Add destination IP blacklisting

This commit is contained in:
Tom Eastep 2010-08-10 17:33:50 -07:00
parent d9cbbea36a
commit 0234564a1b
10 changed files with 226 additions and 61 deletions

View File

@ -261,14 +261,23 @@ sub setup_blacklist() {
$first_entry = 0; $first_entry = 0;
} }
my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file'; my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
my $direction = 'from';
$options = 'from' if $options eq '-';
for ( split /,/, $options ) {
fatal_error "Invalid OPTION ($_)" unless /^(from|to)$/;
$direction = $_;
}
expand_rule( expand_rule(
$chainref , $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
$networks , $direction eq 'from' ? $networks : '',
'' , $direction eq 'to' ? $networks : '',
'' , '' ,
"-j $target" , "-j $target" ,
'' , '' ,
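Review bot: the `for ( split /,/, $options )` loop in setup_blacklist accepts a comma-separated list and lets the last keyword win, so an OPTIONS value of `from,to` is silently treated as `to`; the manpages in this commit document the column as a single keyword, so either raise a fatal_error when more than one keyword is given or document the last-wins behaviour. The routing of `$networks` into the source or destination slot of expand_rule (`$direction eq 'from' ? $networks : ''` and its counterpart) is correct.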

View File

@ -20,6 +20,8 @@ Changes in Shorewall 4.4.12
10) Support new set match syntax. 10) Support new set match syntax.
11) Blacklisting by DEST IP.
Changes in Shorewall 4.4.11 Changes in Shorewall 4.4.11
1) Apply patch from Gabriel. 1) Apply patch from Gabriel.

View File

@ -7,4 +7,5 @@
# information. # information.
# #
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT #ADDRESS/SUBNET PROTOCOL PORT OPTIONS

View File

@ -1066,6 +1066,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1 chain=$1
local finished local finished
finished=$2 finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
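Review bot: the function header comment `block() # $1 = command, $2 = Finished, $3 - $n addresses` visible in the hunk header no longer describes the argument list, since `from` and `to` keywords may now appear among $3..$n; update the comment and the usage text accordingly. The variable name `which` also collides with the familiar `which` command name; `direction` would read more clearly next to `range`.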
@ -1077,19 +1081,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case $1 in case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*) *-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 $IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
;; ;;
*) *)
qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic $which $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic $which $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject qt $IPTABLES -D dynamic $which $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop qt $IPTABLES -D dynamic $which $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1 $IPTABLES -A dynamic $which $1 -j $chain || break 1
;; ;;
esac esac
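Review bot: the `from)` and `to)` branches are positional and may appear more than once, so `shorewall drop 1.2.3.4 to 5.6.7.8` blocks the first address as a source and the second as a destination; that is useful, but the release notes in this commit only show the keyword in first position, so document it. Note also that the four `-D` lines only remove an existing rule with the same `$which`, so `drop to X` after `drop from X` leaves both rules in place; that is reasonable (they match different traffic) but is worth a sentence in the docs. A trailing bare keyword (`shorewall drop 1.2.3.4 to`) is shifted away and exits the loop silently; a usage error there would be friendlier.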
@ -1379,6 +1395,11 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2 exit 2
@ -1388,11 +1409,21 @@ allow_command() {
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*) *-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\ if qt $IPTABLES -D dynamic -m iprange $range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
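Review bot: the `from)`/`to)` branches here correctly omit the `shift` that the block() version has, because this loop shifts at the top of each iteration; a one-line comment saying so would stop a future edit from "fixing" the asymmetry. As in block(), an `allow` ending with a bare keyword (`shorewall allow 1.2.3.4 to`) leaves the loop silently after handling 1.2.3.4; consider reporting the dangling keyword.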
@ -1400,10 +1431,10 @@ allow_command() {
fi fi
;; ;;
*) *)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\ if qt $IPTABLES -D dynamic $which $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\ qt $IPTABLES -D dynamic $which $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ qt $IPTABLES -D dynamic $which $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject qt $IPTABLES -D dynamic $which $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else

View File

@ -314,6 +314,33 @@ None.
you use a capabilities file, be sure to regenerate it with 4.4.12 you use a capabilities file, be sure to regenerate it with 4.4.12
shorewall-lite or shorewall6-lite. shorewall-lite or shorewall6-lite.
6) Blacklisting can now be done by destination IP address as well as
by source address.
The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
now have an optional OPTIONS column. Initially, this column can
contain either 'from' (the default) or 'to'; the latter causes the
address(es) in the ADDRESS/SUBNET column to be interpreted as a
DESTINATION address rather than a source address.
Note that static blacklisting is still restricted to traffic
ARRIVING on an interface that has the 'blacklist' option set. So to
block traffic from your local network to an internet host, you must
specify 'blacklist' on your internal interface.
Similarly, dynamic blacklisting has been enhanced to recognize the
'from' and 'to' keywords.
Example:
shorewall drop to 1.2.3.4
This command will silently drop connection requests from 1.2.3.4.
The reciprocal of that command would be:
shorewall allow to 1.2.3.4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S I N P R I O R R E L E A S E S
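Review bot: the example under item 6 describes `shorewall drop to 1.2.3.4` as dropping "connection requests from 1.2.3.4", but with `to` the library selects on the destination (`-d` / `--dst-range`), so it drops traffic whose destination is 1.2.3.4; say "to 1.2.3.4" here, otherwise the example confuses exactly the two directions the feature introduces. "The reciprocal of that command" is also loose; "The command to undo that" is clearer.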

View File

@ -7,4 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT #ADDRESS/SUBNET PROTOCOL PORT OPTIONS

View File

@ -958,6 +958,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1 chain=$1
local finished local finished
finished=$2 finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
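Review bot: this and the following shorewall6 hunks are copies of the shorewall lib changes with $IPTABLES replaced by $IP6TABLES, so the keyword parsing now lives in four functions across two files; if the two libraries cannot share the code, keep them in lockstep, since any later fix to one (for example a trailing-keyword check) has to be repeated here.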
@ -969,19 +973,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case $1 in case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*) *-*)
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1 $IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
;; ;;
*) *)
qt $IP6TABLES -D dynamic -s $1 -j reject qt $IP6TABLES -D dynamic $which $1 -j reject
qt $IP6TABLES -D dynamic -s $1 -j DROP qt $IP6TABLES -D dynamic $which $1 -j DROP
qt $IP6TABLES -D dynamic -s $1 -j logreject qt $IP6TABLES -D dynamic $which $1 -j logreject
qt $IP6TABLES -D dynamic -s $1 -j logdrop qt $IP6TABLES -D dynamic $which $1 -j logdrop
$IP6TABLES -A dynamic -s $1 -j $chain || break 1 $IP6TABLES -A dynamic $which $1 -j $chain || break 1
;; ;;
esac esac
@ -1086,6 +1102,11 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then if shorewall6_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2 exit 2
@ -1095,11 +1116,21 @@ allow_command() {
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*) *-*)
if qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject ||\ if qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP ||\ qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\ qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
@ -1107,10 +1138,10 @@ allow_command() {
fi fi
;; ;;
*) *)
if qt $IP6TABLES -D dynamic -s $1 -j reject ||\ if qt $IP6TABLES -D dynamic $which $1 -j reject ||\
qt $IP6TABLES -D dynamic -s $1 -j DROP ||\ qt $IP6TABLES -D dynamic $which $1 -j DROP ||\
qt $IP6TABLES -D dynamic -s $1 -j logdrop ||\ qt $IP6TABLES -D dynamic $which $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -s $1 -j logreject qt $IP6TABLES -D dynamic $which $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else

View File

@ -20,6 +20,8 @@
<copyright> <copyright>
<year>2002-2006</year> <year>2002-2006</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -61,6 +63,20 @@
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para> to blacklisted hosts .</para>
<variablelist>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See <ulink
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important> </important>
<important> <important>
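Review bot: the UPDATE entry is placed directly after the sentence stating that blacklists only stop blacklisted hosts from connecting to you and do not stop you or your users from connecting to blacklisted hosts, which is no longer true once the `to` option exists; reword that sentence (for example "By default, blacklists only stop ...") rather than leaving a statement that the new note contradicts.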
@ -161,25 +177,28 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
Prior to that release, the feature is always enabled.</para> Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration <para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] parameters but is rather controlled using /sbin/shorewall[-lite] commands.
commands:</para> <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
packets from the listed IP addresses to be silently dropped by the causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para> firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
packets from the listed IP addresses to be rejected by the re-enables receipt of packets from hosts previously blacklisted by a
firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para> command.</para>
</listitem> </listitem>
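Review bot: `reject [to|from]<emphasis>` is missing the space before the address list that the `drop` and `allow` entries have. More substantively, all three descriptions still say "packets from the listed IP addresses" even when `to` is given; say "packets from (or, with to, packets to) the listed IP addresses" or similar so the text matches the new syntax.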
@ -201,19 +220,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
packets from the listed IP addresses to be dropped and logged by the causes packets from the listed IP addresses to be dropped and logged
firewall. Logging will occur at the level specified by the by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
packets from the listed IP addresses to be rejected and logged by the - causes packets from the listed IP addresses to be rejected and
firewall. Logging will occur at the level specified by the logged by the firewall. Logging will occur at the level specified by
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
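Review bot: `logreject [to|from}` has a mismatched closing brace where `]` is meant, and like the reject entry lacks the space before the address list; the "packets from the listed IP addresses" wording also needs the same to/from qualification for logdrop and logreject.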

View File

@ -72,6 +72,28 @@
from services(5).</para> from services(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - {-|to|from|}</term>
<listitem>
<para>If specified, indicates whether traffic <emphasis
role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
then this column has no effect on the generated rule.</para>
<note>
<para>Blacklisting is still restricted to traffic
<emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>When a packet arrives on an interface that has the <emphasis <para>When a packet arrives on an interface that has the <emphasis
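Review bot: the term `{-|to|from|}` carries a stray trailing `|`, which reads as an empty fourth alternative; `{-|to|from}` is the intended form. The term also says "Added in 4.4.12" where the shorewall6 manpage says "Added in Shorewall 4.4.12"; pick one. The note restricting blacklisting to traffic arriving on an interface with the 'blacklist' option is the caveat users will need most and is well placed.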

View File

@ -73,6 +73,29 @@
destination port numbers or service names from services(5).</para> destination port numbers or service names from services(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in Shorewall 4.4.12) -
{-|to|from|}</term>
<listitem>
<para>If specified, indicates whether traffic <option>to</option> or
<option>from</option> the ADDRESS/SUBNET should be blacklisted. The
default is <emphasis role="bold">from</emphasis>. If the
ADDRESS/SUBNET column is empty, then this column has no effect on
the generated rule.</para>
<note>
<para>Blacklisting is still restricted to traffic
<emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>When a packet arrives on an interface that has the <emphasis <para>When a packet arrives on an interface that has the <emphasis
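Review bot: same stray trailing `|` in `{-|to|from|}` as in the shorewall-blacklist page. The markup here also mixes `<option>` for to/from in the first sentence with `<emphasis role="bold">` for the default, while the IPv4 page uses `<emphasis role="bold">` throughout; the two pages should use the same markup.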