From 0440531e2fda302111ca9b1f7c028bc0cf4bfa8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?= Date: Tue, 21 Jun 2011 17:54:06 +0200 Subject: [PATCH] Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall --- Makefile | 6 +++--- firewall | 15 ++++++++++----- firewall.conf | 4 ++++ 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 3f38207..be10f99 100644 --- a/Makefile +++ b/Makefile @@ -6,14 +6,14 @@ ## NAME = firewall -RM = rm -rf DESTDIR= all: install: - install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/ - install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/ + install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d + install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall + install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d diff --git a/firewall b/firewall index 092e43b..0935e63 100755 --- a/firewall +++ b/firewall @@ -21,10 +21,10 @@ abort() exit 1 } -if [ -f "/etc/firewall.conf" ]; then - source /etc/firewall.conf +if [ -f "/etc/firewall/firewall.conf" ]; then + source /etc/firewall/firewall.conf else - abort "No configuration file /etc/firewall.conf" + abort "No configuration file /etc/firewall/firewall.conf" fi clean() @@ -41,7 +41,7 @@ clean() test_config() { if [ ! "$WAN_INT" -o ! "$IP" ]; then - echo "Bad configuration please check your /etc/firewall.conf" + echo "Bad configuration please check your /etc/firewall/firewall.conf" exit 1 fi } 
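Review bot: The new `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` line copies the shipped config over an existing `/etc/firewall/firewall.conf` on every `make install`, so a reinstall silently discards a locally maintained WHITELIST_SSH and every other setting that now lives in that file. Keep an existing file instead of replacing it, e.g. `test -e $(DESTDIR)/etc/firewall/$(NAME).conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`. The rsyslog.conf line in the context has the same shape, but it is not part of this change.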
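Review bot: The config is still sourced as root after nothing more than an `-f` test, so the security of the whole script rests on nobody but root being able to write `/etc/firewall/firewall.conf`; the Makefile installs it 0640 root:root, but the script never verifies that, and the same literal path is now repeated in this hunk and in test_config at the second firewall hunk. Bind the path once and check owner and mode before sourcing, e.g. `conf=/etc/firewall/firewall.conf` followed by `if [ ! -f "$conf" ] || [ "$(stat -c '%U:%a' "$conf")" != root:640 ]; then abort "Refusing to source $conf: expected root:640"; fi` and then `source "$conf"`, loosening the mode test if admins are expected to use 600. The message in test_config can then print `$conf` rather than the literal path, so the two cannot drift apart again.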
@@ -141,7 +141,7 @@ port_knocking() iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i fi done - iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT + iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT } start() @@ -260,6 +260,11 @@ start() port_redirection $args done + ## Whitelist + for arg in "${WHITELIST_SSH[@]}"; do + open_port $arg tcp ssh + done + ## NAT if [ $NAT == 1 ]; then echo "+ Activate nat" diff --git a/firewall.conf b/firewall.conf index 88b8ec7..7f16f34 100644 --- a/firewall.conf +++ b/firewall.conf @@ -39,6 +39,10 @@ TRAFFICS=() # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242") REDIRECTIONS=() +## Whitelist ssh +# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24") +#WHITELIST_SSH=() + # Hook point to write your own iptables rules ipt_hook() {
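Review bot: The knock window on the `--rcheck` rule goes from 6 to 15 seconds as a bare literal, while the rest of this commit is about moving tunables into firewall.conf; how long a source address that completed the knock sequence stays able to open `$port` is exactly the value an admin will want to adjust for link latency. Read it from the config with the new value as default, `--seconds "${KNOCK_TIMEOUT:-15}"`, and document it in firewall.conf next to the other settings as `# seconds between the last knock and the SSH connection; longer is easier on slow links but keeps the port open longer for that source address`. `$WAN_INT` and `$port` on the same line are unquoted and would be better as `"$WAN_INT"` and `"$port"`. The rest of port_knocking's body lies outside the hunk.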
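Review bot: The new whitelist loop hands each `WHITELIST_SSH` entry to `open_port $arg tcp ssh` without checking that it looks like an address or network, so a stray word in the config presumably ends up in an iptables argument and, with no `set -e` visible in this script, the failure would be logged and start() would carry on with a partially applied rule set. Validate as the first line of the loop body, e.g. `[[ $arg =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || abort "Bad WHITELIST_SSH entry: $arg"`, assuming IPv4 is the only address family this script handles. A comment above the loop should also state its relation to the knocking rules, e.g. `## Whitelist: unconditional SSH accept for these sources, independent of port knocking`, since open_port and the position of the port_knocking call within start() are both outside this hunk and the intent cannot be confirmed from here.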
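Review bot: `#WHITELIST_SSH=()` is shipped commented out, unlike `TRAFFICS=()` and `REDIRECTIONS=()` just above it, which are active empty arrays, so the default config leaves WHITELIST_SSH unset and the new loop in the init script relies on bash expanding an unset array to nothing (an error under `set -u` on bash before 4.4, should that ever be enabled). Ship it active as `WHITELIST_SSH=()` with the example kept in the comment, matching the other list settings. The comment should also say what an entry grants, e.g. `# addresses or networks allowed to connect to SSH without knocking`, if that is the intent; open_port's behaviour is not visible in this patch.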