From 2d6cfe469edf65e5d8edb0ec045551a7030b21b7 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 28 Oct 2007 19:17:37 +0000
Subject: [PATCH] Add example to Manual Chains document
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7560 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
docs/Documentation_Index.xml | 119 +++++++++++++++---------------
docs/ManualChains.xml | 138 ++++++++++++++++++++++++++++++++++-
docs/PortKnocking.xml | 3 +
3 files changed, 197 insertions(+), 63 deletions(-)
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 81a25f3ef..ec3428b5a 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -54,23 +54,13 @@ - - - - Limiting per-IPaddress - Connection Rate - - Scalability and - Performance - - Accounting Logging - Shorewall - Lite + Scalability and + Performance
@@ -78,8 +68,8 @@ Macros - Shorewall - Modularization + Shorewall + Lite
@@ -89,8 +79,8 @@ MAC Verification - Shorewall 4.x -- - What's new + Shorewall + Modularization
@@ -99,14 +89,26 @@ Man Pages - Shorewall - Perl + Shorewall 4.x -- + What's new Bandwidth Control (Russian) + Manual + Chains + + Shorewall + Perl + + + + Blacklisting + (Russian) + Masquerading
@@ -115,9 +117,8 @@ - Blacklisting - (Russian) + Bridge: Shorewall-perl Multiple Internet Connections from a Single Firewall ( - Bridge: Shorewall-perl + Bridge: No control of + traffic through the bridge Multiple Zones Through One Interface
@@ -139,8 +140,7 @@ - Bridge: No control of - traffic through the bridge + Commands My Shorewall Configuration
@@ -150,8 +150,8 @@ - Commands + Compiled + Firewall Programs Netfilter Overview
@@ -162,8 +162,8 @@ - Compiled Firewall - Programs + Configuration File + Basics Network Mapping
@@ -172,8 +172,8 @@ - Configuration - File Basics + DHCP One-to-one NAT (Static NAT)
@@ -182,7 +182,9 @@ - DHCP + DNAT (Destination + Network Address Translation) OpenVPN 
@@ -192,9 +194,7 @@ - DNAT - (Destination Network Address - Translation) + ECN Disabling by host or subnet Operating Shorewall
@@ -205,8 +205,9 @@ - ECN Disabling by host or - subnet + Extension Scripts + (User Exits) Packet Marking
@@ -215,8 +216,8 @@ - Extension - Scripts (User Exits) + Fallback/Uninstall Packet Processing in a Shorewall-based Firewall
@@ -226,8 +227,7 @@ - Fallback/Uninstall + FAQs 'Ping' Management
@@ -235,7 +235,8 @@ - FAQs + Features Port Forwarding
@@ -244,8 +245,8 @@ - Features + Forwarding Traffic on the + Same Interface Port Information
@@ -254,8 +255,7 @@ - Forwarding Traffic on the - Same Interface + FTP and Shorewall Port Knocking and Other Uses of the 'Recent Match'
@@ -265,7 +265,8 @@ - FTP and Shorewall + Getting help or answers to + questions PPTP
@@ -274,8 +275,8 @@ - Getting help or answers to - questions + Installation/Upgrade + (Français) Proxy ARP
@@ -283,8 +284,7 @@ - Installation/Upgrade - (Français) + IPP2P QuickStart Guides
@@ -293,7 +293,8 @@ - IPP2P + IPSEC using Kernel 2.6 and + Shorewall 2.1 or Later Release Model
@@ -302,8 +303,7 @@ - IPSEC using Kernel 2.6 and - Shorewall 2.1 or Later + Ipsets Requirements
@@ -312,7 +312,8 @@ - Ipsets + Kazaa + Filtering Routing and Shorewall
@@ -321,8 +322,8 @@ - Kazaa - Filtering + Kernel + Configuration Routing on One Interface
@@ -331,8 +332,8 @@ - Kernel - Configuration + Limiting per-IPaddress + Connection Rate Samba
diff --git a/docs/ManualChains.xml b/docs/ManualChains.xml
index 992acc915..d1d1de60b 100644
--- a/docs/ManualChains.xml
+++ b/docs/ManualChains.xml
@@ -34,13 +34,13 @@ -
+
Introduction Manual chains were introduced in Shorewall-perl 4.0.6; for Perl programmers, manual chains provide an alternative to Actions with extension scripts. Manual chains are chains which you create and populate - yourself using the low-level functions in Shorewall::Chains. + yourself using the low-level functions in Shorewall::Chains. Manual chains work in conjunction with the compile
-
+
Example - 
+ This example provides an alternative to the Port Knocking example.
+
+ In this example, a Knock.pm module is created and placed in
+ /etc/shorewall:
+
+ package Knock;
+
+use strict;
+use warnings;
+use base qw{Exporter};
+use Carp;
+use Shorewall::Chains;
+use Scalar::Util qw{reftype};
+use Shorewall::Config qw{shorewall};
+
+our @EXPORT = qw{Knock};
+
+my %recent_names;
+my %chains_created;
+
+sub scalar_or_array {
+ my $arg = shift;
+ my $name = shift;
+ return () unless defined $arg;
+ return ($arg) unless reftype($arg);
+ return @$arg if reftype($arg) eq 'ARRAY';
+ croak "Expecting argument '$name' to be scalar or array ref";
+}
+
+sub Knock {
+ my $src = shift;
+ my $dest = shift;
+ my $args = shift;
+
+ my $proto = $args->{proto} || 'tcp';
+ my $seconds = $args->{seconds} || 60;
+ my $original_dest = $args->{original_dest} || '-';
+ my @target = scalar_or_array($args->{target}, 'target');
+ my @knocker_ports = scalar_or_array($args->{knocker}, 'knocker');
+ my @trap_ports = scalar_or_array($args->{trap}, 'trap');
+
+ if (not defined $args->{name}) {
+ # If you don't supply a name, then this must be the single-call
+ # variant, so you have to specify all the arguments
+ unless (scalar @target) {
+ croak "No 'target' ports specified";
+ }
+
+ unless (scalar @knocker_ports) {
+ croak "No 'knock' ports specified";
+ }
+ }
+
+ # We'll need a unique name for the recent match list. Construct one
+ # from the port and a serial number, if the user didn't supply one.
+ my $name = $args->{name} || ($target[0] . '_' . ++$recent_names{$target[0]});
+ $name = 'Knock' . 
$name;
+
+ # We want one chain for all Knock rules that share a 'name' field
+ my $chainref = $chains_created{$name};
+ unless (defined $chainref) {
+ $chainref = $chains_created{$name} = new_manual_chain($name);
+ }
+
+ # Logging
+ if ($args->{log_level}) {
+ foreach my $port (@target) {
+ log_rule_limit($args->{log_level},
+ $chainref,
+ 'Knock',
+ 'ACCEPT',
+ '',
+ $args->{log_tag} || '',
+ 'add',
+ "-p $proto --dport $port -m recent --rcheck --name $name"
+ );
+
+ log_rule_limit($args->{log_level},
+ $chainref,
+ 'Knock',
+ 'DROP',
+ '',
+ $args->{log_tag} || '',
+ 'add',
+ "-p $proto --dport ! $port"
+ );
+ }
+ }
+
+ # Add the recent match rules to the manual chain
+ foreach my $knock (@knocker_ports) {
+ add_rule($chainref, "-p $proto --dport $knock -m recent --name $name --set -j DROP");
+ }
+
+ foreach my $trap (@trap_ports) {
+ add_rule($chainref, "-p $proto --dport $trap -m recent --name $name --remove -j DROP");
+ }
+
+ foreach my $port (@target) {
+ add_rule($chainref, "-p $proto --dport $port -m recent --rcheck --seconds $seconds --name $name -j ACCEPT");
+ }
+
+ # And add a rule to the main chain(s) to jump into the manual chain at the appropriate points
+ my $all_dest_ports = join(',', @target, @knocker_ports, @trap_ports);
+ shorewall "$chainref->{name} $src $dest $proto $all_dest_ports - $original_dest";
+
+ return 1;
+}
+
+1;
+
+ This simplifies /etc/shorewall/compile:use Knock;
+1;
+
+ The rule from the Port Knocking article:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+SSHKnock net $FW tcp 22,1599,1600,1601
+
+
+ becomes:PERL Knock 'net', 'loc:192.168.1.5', {target => 22, knocker => 1600, trap => [1599, 1601]};Similarly#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+# PORT(S) DEST
+DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
+SSHKnock net $FW tcp 1599,1600,1601
+SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178becomes:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+# PORT(S) DEST
+DNAT- net loc:192.168.1.5 tcp 22 - 
206.124.146.178
+
+PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]};
+PERL Knock 'net', 'loc:192.168.1.5', {name => 'SSH', target => 22, original_dest => '206.124.136.178'};
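Review bot: The final PERL rule in the two-call example passes `original_dest => '206.124.136.178'` while the DNAT- rule beside it (and the SSHKnock rules it replaces) use 206.124.146.178, so the ORIGINAL DEST column that Knock appends to the generated rule would not match the DNAT rule and the example would not work as described; it should read `original_dest => '206.124.146.178'`. In Knock.pm earlier in the hunk, the second croak reports a missing 'knock' key although the value actually read is `$args->{knocker}`; `croak "No 'knocker' ports specified";` keeps the error consistent with the key the function accepts. The surrounding XML section begins before this hunk, so the section's opening is not visible here.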
\ No newline at end of file
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml
index d2203e3de..35863a784 100644
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -165,6 +165,9 @@ SSHKnock net loc:192.168.1.5 tcp 22 - + + For another way to implement Port Knocking, see the Manual Chain documentation.