
blacklist/whitelist implementation with ipset

Laurent HUBERT 9 місяців тому
батько
коміт
63ad49b09f
3 змінених файлів з 179 додано та 6 видалено
  1. 76 0
      TESTING.md
  2. 2 0
      etc/lfirewall.conf
  3. 101 6
      scripts/lfirewall

+ 76 - 0
TESTING.md

@@ -0,0 +1,76 @@
+% Testing the script
+
+# Testing the script
+
+## Checking duplicates
+
+```bash
+$ for chain in INPUT OUTPUT FORWARD ; do echo $chain ; sudo iptables -L $chain -v | sort -u | wc -l ; sudo iptables -L $chain -v | wc -l  ; done
+INPUT
+21
+24
+OUTPUT
+14
+17
+FORWARD
+3
+3
+```
+
+## Identifying duplicates
+
+```bash
+sudo iptables -L INPUT -v | sort
+```
+
+
+```
+/sbin/iptables -A INPUT -i lo -s localhost -d localhost -j ACCEPTn
+/sbin/iptables -A INPUT -i lo -j ACCEPT
+```
+
+
+# Possible addition
+
+
+```bash
+CONFIGURATION_USER_RULES_DIR=${CONFIGURATION_DIR}/rules.d
+#...
+
+####################################################
+# Executes the user-defined rules
+####################################################
+fw_run_user_rules () {
+	local do_action
+	do_action=$1
+	if [ -d $CONFIGURATION_USER_RULES_DIR ]
+	then
+		for user_file in $(ls $CONFIGURATION_USER_RULES_DIR)
+		do
+			(
+				echo "$do_action user_file=$user_file"
+				#typeset -f | awk '/ \(\) $/ && !/^main / {print $1}'
+				awk '/^lfirewall_set_/{print $1}' "$CONFIGURATION_USER_RULES_DIR/${user_file}"
+				for function_name in `awk '/^lfirewall_set_/{print $1}' "$CONFIGURATION_USER_RULES_DIR/${user_file}"`
+				do
+					echo "$do_action $user_file > $function_name"
+				done
+			)
+		done
+	fi
+}
+
+
+# Inside fw_execute
+
+	#**************************************************************************#
+	# User Rules execution
+	#**************************************************************************#
+	# NOT YET ACTIVATED
+	#fw_run_user_rules $do_action
+
+
+# In Makefile
+config:
+    $(MKDIR) -p $(FIREWALL_ETC_DIR) $(FIREWALL_ETC_DIR)/rules.d
+```

+ 2 - 0
etc/lfirewall.conf

@@ -73,3 +73,5 @@ REMOTE_TCP_SERVICES="22 $REMOTE_TCP_SERVICES" # SSH
 REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"
 
 REMOTE_UDP_SERVICES="53" # DNS
+
+BANNED_LISTS="et_spamhaus spamhaus_drop et_dshield"
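Review bot: BANNED_LISTS names three ipset sets that nothing in this configuration creates or populates, and the script only warns and skips a list that does not exist, so an operator who copies this default gets no ban rules at all until the sets are provisioned out of band. A one-line comment above the setting would make that contract explicit: `# ipset sets (hash:net) whose members are DROPped on INPUT; each set must already exist when the firewall starts, otherwise it is skipped with a warning`. The names presumably refer to Spamhaus DROP and Emerging Threats feeds, but how those are fetched is not shown here, so the comment should point at whatever tooling the project uses for that.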

+ 101 - 6
scripts/lfirewall

@@ -246,10 +246,10 @@ then
 	exit 2
 fi
 
-IPTABLES_CHECK=__iptables_check_action
-IPTABLES_ADD=__iptable_add_action
-IPTABLES_INSERT=__iptable_insert_action
-IPTABLES_SET_POLICY=__iptable_set_policy_action
+export IPTABLES_CHECK=__iptables_check_action
+export IPTABLES_ADD=__iptable_add_action
+export IPTABLES_INSERT=__iptable_insert_action
+export IPTABLES_SET_POLICY=__iptable_set_policy_action
 
 export IP_TABLES
 export NETWORK_IF
@@ -276,7 +276,10 @@ do_exec () {
 	if [ ${verbose} -ge 1 ] ; then
 		echo $IP_TABLES $iptables_option $*
 	fi
-	$IP_TABLES $iptables_option $*	
+	if ! $IP_TABLES -C $* > /dev/null 2>&1
+	then
+		$IP_TABLES $iptables_option $*
+	fi
 }
 
 do_check () {
@@ -338,10 +341,10 @@ fw_exec_basic_input_rules(){
 	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
 }
 
+
 ##########################
 # Executes the Firewall rules
 ##########################
-
 fw_execute () {
 	local do_action
 	do_action=$1
@@ -429,6 +432,98 @@ fw_execute () {
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+
+	#**************************************************************************#
+	# blacklist action
+	#**************************************************************************#
+	fw_blacklist $do_action
+
+	#**************************************************************************#
+	# whitelist action
+	#**************************************************************************#
+	fw_whitelist $do_action
+}
+
+
+warn_user_missing_ban_list() {
+	local ban_list_name
+	ban_list_name=$1
+	printf "###############################################################\n\r" >&2
+	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
+	printf "# Banned list named '$ban_list_name' does not exist           #\n\r" >&2
+	printf "# Please create it using with at least one entry using :      #\n\r" >&2
+	printf "# # ipset create $ban_list_name hash:net hashsize 4096              #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "###############################################################\n\r" >&2
+}
+
+fw_blacklist(){
+	local do_action
+	do_action=$1
+	case $do_action in
+		do_exec)
+			if [ -n "${BANNED_LISTS:-}" ]
+			then
+				for ban_list in ${BANNED_LISTS}
+				do
+					if ipset list ${ban_list} > /dev/null
+					then
+						if ! iptables -C INPUT -m set --match-set ${ban_list} src -j DROP > /dev/null 2>&1
+						then
+							echo "Enabling $ban_list"
+							iptables -I INPUT -m set --match-set ${ban_list} src -j DROP
+						fi
+					else
+						warn_user_missing_ban_list ${ban_list}
+					fi
+				done
+			fi
+			;;
+		*)
+			;;
+	esac
+}
+
+warn_user_no_whitelist() {
+	printf "###############################################################\n\r" >&2
+	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
+	printf "# Your whitelist is empty or non existent                     #\n\r" >&2
+	printf "# Please create one using with at least one entry using :     #\n\r" >&2
+	printf "# # ipset create whitelist hash:net hashsize 4096              #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "# Append at least your IP address using one of the following: #\n\r" >&2
+	printf "# # ipset add whitelist 12.34.56.78                        #\n\r" >&2
+	printf "# # ipset add whitelist 192.168.0.0/16                        #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "###############################################################\n\r" >&2
+}
+
+fw_whitelist() {
+	local do_action
+	do_action=$1
+	if ! ipset list whitelist > /dev/null
+	then
+		warn_user_no_whitelist
+		return
+	else
+		if [ `ipset list whitelist 2> /dev/null | awk '/Number of entries/ {print $NF}'` -eq 0 ]
+		then
+			warn_user_no_whitelist
+			return
+		fi
+	fi
+	
+	if [ -n "$TCP_SERVICES" ] ; then
+		for PORT in $TCP_SERVICES; do
+			$do_action $IPTABLES_INSERT $IT_INPUT -p tcp -m tcp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
+		done
+	fi
+	if [ -n "$UDP_SERVICES" ] ; then
+		for PORT in $UDP_SERVICES; do
+			$do_action $IPTABLES_INSERT $IT_INPUT -p udp -m udp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
+		done
+	fi
+
 }
 
 fw_network_protection(){
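Review bot: fw_blacklist bypasses the do_action/IP_TABLES abstraction the rest of fw_execute uses — it calls the bare `iptables` binary directly and only in the `do_exec` arm, so a `do_check` dry run silently reports no blacklist rules and IP_TABLES is not honoured. Replacing the inner if/else with `$do_action $IPTABLES_INSERT $IT_INPUT -m set --match-set "${ban_list}" src -j DROP` gives the same idempotency (do_exec already runs the `-C` probe) and makes the rule visible in check mode. Because fw_whitelist runs after fw_blacklist and both insert at the top of INPUT, the whitelist ACCEPT ends up above the ban-list DROP, so a whitelisted source is never dropped by a ban list; that looks intended but deserves a comment at the fw_whitelist call site, e.g. `# must run after fw_blacklist: inserted above it, so whitelist overrides bans`. The two warn_user_* helpers also interpolate the list name into the printf format string; use `%s` and pass the name as an argument, and note `\n\r` puts the CR after the newline.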