Hudge improvements
* Change config syntax * Add a lot of tests * Support destination to open a port
This commit is contained in:
parent
8a79bdbdec
commit
9df7935f90
|
@ -1 +0,0 @@
|
||||||
eofirewall_0.1-20110307.1_all.deb admin extra
|
|
81
firewall
81
firewall
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
### BEGIN INIT INFO
|
### BEGIN INIT INFO
|
||||||
# Provides: firewall.sh
|
# Provides: firewall
|
||||||
# Required-Start: $remote_fs $syslog $network
|
# Required-Start: $remote_fs $syslog $network
|
||||||
# Required-Stop: $remote_fs $syslog $network
|
# Required-Stop: $remote_fs $syslog $network
|
||||||
# Default-Start: 2 3 4 5
|
# Default-Start: 2 3 4 5
|
||||||
|
@ -10,8 +10,15 @@
|
||||||
# Description: An iptables firewall
|
# Description: An iptables firewall
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
|
|
||||||
source /etc/firewall.conf
|
NAME="firewall"
|
||||||
NAME="firewall.sh"
|
|
||||||
|
if [ -f "/etc/firewall.conf" ]; then
|
||||||
|
source /etc/firewall.conf
|
||||||
|
else
|
||||||
|
echo "No configuration file /etc/firewall.conf"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
abort()
|
abort()
|
||||||
{
|
{
|
||||||
|
@ -33,6 +40,23 @@ clean()
|
||||||
$IPTABLES -X
|
$IPTABLES -X
|
||||||
}
|
}
|
||||||
|
|
||||||
|
test_config()
|
||||||
|
{
|
||||||
|
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||||
|
echo "Bad configuration please check your /etc/firewall.conf"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
critical_return()
|
||||||
|
{
|
||||||
|
if [ `echo $?` != 0 ]; then
|
||||||
|
echo "!!! CRITICAL error on the last command firewall will be stop"
|
||||||
|
stop
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
forward_port()
|
forward_port()
|
||||||
{
|
{
|
||||||
traffic=$1
|
traffic=$1
|
||||||
|
@ -43,9 +67,35 @@ forward_port()
|
||||||
dest_ip=$(echo $destination | cut -d ":" -f1)
|
dest_ip=$(echo $destination | cut -d ":" -f1)
|
||||||
dest_port=$(echo $destination | cut -d ":" -f2)
|
dest_port=$(echo $destination | cut -d ":" -f2)
|
||||||
|
|
||||||
echo "+ Forward $port to $destination for protocol $proto"
|
if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
|
||||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
|
echo "! Bad syntax for traffic : $1"
|
||||||
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
else
|
||||||
|
echo "+ Forward $port to $destination for protocol $proto"
|
||||||
|
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
|
||||||
|
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
open_port()
|
||||||
|
{
|
||||||
|
if [ $# == 4 ]; then
|
||||||
|
destination=$2
|
||||||
|
proto=$3
|
||||||
|
ports=$4
|
||||||
|
elif [ $# == 3 ]; then
|
||||||
|
destination=$IP
|
||||||
|
proto=$2
|
||||||
|
ports=$3
|
||||||
|
else
|
||||||
|
echo "!!! CRITICAL Open port bad syntax : $*"
|
||||||
|
stop && exit 1
|
||||||
|
fi
|
||||||
|
source=$1
|
||||||
|
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||||
|
echo "+ Open port $port from $source to $destination for protocol $proto"
|
||||||
|
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
|
||||||
|
critical_return
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
port_redirection()
|
port_redirection()
|
||||||
|
@ -66,6 +116,8 @@ start()
|
||||||
modprobe ip_conntrack
|
modprobe ip_conntrack
|
||||||
clean
|
clean
|
||||||
|
|
||||||
|
test_config
|
||||||
|
|
||||||
# default policies
|
# default policies
|
||||||
$IPTABLES -P INPUT DROP
|
$IPTABLES -P INPUT DROP
|
||||||
$IPTABLES -P FORWARD DROP
|
$IPTABLES -P FORWARD DROP
|
||||||
|
@ -79,6 +131,8 @@ start()
|
||||||
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
|
||||||
|
critical_return
|
||||||
|
|
||||||
if [ $LAN == 1 ]; then
|
if [ $LAN == 1 ]; then
|
||||||
echo "+ Allow WAN outgoing traffic from lan"
|
echo "+ Allow WAN outgoing traffic from lan"
|
||||||
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
||||||
|
@ -159,18 +213,11 @@ start()
|
||||||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
## Open Ports
|
||||||
## OPEN PORTS
|
for traffic in "${OPEN_PORTS[@]}"; do
|
||||||
for traffic in $OPEN_PORTS; do
|
open_port $traffic
|
||||||
source=$(echo $traffic | cut -d "-" -f1)
|
|
||||||
proto=$(echo $traffic | cut -d "-" -f2)
|
|
||||||
ports=$(echo $traffic | cut -d "-" -f3)
|
|
||||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
|
||||||
echo "+ Open port $port to $source for protocol $proto"
|
|
||||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
|
|
||||||
## Port forwading
|
## Port forwading
|
||||||
for traffic in $TRAFFICS; do
|
for traffic in $TRAFFICS; do
|
||||||
forward_port $traffic
|
forward_port $traffic
|
||||||
|
|
|
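Review bot: In `open_port` the new destination argument is parsed (`destination=$2`, or `$IP` in the three-argument form) and echoed, but the INPUT rule still matches `-d $IP`, so a four-argument entry like the second example in the config opens the port on the primary address instead of the requested destination; the rule should read `$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state ! --state INVALID -j ACCEPT`. The same function's error branch uses `stop && exit 1`, which only exits when `stop` succeeds; `stop; exit 1` makes the abort unconditional. Both that branch and `critical_return` call `stop` on failure, and if `stop` resets the default policies to ACCEPT (its body is outside this diff) a single malformed entry leaves the host with no filtering at all, which deserves a sentence in the script header so operators know the failure mode is fail-open. `critical_return` can also test the status directly, `if [ "$?" != 0 ]; then`, instead of the backtick-echo form.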
@ -1,8 +1,8 @@
|
||||||
IPTABLES=/sbin/iptables
|
IPTABLES=/sbin/iptables
|
||||||
|
|
||||||
# WAN configuration
|
# WAN configuration
|
||||||
WAN_INT='ethX'
|
WAN_INT='zefezfez'
|
||||||
IP='x.x.x.x'
|
IP='122.122.122.122'
|
||||||
|
|
||||||
# Allow ping
|
# Allow ping
|
||||||
PING=1
|
PING=1
|
||||||
|
@ -15,16 +15,18 @@ NAT=0
|
||||||
LAN_NETWORK=''
|
LAN_NETWORK=''
|
||||||
# Allow traffic between the WAN and LAN
|
# Allow traffic between the WAN and LAN
|
||||||
LAN=0
|
LAN=0
|
||||||
LAN_INT='ethX'
|
LAN_INT=''
|
||||||
|
|
||||||
# Allow all traffic for interface(s)
|
# Allow all traffic for interface(s)
|
||||||
# example ALLOW_INTS='br0 xenbr42'
|
# example ALLOW_INTS='br0 xenbr42'
|
||||||
ALLOW_INTS=''
|
ALLOW_INTS=''
|
||||||
|
|
||||||
# Open ports
|
# Open ports
|
||||||
# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
|
# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
|
||||||
# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
|
# The default destination is the IP !
|
||||||
OPEN_PORTS='0.0.0.0/0-tcp-ssh'
|
# example :
|
||||||
|
#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
|
||||||
|
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
|
||||||
|
|
||||||
# Port forwarding
|
# Port forwarding
|
||||||
# source-port-destination:port-protocole source-port-destination:port-protocole ...
|
# source-port-destination:port-protocole source-port-destination:port-protocole ...
|
||||||
|
|
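Review bot: The shipped defaults now carry `WAN_INT='zefezfez'` and `IP='122.122.122.122'` in place of the earlier `ethX` / `x.x.x.x` placeholders, which look like test values left in the packaged config; since `test_config` only checks that these variables are non-empty, a user who installs without editing gets rules bound to a non-existent interface and a foreign address rather than a clear failure. Restore the placeholders, `WAN_INT='ethX'` and `IP='x.x.x.x'`, so the sanity check still catches an unedited file. The new OPEN_PORTS format comment spells the field `protocole`; `protocol` matches the rest of the file and the argument name used in the script.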