Fix port knocking and deb entry
parent
6a34b1697e
commit
ec75d05e47
|
@ -1,3 +1,14 @@
|
|||
eofirewall (0.1-20110621.1) unstable; urgency=low
|
||||
|
||||
* New release
|
||||
* Support port knocking
|
||||
* Add a test option
|
||||
* Add save and load of the rules
|
||||
* Modify states to support last iptables version
|
||||
* Add logrotate support for the Debian packages
|
||||
|
||||
-- Jérôme Schneider <jschneider@entrouvert.com> Tue, 21 Jun 2011 14:27:36 +0200
|
||||
|
||||
eofirewall (0.1-20110509.1) unstable; urgency=low
|
||||
|
||||
* Using SNAT instead of DNAT
|
||||
|
|
21
firewall
21
firewall
|
@ -128,17 +128,20 @@ port_knocking()
|
|||
|
||||
port=$1
|
||||
knock_ports=$2
|
||||
i=0
|
||||
|
||||
iptables -N toc2
|
||||
iptables -A toc2 -m recent --name toc1 --remove
|
||||
iptables -A toc2 -m recent --name toc2 --set
|
||||
iptables -N toc3
|
||||
iptables -A toc3 -m recent --name toc2 --remove
|
||||
iptables -A toc3 -m recent --name toc3 --set
|
||||
for port in $(echo $knock_ports | sed 's/,/ /g'); do
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
|
||||
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
|
||||
((i++))
|
||||
if [ $i -gt 1 ]; then
|
||||
iptables -N toc$i
|
||||
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
|
||||
iptables -A toc$i -m recent --name toc$i --set
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
|
||||
else
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
||||
fi
|
||||
done
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
|
||||
}
|
||||
|
||||
start()
|
||||
|
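Review bot: The chain and recent-list names `toc$i` depend only on the loop index, so if port_knocking() is invoked once per PORT_KNOCK entry (the config file declares it as an array), the second call's `iptables -N toc2` fails because the chain already exists and both entries share the same toc lists — completing either knock sequence would then satisfy the other entry's final `--rcheck --name toc$i` rule whenever the sequences have the same length. Deriving the names from the protected port, e.g. `iptables -N toc${port}_$i` and `--name toc${port}_$i`, keeps entries independent. Separately, only the final rule carries `--seconds 15`; the stage rule `-m recent --rcheck --name toc$(($i-1)) -j toc$i` accepts a partially completed sequence however old it is, and nothing clears the state on an out-of-order knock, so adding `--seconds 15` to that `--rcheck` and a rule that removes the current list entry when any other knock port is hit would tighten the sequence. Note also that `((i++))` exits non-zero on the first iteration (0 evaluates to status 1), which would abort the script if it runs under `set -e`, and `$knock_ports` and `$kport` are expanded unquoted. The function's signature and opening brace lie before the hunk.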
|
|
@ -24,7 +24,7 @@ ALLOW_INTS=''
|
|||
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
|
||||
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
|
||||
|
||||
## Port knocking
|
||||
## Port knocking (tcp only)
|
||||
# "port knock_ports_combinaison"
|
||||
# example : PORT_KNOCK("22 121,4353,4242,111")
|
||||
PORT_KNOCK=()
|
||||
|
|
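Review bot: The new `## Port knocking (tcp only)` heading leaves out the two constraints the firewall code imposes — the knock ports must be hit in the listed order, and the protected port then only accepts NEW connections for 15 seconds — which the person editing this file needs to know; a line such as `# knock ports must be sent in the listed order; the port then accepts new connections for 15 seconds` would cover it. The unchanged example `PORT_KNOCK("22 121,4353,4242,111")` is not valid array syntax next to `PORT_KNOCK=()`; it should read `PORT_KNOCK=("22 121,4353,4242,111")`. The 15-second value is taken from the firewall hunk in this commit rather than from this file, so confirm it is the one meant to be documented.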