Add a whitelist for ssh, port knocking set to 15 seconds and move the config to /etc/firewall

This commit is contained in:
Jérôme Schneider 2011-06-21 17:54:06 +02:00
parent e8fe286563
commit 0440531e2f
3 changed files with 17 additions and 8 deletions


@ -6,14 +6,14 @@
##
NAME = firewall
RM = rm -rf
DESTDIR=
all:
install:
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d/
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/
install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
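Review bot: The new `install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall` line unconditionally overwrites any existing `/etc/firewall/firewall.conf`, so re-running `make install` on a configured host replaces the live rules (whitelist, redirections) with the shipped defaults; guard it with something like `test -e $(DESTDIR)/etc/firewall/$(NAME).conf || install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall`, or use `install -b` to keep a backup. Nothing in the recipe migrates a pre-existing `/etc/firewall.conf` from the old layout, and since the init script now reads only the new path, an upgraded host will abort at startup without a firewall until the admin moves the file by hand — at minimum an `@echo` pointing out the new location would help. `all` and `install` are not files and should be declared `.PHONY: all install`. The rule's start (`NAME`/`RM` definitions) is inside the hunk but the file's header is not.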


@ -21,10 +21,10 @@ abort()
exit 1
}
if [ -f "/etc/firewall.conf" ]; then
source /etc/firewall.conf
if [ -f "/etc/firewall/firewall.conf" ]; then
source /etc/firewall/firewall.conf
else
abort "No configuration file /etc/firewall.conf"
abort "No configuration file /etc/firewall/firewall.conf"
fi
clean()
@ -41,7 +41,7 @@ clean()
test_config()
{
if [ ! "$WAN_INT" -o ! "$IP" ]; then
echo "Bad configuration please check your /etc/firewall.conf"
echo "Bad configuration please check your /etc/firewall/firewall.conf"
exit 1
fi
}
@ -141,7 +141,7 @@ port_knocking()
iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i
fi
done
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 6 --name toc$i -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT
}
start()
@ -260,6 +260,11 @@ start()
port_redirection $args
done
## Whitelist
for arg in "${WHITELIST_SSH[@]}"; do
open_port $arg tcp ssh
done
## NAT
if [ $NAT == 1 ]; then
echo "+ Activate nat"
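Review bot: The whitelist loop in `start()` (`open_port $arg tcp ssh`) grants the listed sources direct ssh access, which means they bypass the port-knocking gate entirely; that is presumably the intent, but it is worth a comment such as `## Whitelist: these sources reach ssh without knocking`, and `$arg` should be quoted as `"$arg"` so a malformed entry cannot split into extra arguments to open_port. The knocking window in `port_knocking()` is still a literal `--seconds 15`; exposing it as a config variable with a default, e.g. `--seconds ${KNOCK_TIMEOUT:-15}`, would let admins tune it without editing the script. Whether open_port emits its rule before or after the port-knocking ACCEPT rules is not visible here; both accept, so ordering should not matter, but confirm. `start()` and `port_knocking()` both begin outside the hunks shown.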


@ -39,6 +39,10 @@ TRAFFICS=()
# example : REDIRECTIONS=("eth42 tcp 32 25" "$LAN_INT tcp 25 4242")
REDIRECTIONS=()
## Whitelist ssh
# example : WHITELIST_SSH=("1.2.3.4" "1.3.4.4" "192.168.1.0/24")
#WHITELIST_SSH=()
# Hook point to write your own iptables rules
ipt_hook()
{
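Review bot: `#WHITELIST_SSH=()` ships commented out while the sibling defaults directly above (`TRAFFICS=()`, `REDIRECTIONS=()`) are active, so the init script expands `"${WHITELIST_SSH[@]}"` on an undefined array in the default install; plain bash tolerates that, but if the script ever runs under `set -u` (not visible from here) bash before 4.4 aborts on it. Shipping `WHITELIST_SSH=()` as a live empty default and keeping the CIDR example in the comment keeps the file consistent with the other arrays. The `ipt_hook()` definition continues outside the hunk.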