authorJérôme Schneider <jschneider@entrouvert.com>2013-07-23 08:27:01 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2013-07-23 08:27:01 (GMT)
commitbb7b95c78d45a7a1531540aaa043d9a0134a7cb7 (patch)
tree95ee18dd1dd6fb66813aa6eedddb69dfa31ac9dd
parent2d303501062fb51472a3e19ba0de32d640d2ca56 (diff)
downloadeofirewall-bb7b95c78d45a7a1531540aaa043d9a0134a7cb7.zip
eofirewall-bb7b95c78d45a7a1531540aaa043d9a0134a7cb7.tar.gz
eofirewall-bb7b95c78d45a7a1531540aaa043d9a0134a7cb7.tar.bz2
firewall: improve whitelist support and port knocking support
-rw-r--r--debian/changelog7
-rwxr-xr-xfirewall17
-rw-r--r--firewall.conf15
3 files changed, 29 insertions, 10 deletions
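--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+eofirewall (0.1+git20130723-1) wheezy; urgency=low
+
+ * Add new whitelist management
+ * Improve portknocking management
+
+ -- Jérôme Schneider <jschneider@entrouvert.com> Tue, 23 Jul 2013 10:07:19 +0200
+
 eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
 * Use lsb init messages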
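--- a/firewall
+++ b/firewall
@@ -138,7 +138,7 @@ port_knocking()
 return
 fi
- local port=$1
+ local ports=$1
 local knock_ports=$2
 local knock_number=$3
 local i=0
@@ -155,8 +155,10 @@ port_knocking()
 iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
 fi
 done
- log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+ log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
+ for port in $(echo $ports | sed 's/,/ /g'); do
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+ done
 }
 start()
@@ -257,11 +259,18 @@ start()
 port_redirection $args
 done
- ## Whitelist
+ ## Old: Whitelist
 for arg in "${WHITELIST_SSH[@]}"; do
+ log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
 open_port $arg tcp ssh
 done
+ for ip in "${WHITELIST[@]}"; do
+ for args in "${WHITELIST_OPEN_PORTS[@]}"; do
+ open_port $ip $args
+ done
+ done
+
 ## NAT
 if [ $NAT == 1 ]; then
 log_action_msg "Activate nat"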
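Review bot: In the start() hunk the new WHITELIST loop passes `$args` straight through as `open_port $ip $args`, so the conf example `"tcp ssh,8006"` hands open_port the port field `ssh,8006`, while this commit only taught port_knocking to split comma-separated port lists. open_port's body is outside the hunk; if it still builds a single `--dport $3` the way port_knocking did before this change, iptables rejects that argument and the whitelist entry is never opened, which is easy to miss in a firewall script. Splitting in the loop the way port_knocking now does keeps open_port unchanged (sketch below); alternatively document that each WHITELIST_OPEN_PORTS entry takes exactly one port. The `log_warning_msg "WHITELIST_SSH is obsolete..."` call sits inside the legacy loop and repeats once per entry; a single call before the loop guarded by `if (( ${#WHITELIST_SSH[@]} > 0 )); then` is quieter. start() continues outside the hunk.
```shell
for ip in "${WHITELIST[@]}"; do
  for args in "${WHITELIST_OPEN_PORTS[@]}"; do
    proto=${args%% *}
    ports=${args#* }
    # entry is "proto port[,port]"; hand open_port one port at a time, as port_knocking does
    for port in ${ports//,/ }; do
      open_port "$ip" "$proto" "$port"
    done
  done
done
# … unchanged: NAT block …
```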
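--- a/firewall.conf
+++ b/firewall.conf
@@ -25,8 +25,8 @@ ALLOW_INTS=''
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
 ## Port knocking (tcp only)
-# "port knock_ports_combinaison"
-# example : PORT_KNOCK("22 121,4353,4242,111")
+# "port[,port] knock_ports_combinaison"
+# example : PORT_KNOCK("22,4242 121,4353,4242,111")
 PORT_KNOCK=()
 ## Port forwarding
@@ -39,12 +39,15 @@ TRAFFICS=()
 # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
 REDIRECTIONS=()
-## Whitelist ssh
+## Whitelist
 # example with an external file
 # source /etc/firewall/whitelist_ssh
-# WHITELIST_SSH=(${WHITELIST_SSH[@]})
-# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
-#WHITELIST_SSH=()
+# WHITELIST=(${WHITELIST[@])
+# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
+#WHITELIST=()
+
+## Whitelist port and protocol
+# exmaple : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
 # Hook point to write your own iptables rules
 ipt_hook()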
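Review bot: The new example line `# WHITELIST=(${WHITELIST[@])` is missing the closing `]` that the line it replaces, `(${WHITELIST_SSH[@]})`, had; anyone who uncomments it as written gets a "bad substitution" error when the firewall script sources this file. It should read `# WHITELIST=("${WHITELIST[@]}")`, with the quotes so entries are kept intact. Two smaller points in the same hunk: `# exmaple :` on the WHITELIST_OPEN_PORTS line is a typo for `example`, and the example `source /etc/firewall/whitelist_ssh` still carries the old ssh-specific file name, which reads oddly now that the variable is a general WHITELIST — if the file is meant to be renamed as well, update the example. The `"tcp ssh,8006"` example also documents a comma-separated port list for WHITELIST_OPEN_PORTS; confirm open_port (not part of this diff) accepts that form, since only port_knocking was changed to split on commas here.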