Improve firewall:

* Using SNAT instead of DNAT
 * Finish new configuration file
 * Add test
This commit is contained in:
Jérôme Schneider 2011-05-09 22:44:46 +02:00
parent 1785bd3b8f
commit de369b6a3e
2 changed files with 67 additions and 69 deletions


@ -59,21 +59,28 @@ critical_return()
forward_port() forward_port()
{ {
traffic=$1 if [ $# != 4 ]; then
source=$(echo $traffic | cut -d "-" -f1) echo "! Bad syntax for port forward : $*"
port=$(echo $traffic | cut -d "-" -f2) return
destination=$(echo $traffic | cut -d "-" -f3)
proto=$(echo $traffic | cut -d "-" -f4)
dest_ip=$(echo $destination | cut -d ":" -f1)
dest_port=$(echo $destination | cut -d ":" -f2)
if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
echo "! Bad syntax for traffic : $1"
else
echo "+ Forward $port to $destination for protocol $proto"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi fi
source=$1
port=$2
destination=$3
proto=$4
if echo "$destination" | grep -q ":"; then
dest_ip=$(echo $destination | cut -d ":" -f1)
dest_port=$(echo $destination | cut -d ":" -f2)
if [ ! "$LAN_INT" ]; then
echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
else
echo "+ Forward $port to $destination for protocol $proto"
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
} }
open_port() open_port()
@ -100,14 +107,18 @@ open_port()
port_redirection() port_redirection()
{ {
redirection=$1 if [ $# != 4 ]; then
int=$(echo $traffic | cut -d "-" -f1) echo "! Bad syntax for port redirection : $*"
srcport=$(echo $traffic | cut -d "-" -f2) return
destport=$(echo $traffic | cut -d "-" -f3) fi
proto=$(echo $traffic | cut -d "-" -f4)
if=$1
proto=$2
srcport=$3
destport=$4
echo "+ Redirect $int port $srcport to $destport for portocol $proto" echo "+ Redirect $if port $srcport to $destport for portocol $proto"
iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
} }
start() start()
@ -188,16 +199,9 @@ start()
if [ $PING == 1 ]; then if [ $PING == 1 ]; then
echo "+ PING allowed" echo "+ PING allowed"
## stop ping flood attack iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
$IPTABLES -A INPUT -p icmp -j DROP
fi fi
if [ $FTP == 1 ]; then if [ $FTP == 1 ]; then
@ -214,26 +218,25 @@ start()
fi fi
## Open Ports ## Open Ports
for traffic in "${OPEN_PORTS[@]}"; do for args in "${OPEN_PORTS[@]}"; do
open_port $traffic open_port $args
done done
## Port forwading ## Port forwading
for traffic in $TRAFFICS; do for args in "${TRAFFICS[@]}"; do
forward_port $traffic forward_port $args
done done
## Port redirection ## Port redirection
for redirection in $REDIRECTIONS; do for args in "${REDIRECTIONS[@]}"; do
port_redirection $redirection port_redirection $args
done done
## NAT ## NAT
if [ $NAT == 1 ]; then if [ $NAT == 1 ]; then
echo "+ Activate nat" echo "+ Activate nat"
modprobe ip_nat_ftp for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
modprobe ip_nat_irc $IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
$IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
fi fi
ipt_hook ipt_hook
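Review bot: The rewritten PING branch accepts echo requests on INPUT, OUTPUT and FORWARD without the `-m limit --limit 1/s --limit-burst 1` rule, the LOG/DROP fallback and the `icmp_echo_ignore_broadcasts`/`accept_redirects`/`send_redirects` sysctls that the removed lines set, so the ping-flood and ICMP-redirect protections are dropped rather than improved. If that is intended, a comment such as `# ICMP rate limiting and redirect sysctls removed on purpose: <reason>` would keep the next reader from re-adding them; otherwise keep the limiter on the INPUT rule, `$IPTABLES -A INPUT -p icmp --icmp-type ping -m limit --limit 1/s --limit-burst 1 -j ACCEPT`, and restore the sysctl writes. The same three lines call bare `iptables` while the rest of start() uses `$IPTABLES`, and port_redirection has the same inconsistency. In forward_port, a destination without `:` now passes the `$# != 4` check and then silently does nothing because only the `grep -q ":"` branch has a body; an `else echo "! Bad syntax for port forward : $*"` would surface it. start() begins and ends outside the hunk.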


@ -1,47 +1,42 @@
IPTABLES=/sbin/iptables IPTABLES=/sbin/iptables
# WAN configuration ## WAN configuration
WAN_INT='' WAN_INT='' # WAN interface
IP='' IP='' # WAN IP
# Allow ping PING=1 # Allow ping
PING=1 FTP=0 # Allow FTP server (passive and active)
# Allow FTP server (passive and active) ## LAN configuration
FTP=0 NAT=0 # Activate nat (need a LAN_NETWORK)
LAN_NETWORK='' # LAN network (ex: 192.168.1.0/24)
LAN=0 # Allow traffic between the WAN and LAN
LAN_INT='' # LAN interface
# NAT LAN_NETWORK ## Allow all traffic for interface(s)
NAT=0
LAN_NETWORK=''
# Allow traffic between the WAN and LAN
LAN=0
LAN_INT=''
# Allow all traffic for interface(s)
# example ALLOW_INTS='br0 xenbr42' # example ALLOW_INTS='br0 xenbr42'
ALLOW_INTS='' ALLOW_INTS=''
# Open ports ## Open ports
# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...] # "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
# The default destination is the IP ! # The default destination is the IP !
# example : # example : OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
OPEN_PORTS=("0.0.0.0/0 tcp ssh") OPEN_PORTS=("0.0.0.0/0 tcp ssh")
# Port forwarding ## Port forwarding
# source-port-destination:port-protocole source-port-destination:port-protocole ... # "source port destination:port protocol" "source port destination:port protocol" ...
# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp' # example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
TRAFFICS="" TRAFFICS=("")
# Port redirection ## Port redirection
# interface-sourceport-destport-protocole # "interface protocol sourceport destport" ...
# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp' # example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS="" REDIRECTIONS=("")
# Hook point to write your own iptables rules # Hook point to write your own iptables rules
ipt_hook() ipt_hook()
{ {
echo "+ Load your own iptables rules" echo "+ Load your own iptables rules"
# Write your own iptables rules here # Write your own iptables rules here
} }
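Review bot: `TRAFFICS=("")` and `REDIRECTIONS=("")` define one-element arrays holding an empty string, not empty arrays, so with this default file the new `for args in "${TRAFFICS[@]}"` loop in start() calls `forward_port` with zero arguments, fails the `$# != 4` check and prints `! Bad syntax for port forward : ` on every start (the redirection loop does the same). Declare them empty instead: `TRAFFICS=()` and `REDIRECTIONS=()`. The `NAT=0 # Activate nat (need a LAN_NETWORK)` comment should also list `IP`, since the POSTROUTING rule now uses `SNAT --to-source $IP` rather than MASQUERADE and an empty IP leaves that rule malformed. The two argument formats also put the protocol in different positions (`source port destination:port protocol` versus `interface protocol sourceport destport`); aligning them, or stating the difference in the comment, would avoid the obvious mix-up.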