summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJérôme Schneider <jschneider@entrouvert.com>2013-11-09 09:49:32 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2013-11-09 09:49:32 (GMT)
commit8e2e27f2b912d47e0cb7141093e9ce6c7827976a (patch)
tree6d2fca41e52b58050514481e79d554db18c4c840
parent11827cd6d1c02f8f182d70c4246a05df8a70d805 (diff)
downloadeofirewall-8e2e27f2b912d47e0cb7141093e9ce6c7827976a.zip
eofirewall-8e2e27f2b912d47e0cb7141093e9ce6c7827976a.tar.gz
eofirewall-8e2e27f2b912d47e0cb7141093e9ce6c7827976a.tar.bz2
Cleanning debian branch
-rw-r--r--Makefile18
-rw-r--r--README16
-rwxr-xr-xdebian/rules2
-rwxr-xr-xfirewall346
-rw-r--r--firewall.conf58
-rw-r--r--rsyslog.conf2
6 files changed, 2 insertions, 440 deletions
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 702d59a..0000000
--- a/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-##
-## Makefile for firewall
-##
-## Made by jerome schneider Entr'ouvert
-## Login <jschneider@entrouvert.org>
-##
-
-NAME = firewall
-DESTDIR=
-
-all:
-
-install:
- install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
- install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
- install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
- install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
- install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
diff --git a/README b/README
deleted file mode 100644
index 6f99ad2..0000000
--- a/README
+++ /dev/null
@@ -1,16 +0,0 @@
-= Installation =
- * Requrie: rsyslog, logrotate and iptables
- * make install
- * Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
- * Configure /etc/firewall/firewall.conf
-
-= Usage =
-
-First launch test your configuration:
- /etc/init.d/firewall test
-Second save this change (this will load your rules and save it):
- /etc/init.d/firewall save
-You need to use save at least one time.
-
-/etc/init.d/firewall stop: will flush ALL your rules
-/etc/init.d/firewall start|restore: will load your saved rules
diff --git a/debian/rules b/debian/rules
index 761c3f0..1a1e703 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,3 +12,5 @@
%:
dh $@
+override_dh_installinit:
+ dh_installinit --name=firewall
diff --git a/firewall b/firewall
deleted file mode 100755
index 444acdf..0000000
--- a/firewall
+++ /dev/null
@@ -1,346 +0,0 @@
-#!/bin/bash
-
-### BEGIN INIT INFO
-# Provides: firewall
-# Required-Start: $remote_fs $syslog $network
-# Required-Stop: $remote_fs $syslog $network
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Iptables firewall
-# Description: An iptables firewall
-### END INIT INFO
-
-. /lib/lsb/init-functions
-
-NAME="firewall"
-
-abort()
-{
- message=$@
- log_failure_msg "$message"
- exit 1
-}
-
-if [ -f "/etc/firewall/firewall.conf" ]; then
- source /etc/firewall/firewall.conf
-else
- abort "No configuration file /etc/firewall/firewall.conf"
-fi
-
-clean()
-{
- $IPTABLES -t filter -F
- $IPTABLES -t filter -X
-
- $IPTABLES -t filter -P INPUT ACCEPT
- $IPTABLES -t filter -P FORWARD ACCEPT
- $IPTABLES -t filter -P OUTPUT ACCEPT
-
- $IPTABLES -t nat -F
- $IPTABLES -t nat -X
-
- $IPTABLES -t nat -P PREROUTING ACCEPT
- $IPTABLES -t nat -P OUTPUT ACCEPT
- $IPTABLES -t nat -P POSTROUTING ACCEPT
-
- $IPTABLES -t mangle -F
- $IPTABLES -t mangle -X
-
- $IPTABLES -t mangle -P PREROUTING ACCEPT
- $IPTABLES -t mangle -P INPUT ACCEPT
- $IPTABLES -t mangle -P FORWARD ACCEPT
-}
-
-test_config()
-{
- # FIXME: test if the interface and the ip exist
- if [ ! "$WAN_INT" -o ! "$IP" ]; then
- abort "Bad configuration please check /etc/firewall/firewall.conf"
- fi
-}
-
-critical_return()
-{
- if [ `echo $?` != 0 ]; then
- log_failure_msg "Error on the last command firewall will be stop"
- stop
- exit 1
- fi
-}
-
-forward_port()
-{
- if [ $# != 4 ]; then
- log_warning_msg "Bad syntax for port forward : $*"
- return
- fi
-
- local source=$1
- local port=$2
- local destination=$3
- local proto=$4
-
- if echo "$destination" | grep -q ":"; then
- dest_ip=$(echo $destination | cut -d ":" -f1)
- dest_port=$(echo $destination | cut -d ":" -f2)
- if [ ! "$LAN_INT" ]; then
- log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
- else
- log_action_msg "Forward $port to $destination for protocol $proto"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
- fi
- fi
-
-}
-
-open_port()
-{
- if [ $# == 4 ]; then
- local destination=$2
- local proto=$3
- local ports=$4
- elif [ $# == 3 ]; then
- local destination=$IP
- local proto=$2
- local ports=$3
- else
- log_warning_msg "Open port bad syntax : $*"
- fi
- source=$1
- log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
- $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
- critical_return
-}
-
-port_redirection()
-{
- if [ $# != 4 ]; then
- log_warning_msg "Bad syntax for port redirection : $*"
- return
- fi
-
- local if=$1
- local proto=$2
- local srcport=$3
- local destport=$4
-
- log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
- iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
-}
-
-port_knocking()
-{
- if [ $# != 3 ]; then
- log_warning_msg "Bad syntax for port knocking : $*"
- return
- fi
-
- local ports=$1
- local knock_ports=$2
- local knock_number=$3
- local i=0
-
- for kport in $(echo $knock_ports | sed 's/,/ /g'); do
- ((i++))
- tock_number=$knock_number$i
- if [ $i -gt 1 ]; then
- iptables -N toc${tock_number}
- iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
- iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
- else
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
- fi
- done
- log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
- for port in $(echo $ports | sed 's/,/ /g'); do
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
- done
-}
-
-start()
-{
- test_config
- modprobe ip_conntrack
- clean
-
- # default policies
- $IPTABLES -P INPUT DROP
- $IPTABLES -P FORWARD DROP
- $IPTABLES -P OUTPUT DROP
-
- ## allow packets coming from the machine
- $IPTABLES -A INPUT -i lo -j ACCEPT
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
- log_action_msg "Allow WAN outgoing traffic"
- $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- critical_return
-
- if [ $LAN == 1 ]; then
- log_action_msg "Allow WAN outgoing traffic from lan"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- log_action_msg "Allow local network"
- $IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
- $IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
- fi
-
- ## block spoofing
- log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
- echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
- ## NMAP FIN/URG/PSH
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- ## stop Xmas Tree type scanning
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- ## stop null scanning
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
- ## SYN/RST
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- ## SYN/FIN
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-
- ## stop sync flood
- log_action_msg "Block Syn flood"
- echo "1" >/proc/sys/net/ipv4/tcp_syncookies
- echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
-
- if [ $PING == 1 ]; then
- log_action_msg "PING allowed"
- iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
- fi
-
- if [ $FTP == 1 ]; then
- log_action_msg "FTP allowed"
- modprobe ip_conntrack_ftp
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
- # Data
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Passive mod
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
- fi
-
- ## Open Ports
- for args in "${OPEN_PORTS[@]}"; do
- open_port $args
- done
-
- ## Port knocking
- local i=1
- for args in "${PORT_KNOCK[@]}"; do
- port_knocking $args $i
- ((i++))
- done
-
- ## Port forwading
- for args in "${TRAFFICS[@]}"; do
- forward_port $args
- done
-
- ## Port redirection
- for args in "${REDIRECTIONS[@]}"; do
- port_redirection $args
- done
-
- ## Old: Whitelist
- for arg in "${WHITELIST_SSH[@]}"; do
- log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
- open_port $arg tcp ssh
- done
-
- for ip in "${WHITELIST[@]}"; do
- for args in "${WHITELIST_OPEN_PORTS[@]}"; do
- open_port $ip $args
- done
- done
-
- ## NAT
- if [ $NAT == 1 ]; then
- log_action_msg "Activate nat"
- for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
- $IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
- fi
-
- ipt_hook
-
- ## LOG
- ## Create a LOGDROP chain to log and drop packets
- $IPTABLES -N LOGDROP
- $IPTABLES -A LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4
- $IPTABLES -A LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4
- $IPTABLES -A LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4
- $IPTABLES -A LOGDROP -j DROP
-
- $IPTABLES -A INPUT -j LOGDROP
- $IPTABLES -A OUTPUT -j LOGDROP
- $IPTABLES -A FORWARD -j LOGDROP
-
-}
-
-
-stop()
-{
- clean
-}
-
-case "$1" in
- start|restore)
- log_daemon_msg "Starting firewall"
- if [ -f /etc/network/iptables-save ]; then
- iptables-restore < /etc/network/iptables-save
- else
- log_warning_msg "No iptables rules saved please use test and save script options"
- fi
- log_end_msg 0
- ;;
- stop)
- log_daemon_msg "Stopping firewall"
- stop || exit 1
- log_end_msg 0
- ;;
- test)
- log_action_msg "Testing new rules"
- log_action_msg "You have 30 seconds to test your new rules"
- start || exit 1
- log_end_msg 0
- log_action_msg "... Please test your rules"
- sleep 30
- log_action_msg "---- The test is finished ----"
- if [ -f /etc/network/iptables-save ]; then
- iptables-restore < /etc/network/iptables-save
- log_action_msg "Old rules restored"
- else
- stop
- log_action_msg "Rules flushed"
- fi
- log_action_msg "If you are happy with this new rules please use save option"
- ;;
- save)
- log_action_msg "Starting and saving new rules"
- start || exit 1
- iptables-save > /etc/network/iptables-save
- log_end_msg 0
- ;;
- *)
- N=/etc/init.d/$NAME
- echo "Usage: $N {start|restore|save|test|stop}"
- exit 2
- ;;
-esac
-
-exit 0
diff --git a/firewall.conf b/firewall.conf
deleted file mode 100644
index 92284d7..0000000
--- a/firewall.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-IPTABLES=/sbin/iptables
-
-## WAN configuration
-WAN_INT='' # WAN interface
-IP='' # WAN IP
-
-PING=1 # Allow ping
-FTP=0 # Allow FTP server (passive and active)
-
-## LAN configuration
-NAT=0 # Activate nat (need a LAN_NETWORK)
-LAN_NETWORK='' # LAN network (ex: 192.168.1.0/24)
-LAN=0 # Allow traffic between the WAN and LAN
-LAN_INT='' # LAN interface
-
-## Allow all traffic for interface(s)
-# example ALLOW_INTS='br0 xenbr42'
-ALLOW_INTS=''
-
-## Open ports
-# "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
-# The default destination is the IP !
-# example : OPEN_PORTS=("0.0.0.0/0 tcp 22"
-# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
-OPEN_PORTS=("0.0.0.0/0 tcp ssh")
-
-## Port knocking (tcp only)
-# "port[,port] knock_ports_combinaison"
-# example : PORT_KNOCK("22,4242 121,4353,4242,111")
-PORT_KNOCK=()
-
-## Port forwarding
-# "source port destination:port protocol" "source port destination:port protocol" ...
-# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
-TRAFFICS=()
-
-## Port redirection
-# "interface protocol sourceport destport" ...
-# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
-REDIRECTIONS=()
-
-## Whitelist
-# example with an external file
-# source /etc/firewall/whitelist_ssh
-# WHITELIST=(${WHITELIST[@])
-# example : WHITELIST=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
-#WHITELIST=()
-
-## Whitelist port and protocol
-# exmaple : WHITELIST_OPEN_PORTS=("tcp ssh,8006" "udp 4242")
-
-# Hook point to write your own iptables rules
-ipt_hook()
-{
- echo "+ Load your own iptables rules"
- # Write your own iptables rules here
-}
-
diff --git a/rsyslog.conf b/rsyslog.conf
deleted file mode 100644
index 455207a..0000000
--- a/rsyslog.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-:msg,contains,"iptables:" /var/log/iptables.log
-& ~