eofirewall: implement output filters
parent
033410319d
commit
5cf9c1039f
65
eofirewall
65
eofirewall
|
@ -15,7 +15,7 @@ chain_exists()
|
||||||
{
|
{
|
||||||
local chain_name="$1" ; shift
|
local chain_name="$1" ; shift
|
||||||
[ $# -eq 1 ] && local table="--table $1"
|
[ $# -eq 1 ] && local table="--table $1"
|
||||||
iptables $table -n --list "$chain_name" >/dev/null 2>&1
|
$IPTABLES $table -n --list "$chain_name" >/dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -114,7 +114,7 @@ critical_return()
|
||||||
{
|
{
|
||||||
if [ `echo $?` != 0 ]; then
|
if [ `echo $?` != 0 ]; then
|
||||||
log_failure_msg "Error on the last command firewall will be stop"
|
log_failure_msg "Error on the last command firewall will be stop"
|
||||||
flush
|
clean
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -144,8 +144,7 @@ forward_port()
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
open_input_port()
|
||||||
open_port()
|
|
||||||
{
|
{
|
||||||
if [ $# == 4 ]; then
|
if [ $# == 4 ]; then
|
||||||
local destination=$2
|
local destination=$2
|
||||||
|
@ -164,6 +163,25 @@ open_port()
|
||||||
critical_return
|
critical_return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
open_output_port()
|
||||||
|
{
|
||||||
|
if [ $# == 4 ]; then
|
||||||
|
local source=$2
|
||||||
|
local proto=$3
|
||||||
|
local ports=$4
|
||||||
|
elif [ $# == 3 ]; then
|
||||||
|
local source=$IP
|
||||||
|
local proto=$2
|
||||||
|
local ports=$3
|
||||||
|
else
|
||||||
|
log_warning_msg "Open output port bad syntax : $*"
|
||||||
|
fi
|
||||||
|
destination=$1
|
||||||
|
log_action_msg "Open output port(s) $ports from $source to $destination for protocol $proto"
|
||||||
|
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
|
||||||
|
critical_return
|
||||||
|
}
|
||||||
|
|
||||||
port_redirection()
|
port_redirection()
|
||||||
{
|
{
|
||||||
if [ $# != 4 ]; then
|
if [ $# != 4 ]; then
|
||||||
|
@ -177,7 +195,7 @@ port_redirection()
|
||||||
local destport=$4
|
local destport=$4
|
||||||
|
|
||||||
log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
|
log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
|
||||||
iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
|
$IPTABLES -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
|
||||||
}
|
}
|
||||||
|
|
||||||
port_knocking()
|
port_knocking()
|
||||||
|
@ -196,17 +214,17 @@ port_knocking()
|
||||||
((i++))
|
((i++))
|
||||||
tock_number=$knock_number$i
|
tock_number=$knock_number$i
|
||||||
if [ $i -gt 1 ]; then
|
if [ $i -gt 1 ]; then
|
||||||
iptables -N EO-TOC${tock_number}
|
$IPTABLES -N EO-TOC${tock_number}
|
||||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
|
$IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
|
||||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
|
$IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
|
||||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
|
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
|
||||||
else
|
else
|
||||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
|
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
|
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
|
||||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
|
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,8 +239,10 @@ start()
|
||||||
|
|
||||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
|
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
|
||||||
log_action_msg "Allow WAN outgoing traffic"
|
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
else
|
||||||
|
log_action_msg "Allow WAN outgoing traffic to everywhere"
|
||||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -265,9 +285,9 @@ start()
|
||||||
|
|
||||||
if [ $PING == 1 ]; then
|
if [ $PING == 1 ]; then
|
||||||
log_action_msg "PING allowed"
|
log_action_msg "PING allowed"
|
||||||
iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
|
$IPTABLES -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||||
iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
$IPTABLES -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||||
iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
|
$IPTABLES -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $FTP == 1 ]; then
|
if [ $FTP == 1 ]; then
|
||||||
|
@ -283,9 +303,14 @@ start()
|
||||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## Open Ports
|
## Open input ports
|
||||||
for args in "${OPEN_PORTS[@]}"; do
|
for args in "${OPEN_PORTS[@]}"; do
|
||||||
open_port $args
|
open_input_port $args
|
||||||
|
done
|
||||||
|
|
||||||
|
## Open ouput ports
|
||||||
|
for args in "${OUPUT_DESTINATIONS[@]}"; do
|
||||||
|
open_output_port $args
|
||||||
done
|
done
|
||||||
|
|
||||||
## Port knocking
|
## Port knocking
|
||||||
|
@ -367,8 +392,8 @@ test_rules()
|
||||||
iptables-restore < /etc/network/iptables-save
|
iptables-restore < /etc/network/iptables-save
|
||||||
log_action_msg "Old rules restored"
|
log_action_msg "Old rules restored"
|
||||||
else
|
else
|
||||||
flush
|
clean
|
||||||
log_action_msg "Rules flushed"
|
log_action_msg "Rules cleaned"
|
||||||
fi
|
fi
|
||||||
log_action_msg "If you are happy with this new rules please use save option"
|
log_action_msg "If you are happy with this new rules please use save option"
|
||||||
}
|
}
|
||||||
|
|
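Review bot: In the @ -164,6 +163,25 hunk, open_output_port() only logs on a bad argument count and then falls through, so a malformed entry still reaches the `$IPTABLES -A EO-OUTPUT ...` line with empty `$proto`/`$ports`, after which critical_return runs `clean` and `exit 1` (see the @ -114,7 hunk) and the whole start is aborted over one bad config line; adding `return 1` directly after `log_warning_msg "Open output port bad syntax : $*"` skips the entry instead, or if aborting is the intended fail-closed behaviour a comment saying so would make that explicit. The unqualified `destination=$1` also creates a shell global, whereas the sibling open_input_port uses `local destination=$2`; `local destination=$1` keeps the two consistent. Separately, the new loop `for args in "${OUPUT_DESTINATIONS[@]}"` in the @ -283,9 +303,14 hunk uses an array name that looks misspelled (OUPUT vs OUTPUT); if the configuration file defines OUTPUT_DESTINATIONS, the loop is silently empty and no output rules are ever added, which is worth checking against the config (the comment `## Open ouput ports` above it has the same typo).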