holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add destination IP blacklisting

Browse Source
This commit is contained in:
Tom Eastep 2010-08-10 17:33:50 -07:00
parent d9cbbea36a
commit 0234564a1b
10 changed files with 226 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -261,14 +261,23 @@ sub setup_blacklist() {
$first_entry = 0;
}
my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
my $direction = 'from';
$options = 'from' if $options eq '-';
for ( split /,/, $options ) {
fatal_error "Invalid OPTION ($_)" unless /^(from|to)$/;
$direction = $_;
}
expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks ,
'' ,
$direction eq 'from' ? $networks : '',
$direction eq 'to' ? $networks : '',
'' ,
"-j $target" ,
'' ,

2
Shorewall/changelog.txt
View File

@ -20,6 +20,8 @@ Changes in Shorewall 4.4.12
10) Support new set match syntax.
11) Blacklisting by DEST IP.
Changes in Shorewall 4.4.11
1) Apply patch from Gabriel.

3
Shorewall/configfiles/blacklist
View File

@ -7,4 +7,5 @@
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS

67
Shorewall/lib.cli
View File

@ -1066,6 +1066,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1
local finished
finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@ -1077,19 +1081,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do
case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*)
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
;;
*)
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $chain || break 1
qt $IPTABLES -D dynamic $which $1 -j reject
qt $IPTABLES -D dynamic $which $1 -j DROP
qt $IPTABLES -D dynamic $which $1 -j logreject
qt $IPTABLES -D dynamic $which $1 -j logdrop
$IPTABLES -A dynamic $which $1 -j $chain || break 1
;;
esac
@ -1379,6 +1395,11 @@ allow_command() {
[ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2
@ -1388,11 +1409,21 @@ allow_command() {
while [ $# -gt 1 ]; do
shift
case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*)
if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
if qt $IPTABLES -D dynamic -m iprange $range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
then
echo "$1 Allowed"
else
@ -1400,10 +1431,10 @@ allow_command() {
fi
;;
*)
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
if qt $IPTABLES -D dynamic $which $1 -j reject ||\
qt $IPTABLES -D dynamic $which $1 -j DROP ||\
qt $IPTABLES -D dynamic $which $1 -j logdrop ||\
qt $IPTABLES -D dynamic $which $1 -j logreject
then
echo "$1 Allowed"
else

27
Shorewall/releasenotes.txt
View File

@ -314,6 +314,33 @@ None.
you use a capabilities file, be sure to regenerate it with 4.4.12
shorewall-lite or shorewall6-lite.
6) Blacklisting can now be done by destination IP address as well as
by source address.
The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
now have an optional OPTIONS column. Initially, this column can
contain either 'from' (the default) or 'to'; the latter causes the
address(es) in the ADDRESS/SUBNET column to be interpreted as a
DESTINATION address rather than a source address.
Note that static blacklisting is still restricted to traffic
ARRIVING on an interface that has the 'blacklist' option set. So to
block traffic from your local network to an internet host, you must
specify 'blacklist' on your internal interface.
Similarly, dynamic blacklisting has been enhanced to recognize the
'from' and 'to' keywords.
Example:
shorewall drop to 1.2.3.4
This command will silently drop connection requests from 1.2.3.4.
The reciprocal of that command would be:
shorewall allow to 1.2.3.4
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S

2
Shorewall6/blacklist
View File

@ -7,4 +7,4 @@
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS

67
Shorewall6/lib.cli
View File

@ -958,6 +958,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1
local finished
finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@ -969,19 +973,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do
case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*)
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
;;
*)
qt $IP6TABLES -D dynamic -s $1 -j reject
qt $IP6TABLES -D dynamic -s $1 -j DROP
qt $IP6TABLES -D dynamic -s $1 -j logreject
qt $IP6TABLES -D dynamic -s $1 -j logdrop
$IP6TABLES -A dynamic -s $1 -j $chain || break 1
qt $IP6TABLES -D dynamic $which $1 -j reject
qt $IP6TABLES -D dynamic $which $1 -j DROP
qt $IP6TABLES -D dynamic $which $1 -j logreject
qt $IP6TABLES -D dynamic $which $1 -j logdrop
$IP6TABLES -A dynamic $which $1 -j $chain || break 1
;;
esac
@ -1086,6 +1102,11 @@ allow_command() {
[ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2
@ -1095,11 +1116,21 @@ allow_command() {
while [ $# -gt 1 ]; do
shift
case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*)
if qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
if qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
then
echo "$1 Allowed"
else
@ -1107,10 +1138,10 @@ allow_command() {
fi
;;
*)
if qt $IP6TABLES -D dynamic -s $1 -j reject ||\
qt $IP6TABLES -D dynamic -s $1 -j DROP ||\
qt $IP6TABLES -D dynamic -s $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -s $1 -j logreject
if qt $IP6TABLES -D dynamic $which $1 -j reject ||\
qt $IP6TABLES -D dynamic $which $1 -j DROP ||\
qt $IP6TABLES -D dynamic $which $1 -j logdrop ||\
qt $IP6TABLES -D dynamic $which $1 -j logreject
then
echo "$1 Allowed"
else

59
docs/blacklisting_support.xml
View File

@ -20,6 +20,8 @@
<copyright>
<year>2002-2006</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -61,6 +63,20 @@
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para>
<variablelist>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See <ulink
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important>
<important>
@ -161,25 +177,28 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite]
commands:</para>
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
<emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist>
<listitem>
<para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be silently dropped by the
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
receipt of packets from hosts previously blacklisted by a
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
@ -201,19 +220,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
</listitem>
<listitem>
<para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be dropped and logged by the
firewall. Logging will occur at the level specified by the
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes
packets from the listed IP addresses to be rejected and logged by the
firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
<para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>

22
manpages/shorewall-blacklist.xml
View File

@ -72,6 +72,28 @@
from services(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) - {-|to|from|}</term>
<listitem>
<para>If specified, indicates whether traffic <emphasis
role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
then this column has no effect on the generated rule.</para>
<note>
<para>Blacklisting is still restricted to traffic
<emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
</variablelist>
<para>When a packet arrives on an interface that has the <emphasis

23
manpages6/shorewall6-blacklist.xml
View File

@ -73,6 +73,29 @@
destination port numbers or service names from services(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in Shorewall 4.4.12) -
{-|to|from|}</term>
<listitem>
<para>If specified, indicates whether traffic <option>to</option> or
<option>from</option> the ADDRESS/SUBNET should be blacklisted. The
default is <emphasis role="bold">from</emphasis>. If the
ADDRESS/SUBNET column is empty, then this column has no effect on
the generated rule.</para>
<note>
<para>Blacklisting is still restricted to traffic
<emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para>
</note>
</listitem>
</varlistentry>
</variablelist>
<para>When a packet arrives on an interface that has the <emphasis