authorJérôme Schneider <jschneider@entrouvert.com>2011-03-16 19:43:22 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-03-16 19:46:03 (GMT)
commit9df7935f908426fcc1e3d1566529dd5593394ed5 (patch)
tree22d4cd253d6a31b360711bafab663165bd9c8425
parent8a79bdbdec2704842ebc674d0467b07748c6f6b9 (diff)
Hudge improvements
* Change config syntax * Add a lot of tests * Support a destination when opening a port
-rw-r--r--debian/files1
-rwxr-xr-xfirewall81
-rw-r--r--firewall.conf14
3 files changed, 72 insertions, 24 deletions
diff --git a/debian/files b/debian/files
deleted file mode 100644
index f97d057..0000000
--- a/debian/files
+++ /dev/null
@@ -1 +0,0 @@
-eofirewall_0.1-20110307.1_all.deb admin extra
diff --git a/firewall b/firewall
index 2e1119d..f0167e2 100755
--- a/firewall
+++ b/firewall
@@ -1,7 +1,7 @@
#!/bin/bash
### BEGIN INIT INFO
-# Provides: firewall.sh
+# Provides: firewall
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
@@ -10,8 +10,15 @@
# Description: An iptables firewall
### END INIT INFO
-source /etc/firewall.conf
-NAME="firewall.sh"
+NAME="firewall"
+
+if [ -f "/etc/firewall.conf" ]; then
+ source /etc/firewall.conf
+else
+ echo "No configuration file /etc/firewall.conf"
+ exit 1
+fi
+
abort()
{
@@ -33,6 +40,23 @@ clean()
$IPTABLES -X
}
+test_config()
+{
+ if [ ! "$WAN_INT" -o ! "$IP" ]; then
+ echo "Bad configuration please check your /etc/firewall.conf"
+ exit 1
+ fi
+}
+
+critical_return()
+{
+ if [ `echo $?` != 0 ]; then
+ echo "!!! CRITICAL error on the last command firewall will be stop"
+ stop
+ exit 1
+ fi
+}
+
forward_port()
{
traffic=$1
@@ -43,9 +67,35 @@ forward_port()
dest_ip=$(echo $destination | cut -d ":" -f1)
dest_port=$(echo $destination | cut -d ":" -f2)
- echo "+ Forward $port to $destination for protocol $proto"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+ if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
+ echo "! Bad syntax for traffic : $1"
+ else
+ echo "+ Forward $port to $destination for protocol $proto"
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+ $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+ fi
+}
+
+open_port()
+{
+ if [ $# == 4 ]; then
+ destination=$2
+ proto=$3
+ ports=$4
+ elif [ $# == 3 ]; then
+ destination=$IP
+ proto=$2
+ ports=$3
+ else
+ echo "!!! CRITICAL Open port bad syntax : $*"
+ stop && exit 1
+ fi
+ source=$1
+ for port in $(echo $ports | sed 's/,/ /g'); do
+ echo "+ Open port $port from $source to $destination for protocol $proto"
+ $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
+ critical_return
+ done
}
port_redirection()
@@ -66,6 +116,8 @@ start()
modprobe ip_conntrack
clean
+ test_config
+
# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
@@ -79,6 +131,8 @@ start()
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ critical_return
+
if [ $LAN == 1 ]; then
echo "+ Allow WAN outgoing traffic from lan"
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
@@ -159,18 +213,11 @@ start()
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
-
- ## OPEN PORTS
- for traffic in $OPEN_PORTS; do
- source=$(echo $traffic | cut -d "-" -f1)
- proto=$(echo $traffic | cut -d "-" -f2)
- ports=$(echo $traffic | cut -d "-" -f3)
- for port in $(echo $ports | sed 's/,/ /g'); do
- echo "+ Open port $port to $source for protocol $proto"
- $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
- done
+ ## Open Ports
+ for traffic in "${OPEN_PORTS[@]}"; do
+ open_port $traffic
done
-
+
## Port forwading
for traffic in $TRAFFICS; do
forward_port $traffic
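Review bot: open_port parses an optional destination into `destination` in its 4-argument form (`destination=$2`), but the rule it installs still matches `-d $IP`, so the destination only changes the log line and the new 4-field OPEN_PORTS syntax that firewall.conf now documents has no effect on the filter. The INPUT rule should use the parsed value: `$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state ! --state INVALID -j ACCEPT` (the 3-argument form sets `destination=$IP`, so existing entries behave as before). In the bad-syntax branch `stop && exit 1` only exits when stop succeeds; `stop; exit 1` makes the abort unconditional, in line with critical_return, and avoids falling through to the port loop with whatever destination/proto/ports were left from the previous entry. open_port lies wholly inside this hunk; start, which calls it via the deliberately unquoted `open_port $traffic`, begins and ends outside the shown hunks.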
diff --git a/firewall.conf b/firewall.conf
index 5e7827a..c62c2a5 100644
--- a/firewall.conf
+++ b/firewall.conf
@@ -1,8 +1,8 @@
IPTABLES=/sbin/iptables
# WAN configuration
-WAN_INT='ethX'
-IP='x.x.x.x'
+WAN_INT='zefezfez'
+IP='122.122.122.122'
# Allow ping
PING=1
@@ -15,16 +15,18 @@ NAT=0
LAN_NETWORK=''
# Allow traffic between the WAN and LAN
LAN=0
-LAN_INT='ethX'
+LAN_INT=''
# Allow all traffic for interface(s)
# example ALLOW_INTS='br0 xenbr42'
ALLOW_INTS=''
# Open ports
-# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
-# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
-OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
+# The default destination is the IP !
+# example :
+#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
+OPEN_PORTS=("0.0.0.0/0 tcp ssh")
# Port forwarding
# source-port-destination:port-protocole source-port-destination:port-protocole ...