Hudge improvements

* Change config syntax
 * Add a lot of test
 * Support destination to open a port

debian/files

@@ -1 +0,0 @@
-eofirewall_0.1-20110307.1_all.deb admin extra

firewall

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ### BEGIN INIT INFO
-# Provides:          firewall.sh
+# Provides:          firewall
 # Required-Start:    $remote_fs $syslog $network
 # Required-Stop:     $remote_fs $syslog $network
 # Default-Start:     2 3 4 5
@@ -10,8 +10,15 @@
 # Description:       An iptables firewall
 ### END INIT INFO
 
-source /etc/firewall.conf
+NAME="firewall"
-NAME="firewall.sh"
+
+if [ -f "/etc/firewall.conf" ]; then
+    source /etc/firewall.conf
+else
+    echo "No configuration file /etc/firewall.conf"
+    exit 1
+fi
+
 
 abort()
 {
@@ -33,6 +40,23 @@ clean()
     $IPTABLES -X
 }
 
+test_config()
+{
+    if [ ! "$WAN_INT" -o ! "$IP" ]; then
+        echo "Bad configuration please check your /etc/firewall.conf"
+        exit 1
+    fi
+}
+
+critical_return()
+{
+    if [ `echo $?` != 0 ]; then
+        echo "!!! CRITICAL error on the last command firewall will be stop"
+        stop
+        exit 1
+    fi
+}
+
 forward_port()
 {
     traffic=$1
@@ -43,9 +67,35 @@ forward_port()
     dest_ip=$(echo $destination | cut -d ":" -f1)
     dest_port=$(echo $destination | cut -d ":" -f2)
 
-    echo "+ Forward $port to $destination for protocol $proto"
+    if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
-    $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+        echo "! Bad syntax for traffic : $1"
-    $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+    else
+        echo "+ Forward $port to $destination for protocol $proto"
+        $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+        $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+    fi
+}
+
+open_port()
+{
+    if [ $# == 4 ]; then
+        destination=$2
+        proto=$3
+        ports=$4
+    elif [ $# == 3 ]; then
+        destination=$IP
+        proto=$2
+        ports=$3
+    else
+        echo "!!! CRITICAL Open port bad syntax : $*"
+        stop && exit 1
+    fi
+    source=$1
+    for port in $(echo $ports | sed 's/,/ /g'); do
+        echo "+ Open port $port from $source to $destination for protocol $proto"
+        $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
+        critical_return
+    done
 }
 
 port_redirection()
@@ -66,6 +116,8 @@ start()
     modprobe ip_conntrack
     clean
 
+    test_config
+
     # default policies
     $IPTABLES -P INPUT DROP
     $IPTABLES -P FORWARD DROP
@@ -79,6 +131,8 @@ start()
     $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
     $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED  -j ACCEPT
 
+    critical_return
+
     if [ $LAN == 1 ]; then
         echo "+ Allow WAN outgoing traffic from lan"
         $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
@@ -159,18 +213,11 @@ start()
         $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
     fi
 
-
+    ## Open Ports
-    ## OPEN PORTS
+    for traffic in "${OPEN_PORTS[@]}"; do
-    for traffic in $OPEN_PORTS; do
+        open_port $traffic
-        source=$(echo $traffic | cut -d "-" -f1)
-        proto=$(echo $traffic | cut -d "-" -f2)
-        ports=$(echo $traffic | cut -d "-" -f3)
-        for port in $(echo $ports | sed 's/,/ /g'); do
-            echo "+ Open port $port to $source for protocol $proto"
-                $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
-        done
     done
-    
+
     ## Port forwading
     for traffic in $TRAFFICS; do
         forward_port $traffic

firewall.conf

@@ -1,8 +1,8 @@
 IPTABLES=/sbin/iptables
 
 # WAN configuration
-WAN_INT='ethX'
+WAN_INT='zefezfez'
-IP='x.x.x.x'
+IP='122.122.122.122'
 
 # Allow ping
 PING=1
@@ -15,16 +15,18 @@ NAT=0
 LAN_NETWORK=''
 # Allow traffic between the WAN and LAN
 LAN=0
-LAN_INT='ethX'
+LAN_INT=''
 
 # Allow all traffic for interface(s)
 # example ALLOW_INTS='br0 xenbr42'
 ALLOW_INTS=''
 
 # Open ports
-# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
+# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
-# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
+# The default destination is the IP !
-OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+# example :
+#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
+OPEN_PORTS=("0.0.0.0/0 tcp ssh")
 
 # Port forwarding
 # source-port-destination:port-protocole source-port-destination:port-protocole ...