Improve firewall:
* Using SNAT instead of DNAT * Finish new configuration file * Add test
This commit is contained in:
parent
1785bd3b8f
commit
de369b6a3e
83
firewall
83
firewall
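--- a/firewall
+++ b/firewall
@@ -59,21 +59,28 @@ critical_return()
 
 forward_port()
 {
-traffic=$1
-source=$(echo $traffic | cut -d "-" -f1)
-port=$(echo $traffic | cut -d "-" -f2)
-destination=$(echo $traffic | cut -d "-" -f3)
-proto=$(echo $traffic | cut -d "-" -f4)
-dest_ip=$(echo $destination | cut -d ":" -f1)
-dest_port=$(echo $destination | cut -d ":" -f2)
-
-if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
-echo "! Bad syntax for traffic : $1"
-else
-echo "+ Forward $port to $destination for protocol $proto"
-$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
-$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+if [ $# != 4 ]; then
+echo "! Bad syntax for port forward : $*"
+return
 fi
+
+source=$1
+port=$2
+destination=$3
+proto=$4
+
+if echo "$destination" | grep -q ":"; then
+dest_ip=$(echo $destination | cut -d ":" -f1)
+dest_port=$(echo $destination | cut -d ":" -f2)
+if [ ! "$LAN_INT" ]; then
+echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
+else
+echo "+ Forward $port to $destination for protocol $proto"
+$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+fi
+fi
+
 }
 
 open_port()
@@ -100,14 +107,18 @@ open_port()
 
 port_redirection()
 {
-redirection=$1
-int=$(echo $traffic | cut -d "-" -f1)
-srcport=$(echo $traffic | cut -d "-" -f2)
-destport=$(echo $traffic | cut -d "-" -f3)
-proto=$(echo $traffic | cut -d "-" -f4)
+if [ $# != 4 ]; then
+echo "! Bad syntax for port redirection : $*"
+return
+fi
+
+if=$1
+proto=$2
+srcport=$3
+destport=$4
 
-echo "+ Redirect $int port $srcport to $destport for portocol $proto"
-iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
+echo "+ Redirect $if port $srcport to $destport for portocol $proto"
+iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
 }
 
 start()
@@ -188,16 +199,9 @@ start()
 
 if [ $PING == 1 ]; then
 echo "+ PING allowed"
-## stop ping flood attack
-echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-# Don't accept ICMP redirect messages
-echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
-# Don't send ICMP redirect messages
-echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
-$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
-$IPTABLES -A INPUT -p icmp -j DROP
+iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
+iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
 fi
 
 if [ $FTP == 1 ]; then
@@ -214,26 +218,25 @@ start()
 fi
 
 ## Open Ports
-for traffic in "${OPEN_PORTS[@]}"; do
-open_port $traffic
+for args in "${OPEN_PORTS[@]}"; do
+open_port $args
 done
 
 ## Port forwading
-for traffic in $TRAFFICS; do
-forward_port $traffic
+for args in "${TRAFFICS[@]}"; do
+forward_port $args
 done
 
 ## Port redirection
-for redirection in $REDIRECTIONS; do
-port_redirection $redirection
+for args in "${REDIRECTIONS[@]}"; do
+port_redirection $args
 done
 
 ## NAT
 if [ $NAT == 1 ]; then
 echo "+ Activate nat"
-modprobe ip_nat_ftp
-modprobe ip_nat_irc
-$IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
+for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
+$IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
 fi
 
 ipt_hook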
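Review bot: The new PING block in start() accepts echo-request unconditionally on INPUT, OUTPUT and FORWARD and drops the old `-m limit`/LOG/DROP rules together with the sysctl hardening (icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, accept_redirects, send_redirects), so there is no longer any rate limit or log on ICMP floods and those sysctls are no longer set anywhere in the visible diff. If that is intended, a comment saying so would help; otherwise keep a limit in front of the accept, e.g. `$IPTABLES -A INPUT -p icmp --icmp-type ping -m limit --limit 1/s --limit-burst 1 -j ACCEPT`. The three added rules also call bare `iptables` where the rest of start() uses `$IPTABLES`, as does the rewritten port_redirection(). Similarly, the new SNAT rule in the NAT block relies on `-o $WAN_INT` and `--to-source $IP`, both empty in the default configuration, so it should be guarded by a check that IP and WAN_INT are set (the old MASQUERADE rule needed neither). start() begins and ends outside these hunks.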
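--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,47 +1,42 @@
 IPTABLES=/sbin/iptables
 
-# WAN configuration
-WAN_INT=''
-IP=''
+## WAN configuration
+WAN_INT='' # WAN interface
+IP='' # WAN IP
 
-# Allow ping
-PING=1
+PING=1 # Allow ping
+FTP=0 # Allow FTP server (passive and active)
 
-# Allow FTP server (passive and active)
-FTP=0
+## LAN configuration
+NAT=0 # Activate nat (need a LAN_NETWORK)
+LAN_NETWORK='' # LAN network (ex: 192.168.1.0/24)
+LAN=0 # Allow traffic between the WAN and LAN
+LAN_INT='' # LAN interface
 
-# NAT LAN_NETWORK
-NAT=0
-LAN_NETWORK=''
-# Allow traffic between the WAN and LAN
-LAN=0
-LAN_INT=''
-
-# Allow all traffic for interface(s)
+## Allow all traffic for interface(s)
 # example ALLOW_INTS='br0 xenbr42'
 ALLOW_INTS=''
 
-# Open ports
-# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
+## Open ports
+# "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
 # The default destination is the IP !
-# example :
-#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
+# example : OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
 
-# Port forwarding
-# source-port-destination:port-protocole source-port-destination:port-protocole ...
-# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp'
-TRAFFICS=""
+## Port forwarding
+# "source port destination:port protocol" "source port destination:port protocol" ...
+# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
+TRAFFICS=("")
 
-# Port redirection
-# interface-sourceport-destport-protocole
-# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'
-REDIRECTIONS=""
+## Port redirection
+# "interface protocol sourceport destport" ...
+# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
+REDIRECTIONS=("")
 
 # Hook point to write your own iptables rules
 ipt_hook()
 {
 echo "+ Load your own iptables rules"
 # Write your own iptables rules here
 }
 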
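Review bot: `TRAFFICS=("")` and `REDIRECTIONS=("")` define an array holding one empty string rather than an empty array, so the `for args in "${TRAFFICS[@]}"` and `"${REDIRECTIONS[@]}"` loops in start() iterate once with no arguments and forward_port/port_redirection print their "Bad syntax" message on every start even when nothing is configured; the empty defaults should be `TRAFFICS=()` and `REDIRECTIONS=()` (OPEN_PORTS ships with a non-empty default and is unaffected). The header comments could also state that `IP` and `WAN_INT` are mandatory when `NAT=1`, since the new SNAT rule in start() uses both and they default to empty here. The path of this configuration file is not shown on the page.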