Add 'logdrop' and 'logreject' commands for dynamic blacklisting with logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3715 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5351d30446
commit
f0372d9209
@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2
|
|||||||
|
|
||||||
3) Add 'refreshed' extension script.
|
3) Add 'refreshed' extension script.
|
||||||
|
|
||||||
|
4) Implement 'logdrop' and 'logreject'
|
||||||
|
|
||||||
Changes in 3.1.x. and 3.2.x
|
Changes in 3.1.x. and 3.2.x
|
||||||
|
|
||||||
1) Removal of dynamic zones.
|
1) Removal of dynamic zones.
|
||||||
|
@ -7261,15 +7261,23 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
createchain reject no
|
createchain reject no
|
||||||
createchain dynamic no
|
createchain dynamic no
|
||||||
|
createchain logdrop no
|
||||||
|
createchain logreject no
|
||||||
createchain smurfs no
|
createchain smurfs no
|
||||||
|
|
||||||
|
log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
|
||||||
|
log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
|
||||||
|
|
||||||
|
run_iptables -A logdrop -j DROP
|
||||||
|
run_iptables -A logreject -j reject
|
||||||
|
|
||||||
indent >&3 << __EOF__
|
indent >&3 << __EOF__
|
||||||
|
|
||||||
if [ -f /var/lib/shorewall/save ]; then
|
if [ -f /var/lib/shorewall/save ]; then
|
||||||
progress_message2 "Setting up dynamic rules..."
|
progress_message2 "Setting up dynamic rules..."
|
||||||
while read target ignore1 ignore2 address rest; do
|
while read target ignore1 ignore2 address rest; do
|
||||||
case \$target in
|
case \$target in
|
||||||
DROP|reject)
|
DROP|reject|logdrop|logreject)
|
||||||
run_iptables -A dynamic -s \$address -j \$target
|
run_iptables -A dynamic -s \$address -j \$target
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
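Review bot: The two new `log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP` / `logreject REJECT` rules log every packet from a blacklisted address with no rate limit visible here, so a source that keeps transmitting after it has been logdropped fills the log at whatever rate it sends; if `log_rule` in this tree takes a limit argument it should be applied to both chains, otherwise a comment on these lines should record that the volume is deliberately unbounded. `run_iptables -A logreject -j reject` jumps to the Shorewall `reject` chain from `createchain reject no` above rather than the iptables REJECT target, while the preceding `log_rule` names the disposition `REJECT`; a comment such as `# 'reject' is the Shorewall chain built above, not the REJECT target` would keep a later reader from "correcting" the case. initialize_netfilter begins and ends outside the hunk.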
@ -161,7 +161,7 @@ drop)
|
|||||||
echo "$1: $1 <address> ...
|
echo "$1: $1 <address> ...
|
||||||
Causes packets from the specified <address> to be ignored
|
Causes packets from the specified <address> to be ignored
|
||||||
|
|
||||||
Shorewall allow, drop, reject and save implement dynamic blacklisting.
|
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||||
|
|
||||||
See also \"help address\""
|
See also \"help address\""
|
||||||
;;
|
;;
|
||||||
@ -215,12 +215,30 @@ iprange)
|
|||||||
equivalent list of network/host addresses."
|
equivalent list of network/host addresses."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
logdrop)
|
||||||
|
echo "$1: $1 <address> ...
|
||||||
|
Causes packets from the specified <address> to be ignored and loged.
|
||||||
|
|
||||||
|
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||||
|
|
||||||
|
See also \"help address\""
|
||||||
|
;;
|
||||||
|
|
||||||
logwatch)
|
logwatch)
|
||||||
echo "logwatch: logwatch [<refresh interval>]
|
echo "logwatch: logwatch [<refresh interval>]
|
||||||
Monitors the LOGFILE, $LOGFILE,
|
Monitors the LOGFILE, $LOGFILE,
|
||||||
and produces an audible alarm when new Shorewall messages are logged."
|
and produces an audible alarm when new Shorewall messages are logged."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
logreject)
|
||||||
|
echo "$1: $1 <address> ...
|
||||||
|
Causes packets from the specified <address> to be rejected and logged.
|
||||||
|
|
||||||
|
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||||
|
|
||||||
|
See also \"help address\""
|
||||||
|
;;
|
||||||
|
|
||||||
refresh)
|
refresh)
|
||||||
echo "refresh: refresh
|
echo "refresh: refresh
|
||||||
The rules involving the broadcast addresses of firewall interfaces,
|
The rules involving the broadcast addresses of firewall interfaces,
|
||||||
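Review bot: The new logdrop help text reads `Causes packets from the specified <address> to be ignored and loged.` — "loged" is a typo in user-facing output; change it to `Causes packets from the specified <address> to be ignored and logged.` so it matches the logreject entry added a few lines further down. The enclosing case statement starts and ends outside the hunk.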
@ -232,7 +250,7 @@ reject)
|
|||||||
echo "$1: $1 <address> ...
|
echo "$1: $1 <address> ...
|
||||||
Causes packets from the specified <address> to be rejected
|
Causes packets from the specified <address> to be rejected
|
||||||
|
|
||||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||||
|
|
||||||
See also \"help address\""
|
See also \"help address\""
|
||||||
;;
|
;;
|
||||||
@ -283,7 +301,7 @@ save)
|
|||||||
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
||||||
in the file specified by the RESTOREFILE option in shorewall.conf.
|
in the file specified by the RESTOREFILE option in shorewall.conf.
|
||||||
|
|
||||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||||
|
|
||||||
See also \"help restore\" and \"help forget\""
|
See also \"help restore\" and \"help forget\""
|
||||||
;;
|
;;
|
||||||
|
@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2
|
|||||||
1) A 'refreshed' extension script has been added -- it is executed after
|
1) A 'refreshed' extension script has been added -- it is executed after
|
||||||
"shorewall refresh" has finished.
|
"shorewall refresh" has finished.
|
||||||
|
|
||||||
|
2) Two new dynamic blacklisting commands have been added:
|
||||||
|
|
||||||
|
logdrop -- like 'drop' but causes the dropped packets to be logged.
|
||||||
|
|
||||||
|
logreject -- like 'reject' but causes the rejected packets to be
|
||||||
|
logged.
|
||||||
|
|
||||||
|
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
|
||||||
|
last "shorewall [re]start"; otherwise, they are logged at the 'info'
|
||||||
|
log level.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) A number of macros have been split into two. The macros affected are:
|
1) A number of macros have been split into two. The macros affected are:
|
||||||
|
@ -1314,6 +1314,8 @@ usage() # $1 = exit status
|
|||||||
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
|
||||||
echo " ipdecimal { <address> | <integer> }"
|
echo " ipdecimal { <address> | <integer> }"
|
||||||
echo " iprange <address>-<address>"
|
echo " iprange <address>-<address>"
|
||||||
|
echo " logdrop <address> ..."
|
||||||
|
echo " logreject <address> ..."
|
||||||
echo " logwatch [<refresh interval>]"
|
echo " logwatch [<refresh interval>]"
|
||||||
echo " refresh"
|
echo " refresh"
|
||||||
echo " reject <address> ..."
|
echo " reject <address> ..."
|
||||||
@ -1777,6 +1779,8 @@ case "$COMMAND" in
|
|||||||
shift
|
shift
|
||||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logreject
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logdrop
|
||||||
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||||
echo "$1 Dropped"
|
echo "$1 Dropped"
|
||||||
done
|
done
|
||||||
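Review bot: The four `qt $IPTABLES -D dynamic -s $1 -j …` deletions (reject, DROP, logreject, logdrop) are now repeated verbatim in the drop branch here, in the logdrop branch and the reject|logreject branch of the `@ -1795,7 +1799,29 @@` hunk, and as an `||` chain in the allow branch of the `@ -1811,7 +1837,11 @@` hunk, so the next blacklist target has to be added in four places. Factoring the sequence into a helper defined beside the script's other functions keeps the target list in one spot for the three blacklisting commands; allow depends on the exit status of the chain, so it keeps its `if` but can take the list from the same place. The `case "$COMMAND"` statement and the drop branch both begin outside the hunk.
```shell
# Remove any existing dynamic-blacklist rule for an address; $1 = address.
# New blacklist targets are added here rather than in each command branch.
delete_dynamic_rules() {
    qt $IPTABLES -D dynamic -s $1 -j reject
    qt $IPTABLES -D dynamic -s $1 -j DROP
    qt $IPTABLES -D dynamic -s $1 -j logreject
    qt $IPTABLES -D dynamic -s $1 -j logdrop
}
# … unchanged: case "$COMMAND" in … drop) … while loop, shift …
delete_dynamic_rules $1
$IPTABLES -A dynamic -s $1 -j DROP || break 1
```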
@ -1786,7 +1790,7 @@ case "$COMMAND" in
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
reject)
|
logdrop)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
[ $# -eq 1 ] && usage 1
|
[ $# -eq 1 ] && usage 1
|
||||||
if shorewall_is_started ; then
|
if shorewall_is_started ; then
|
||||||
@ -1795,7 +1799,29 @@ case "$COMMAND" in
|
|||||||
shift
|
shift
|
||||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
qt $IPTABLES -D dynamic -s $1 -j logreject
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logdrop
|
||||||
|
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
|
||||||
|
echo "$1 Dropped"
|
||||||
|
done
|
||||||
|
mutex_off
|
||||||
|
else
|
||||||
|
error_message "ERROR: Shorewall is not started"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
reject|logreject)
|
||||||
|
[ -n "$debugging" ] && set -x
|
||||||
|
[ $# -eq 1 ] && usage 1
|
||||||
|
if shorewall_is_started ; then
|
||||||
|
mutex_on
|
||||||
|
while [ $# -gt 1 ]; do
|
||||||
|
shift
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logreject
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logdrop
|
||||||
|
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
|
||||||
echo "$1 Rejected"
|
echo "$1 Rejected"
|
||||||
done
|
done
|
||||||
mutex_off
|
mutex_off
|
||||||
@ -1811,7 +1837,11 @@ case "$COMMAND" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
|
||||||
|
qt $IPTABLES -D dynamic -s $1 -j logreject
|
||||||
|
then
|
||||||
echo "$1 Allowed"
|
echo "$1 Allowed"
|
||||||
else
|
else
|
||||||
echo "$1 Not Dropped or Rejected"
|
echo "$1 Not Dropped or Rejected"
|
||||||
|
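Review bot: The backslashes after `||` on the three rewritten lines of the allow branch (`if qt $IPTABLES -D dynamic -s $1 -j reject ||\` and the two that follow) are redundant, because the shell already continues a command after a trailing `||`; dropping them leaves `if qt $IPTABLES -D dynamic -s $1 -j reject ||` on its own line and removes the chance that a stray space after a `\` turns into a syntax error. The `qt` wrapper is relied on here to pass through the iptables exit status, which is not visible in this hunk; if it does not, the chain would always fall through to `echo "$1 Not Dropped or Rejected"`, so that is worth confirming. The allow branch begins outside the hunk.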