authorJérôme Schneider <jschneider@entrouvert.com>2011-06-23 12:56:41 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-06-23 12:56:41 (GMT)
commit0749affec526488654685c16383f6ae9079a9d36 (patch)
tree711cc0f919b515b451264420dc9007f09eb4d868
parent66c6cc3853019556307ca220ec3c9f09c7f0ffde (diff)
Fix port knocking and config test
* Fix multiple port knocking * Fix config test * Move firewall.conf to firewall.conf.template * Clean start messages * New deb entry
-rw-r--r--Makefile3
-rw-r--r--README4
-rw-r--r--debian/changelog9
-rwxr-xr-xfirewall90
4 files changed, 53 insertions, 53 deletions
diff --git a/Makefile b/Makefile
index be10f99..702d59a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,6 @@ all:
install:
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
- install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
+ install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
-
diff --git a/README b/README
index 4e298bf..6f99ad2 100644
--- a/README
+++ b/README
@@ -1,6 +1,8 @@
= Installation =
* Requrie: rsyslog, logrotate and iptables
* make install
+ * Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
+ * Configure /etc/firewall/firewall.conf
= Usage =
@@ -10,5 +12,5 @@ Second save this change (this will load your rules and save it):
/etc/init.d/firewall save
You need to use save at least one time.
-/etc/init.d/firewall stop: will flush your rules
+/etc/init.d/firewall stop: will flush ALL your rules
/etc/init.d/firewall start|restore: will load your saved rules
diff --git a/debian/changelog b/debian/changelog
index 025f6f0..5939aed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+eofirewall (0.1-20110623.1) unstable; urgency=low
+
+ * Fix multiple port knocking
+ * Fix config test
+ * Move firewall.conf to firewall.conf.template
+ * Clean start messages
+
+ -- Jérôme Schneider <jschneider@entrouvert.com> Thu, 23 Jun 2011 13:52:39 +0200
+
eofirewall (0.1-20110621.3) unstable; urgency=low
* Add an example for the ssh whitelist
diff --git a/firewall b/firewall
index b03bea3..c625b6a 100755
--- a/firewall
+++ b/firewall
@@ -29,20 +29,33 @@ fi
clean()
{
- $IPTABLES -F
- $IPTABLES -F INPUT
- $IPTABLES -F OUTPUT
- $IPTABLES -F FORWARD
- $IPTABLES -F -t mangle
- $IPTABLES -F -t nat
- $IPTABLES -X
+ $IPTABLES -t filter -F
+ $IPTABLES -t filter -X
+
+ $IPTABLES -t filter -P INPUT ACCEPT
+ $IPTABLES -t filter -P FORWARD ACCEPT
+ $IPTABLES -t filter -P OUTPUT ACCEPT
+
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+
+ $IPTABLES -t nat -P PREROUTING ACCEPT
+ $IPTABLES -t nat -P OUTPUT ACCEPT
+ $IPTABLES -t nat -P POSTROUTING ACCEPT
+
+ $IPTABLES -t mangle -F
+ $IPTABLES -t mangle -X
+
+ $IPTABLES -t mangle -P PREROUTING ACCEPT
+ $IPTABLES -t mangle -P INPUT ACCEPT
+ $IPTABLES -t mangle -P FORWARD ACCEPT
}
test_config()
{
+ # FIXME: test if the interface and the ip exist
if [ ! "$WAN_INT" -o ! "$IP" ]; then
- echo "Bad configuration please check your /etc/firewall/firewall.conf"
- exit 1
+ abort "Bad configuration please check your /etc/firewall/firewall.conf"
fi
}
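Review bot: The new `clean` sets every filter policy to ACCEPT before the rules are rebuilt, and `start()` (in a later hunk) calls it ahead of the `$IPTABLES -P INPUT DROP` lines, so each start or restart briefly runs with no rules and an accept-all policy, whereas the old `clean` left a previously set DROP policy in place during the reload. One way to keep restart fail-closed is to move the three filter `-P ... ACCEPT` lines out of `clean` into a separate helper that only `stop()` calls, so `start()` flushes under the existing policies and then sets DROP. The mangle table also has OUTPUT and POSTROUTING chains whose policies are never reset here: `$IPTABLES -t mangle -P OUTPUT ACCEPT` and `$IPTABLES -t mangle -P POSTROUTING ACCEPT`. In `test_config`, `-o` inside `[ ]` is obsolescent and the portable form is `if [ -z "$WAN_INT" ] || [ -z "$IP" ]; then`; `abort` is defined outside this hunk.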
@@ -96,8 +109,8 @@ open_port()
stop && exit 1
fi
source=$1
+ echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
for port in $(echo $ports | sed 's/,/ /g'); do
- echo "+ Open port $port from $source to $destination for protocol $proto"
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
critical_return
done
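Review bot: The loop header on the line after the new echo spawns `echo` and `sed` just to split a comma list; a parameter expansion does the same without a pipeline, `for port in ${ports//,/ }; do`. The `$source`, `$destination` and `$proto` expansions in the iptables call are unquoted, which only works while each holds a single word, so a short comment saying so would help the next reader. `open_port`'s body starts outside this hunk.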
@@ -121,37 +134,39 @@ port_redirection()
port_knocking()
{
- if [ $# != 2 ]; then
+ if [ $# != 3 ]; then
echo "! Bad syntax for port knocking : $*"
return
fi
port=$1
knock_ports=$2
- i=0
+ knock_number=$3
+ i=0
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
((i++))
+ tock_number=$knock_number$i
if [ $i -gt 1 ]; then
- iptables -N toc$i
- iptables -A toc$i -m recent --name toc$(($i-1)) --remove
- iptables -A toc$i -m recent --name toc$i --set
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
+ iptables -N toc${tock_number}
+ iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
+ iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
else
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
fi
done
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
+ echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT"
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
}
start()
{
echo "Starting: Firewall"
+ test_config
modprobe ip_conntrack
clean
- test_config
-
# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
@@ -187,31 +202,23 @@ start()
fi
## block spoofing
- echo "+ Block spoofing"
+ echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
-
## NMAP FIN/URG/PSH
- echo "+ Block scan ports"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-
## stop Xmas Tree type scanning
- echo "+ Block Xmas Tree"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-
## stop null scanning
- echo "+ Block null scanning"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
- echo "+ Block SYN/RST"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN
- echo "+ Block SYN/FIN"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
@@ -246,8 +253,10 @@ start()
done
## Port knocking
+ j=1
for args in "${PORT_KNOCK[@]}"; do
- port_knocking $args
+ port_knocking $args $j
+ ((j++))
done
## Port forwading
@@ -291,26 +300,7 @@ start()
stop()
{
echo "+ Firewall stoped"
- $IPTABLES -t filter -F
- $IPTABLES -t filter -X
-
- $IPTABLES -t filter -P INPUT ACCEPT
- $IPTABLES -t filter -P FORWARD ACCEPT
- $IPTABLES -t filter -P OUTPUT ACCEPT
-
- $IPTABLES -t nat -F
- $IPTABLES -t nat -X
-
- $IPTABLES -t nat -P PREROUTING ACCEPT
- $IPTABLES -t nat -P OUTPUT ACCEPT
- $IPTABLES -t nat -P POSTROUTING ACCEPT
-
- $IPTABLES -t mangle -F
- $IPTABLES -t mangle -X
-
- $IPTABLES -t mangle -P PREROUTING ACCEPT
- $IPTABLES -t mangle -P INPUT ACCEPT
- $IPTABLES -t mangle -P FORWARD ACCEPT
+ clean
}
case "$1" in
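Review bot: `stop()` prints its completion message before `clean` has run, so a failed flush is still reported as stopped; moving the echo after `clean` and fixing the spelling, `echo "+ Firewall stopped"`, would make the message truthful. With `clean` now resetting every policy to ACCEPT, `stop` leaves the host with no filtering at all, which the README change in this commit documents as flushing ALL rules, so a one-line comment in `stop()` stating that intent would help the next maintainer.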