eSafe has iptables too
HISTORICAL NOTE: Aladdin was an Israeli company known for its eToken security tokens and for its mail filtering appliance, eSafe. In 2009 it was bought by SafeNet, primarily for the token/DRM line, and the eSafe appliance was soon discontinued. SafeNet was later in turn acquired by Gemalto. You can read about Aladdin at Aladdin Wiki.
Did you know that the eSafe software is based on Red Hat Enterprise Linux (RHEL)? Of course you did.
But what does that mean? It means that all (or almost all) of the tools, utilities and programming logic of Linux are at your fingertips.
Let's take, for example, the software eSafe starts at boot:
[root@esafe root]# chkconfig --list
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
micropre_ctl    0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
log2trap        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
webmin          0:off   1:off   2:on    3:on    4:off   5:on    6:off
esafe           0:off   1:off   2:off   3:on    4:on    5:on    6:off
Today I played with just one of them: iptables. First things first: eSafe is not a firewall. You don't usually hand over a bunch of paper (called money) to use eSafe for a function that any Pentium 4 PC can do for a fraction of the price. So it is not supported and not meant to be used as a mainstream feature. Nevertheless, it is there and may come in handy in some situations.
In the output of chkconfig --list above, iptables is started in the same runlevels as esafe (3, 4 and 5), so whenever eSafe is up, iptables is up as well. The default ruleset is empty, with the policy set to ACCEPT on all three chains, i.e. allow anything from anywhere:
[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
A few observations:
- To block incoming connections destined for the eSafe box itself you use the INPUT chain. The FORWARD chain has no meaning for traffic passing through a bridged eSafe Gateway (in routing Gateway mode it would be applicable, I guess).
- I tried a few basic rules on an eSafe Hellgate 200 while High-Debug mode was turned on; even with the machine loaded by debug mode, iptables filtering did not add any visible overhead.
In most deployment scenarios eSafe sits between the internal interface of the firewall and the LAN. That means it is protected quite well from the outside, whereas from the LAN it is wide open to any trouble that comes along. eSafe does have its own means of limiting access to certain IPs:
To limit access to eConsole: in eConsole go to Options -> Access and Permissions, configure the user (by default admin will be there) and the IP from which this user will be granted access.
To limit access to the WebGUI (HTTPS): in the WebGUI go to Settings -> Access Control and put the IP to allow into "eSafe Appliance accepts connections from:".
To limit access by SSH use Linux means (there are a few ways; I show just one of them):
vi /etc/ssh/sshd_config
add the following line at the end to limit ssh access to 10.99.99.150 only:
AllowUsers *@10.99.99.150
Or, using wildcards, to the whole 10.x.x.x network only:
AllowUsers *@10.*.*.*
then restart sshd (service sshd restart) for the change to take effect; sessions that are already open are not affected.
All of the above is correct and fine, BUT what if you need to limit access temporarily rather than permanently? All the above are permanent changes that survive a reboot, and if you make a mistake you grant someone a visit to the appliance for a console connection. With iptables, on the other hand, you get the same access control, and should something go wrong a reboot returns everything to normal (so does service iptables restart, which flushes the running rules and reloads the saved ruleset from /etc/sysconfig/iptables). This holds as long as you never run service iptables save while the temporary rules are in place.
So, let's go:
- I don't like it when, while debugging some complicated issue, I log off from eConsole and can't get back in because someone on the LAN has already logged in:
1) Grant your IP access to eConsole:
[root@esafe root]# iptables -I INPUT -p tcp -s 10.99.99.150 --dport 43969:43982 -j ACCEPT
2) Deny anyone else (inserted at position 2, i.e. right after the ACCEPT, so your rule is evaluated first):
[root@esafe root]# iptables -I INPUT 2 -p tcp --dport 43969:43982 -j DROP
- SSH in general isn't something a client should have access to:
1) First allow yourself access:
[root@esafe root]# iptables -I INPUT -p tcp --dport 22 -s 10.99.99.150 -j ACCEPT
2) Then deny anyone else (note that the DROP matches every packet to port 22, not only new connections, so SSH sessions other hosts already have open will stall):
[root@esafe root]# iptables -I INPUT 2 -p tcp --dport 22 -j DROP
3) Optionally restart the ssh daemon (not needed for the iptables rules, which take effect immediately; it does not disconnect your current session):
[root@esafe root]# service sshd restart
[root@esafe root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.99.99.150         anywhere           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere           tcp dpt:ssh
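The eConsole and SSH steps above are the same procedure applied to two port ranges, so here is the whole thing as one script, with the checks I would want before walking away from the box: the rule pair is inserted so that the ACCEPT is guaranteed to land above the DROP whatever is already in the chain, the resulting listing is verified, and the rollback is scheduled through atd (enabled at boot, per the chkconfig output above). This is an added example, not code from the original post or from Aladdin; it assumes the admin host 10.99.99.150, eConsole on TCP 43969-43982, SSH on 22, and the RHEL 3 style service iptables init script and at(1).

```shell
#!/bin/sh
# Temporary, admin-only access to the eSafe management ports with iptables.
# Added example, not from the original post. Assumptions: the admin host is
# 10.99.99.150, eConsole listens on TCP 43969-43982, SSH on 22, and the box has
# the RHEL 3 style "service iptables" init script and atd.
ADMIN_IP="${ADMIN_IP:-10.99.99.150}"
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to dry-run and just print the rules

# Insert an ACCEPT-for-admin / DROP-for-everyone pair for each tcp port spec.
# DROP goes in at position 1 first, then ACCEPT at position 1 on top of it, so
# the ACCEPT always precedes the DROP no matter what the chain already holds.
lockdown() {
    admin="$1"; shift
    for ports in "$@"; do
        $IPT -I INPUT 1 -p tcp --dport "$ports" -j DROP
        $IPT -I INPUT 1 -p tcp -s "$admin" --dport "$ports" -j ACCEPT
    done
}

# Check the text of `iptables -L INPUT -n --line-numbers` for one port spec:
# returns 0 only if an ACCEPT from the admin host sits above a DROP for that
# port. Field layout of the -n listing:
#   num target prot opt source destination tcp dpt:PORT   (dpts:A:B for a range)
verify_order() {
    admin="$1"; ports="$2"; listing="$3"
    printf '%s\n' "$listing" | awk -v admin="$admin" -v ports="$ports" '
        $NF == ("dpt:" ports) || $NF == ("dpts:" ports) {
            if ($2 == "ACCEPT" && $5 == admin && acc == 0) acc = NR
            if ($2 == "DROP" && drop == 0) drop = NR
        }
        END { exit ((acc > 0 && drop > 0 && acc < drop) ? 0 : 1) }'
}

# Undo everything without a reboot: "restart" flushes the running rules and
# reloads /etc/sysconfig/iptables, which stays untouched unless someone runs
# "service iptables save" while the temporary rules are in.
rollback() {
    /sbin/service iptables restart
}

# Schedule the rollback through atd, e.g. schedule_rollback "2 hours", so the
# lockdown expires even if you forget about it.
schedule_rollback() {
    echo "/sbin/service iptables restart" | at now + $1
}

# Run as root:  sh lockdown.sh apply      (dry run:  IPT=echo sh lockdown.sh apply)
if [ "${1:-}" = "apply" ]; then
    lockdown "$ADMIN_IP" 22 43969:43982
    $IPT -L INPUT -n --line-numbers
    schedule_rollback "2 hours"
fi
```

The -n flag on the listing matters on an appliance like this one: without it iptables resolves every address and service name, so the listing may hang for a while if DNS is not reachable from the box, and ports show up as names (dpt:ssh) rather than numbers.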
Those addicted to iptables know that some of the spicy features come as modules and kernel options set at compile time. To give you a taste of what is included in the eSafe kernel (a RHEL 3 kernel, 2.4.21-47.ELsmp), the listing of netfilter modules follows. Worth noticing: stateful matching (ip_conntrack, ipt_state) and the conntrack helpers, ipt_recent and ipt_limit for rate limiting, ipt_LOG/ipt_ULOG, ipt_REJECT, the NAT table, the legacy ipchains/ipfwadm compatibility modules, and an ip6_tables set as well:
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arp_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arpt_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/arptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_conntrack_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_amanda.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_irc.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_snmp_basic.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_nat_tftp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_queue.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipchains.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipfwadm.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_DSCP.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ECN.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_MIRROR.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REDIRECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_REJECT.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TCPMSS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_TOS.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ULOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_conntrack.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_dscp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ecn.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_helper.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_pkttype.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_recent.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_state.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tcpmss.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_tos.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_ttl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/ipt_unclean.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv4/netfilter/iptable_nat.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ah6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/esp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ip6_tunnel.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipcomp6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/ipv6.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6_tables.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_LOG.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_MARK.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ah.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_dst.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_esp.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_eui64.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_frag.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hbh.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_hl.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_ipv6header.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_length.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_limit.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mac.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_mark.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_multiport.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_owner.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6t_rt.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_filter.o
/lib/modules/2.4.21-47.ELsmp/kernel/net/ipv6/netfilter/ip6table_mangle.o