Hudge improvements

* Change config syntax * Add a lot of test * Support destination to open a port
2011-03-16 20:43:22 +01:00 · 2011-03-16 20:43:22 +01:00 · 9df7935f90
parent 8a79bdbdec
commit 9df7935f90
3 changed files with 72 additions and 24 deletions
--- a/debian/files
+++ b/debian/files
@ -1 +0,0 @@
-eofirewall_0.1-20110307.1_all.deb admin extra
--- a/81
+++ b/81
@ -1,7 +1,7 @@
 #!/bin/bash

 ### BEGIN INIT INFO
-# Provides:          firewall.sh
+# Provides:          firewall
 # Required-Start:    $remote_fs $syslog $network
 # Required-Stop:     $remote_fs $syslog $network
 # Default-Start:     2 3 4 5
@ -10,8 +10,15 @@
 # Description:       An iptables firewall
 ### END INIT INFO

-source /etc/firewall.conf
-NAME="firewall.sh"
+NAME="firewall"
+
+if [ -f "/etc/firewall.conf" ]; then
+    source /etc/firewall.conf
+else
+    echo "No configuration file /etc/firewall.conf"
+    exit 1
+fi
+

 abort()
 {
@ -33,6 +40,23 @@ clean()
    $IPTABLES -X
 }

+test_config()
+{
+    if [ ! "$WAN_INT" -o ! "$IP" ]; then
+        echo "Bad configuration please check your /etc/firewall.conf"
+        exit 1
+    fi
+}
+
+critical_return()
+{
+    if [ `echo $?` != 0 ]; then
+        echo "!!! CRITICAL error on the last command firewall will be stop"
+        stop
+        exit 1
+    fi
+}
+
 forward_port()
 {
    traffic=$1
@ -43,9 +67,35 @@ forward_port()
    dest_ip=$(echo $destination | cut -d ":" -f1)
    dest_port=$(echo $destination | cut -d ":" -f2)

-    echo "+ Forward $port to $destination for protocol $proto"
-    $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
-    $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+    if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
+        echo "! Bad syntax for traffic : $1"
+    else
+        echo "+ Forward $port to $destination for protocol $proto"
+        $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
+        $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
+    fi
+}
+
+open_port()
+{
+    if [ $# == 4 ]; then
+        destination=$2
+        proto=$3
+        ports=$4
+    elif [ $# == 3 ]; then
+        destination=$IP
+        proto=$2
+        ports=$3
+    else
+        echo "!!! CRITICAL Open port bad syntax : $*"
+        stop && exit 1
+    fi
+    source=$1
+    for port in $(echo $ports | sed 's/,/ /g'); do
+        echo "+ Open port $port from $source to $destination for protocol $proto"
+        $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
+        critical_return
+    done
 }

 port_redirection()
@ -66,6 +116,8 @@ start()
    modprobe ip_conntrack
    clean

+    test_config
+
    # default policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
@ -79,6 +131,8 @@ start()
    $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
    $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED  -j ACCEPT

+    critical_return
+
    if [ $LAN == 1 ]; then
        echo "+ Allow WAN outgoing traffic from lan"
        $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
@ -159,18 +213,11 @@ start()
        $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi

-
-    ## OPEN PORTS
-    for traffic in $OPEN_PORTS; do
-        source=$(echo $traffic | cut -d "-" -f1)
-        proto=$(echo $traffic | cut -d "-" -f2)
-        ports=$(echo $traffic | cut -d "-" -f3)
-        for port in $(echo $ports | sed 's/,/ /g'); do
-            echo "+ Open port $port to $source for protocol $proto"
-                $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
-        done
+    ## Open Ports
+    for traffic in "${OPEN_PORTS[@]}"; do
+        open_port $traffic
    done
-    
+
    ## Port forwading
    for traffic in $TRAFFICS; do
        forward_port $traffic
--- a/firewall.conf
+++ b/firewall.conf
@ -1,8 +1,8 @@
 IPTABLES=/sbin/iptables

 # WAN configuration
-WAN_INT='ethX'
-IP='x.x.x.x'
+WAN_INT='zefezfez'
+IP='122.122.122.122'

 # Allow ping
 PING=1
@ -15,16 +15,18 @@ NAT=0
 LAN_NETWORK=''
 # Allow traffic between the WAN and LAN
 LAN=0
-LAN_INT='ethX'
+LAN_INT=''

 # Allow all traffic for interface(s)
 # example ALLOW_INTS='br0 xenbr42'
 ALLOW_INTS=''

 # Open ports
-# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
-# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
-OPEN_PORTS='0.0.0.0/0-tcp-ssh'
+# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
+# The default destination is the IP !
+# example :
+#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
+OPEN_PORTS=("0.0.0.0/0 tcp ssh")

 # Port forwarding
 # source-port-destination:port-protocole source-port-destination:port-protocole ...
				`@ -1 +0,0 @@`
				`eofirewall_0.1-20110307.1_all.deb admin extra`