Added "blacklist" helper to create blacklists.
Abstract from the documentation: blacklist [option] <IP> The blacklist helper creates a blacklist for the IP addresses given. It supports two modes of operation based on the option given (or the absence of it). The option can be: * one of the words them, him, her, it, this, these, input in which case it will generate a unidirectional stateful blacklist, meaning that you will be able to ask (initiate connections) anything from them, but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing). * one of the words all, full or omitted (no option given), in which case FireHOL will create bidirectional stateless rules that will DROP all traffic coming in from these IPs and will REJECT all traffic going to them. The blacklist helper affects both interfaces and routers. Example 1: blacklist this 195.97.5.202 Example 2: blacklist full 195.97.5.202 Suggested by: Mikkel Schubert
This commit is contained in:
parent
c0b8faf23d
commit
8cda3dc360
@ -57,6 +57,7 @@ automatically. FireHOL is extremely easy to understand, configure and audit.
|
||||
<li><a href="#snat">snat</a>, setup a Source NAT rule for routed traffic</li>
|
||||
<li><a href="#redirect">redirect</a>, setup a port redirection rule</li>
|
||||
<li><a href="#mac">mac</a>, setup a source mac address with IP match</li>
|
||||
<li><a href="#blacklist">blackilist</a>, setup a unidirectional or bidirectional blacklist</li>
|
||||
</ul>
|
||||
|
||||
</li>
|
||||
@ -594,6 +595,31 @@ Subcommands must be given within <a href="#primary_commands">Primary commands</a
|
||||
<p>
|
||||
Example: <b>mac 195.97.5.202 00:02:8a:21:a9:d8</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="blacklist"><h3><b>blacklist</b> [option] <font color="red"><IP></font></h3></a>
|
||||
The <b>blacklist</b> helper creates a blacklist for the <b>IP</b> addresses given. It supports two modes of operation
|
||||
based on the option given (or the absence of it).
|
||||
<p>
|
||||
The option can be:
|
||||
<ul>
|
||||
<li>one of the words <b>them, him, her, it, this, these, input</b> in which case it will generate a unidirectional
|
||||
statefull blacklist, meaning that you will be able to ask (initiate connections) anything from them,
|
||||
but they will not be able to ask (initiate connections) anything from you or the remote hosts you protect (routing).
|
||||
<br>
|
||||
</li>
|
||||
<li>one of the words <b>all, full</b> or ommitted (no option given), in which case FireHOL will create bidirectional
|
||||
stateless rules that will DROP all traffic comming in from these IPs and will REJECT all traffic going to them.
|
||||
</li>
|
||||
<p>
|
||||
</ul>
|
||||
The blacklist helper affects both interfaces and routers.
|
||||
<p>
|
||||
|
||||
Example 1: <b>blacklist this 195.97.5.202</b><br>
|
||||
Example 2: <b>blacklist full 195.97.5.202</b>
|
||||
<p>
|
||||
|
||||
<table border=0 cellpadding=10 cellspacing=0 width="100%"><tr bgcolor="#777777"><td align=center><font color="white"><b><big><a name="actions">Actions</a></td</tr></table>
|
||||
<small>
|
||||
@ -1225,7 +1251,7 @@ about optional rule parameters that should not be used in certain commands.
|
||||
<tr><td align=center valign=middle>
|
||||
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
|
||||
</td><td align=center valign=middle>
|
||||
<small>$Id: commands.html,v 1.35 2003/08/19 22:49:50 ktsaou Exp $</small>
|
||||
<small>$Id: commands.html,v 1.36 2003/08/23 21:42:35 ktsaou Exp $</small>
|
||||
<p>
|
||||
<b>FireHOL</b>, a firewall for humans...<br>
|
||||
© Copyright 2003
|
||||
|
59
firehol.sh
59
firehol.sh
@ -10,7 +10,7 @@
|
||||
#
|
||||
# config: /etc/firehol/firehol.conf
|
||||
#
|
||||
# $Id: firehol.sh,v 1.148 2003/08/19 22:21:32 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.149 2003/08/23 21:42:35 ktsaou Exp $
|
||||
#
|
||||
FIREHOL_FILE="${0}"
|
||||
|
||||
@ -1262,6 +1262,53 @@ mac() {
|
||||
return 0
|
||||
}
|
||||
|
||||
# blacklist creates two types of blacklists: unidirectional or bidirectional
|
||||
blacklist() {
|
||||
work_realcmd=(${FUNCNAME} "$@")
|
||||
|
||||
set_work_function -ne "Initializing $FUNCNAME"
|
||||
|
||||
require_work clear || ( error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
|
||||
|
||||
local full=1
|
||||
if [ "${1}" = "them" -o "${1}" = "him" -o "${1}" = "her" -o "${1}" = "it" -o "${1}" = "this" -o "${1}" = "these" -o "${1}" = "input" ]
|
||||
then
|
||||
shift
|
||||
full=0
|
||||
elif [ "${1}" = "all" -o "${1}" = "full" ]
|
||||
then
|
||||
shift
|
||||
full=1
|
||||
fi
|
||||
|
||||
set_work_function "Generating blacklist rules"
|
||||
|
||||
local z=
|
||||
for z in $@
|
||||
do
|
||||
local x=
|
||||
for x in ${z}
|
||||
do
|
||||
set_work_function "Blacklisting '${x}'"
|
||||
|
||||
if [ ${full} -eq 1 ]
|
||||
then
|
||||
iptables -I INPUT -s ${x} -j DROP
|
||||
iptables -I OUTPUT -d ${x} -j REJECT
|
||||
iptables -I FORWARD -s ${x} -j DROP
|
||||
iptables -I FORWARD -d ${x} -j REJECT
|
||||
else
|
||||
iptables -I INPUT -s ${x} -m state --state NEW -j DROP
|
||||
iptables -I FORWARD -s ${x} -m state --state NEW -j DROP
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -3536,7 +3583,7 @@ case "${arg}" in
|
||||
else
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
$Id: firehol.sh,v 1.148 2003/08/19 22:21:32 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.149 2003/08/23 21:42:35 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
|
||||
@ -3722,7 +3769,7 @@ then
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.148 2003/08/19 22:21:32 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.149 2003/08/23 21:42:35 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -4017,7 +4064,7 @@ then
|
||||
|
||||
${CAT_CMD} >&2 <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.148 2003/08/19 22:21:32 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.149 2003/08/23 21:42:35 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -4110,7 +4157,7 @@ EOF
|
||||
echo "# "
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
# $Id: firehol.sh,v 1.148 2003/08/19 22:21:32 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.149 2003/08/23 21:42:35 ktsaou Exp $
|
||||
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
# FireHOL is distributed under GPL.
|
||||
# Home Page: http://firehol.sourceforge.net
|
||||
@ -4632,6 +4679,8 @@ ${CAT_CMD} >"${FIREHOL_TMP}.awk" <<"EOF"
|
||||
/^[[:space:]]*snat[[:space:]]/ { printf "FIREHOL_LINEID=${LINENO} " }
|
||||
/^[[:space:]]*dnat[[:space:]]/ { printf "FIREHOL_LINEID=${LINENO} " }
|
||||
/^[[:space:]]*redirect[[:space:]]/ { printf "FIREHOL_LINEID=${LINENO} " }
|
||||
/^[[:space:]]*mac[[:space:]]/ { printf "FIREHOL_LINEID=${LINENO} " }
|
||||
/^[[:space:]]*blacklist[[:space:]]/ { printf "FIREHOL_LINEID=${LINENO} " }
|
||||
{ print }
|
||||
EOF
|
||||
|
||||
|
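Review bot: In blacklist() the guard `require_work clear || ( error "..."; return 1 )` runs `return 1` inside a subshell, so when require_work fails the error is printed but the function keeps going and still inserts the iptables rules; the parentheses should be a brace group, `require_work clear || { error "$FUNCNAME cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1; }`. The same construct presumably appears in the other helpers such as mac(), whose body starts outside this hunk, in which case they share the defect. The outer loop `for z in $@` should be `for z in "$@"`, since the inner `for x in ${z}` already performs the intended splitting of space-separated addresses within one argument. Each `iptables -I ... ${x}` line passes the config value through unvalidated; that is acceptable for a root-owned firehol.conf, but a short comment stating that assumption, or a check that `${x}` looks like an address or network before the loop, would make the trust boundary explicit.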