Re: Syncing iptables rules between two servers

[Drew Leske <dleske () uvic ca>]

Hi Lars et al,

One thing that I would recommend if you go this way is to have these shared
rules separate and distinct from the rest of your firewall rules.  So if
something goes wrong with the transfer, hopefully the rest of your firewall
will come up fine.

So call them what you want, but on host A and host B have:

/etc/init.d/firewall.host{A,B}
/etc/init.d/firewall.common

firewall.hostA and B does the standard initialisation of firewall modules,
sets table policies and sets the basic rules.  They then set whatever rules
are appropriate to that host.

After this they call in the firewall.common file.  They then continue with
the rest of their stuff.

The firewall.common file isn't named well in this example.  It should NOT
contain all the common firewall definition: it should only contain the
automatically generated rules.  If for some reason the transfer gets
botched, the firewall should be complete except for the blocked IPs.

I'm making a few assumptions here.  First, I assume your policies are DROP
for anything not explicitly allowed (at least on the INPUT table, probably
on the FORWARD, maybe not on the OUTPUT table).  Second, the rest of your
iptables rules don't change (why would they).  Third, I forget what the rest
of my assumptions were.

Other people have said this but I would concur on use of 'rsync -ae ssh' to
keep them sync'd through ssh.  Another slightly more complicated option, but
more secure and kind of neat, is the following:

If you are concerned about opening up root access between the boxes you may
be interested in using the "command" field of the authorized_keys file in
OpenSSH (see 'man sshd').  You could use this to set up a key that on the
receiving host may only be used to run a single command: in this case, a
script that accepts the blocked IP's over STDIN, pipes them to the
firewall.common file, does some basic sanity testing and then restarts
iptables using the new definition.  Then you simply pipe the updated blocked
IPs to the ssh call:  cat blocked_ips | ssh hostB.  If it's properly set up
on hostB, this is basically all you need to do.

I like this way because then you don't have passwordless root access from
one host to another, except for this very limited context.


Hope that's of some use to you.
Drew.


Lars Solberg wrote:
> Hi
>
> Is there anyone that know about how I can "sync" iptables rules on two
> different servers? The plan is to have (on one of the servers) a
> script that automaticly block ip adresses with iptables depending on
> different conditions. When that ip adress is blocked I want it to
> automaticly be blocked on another server to.
>
> One idea is to change the script that is adding the block rule to
> iptables to make it soo it can send the rule to the other server, but
> this is not an option, the iptables rules must be synced after the
> iptables rule have been added.
> Another idea is to get the iptables to use an sql database of some
> sort to load the rules, but I dont know how, and this whould be
> somehow ruining the whole thing of having a firewall if you make it
> dependent an sql server (i think).. But afterall, if this is possible
> this is option.
>
> Any ideas?
> Hope someone can help out..
>
> Thanks
>   Lars

-- 
Drew Leske :: Systems Group/Unix, Computing Services, University of Victoria
  dleske () uvic ca / +1250 472 5055 (office) / +1250 588 4311 (cel)

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------