Fix port knocking and config test

* Fix multiple port knocking
 * Fix config test
 * Move firewall.conf to firewall.conf.template
 * Clean start messages
 * New deb entry
This commit is contained in:
Jérôme Schneider 2011-06-23 14:56:41 +02:00
parent 66c6cc3853
commit 0749affec5
4 changed files with 53 additions and 53 deletions


@ -13,7 +13,6 @@ all:
install:
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d

4
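Review bot: The new install line still takes `$(NAME).conf` from the source tree and only renames it at the destination, so the "move" named in the commit message does not appear to reach the repository copy. If the file in the tree is meant to carry the new name too, the line would read `install -m 0640 -o root -g root $(NAME).conf.template $(DESTDIR)/etc/firewall/firewall.conf.template`; otherwise a comment above it, `# ship the config as a template only; the admin copies it to firewall.conf (see README)`, would explain why source and target names differ. That comment is also the place to state the behaviour this change buys: `make install` no longer overwrites an existing `/etc/firewall/firewall.conf`, which matters for a file that holds the live ruleset. The `install:` rule is complete within the hunk.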
README

@ -1,6 +1,8 @@
= Installation =
* Requrie: rsyslog, logrotate and iptables
* make install
* Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
* Configure /etc/firewall/firewall.conf
= Usage =
@ -10,5 +12,5 @@ Second save this change (this will load your rules and save it):
/etc/init.d/firewall save
You need to use save at least one time.
/etc/init.d/firewall stop: will flush your rules
/etc/init.d/firewall stop: will flush ALL your rules
/etc/init.d/firewall start|restore: will load your saved rules

9
debian/changelog vendored

@ -1,3 +1,12 @@
eofirewall (0.1-20110623.1) unstable; urgency=low
* Fix multiple port knocking
* Fix config test
* Move firewall.conf to firewall.conf.template
* Clean start messages
-- Jérôme Schneider <jschneider@entrouvert.com> Thu, 23 Jun 2011 13:52:39 +0200
eofirewall (0.1-20110621.3) unstable; urgency=low
* Add an example for the ssh whitelist


@ -29,20 +29,33 @@ fi
clean()
{
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
}
test_config()
{
# FIXME: test if the interface and the ip exist
if [ ! "$WAN_INT" -o ! "$IP" ]; then
echo "Bad configuration please check your /etc/firewall/firewall.conf"
exit 1
abort "Bad configuration please check your /etc/firewall/firewall.conf"
fi
}
@ -96,8 +109,8 @@ open_port()
stop && exit 1
fi
source=$1
echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
for port in $(echo $ports | sed 's/,/ /g'); do
echo "+ Open port $port from $source to $destination for protocol $proto"
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
critical_return
done
@ -121,37 +134,39 @@ port_redirection()
port_knocking()
{
if [ $# != 2 ]; then
if [ $# != 3 ]; then
echo "! Bad syntax for port knocking : $*"
return
fi
port=$1
knock_ports=$2
i=0
knock_number=$3
i=0
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
((i++))
tock_number=$knock_number$i
if [ $i -gt 1 ]; then
iptables -N toc$i
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
iptables -A toc$i -m recent --name toc$i --set
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
iptables -N toc${tock_number}
iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
else
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
fi
done
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT"
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
}
start()
{
echo "Starting: Firewall"
test_config
modprobe ip_conntrack
clean
test_config
# default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
@ -187,31 +202,23 @@ start()
fi
## block spoofing
echo "+ Block spoofing"
echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## NMAP FIN/URG/PSH
echo "+ Block scan ports"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## stop Xmas Tree type scanning
echo "+ Block Xmas Tree"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## stop null scanning
echo "+ Block null scanning"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
echo "+ Block SYN/RST"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN
echo "+ Block SYN/FIN"
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
@ -246,8 +253,10 @@ start()
done
## Port knocking
j=1
for args in "${PORT_KNOCK[@]}"; do
port_knocking $args
port_knocking $args $j
((j++))
done
## Port forwading
@ -291,26 +300,7 @@ start()
stop()
{
echo "+ Firewall stoped"
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
clean
}
case "$1" in
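Review bot: In the `port_knocking()` hunk, `tock_number=$knock_number$i` builds the recent-list and chain suffix by string concatenation and then does arithmetic on it in `toc$((${tock_number}-1))`; that only yields the previous step's name while `i` is below 10, and distinct (rule, step) pairs collide (rule 1 step 11 and rule 11 step 1 both give `toc111`), so one knock sequence can advance or reset another. A separator removes the ambiguity and the arithmetic: `tock_number=${knock_number}_$i` on the assignment line and `toc${knock_number}_$((i-1))` in the two `--remove`/`--rcheck` references, with the final ACCEPT rule unchanged since it already uses `toc${tock_number}`. The same hunk calls the bare `iptables` binary while the rest of the script, including the new `clean()`, goes through `$IPTABLES`; using the variable keeps rule creation and flushing on the same binary. That hunk also opens `start()`, whose body continues beyond it.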