Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall
This commit is contained in:
parent
e8fe286563
commit
0440531e2f
6
Makefile
6
Makefile
|
@ -6,14 +6,14 @@
|
|||
##
|
||||
|
||||
NAME = firewall
|
||||
RM = rm -rf
|
||||
DESTDIR=
|
||||
|
||||
all:
|
||||
|
||||
install:
|
||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
|
||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
|
||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
|
||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
|
||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
|
||||
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
||||
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
||||
|
||||
|
|
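Review bot: The new `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` line overwrites an existing /etc/firewall/firewall.conf on every `make install`, so a re-install silently resets the live firewall policy (including any WHITELIST_SSH entries an admin added) to the shipped defaults. Guard the copy so it only seeds a missing file: `test -e $(DESTDIR)/etc/firewall/firewall.conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`. The 0640 root:root mode is the right choice, since the init script sources this file as root and anything in it runs with those privileges. Note also that an old /etc/firewall.conf left by a previous install is neither migrated nor removed here and will presumably no longer be read, which is worth a line in the commit message or a one-time warning in the init script.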
15
firewall
15
firewall
|
@ -21,10 +21,10 @@ abort()
|
|||
exit 1
|
||||
}
|
||||
|
||||
if [ -f "/etc/firewall.conf" ]; then
|
||||
source /etc/firewall.conf
|
||||
if [ -f "/etc/firewall/firewall.conf" ]; then
|
||||
source /etc/firewall/firewall.conf
|
||||
else
|
||||
abort "No configuration file /etc/firewall.conf"
|
||||
abort "No configuration file /etc/firewall/firewall.conf"
|
||||
fi
|
||||
|
||||
clean()
|
||||
|
@ -41,7 +41,7 @@ clean()
|
|||
test_config()
|
||||
{
|
||||
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||
echo "Bad configuration please check your /etc/firewall.conf"
|
||||
echo "Bad configuration please check your /etc/firewall/firewall.conf"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
@ -141,7 +141,7 @@ port_knocking()
|
|||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
||||
fi
|
||||
done
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
|
||||
}
|
||||
|
||||
start()
|
||||
|
@ -260,6 +260,11 @@ start()
|
|||
port_redirection $args
|
||||
done
|
||||
|
||||
## Whitelist
|
||||
for arg in "${WHITELIST_SSH[@]}"; do
|
||||
open_port $arg tcp ssh
|
||||
done
|
||||
|
||||
## NAT
|
||||
if [ $NAT == 1 ]; then
|
||||
echo "+ Activate nat"
|
||||
|
|
|
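Review bot: The whitelist loop added to start() opens ssh to each configured source without any trace in the boot output, unlike the neighbouring `echo "+ Activate nat"`; an over-broad entry such as a /0 or a typo'd network would go unnoticed. Print each source as it is opened and quote the expansion: `echo "+ Whitelist ssh for $arg"` followed by `open_port "$arg" tcp ssh`. The shipped config leaves `WHITELIST_SSH` commented out, so `"${WHITELIST_SSH[@]}"` expands an unset array — harmless here, but it would abort under `set -u` on bash older than 4.4, so either define it as an empty array in the config or use `"${WHITELIST_SSH[@]-}"`. open_port's signature and the rest of start() are outside this hunk, so the argument order `source proto port` is assumed from the call.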
@ -39,6 +39,10 @@ TRAFFICS=()
|
|||
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
|
||||
REDIRECTIONS=()
|
||||
|
||||
## Whitelist ssh
|
||||
# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
|
||||
#WHITELIST_SSH=()
|
||||
|
||||
# Hook point to write your own iptables rules
|
||||
ipt_hook()
|
||||
{
|
||||
|
|
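Review bot: The new `#WHITELIST_SSH=()` default is commented out while the sibling list options in this file (`TRAFFICS=()`, `REDIRECTIONS=()`) are defined as empty arrays; define it the same way, `WHITELIST_SSH=()`, so the variable always exists when the init script expands `"${WHITELIST_SSH[@]}"` and the file stays consistent. The comment block should also state the trust implication the rest of the file leaves implicit: this file is sourced by /etc/init.d/firewall as root, so every line in it is executed with root privileges, and the example entries show plain addresses and CIDR networks are both accepted. Suggested wording above the example: `# Sources allowed to reach ssh without port knocking (addresses or CIDR). This file is sourced by the init script as root; keep it 0640 root:root.`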