authorJérôme Schneider <jschneider@entrouvert.com>2013-11-14 17:56:58 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2013-11-14 17:56:58 (GMT)
commit5cc34f7b41d352ae3ff659e4010b950e02f62e9f (patch)
tree543dde49009d42a105ccaade8b509f3f6dc8eb60
parent39fb6404724340e6ddd0880546066b15da9e1720 (diff)
downloadeofirewall-5cc34f7b41d352ae3ff659e4010b950e02f62e9f.zip
eofirewall-5cc34f7b41d352ae3ff659e4010b950e02f62e9f.tar.gz
eofirewall-5cc34f7b41d352ae3ff659e4010b950e02f62e9f.tar.bz2
firewall: use users chains everywhere
-rwxr-xr-xfirewall172
-rw-r--r--firewall.conf6
2 files changed, 118 insertions, 60 deletions
diff --git a/firewall b/firewall
index 444acdf..cf626c0 100755
--- a/firewall
+++ b/firewall
@@ -21,13 +21,21 @@ abort()
exit 1
}
+chain_exists()
+{
+ local chain_name="$1" ; shift
+ [ $# -eq 1 ] && local table="--table $1"
+ iptables $table -n --list "$chain_name" >/dev/null 2>&1
+}
+
+
if [ -f "/etc/firewall/firewall.conf" ]; then
source /etc/firewall/firewall.conf
else
abort "No configuration file /etc/firewall/firewall.conf"
fi
-clean()
+flush()
{
$IPTABLES -t filter -F
$IPTABLES -t filter -X
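Review bot: chain_exists at L29 invokes the bare `iptables` binary while the callers it serves, clean() and the rest of the file, go through `$IPTABLES` from firewall.conf, so the existence check and the `-D`/`-F`/`-X` that follow it can resolve to two different binaries and disagree about which chains exist. The same bare `iptables` appears on the rewritten port_knocking lines (L136-L148) and the ping rules (L230-L232). Suggest `"$IPTABLES" $table -n --list "$chain_name" >/dev/null 2>&1`; the helper is defined before the config is sourced but is only called after it, so the variable is set at call time. `local table` is declared only when a table argument is passed (L28), which works without `set -u` but a leading `local table=` would make the empty case explicit.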
@@ -51,6 +59,59 @@ clean()
$IPTABLES -t mangle -P FORWARD ACCEPT
}
+clean()
+{
+ $IPTABLES -t filter -P INPUT ACCEPT
+ $IPTABLES -t filter -P FORWARD ACCEPT
+ $IPTABLES -t filter -P OUTPUT ACCEPT
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+ $IPTABLES -t mangle -F
+ $IPTABLES -t mangle -X
+
+ if chain_exists EO-INPUT; then
+ $IPTABLES -D INPUT -j EO-INPUT
+ $IPTABLES -F EO-INPUT
+ $IPTABLES -X EO-INPUT
+ fi
+ if chain_exists EO-OUTPUT; then
+ $IPTABLES -D OUTPUT -j EO-OUTPUT
+ $IPTABLES -F EO-OUTPUT
+ $IPTABLES -X EO-OUTPUT
+ fi
+ if chain_exists EO-FORWARD; then
+ $IPTABLES -D FORWARD -j EO-FORWARD
+ $IPTABLES -F EO-FORWARD
+ $IPTABLES -X EO-FORWARD
+ fi
+ if chain_exists LOGDROP; then
+ $IPTABLES -D INPUT -j LOGDROP
+ $IPTABLES -D OUTPUT -j LOGDROP
+ $IPTABLES -D FORWARD -j LOGDROP
+ $IPTABLES -F LOGDROP
+ $IPTABLES -X LOGDROP
+ fi
+}
+
+init()
+{
+ clean
+ test_config
+ modprobe ip_conntrack
+
+ $IPTABLES -N EO-INPUT
+ $IPTABLES -N EO-OUTPUT
+ $IPTABLES -N EO-FORWARD
+ $IPTABLES -N LOGDROP
+
+
+ # default policies
+ log_action_msg "DROP Input, Forward and Output by default"
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P FORWARD DROP
+ $IPTABLES -P OUTPUT DROP
+}
+
test_config()
{
# FIXME: test if the interface and the ip exist
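Review bot: init() at L82-L83 runs clean before test_config, reversing the order the removed L153-L155 had, and that makes a configuration error fail open: by the time test_config aborts, clean() has already set the filter policies to ACCEPT (L48-L50) and removed the EO-* and LOGDROP chains (L56-L77), so the host is left unfiltered rather than untouched. Swapping the two lines, `test_config` then `clean`, restores the previous guarantee. Separately, clean() does not know about the `EO-TOC<n>` chains that port_knocking creates with `-N` (L136), so they survive a stop and the next start's `-N` fails on an existing chain while the `--remove`/`--set` rules are appended a second time; after the EO-INPUT block (which flushes the jumps into them) a loop such as `for c in $($IPTABLES -S | awk '$1 == "-N" && $2 ~ /^EO-TOC/ {print $2}'); do $IPTABLES -F "$c"; $IPTABLES -X "$c"; done` would reclaim them.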
@@ -63,7 +124,7 @@ critical_return()
{
if [ `echo $?` != 0 ]; then
log_failure_msg "Error on the last command firewall will be stop"
- stop
+ flush
exit 1
fi
}
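Review bot: the error path now calls flush (L107), which per L41-L44 empties the filter table and resets policies to ACCEPT, so a command failing part-way through start() leaves the host with no filtering at all; the previous `stop` did the same, but now that flush is also an explicit command it is worth a comment on L107 stating the choice, e.g. `# fail open: a half-built ruleset is discarded rather than left with DROP policies and no jumps`, so the lock-out versus fail-open trade-off is recorded. The status test on L104 also reads more clearly as `if [ "$?" -ne 0 ]; then`, which avoids the backtick substitution and a string comparison on a number.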
@@ -87,7 +148,7 @@ forward_port()
log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
else
log_action_msg "Forward $port to $destination for protocol $proto"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
fi
fi
@@ -109,7 +170,7 @@ open_port()
fi
source=$1
log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
- $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
critical_return
}
@@ -145,70 +206,67 @@ port_knocking()
((i++))
tock_number=$knock_number$i
if [ $i -gt 1 ]; then
- iptables -N toc${tock_number}
- iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
- iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
+ iptables -N EO-TOC${tock_number}
+ iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
+ iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
+ iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
else
- iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
+ iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
fi
done
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
for port in $(echo $ports | sed 's/,/ /g'); do
- iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
+ iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
done
}
start()
{
- test_config
- modprobe ip_conntrack
- clean
-
- # default policies
- $IPTABLES -P INPUT DROP
- $IPTABLES -P FORWARD DROP
- $IPTABLES -P OUTPUT DROP
+ init
## allow packets coming from the machine
- $IPTABLES -A INPUT -i lo -j ACCEPT
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
+ log_action_msg "Accept lo interface"
+ $IPTABLES -A EO-INPUT -i lo -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o lo -j ACCEPT
- log_action_msg "Allow WAN outgoing traffic"
- $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
+ log_action_msg "Allow WAN outgoing traffic"
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ fi
critical_return
if [ $LAN == 1 ]; then
log_action_msg "Allow WAN outgoing traffic from lan"
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
log_action_msg "Allow local network"
- $IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
- $IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
fi
## block spoofing
log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## NMAP FIN/URG/PSH
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## stop Xmas Tree type scanning
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## stop null scanning
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
- $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## stop sync flood
log_action_msg "Block Syn flood"
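Review bot: L173 tests `$ALLOW_WAN_OUTOUT_EVERYWHERE` unquoted and with no default, and the variable is new in this commit (firewall.conf renames `ALLOW_OUTOUT_EVERYWHERE` to it at L323-L324); on a host whose installed config predates the rename, the test becomes `[ -eq 1 ]`, which is an error, the branch is skipped, EO-OUTPUT gets no WAN rule, and all outgoing WAN traffic is dropped once the jump is installed. The `critical_return` on L177 cannot catch this because an `if` whose condition fails exits 0. `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -eq 1 ]; then` makes the outcome deterministic, and a one-line `ALLOW_WAN_OUTOUT_EVERYWHERE=${ALLOW_WAN_OUTOUT_EVERYWHERE:-${ALLOW_OUTOUT_EVERYWHERE:-0}}` after the config is sourced would honour older files. start() continues beyond this hunk.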
@@ -217,22 +275,22 @@ start()
if [ $PING == 1 ]; then
log_action_msg "PING allowed"
- iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
+ iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
+ iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
+ iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
fi
if [ $FTP == 1 ]; then
log_action_msg "FTP allowed"
modprobe ip_conntrack_ftp
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
# Data
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive mod
- $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
## Open Ports
@@ -278,9 +336,12 @@ start()
ipt_hook
+ $IPTABLES -A INPUT -j EO-INPUT
+ $IPTABLES -A OUTPUT -j EO-OUTPUT
+ $IPTABLES -A FORWARD -j EO-FORWARD
+
## LOG
## Create a LOGDROP chain to log and drop packets
- $IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4
$IPTABLES -A LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4
$IPTABLES -A LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4
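Review bot: the three jumps at L255-L257 are appended with `-A` after `ipt_hook`, so anything that hook (its body is outside this diff) or other parts of start() add directly to INPUT/OUTPUT/FORWARD is evaluated before the EO-* chains; and because clean() only deletes the EO-* and LOGDROP jumps (L56-L77) instead of flushing the builtin chains, such rules persist and accumulate across stop/start cycles. Either move those rules into the EO-* chains as well, or have clean() flush INPUT/OUTPUT/FORWARD before it sets the ACCEPT policies, so that stop followed by start is idempotent. If the intended invariant is that the builtin chains hold only these jumps and the final LOGDROP jumps, a comment on L255 saying so, `# builtin chains carry only the EO-* jumps and the trailing LOGDROP jumps`, would help the next change keep it. start() continues outside the hunk.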
@@ -289,15 +350,9 @@ start()
$IPTABLES -A INPUT -j LOGDROP
$IPTABLES -A OUTPUT -j LOGDROP
$IPTABLES -A FORWARD -j LOGDROP
-
}
-stop()
-{
- clean
-}
-
case "$1" in
start|restore)
log_daemon_msg "Starting firewall"
@@ -310,7 +365,7 @@ case "$1" in
;;
stop)
log_daemon_msg "Stopping firewall"
- stop || exit 1
+ clean || exit 1
log_end_msg 0
;;
test)
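Review bot: `clean || exit 1` on L284 only reflects the exit status of clean()'s last statement, the `if chain_exists LOGDROP` block at L71-L77, so a failed `-D`/`-F`/`-X` earlier in clean() goes unreported and the stop path still prints `log_end_msg 0`. Have clean() accumulate a status — `local rc=0` at the top, `|| rc=1` on each iptables call, `return $rc` at the end — so this guard carries information. Note that by the time clean() can fail it has already switched the filter policies to ACCEPT (L48-L50), so the log message is the only signal an operator gets that the teardown was incomplete.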
@@ -325,7 +380,7 @@ case "$1" in
iptables-restore < /etc/network/iptables-save
log_action_msg "Old rules restored"
else
- stop
+ flush
log_action_msg "Rules flushed"
fi
log_action_msg "If you are happy with this new rules please use save option"
@@ -336,6 +391,9 @@ case "$1" in
iptables-save > /etc/network/iptables-save
log_end_msg 0
;;
+ flush)
+ flush
+ ;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|restore|save|test|stop}"
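Review bot: the new `flush)` arm at L301-L303 is missing from the usage string on L306, which still lists `{start|restore|save|test|stop}`, and unlike the other arms it emits no `log_daemon_msg`/`log_end_msg`. Since flush() empties the filter table and resets the policies (L41-L44), leaving the host unfiltered, it deserves the same visibility as stop: `log_daemon_msg "Flushing firewall"`, `flush || exit 1`, `log_end_msg 0`, and `echo "Usage: $N {start|restore|save|test|stop|flush}"`.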
diff --git a/firewall.conf b/firewall.conf
index 29a300f..7606bac 100644
--- a/firewall.conf
+++ b/firewall.conf
@@ -1,8 +1,8 @@
IPTABLES=/sbin/iptables
## WAN configuration
-WAN_INT='' # WAN interface
-IP='' # WAN IP
+WAN_INT='eth0' # WAN interface
+IP='192.168.0.1' # WAN IP
PING=1 # Allow ping
FTP=0 # Allow FTP server (passive and active)
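Review bot: L316-L317 replace the empty defaults with `WAN_INT='eth0'` and `IP='192.168.0.1'`; if this file is what gets installed as /etc/firewall/firewall.conf (the path the script sources on L34), an unconfigured host no longer carries an obviously empty value but instead builds its open_port, FTP and DNAT rules around an address its WAN interface presumably does not hold, and test_config, which per its own FIXME on L101 does not yet verify the interface or IP, will not notice. Prefer keeping the empty defaults and documenting the example in the comment, `WAN_INT='' # WAN interface, e.g. eth0`, or keep the sample values and have test_config check that the interface and address actually exist.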
@@ -14,7 +14,7 @@ LAN=0 # Allow traffic between the WAN and LAN
LAN_INT='' # LAN interface
## Allow OUTPUT for everything
-ALLOW_OUTOUT_EVERYWHERE=0
+ALLOW_WAN_OUTOUT_EVERYWHERE=1
## Allow all traffic for interface(s)
# example ALLOW_INTS='br0 xenbr42'
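Review bot: L323-L324 rename `ALLOW_OUTOUT_EVERYWHERE` and at the same time flip its default from 0 to 1, so a fresh install now allows all outgoing WAN traffic (the rule on L175) by default — a change in the shipped posture that the commit title does not mention. If the permissive default is intended, state it in the comment, `## Allow all outgoing traffic on the WAN interface (1 = allow, the default)`; otherwise keep `=0`. The rename also silently drops the setting for configs that still use the old name, since the script reads only the new variable (L173).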