eofirewall: implement output filters
This commit is contained in:
Jérôme Schneider
parent
033410319d
commit
5cf9c1039f
65
eofirewall
65
eofirewall
|
|
@ -15,7 +15,7 @@ chain_exists()
|
|||
{
|
||||
local chain_name="$1" ; shift
|
||||
[ $# -eq 1 ] && local table="--table $1"
|
||||
iptables $table -n --list "$chain_name" >/dev/null 2>&1
|
||||
$IPTABLES $table -n --list "$chain_name" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -114,7 +114,7 @@ critical_return()
|
|||
{
|
||||
if [ `echo $?` != 0 ]; then
|
||||
log_failure_msg "Error on the last command firewall will be stop"
|
||||
flush
|
||||
clean
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
|
@ -144,8 +144,7 @@ forward_port()
|
|||
fi
|
||||
|
||||
}
|
||||
|
||||
open_port()
|
||||
open_input_port()
|
||||
{
|
||||
if [ $# == 4 ]; then
|
||||
local destination=$2
|
||||
|
|
@ -164,6 +163,25 @@ open_port()
|
|||
critical_return
|
||||
}
|
||||
|
||||
open_output_port()
|
||||
{
|
||||
if [ $# == 4 ]; then
|
||||
local source=$2
|
||||
local proto=$3
|
||||
local ports=$4
|
||||
elif [ $# == 3 ]; then
|
||||
local source=$IP
|
||||
local proto=$2
|
||||
local ports=$3
|
||||
else
|
||||
log_warning_msg "Open output port bad syntax : $*"
|
||||
fi
|
||||
destination=$1
|
||||
log_action_msg "Open output port(s) $ports from $source to $destination for protocol $proto"
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p $proto -s $source -d $destination -m multiport --dports $ports -m state --state NEW -j ACCEPT
|
||||
critical_return
|
||||
}
|
||||
|
||||
port_redirection()
|
||||
{
|
||||
if [ $# != 4 ]; then
|
||||
|
|
@ -177,7 +195,7 @@ port_redirection()
|
|||
local destport=$4
|
||||
|
||||
log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
|
||||
iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
|
||||
$IPTABLES -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
|
||||
}
|
||||
|
||||
port_knocking()
|
||||
|
|
@ -196,17 +214,17 @@ port_knocking()
|
|||
((i++))
|
||||
tock_number=$knock_number$i
|
||||
if [ $i -gt 1 ]; then
|
||||
iptables -N EO-TOC${tock_number}
|
||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
|
||||
iptables -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
|
||||
$IPTABLES -N EO-TOC${tock_number}
|
||||
$IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC$((${tock_number}-1)) --remove
|
||||
$IPTABLES -A EO-TOC${tock_number} -m recent --name EO-TOC${tock_number} --set
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name EO-TOC$((${tock_number}-1)) -j EO-TOC${tock_number}
|
||||
else
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name EO-TOC${tock_number}
|
||||
fi
|
||||
done
|
||||
log_action_msg "Port knocking for $ports with combinaison $knock_ports on $WAN_INT"
|
||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||
iptables -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name EO-TOC${tock_number} -m state --state NEW -j ACCEPT
|
||||
done
|
||||
}
|
||||
|
||||
|
|
@ -221,8 +239,10 @@ start()
|
|||
|
||||
$IPTABLES -A EO-INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 1 ]; then
|
||||
log_action_msg "Allow WAN outgoing traffic"
|
||||
if [ $ALLOW_WAN_OUTOUT_EVERYWHERE -eq 0 ]; then
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
else
|
||||
log_action_msg "Allow WAN outgoing traffic to everywhere"
|
||||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
fi
|
||||
|
||||
|
|
@ -265,9 +285,9 @@ start()
|
|||
|
||||
if [ $PING == 1 ]; then
|
||||
log_action_msg "PING allowed"
|
||||
iptables -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||
$IPTABLES -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
$IPTABLES -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
$IPTABLES -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ $FTP == 1 ]; then
|
||||
|
|
@ -283,9 +303,14 @@ start()
|
|||
$IPTABLES -A EO-OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
## Open Ports
|
||||
## Open input ports
|
||||
for args in "${OPEN_PORTS[@]}"; do
|
||||
open_port $args
|
||||
open_input_port $args
|
||||
done
|
||||
|
||||
## Open ouput ports
|
||||
for args in "${OUPUT_DESTINATIONS[@]}"; do
|
||||
open_output_port $args
|
||||
done
|
||||
|
||||
## Port knocking
|
||||
|
|
@ -367,8 +392,8 @@ test_rules()
|
|||
iptables-restore < /etc/network/iptables-save
|
||||
log_action_msg "Old rules restored"
|
||||
else
|
||||
flush
|
||||
log_action_msg "Rules flushed"
|
||||
clean
|
||||
log_action_msg "Rules cleaned"
|
||||
fi
|
||||
log_action_msg "If you are happy with this new rules please use save option"
|
||||
}
|
||||
|
|
|
|||
Reference in New Issue