Use lsb init messages

This commit is contained in:
Jérôme Schneider 2011-07-04 19:07:54 +02:00
parent 3308d21135
commit 710b80e89f
2 changed files with 38 additions and 34 deletions

debian/changelog vendored

@ -1,3 +1,10 @@
eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
* Use lsb init messages
* New version name
-- Jérôme Schneider <jschneider@entrouvert.com> Mon, 04 Jul 2011 15:51:25 +0200
eofirewall (0.1-20110623.1) unstable; urgency=low eofirewall (0.1-20110623.1) unstable; urgency=low
* Fix multiple port knocking * Fix multiple port knocking


@ -17,9 +17,7 @@ NAME="firewall"
abort() abort()
{ {
message=$@ message=$@
echo >&2 log_failure_msg "$message"
echo -e "$message" >&2
echo >&2
exit 1 exit 1
} }
@ -57,14 +55,14 @@ test_config()
{ {
# FIXME: test if the interface and the ip exist # FIXME: test if the interface and the ip exist
if [ ! "$WAN_INT" -o ! "$IP" ]; then if [ ! "$WAN_INT" -o ! "$IP" ]; then
abort "Bad configuration please check your /etc/firewall/firewall.conf" abort "Bad configuration please check /etc/firewall/firewall.conf"
fi fi
} }
critical_return() critical_return()
{ {
if [ `echo $?` != 0 ]; then if [ `echo $?` != 0 ]; then
echo "!!! CRITICAL error on the last command firewall will be stop" log_failure_msg "Error on the last command firewall will be stop"
stop stop
exit 1 exit 1
fi fi
@ -73,7 +71,7 @@ critical_return()
forward_port() forward_port()
{ {
if [ $# != 4 ]; then if [ $# != 4 ]; then
echo "! Bad syntax for port forward : $*" log_warning_msg "Bad syntax for port forward : $*"
return return
fi fi
@ -86,9 +84,9 @@ forward_port()
dest_ip=$(echo $destination | cut -d ":" -f1) dest_ip=$(echo $destination | cut -d ":" -f1)
dest_port=$(echo $destination | cut -d ":" -f2) dest_port=$(echo $destination | cut -d ":" -f2)
if [ ! "$LAN_INT" ]; then if [ ! "$LAN_INT" ]; then
echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward" log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
else else
echo "+ Forward $port to $destination for protocol $proto" log_action_msg "Forward $port to $destination for protocol $proto"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi fi
@ -107,11 +105,10 @@ open_port()
local proto=$2 local proto=$2
local ports=$3 local ports=$3
else else
echo "!!! CRITICAL Open port bad syntax : $*" log_warning_msg "Open port bad syntax : $*"
stop && exit 1
fi fi
source=$1 source=$1
echo "+ Open port(s) $ports from $source to $destination for protocol $proto" log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
for port in $(echo $ports | sed 's/,/ /g'); do for port in $(echo $ports | sed 's/,/ /g'); do
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
critical_return critical_return
@ -121,7 +118,7 @@ open_port()
port_redirection() port_redirection()
{ {
if [ $# != 4 ]; then if [ $# != 4 ]; then
echo "! Bad syntax for port redirection : $*" log_warning_msg "Bad syntax for port redirection : $*"
return return
fi fi
@ -130,14 +127,14 @@ port_redirection()
local srcport=$3 local srcport=$3
local destport=$4 local destport=$4
echo "+ Redirect $if port $srcport to $destport for portocol $proto" log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
} }
port_knocking() port_knocking()
{ {
if [ $# != 3 ]; then if [ $# != 3 ]; then
echo "! Bad syntax for port knocking : $*" log_warning_msg "Bad syntax for port knocking : $*"
return return
fi fi
@ -158,7 +155,7 @@ port_knocking()
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number} iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
fi fi
done done
echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT" log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
} }
@ -177,33 +174,33 @@ start()
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
log_progress_msg "Allow WAN outgoing traffic" log_action_msg "Allow WAN outgoing traffic"
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
critical_return critical_return
if [ $LAN == 1 ]; then if [ $LAN == 1 ]; then
log_progress_msg "Allow WAN outgoing traffic from lan" log_action_msg "Allow WAN outgoing traffic from lan"
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
log_progress_msg "Allow local network" log_action_msg "Allow local network"
$IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT $IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT $IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
for ALLOW_INT in $ALLOW_INTS; do for ALLOW_INT in $ALLOW_INTS; do
log_progress_msg "Allow WAN outgoing traffic for interface $ALLOW_INT" log_action_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
log_progress_msg "+ Allow local network" log_action_msg "Allow local network"
$IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT $IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
$IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT $IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
done done
fi fi
## block spoofing ## block spoofing
log_progress_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN" log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## NMAP FIN/URG/PSH ## NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
@ -224,19 +221,19 @@ start()
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## stop sync flood ## stop sync flood
log_progress_msg "Block Syn flood" log_action_msg "Block Syn flood"
echo "1" >/proc/sys/net/ipv4/tcp_syncookies echo "1" >/proc/sys/net/ipv4/tcp_syncookies
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
if [ $PING == 1 ]; then if [ $PING == 1 ]; then
log_progress_msg "PING allowed" log_action_msg "PING allowed"
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
fi fi
if [ $FTP == 1 ]; then if [ $FTP == 1 ]; then
log_progress_msg "FTP allowed" log_action_msg "FTP allowed"
modprobe ip_conntrack_ftp modprobe ip_conntrack_ftp
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
@ -277,7 +274,7 @@ start()
## NAT ## NAT
if [ $NAT == 1 ]; then if [ $NAT == 1 ]; then
log_progress_msg "Activate nat" log_action_msg "Activate nat"
for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
$IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP $IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
fi fi
@ -310,7 +307,7 @@ case "$1" in
if [ -f /etc/network/iptables-save ]; then if [ -f /etc/network/iptables-save ]; then
iptables-restore < /etc/network/iptables-save iptables-restore < /etc/network/iptables-save
else else
log_warning_msg "!! No iptables rules saved please use test and save script options" log_warning_msg "No iptables rules saved please use test and save script options"
fi fi
log_end_msg 0 log_end_msg 0
;; ;;
@ -320,24 +317,24 @@ case "$1" in
log_end_msg 0 log_end_msg 0
;; ;;
test) test)
echo "You have 30 seconds to test your new rules" log_action_msg "Testing new rules"
log_daemon_msg "Starting new rules" log_action_msg "You have 30 seconds to test your new rules"
start || exit 1 start || exit 1
log_end_msg 0 log_end_msg 0
echo "... Please test your rules" log_action_msg "... Please test your rules"
sleep 30 sleep 30
echo "---- The test is finished ----" log_action_msg "---- The test is finished ----"
if [ -f /etc/network/iptables-save ]; then if [ -f /etc/network/iptables-save ]; then
iptables-restore < /etc/network/iptables-save iptables-restore < /etc/network/iptables-save
echo "Old rules restored" log_action_msg "Old rules restored"
else else
stop stop
echo "Rules flushed" log_action_msg "Rules flushed"
fi fi
echo "If you are happy with this new rules please use save option" log_action_msg "If you are happy with this new rules please use save option"
;; ;;
save) save)
log_daemon_msg "Starting and saving new rules" log_action_msg "Starting and saving new rules"
start || exit 1 start || exit 1
iptables-save > /etc/network/iptables-save iptables-save > /etc/network/iptables-save
log_end_msg 0 log_end_msg 0
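Review bot: In the open_port hunk (@ -107,11 +105,10) the bad-syntax branch now only warns: the old `stop && exit 1` was removed and nothing replaced it, so the function falls through to `source=$1`, the log_action_msg line and the rule loop with whichever of $destination/$proto/$ports were never assigned. Mirror forward_port, port_redirection and port_knocking by adding `return` right after `log_warning_msg "Open port bad syntax : $*"`, or keep `stop && exit 1` if failing closed on a malformed rule was the intended behaviour; open_port starts before that hunk, so its if condition is not visible here. Separately, in the test) and save) arms of this hunk `log_daemon_msg` was replaced by `log_action_msg` while `log_end_msg 0` is still called after `start || exit 1`; in lsb-base log_end_msg is meant to close a log_daemon_msg/log_begin_msg line, so the status marker will likely be printed with no preceding message, and either the "Starting new rules" lines should stay `log_daemon_msg` or the `log_end_msg 0` calls should go.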