Changeset c9d8db9916965607ae249b301f1991b931044ee8
- Timestamp:
- 09/19/09 15:50:15 (3 years ago)
- Author:
- Neutron Soutmun <neo.neutron@…>
- Children:
- f947fbf519faeaa105b8df830c6030924a957e16
- Parents:
- aefa26aefdd4538de7337e9c9b0cced45abb1d74
- git-committer:
- Neutron Soutmun <neo.neutron@…> (09/19/09 15:50:15)
- Message:
Add common firewall code
[ Security Fix ]
- Add common firewall code with new extra config fields in rahunas
main config file.
- If the new config fields are not set, the old behavior is used, in
which the external interfaces accept all connections.
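--- a/PATH_NOT_SHOWN_rahunas_main_config
+++ b/PATH_NOT_SHOWN_rahunas_main_config
@@ -14,3 +14,7 @@
 bittorrent_download_max = "512"
 bittorrent_upload_max = "256"
+
+external_iface_firewall = "yes"
+external_iface_ports_allow = "22,80,443"
+external_iface_ping_accept = "yes"
 }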
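--- a/PATH_NOT_SHOWN_firewall_script
+++ b/PATH_NOT_SHOWN_firewall_script
@@ -51,4 +51,9 @@
 MAIN_BITTORRENT_UPLOAD_MAX=`get_config_value main bittorrent_upload_max $RAHUNAS_CONFIG`
 MAIN_DHCP=`get_config_value main dhcp $RAHUNAS_CONFIG`
+
+MAIN_EXT_IFACE_FIREWALL=`get_config_value main external_iface_firewall $RAHUNAS_CONFIG`
+MAIN_EXT_IFACE_PORTS_ALLOW=`get_config_value main external_iface_ports_allow $RAHUNAS_CONFIG`
+MAIN_EXT_IFACE_PING_ACCEPT=`get_config_value main external_iface_ping_accept $RAHUNAS_CONFIG`
+MAIN_EXT_IFACE_LIST=
 
 if [ "$ENV_OVERRIDE" != "yes" ]; then
@@ -258,8 +263,11 @@
 
 # INPUT from external
-# TODO: Make a common firewall to filter the external requests.
 for dev in $DEV_EXTERNAL_LIST; do
-$IPTABLES $action INPUT \
-$DEV_IN_PARAM $dev -j ACCEPT
+# Filter duplicated external interfaces
+if ! echo $MAIN_EXT_IFACE_LIST | grep $dev > /dev/null; then
+MAIN_EXT_IFACE_LIST=`echo "$MAIN_EXT_IFACE_LIST $dev"`
+
+$IPTABLES $action INPUT $DEV_IN_PARAM $dev -j ${NAME}_ext_fw
+fi
 done
 
@@ -435,4 +443,36 @@
 $IPTABLES -A FORWARD -p udp --dport 67:68 -j ACCEPT
 fi
+
+$IPTABLES -N ${NAME}_ext_fw
+
+if [ "x$MAIN_EXT_IFACE_FIREWALL" = "xyes" ]; then
+# Accept all connections that made by server itself
+$IPTABLES -A ${NAME}_ext_fw -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Accept DNS reply
+$IPTABLES -A ${NAME}_ext_fw -p udp --sport 53 \
+-m state --state ESTABLISHED,RELATED -j ACCEPT
+
+if [ -n "$MAIN_EXT_IFACE_PORTS_ALLOW" ]; then
+$IPTABLES -A ${NAME}_ext_fw -p tcp \
+-m multiport --dports ${MAIN_EXT_IFACE_PORTS_ALLOW} -j ACCEPT
+fi
+
+if [ "x$MAIN_EXT_IFACE_PING_ACCEPT" = "xyes" ]; then
+# Accept echo-request from outside
+$IPTABLES -A ${NAME}_ext_fw -p icmp --icmp-type 8 \
+-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+fi
+
+# Accept echo-reply from outside
+$IPTABLES -A ${NAME}_ext_fw -p icmp --icmp-type 0 \
+-m state --state ESTABLISHED,RELATED -j ACCEPT
+else
+if [ "x$MAIN_EXT_IFACE_FIREWALL" = "xaccept" -o "x$MAIN_EXT_IFACE_FIREWALL" = "x" ]; then
+$IPTABLES -A ${NAME}_ext_fw -j ACCEPT
+fi
+fi
+
+$IPTABLES -A ${NAME}_ext_fw -j RETURN
 }
 
@@ -457,4 +497,7 @@
 $IPTABLES -D FORWARD -p udp --dport 67:68 -j ACCEPT
 fi
+
+$IPTABLES -F ${NAME}_ext_fw
+$IPTABLES -X ${NAME}_ext_fw
 }
 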
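Review bot: The duplicate check at new lines 267–268 uses an unanchored `grep $dev`, so an interface whose name is a substring of one already in `MAIN_EXT_IFACE_LIST` (for example `eth1` after `eth10`, or `eth0` after `eth0.100`) is treated as a duplicate and never gets its `INPUT` jump to `${NAME}_ext_fw`; whether that interface's traffic is then accepted or dropped depends on the INPUT policy, which is outside this diff. A whole-token comparison avoids that, e.g. `if ! echo "$MAIN_EXT_IFACE_LIST" | tr ' ' '\n' | grep -qx -- "$dev"; then`. The list is also a script-level variable that is only ever appended to, so if the enclosing function (which starts before line 263 and is not visible here) runs again in the same process with `$action` set to `-D`, the second pass finds every device already listed and removes nothing, and the `-X ${NAME}_ext_fw` at new line 501 would then fail because the chain is still referenced — worth confirming against the caller; resetting `MAIN_EXT_IFACE_LIST=` at the start of that function would keep the add and delete passes symmetric. Separately, the `-o` inside `[ ... ]` at new line 471 is not portable; the POSIX form is `[ "x$MAIN_EXT_IFACE_FIREWALL" = "xaccept" ] || [ "x$MAIN_EXT_IFACE_FIREWALL" = "x" ]`.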