mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
removed from iptrap the functionality to create actions; now the action helper can create a list of actions with logic in them; updated docs
commit cf8b510095 (parent a58365d6f5)
@ -4,17 +4,56 @@

# NAME

firehol-action - set up custom filter actions
firehol-action - set up custom filtering actions

# SYNOPSIS

action chain *name* *action*
action *name* [table *table_name*] *type* *type_params* [ next [ type *type_params* [ next ... ] ] ]

# DESCRIPTION


The `action` helper command creates an iptables(8) chain which can be used
to control the action of other firewall rules once the firewall is
The `action` helper creates custom actions that can be used everywhere
in FireHOL, like this:

~~~~
action ACT1 chain accept

interface any world
server smtp ACT1

router myrouter
policy ACT1
~~~~

The `action` helper allows linking multiple actions together and having
some logic to select which action to execute, like this:

~~~~
action ACT1 \
rule src 192.168.0.0/16 action reject \
next rule dst 192.168.0.0/16 action reject \
next rule inface eth2 action drop \
next rule outface eth2 action drop \
next action accept

interface any world
server smtp ACT1

router myrouter
policy ACT1
~~~~

There is no limit on the number of actions that can be linked together.

`type` can be `chain` or `action` (`chain` and `action` are aliases),
`rule` or `ipset`.


## Chain type actions

This is the simpler action. It creates an iptables(8) chain which can be
used to control the action of other firewall rules once the firewall is
running.

For example, you can setup the custom action ACT1, which by default is
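Review bot: the list of types in the DESCRIPTION (`rule` or `ipset`) does not match the parser or the rest of this change: the new `case "${type}"` in `action()` handles `chain|action`, `rule` and `iptrap`, and the section added further down is titled "iptrap type actions", so `ipset` here should read `iptrap`. In the SYNOPSIS, the inner `type` after `next` is a placeholder like the first one and should be italic (`*type*`), otherwise it reads as a literal keyword.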
@ -32,20 +71,16 @@ The *action* can be any of those supported by FireHOL (see
[firehol-actions(5)][]). Only ACCEPT, REJECT, DROP,
RETURN have any meaning in this instance.

# EXAMPLES

To create a custom chain and have some rules use it:
Once the firewall is running you can dynamically modify the behaviour of
the chain from the Linux command-line, as detailed below:

~~~~
action chain ACT1 accept
action ACT1 chain accept

interface any world
server smtp ACT1
client smtp ACT1
~~~~

Once the firewall is running you can dynamically modify the behaviour of
the chain from the Linux command-line, as detailed below:

To insert a DROP action at the start of the chain to override the
default action (ACCEPT):
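Review bot: moving "Once the firewall is running you can dynamically modify the behaviour of the chain from the Linux command-line, as detailed below:" in front of the configuration block makes "as detailed below" point at a firehol.conf snippet rather than at the command-line steps that come after it. Either keep that sentence after the fenced block, where it was, or give the block its own lead-in (the removed "To create a custom chain and have some rules use it:" would do).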
@ -63,14 +98,81 @@ default action:
> RETURN, in which case the behaviour will be as if any rules with the
> action were not present in the configuration file.

You can also create multiple chains simultaneously. To create 3 ACCEPT
and 3 DROP chains you can do the following:

## Rule type actions

`rule` type actions define a few conditions that will lead to an action.

All optional rule parameters FireHOL supports can be used here (see
[firehol-params(5)][]).


~~~~
action chain "ACT1 ACT2 ACT3" accept
action chain "ACT4 ACT5 ACT6" drop
action ACT1 \
rule inface eth0 action accept
next rule outface eth0 action accept
next action reject

interface any world
server smtp ACT1
~~~~

In the above example the smtp server can only be accessed from eth0.

It is important to remember that actions will be applied for all the
traffic, both requests and replies. The type of traffic can be filtered
with the `state` optional rule parameter, like this:

~~~~
action ACT1 \
rule inface eth0 state NEW action reject
next action accept

interface any world
server smtp ACT1
client smtp ACT1
~~~~

In the above example, the smtp server will not accept NEW connections
from eth0, but the smtp client will be able to connect to servers on eth0
(and everywhere else).


## iptrap type actions

`iptrap` (see [firehol-iptrap(5)][]) is a helper than copies (traps)
an IP to an ipset (see [firehol-ipset(5)][]). It does not perform any
action on the traffic.

Using the `iptrap` action, the `iptrap` helper can be linked to filtering
actions, like this:


~~~~
action TRAP_AND_REJECT \
rule iptrap src policytrap 30 inface wan0 \
src not "${UNROUTABLE_IPS} ipset:whitelist" \
state NEW log "POLICY TRAP" \
next action reject

interface any world
policy TRAP_AND_REJECT
server smtp accept
~~~~

Since we used the action TRAP_AND_REJECT as an interface policy, it will
get all the traffic not accepted, rejected, or droped by the server and
client statements.

For all these packets, the action TRAP_AND_REJECT will first check that
they are coming in from wan0, that their src IP is not in `UNROUTABLE_IPS`
list and in the `whitelist` ipset, that they are NEW connections, and if
all these conditions are met, it will log with the tag `POLICY TRAP` and
add the src IP of the packets in the `policytrap` ipset for 30 seconds.

All traffic not matched by the above, will be just rejected.


# SEE ALSO

* [firehol(1)][] - FireHOL program
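Review bot: the two `rule` type examples are not valid shell as written: `rule inface eth0 action accept`, `next rule outface eth0 action accept` and `rule inface eth0 state NEW action reject` lack the trailing `\` that the first example on this page uses, so a sourced firehol.conf ends the `action` command at that line and then tries to run `next` as a command. The iptrap example has the opposite problem: its parameters start with `rule iptrap src policytrap 30 ...`, but `action()` takes the type word from the first parameter, so this is dispatched to the `rule)` branch instead of the `iptrap)` branch that reads `src policytrap 30` as its three positional values; drop the leading `rule` in the example or document `rule iptrap` if that form is meant to work. In the explanation, "their src IP is not in `UNROUTABLE_IPS` list and in the `whitelist` ipset" reads as if whitelist membership is required, whereas `src not "${UNROUTABLE_IPS} ipset:whitelist"` excludes both; "nor in the `whitelist` ipset" says what the rule does. Typos: "a helper than copies" (that), "droped" (dropped).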
@ -34,6 +34,12 @@ time expires. The user may monitor the remaining time for each IP, by running
`ipset list NAME` (where `NAME` is the `ipset` parameter given in the `iptrap`
command).

The timeout value `default` will not set any timeout. The ipset default will be
used.

A timeout of `0` (zero), writes to the ipset permanently (this is a feature of
the ipset command, not the ipset FireHOL helper).

The *rule-params* define a set of rule parameters to restrict
the traffic that is matched to this helper. See
[firehol-params(5)][] for more details.
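Review bot: the `default` timeout keyword documented here is not handled in any of the `iptrap()` hunks of this commit; if the mapping from `default` to "pass no timeout to ipset" lives in code outside this diff, fine, otherwise the parser needs it before this paragraph is true. Also, "A timeout of `0` (zero), writes to the ipset permanently" has a stray comma after the parenthesis.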
107
sbin/firehol.in
@ -3213,6 +3213,9 @@ ecn_shame() {
}

# define custom actions
action4() { ipv4 action "${@}"; }
action6() { ipv6 action "${@}"; }
action46() { both action "${@}"; }
action() {
work_realcmd_helper ${FUNCNAME} "${@}"

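Review bot: the new `action4`, `action6` and `action46` wrappers are not mentioned in the firehol-action(5) changes in this commit; the SYNOPSIS should list them so users know `action` can be scoped per address family. Note also that `action46` runs `action` under `both`, and the `iptrap)` branch of `action()` then calls `iptrap`, whose `running_both && error "... cannot be used in both IPv4 and IPv6 ..."` guard will reject it; either document that `iptrap` type actions need `action4`/`action6`, or have `action()` refuse the combination with a clearer message.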
@ -3220,40 +3223,65 @@ action() {

require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )

local name="${1}" type= tables="filter" t=
local -a args=()
shift

if [ "${1}" = "table" -o "${1}" = "tables" ]
then
tables="${2}"
shift 2
fi

create_chain filter ${name} || return 1

while [ ! -z "${1}" ]
do
local what="${1}"; shift

case "${what}" in
chain) local name="${1}"; shift
local act="${1}"; shift

if [ -z "${name}" ]
then
error "Cannot create an action chain without a name."
return 1
fi

if [ -z "${act}" ]
then
error "Cannot create the action chain(s) '$name' without a default action."
return 1
fi

local nm=
for nm in $name
type="${1}"
shift

args=()
while [ ! -z "${1}" -a ! "${1}" = "next" ]
do
args=( "${args[@]}" "${1}" )
shift
done
[ "${1}" = "next" ] && shift

case "${type}" in
chain|action)
for t in ${tables//,/ }
do
create_chain filter ${nm}
rule table filter chain ${nm} action "${act}"
set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
rule table ${t} chain "${name}" action "${args[0]}" || return 1
done
;;

*) error "Cannot understand ${FUNCNAME} '${what}'."

rule)
for t in ${tables//,/ }
do
set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
rule table ${t} chain "${name}" "${args[@]}" || return 1
done
;;

iptrap)
local ipt1="${args[0]}" ipt2="${args[1]}" ipt3="${args[2]}"
unset args[0] args[1] args[2]
for t in ${tables//,/ }
do
set_work_function "${FUNCNAME}: rules for type ${type} under table ${t}: ${args[@]}"
iptrap "${ipt1}" "${ipt2}" "${ipt3}" chain "${name}" table ${t} "${args[@]}" || return 1
done
;;

*)
error "${FUNCNAME}: Unknown action type '${type}'. Format is: ${FUNCNAME} name type type_parameters"
return 1
;;
esac
done


return 0
}

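Review bot: `create_chain filter ${name} || return 1` creates the chain in the filter table only, but `tables` can be set to another table (or a comma list) via `table`/`tables`, and every branch below then issues `rule table ${t} chain "${name}" ...` for each `t`; for any `t` other than filter the target chain does not exist. Create the chain inside the per-table loop (`create_chain ${t} ${name}`) or reject `table` values other than filter. The rewrite also drops the old validation: nothing checks that `name` is non-empty, `action NAME chain` with no action reaches `rule ... action "${args[0]}"` with an empty action, and `action NAME` with no type at all creates an empty chain and returns 0, where the old code errored with "without a default action"; restore a check on `${name}`, on an empty parameter list and on `${args[0]}` in the `chain|action)` branch. In the three `set_work_function "...: ${args[@]}"` calls, `${args[@]}` inside a double-quoted string with surrounding text splits the message into several arguments; `${args[*]}`, as the removed `iptrap()` error message used, keeps it one string.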
@ -3785,7 +3813,7 @@ iptrap() {
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
running_both && error "${FUNCNAME} cannot be used in both IPv4 and IPv6. Please give use either iptrap4 or iptrap6." && return 1

local type= ipset= timeout= chain= tables="mangle" undo=0 action="RETURN" define_action= t=
local type= ipset= timeout= chain= tables="mangle" undo=0 action="RETURN" t= link_to="PREROUTING"
local -a args=() logopts_arg=()

if [ "$1" = "undo" ]
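Review bot: drive-by on the context line: "Please give use either iptrap4 or iptrap6" should read "Please use either iptrap4 or iptrap6". The `link_to="PREROUTING"` default is consistent with `tables="mangle"`; a one-line comment that `chain` overrides it when `action()` links the trap into a custom chain would help the next reader, since the local variable `chain` in the same declaration holds the generated trap chain name, not this target.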
@ -3811,8 +3839,8 @@ iptrap() {
while [ ! -z "${1}" ]
do
case "${1}" in
define_action)
define_action="${2}"
chain)
link_to="${2}"
shift
;;

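Review bot: the new `chain` parameter to `iptrap` replaces `define_action` but is not documented: the firehol-iptrap(5) hunk in this commit only adds the timeout paragraphs, so the parameter list there needs `chain *name*` and a note that it is what `action()` passes when linking a trap into a custom action. Because the parser consumes `chain` here, a user can no longer pass `chain` through as a rule parameter to the `rule` call below; that looks intended but is worth stating in the same place.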
@ -3856,13 +3884,8 @@ iptrap() {
fi
fi

if [ ! -z "${define_action}" ]
then
chain="${define_action}"
else
FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]
chain="IPTRAP.${FIREHOL_IPTRAP_COUNTER}"
fi
FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]
chain="IPTRAP.${FIREHOL_IPTRAP_COUNTER}"

for t in ${tables//,/ }
do
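Review bot: `FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]` uses the obsolete `$[ ... ]` arithmetic form; `$(( FIREHOL_IPTRAP_COUNTER + 1 ))` is the standard bash/POSIX form and the line is being touched anyway. The simplification itself is right: with `define_action` gone every call gets a generated `IPTRAP.N` chain, so the increment no longer needs to be conditional.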
@ -3894,18 +3917,8 @@ iptrap() {

# ---

if [ ! -z "${define_action}" ]
then
if [ ! -z "${args[*]}" ]
then
error "${FUNCNAME}: there cannot be link parameters when creating just an action. Link params given found: ${args[*]}"
return 1
fi
else
set_work_function "Generating iptrap matching rules in table ${t} PREROUTING"

rule table ${t} chain PREROUTING in "${args[@]}" action "${chain}" || return 1
fi
set_work_function "Generating iptrap matching rules in table ${t} chain ${link_to}"
rule table ${t} chain ${link_to} in "${args[@]}" action "${chain}" || return 1
done

return 0
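Review bot: `rule table ${t} chain ${link_to} in "${args[@]}" action "${chain}"` keeps the `in` direction keyword from the old PREROUTING-only rule even when `link_to` is a custom action chain passed from `action()`; the firehol-action(5) text in this commit says such actions are applied to "both requests and replies", so confirm `in` is still the right direction hint in that case, or let `action()` pass the direction explicitly with the other parameters. Also `${link_to}` is unquoted while `"${chain}"` is quoted on the same line; quote both for consistency.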