Fix port knocking and deb entry

This commit is contained in:
Jérôme Schneider 2011-06-21 15:26:05 +02:00
parent 6a34b1697e
commit ec75d05e47
3 changed files with 24 additions and 10 deletions

debian/changelog vendored

@ -1,3 +1,14 @@
eofirewall (0.1-20110621.1) unstable; urgency=low
* New release
* Support port knocking
* Add a test option
* Add save and load of the rules
* Modify states to support last iptables version
* Add logrotate support for the Debian packages
-- Jérôme Schneider <jschneider@entrouvert.com> Tue, 21 Jun 2011 14:27:36 +0200
eofirewall (0.1-20110509.1) unstable; urgency=low
* Using SNAT instead of DNAT


@ -128,17 +128,20 @@ port_knocking()
port=$1
knock_ports=$2
i=0
iptables -N toc2
iptables -A toc2 -m recent --name toc1 --remove
iptables -A toc2 -m recent --name toc2 --set
iptables -N toc3
iptables -A toc3 -m recent --name toc2 --remove
iptables -A toc3 -m recent --name toc3 --set
for port in $(echo $knock_ports | sed 's/,/ /g'); do
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --set --name toc1
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
((i++))
if [ $i -gt 1 ]; then
iptables -N toc$i
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
iptables -A toc$i -m recent --name toc$i --set
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
else
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
fi
done
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc3 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
}
start()
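Review bot: The chain and recent-list names `toc$i` built inside the new loop and used by the final ACCEPT rule depend only on the loop counter, not on `$port`, so if port_knocking is invoked once per PORT_KNOCK entry (the caller is outside this hunk) a second entry would run `iptables -N toc2` against an already-existing chain and share its knock state with the first sequence; deriving the names from the protected port, e.g. `--name "toc${port}_$i"` and `-j "toc${port}_$i"`, keeps each sequence independent. The intermediate rule `-m recent --rcheck --name toc$(($i-1))` carries no `--seconds`, so a partially entered sequence never expires, unlike the final rule; `--rcheck --seconds 15 --name toc$(($i-1))` would bound every stage the same way. Nothing removes a source from the lists on a wrong knock, so the sequence is enforced only in order, not against interleaved traffic — worth a comment above the loop, e.g. `# knocks must arrive in order; stray hits on other ports do not reset the sequence`. As a point of style, `$(echo $knock_ports | sed 's/,/ /g')` can be replaced by the expansion `${knock_ports//,/ }` with no fork. The port_knocking() signature sits just above the hunk.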


@ -24,7 +24,7 @@ ALLOW_INTS=''
# "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
## Port knocking
## Port knocking (tcp only)
# "port knock_ports_combinaison"
# example : PORT_KNOCK("22 121,4353,4242,111")
PORT_KNOCK=()