firewall: improve whitelist support and port knocking support
This commit is contained in:
parent
2d30350106
commit
bb7b95c78d
|
@ -1,3 +1,10 @@
|
||||||
|
eofirewall (0.1+git20130723-1) wheezy; urgency=low
|
||||||
|
|
||||||
|
* Add new whitelist management
|
||||||
|
* Improve portknocking management
|
||||||
|
|
||||||
|
-- Jérôme Schneider <jschneider@entrouvert.com> Tue, 23 Jul 2013 10:07:19 +0200
|
||||||
|
|
||||||
eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
|
eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
|
||||||
|
|
||||||
* Use lsb init messages
|
* Use lsb init messages
|
||||||
|
|
17
firewall
17
firewall
|
@ -138,7 +138,7 @@ port_knocking()
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local port=$1
|
local ports=$1
|
||||||
local knock_ports=$2
|
local knock_ports=$2
|
||||||
local knock_number=$3
|
local knock_number=$3
|
||||||
local i=0
|
local i=0
|
||||||
|
@ -155,8 +155,10 @@ port_knocking()
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
|
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
|
||||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
|
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||||
|
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
start()
|
start()
|
||||||
|
@ -257,11 +259,18 @@ start()
|
||||||
port_redirection $args
|
port_redirection $args
|
||||||
done
|
done
|
||||||
|
|
||||||
## Whitelist
|
## Old: Whitelist
|
||||||
for arg in "${WHITELIST_SSH[@]}"; do
|
for arg in "${WHITELIST_SSH[@]}"; do
|
||||||
|
log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
|
||||||
open_port $arg tcp ssh
|
open_port $arg tcp ssh
|
||||||
done
|
done
|
||||||
|
|
||||||
|
for ip in "${WHITELIST[@]}"; do
|
||||||
|
for args in "${WHITELIST_OPEN_PORTS[@]}"; do
|
||||||
|
open_port $ip $args
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
## NAT
|
## NAT
|
||||||
if [ $NAT == 1 ]; then
|
if [ $NAT == 1 ]; then
|
||||||
log_action_msg "Activate nat"
|
log_action_msg "Activate nat"
|
||||||
|
|
|
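Review bot: In start(), the new `for ip in "${WHITELIST[@]}"` loop does nothing when WHITELIST_OPEN_PORTS is empty, so a host that is listed but has no port set silently gets no access and nothing is logged; consider guarding it with `if [ ${#WHITELIST[@]} -gt 0 ] && [ ${#WHITELIST_OPEN_PORTS[@]} -eq 0 ]; then log_warning_msg "WHITELIST is set but WHITELIST_OPEN_PORTS is empty"; fi` before the loop. Each entry of WHITELIST_OPEN_PORTS reaches open_port as the unquoted `$args`, which matches the existing `open_port $arg tcp ssh` call, but a comma list such as the documented `tcp ssh,8006` only works if open_port itself splits on commas, which is not visible here; a comment on the loop stating that expectation would help. In port_knocking, `for port in $(echo $ports | sed 's/,/ /g')` can be the builtin expansion `for port in ${ports//,/ }; do`, avoiding two forks per call. Both port_knocking and start() continue outside their hunks.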
@ -25,8 +25,8 @@ ALLOW_INTS=''
|
||||||
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
|
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
|
||||||
|
|
||||||
## Port knocking (tcp only)
|
## Port knocking (tcp only)
|
||||||
# "port knock_ports_combinaison"
|
# "port[,port] knock_ports_combinaison"
|
||||||
# example : PORT_KNOCK("22 121,4353,4242,111")
|
# example : PORT_KNOCK("22,4242 121,4353,4242,111")
|
||||||
PORT_KNOCK=()
|
PORT_KNOCK=()
|
||||||
|
|
||||||
## Port forwarding
|
## Port forwarding
|
||||||
|
@ -39,12 +39,15 @@ TRAFFICS=()
|
||||||
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
|
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
|
||||||
REDIRECTIONS=()
|
REDIRECTIONS=()
|
||||||
|
|
||||||
## Whitelist ssh
|
## Whitelist
|
||||||
# example with an external file
|
# example with an external file
|
||||||
# source /etc/firewall/whitelist_ssh
|
# source /etc/firewall/whitelist_ssh
|
||||||
# WHITELIST_SSH=(${WHITELIST_SSH[@]})
|
# WHITELIST=(${WHITELIST[@])
|
||||||
# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
|
# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
|
||||||
#WHITELIST_SSH=()
|
#WHITELIST=()
|
||||||
|
|
||||||
|
## Whitelist port and protocol
|
||||||
|
# exmaple : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
|
||||||
|
|
||||||
# Hook point to write your own iptables rules
|
# Hook point to write your own iptables rules
|
||||||
ipt_hook()
|
ipt_hook()
|
||||||
|
|