Add port knocking and support save and load rules
* Support port knocking * Add a test option * Add save and load of the rules * Modify states to support the latest iptables version * Add logrotate support for the Debian packages
This commit is contained in:
parent
b4601423a0
commit
6a34b1697e
2
Makefile
2
Makefile
@ -14,6 +14,6 @@ all:
install:
install:
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
install -m 0640 -o root -g root iptables.conf $(DESTDIR)/etc/rsyslog.d
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
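Review bot: The logrotate drop-in this commit adds (the `@ -0,0 +1,9 @@` hunk for `/var/log/iptables.log`) is never installed by the `install:` rule, which still only creates `$(DESTDIR)/etc/init.d` and `$(DESTDIR)/etc/rsyslog.d/` and copies the conf, the rsyslog drop-in and the init script. If the Debian packaging does not copy it separately, a plain `make install` gets logging without rotation, so adding `install -d -m 0755 -o root -g root $(DESTDIR)/etc/logrotate.d` and `install -m 0644 -o root -g root <LOGROTATE_FILE> $(DESTDIR)/etc/logrotate.d/$(NAME)` next to the rsyslog line would close that gap (the file's name is not visible on this page, hence the placeholder). As a naming point, installing the drop-in as `$(DESTDIR)/etc/rsyslog.d/rsyslog.conf` is easy to confuse with `/etc/rsyslog.conf`; `$(DESTDIR)/etc/rsyslog.d/$(NAME).conf` would identify its owner. The rule may continue beyond the hunk's last context line.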
16
README
16
README
@ -1,4 +1,14 @@
= INSTALLATION =
= Installation =
* Install rsyslog
* Requrie: rsyslog, logrotate and iptables
* make install
* make install
* use /etc/init.d/firewall [stop | start | restart]
= Usage =
First launch test your configuration:
/etc/init.d/firewall test
Second save this change (this will load your rules and save it):
/etc/init.d/firewall save
You need to use save at least one time.
/etc/init.d/firewall stop: will flush your rules
/etc/init.d/firewall start|restore: will load your saved rules
@ -0,0 +1,9 @@
/var/log/iptables.log {
weekly
rotate 6
compress
delaycompress
missingok
create 640 root adm
}
87
firewall
87
firewall
@ -12,14 +12,6 @@
NAME="firewall"
NAME="firewall"
if [ -f "/etc/firewall.conf" ]; then
source /etc/firewall.conf
else
echo "No configuration file /etc/firewall.conf"
exit 1
fi
abort()
abort()
{
{
message=$@
message=$@
@ -29,6 +21,12 @@ abort()
exit 1
exit 1
}
}
if [ -f "/etc/firewall.conf" ]; then
source /etc/firewall.conf
else
abort "No configuration file /etc/firewall.conf"
fi
clean()
clean()
{
{
$IPTABLES -F
$IPTABLES -F
@ -76,7 +74,7 @@ forward_port()
echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
else
else
echo "+ Forward $port to $destination for protocol $proto"
echo "+ Forward $port to $destination for protocol $proto"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
fi
fi
@ -100,7 +98,7 @@ open_port()
source=$1
source=$1
for port in $(echo $ports | sed 's/,/ /g'); do
for port in $(echo $ports | sed 's/,/ /g'); do
echo "+ Open port $port from $source to $destination for protocol $proto"
echo "+ Open port $port from $source to $destination for protocol $proto"
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state ! --state INVALID -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
critical_return
critical_return
done
done
}
}
@ -111,7 +109,7 @@ port_redirection()
echo "! Bad syntax for port redirection : $*"
echo "! Bad syntax for port redirection : $*"
return
return
fi
fi
if=$1
if=$1
proto=$2
proto=$2
srcport=$3
srcport=$3
@ -121,6 +119,28 @@ port_redirection()
iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
}
}
port_knocking()
{
if [ $# != 2 ]; then
echo "! Bad syntax for port knocking : $*"
return
fi
port=$1
knock_ports=$2
iptables -N toc2
iptables -A toc2 -m recent --name toc1 --remove
iptables -A toc2 -m recent --name toc2 --set
iptables -N toc3
iptables -A toc3 -m recent --name toc2 --remove
iptables -A toc3 -m recent --name toc3 --set
for port in $(echo $knock_ports | sed 's/,/ /g'); do
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
done
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
}
start()
start()
{
{
echo "Starting: Firewall"
echo "Starting: Firewall"
@ -139,14 +159,14 @@ start()
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo "+ Allow WAN outgoing traffic"
echo "+ Allow WAN outgoing traffic"
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
critical_return
critical_return
if [ $LAN == 1 ]; then
if [ $LAN == 1 ]; then
echo "+ Allow WAN outgoing traffic from lan"
echo "+ Allow WAN outgoing traffic from lan"
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "+ Allow local network"
echo "+ Allow local network"
@ -154,7 +174,7 @@ start()
$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
for ALLOW_INT in $ALLOW_INTS; do
for ALLOW_INT in $ALLOW_INTS; do
echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "+ Allow local network"
echo "+ Allow local network"
@ -222,6 +242,11 @@ start()
open_port $args
open_port $args
done
done
## Port knocking
for args in "${PORT_KNOCK[@]}"; do
port_knocking $args
done
## Port forwading
## Port forwading
for args in "${TRAFFICS[@]}"; do
for args in "${TRAFFICS[@]}"; do
forward_port $args
forward_port $args
@ -279,19 +304,39 @@ stop()
}
}
case "$1" in
case "$1" in
start)
start|restore)
start || exit 1
if [ -f /etc/network/iptables-save ]; then
iptables-restore < /etc/network/iptables-save
echo "Firewall: rules loaded"
else
abort "!! No iptables rules saved please use test and save script options"
fi
;;
;;
stop)
stop)
stop || exit 1
stop || exit 1
;;
;;
restart|force-reload)
test)
echo "You have 30 seconds to test your new rules"
start || exit 1
echo "... Please test your rules"
sleep 30
echo "---- The test is finished ----"
if [ -f /etc/network/iptables-save ]; then
iptables-restore < /etc/network/iptables-save
echo "Old rules restored"
else
stop
stop
start || exit 1
echo "Rules flushed"
fi
echo "If you are happy with this new rules please use save option"
;;
save)
start || exit 1
iptables-save > /etc/network/iptables-save
;;
;;
*)
*)
N=/etc/init.d/$NAME
N=/etc/init.d/$NAME
abort "Usage: $N {start|stop|restart|force-reload}" >&2
abort "Usage: $N {start|restore|save|test|stop}" >&2
;;
;;
esac
esac
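Review bot: The new port_knocking function in the `@ -121,6 +119,28 @@` hunk cannot open the protected port: the loop `for port in $(echo $knock_ports | sed 's/,/ /g')` reuses `port`, so the final ACCEPT rule is written for the last knock port instead of `$1`, and the toc2/toc3 chains are created but no INPUT rule ever jumps to them, so every knock only sets toc1 and the toc3 list the ACCEPT rule checks stays empty. The fixed chain names also make a second PORT_KNOCK entry fail on `iptables -N toc2` (chain already exists), and three hard-wired stages do not fit the variable-length knock list the config example documents, so the rewrite below derives one recent list and one chain per stage from the protected port and chains the stages with `-j` (argument check and the `port=$1` / `knock_ports=$2` lines unchanged; it also uses `$IPTABLES` like the rest of start()). Separately, the FORWARD rule for `$LAN_INT` in the `@ -139,14 +159,14 @@` hunk lost the `--state` keyword: it should read `$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT` as its neighbours do, because iptables rejects the bare state list and LAN-to-WAN forwarding is then silently missing. The `case` in the last hunk also drops `restart|force-reload`, which the old usage line advertised and which init tooling commonly invokes; if that is intentional the README should say so, otherwise keep the alternatives on the `start|restore)` line.
```shell
port_knocking()
{
	# … unchanged: argument check, port=$1, knock_ports=$2 …

	# One "recent" list and one helper chain per knock stage, all named
	# after the protected port so several PORT_KNOCK entries can coexist.
	# A knock on stage N's port only counts when the source is already in
	# the stage N-1 list; reaching the last stage opens $port for 15 s.
	stage=0
	for knock in $(echo $knock_ports | sed 's/,/ /g'); do
		prev=$stage
		stage=$((stage + 1))
		if [ $stage = 1 ]; then
			$IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $knock -m recent --name knock${port}_1 --set
		else
			$IPTABLES -N knock${port}_$stage
			$IPTABLES -A knock${port}_$stage -m recent --name knock${port}_$prev --remove
			$IPTABLES -A knock${port}_$stage -m recent --name knock${port}_$stage --set
			$IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $knock -m recent --rcheck --seconds 15 --name knock${port}_$prev -j knock${port}_$stage
		fi
	done
	$IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name knock${port}_$stage -m state --state NEW -j ACCEPT
}
```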
@ -20,9 +20,15 @@ ALLOW_INTS=''
## Open ports
## Open ports
# "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
# "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
# The default destination is the IP !
# The default destination is the IP !
# example : OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
# example : OPEN_PORTS=("0.0.0.0/0 tcp 22"
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
## Port knocking
# "port knock_ports_combinaison"
# example : PORT_KNOCK("22 121,4353,4242,111")
PORT_KNOCK=()
## Port forwarding
## Port forwarding
# "source port destination:port protocol" "source port destination:port protocol" ...
# "source port destination:port protocol" "source port destination:port protocol" ...
# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
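Review bot: The example added under `## Port knocking`, `# example : PORT_KNOCK("22 121,4353,4242,111")`, is missing the `=` and is not a bash array assignment; an administrator who copies it gets a "command not found" for PORT_KNOCK and an empty knock list. It should read `# example : PORT_KNOCK=("22 121,4353,4242,111")`, matching the OPEN_PORTS and TRAFFICS examples in the same file, and `combinaison` in `# "port knock_ports_combinaison"` should be `combination`. The comment would also help users if it stated that the knock ports are expected in the listed order and that the script only handles TCP knocks, which is what the port_knocking rules in the init script do.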