Add TCP Flags Checking

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@324 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-11-10 21:34:20 +00:00
parent 7b8ddbea8e
commit 8c3af56566
3 changed files with 93 additions and 1 deletions


@ -529,7 +529,7 @@ validate_interfaces_file() {
for option in `separate_list $options`; do
case $option in
dhcp|noping|filterping|routestopped|norfc1918|multi)
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;;
@ -3211,6 +3211,47 @@ add_common_rules() {
done
fi
interfaces=`find_interfaces_by_option tcpflags`
if [ -n "$interfaces" ]; then
echo "Setting up TCP Flags checking..."
createchain tcpflags no
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
createchain logflags no
run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
case $TCP_FLAGS_DISPOSITION in
REJECT)
run_iptables -A logflags -j REJECT --reject-with tcp-reset
;;
*)
run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
;;
esac
disposition="-j logflags"
else
disposition="-j $TCP_FLAGS_DISPOSITION"
fi
run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition
run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
for interface in $interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -p tcp -j tcpflags
done
done
fi
#
# Process Black List
#
@ -3723,6 +3764,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
blacklist_interfaces=`find_interfaces_by_option blacklist`
filterping_interfaces=`find_interfaces_by_option filterping`
maclist_interfaces=`find_interfaces_by_maclist`
tcpflags_interfaces=`find_interfaces_by_option tcpflags`
#
# Normalize the first argument to this function
#
@ -3786,6 +3828,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
rulenum=$(($rulenum + 1))
fi
if ! list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1))
fi
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
else
#
@ -3810,6 +3856,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
if ! list_search $interface $maclist_interfaces; then
rulenum=$(($rulenum + 1))
fi
if ! list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1))
fi
fi
for h in $dest_hosts; do
@ -4076,6 +4126,8 @@ do_initialize() {
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
stopping=
have_mutex=
masq_seq=1
@ -4173,6 +4225,18 @@ do_initialize() {
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
}
#
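Review bot: The tcpflags chain built in the add_common_rules hunk tests only four flag combinations (ALL FIN,URG,PSH; ALL NONE; SYN,RST; SYN,FIN), so other combinations that are never valid on a TCP segment pass through to the normal rule set unlogged, which is narrower than the "certain illegal combinations" wording the interfaces-file comment promises. At minimum I would add `run_iptables -A tcpflags -p tcp --tcp-flags FIN,RST FIN,RST $disposition` and `run_iptables -A tcpflags -p tcp --tcp-flags FIN,ACK FIN $disposition` next to the existing four, since a FIN with no ACK can only be a crafted packet, and note in the comment which combinations are covered. The `disposition` variable is assigned in the hunk but its declaration is not visible here; if add_common_rules does not declare it `local`, it leaks into the caller's scope. The do_initialize hunk validates TCP_FLAGS_DISPOSITION but never checks TCP_FLAGS_LOG_LEVEL, so a bad level is only caught when iptables rejects the `--log-level` argument mid-startup; a one-line check beside the disposition case would fail earlier with a clearer startup_error.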


@ -89,6 +89,14 @@
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.


@ -404,4 +404,24 @@ MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
TCP_FLAGS_LOG_LEVEL=info
#LAST LINE -- DO NOT REMOVE
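Review bot: The TCP_FLAGS_DISPOSITION comment does not say which values are accepted, while the do_initialize change in this commit rejects anything other than ACCEPT, DROP or REJECT with a startup_error; the comment should state the permitted set so administrators are not surprised at startup, e.g. `# Valid values are ACCEPT, DROP and REJECT. If not specified` in place of the "If not specified" sentence. The same comment has a typo, `determins`, which should read `determines`. It would also help to mention that with REJECT the reply is a TCP reset, as the logflags chain in the compiler change uses `--reject-with tcp-reset`.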