authorJérôme Schneider <jschneider@entrouvert.com>2011-05-09 20:44:46 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-05-09 20:44:46 (GMT)
commitde369b6a3e9fa86bf0de2632d9d39d236826d2fb (patch)
treede918aabd4600360e0a6eabf9adcd9de8f3635cb
parent1785bd3b8f8ac7b6b770220672f3f1a4a7c93e57 (diff)
downloadeofirewall-de369b6a3e9fa86bf0de2632d9d39d236826d2fb.zip
eofirewall-de369b6a3e9fa86bf0de2632d9d39d236826d2fb.tar.gz
eofirewall-de369b6a3e9fa86bf0de2632d9d39d236826d2fb.tar.bz2
Improve firewall:
* Using SNAT instead of DNAT * Finish new configuration file * Add test
-rwxr-xr-xfirewall85
-rw-r--r--firewall.conf53
2 files changed, 68 insertions, 70 deletions
diff --git a/firewall b/firewall
index b4a457a..951d074 100755
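--- a/firewall
+++ b/firewall
@@ -59,21 +59,28 @@ critical_return()
 forward_port()
 {
- traffic=$1
- source=$(echo $traffic | cut -d "-" -f1)
- port=$(echo $traffic | cut -d "-" -f2)
- destination=$(echo $traffic | cut -d "-" -f3)
- proto=$(echo $traffic | cut -d "-" -f4)
- dest_ip=$(echo $destination | cut -d ":" -f1)
- dest_port=$(echo $destination | cut -d ":" -f2)
-
- if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
- echo "! Bad syntax for traffic : $1"
- else
- echo "+ Forward $port to $destination for protocol $proto"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+ if [ $# != 4 ]; then
+ echo "! Bad syntax for port forward : $*"
+ return
+ fi
+
+ source=$1
+ port=$2
+ destination=$3
+ proto=$4
+
+ if echo "$destination" | grep -q ":"; then
+ dest_ip=$(echo $destination | cut -d ":" -f1)
+ dest_port=$(echo $destination | cut -d ":" -f2)
+ if [ ! "$LAN_INT" ]; then
+ echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
+ else
+ echo "+ Forward $port to $destination for protocol $proto"
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+ $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+ fi
 fi
+
 }
 open_port()
@@ -100,14 +107,18 @@ open_port()
 port_redirection()
 {
- redirection=$1
- int=$(echo $traffic | cut -d "-" -f1)
- srcport=$(echo $traffic | cut -d "-" -f2)
- destport=$(echo $traffic | cut -d "-" -f3)
- proto=$(echo $traffic | cut -d "-" -f4)
-
- echo "+ Redirect $int port $srcport to $destport for portocol $proto"
- iptables -t nat -A PREROUTING -i $int -p $proto --dport $srcport -j REDIRECT --to-port $destport
+ if [ $# != 4 ]; then
+ echo "! Bad syntax for port redirection : $*"
+ return
+ fi
+
+ if=$1
+ proto=$2
+ srcport=$3
+ destport=$4
+
+ echo "+ Redirect $if port $srcport to $destport for portocol $proto"
+ iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
 }
 start()
@@ -188,16 +199,9 @@ start()
 if [ $PING == 1 ]; then
 echo "+ PING allowed"
- ## stop ping flood attack
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
- # Don't accept ICMP redirect messages
- echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
- # Don't send ICMP redirect messages
- echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
- $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
- $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "iptables: PING-FLOOD: " --log-ip-options --log-level 4
- $IPTABLES -A INPUT -p icmp -j DROP
+ iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
+ iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
+ iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
 fi
 if [ $FTP == 1 ]; then
@@ -214,26 +218,25 @@ start()
 fi
 ## Open Ports
- for traffic in "${OPEN_PORTS[@]}"; do
- open_port $traffic
+ for args in "${OPEN_PORTS[@]}"; do
+ open_port $args
 done
 ## Port forwading
- for traffic in $TRAFFICS; do
- forward_port $traffic
+ for args in "${TRAFFICS[@]}"; do
+ forward_port $args
 done
 ## Port redirection
- for redirection in $REDIRECTIONS; do
- port_redirection $redirection
+ for args in "${REDIRECTIONS[@]}"; do
+ port_redirection $args
 done
 ## NAT
 if [ $NAT == 1 ]; then
 echo "+ Activate nat"
- modprobe ip_nat_ftp
- modprobe ip_nat_irc
- $IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j MASQUERADE
+ for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
+ $IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
 fi
 ipt_hook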
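Review bot: In forward_port the new `if echo "$destination" | grep -q ":"` test has no else branch, so a destination given without a port (the third argument lacking `:`) is accepted by the `$# != 4` check and then silently produces neither a message nor a rule, where the old code at least reported bad syntax; add `else` / `echo "! Bad syntax for port forward (destination must be ip:port) : $*"` before the closing `fi`. The new port_redirection rule and the three PING rules in start() call bare `iptables` while every other rule in the file goes through `$IPTABLES`; using `$IPTABLES` there too keeps the configured binary path honoured. Naming the interface variable `if` (`if=$1`) is legal but easy to misread next to the surrounding `if` statements; `int` as before, or `iface`, would be clearer. start() begins and ends outside the hunks shown here.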
diff --git a/firewall.conf b/firewall.conf
index 1b4e580..8f08a85 100644
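--- a/firewall.conf
+++ b/firewall.conf
@@ -1,47 +1,42 @@
 IPTABLES=/sbin/iptables
-# WAN configuration
-WAN_INT=''
-IP=''
+## WAN configuration
+WAN_INT='' # WAN interface
+IP='' # WAN IP
-# Allow ping
-PING=1
+PING=1 # Allow ping
+FTP=0 # Allow FTP server (passive and active)
-# Allow FTP server (passive and active)
-FTP=0
+## LAN configuration
+NAT=0 # Activate nat (need a LAN_NETWORK)
+LAN_NETWORK='' # LAN network (ex: 192.168.1.0/24)
+LAN=0 # Allow traffic between the WAN and LAN
+LAN_INT='' # LAN interface
-# NAT LAN_NETWORK
-NAT=0
-LAN_NETWORK=''
-# Allow traffic between the WAN and LAN
-LAN=0
-LAN_INT=''
-
-# Allow all traffic for interface(s)
+## Allow all traffic for interface(s)
 # example ALLOW_INTS='br0 xenbr42'
 ALLOW_INTS=''
-# Open ports
-# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
+## Open ports
+# "source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]" ...
 # The default destination is the IP !
-# example :
-#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
+# example : OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
 OPEN_PORTS=("0.0.0.0/0 tcp ssh")
-# Port forwarding
-# source-port-destination:port-protocole source-port-destination:port-protocole ...
-# example : TRAFFICS='0.0.0.0/0-80-192.168.0.42:80-tcp 42.42.42.42-4242-192.168.0.43:22-tcp'
-TRAFFICS=""
+## Port forwarding
+# "source port destination:port protocol" "source port destination:port protocol" ...
+# example : TRAFFICS=("0.0.0.0/0 80 192.168.0.42:80 tcp" "42.42.42.42 4242 192.168.0.43:22 tcp")
+TRAFFICS=("")
-# Port redirection
-# interface-sourceport-destport-protocole
-# example : REDIRECTIONS='$LAN_INT-25-4242-tcp $WAN_INT-25-4242-udp eth42-32-25-tcp'
-REDIRECTIONS=""
+## Port redirection
+# "interface protocol sourceport destport" ...
+# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
+REDIRECTIONS=("")
 # Hook point to write your own iptables rules
 ipt_hook()
 {
- echo "+ Load your own iptables rules"
- # Write your own iptables rules here
+ echo "+ Load your own iptables rules"
+ # Write your own iptables rules here
 }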
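Review bot: `TRAFFICS=("")` and `REDIRECTIONS=("")` declare one-element arrays holding an empty string, not empty arrays, so with the shipped defaults the `for args in "${TRAFFICS[@]}"` and `"${REDIRECTIONS[@]}"` loops in start() each make one call with zero arguments and print the "Bad syntax" message on every start. Declare them empty instead: `TRAFFICS=()` and `REDIRECTIONS=()`, which matches how `OPEN_PORTS` is written. The `REDIRECTIONS` example uses `$LAN_INT` inside double quotes, which only works because `LAN_INT` is assigned earlier in this file; a comment such as `# $LAN_INT is expanded when this file is sourced, so it must be set above` would save the next editor from moving the block.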