Add ICMP and MULTIPORT support to the black list
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@237 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
80498aa034
commit
53f8743591
@ -4,18 +4,30 @@
|
|||||||
# /etc/shorewall/blacklist
|
# /etc/shorewall/blacklist
|
||||||
#
|
#
|
||||||
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||||
|
#
|
||||||
|
# MAC addresses must be prefixed with "~" and use "-"
|
||||||
|
# as a separator.
|
||||||
|
#
|
||||||
|
# Example: ~00-A0-C9-15-39-78
|
||||||
|
#
|
||||||
|
# PROTOCOL - Optional. If specified, must be a protocol number
|
||||||
|
# or a protocol name from /etc/protocols.
|
||||||
|
#
|
||||||
|
# PORTS - Optional. May only be specified if the protocol
|
||||||
|
# is TCP (6) or UDP (17). A comma-separated list
|
||||||
|
# of port numbers or service names from /etc/services.
|
||||||
|
#
|
||||||
# When a packet arrives on in interface that has the 'blacklist' option
|
# When a packet arrives on in interface that has the 'blacklist' option
|
||||||
# specified, its source IP address is checked against this file and disposed of
|
# specified, its source IP address is checked against this file and disposed of
|
||||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
||||||
# /etc/shorewall/shorewall.conf
|
# /etc/shorewall/shorewall.conf
|
||||||
#
|
#
|
||||||
# MAC addresses must be prefixed with "~" and use "-" as a separator.
|
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||||
#
|
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||||
# Example: ~00-A0-C9-15-39-78
|
|
||||||
#
|
|
||||||
# Each ADDRESS/SUBNET may be optionally followed by a protocol name or number
|
|
||||||
# and an optional port number. If these are supplied, only packets matching
|
|
||||||
# the protocol and the port (if supplied) are blocked.
|
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
#
|
#
|
||||||
@ -23,6 +35,7 @@
|
|||||||
#
|
#
|
||||||
# ADDRESS/SUBNET PROTOCOL PORT
|
# ADDRESS/SUBNET PROTOCOL PORT
|
||||||
# 192.0.2.126 udp 53
|
# 192.0.2.126 udp 53
|
||||||
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ADDRESS/SUBNET PROTOCOL PORT
|
#ADDRESS/SUBNET PROTOCOL PORT
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -70,6 +70,14 @@ list_search() # $1 = element to search for , $2-$n = list
|
|||||||
|
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
###############################################################################
|
||||||
|
# Function to count list elements #
|
||||||
|
###############################################################################
|
||||||
|
list_count() {
|
||||||
|
local temp=`separate_list $1`
|
||||||
|
|
||||||
|
echo $temp | wc -w
|
||||||
|
}
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
|
# Mutual exclusion -- These functions are jackets for the mutual exclusion #
|
||||||
@ -1772,14 +1780,6 @@ add_a_rule()
|
|||||||
################################################################################
|
################################################################################
|
||||||
process_rule() {
|
process_rule() {
|
||||||
|
|
||||||
# Function to count list elements
|
|
||||||
|
|
||||||
list_count() {
|
|
||||||
local temp=`separate_list $1`
|
|
||||||
|
|
||||||
echo $temp | wc -w
|
|
||||||
}
|
|
||||||
|
|
||||||
# Function Body -- isolate log level
|
# Function Body -- isolate log level
|
||||||
|
|
||||||
if [ "$target" = "${target%:*}" ]; then
|
if [ "$target" = "${target%:*}" ]; then
|
||||||
@ -2501,6 +2501,21 @@ setup_intrazone() # $1 = zone
|
|||||||
ensurechain ${1}2${1}
|
ensurechain ${1}2${1}
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
###############################################################################
|
||||||
|
# Add a record to the blacklst chain #
|
||||||
|
# #
|
||||||
|
# $source = address match #
|
||||||
|
# $proto = protocol selector #
|
||||||
|
# $dport = destination port selector #
|
||||||
|
###############################################################################
|
||||||
|
add_blacklist_rule() {
|
||||||
|
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
||||||
|
run_iptables -A blacklst $source $proto $dport -j \
|
||||||
|
LOG $LOGPARMS --log-prefix \
|
||||||
|
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
||||||
|
--log-level $BLACKLIST_LOGLEVEL
|
||||||
|
run_iptables -A blacklst $source $proto $dport -j $disposition
|
||||||
|
}
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Process a record from the blacklist file #
|
# Process a record from the blacklist file #
|
||||||
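Review bot: The header block above `add_blacklist_rule` lists `$source`, `$proto` and `$dport` as its inputs, but the body also reads `$disposition` (the `-j $disposition` on its final rule), `$LOGPARMS` and the `BLACKLIST_LOGLEVEL`/`BLACKLIST_DISPOSITION` settings, so the documented contract is incomplete. Add a line such as `# $disposition = target for the blocking rule #` to the header and a sentence noting that every input arrives through globals, so the function is only meaningful when called from process_blacklist_rec after those have been set. Both the log rule and the blocking rule use the same match, so a reader may also want a comment that the LOG rule is deliberately appended first.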
@ -2512,7 +2527,7 @@ setup_intrazone() # $1 = zone
|
|||||||
process_blacklist_rec() {
|
process_blacklist_rec() {
|
||||||
local source
|
local source
|
||||||
local addr
|
local addr
|
||||||
local proto=
|
local proto
|
||||||
local dport
|
local dport
|
||||||
|
|
||||||
for addr in `separate_list $subnet`; do
|
for addr in `separate_list $subnet`; do
|
||||||
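Review bot: Dropping the initializer (`local proto=` becomes `local proto`) is harmless under bash, but under shells whose `local` without an assignment inherits the surrounding value (dash/ash document this) a global `proto`, if one exists elsewhere in the script, would leak into records that have no PROTOCOL column, because `proto` is only assigned inside `if [ -n "$protocol" ]` in the following hunk. Keeping `local proto=` costs nothing and removes the dependency on which shell runs the script; the unchanged `local dport` on the next line has the same exposure. process_blacklist_rec continues past this hunk.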
@ -2528,19 +2543,47 @@ process_blacklist_rec() {
|
|||||||
|
|
||||||
if [ -n "$protocol" ]; then
|
if [ -n "$protocol" ]; then
|
||||||
proto=" -p $protocol "
|
proto=" -p $protocol "
|
||||||
|
|
||||||
[ -n "$port" ] && dport="--dport $port"
|
case $protocol in
|
||||||
|
tcp|TCP|6|udp|UDP|17)
|
||||||
|
if [ -n "$ports" ]; then
|
||||||
|
if [ -n "$MULTIPORT" -a \
|
||||||
|
"$ports" != "${ports%,*}" -a \
|
||||||
|
"$ports" = "${ports%:*}" -a \
|
||||||
|
`list_count $ports` -le 15 ]
|
||||||
|
then
|
||||||
|
dport="-m multiport --dports $ports"
|
||||||
|
add_blacklist_rule
|
||||||
|
else
|
||||||
|
for dport in `separate_list $ports`; do
|
||||||
|
dport="--dport $dport"
|
||||||
|
add_blacklist_rule
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
add_blacklist_rule
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
icmp|ICMP|0)
|
||||||
|
if [ -n "$ports" ]; then
|
||||||
|
for dport in `separate_list $ports`; do
|
||||||
|
dport="--icmp-type $dport"
|
||||||
|
add_blacklist_rule
|
||||||
|
done
|
||||||
|
else
|
||||||
|
add_blacklist_rule
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
add_blacklist_rule
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
add_blacklist_rule
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$BLACKLIST_LOGLEVEL" ] && \
|
if [ -n "$ports" ]; then
|
||||||
run_iptables -A blacklst $source $proto $dport -j \
|
addr="$addr $protocol $ports"
|
||||||
LOG $LOGPARMS --log-prefix \
|
|
||||||
"Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
|
|
||||||
--log-level $BLACKLIST_LOGLEVEL
|
|
||||||
run_iptables -A blacklst $source $proto $dport -j $disposition
|
|
||||||
|
|
||||||
if [ -n "$port" ]; then
|
|
||||||
addr="$addr $protocol $port"
|
|
||||||
elif [ -n "$protocol" ]; then
|
elif [ -n "$protocol" ]; then
|
||||||
addr="$addr $protocol"
|
addr="$addr $protocol"
|
||||||
fi
|
fi
|
||||||
@ -2574,8 +2617,8 @@ setup_blacklist() {
|
|||||||
|
|
||||||
[ "$disposition" = REJECT ] && disposition=reject
|
[ "$disposition" = REJECT ] && disposition=reject
|
||||||
|
|
||||||
while read subnet protocol port; do
|
while read subnet protocol ports; do
|
||||||
expandv subnet protocol port
|
expandv subnet protocol ports
|
||||||
process_blacklist_rec
|
process_blacklist_rec
|
||||||
done < $TMP_DIR/blacklist
|
done < $TMP_DIR/blacklist
|
||||||
|
|
||||||
@ -2598,8 +2641,8 @@ refresh_blacklist() {
|
|||||||
|
|
||||||
run_iptables -F blacklst
|
run_iptables -F blacklst
|
||||||
|
|
||||||
while read subnet protocol port; do
|
while read subnet protocol ports; do
|
||||||
expandv subnet protocol port
|
expandv subnet protocol ports
|
||||||
process_blacklist_rec
|
process_blacklist_rec
|
||||||
done < $TMP_DIR/blacklist
|
done < $TMP_DIR/blacklist
|
||||||
fi
|
fi
|
||||||
|