authorJérôme Schneider <jschneider@entrouvert.com>2013-11-15 11:05:40 (GMT)
committerJérôme Schneider <jschneider@entrouvert.com>2013-11-15 11:05:40 (GMT)
commit5cf9c1039f64ec56cc1ca5436b5881e59df1dfcd (patch)
tree50ec9907c6dcdc4b3f9c6020ba176fef094ef85c
parent033410319d74fb0a976b05d0508e3b27042111b0 (diff)
downloadeofirewall-5cf9c1039f64ec56cc1ca5436b5881e59df1dfcd.zip
eofirewall-5cf9c1039f64ec56cc1ca5436b5881e59df1dfcd.tar.gz
eofirewall-5cf9c1039f64ec56cc1ca5436b5881e59df1dfcd.tar.bz2
eofirewall: implement output filters
-rwxr-xr-xeofirewall65
1 files changed, 45 insertions, 20 deletions
diff --git a/eofirewall b/eofirewall
index 52047c1..c4a5268 100755
--- a/eofirewall
+++ b/eofirewall
@@ -15,7 +15,7 @@ chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local table="--table $1"
- iptables $table -n --list "$chain_name" >/dev/null 2>&1
+ $IPTABLES $table -n --list "$chain_name" >/dev/null 2>&1
}
@@ -114,7 +114,7 @@ critical_return()
{
if [ `echo $?` != 0 ]; then
log_failure_msg "Error on the last command firewall will be stop"
- flush
+ clean
exit 1
fi
}
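Review bot: The status test in critical_return still reads `if [ `echo $?` != 0 ]`, a command substitution string-compared against `0`; the idiom is `if [ $? -ne 0 ]; then`, and since `$?` is overwritten by the first command executed inside the function, capturing it as `local rc=$?` on the first line makes the intent explicit and robust to later edits. Whether `clean` (replacing `flush` here) leaves the host with permissive default policies cannot be seen in this hunk; if it does, a failure mid-start ends with no filtering at all, which deserves a comment on this function such as `# on error: remove partial ruleset and abort; host is unfiltered until next start`.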
@@ -144,8 +144,7 @@ forward_port()
fi
}
-
-open_port()
+open_input_port()
{
if [ $# == 4 ]; then
local destination=$2
@@ -164,6 +163,25 @@ open_port()
critical_return
}
+open_output_port()
+{
+ if [ $# == 4 ]; then
+ local source=$2
+ local proto=$3
+ local ports=$4
+ elif [ $# == 3 ]; then
+ local source=$IP
+ local proto=$2
+ local ports=$3
+ else
+ log_warning_msg "Open output port bad syntax : $*"
+ fi
+ destination=$1
+ log_action_msg "Open output port(s) $ports from $source to $destination for protocol $proto"
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
+ critical_return
+}
+
port_redirection()
{
if [ $# != 4 ]; then
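Review bot: In open_output_port the bad-syntax branch only logs a warning and falls through, so with `$source`, `$proto` and `$ports` unset the `$IPTABLES -A EO-OUTPUT` line runs with empty `-p`/`-s`/`--dports` arguments, fails, and critical_return then tears the whole firewall down over one malformed config entry; add `return 1` after the `log_warning_msg` line so the entry is skipped instead. `destination=$1` is also the only assignment in the function without `local`, so it leaks into the caller; make it `local destination=$1`. The expansions in the rule would be safer quoted, `-p "$proto" -s "$source" -d "$destination"`, as a value containing whitespace is otherwise split into extra iptables arguments.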
@@ -177,7 +195,7 @@ port_redirection()
local destport=$4
log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
- iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
+ $IPTABLES -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
}
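Review bot: The nat REDIRECT rule in port_redirection is not followed by `critical_return`, unlike the `$IPTABLES -A EO-OUTPUT` line in open_output_port added by this same commit, so a failed insertion is silently ignored and the script continues as if the port were redirected. Add `critical_return` after the `$IPTABLES -t nat -A PREROUTING` line for consistent error handling. port_redirection begins outside the hunk.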
port_knocking()
@@ -196,17 +214,17 @@ port_knocking()
((i++))
tock_number=$knock_number$i
if [ $i -gt 1 ]; then
- iptables -N EO-TOC${tock_number}
- iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
- iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
+ $IPTABLES -N EO-TOC${tock_number}
+ $IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
+ $IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
else
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
fi
done
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
for port in $(echo $ports | sed 's/,/ /g'); do
- iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
+ $IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
done
}
@@ -221,8 +239,10 @@ start()
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
- if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
- log_action_msg "Allow WAN outgoing traffic"
+ if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
+ $IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
+ else
+ log_action_msg "Allow WAN outgoing traffic to everywhere"
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
fi
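Review bot: The inverted test `[ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]` now fails open: if the variable is unset or empty the test becomes `[ -eq 0 ]`, which is a syntax error with non-zero status, so the new else branch runs and NEW outgoing traffic is allowed everywhere. The previous `-eq 1` form merely skipped the block in that case. Use a restrictive default, `if [ "${ALLOW_WAN_OUTOUT_EVERYWHERE:-0}" -eq 0 ]; then`, so a missing setting keeps output filtered. start() continues outside the hunk.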
@@ -265,9 +285,9 @@ start()
if [ $PING == 1 ]; then
log_action_msg "PING allowed"
- iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
- iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
+ $IPTABLES -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
fi
if [ $FTP == 1 ]; then
@@ -283,9 +303,14 @@ start()
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
- ## Open Ports
+ ## Open input ports
for args in "${OPEN_PORTS[@]}"; do
- open_port $args
+ open_input_port $args
+ done
+
+ ## Open ouput ports
+ for args in "${OUPUT_DESTINATIONS[@]}"; do
+ open_output_port $args
done
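Review bot: The new loop iterates `"${OUPUT_DESTINATIONS[@]}"` under a comment reading `## Open ouput ports`; if the configuration file spells the array OUTPUT_DESTINATIONS, this expands to nothing and no output rule is ever installed, with no warning since an undefined array is not an error here. Confirm the name against the config file and fix the comment, and consider a diagnostic when the array is empty, e.g. `[ ${#OUPUT_DESTINATIONS[@]} -eq 0 ] && log_action_msg "No output destinations configured"`. The unquoted `$args` relies on word-splitting each entry into the function's positional arguments; that is intentional here but worth a one-line comment since it is exactly what quoting rules would otherwise flag. start() continues outside the hunk.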
## Port knocking
@@ -367,8 +392,8 @@ test_rules()
iptables-restore < /etc/network/iptables-save
log_action_msg "Old rules restored"
else
- flush
- log_action_msg "Rules flushed"
+ clean
+ log_action_msg "Rules cleaned"
fi
log_action_msg "If you are happy with this new rules please use save option"
}