authorJérôme Schneider <jschneider@entrouvert.com>2011-06-21 15:54:06 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-06-21 15:54:06 (GMT)
commit0440531e2fda302111ca9b1f7c028bc0cf4bfa8e (patch)
treecaced8d7e050be37dc2132a72427981dbe030973
parente8fe286563e7f4ab96b9c6edfc9dff2983ee64db (diff)
Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall
-rw-r--r--Makefile6
-rwxr-xr-xfirewall15
-rw-r--r--firewall.conf4
3 files changed, 17 insertions, 8 deletions
diff --git a/Makefile b/Makefile
index 3f38207..be10f99 100644
--- a/Makefile
+++ b/Makefile
@@ -6,14 +6,14 @@
##
NAME = firewall
-RM = rm -rf
DESTDIR=
all:
install:
- install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
- install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
+ install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
+ install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
+ install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
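Review bot: The new `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` line unconditionally overwrites an existing /etc/firewall/firewall.conf, so re-running `make install` on an already configured host replaces the administrator's WHITELIST_SSH, NAT and redirection settings with the shipped defaults, and may leave the box unreachable over ssh after the next restart. Guard it so a present config is kept: `test -e $(DESTDIR)/etc/firewall/firewall.conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`, or install the shipped copy as firewall.conf.dist next to it. The 0640 root:root mode itself is right for a file that the init script sources as shell. Independently, `all` and `install` are command names rather than files and should be declared `.PHONY: all install` so a stray file of that name cannot silence the target.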
diff --git a/firewall b/firewall
index 092e43b..0935e63 100755
--- a/firewall
+++ b/firewall
@@ -21,10 +21,10 @@ abort()
exit 1
}
-if [ -f "/etc/firewall.conf" ]; then
- source /etc/firewall.conf
+if [ -f "/etc/firewall/firewall.conf" ]; then
+ source /etc/firewall/firewall.conf
else
- abort "No configuration file /etc/firewall.conf"
+ abort "No configuration file /etc/firewall/firewall.conf"
fi
clean()
@@ -41,7 +41,7 @@ clean()
test_config()
{
if [ ! "$WAN_INT" -o ! "$IP" ]; then
- echo "Bad configuration please check your /etc/firewall.conf"
+ echo "Bad configuration please check your /etc/firewall/firewall.conf"
exit 1
fi
}
@@ -141,7 +141,7 @@ port_knocking()
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
fi
done
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
}
start()
@@ -260,6 +260,11 @@ start()
port_redirection $args
done
+ ## Whitelist
+ for arg in "${WHITELIST_SSH[@]}"; do
+ open_port $arg tcp ssh
+ done
+
## NAT
if [ $NAT == 1 ]; then
echo "+ Activate nat"
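Review bot: The relocated config is still only checked with `-f` before `source /etc/firewall/firewall.conf`, and since this init script runs as root that line executes whatever the file contains; the Makefile installs it 0640 root:root, but nothing at runtime verifies that is still the case. A one-line guard before the `source` refuses a non-root-owned or group/world-writable copy: `[ -n "$(find /etc/firewall/firewall.conf -maxdepth 0 -user root ! -perm /022)" ] || abort "/etc/firewall/firewall.conf must be owned by root and not group/world writable"`. In the port_knocking hunk the new `--seconds 15` window is baked into the rule; since this commit already tunes it, a variable such as KNOCK_TIMEOUT in firewall.conf, defaulting to 15, would make the next adjustment a config edit rather than a code change. The start() body in the last hunk continues outside it, so the ordering of the new whitelist rules relative to the knocking rules in INPUT cannot be judged here.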
diff --git a/firewall.conf b/firewall.conf
index 88b8ec7..7f16f34 100644
--- a/firewall.conf
+++ b/firewall.conf
@@ -39,6 +39,10 @@ TRAFFICS=()
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS=()
+## Whitelist ssh
+# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
+#WHITELIST_SSH=()
+
# Hook point to write your own iptables rules
ipt_hook()
{
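Review bot: `#WHITELIST_SSH=()` leaves the variable unset by default, unlike `TRAFFICS=()` and `REDIRECTIONS=()` just above it, which are always defined; the loop in firewall expands `"${WHITELIST_SSH[@]}"`, which bash tolerates for an unset array as long as `set -u` is never enabled, but an explicit empty default is consistent with the other lists and self-describing. Uncomment it as `WHITELIST_SSH=()` and say what an entry does in the comment, e.g. `# Source addresses/networks for which tcp/ssh is opened via open_port; empty list adds no rule`.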