firewall: improve whitelist support and port knocking support

2013-07-23 10:27:01 +02:00 · 2013-07-23 10:27:01 +02:00 · bb7b95c78d
parent 2d30350106
commit bb7b95c78d
3 changed files with 29 additions and 10 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,10 @@
 eofirewall (0.1+git20130723-1) wheezy; urgency=low
  * Add new whitelist management
  * Improve portknocking management
 -- Jérôme Schneider <jschneider@entrouvert.com>  Tue, 23 Jul 2013 10:07:19 +0200
 eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
  * Use lsb init messages
--- a/17
+++ b/17
@ -138,7 +138,7 @@ port_knocking()
        return
    fi
-    local port=$1
+    local ports=$1
    local knock_ports=$2
    local knock_number=$3
    local i=0
@ -155,8 +155,10 @@ port_knocking()
            iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
        fi
    done
-    log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
+    log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
-    iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+    for port in $(echo $ports | sed 's/,/ /g'); do
        iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
    done
 }
 start()
@ -257,11 +259,18 @@ start()
        port_redirection $args
    done
-    ## Whitelist
+    ## Old: Whitelist
    for arg in "${WHITELIST_SSH[@]}"; do
        log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
        open_port $arg tcp ssh
    done
    for ip in "${WHITELIST[@]}"; do
        for args in "${WHITELIST_OPEN_PORTS[@]}"; do
            open_port $ip $args
        done
    done
    ## NAT
    if [ $NAT == 1 ]; then
        log_action_msg "Activate nat"
--- a/firewall.conf
+++ b/firewall.conf
@ -25,8 +25,8 @@ ALLOW_INTS=''
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
 ## Port knocking (tcp only)
-# "port knock_ports_combinaison"
+# "port[,port] knock_ports_combinaison"
-# example : PORT_KNOCK("22 121,4353,4242,111")
+# example : PORT_KNOCK("22,4242 121,4353,4242,111")
 PORT_KNOCK=()
 ## Port forwarding
@ -39,12 +39,15 @@ TRAFFICS=()
 # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
 REDIRECTIONS=()
-## Whitelist ssh
+## Whitelist
 # example with an external file
 # source /etc/firewall/whitelist_ssh
-# WHITELIST_SSH=(${WHITELIST_SSH[@]})
+# WHITELIST=(${WHITELIST[@])
-# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
+# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
-#WHITELIST_SSH=()
+#WHITELIST=()
 ## Whitelist port and protocol
 # exmaple : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
 # Hook point to write your own iptables rules
 ipt_hook()