|
1
|
- Skyter Lin
- Rev1 : 2009/07/20
- Rev2 : 2009/08/03
- Rev3 : 2009/08/17
- Rev4: 2009/12/31
|
|
2
|
- When ?
- During the init of streaming server
- system("/usr/sbin/IpFilter.sh");
- IP_FILTER_RULE changing
- system("/usr/sbin/IpFilter.sh");
|
|
3
|
- Files
- /usr/sbin/IpFilter.sh
- /etc/IpFilter.conf
|
|
4
|
|
|
5
|
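#!/bin/sh
# IpFilter.sh -- (re)build the IP_FILTER chain of the mangle table from
# /etc/IpFilter.conf (written by IpFilterInit() from nvram values).
#
# Variables taken from /etc/IpFilter.conf:
#   IP_FILTER_STATE  "0" = filter disabled (chain left empty), anything else = enabled
#   IP_FILTER_TYPE   "1" = Allow list: matched sources RETURN, all others DROP
#                    otherwise Deny list: matched sources DROP, all others fall
#                    off the chain and RETURN to INPUT (i.e. continue as ACCEPT)
#   IP_FILTER_RULE   blank-separated entries "INDEX,STAT,IP,MASK"; only entries
#                    with STAT=1 are installed, INDEX is not used here
#
# NOTE: the config file is *sourced*, so whatever it contains runs as shell
# code. The writer (IpFilterInit) is responsible for emitting only validated
# values; the checks below only keep malformed IP/MASK fields away from
# iptables.

# Rule values are never meant to be globbed.
set -f

. /etc/IpFilter.conf

IPTABLES="/sbin/iptables -t mangle"

# Create the chain only when it is really missing. The original tested
# "$? -eq 1", so any other iptables failure (no permission, missing module)
# went unnoticed and the script carried on with no chain at all.
if ! $IPTABLES -L IP_FILTER >/dev/null 2>&1; then
    $IPTABLES -N IP_FILTER || exit 1
fi

# Flush only our own chain: a bare "-F" wipes every chain of the mangle
# table and so clobbers rules installed by other scripts.
$IPTABLES -F IP_FILTER

# Make sure INPUT jumps to IP_FILTER exactly once (drop stale copies first).
while $IPTABLES -D INPUT -j IP_FILTER >/dev/null 2>&1; do :; done
$IPTABLES -A INPUT -j IP_FILTER

# Disabled: leave the chain empty so every packet RETURNs to INPUT.
if [ "$IP_FILTER_STATE" = "0" ]; then
    exit 0
fi

# Target for a matched source depends on the list type (see header).
if [ "$IP_FILTER_TYPE" = "1" ]; then
    MATCH_TARGET=RETURN
else
    MATCH_TARGET=DROP
fi

for RULE in $IP_FILTER_RULE; do
    # Split "INDEX,STAT,IP,MASK" in the shell itself. The original forked
    # echo|cut three times per rule (16 rules), which is where most of the
    # ~2 s runtime went.
    OLD_IFS=$IFS
    IFS=,
    set -- $RULE
    IFS=$OLD_IFS
    STAT=$2
    IP=$3
    MASK=$4

    # STAT=1 means the entry is active; empty/non-numeric counts as inactive.
    [ "${STAT:-0}" -eq 1 ] 2>/dev/null || continue

    # Accept only a dotted-quad and a numeric prefix length; anything else
    # would otherwise be handed to iptables as an argument.
    case $IP in
        "" | *[!0-9.]*) continue ;;
    esac
    case $MASK in
        "" | *[!0-9]*) continue ;;
    esac

    $IPTABLES -A IP_FILTER -s "$IP/$MASK" -j $MATCH_TARGET
done

# Allow list: everything not matched above must be dropped.
# Deny list: unmatched packets simply return to the caller chain.
if [ "$IP_FILTER_TYPE" = "1" ]; then
    $IPTABLES -A IP_FILTER -j DROP
fi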
|
|
6
|
- /usr/sbin $ date;IpFilter.sh ;date
- / $ date;IpFilter.sh ;date
- Mon Jan 1 00:06:51 UTC 2007
- Mon Jan 1 00:06:53 UTC 2007
- WHY? (still takes 2 seconds)
- ….
- + [ 1 -lt 10 ]
- + eval NAME=$IP_FILTER_RULE01
- + NAME=1,1,172.16.3.72,32
- + let i=1+1
- + NAME=1,1,172.16.3.72,32,
- + echo -n 1,1,172.16.3.72,32,
- + cut -d , -f 1
- + INDEX=1
- + cut -d , -f 2
- + echo -n 1,1,172.16.3.72,32,
- + STAT=1
- + echo -n 1,1,172.16.3.72,32,
- + cut -d , -f 3
- + IP=172.16.3.72
- + echo -n 1,1,172.16.3.72,32,
- + cut -d , -f 4
- + MASK=32
- + [ 1 -eq 1 ]
- …..
|
|
7
|
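/*
 * Return non-zero when s is a non-empty string made only of digits, dots
 * and commas -- the only characters an "INDEX,STAT,IP,MASK" entry or a
 * "0"/"1" flag may contain.  NULL and "" are rejected.
 */
static int ip_filter_value_ok (const char *s)
{
    if (!s || !*s)
        return 0;
    for (; *s; s++) {
        if (!((*s >= '0' && *s <= '9') || *s == '.' || *s == ','))
            return 0;
    }
    return 1;
}

/*
 * Write /etc/IpFilter.conf from nvram and run /usr/sbin/IpFilter.sh to
 * (re)load the IP_FILTER chain.
 *
 * The generated file is *sourced* by the shell script, so every value
 * written here becomes shell code.  Values are therefore filtered with
 * ip_filter_value_ok(): a flag that fails the check is written as "0",
 * a rule that fails it is written as an empty entry (which the script
 * treats as inactive) instead of being passed through.
 *
 * Returns without running the script when the config file cannot be
 * created or fully written -- a truncated file would leave an
 * unterminated quote for the shell.
 */
void IpFilterInit (void)
{
    FILE *fd;
    int i;
    const char *val;

    fd = fopen ("/etc/IpFilter.conf", "w");
    if (!fd)
        return;

    val = nvram_safe_get ("IP_FILTER_STATE");
    fprintf (fd, "IP_FILTER_STATE=%s\n", ip_filter_value_ok (val) ? val : "0");

    val = nvram_safe_get ("IP_FILTER_TYPE");
    fprintf (fd, "IP_FILTER_TYPE=%s\n", ip_filter_value_ok (val) ? val : "0");

    /* IpFilter.sh splits this on blanks, then each entry on commas. */
    fprintf (fd, "IP_FILTER_RULE=\"");
    for (i = 1; i <= 16; i++) {
        val = nvram_safe_getf ("IP_FILTER_RULE%02d", i);
        fprintf (fd, "%s, ", ip_filter_value_ok (val) ? val : "");
    }
    fprintf (fd, "\"\n");

    /* Buffered write errors only surface at close. */
    if (fclose (fd) != 0)
        return;

    my_system ("/usr/sbin/IpFilter.sh", 0);
    return;
}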
|
|
8
|
- /etc $ cat /etc/IpFilter.conf
- IP_FILTER_STATE=1
- IP_FILTER_TYPE=1
- IP_FILTER_RULE="1,1,192.168.10.1,24, 2,1,192.168.1.1,24,
3,0,0.0.0.0,0, 4,0,0.0.0.0,0, 5,0,0.0.0.0,0, 6,0,0.0.0.0,0,
7,0,0.0.0.0,0, 8,0,0.0.0.0,0, 9,0,0.0.0.0,0, 10,0,0.0.0.0,0,
11,0,0.0.0.0,0, 12,0,0.0.0.0,0, 13,0,0.0.0.0,0, 14,0,0.0.0.0,0, 15,0,0.0.0.0,0,
16,0,0.0.0.0,0, "
- /etc/config/update.conf
- IP_FILTER_STATE='1'
- IP_FILTER_TYPE='0'
- IP_FILTER_RULE='1,1,172.16.3.82,32'
- IP_FILTER_RULE='2,0,0.0.0.0,0'
- IP_FILTER_RULE='3,0,0.0.0.0,0'
- IP_FILTER_RULE='4,0,0.0.0.0,0'
- IP_FILTER_RULE='5,0,0.0.0.0,0'
- IP_FILTER_RULE='6,0,0.0.0.0,0'
- IP_FILTER_RULE='7,0,0.0.0.0,0'
- IP_FILTER_RULE='8,0,0.0.0.0,0'
- IP_FILTER_RULE='9,0,0.0.0.0,0'
- IP_FILTER_RULE='10,0,0.0.0.0,0'
- IP_FILTER_RULE='11,0,0.0.0.0,0'
- IP_FILTER_RULE='12,0,0.0.0.0,0'
- IP_FILTER_RULE='13,0,0.0.0.0,0'
- IP_FILTER_RULE='14,0,0.0.0.0,0'
- IP_FILTER_RULE='15,0,0.0.0.0,0'
- IP_FILTER_RULE='16,0,0.0.0.0,0'
|
|
9
|
- /etc $ iptables -L -t mangle
- Chain PREROUTING (policy ACCEPT)
- target
prot opt source
destination
- Chain INPUT (policy ACCEPT)
- target
prot opt source
destination
- IP_FILTER all -- 0.0.0.0/0
0.0.0.0/0
- Chain FORWARD (policy ACCEPT)
- target
prot opt source
destination
- Chain OUTPUT (policy ACCEPT)
- target
prot opt source
destination
- Chain POSTROUTING (policy ACCEPT)
- target
prot opt source
destination
- Chain IP_FILTER (1 references)
- target
prot opt source
destination
- RETURN
all -- 192.168.10.0/24 0.0.0.0/0
- RETURN
all -- 192.168.1.0/24 0.0.0.0/0
- DROP
all -- 0.0.0.0/0
0.0.0.0/0
|
|
10
|
- /etc $ iptables -L -t mangle
-v -n
- Chain PREROUTING (policy ACCEPT 26688 packets, 4100K bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain INPUT (policy ACCEPT 25042 packets, 4019K bytes)
- pkts bytes target prot opt
in
out
source
destination
- 60 12638
IP_FILTER all -- * *
0.0.0.0/0
0.0.0.0/0
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain OUTPUT (policy ACCEPT 56233 packets, 66M bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain POSTROUTING (policy ACCEPT 56233 packets, 66M bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain IP_FILTER (1 references)
- pkts bytes target prot opt
in
out
source
destination
- 0 0 RETURN all -- any any
192.168.10.0/24 anywhere
- 1429 129K RETURN all -- any any
192.168.1.0/24
anywhere
- 591 75007 DROP
all -- any any anywhere
anywhere
|
|
11
|
- Usage:
- During the init of streaming server
- PORTs changing
- Ex: PORT_STREAM, PORT_SEARCH1
- (Be aware not to invoke DefaultRules.sh when PORT_HTTP or PORT_HTTPS
is changed)
- system("/usr/sbin/DefaultRules.sh");
|
|
12
|
- Files
- /usr/sbin/DefaultRules.sh
- /etc/DefaultRules.conf
|
|
13
|
|
|
14
|
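# --- excerpt of /usr/sbin/DefaultRules.sh ---
# $IPTABLES and the RATE_LIMIT chain are set up earlier in the script
# (outside this excerpt). SERVER_TCP_PORTS / SERVER_UDP_PORTS come from
# /etc/DefaultRules.conf, written by DefaultRulesInit() as comma-separated
# port numbers.

# Drop TCP segments carrying flag combinations no legitimate connection
# sends (they only show up in probes and are not worth logging here).
# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# add_rate_limited PROTO PORT,PORT,...
# Appends one INPUT -> RATE_LIMIT rule per listed port. The list is split
# in the shell (no echo|sed fork) and entries that are not plain numbers
# are skipped, so a bad config value never reaches iptables.
add_rate_limited () {
    proto=$1
    old_ifs=$IFS
    IFS=,
    set -- $2
    IFS=$old_ifs
    for port in "$@"; do
        case $port in
            "" | *[!0-9]*) continue ;;
        esac
        $IPTABLES -A INPUT -p "$proto" --dport "$port" -j RATE_LIMIT
    done
}

# Web/streaming services (HTTP, HTTPS, control, stream, RTSP, ...).
add_rate_limited tcp "$SERVER_TCP_PORTS"
# FTP control/data ports are always rate limited.
$IPTABLES -A INPUT -p tcp --dport 20 -j RATE_LIMIT
$IPTABLES -A INPUT -p tcp --dport 21 -j RATE_LIMIT
add_rate_limited udp "$SERVER_UDP_PORTS"

# New ssh connections are accepted (rate limited) only from the local
# subnet of eth0. Take the first IPv4 address only: with several addresses
# the original pipeline yielded several words and the iptables call failed.
# When no address is found the rule is skipped instead of running iptables
# with an empty -s argument.
LOCAL_SUBNET=$(ip addr show eth0 | grep "inet " | head -n 1 | sed "s/ */ /g" | cut -d ' ' -f 3)
if [ -n "$LOCAL_SUBNET" ]; then
    $IPTABLES -A INPUT -m state --state NEW -s "$LOCAL_SUBNET" -p tcp --dport 22 -j RATE_LIMIT
fi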
|
|
15
|
- /usr/sbin $ date;DefaultRules.sh ;date
- Mon Jan 1 00:14:46 UTC 2007
- Mon Jan 1 00:14:47 UTC 2007
|
|
16
|
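/*
 * Write /etc/DefaultRules.conf from the current port configuration and
 * run /usr/sbin/DefaultRules.sh to rebuild the INPUT rules.
 *
 * File format (sourced by the shell script):
 *   SERVER_TCP_PORTS=<http>,<https>,<control>,<stream>,<rtsp>
 *   SERVER_UDP_PORTS=<search1>,<search2>
 * Every value is printed with %d, so the file can only ever contain
 * digits, commas and newlines.
 *
 * Returns without running the script when the file cannot be created or
 * fully written; a truncated port list would otherwise be loaded.
 */
void DefaultRulesInit (void)
{
    FILE *fd;

    fd = fopen ("/etc/DefaultRules.conf", "w");
    if (!fd)
        return;

    /* Values are fetched one at a time to keep the original call order. */
    fprintf (fd, "SERVER_TCP_PORTS=");
    fprintf (fd, "%d,", g_media.http_port);
    fprintf (fd, "%d,", g_media.https_port);
    fprintf (fd, "%d,", nvram_get_i ("PORT_CONTROL"));
    fprintf (fd, "%d,", nvram_get_i ("PORT_STREAM"));
    fprintf (fd, "%d\n", nvram_get_i ("PORT_RTSP"));

    fprintf (fd, "SERVER_UDP_PORTS=");
    fprintf (fd, "%d,", nvram_get_i ("PORT_SEARCH1"));
    fprintf (fd, "%d\n", nvram_get_i ("PORT_SEARCH2"));

    /* Buffered write errors only surface at close. */
    if (fclose (fd) != 0)
        return;

    my_system ("/usr/sbin/DefaultRules.sh", 0);
    return;
}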
- Every change to a PORT-related URL triggers this script, except
PORT_HTTP and
- PORT_HTTPS
|
|
17
|
- {"PORT_SEARCH_1", {"PORT_SEARCH1", ""},
0x07, 0x04, 0x00, 'R', 1, 65535, NULL, url_common, NULL, 0,
- -
EXECUTE_SYSTEM_SEARCH_PORT},
- +
EXECUTE_SYSTEM_SEARCH_PORT|EXECUTE_SYSTEM_DEFAULT_RULES},
|
|
18
|
- /usr/sbin $ iptables -L -v
-n
- Chain INPUT (policy DROP 82 packets, 15414 bytes)
- pkts bytes target prot opt
in
out
source
destination
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x29
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x3F
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x37
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x00
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x06/0x06
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x03/0x03
- 0 0 ACCEPT all -- lo *
0.0.0.0/0
0.0.0.0/0
- 0 0 ACCEPT all -- * *
0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:80
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:443
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6001
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6002
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:7070
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6010
- 0 0
RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:6005
- 0 0
RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:6006
- 0 0
RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:68
- 0 0
RATE_LIMIT tcp -- * *
172.16.3.0/24
0.0.0.0/0
state NEW tcp dpt:22
- 0 0 ACCEPT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:1025
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain OUTPUT (policy ACCEPT 43733 packets, 52M bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain RATE_LIMIT (9 references)
- pkts bytes target prot opt
in
out
source
destination
- 0 0 ACCEPT tcp -- * *
0.0.0.0/0
0.0.0.0/0
limit: avg 35/sec burst 35
|
|
19
|
|
|
20
|
- /usr/sbin $ iptables -L -v
-n
- Chain INPUT (policy DROP 52 packets, 8565 bytes)
- pkts bytes target prot opt
in
out
source
destination
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x29
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x3F
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x37
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x3F/0x00
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x06/0x06
- 0 0 DROP
tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp flags:0x03/0x03
- 0 0 ACCEPT all -- lo *
0.0.0.0/0
0.0.0.0/0
- 8516 491K ACCEPT all -- * *
0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED
- 145 6960 RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:80
- 127 6096 RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:443
- 4 192 RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6001
- 3 144 RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6002
- 1 48 RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:7070
- 0 0
RATE_LIMIT tcp -- * *
0.0.0.0/0
0.0.0.0/0
tcp dpt:6010
- 6 1516 RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:6005
- 5 1020 RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:6006
- 0 0
RATE_LIMIT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:68
- 0 0
RATE_LIMIT tcp -- * *
172.16.3.0/24
0.0.0.0/0
state NEW tcp dpt:22
- 0 0 ACCEPT udp -- * *
0.0.0.0/0
0.0.0.0/0
udp dpt:1025
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain OUTPUT (policy ACCEPT 17458 packets, 20M bytes)
- pkts bytes target prot opt
in
out
source
destination
- Chain RATE_LIMIT (9 references)
- pkts bytes target prot opt
in
out
source
destination
- 276 13248 ACCEPT tcp -- * *
0.0.0.0/0
0.0.0.0/0
limit: avg 35/sec burst 35
|
|
21
|
- Check for conflicts with the existing iptables scripts
|
|
22
|
- Please check the following path:
- <http://172.16.5.24/svn/repos/CommonLibs/Firewall/INSTALL>
|