From 5cf9c1039f64ec56cc1ca5436b5881e59df1dfcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Fri, 15 Nov 2013 12:05:40 +0100
Subject: [PATCH] eofirewall: implement output filters

---
 eofirewall | 65 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 45 insertions(+), 20 deletions(-)

diff --git a/eofirewall b/eofirewall
index 52047c1..c4a5268 100755
--- a/eofirewall
+++ b/eofirewall
@@ -15,7 +15,7 @@ chain_exists()
 {
 local chain_name="$1" ; shift
 [ $# -eq 1 ] && local table="--table $1"
- iptables $table -n --list "$chain_name" >/dev/null 2>&1
+ $IPTABLES $table -n --list "$chain_name" >/dev/null 2>&1
 }
@@ -114,7 +114,7 @@ critical_return()
 {
 if [ `echo $?` != 0 ]; then
 log_failure_msg "Error on the last command firewall will be stop"
- flush
+ clean
 exit 1
 fi
 }
@@ -144,8 +144,7 @@ forward_port()
 fi
 }
-
-open_port()
+open_input_port()
 {
 if [ $# == 4 ]; then
 local destination=$2
@@ -164,6 +163,25 @@ open_port()
 critical_return
 }
+open_output_port()
+{
+ if [ $# == 4 ]; then
+ local source=$2
+ local proto=$3
+ local ports=$4
+ elif [ $# == 3 ]; then
+ local source=$IP
+ local proto=$2
+ local ports=$3
+ else
+ log_warning_msg "Open output port bad syntax : $*"
+ fi
+ destination=$1
+ log_action_msg "Open output port(s) $ports from $source to $destination for protocol $proto"
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
+ critical_return
+}
+
 port_redirection()
 {
 if [ $# != 4 ]; then
@@ -177,7 +195,7 @@ port_redirection()
 local destport=$4
 log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
- iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
+ $IPTABLES -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
 }
 port_knocking()
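Review bot: In the new open_output_port, the `else` branch of the argument check only logs a warning and then falls through to the `$IPTABLES -A EO-OUTPUT ...` call, so a malformed entry is still turned into a rule built from whatever `$source`, `$proto` and `$ports` currently hold in the calling scope (nothing is declared `local` in that branch, so a value left over from elsewhere in the script can leak in); if iptables rejects the resulting arguments, critical_return tears the whole firewall down. Follow the warning with `return 1` so nothing is appended for a bad entry: `log_warning_msg "Open output port bad syntax : $*"; return 1`. `destination=$1` is also a global assignment, unlike the `local destination=` used in open_input_port in the previous hunk; make it `local destination=$1`. A header comment stating the accepted forms, `# usage: open_output_port DEST [SOURCE] PROTO PORTS (SOURCE defaults to $IP)`, would save readers from deriving them from the branch arithmetic.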
@@ -196,17 +214,17 @@ port_knocking()
 ((i++))
 tock_number=$knock_number$i
 if [ $i -gt 1 ]; then
- iptables -N EO-TOC${tock_number}
- iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
- iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
+ $IPTABLES -N EO-TOC${tock_number}
+ $IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
+ $IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
 else
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
 fi
 done
 log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
 for port in $(echo $ports | sed 's/,/ /g'); do
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
 done
 }
@@ -221,8 +239,10 @@ start()
 $IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
- if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
- log_action_msg "Allow WAN outgoing traffic"
+ if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ else
+ log_action_msg "Allow WAN outgoing traffic to everywhere"
 $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 fi
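Review bot: Inverting the test to `-eq 0` makes the permissive branch the fallback in start(): if `ALLOW_WAN_OUTOUT_EVERYWHERE` is unset or empty in the configuration, `[ -eq 0 ]` is a test error, the `if` fails, and the script falls into the `else` and appends the `ESTABLISHED,RELATED,NEW` accept rule, so a missing or misspelled setting silently opens all outbound traffic on $WAN_INT. Before this change the same omission added no EO-OUTPUT rule at all, so the change quietly flips the failure mode from closed to open. Keep the restrictive rule as the default by requiring the permissive value explicitly: `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -ne 1 ]; then`. A one-line comment above it, `# default is restrictive: only an explicit 1 opens NEW outbound connections`, would record the intent. start() begins before and ends after this hunk.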
@@ -265,9 +285,9 @@ start()
 if [ $PING == 1 ]; then
 log_action_msg "PING allowed"
- iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
 fi
 if [ $FTP == 1 ]; then
@@ -283,9 +303,14 @@ start()
 $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
 fi
- ## Open Ports
+ ## Open input ports
 for args in "${OPEN_PORTS[@]}"; do
- open_port $args
+ open_input_port $args
+ done
+
+ ## Open ouput ports
+ for args in "${OUPUT_DESTINATIONS[@]}"; do
+ open_output_port $args
 done
 ## Port knocking
@@ -367,8 +392,8 @@ test_rules()
 iptables-restore < /etc/network/iptables-save
 log_action_msg "Old rules restored"
 else
- flush
- log_action_msg "Rules flushed"
+ clean
+ log_action_msg "Rules cleaned"
 fi
 log_action_msg "If you are happy with this new rules please use save option"
 }
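Review bot: The new loop in start() iterates `"${OUPUT_DESTINATIONS[@]}"`, a misspelling of OUTPUT that, next to the comment `## Open ouput ports`, looks accidental rather than deliberate; if the configuration file spells the array `OUTPUT_DESTINATIONS`, the loop runs over an empty array and no outbound rule is added, which with the restrictive branch of the previous hunk leaves only ESTABLISHED,RELATED traffic out of $WAN_INT with no warning. Since this commit introduces the name, rename it now, `for args in "${OUTPUT_DESTINATIONS[@]}"; do`, and fix the comment before any configuration comes to depend on the typo. The entries are word-split on purpose, as for OPEN_PORTS, so a comment documenting the expected entry format would help: `# each entry: "DEST [SOURCE] PROTO PORTS", see open_output_port`. start() begins before and ends after this hunk.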