Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall
This commit is contained in:
parent
e8fe286563
commit
0440531e2f
6
Makefile
6
Makefile
|
@ -6,14 +6,14 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
NAME = firewall
|
NAME = firewall
|
||||||
RM = rm -rf
|
|
||||||
DESTDIR=
|
DESTDIR=
|
||||||
|
|
||||||
all:
|
all:
|
||||||
|
|
||||||
install:
|
install:
|
||||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
|
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
|
||||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
|
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
|
||||||
|
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
|
||||||
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
||||||
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
||||||
|
|
||||||
|
|
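Review bot: The install target copies the shipped config to the new location with `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` but nothing migrates a pre-existing /etc/firewall.conf, and the init script in this same commit now aborts with "No configuration file /etc/firewall/firewall.conf", so a host upgraded with `make install` loses its local settings and starts from the defaults without any hint why. Consider guarding the copy so an already-deployed file is kept, `test -e $(DESTDIR)/etc/firewall/firewall.conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`, and printing a one-line migration notice when $(DESTDIR)/etc/firewall.conf still exists. The 0755 directory with a 0640 root-owned file is fine for a config that holds address lists.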
15
firewall
15
firewall
|
@ -21,10 +21,10 @@ abort()
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
if [ -f "/etc/firewall.conf" ]; then
|
if [ -f "/etc/firewall/firewall.conf" ]; then
|
||||||
source /etc/firewall.conf
|
source /etc/firewall/firewall.conf
|
||||||
else
|
else
|
||||||
abort "No configuration file /etc/firewall.conf"
|
abort "No configuration file /etc/firewall/firewall.conf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
clean()
|
clean()
|
||||||
|
@ -41,7 +41,7 @@ clean()
|
||||||
test_config()
|
test_config()
|
||||||
{
|
{
|
||||||
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||||
echo "Bad configuration please check your /etc/firewall.conf"
|
echo "Bad configuration please check your /etc/firewall/firewall.conf"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -141,7 +141,7 @@ port_knocking()
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
start()
|
start()
|
||||||
|
@ -260,6 +260,11 @@ start()
|
||||||
port_redirection $args
|
port_redirection $args
|
||||||
done
|
done
|
||||||
|
|
||||||
|
## Whitelist
|
||||||
|
for arg in "${WHITELIST_SSH[@]}"; do
|
||||||
|
open_port $arg tcp ssh
|
||||||
|
done
|
||||||
|
|
||||||
## NAT
|
## NAT
|
||||||
if [ $NAT == 1 ]; then
|
if [ $NAT == 1 ]; then
|
||||||
echo "+ Activate nat"
|
echo "+ Activate nat"
|
||||||
|
|
|
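Review bot: The new whitelist loop in start() quotes the array on the loop header but then calls `open_port $arg tcp ssh` with the entry unquoted, so an element containing whitespace is split into several arguments before open_port sees it; `open_port "$arg" tcp ssh` keeps one entry per call. open_port is defined outside the hunk, so it cannot be seen here whether it validates the address before it reaches iptables; a malformed entry would presumably make that iptables invocation fail part-way through start(), which argues for checking the WHITELIST_SSH entries in test_config next to the existing WAN_INT/IP check. The shipped firewall.conf leaves `#WHITELIST_SSH=()` commented out, so the array is normally unset, which `"${WHITELIST_SSH[@]}"` tolerates in this script as written. The knock window in port_knocking is now a second hard-coded value, `--seconds 15`; a `KNOCK_TIMEOUT` setting in the config used as `--seconds ${KNOCK_TIMEOUT:-15}` would let operators tune it without editing the init script. start() begins and ends outside the hunk.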
@ -39,6 +39,10 @@ TRAFFICS=()
|
||||||
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
|
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
|
||||||
REDIRECTIONS=()
|
REDIRECTIONS=()
|
||||||
|
|
||||||
|
## Whitelist ssh
|
||||||
|
# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
|
||||||
|
#WHITELIST_SSH=()
|
||||||
|
|
||||||
# Hook point to write your own iptables rules
|
# Hook point to write your own iptables rules
|
||||||
ipt_hook()
|
ipt_hook()
|
||||||
{
|
{
|
||||||
|
|