From 8840c3c630aec44f2e2f8660a645e68e1ce635e5 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Wed, 6 Oct 2010 18:23:08 +0000
Subject: [PATCH] Advanced blocking added
---
 ChangeLog | 3 +++
 bin/firewall-sosdg | 52 +++++++++++++++++++++++++++++++++++++++++---
 blocked.default | 1 -
 ipv4-blocked.default | 10 +++++++++
 options.default | 4 +++-
 5 files changed, 65 insertions(+), 5 deletions(-)
 delete mode 100644 blocked.default
 create mode 100644 ipv4-blocked.default
diff --git a/ChangeLog b/ChangeLog
index 4a8b527..9884958 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@ - Cleanups
 - No longer display list of blocked IPs, considering if they are as long as my list is, they'll take 4 pages to display...
+ - New block file format, much more capable now, thanks to
+ an hour or two of improving my bash scripting skills to the
+ point where I can do more complex breakdowns of formats
 0.9.7 - Brielle Bruns
 - Support for marking packets, uses new config file and
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index e9a2b4b..4005fdf 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -139,8 +139,54 @@ if [ $BLOCKEDIP ]; then
   display_c YELLOW "Adding blocked IPs... "
   for i in `grep -v "\#" $BLOCKEDIP`; do
     #echo -n "$i "
-    $IPTABLES -A INPUT -s $i -j DROP
-    $IPTABLES -A OUTPUT -d $i -j DROP
+    if [[ "$i" =~ ":" ]]; then
+      IFS_OLD=${IFS};IFS=:
+      ADVBLKIP=($BLOCK)
+      IFS=${IFS_OLD}
+      SRCIF=${ADVBLKIP[0]}
+      SRCIP=${ADVBLKIP[1]}
+      SRCPORT=${ADVBLKIP[2]}
+      DSTIF=${ADVBLKIP[3]}
+      DSTIP=${ADVBLKIP[4]}
+      DSTPORT=${ADVBLKIP[5]}
+      DIRECTION=${ADVBLKIP[6]}
+      PROTO=${ADVBLKIP[7]}
+      if [ "$SRCIF" ]; then
+        SRCIF="-i ${SRCIF} "
+      fi
+      if [ "$SRCIP" ]; then
+        SRCIP="-s ${SRCIP} "
+      fi
+      if [ "$SRCPORT" ]; then
+        SRCPORT="--sport ${SRCPORT/-/:} "
+      fi
+      if [ "$DSTIF" ]; then
+        DSTIF="-o ${DSTIF} "
+      fi
+      if [ "$DSTIP" ]; then
+        DSTIP="-d ${DSTIP} "
+      fi
+      if [ "$DSTPORT" ]; then
+        DSTPORT="--dport ${DSTPORT/-/:} "
+      fi
+      if [ "$PROTO" ]; then
+        case $PROTO in
+          TCP|tcp) PROTO="-p tcp";;
+          UDP|udp) PROTO="-p udp";;
+          *) PROTO="-p ${PROTO}";;
+        esac
+      fi
+      case $DIRECTION in
+        IN) DIRECTION="INPUT" ;;
+        OUT) DIRECTION="OUTPUT" ;;
+        FWD) DIRECTION="FORWARD" ;;
+        *) DIRECTION="INPUT" ;;
+      esac
+      ${IPTABLES} -A ${DIRECTION} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} ${PROTO} -j DROP"
+    else
+      $IPTABLES -A INPUT -s $i -j DROP
+      $IPTABLES -A OUTPUT -d $i -j DROP
+    fi
   done
 fi
@@ -385,7 +431,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
   . "$BASEDIR/include/ipv4_custom_portforward"
 fi
-if [ $PORTFW ] && [ $NAT ]; then
+if [ "$PORTFW" ] && [ "$NAT" ]; then
   display_c YELLOW "Adding port forward for:"
   for i in `grep -v "\#" $PORTFW`; do
     PORTADD=( ${i//:/ } )
diff --git a/blocked.default b/blocked.default
deleted file mode 100644
index bd47c05..0000000
--- a/blocked.default
+++ /dev/null
@@ -1 +0,0 @@
-# List of IPs to block outright
diff --git a/ipv4-blocked.default b/ipv4-blocked.default
new file mode 100644
index 0000000..d4f6f29
--- /dev/null
+++ b/ipv4-blocked.default
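Review bot: `ADVBLKIP=($BLOCK)` splits a variable that is not assigned anywhere visible in the hunk instead of the loop entry `$i`, so every field comes back empty, `DIRECTION` falls through to the `*)` default and the generated rule degenerates to `iptables -A INPUT -j DROP`, which blocks all inbound traffic to the host; it should read `ADVBLKIP=($i)`. The rule line `${IPTABLES} -A ${DIRECTION} ... ${PROTO} -j DROP"` also carries a stray trailing `"` that opens an unterminated string (a parse error for the whole script), and it places `${PROTO}` after `--sport`/`--dport`, which iptables rejects because the tcp/udp port options are only recognised once `-p` has been parsed; change it to `${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP`. Unlike the `PROTO` case, the `DIRECTION` case is case-sensitive and maps any unrecognised value to INPUT, so a typo such as `in` silently yields an inbound-only rule; matching `IN|in` and so on, or rejecting unknown values with a message, would be safer. The enclosing `if [ $BLOCKEDIP ]` block and `for` loop start before the hunk.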
@@ -0,0 +1,10 @@
+# List of IPs to block outright
+# Two formats:
+# 1) One IP or range per line
+# 2) One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
+# :::::::
+# One can leave out
+# if you want to apply to all ports/interfaces/etc
+# Example:
+# - Block SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP
+# eth1:192.168.0.5:80:eth0:192.168.1.10:20-21:IN:TCP
diff --git a/options.default b/options.default
index 836f1ed..b2fdf21 100755
--- a/options.default
+++ b/options.default
@@ -89,9 +89,11 @@ HACK_IPV4="NS-IN-DDOS"
 #NAT_RANGE=
 # IP Ranges to block all traffic incoming/outgoing
-BLOCKEDIP=$BASEDIR/blocked
+# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
+BLOCKEDIP=$BASEDIR/ipv4-blocked
 # Block outgoing traffic on these TCP/UDP ports
+# Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0
 #BLOCKTCPPORTS="6881"
 #BLOCKUDPPORTS="6881"
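Review bot: The worked example `eth1:192.168.0.5:80:eth0:192.168.1.10:20-21:IN:TCP` pairs an output interface (`eth0` in the DSTIF field, which the script turns into `-o eth0`) with the `IN` direction, and iptables refuses `-o` on the INPUT chain, so the example as written is rejected when the blocked list is loaded; only FWD accepts both an input and an output interface, and the example should either use FWD or drop the DSTIF field. The format line `# :::::::` also appears to have lost its field names (it reads as seven bare colons, and the following `One can leave out` sentence is likewise missing its object), possibly placeholders stripped when the file was rendered; spelling the fields out, e.g. `# SRCIF:SRCIP:SRCPORT:DSTIF:DSTIP:DSTPORT:DIRECTION:PROTO`, would make the format usable without reading the script.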