Hudge improvements
* Change config syntax * Add a lot of tests * Support a destination when opening a port
This commit is contained in:
parent
8a79bdbdec
commit
9df7935f90
|
@ -1 +0,0 @@
|
|||
eofirewall_0.1-20110307.1_all.deb admin extra
|
81
firewall
81
firewall
|
@ -1,7 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: firewall.sh
|
||||
# Provides: firewall
|
||||
# Required-Start: $remote_fs $syslog $network
|
||||
# Required-Stop: $remote_fs $syslog $network
|
||||
# Default-Start: 2 3 4 5
|
||||
|
@ -10,8 +10,15 @@
|
|||
# Description: An iptables firewall
|
||||
### END INIT INFO
|
||||
|
||||
source /etc/firewall.conf
|
||||
NAME="firewall.sh"
|
||||
NAME="firewall"
|
||||
|
||||
if [ -f "/etc/firewall.conf" ]; then
|
||||
source /etc/firewall.conf
|
||||
else
|
||||
echo "No configuration file /etc/firewall.conf"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
abort()
|
||||
{
|
||||
|
@ -33,6 +40,23 @@ clean()
|
|||
$IPTABLES -X
|
||||
}
|
||||
|
||||
test_config()
|
||||
{
|
||||
if [ ! "$WAN_INT" -o ! "$IP" ]; then
|
||||
echo "Bad configuration please check your /etc/firewall.conf"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
critical_return()
|
||||
{
|
||||
if [ `echo $?` != 0 ]; then
|
||||
echo "!!! CRITICAL error on the last command firewall will be stop"
|
||||
stop
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
forward_port()
|
||||
{
|
||||
traffic=$1
|
||||
|
@ -43,9 +67,35 @@ forward_port()
|
|||
dest_ip=$(echo $destination | cut -d ":" -f1)
|
||||
dest_port=$(echo $destination | cut -d ":" -f2)
|
||||
|
||||
echo "+ Forward $port to $destination for protocol $proto"
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
|
||||
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
||||
if [ ! "$port" -o ! "$proto" -o ! "$destination" -o ! "$dest_ip" -o ! "$dest_port" -o ! "$LAN_INT" ]; then
|
||||
echo "! Bad syntax for traffic : $1"
|
||||
else
|
||||
echo "+ Forward $port to $destination for protocol $proto"
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state ! --state INVALID -j ACCEPT
|
||||
$IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
|
||||
fi
|
||||
}
|
||||
|
||||
open_port()
|
||||
{
|
||||
if [ $# == 4 ]; then
|
||||
destination=$2
|
||||
proto=$3
|
||||
ports=$4
|
||||
elif [ $# == 3 ]; then
|
||||
destination=$IP
|
||||
proto=$2
|
||||
ports=$3
|
||||
else
|
||||
echo "!!! CRITICAL Open port bad syntax : $*"
|
||||
stop && exit 1
|
||||
fi
|
||||
source=$1
|
||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||
echo "+ Open port $port from $source to $destination for protocol $proto"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
|
||||
critical_return
|
||||
done
|
||||
}
|
||||
|
||||
port_redirection()
|
||||
|
@ -66,6 +116,8 @@ start()
|
|||
modprobe ip_conntrack
|
||||
clean
|
||||
|
||||
test_config
|
||||
|
||||
# default policies
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
|
@ -79,6 +131,8 @@ start()
|
|||
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
critical_return
|
||||
|
||||
if [ $LAN == 1 ]; then
|
||||
echo "+ Allow WAN outgoing traffic from lan"
|
||||
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state ! --state INVALID -j ACCEPT
|
||||
|
@ -159,18 +213,11 @@ start()
|
|||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
|
||||
## OPEN PORTS
|
||||
for traffic in $OPEN_PORTS; do
|
||||
source=$(echo $traffic | cut -d "-" -f1)
|
||||
proto=$(echo $traffic | cut -d "-" -f2)
|
||||
ports=$(echo $traffic | cut -d "-" -f3)
|
||||
for port in $(echo $ports | sed 's/,/ /g'); do
|
||||
echo "+ Open port $port to $source for protocol $proto"
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $IP --dport $port -m state ! --state INVALID -j ACCEPT
|
||||
done
|
||||
## Open Ports
|
||||
for traffic in "${OPEN_PORTS[@]}"; do
|
||||
open_port $traffic
|
||||
done
|
||||
|
||||
|
||||
## Port forwading
|
||||
for traffic in $TRAFFICS; do
|
||||
forward_port $traffic
|
||||
|
|
|
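Review bot: In open_port the 4-argument form stores `destination=$2`, but the INPUT rule in the loop still matches on `-d $IP`, so the configured destination only appears in the echo and the rule is installed for the main address whatever the config asked for; the rule should read `$IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state ! --state INVALID -j ACCEPT` (the 3-argument branch already sets destination=$IP, so that path is unaffected). The bad-syntax branch uses `stop && exit 1`, so a non-zero return from stop lets the function fall through to the loop with proto and ports unset; `stop; exit 1` exits unconditionally, and critical_return's echo-in-backticks test of the status can simply be `[ $? -ne 0 ]`. test_config only rejects an empty WAN_INT or IP, so any placeholder value in /etc/firewall.conf passes validation; a pattern check on IP would catch an unedited install before DROP policies are applied. The hunk that adds open_port starts inside forward_port and ends at the port_redirection header, and start(), which calls both, ends outside the last hunk.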
@ -1,8 +1,8 @@
|
|||
IPTABLES=/sbin/iptables
|
||||
|
||||
# WAN configuration
|
||||
WAN_INT='ethX'
|
||||
IP='x.x.x.x'
|
||||
WAN_INT='zefezfez'
|
||||
IP='122.122.122.122'
|
||||
|
||||
# Allow ping
|
||||
PING=1
|
||||
|
@ -15,16 +15,18 @@ NAT=0
|
|||
LAN_NETWORK=''
|
||||
# Allow traffic between the WAN and LAN
|
||||
LAN=0
|
||||
LAN_INT='ethX'
|
||||
LAN_INT=''
|
||||
|
||||
# Allow all traffic for interface(s)
|
||||
# example ALLOW_INTS='br0 xenbr42'
|
||||
ALLOW_INTS=''
|
||||
|
||||
# Open ports
|
||||
# source-protocole-portx:porty,portz,porta,... source-protocole-portx:porty,portz,.. ...
|
||||
# example : OPEN_PORTS='0.0.0.0/0-tcp-ssh,imap,imaps 0.0.0.0/0-udp-1342'
|
||||
OPEN_PORTS='0.0.0.0/0-tcp-ssh'
|
||||
# source [destination] protocole {porta|portx:porty},[portx:porty,porta,portb,...]
|
||||
# The default destination is the IP !
|
||||
# example :
|
||||
#OPEN_PORTS=("0.0.0.0/0 tcp 22" "42.42.42.0/24 42.42.42.42 tcp ssh,imap,imaps,1024:2048,32")
|
||||
OPEN_PORTS=("0.0.0.0/0 tcp ssh")
|
||||
|
||||
# Port forwarding
|
||||
# source-port-destination:port-protocole source-port-destination:port-protocole ...
|
||||
|
|
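Review bot: The example config appears to replace the `ethX`/`x.x.x.x` placeholders with `WAN_INT='zefezfez'` and `IP='122.122.122.122'`, which look like values left over from local testing; since test_config in firewall.sh only rejects an empty WAN_INT or IP, an unedited copy would be accepted and the rules could be bound to an address that is not the host's. Restore the placeholders, e.g. `WAN_INT='ethX'` and `IP='x.x.x.x'`, or ship them empty so the non-empty check actually fails on an unconfigured install, as is now done for LAN_INT. The OPEN_PORTS array comment could also say that the fields are whitespace-separated and that the optional destination must be an address, since open_port chooses the 3- or 4-field form by argument count alone.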