Fix port knocking and config test
* Fix multiple port knocking * Fix config test * Move firewall.conf to firewall.conf.template * Clean start messages * New deb entry
This commit is contained in:
Jérôme Schneider
parent
66c6cc3853
commit
0749affec5
3
Makefile
3
Makefile
|
|
@ -13,7 +13,6 @@ all:
|
||||||
install:
|
install:
|
||||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
|
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
|
||||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
|
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
|
||||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
|
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
|
||||||
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
||||||
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
||||||
|
|
||||||
|
|
|
||||||
4
README
4
README
|
|
@ -1,6 +1,8 @@
|
||||||
= Installation =
|
= Installation =
|
||||||
* Requrie: rsyslog, logrotate and iptables
|
* Requrie: rsyslog, logrotate and iptables
|
||||||
* make install
|
* make install
|
||||||
|
* Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
|
||||||
|
* Configure /etc/firewall/firewall.conf
|
||||||
|
|
||||||
= Usage =
|
= Usage =
|
||||||
|
|
||||||
|
|
@ -10,5 +12,5 @@ Second save this change (this will load your rules and save it):
|
||||||
/etc/init.d/firewall save
|
/etc/init.d/firewall save
|
||||||
You need to use save at least one time.
|
You need to use save at least one time.
|
||||||
|
|
||||||
/etc/init.d/firewall stop: will flush your rules
|
/etc/init.d/firewall stop: will flush ALL your rules
|
||||||
/etc/init.d/firewall start|restore: will load your saved rules
|
/etc/init.d/firewall start|restore: will load your saved rules
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,12 @@
|
||||||
|
eofirewall (0.1-20110623.1) unstable; urgency=low
|
||||||
|
|
||||||
|
* Fix multiple port knocking
|
||||||
|
* Fix config test
|
||||||
|
* Move firewall.conf to firewall.conf.template
|
||||||
|
* Clean start messages
|
||||||
|
|
||||||
|
-- Jérôme Schneider <jschneider@entrouvert.com> Thu, 23 Jun 2011 13:52:39 +0200
|
||||||
|
|
||||||
eofirewall (0.1-20110621.3) unstable; urgency=low
|
eofirewall (0.1-20110621.3) unstable; urgency=low
|
||||||
|
|
||||||
* Add an example for the ssh whitelist
|
* Add an example for the ssh whitelist
|
||||||
|
|
|
||||||
90
firewall
90
firewall
|
|
@ -29,20 +29,33 @@ fi
|
||||||
|
|
||||||
clean()
|
clean()
|
||||||
{
|
{
|
||||||
$IPTABLES -F
|
$IPTABLES -t filter -F
|
||||||
$IPTABLES -F INPUT
|
$IPTABLES -t filter -X
|
||||||
$IPTABLES -F OUTPUT
|
|
||||||
$IPTABLES -F FORWARD
|
$IPTABLES -t filter -P INPUT ACCEPT
|
||||||
$IPTABLES -F -t mangle
|
$IPTABLES -t filter -P FORWARD ACCEPT
|
||||||
$IPTABLES -F -t nat
|
$IPTABLES -t filter -P OUTPUT ACCEPT
|
||||||
$IPTABLES -X
|
|
||||||
|
$IPTABLES -t nat -F
|
||||||
|
$IPTABLES -t nat -X
|
||||||
|
|
||||||
|
$IPTABLES -t nat -P PREROUTING ACCEPT
|
||||||
|
$IPTABLES -t nat -P OUTPUT ACCEPT
|
||||||
|
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
||||||
|
|
||||||
|
$IPTABLES -t mangle -F
|
||||||
|
$IPTABLES -t mangle -X
|
||||||
|
|
||||||
|
$IPTABLES -t mangle -P PREROUTING ACCEPT
|
||||||
|
$IPTABLES -t mangle -P INPUT ACCEPT
|
||||||
|
$IPTABLES -t mangle -P FORWARD ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
test_config()
|
test_config()
|
||||||
{
|
{
|
||||||
|
# FIXME: test if the interface and the ip exist
|
||||||
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||||
echo "Bad configuration please check your /etc/firewall/firewall.conf"
|
abort "Bad configuration please check your /etc/firewall/firewall.conf"
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -96,8 +109,8 @@ open_port()
|
||||||
stop && exit 1
|
stop && exit 1
|
||||||
fi
|
fi
|
||||||
source=$1
|
source=$1
|
||||||
|
echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
|
||||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||||
echo "+ Open port $port from $source to $destination for protocol $proto"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
|
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
|
||||||
critical_return
|
critical_return
|
||||||
done
|
done
|
||||||
|
|
@ -121,37 +134,39 @@ port_redirection()
|
||||||
|
|
||||||
port_knocking()
|
port_knocking()
|
||||||
{
|
{
|
||||||
if [ $# != 2 ]; then
|
if [ $# != 3 ]; then
|
||||||
echo "! Bad syntax for port knocking : $*"
|
echo "! Bad syntax for port knocking : $*"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
port=$1
|
port=$1
|
||||||
knock_ports=$2
|
knock_ports=$2
|
||||||
i=0
|
knock_number=$3
|
||||||
|
|
||||||
|
i=0
|
||||||
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
|
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
|
||||||
((i++))
|
((i++))
|
||||||
|
tock_number=$knock_number$i
|
||||||
if [ $i -gt 1 ]; then
|
if [ $i -gt 1 ]; then
|
||||||
iptables -N toc$i
|
iptables -N toc${tock_number}
|
||||||
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
|
iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
|
||||||
iptables -A toc$i -m recent --name toc$i --set
|
iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
|
||||||
else
|
else
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
|
echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT"
|
||||||
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
start()
|
start()
|
||||||
{
|
{
|
||||||
echo "Starting: Firewall"
|
echo "Starting: Firewall"
|
||||||
|
test_config
|
||||||
modprobe ip_conntrack
|
modprobe ip_conntrack
|
||||||
clean
|
clean
|
||||||
|
|
||||||
test_config
|
|
||||||
|
|
||||||
# default policies
|
# default policies
|
||||||
$IPTABLES -P INPUT DROP
|
$IPTABLES -P INPUT DROP
|
||||||
$IPTABLES -P FORWARD DROP
|
$IPTABLES -P FORWARD DROP
|
||||||
|
|
@ -187,31 +202,23 @@ start()
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## block spoofing
|
## block spoofing
|
||||||
echo "+ Block spoofing"
|
echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
|
||||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||||
|
|
||||||
## NMAP FIN/URG/PSH
|
## NMAP FIN/URG/PSH
|
||||||
echo "+ Block scan ports"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
|
||||||
|
|
||||||
## stop Xmas Tree type scanning
|
## stop Xmas Tree type scanning
|
||||||
echo "+ Block Xmas Tree"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||||
|
|
||||||
## stop null scanning
|
## stop null scanning
|
||||||
echo "+ Block null scanning"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
|
||||||
## SYN/RST
|
## SYN/RST
|
||||||
echo "+ Block SYN/RST"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
## SYN/FIN
|
## SYN/FIN
|
||||||
echo "+ Block SYN/FIN"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||||
|
|
||||||
|
|
@ -246,8 +253,10 @@ start()
|
||||||
done
|
done
|
||||||
|
|
||||||
## Port knocking
|
## Port knocking
|
||||||
|
j=1
|
||||||
for args in "${PORT_KNOCK[@]}"; do
|
for args in "${PORT_KNOCK[@]}"; do
|
||||||
port_knocking $args
|
port_knocking $args $j
|
||||||
|
((j++))
|
||||||
done
|
done
|
||||||
|
|
||||||
## Port forwading
|
## Port forwading
|
||||||
|
|
@ -291,26 +300,7 @@ start()
|
||||||
stop()
|
stop()
|
||||||
{
|
{
|
||||||
echo "+ Firewall stoped"
|
echo "+ Firewall stoped"
|
||||||
$IPTABLES -t filter -F
|
clean
|
||||||
$IPTABLES -t filter -X
|
|
||||||
|
|
||||||
$IPTABLES -t filter -P INPUT ACCEPT
|
|
||||||
$IPTABLES -t filter -P FORWARD ACCEPT
|
|
||||||
$IPTABLES -t filter -P OUTPUT ACCEPT
|
|
||||||
|
|
||||||
$IPTABLES -t nat -F
|
|
||||||
$IPTABLES -t nat -X
|
|
||||||
|
|
||||||
$IPTABLES -t nat -P PREROUTING ACCEPT
|
|
||||||
$IPTABLES -t nat -P OUTPUT ACCEPT
|
|
||||||
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
|
||||||
|
|
||||||
$IPTABLES -t mangle -F
|
|
||||||
$IPTABLES -t mangle -X
|
|
||||||
|
|
||||||
$IPTABLES -t mangle -P PREROUTING ACCEPT
|
|
||||||
$IPTABLES -t mangle -P INPUT ACCEPT
|
|
||||||
$IPTABLES -t mangle -P FORWARD ACCEPT
|
|
||||||
}
|
}
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
|
|
|
||||||
Reference in New Issue