maintained portion would work pretty much as TM3 works today. There would be scripts to add IPs and FQDNs and to delete existing entries.
The new piece would be for remote users to maintain their own WhiteList entries. Basically, the administrator would assign an 8-digit unique account number (that doesn't start with a zero or 9) and a 5-digit PIN (that doesn't start with a zero) together with the user's email address for each remote user. Account numbers starting with 9 would be reserved for admin use with root privileges. The fourth field would store ONE IP address. Each authorized user could add or replace their WhiteListed IP address by calling in, providing the correct acctno and pin and then keying in an IP address, e.g. 123*45*67*89 for 123.45.67.89. They'd get a chance to verify that the IP address was correct but no other error checking. They'll know if it doesn't work 'cause their phone won't work. Then they can dial in and try again.
On the server itself, there would be a reserved directory to hold files generated by these phone calls. A typical file with wide open privileges (Level 0 in TM3) would look like this:
Code:
# // New entry for 12345678
-A INPUT -s 1.2.3.4 -j ACCEPT
# // End entry for 12345678
FYI: The Asterisk user account cannot be used to manage IPtables directly for security reasons. So...
Once every minute or two, a cron job running as root would check to see if any files were in the directory. If so, it would process them by adding the contents to /etc/sysconfig/iptables (CentOS/SciLinux platform) or /etc/network/iptables (RasPi/BeagleBone) and restarting IPtables: iptables-restart. It also would remove any previous IPtables entry for that same account number. An email would be sent to the end-user when the new IP address was activated by looking up the email address based upon the unique account number. Then the file would be removed.
I'm undecided whether to include a permissions field to manage which rights get assigned to each acctno. TM3 lets you choose from wide open access or a combination of 9 other services. Do we need that?? If so, it would be admin-controlled when you created user accounts.
Other ideas??
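The cron-side processing the post sketches, written out as an added example. This is not Travelin' Man code; it assumes the spool files have exactly the three-line marker layout shown above, that the rules file is in the iptables-save layout used by /etc/sysconfig/iptables, and that a whitelist ACCEPT has to be placed ahead of the catch-all INPUT REJECT/DROP (and before COMMIT) or it never fires. It also adds the checks the post says the phone side won't do, so a mistyped address or an account number outside the 8-digit scheme is refused before anything touches the firewall. The sample rules and spool files are constructed for the example.

```python
import ipaddress
import re

# Marker lines exactly as the post shows them; RULE is the Level 0 (wide open) form.
BEGIN = "# // New entry for {acct}"
END = "# // End entry for {acct}"
RULE = "-A INPUT -s {ip} -j ACCEPT"

# 8 digits with no leading zero (9xxxxxxx is the admin range the post reserves).
ACCT_RE = re.compile(r"[1-9]\d{7}")


def keyed_to_ip(digits):
    """Turn a keypad-entered address (123*45*67*89) into dotted form, or return None
    when it is not a valid IPv4 address.  The post skips this check; doing it here
    keeps a garbled entry from ever reaching the root cron job."""
    try:
        return str(ipaddress.IPv4Address(digits.replace("*", ".")))
    except ValueError:
        return None


def parse_entry_file(text):
    """Return (acct, ip) for a well-formed spool file, else None.  Both markers must
    name the same 8-digit account and the rule must be the single ACCEPT form shown
    in the post; anything else is refused rather than guessed at."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 3:
        return None
    head = re.fullmatch(r"# // New entry for (\d{8})", lines[0])
    rule = re.fullmatch(r"-A INPUT -s (\S+) -j ACCEPT", lines[1])
    tail = re.fullmatch(r"# // End entry for (\d{8})", lines[2])
    if not (head and rule and tail) or head.group(1) != tail.group(1):
        return None
    acct, ip = head.group(1), rule.group(1)
    if not ACCT_RE.fullmatch(acct) or keyed_to_ip(ip) is None:
        return None
    return acct, ip


def replace_entry(rules_text, acct, ip):
    """Drop any earlier block for `acct`, then insert a fresh one where it takes effect."""
    kept, skipping = [], False
    for line in rules_text.splitlines():
        if line.strip() == BEGIN.format(acct=acct):
            skipping = True          # start of the old block for this account
            continue
        if skipping:
            if line.strip() == END.format(acct=acct):
                skipping = False     # end of the old block
            continue
        kept.append(line)
    block = [BEGIN.format(acct=acct), RULE.format(ip=ip), END.format(acct=acct)]
    # Insert before the first catch-all INPUT REJECT/DROP (no -s), else before COMMIT.
    idx = next((i for i, ln in enumerate(kept)
                if ln.startswith("-A INPUT") and " -s " not in ln
                and re.search(r" -j (REJECT|DROP)\b", ln)), None)
    if idx is None:
        idx = next((i for i, ln in enumerate(kept) if ln.strip() == "COMMIT"), len(kept))
    kept[idx:idx] = block
    return "\n".join(kept) + "\n"


def process_spool(spool, rules_text):
    """Apply every spool file (name -> contents) to the rules text.  Returns
    (new_rules, activated, rejected): activated holds (acct, ip) pairs for the
    activation emails the post describes, rejected the file names to quarantine."""
    activated, rejected = [], []
    for name in sorted(spool):
        parsed = parse_entry_file(spool[name])
        if parsed is None:
            rejected.append(name)
            continue
        acct, ip = parsed
        rules_text = replace_entry(rules_text, acct, ip)
        activated.append((acct, ip))
    return rules_text, activated, rejected


# Constructed sample rules file in /etc/sysconfig/iptables layout (not from a real system).
SAMPLE_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# // New entry for 12345678
-A INPUT -s 1.2.3.4 -j ACCEPT
# // End entry for 12345678
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed spool: one valid replacement for 12345678, one file with a bogus address.
SAMPLE_SPOOL = {
    "12345678.rule": "# // New entry for 12345678\n-A INPUT -s 5.6.7.8 -j ACCEPT\n# // End entry for 12345678\n",
    "23456789.rule": "# // New entry for 23456789\n-A INPUT -s 1.2.3.999 -j ACCEPT\n# // End entry for 23456789\n",
}

if __name__ == "__main__":
    new_rules, ok, bad = process_spool(SAMPLE_SPOOL, SAMPLE_RULES)
    print(new_rules)
    print("activated:", ok, "rejected:", bad)
```

In the real cron job the returned text would be written to a temporary file and renamed over the rules file before `iptables-restart` runs, and only then would the spool file be deleted and the email sent, so a crash mid-way leaves either the old rules or the new ones, never a half-written file. The email lookup by account number and the permission levels the post is undecided about are left out here.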