Fix port knocking and config test
* Fix multiple port knocking * Fix config test * Move firewall.conf to firewall.conf.template * Clean start messages * New deb entry
parent
66c6cc3853
commit
0749affec5
3
Makefile
3
Makefile
|
@ -13,7 +13,6 @@ all:
|
|||
install:
|
||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
|
||||
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
|
||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
|
||||
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
|
||||
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
|
||||
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
|
||||
|
||||
|
|
4
README
4
README
|
@ -1,6 +1,8 @@
|
|||
= Installation =
|
||||
* Requrie: rsyslog, logrotate and iptables
|
||||
* make install
|
||||
* Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
|
||||
* Configure /etc/firewall/firewall.conf
|
||||
|
||||
= Usage =
|
||||
|
||||
|
@ -10,5 +12,5 @@ Second save this change (this will load your rules and save it):
|
|||
/etc/init.d/firewall save
|
||||
You need to use save at least one time.
|
||||
|
||||
/etc/init.d/firewall stop: will flush your rules
|
||||
/etc/init.d/firewall stop: will flush ALL your rules
|
||||
/etc/init.d/firewall start|restore: will load your saved rules
|
||||
|
|
|
@ -1,3 +1,12 @@
|
|||
eofirewall (0.1-20110623.1) unstable; urgency=low
|
||||
|
||||
* Fix multiple port knocking
|
||||
* Fix config test
|
||||
* Move firewall.conf to firewall.conf.template
|
||||
* Clean start messages
|
||||
|
||||
-- Jérôme Schneider <jschneider@entrouvert.com> Thu, 23 Jun 2011 13:52:39 +0200
|
||||
|
||||
eofirewall (0.1-20110621.3) unstable; urgency=low
|
||||
|
||||
* Add an example for the ssh whitelist
|
||||
|
|
90
firewall
90
firewall
|
@ -29,20 +29,33 @@ fi
|
|||
|
||||
clean()
|
||||
{
|
||||
$IPTABLES -F
|
||||
$IPTABLES -F INPUT
|
||||
$IPTABLES -F OUTPUT
|
||||
$IPTABLES -F FORWARD
|
||||
$IPTABLES -F -t mangle
|
||||
$IPTABLES -F -t nat
|
||||
$IPTABLES -X
|
||||
$IPTABLES -t filter -F
|
||||
$IPTABLES -t filter -X
|
||||
|
||||
$IPTABLES -t filter -P INPUT ACCEPT
|
||||
$IPTABLES -t filter -P FORWARD ACCEPT
|
||||
$IPTABLES -t filter -P OUTPUT ACCEPT
|
||||
|
||||
$IPTABLES -t nat -F
|
||||
$IPTABLES -t nat -X
|
||||
|
||||
$IPTABLES -t nat -P PREROUTING ACCEPT
|
||||
$IPTABLES -t nat -P OUTPUT ACCEPT
|
||||
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
||||
|
||||
$IPTABLES -t mangle -F
|
||||
$IPTABLES -t mangle -X
|
||||
|
||||
$IPTABLES -t mangle -P PREROUTING ACCEPT
|
||||
$IPTABLES -t mangle -P INPUT ACCEPT
|
||||
$IPTABLES -t mangle -P FORWARD ACCEPT
|
||||
}
|
||||
|
||||
test_config()
|
||||
{
|
||||
# FIXME: test if the interface and the ip exist
|
||||
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||
echo "Bad configuration please check your /etc/firewall/firewall.conf"
|
||||
exit 1
|
||||
abort "Bad configuration please check your /etc/firewall/firewall.conf"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -96,8 +109,8 @@ open_port()
|
|||
stop && exit 1
|
||||
fi
|
||||
source=$1
|
||||
echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
|
||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||
echo "+ Open port $port from $source to $destination for protocol $proto"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
|
||||
critical_return
|
||||
done
|
||||
|
@ -121,37 +134,39 @@ port_redirection()
|
|||
|
||||
port_knocking()
|
||||
{
|
||||
if [ $# != 2 ]; then
|
||||
if [ $# != 3 ]; then
|
||||
echo "! Bad syntax for port knocking : $*"
|
||||
return
|
||||
fi
|
||||
|
||||
port=$1
|
||||
knock_ports=$2
|
||||
i=0
|
||||
knock_number=$3
|
||||
|
||||
i=0
|
||||
for kport in $(echo $knock_ports | sed 's/,/ /g'); do
|
||||
((i++))
|
||||
tock_number=$knock_number$i
|
||||
if [ $i -gt 1 ]; then
|
||||
iptables -N toc$i
|
||||
iptables -A toc$i -m recent --name toc$(($i-1)) --remove
|
||||
iptables -A toc$i -m recent --name toc$i --set
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i
|
||||
iptables -N toc${tock_number}
|
||||
iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove
|
||||
iptables -A toc${tock_number} -m recent --name toc${tock_number} --set
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number}
|
||||
else
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
|
||||
fi
|
||||
done
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
|
||||
echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT"
|
||||
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
echo "Starting: Firewall"
|
||||
test_config
|
||||
modprobe ip_conntrack
|
||||
clean
|
||||
|
||||
test_config
|
||||
|
||||
# default policies
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
|
@ -187,31 +202,23 @@ start()
|
|||
fi
|
||||
|
||||
## block spoofing
|
||||
echo "+ Block spoofing"
|
||||
echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
|
||||
## NMAP FIN/URG/PSH
|
||||
echo "+ Block scan ports"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
|
||||
|
||||
## stop Xmas Tree type scanning
|
||||
echo "+ Block Xmas Tree"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||||
|
||||
## stop null scanning
|
||||
echo "+ Block null scanning"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
## SYN/RST
|
||||
echo "+ Block SYN/RST"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
## SYN/FIN
|
||||
echo "+ Block SYN/FIN"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
|
||||
|
@ -246,8 +253,10 @@ start()
|
|||
done
|
||||
|
||||
## Port knocking
|
||||
j=1
|
||||
for args in "${PORT_KNOCK[@]}"; do
|
||||
port_knocking $args
|
||||
port_knocking $args $j
|
||||
((j++))
|
||||
done
|
||||
|
||||
## Port forwading
|
||||
|
@ -291,26 +300,7 @@ start()
|
|||
stop()
|
||||
{
|
||||
echo "+ Firewall stoped"
|
||||
$IPTABLES -t filter -F
|
||||
$IPTABLES -t filter -X
|
||||
|
||||
$IPTABLES -t filter -P INPUT ACCEPT
|
||||
$IPTABLES -t filter -P FORWARD ACCEPT
|
||||
$IPTABLES -t filter -P OUTPUT ACCEPT
|
||||
|
||||
$IPTABLES -t nat -F
|
||||
$IPTABLES -t nat -X
|
||||
|
||||
$IPTABLES -t nat -P PREROUTING ACCEPT
|
||||
$IPTABLES -t nat -P OUTPUT ACCEPT
|
||||
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
||||
|
||||
$IPTABLES -t mangle -F
|
||||
$IPTABLES -t mangle -X
|
||||
|
||||
$IPTABLES -t mangle -P PREROUTING ACCEPT
|
||||
$IPTABLES -t mangle -P INPUT ACCEPT
|
||||
$IPTABLES -t mangle -P FORWARD ACCEPT
|
||||
clean
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
|
|
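Review bot: In port_knocking the previous step's list name is derived by arithmetic on a digit concatenation, `toc$((${tock_number}-1))` with `tock_number=$knock_number$i`, which only matches the name set on the previous iteration while i is a single digit: at the tenth knock port `${knock_number}10 - 1` gives `${knock_number}09`, not `${knock_number}9`, so that `--rcheck` references a list that is never populated and the final ACCEPT can never fire, and sequence 1 step 11 and sequence 11 step 1 both map to `toc111`. Carrying the previous name in a variable and separating the two indices removes both problems, as below. The intermediate `--rcheck` on the chaining rule has no `--seconds`, so a half-completed sequence stays valid indefinitely; the rewrite bounds it with the same 15 s window the final rule already uses. These lines also call bare `iptables` while the rest of the script uses `$IPTABLES`; the rewrite uses the variable. The start() loop feeding `port_knocking $args $j` needs no change for this.
```shell
port_knocking()
{
    # … unchanged: argument-count check, port / knock_ports / knock_number assignment …
    i=0
    prev_name=
    for kport in $(echo $knock_ports | sed 's/,/ /g'); do
        ((i++))
        # one recent-list/chain per (sequence, step); the separator keeps (1,11) and (11,1) distinct
        tock_name=toc${knock_number}_${i}
        if [ $i -gt 1 ]; then
            $IPTABLES -N $tock_name
            $IPTABLES -A $tock_name -m recent --name $prev_name --remove
            $IPTABLES -A $tock_name -m recent --name $tock_name --set
            # previous step must have been hit within the same window as the final rule
            $IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --seconds 15 --name $prev_name -j $tock_name
        else
            $IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name $tock_name
        fi
        prev_name=$tock_name
    done
    # … unchanged: status echo …
    $IPTABLES -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name $prev_name -m state --state NEW -j ACCEPT
}
```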