From ec75d05e475e23ef819d8f724313b887858e8de1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Tue, 21 Jun 2011 15:26:05 +0200
Subject: [PATCH] Fix port knocking and deb entry
---
 debian/changelog | 11 +++++++++++
 firewall | 21 ++++++++++++---------
 firewall.conf | 2 +-
 3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 71eeb3c..dfc143c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+eofirewall (0.1-20110621.1) unstable; urgency=low
+
+ * New release
+ * Support port knocking
+ * Add a test option
+ * Add save and load of the rules
+ * Modify states to support last iptables version
+ * Add logrotate support for the Debian packages
+
+ -- Jérôme Schneider Tue, 21 Jun 2011 14:27:36 +0200
+
 eofirewall (0.1-20110509.1) unstable; urgency=low
 * Using SNAT instead of DNAT
diff --git a/firewall b/firewall
index 4545010..5148e69 100755
--- a/firewall
+++ b/firewall
@@ -128,17 +128,20 @@ port_knocking()
 port=$1
 knock_ports=$2
+ i=0
- iptables -N toc2
- iptables -A toc2 -m recent --name toc1 --remove
- iptables -A toc2 -m recent --name toc2 --set
- iptables -N toc3
- iptables -A toc3 -m recent --name toc2 --remove
- iptables -A toc3 -m recent --name toc3 --set
- for port in $(echo $knock_ports | sed 's/,/ /g'); do
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
+ for kport in $(echo $knock_ports | sed 's/,/ /g'); do
+ ((i++))
+ if [ $i -gt 1 ]; then
+ iptables -N toc$i
+ iptables -A toc$i -m recent --name toc$(($i-1)) --remove
+ iptables -A toc$i -m recent --name toc$i --set
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
+ else
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
+ fi
 done
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
 }
 start()
diff --git a/firewall.conf b/firewall.conf
index 5ce3764..88b8ec7 100644
--- a/firewall.conf
+++ b/firewall.conf
@@ -24,7 +24,7 @@ ALLOW_INTS=''
 # "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
-## Port knocking
+## Port knocking (tcp only)
 # "port knock_ports_combinaison"
 # example : PORT_KNOCK("22 121,4353,4242,111")
 PORT_KNOCK=()
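Review bot: A wrong knock never resets the sequence, because the jump into `toc$i` fires only for `--dport $kport` and the `--rcheck` on `toc$(($i-1))` carries no `--seconds` window, so a source that has reached stage i-1 keeps that state indefinitely and a few passes of a fast sequential port scan can walk it stage by stage until `$port` opens. Jump for any new TCP packet from a source at the previous stage and move the port test into the chain, so that a stray packet drops the source back to the start: `iptables -A INPUT -i $WAN_INT -p tcp -m state --state NEW -m recent --rcheck --name toc$(($i-1)) -j toc$i` for the jump, and `iptables -A toc$i -p tcp --dport $kport -m recent --name toc$i --set` in place of the unconditional `--set` after the `--remove` line. A source that completed the sequence is normally listed only in the last `toc` list, which no jump rule checks, so the ACCEPT rule appended after the loop still matches it; adding `--seconds 15` to the intermediate `--rcheck` would additionally bound the time allowed between knocks. `$1`, `$2` and `$kport` are unquoted throughout and are worth quoting. `port_knocking()` opens before the hunk; only its closing brace is inside it.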