authorJérôme Schneider <jschneider@entrouvert.com>2011-06-21 13:26:05 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2011-06-21 13:26:05 (GMT)
commitec75d05e475e23ef819d8f724313b887858e8de1 (patch)
tree4f83f078262f30e05e1001a2bbdd5e81005bdd85
parent6a34b1697ea9f1955ee3b75809b3cd388790a8ec (diff)
downloadeofirewall-ec75d05e475e23ef819d8f724313b887858e8de1.zip
eofirewall-ec75d05e475e23ef819d8f724313b887858e8de1.tar.gz
eofirewall-ec75d05e475e23ef819d8f724313b887858e8de1.tar.bz2
Fix port knocking and deb entry
-rw-r--r--debian/changelog11
-rwxr-xr-xfirewall23
-rw-r--r--firewall.conf2
3 files changed, 25 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog
index 71eeb3c..dfc143c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+eofirewall (0.1-20110621.1) unstable; urgency=low
+
+ * New release
+ * Support port knocking
+ * Add a test option
+ * Add save and load of the rules
+ * Modify states to support last iptables version
+ * Add logrotate support for the Debian packages
+
+ -- Jérôme Schneider <jschneider@entrouvert.com> Tue, 21 Jun 2011 14:27:36 +0200
+
eofirewall (0.1-20110509.1) unstable; urgency=low
* Using SNAT instead of DNAT
diff --git a/firewall b/firewall
index 4545010..5148e69 100755
--- a/firewall
+++ b/firewall
@@ -128,17 +128,20 @@ port_knocking()
port=$1
knock_ports=$2
-
- iptables -N toc2
- iptables -A toc2 -m recent --name toc1 --remove
- iptables -A toc2 -m recent --name toc2 --set
- iptables -N toc3
- iptables -A toc3 -m recent --name toc2 --remove
- iptables -A toc3 -m recent --name toc3 --set
- for port in $(echo $knock_ports | sed 's/,/ /g'); do
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
+ i=0
+
+ for kport in $(echo $knock_ports | sed 's/,/ /g'); do
+ ((i++))
+ if [ $i -gt 1 ]; then
+ iptables -N toc$i
+ iptables -A toc$i -m recent --name toc$(($i-1)) --remove
+ iptables -A toc$i -m recent --name toc$i --set
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
+ else
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
+ fi
done
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
+ iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
}
start()
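Review bot: The chain and recent-list names `toc$i` depend only on the loop index, so if `PORT_KNOCK` holds more than one entry (the array form in firewall.conf suggests it can) a second `port_knocking` call would fail on `iptables -N toc2` because the chain already exists, and the two sequences would share knock state; the caller is outside the hunk, so this is inferred. Deriving the names from the protected port, e.g. `name=toc_${port}_$i`, keeps each sequence independent. The intermediate `--rcheck --name toc$(($i-1))` rules carry no `--seconds`, unlike the final ACCEPT rule, so a partially completed sequence stays valid indefinitely; adding `--seconds 15` to them bounds the window. Separately, `((i++))` returns non-zero when `i` is 0, which aborts the first iteration if the script runs under `set -e`; `i=$((i+1))` avoids that, and `for kport in ${knock_ports//,/ }` drops the `echo | sed` pipe.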
diff --git a/firewall.conf b/firewall.conf
index 5ce3764..88b8ec7 100644
--- a/firewall.conf
+++ b/firewall.conf
@@ -24,7 +24,7 @@ ALLOW_INTS=''
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
-## Port knocking
+## Port knocking (tcp only)
# "port knock_ports_combinaison"
# example : PORT_KNOCK("22 121,4353,4242,111")
PORT_KNOCK=()