Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall

This commit is contained in:
Jérôme Schneider 2011-06-21 17:54:06 +02:00
parent e8fe286563
commit 0440531e2f
3 changed files with 17 additions and 8 deletions


@ -6,14 +6,14 @@
## ##
NAME = firewall NAME = firewall
RM = rm -rf
DESTDIR= DESTDIR=
all: all:
install: install:
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/ install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/ install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
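Review bot: The new `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` line in the install rule overwrites an existing /etc/firewall/firewall.conf on every `make install`, so a reinstall silently discards an administrator's WHITELIST_SSH and other local settings and reverts to the shipped defaults, where the whitelist is commented out. Consider guarding it: `test -e $(DESTDIR)/etc/firewall/$(NAME).conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`. Nothing migrates the old /etc/firewall.conf to the new location, so hosts upgraded in place will fail the init script's file check ("No configuration file /etc/firewall/firewall.conf") until the file is moved by hand; a migration step here or a note in the commit message would help. `all` and `install` are still not declared `.PHONY`, so a stray file named `install` in the source tree would make the target look up to date.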


@ -21,10 +21,10 @@ abort()
exit 1 exit 1
} }
if [ -f "/etc/firewall.conf" ]; then if [ -f "/etc/firewall/firewall.conf" ]; then
source /etc/firewall.conf source /etc/firewall/firewall.conf
else else
abort "No configuration file /etc/firewall.conf" abort "No configuration file /etc/firewall/firewall.conf"
fi fi
clean() clean()
@ -41,7 +41,7 @@ clean()
test_config() test_config()
{ {
if [ ! "$WAN_INT" -o ! "$IP" ]; then if [ ! "$WAN_INT" -o ! "$IP" ]; then
echo "Bad configuration please check your /etc/firewall.conf" echo "Bad configuration please check your /etc/firewall/firewall.conf"
exit 1 exit 1
fi fi
} }
@ -141,7 +141,7 @@ port_knocking()
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
fi fi
done done
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
} }
start() start()
@ -260,6 +260,11 @@ start()
port_redirection $args port_redirection $args
done done
## Whitelist
for arg in "${WHITELIST_SSH[@]}"; do
open_port $arg tcp ssh
done
## NAT ## NAT
if [ $NAT == 1 ]; then if [ $NAT == 1 ]; then
echo "+ Activate nat" echo "+ Activate nat"
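Review bot: The new loop in start() iterates `"${WHITELIST_SSH[@]}"`, but the firewall.conf shipped in this commit leaves `#WHITELIST_SSH=()` commented out, so the array is normally unset; if the script enables `set -u` (not visible here), that expansion aborts with an unbound-variable error, on bash before 4.4 even for an empty array, and the firewall start fails partway through rule loading. Defining a default before the config is sourced, `WHITELIST_SSH=()`, next to the `source /etc/firewall/firewall.conf` line (or shipping the conf with the assignment uncommented) keeps the variable always defined; the conf hunk has the same gap. The loop argument should also be quoted, `open_port "$arg" tcp ssh`, so a malformed entry containing whitespace does not split into extra positional parameters. Whether these ACCEPT rules end up ordered before the port-knocking rule for the same port, and what open_port does with its arguments, cannot be seen from the hunk; start() continues outside it.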


@ -39,6 +39,10 @@ TRAFFICS=()
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242") # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS=() REDIRECTIONS=()
## Whitelist ssh
# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
#WHITELIST_SSH=()
# Hook point to write your own iptables rules # Hook point to write your own iptables rules
ipt_hook() ipt_hook()
{ {