add support for ulog daemon.

2019-06-29 17:20:59 +02:00
parent 07ffaea9a7
commit a74b57e0a0
4 changed files with 144 additions and 120 deletions


@ -200,10 +200,10 @@ echo
echononl "\tLog given IP Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -j LOG --log-prefix "$_ip IN: " --log-level $log_level
$ip6t -A OUTPUT -d $_ip -j LOG --log-prefix "$_ip OUT: " --log-level $log_level
$ip6t -A FORWARD -s $_ip -j LOG --log-prefix "$_ip FORWARD FROM: " --log-level $log_level
$ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$_ip FORWARD TO: " --log-level $log_level
$ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip IN: "
$ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip OUT: "
$ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD FROM: "
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD TO: "
done
echo_done
@ -256,11 +256,11 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
fi
fi
$ip6t -A INPUT -i $_dev -j ACCEPT
@ -288,9 +288,9 @@ echononl "\tBlock IPs / Networks / Interfaces.."
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
fi
fi
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
@ -308,11 +308,11 @@ done
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
$ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j DROP
@ -360,7 +360,7 @@ if $protect_against_several_attacks ; then
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi
$ip6t -A syn-flood -j DROP
@ -370,10 +370,10 @@ if $protect_against_several_attacks ; then
# ---
if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
fi
fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
@ -388,9 +388,9 @@ if $protect_against_several_attacks ; then
# ---
if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
fi
fi
$ip6t -A INPUT -m state --state INVALID -j DROP
@ -405,13 +405,13 @@ if $protect_against_several_attacks ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
fi
fi
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
@ -432,9 +432,9 @@ if $protect_against_several_attacks ; then
# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
$ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
$ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
fi
done
fi
@ -449,11 +449,11 @@ if $protect_against_several_attacks ; then
# - private Adressen auf externen interface verwerfen
for _dev in ${dsl_device_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi
fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
@ -483,11 +483,11 @@ fi
if $log_voip || $log_all ; then
for _ip in ${tel_sys_ip_arr[@]} ; do
$ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] "
done
fi
#for _PORT in ${VOIP_PORTS} ; do
# $ip6t -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
# $ip6t -A FORWARD -p udp --sport $_PORT -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] "
#done
@ -563,13 +563,13 @@ echononl "\tDrop packets not wanted on gateway"
for _dev in ${local_if_arr[@]} ; do
if $log_not_wanted || $log_all ; then
if $not_wanted_ident ; then
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
fi
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
done
for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
done
fi
if $not_wanted_ident ; then
@ -595,23 +595,23 @@ echononl "\tGenerally prohibited from WAN"
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
if $block_ident ; then
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
if $kernel_forward_between_interfaces ; then
if $block_ident ; then
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
fi
fi
@ -3877,7 +3877,7 @@ if $kernel_forward_between_interfaces ; then
for _dev_1 in ${local_if_arr[@]} ; do
for _dev_2 in ${local_if_arr[@]} ; do
if $log_rejected || $log_all ; then
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected local NET: "
fi
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP
done
@ -3898,12 +3898,12 @@ echo
echononl "\tLog traffic not matched so far.."
if $log_rejected || $log_all ; then
$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
$ip6t -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
#$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
#$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
#$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
echo_done
else
echo_skipped