Creating user based firewalls on inbound pptp connections

There are certain security situations where you want to be able to allow a remote user to connect to your network using pptp, but you want to lock down what devices on the network they have access to.

Usually with the linux pptp system, once the user is connected, assuming ip forwarding is running on the host that is the pptp end point, they have access to anything on the local subnet.

What I've done to allow some control over this situation is create some custom scripts to go in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d

For the "up" version I have:

#!/bin/sh

PPP_USER=`/usr/bin/w | /bin/grep "$PPP_IFACE" | sed "s/ .*//"`

if [ -x "/etc/ppp/userfw/$PPP_USER" ]; then
 "/etc/ppp/userfw/$PPP_USER"
fi

exit 0

and for the down version I have

#!/bin/sh

PPP_RULE=`/sbin/iptables -L FORWARD -n -v --line-numbers | /bin/grep "$PPP_IFACE" | /usr/bin/head -1 | /bin/sed "s/ .*//"`
while [ "$PPP_RULE" != "" ]
do
       /sbin/iptables -D FORWARD "$PPP_RULE"
       PPP_RULE=`/sbin/iptables -L FORWARD -n -v --line-numbers | /bin/grep "$PPP_IFACE" | /usr/bin/head -1 | /bin/sed "s/ .*//"`
done

PPP_RULE=`/sbin/iptables -L INPUT -n -v --line-numbers | /bin/grep "$PPP_IFACE" | /usr/bin/head -1 | /bin/sed "s/ .*//"`
while [ "$PPP_RULE" != "" ]
do
       /sbin/iptables -D INPUT "$PPP_RULE"
       PPP_RULE=`/sbin/iptables -L INPUT -n -v --line-numbers | /bin/grep "$PPP_IFACE" | /usr/bin/head -1 | /bin/sed "s/ .*//"`
done

exit 0

Then create a directory /etc/ppp/userfw and put in there per user scripts

e.g.

#!/bin/sh
/sbin/iptables -A FORWARD -i "$PPP_IFACE" -j ACCEPT
/sbin/iptables -A INPUT -i "$PPP_IFACE" -j ACCEPT

(yes - that's a silly example as it just gives complete access - which they had anyway)

With this lot, you have a simple method to lock certain users down to only be able to access certain things on your network - within the flexibility of the iptables system. The important thing to do is to make sure that your user based rules all reference the interface with $PPP_IFACE so that they are attached to the right connection and they're deleted again with the down script when the interface is removed.

Bluetooth pairing on the command line

I use a debian linux box with the Gnokii SMS daemon to do computer based texting. Now normally on a server I wouldn't want to go to the bother of installing Gnome - after all, you don't sit at the server console. But, that can be an issue for doing the bluetooth pairing needed before you can use the phone with gnokii.

The answer is in /usr/share/doc/bluez-utils/examples. There's some C code in there called passkey-agent.c

Make sure you have build-essential and pkg-config and libdbus-1-dev installed then you can build it.

Then, in one terminal window run "passkey-agent 1234" and in another do "rfcomm connect rfcomm1 xx:xx:xx:xx:xx:xx" to connect to your device. The pairing will then be on the key 1234.

A useful trick to avoid installing a huge amount of stuff just to do a one off job.

Update:
Debian squeeze ships with a command "bluetooth-agent" which replaces the passkey-agent and is already complied, so you just need to do "bluetooth-agent 1234" in one terminal to set up the passkey.