
DGG for UBUNTU

PostPosted: Wed Apr 24, 2019 4:38 pm
by ruben23
Version: 2.14b0.5
SVN Version: 3067
DB Schema Version: 1564
DB Schema Update Date: 2019-03-01 18:32:30
Password Encryption:DISABLED - S1 - C1
Auto User-add Value: 101
Recording Prompt Count: 0
Install Date: 2019-03-01
Asterisk 1.8
Scratch install Ubuntu Server

Hi guys, has anyone had a chance to implement DGG on Ubuntu Server? Can you share the procedure? Thanks a lot.

Re: DGG for UBUNTU

PostPosted: Tue Apr 30, 2019 7:47 pm
by williamconley
DGG itself is *really* just two web pages that can update a /proc/ file specific to the "recent" module of iptables. There are tiny technical differences between the recent module implementation in CentOS, Debian/Ubuntu, and OpenSuSE. But I have no doubt that you could walk through the installation process and find/resolve the differences if you tried.

The KEY is that the 90-ipt_recent.conf file (so named in OpenSuSE, of course) needs to have the "options ipt_recent ip_list_perms=0777" entry so the "/proc/net/xt_recent/GOOD" (so named in OpenSuSE also) can be modified by apache. Then the IPtables entry refers to this device during any packet receipt and allows anyone with an entry to access the system and blocks those who do not.

The two files are:
* Special port (such as 81) Self-Login DGG page: this page should be the ONLY page available on a special port and have a UUID based filename in a "non-indexable" folder so it can't be found by accident. Thus getting to that page is impossible without 200 years or some luck OR a link. That page has a user/pass simple login that will add the user to the aforementioned GOOD device file, and then bounce the user to the "Re-login" page with credentials provided by the user entry in question.
* Standard port, but with a UUID based simple access method: This is a simple database table modifier that will dump/reload the GOOD file whenever a DB entry is modified or added/deleted.

So it's really just two web pages with permission to modify the GOOD device and a special apache configuration for one of them. And ONE more thing: The initial "whitelist lockdown" itself:

Code:
# Generated by iptables-save v1.4.8 on Tue Apr 30 20:41:02 2019
*raw
:PREROUTING ACCEPT [13540172:10962897694]
:OUTPUT ACCEPT [7810190:14903965912]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Tue Apr 30 20:41:02 2019
# Generated by iptables-save v1.4.8 on Tue Apr 30 20:41:02 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xx.xx.xx.xx/32 -j ACCEPT
-A INPUT -s yy.xx.zz.aa/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 81 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Apr 30 20:41:02 2019


Notes: The xx.xx and yy.xx IPs should be real and of course yours. The "eth0" should be replaced with the network device ID for your internal network. eth1 then is external. Port 81 in the example is for the special apache website for the DGG self-sign-in link. And it's likely your Ubuntu syntax will be different for some of this, especially the "-m recent" line.

Remember that permissions for the GOOD device file must be set to something the apache server can modify, the syntax for that is likely different for Ubuntu as well.

On a lighter note: We have functional Ubuntu 18.04.2 LTS installs that we'll be publishing shortly that will likely include an updated DGG specific to that distro.
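The mechanism William describes above (a web page writing "+addr" / "-addr" / "/" into the xt_recent list that the `-m recent --rcheck --name GOOD` rule consults, plus the module options that make the /proc file writable by the web server) as an added, runnable example. This is not code from the thread or from the DGG package: the `GOOD_LIST` variable and the `dgg_*` function names are this example's own, while the write syntax and the kernel parameters `ip_list_perms`, `ip_list_uid`, `ip_list_gid` and `ip_list_tot` are xt_recent's. It also covers the "clear" and "add" steps from the follow-up post below, and adds the two checks a practitioner wants in front of a kernel-writable file fed by a web form: strict IPv4 validation of the input, and ownership-based permissions instead of 0777.

```shell
#!/bin/sh
# Added example (not from the thread or the DGG package): helpers for the
# xt_recent "GOOD" whitelist on Debian/Ubuntu. The "+addr", "-addr" and "/"
# write syntax and the module parameters below are xt_recent's own; GOOD_LIST
# and the dgg_* names are assumptions made for this example.
#
# One-time setup as root. Ownership rather than the thread's 0777 means only
# the web server user (www-data, uid/gid 33 on Debian/Ubuntu) can edit the
# list; with 0777 any local account could whitelist any address. The options
# apply at module load, and /proc/net/xt_recent/GOOD only appears once a rule
# names the list. ip_list_tot defaults to 100 entries and the oldest entry is
# silently evicted when the table is full, so size it for your agent count.
#
#   echo 'options xt_recent ip_list_perms=0660 ip_list_uid=33 ip_list_gid=33 ip_list_tot=1000' \
#       > /etc/modprobe.d/xt_recent.conf
#   modprobe -r xt_recent && modprobe xt_recent   # only works before any rule uses it
#   iptables -A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
#   ls -l /proc/net/xt_recent/GOOD                 # expect www-data, mode 0660

GOOD_LIST="${GOOD_LIST:-/proc/net/xt_recent/GOOD}"   # override for testing

# Strict dotted-quad check. The login page passes user-controlled input to the
# kernel, so accept exactly four decimal octets in 0..255 and nothing else.
valid_ipv4() {
    _ip=$1
    case $_ip in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$_ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "${#_o}" -le 3 ] || return 1
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# "+addr" adds the address (or refreshes its last_seen if already present).
dgg_add() {
    valid_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    printf '+%s\n' "$1" > "$GOOD_LIST"
}

# "-addr" removes one address.
dgg_del() {
    valid_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 1; }
    printf -- '-%s\n' "$1" > "$GOOD_LIST"
}

# "/" flushes the whole list.
dgg_clear() {
    printf '/\n' > "$GOOD_LIST"
}

# The "dump/reload" step: flush, then re-add every address read from stdin
# (one per line, e.g. a SELECT from the DGG table). Bad rows are skipped,
# not fatal, so one corrupt record cannot leave the list half-loaded.
dgg_reload() {
    dgg_clear
    while IFS= read -r _a; do
        if [ -n "$_a" ]; then
            dgg_add "$_a" || echo "skipped: $_a" >&2
        fi
    done
}

# What the kernel currently holds. Each /proc line looks like
#   src=203.0.113.5 ttl: 64 last_seen: 4294688044 oldest_pkt: 1 4294688044
# and only the address is printed.
dgg_show() {
    sed -n 's/^src=\([0-9.]*\).*/\1/p' "$GOOD_LIST"
}
```

The self-login page would call `dgg_add` with the client's address after a successful user/pass check, and the table-modifier page would pipe the current address column into `dgg_reload`. Because the rule above uses `--rcheck` without `--seconds`, an entry stays valid until it is removed, flushed or evicted, so the reload path is the only thing keeping the kernel list and the database in sync.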

Re: DGG for UBUNTU

PostPosted: Tue May 14, 2019 9:29 pm
by ruben23
@William,

Can I ask for a complete guide for Ubuntu Server 12.04.5? I'd even pay if that's OK; I still have no success with the install process.

Re: DGG for UBUNTU

PostPosted: Tue May 14, 2019 9:44 pm
by williamconley
We don't have an "install document" for Ubuntu. We just do the installation manually. Since each client's server is different (no Vicibox for Ubuntu any more), we never know what we're going to encounter but we do know how to install DGG and turn on / modify iptables.

You could use the bash instructions that auto-download during the DGG install for Vicibox and just modify them for Ubuntu one line at a time, adjusting for your environment (essentially, that's what we do). The only major difference is that the "clear" and "add" commands change based on the iptables recent module's implementation. CentOS, Gentoo, Debian/Ubuntu, OpenSuSE each have their own idiosyncrasies, and each person installs their own complications and firewall that get in the way and need to be shut off.

We charge the same to do the install regardless of distro if you want us to do it as we are used to wading in and making it work. 8-)