UCS firewall, restricting access to SSH and UMC by source IP

Hi,

I would like to restrict access to certain ports on UCS servers to certain IP addresses. Specifically this concerns access to SSH and the UMC. The UCS servers are meant to serve purely as Active Directory or Windows file servers, so access to SSH and UMC is not necessary for non-admins.

As far as I have understood so far, UCR offers no way to create firewall rules that are restricted to source IP addresses. According to the UCS documentation, however, custom firewall rules can be included via the file /etc/security/packetfilter.d/50_local.sh, so I followed that approach first. Here I have the following problem:

Since ports 22 and 443 are opened by default in the file /etc/security/packetfilter.d/10_univention-firewall_start.sh, filter rules for these ports that I append to the iptables chains via 50_local.sh are never reached by the corresponding network packets, because they have already been accepted earlier. I also cannot set up my own rules before 10_univention_firewall_start.sh runs, because 10_univention_firewall_start.sh initially flushes the rule chains, so all rules inserted earlier are deleted again.

Is there perhaps another approach I have overlooked for filtering these two ports by source IP address using UCS means?

Regards,
Frank

Translated your request as we prefer English here:

Hi,

I would like to restrict access to certain ports to certain IP addresses on UCS servers. In particular, it is about access to SSH and the UMC. The UCS servers should serve purely as Active Directory and/or Windows file servers; therefore access to SSH and UMC is not necessary for non-admins.

As far as I have understood so far, there is no possibility to create firewall rules via UCR that are limited to source IP addresses. However, according to UCS documentation, you can include your own firewall rules via the file /etc/security/packetfilter.d/50_local.sh, so I took this approach first. But here I have the following problem:

Since ports 22 and 443 are enabled by default in the file /etc/security/packetfilter.d/10_univention-firewall_start.sh, filter rules for these ports, which I append to the iptables chains via 50_local.sh, are not reached by the corresponding network packets, since they have already been accepted before. However, I cannot set up my own rules before executing 10_univention_firewall_start.sh, because in 10_univention_firewall_start.sh the rule chains are initially emptied and thus all rules that were inserted before are deleted again.

Is there any other way to filter the two ports with UCS means according to source IP addresses that I might have overlooked?

Greetings,
Frank

Translated with www.DeepL.com/Translator

I am just a little bit unsure about your motivation. You say “access for non-admins is not needed for UMC nor SSH”. Right, but these are user restrictions, not IP range restrictions. To prevent users from using them you will not need packet filter rules.

Anyways, for restrictions to UMC have a look at this article.

Regarding SSH, have you checked the documentation or did you try it? I read:

Local rules have a higher priority and overwrite rules provided by packages.

This should be enough to define your own rules and use an IP range as limit.

/CV

Hi Christian,

thanks for your fast reply!

I am just a little bit unsure about your motivation. You say “access for non-admins is not needed for UMC nor SSH”. Right, but these are user restrictions, not IP range restrictions. To prevent users from using them you will not need packet filter rules.

Sorry if the text of my posting was a little bit misleading in this regard: I want to block non-admin workstations in my network from connecting to SSH or UMC for security reasons. So as a first step I tried to use a firewall rule blocking ports 22 and 443 except for a fixed list of IPs of admin workstations…

Anyways, for restrictions to UMC have a look at this article.

Thanks for the information, will try that later.

Regarding SSH, have you checked the documentation or did you try it? I read:
Local rules have a higher priority and overwrite rules provided by packages.
This should be enough to define your own rules and use an IP range as limit.

Yes, I have already tried that. But as far as I understand you can only add firewall rules via UCR that are restricted by destination IP address, not by source IP:

E.g. a UCR variable like

security/packetfilter/tcp/22/a.b.c.d=REJECT

will generate an iptables rule

iptables --wait -A INPUT -p "tcp" -d a.b.c.d --dport 22 -j REJECT

So packets are only filtered by destination IP.

The only way to achieve filtering by source IPs I have found is putting the corresponding rules in 50_local.sh and inserting them at a fixed position in the iptables chain (and not appending them at the end of the INPUT chain). E.g. to block port 443 for all IPs except a.b.c.d:

iptables --wait -I INPUT 5 -p "tcp" ! --source a.b.c.d --dport 443 -j REJECT
ip6tables --wait -I INPUT 5 -p "tcp" ! --source a.b.c.d --dport 443 -j REJECT

With this solution I see the possibility that the functionality will break if the firewall structure is changed in some way during a future UCS upgrade.

Frank

Use 50_local.sh and insert those rejecting rules at the top, not at specific positions.
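A possible 50_local.sh along those lines, as an added example and not Univention's own file: it inserts REJECT rules for ports 22 and 443 at the top of INPUT and per-admin ACCEPT rules above them, so the result does not depend on any position in the package-provided chain. The admin addresses are constructed placeholders, and DRY_RUN only prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed example for /etc/security/packetfilter.d/50_local.sh (not Univention's
# own file). Admin workstations keep SSH (22) and UMC (443); all other sources are
# rejected. The addresses are constructed documentation ranges; replace them.
ADMIN_V4="${ADMIN_V4:-192.0.2.10 192.0.2.11}"
ADMIN_V6="${ADMIN_V6:-2001:db8::10}"
PORTS="22 443"

# Print the commands for one address family ($1 = iptables or ip6tables, the
# remaining arguments are the allowed source addresses). Every rule uses
# "-I INPUT" without an index, i.e. position 1, so it lands above whatever
# ACCEPT rules 10_univention-firewall_start.sh installed. Each insert pushes
# the previous ones down, so REJECT is emitted first and ACCEPT afterwards,
# leaving ACCEPT above REJECT. One ACCEPT per address avoids "! --source",
# which cannot express more than one allowed address.
gen_rules() {
    tool="$1"; shift
    admins="$*"
    if [ -z "$admins" ]; then
        echo "gen_rules: no admin addresses given, refusing to lock out everyone" >&2
        return 1
    fi
    for port in $PORTS; do
        echo "$tool --wait -I INPUT -p tcp --dport $port -j REJECT"
    done
    for port in $PORTS; do
        for ip in $admins; do
            echo "$tool --wait -I INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done
}

# Execute the generated commands, or only print them when DRY_RUN is set.
apply_rules() {
    { gen_rules iptables $ADMIN_V4 && gen_rules ip6tables $ADMIN_V6; } |
    while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Number of rules that would be installed for both address families.
rule_count() { ( DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '; }

# As 50_local.sh this runs as root under the UCS firewall; elsewhere just show the rules.
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_rules
else
    DRY_RUN=1 apply_rules
fi
```

After a restart of the UCS firewall, `iptables -L INPUT -n --line-numbers` should show the ACCEPT rules for the admin addresses at the top, followed by the two REJECT rules.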
