ipset

ipsets are a powerful way of building a dynamic firewall on an ordinary Linux machine. A feature of the netfilter code, an ipset is an in-memory list of IPs that can be referenced from any firewall rule.

Knocknoc can add IPs to and remove them from an ipset, so dynamic allow-listing can be applied to any Linux box.

Sudoers first

To create a custom sudoers file in the /etc/sudoers.d/ directory for the user knocknoc-agent, allowing it to run the command /usr/sbin/ipset with any arguments, follow these steps:

  1. Create a New File in /etc/sudoers.d/:

    • Choose a meaningful name for the file, such as knocknoc-agent.
    • The command would be sudo visudo -f /etc/sudoers.d/knocknoc-agent.
    • This opens a new file in the sudoers.d directory for editing with proper syntax checking.
  2. Add the Necessary Rule:

    • In the editor that opens, add the following line:
      knocknoc-agent ALL=(ALL) NOPASSWD: /usr/sbin/ipset *
    • This line lets knocknoc-agent run /usr/sbin/ipset with any arguments, without a password, as described above.
  3. Save and Exit:

    • Save the file and exit the editor. visudo will automatically check the syntax.
  4. Set Correct Permissions:

    • Ensure that the file has the correct permissions. It should be readable by root only and should not be writable by any other user.
    • You can set the appropriate permissions using: sudo chmod 0440 /etc/sudoers.d/knocknoc-agent.
  5. Verify the Configuration:

    • To check if your configuration works, switch to the knocknoc-agent user (if possible) and try executing the ipset command with sudo without a password.

Important Notes:

  • Always use visudo to edit sudoers files to prevent syntax errors.
  • Ensure that the files in /etc/sudoers.d/ have strict permissions (like 0440) to maintain security.
  • Be cautious with NOPASSWD:, as it allows the specified command to be executed without a password, which can be a security risk if not properly managed.
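The steps above, carried out and then audited, as an added example that is not Knocknoc's own code. It assumes the user name knocknoc-agent, the /usr/sbin/ipset path and the rule from this page; the demo writes into a temporary directory owned by the current user, whereas the real target is /etc/sudoers.d/ with files owned by root (uid 0).

```python
# Added example (not Knocknoc's own code): write and audit the sudoers drop-in
# described above. Assumes the user, path and rule from the page.
import os, re, shutil, stat, subprocess, tempfile

USER, COMMAND = "knocknoc-agent", "/usr/sbin/ipset"
# '*' matches any argument list: every ipset subcommand (add, del, flush,
# destroy, ...) runs without a password. That is exactly what the page grants.
RULE = f"{USER} ALL=(ALL) NOPASSWD: {COMMAND} *"

def write_dropin(directory, name, rule, mode=0o440):
    """Write one drop-in file with the given mode and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(rule.rstrip("\n") + "\n")
    os.chmod(path, mode)
    return path

def audit_dropin(path, expect_uid=0, rule=RULE):
    """Return a list of problems with a drop-in; an empty list means it is fine."""
    problems, st = [], os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        problems.append(f"mode is {mode:04o}, expected 0440")
    if st.st_uid != expect_uid:
        problems.append(f"owner is uid {st.st_uid}, expected uid {expect_uid}")
    base = os.path.basename(path)
    if "." in base or base.endswith("~"):  # sudo silently skips such names
        problems.append(f"name {base!r} is skipped by sudo ('.' or trailing '~')")
    with open(path) as f:
        lines = [l.strip() for l in f if l.strip() and not l.lstrip().startswith("#")]
    if rule not in lines:
        problems.append(f"expected rule not found: {rule}")
    for line in lines:
        if re.search(r"NOPASSWD:\s*ALL\b", line):  # far broader than one binary
            problems.append(f"grants ALL commands without a password: {line}")
    return problems

def visudo_ok(path):
    """Syntax-check with 'visudo -cf'; returns None when visudo is not installed."""
    if shutil.which("visudo") is None:
        return None
    return subprocess.run(["visudo", "-cf", path], capture_output=True).returncode == 0

def demo():
    """Audit a correct drop-in and a deliberately broken one in a temp directory."""
    d, me = tempfile.mkdtemp(), os.getuid()  # real target: /etc/sudoers.d, uid 0
    good = write_dropin(d, USER, RULE)
    bad = write_dropin(d, USER + ".bak", f"{USER} ALL=(ALL) NOPASSWD: ALL", 0o644)
    return audit_dropin(good, me), audit_dropin(bad, me)
```

sudo ignores drop-in files whose names contain a dot or end in '~', so a file saved as knocknoc-agent.conf is silently skipped; the audit flags that case alongside the mode, owner and rule checks.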