Skip to main content

ipset

ipsets are a powerful way of making a dynamic firewall on a normal Linux machine. A feature of the netfilter code, an ipset is an in-memory list of IPs, that can be referenced in any fireawall rules.

Knocknoc can add and remove IPs from an ipset, thereby allowing an arbitrary application of dynamic allow-listing to any linux box.

IPsets need to exist before you can update them, so the overall process is:

  1. Create an ipset by name and type using the ipset utility
  2. Use a systemd or similar script to ensure the ipset is created on startup, or at least on firewall start
  3. Integrate the IPset into your firewall software scripting, example for UFW is here, and Shorewall is here.

 

Sudoers first

To create a custom sudoers file in the /etc/sudoers.d/ directory for the user knocknoc-agent, allowing them to run the command /usr/sbin/ipset with any arguments, follow these steps:

  1. Create a New File in /etc/sudoers.d/:

    • Choose a meaningful name for the file, such as knocknoc-agent.
    • The command would be sudo visudo -f /etc/sudoers.d/knocknoc-agent.
    • This opens a new file in the sudoers.d directory for editing with proper syntax checking.
  2. Add the Necessary Rule:

    • In the editor that opens, add the following line:
      knocknoc-agent ALL=(ALL) NOPASSWD: /usr/sbin/ipset *
    • This line follows the same syntax and meaning as described previously.
  3. Save and Exit:

    • Save the file and exit the editor. visudo will automatically check the syntax.
  4. Set Correct Permissions:

    • Ensure that the file has the correct permissions. It should be readable by root only and should not be writable by any other user.
    • You can set the appropriate permissions using: sudo chmod 0440 /etc/sudoers.d/knocknoc-agent.
  5. Verify the Configuration:

    • To check if your configuration works, switch to the knocknoc-agent user (if possible) and try executing the ipset command with sudo without a password.

Important Notes:

  • Always use visudo to edit sudoers files to prevent syntax errors.
  • Ensure that the files in /etc/sudoers.d/ have strict permissions (like 0440) to maintain security.
  • Be cautious with NOPASSWD: as it allows executing the specified command without a password, which can be a security risk if not properly managed.