Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    MYSTIC    |    Mystic support echo    |    16,010 messages    |
|    Message 15,790 of 16,010    |
|    Scott Street to All    |
|    Linux, MIS, and Automatic IP Blocking (A    |
|    01 Jul 24 10:51:13    |
   
   TID: Mystic BBS 1.12 A48   
   MSGID: 1:266/625 78a8d8fb   
   TZUTC: -0400   
   Hello fellow Mystic Sysops,   
      
   I'm a recent convert. I've been running Mystic for about a month now and   
   finally connected to Fidonet (again). What sold me on Mystic was the server   
   control and the automatic IP blocking; in the last few weeks of having telnet   
   and ssh ports available to the world, my deny list has reached nearly 1700   
   entries. I'm sure your systems are even greater.   
      
   However, 'iptables' requires root privileges, and I didn't want to create a   
   security issue (perceived or actual) by marking iptables as SUID or creating a   
   SUID script that the mystic account could run. So I came up with this   
   solution.   
      
   -- MIS Event --   
   Type : IP Blocked   
   Shell: /home/mystic/mystic/mystic-firewall-add.sh @IP@   
   (and so on)   
      
      
   -/home/mystic/mystic/mystic-firewall-add.sh-   
   #!/bin/bash   
   # Called by MIS as the "IP Blocked" event with the offending address in $1.   
   # Runs as the unprivileged mystic account; it only appends to the queue file.   
   logger "Mystic Firewall: queueing ${1}"   
   echo "$1" >> /home/mystic/mystic/semaphore/iptables.add   
   -eof-   
      
      
   Now, to make the root privileges work, I added a cron job that runs every 5   
   minutes, collects the new addresses queued in iptables.add, and runs   
   iptables to actually block them.   
   -cron entry-   
   # Mystic Firewall IP Blocker   
   */5 * * * * /root/jobs/checkMysticFW.sh >/dev/null   
   -eof-   
      
   -/root/jobs/checkMysticFW.sh-   
   #!/bin/bash   
   # Runs from root's crontab every 5 minutes: drains the queue written by the   
   # mystic account and turns each entry into an INPUT DROP rule.   
   QUEUE=/home/mystic/mystic/semaphore/iptables.add   
   if [ -f "$QUEUE" ]; then   
    IPS=$(cat "$QUEUE")   
    rm "$QUEUE"   
      
    for IP in $IPS   
    do   
     logger "Firewall update: Adding $IP to INPUT DROP"   
     # -j names the target; without it iptables rejects the rule   
     /usr/sbin/iptables -A INPUT -s "$IP" -j DROP   
    done   
      
    # persist the updated ruleset so it survives a reboot   
    /usr/sbin/netfilter-persistent save   
    RS=$?   
    if [ $RS -eq 0 ]; then   
     logger "Firewall Rules saved"   
    else   
     logger "**WARNING** Firewall Rules failed to save - Res: $RS"   
    fi   
   fi   
   -eof-   
      
   So, the basic flow of this process:   
   1) MIS decides to block a given IP because it violates the connection attempt   
   rules set in the individual server configuration table.   
   2) MIS executes the "IP Blocked" event, which adds the IP to the list.   
   3) Every 5 mins, the cron job runs and adds all the queued IPs to the iptables   
   input filter, and after the new list of IPs has been added, makes them   
   persistent across restarts with netfilter-persistent.   
      
   You can track the activity of this process using your system log; journalctl   
   for me, as I'm on Debian 12 (bookworm).   
      
   I hope you find this useful, especially those of you running some flavor of   
   Linux. Also: some filenames and directories have been changed from my actual   
   ones to simplify this message.   
      
   Scott Street (1:266/625@fidonet)   
   Netmail private questions are welcome, and of course Echomail replies as well.   
      
   --- Mystic BBS v1.12 A48 (Linux/64)   
    * Origin: <=-{ The Digital Post }-=> (1:266/625)   
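The root-side cron script in the post passes every line of a file written by the unprivileged mystic account straight to iptables, so anything able to write that queue can hand arbitrary arguments to a root command, and an address that is queued again gets a duplicate rule each time. The following is an added example, not Scott's script or Mystic's own code, of a hardened drain step that accepts only bare IPv4 addresses, uses iptables -C to skip rules already present, and renames the queue before reading it; it assumes the queue path from the post, and IPTABLES is an assumed override so the script can be dry-run against a stub.

```bash
#!/bin/sh
# Added example, not the post's script: a hardened root-side consumer.
# Assumes the same queue path as the post; IPTABLES may be overridden
# (e.g. with a stub) for a dry run.
QUEUE="${QUEUE:-/home/mystic/mystic/semaphore/iptables.add}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

log() { logger -t mystic-fw "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# Accept only a bare dotted-quad IPv4 address (four octets, each 0..255).
# Runs in a subshell so the IFS change and "set --" do not leak.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Drain the queue: rename it first so MIS keeps appending to a fresh file,
# then add one DROP rule per valid address that is not already blocked.
# Prints each newly blocked address; returns the number of rejected lines.
drain_queue() {
    queue="${1:-$QUEUE}"; work="$queue.$$"; rejected=0
    [ -f "$queue" ] || return 0
    mv "$queue" "$work" || return 1
    while IFS= read -r ip || [ -n "$ip" ]; do
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')   # tolerate CRLF / stray blanks
        [ -z "$ip" ] && continue
        if ! is_ipv4 "$ip"; then
            log "rejected queue entry: $(printf '%.64s' "$ip")"
            rejected=$((rejected + 1))
            continue
        fi
        # -C tests for an identical rule, so a re-queued address is not added twice
        if ! "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            "$IPTABLES" -A INPUT -s "$ip" -j DROP && echo "$ip"
        fi
    done < "$work"
    rm -f "$work"
    return "$rejected"
}
```

The netfilter-persistent save step from the post can follow the drain call unchanged.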
      
(c) 1994, bbs@darkrealms.ca