Blog

2009/05/31

Timed firewall

Some applications need special ports. When those ports are closed by the firewall, you as the administrator have a problem. You have 4 options:

  1. Refuse to open the ports.
  2. Open the ports in the firewall for the whole sub-net.
  3. Open the ports in the firewall for the computer on which the application runs.
  4. Open the ports in the firewall for the computer on which the application runs a few hours a day.

The first option is the easiest one (to implement). The second option is too global. The third option is the good one (in my opinion).

But what about option 4? I think it is the very best: the application can be used and the firewall is not open 24/7. You do not risk that something else uses those ports to sneak something out while the computer stays connected for a long period of time.

How did I manage this? First of all I created a chain in the firewall. I also created a rule that 'jumps' to this chain for 1 particular computer.

iptables -N TimedAccess
iptables -A FORWARD -p all -s 192.168.20.20 -o WAN -j TimedAccess

Now all you need to do is create a script that opens the ports in the chain TimedAccess:

iptables -A TimedAccess -p tcp --dport 6666 -j ACCEPT
iptables -A TimedAccess -p tcp --dport 7777 -j ACCEPT

Put this script in cron to run at the time that you want to open the ports. When you want to shut them again, put the following in cron at the right time too:

iptables --flush TimedAccess

You can always check the content of the chain with:

iptables -L TimedAccess -n
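The whole procedure above (create the chain, jump to it, open, close, check) collected into one script, as an added example that is not part of the original post. The host address, interface name, chain name and ports are the ones used in the post; the script path and the crontab times are constructed for illustration, and the IPTABLES variable exists only so the script can be dry-run against a stub instead of the real binary. The one thing it adds to the post's commands is an existence check (iptables -C) before every append, so that a cron job that fires twice, or a reboot script that re-runs setup, does not stack duplicate rules in the chain.

```shell
#!/bin/sh
# timed-access: open and close a per-host chain on a schedule.
# Added example, not the original post's script. Defaults below are the
# values from the post; override them via the environment if needed.
IPTABLES="${IPTABLES:-iptables}"      # set to a stub function for dry runs
CHAIN="${CHAIN:-TimedAccess}"
HOST="${HOST:-192.168.20.20}"
OUT_IF="${OUT_IF:-WAN}"
PORTS="${PORTS:-6666 7777}"

# Append a rule only when an identical one is not already present.
# "iptables -C" exits 0 if the rule exists, non-zero otherwise, so repeated
# runs of "open" (overlapping cron jobs, manual re-runs) stay idempotent.
ensure_rule() {
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

# One-time setup: create the chain and the jump from FORWARD for this host.
setup() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true   # already exists is fine
    ensure_rule FORWARD -p all -s "$HOST" -o "$OUT_IF" -j "$CHAIN"
}

# Open: one ACCEPT per TCP port inside the chain.
open_ports() {
    for port in $PORTS; do
        ensure_rule "$CHAIN" -p tcp --dport "$port" -j ACCEPT
    done
}

# Close: flush the chain; the FORWARD jump then matches nothing and
# evaluation continues with the rules after it.
close_ports() {
    "$IPTABLES" -F "$CHAIN"
}

# Check: list the chain numerically, with packet/byte counters.
show() {
    "$IPTABLES" -L "$CHAIN" -n -v
}

main() {
    case "$1" in
        setup) setup ;;
        open)  open_ports ;;
        close) close_ports ;;
        show)  show ;;
        *) echo "usage: $0 {setup|open|close|show}" >&2; exit 2 ;;
    esac
}

# Constructed crontab entries (path and hours are assumptions):
#   0 8  * * * /usr/local/sbin/timed-access open
#   0 18 * * * /usr/local/sbin/timed-access close
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run "setup" once from the firewall's boot-time rules, and schedule "open" and "close" from cron. Note that flushing the chain also ends any connection still using those ports at that moment, unless a separate rule elsewhere in FORWARD accepts established traffic; that is the intended effect of option 4, but it is worth knowing when choosing the closing time.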