Commit c4f2e112 authored by Branko Mikić

~ BugFix! IsNumber() now returns TRUE only on any number format known instead of returning TRUE when a string just contains a digit char.
~ Man page revised to reflect the newly implemented functions available (FORWARD_PORT|FORWARD_ROUTING, ALLOW_TUNNEL, ...) or functions (FORWARD_SUBNET_*, REMOVE_RULES) whose subnet ID creation has changed.
parent caf9aa22
......@@ -8,10 +8,13 @@ firewalls easily.
.SH
SYNOPSIS
ipturntables.sh [-4|-6]
[KERNEL_PARAMS \fIparam1,param2,...,paramN\fR]
[PROBE_KERNEL_MODS \fImod1,mod2,...,modN\fR] [RESET] [BASE_RULE_SET] [ALLOW_SUBNETS \fIlink\fR] [ALLOW_SERVICE_DISCOVERY \fIlink\fR]
[FORWARD_SUBNET \fIsubnet/mask\fR \fIdestination_link\fR]
[POSTROUTING_MASQUERADE \fIsubnet/mask\fR \fIdestination_link\fR] [ALLOW_DHCPV6_CLIENT \fIlink\fR]
[KERNEL_PARAMS param1,param2,...,paramN]
[PROBE_KERNEL_MODS mod1,mod2,...,modN] [RESET [default_policy]] [BASE_RULE_SET]
[ALLOW_SUBNETS on_link] [ALLOW_DHCP_CLIENT on_link] [ALLOW_LINK_LOCAL on_link] [ALLOW_SERVICE_DISCOVERY on_link] [ALLOW_TUNNEL mode on_link from_address]
[FORWARD_SUBNET subnet/mask to_link] [FORWARD_SUBNET_PROTECTIVE subnet/mask to_link] [FORWARD_PORT|FORWARD_ROUTING ip|link port(s) to_address[:to_port]]
[MAC_FILTER chain mac_address]
[POSTROUTING_MASQUERADE subnet/mask to_link]
[DEBUG_CHAIN chain_name] [REMOVE_RULES pattern]
.SH DESCRIPTION
.B ipturntables.sh
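Review bot: the rewritten SYNOPSIS lines drop the \fI...\fR italics the replaced lines used for argument placeholders (`[KERNEL_PARAMS \fIparam1,param2,...,paramN\fR]` became `[KERNEL_PARAMS param1,param2,...,paramN]`), so placeholders now render exactly like the literal keywords; keep the \fI markup here, as the .SS headings further down still do. The first argument of FORWARD_PORT|FORWARD_ROUTING is also named differently in the synopsis (`ip|link`) and in its .SS heading (`wan_(address|link)`); use one spelling in both places.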
......@@ -215,9 +218,8 @@ chains.
Other arguments may use those chains too. For IPv4-only firewalls also a
LOCAL chain is created. Access to local loopback (lo) is allowed. Also
related and established connections are allowed to return. Any INVALID
packet is blocked. Most ICMP types are allowed. There's a syn-flood
protection and port scanners are slowed down by ANTI-FLOOD but _not_
blocked completely. Also \fBbootp\fR and \fBssh\fR is allowed by default anything
packet is blocked. Most ICMP types are allowed. There's a syn-flood protection
and port scanners are blocked by ANTI-FLOOD. Also \fBbootp\fR and \fBssh\fR is allowed by default anything
else is dropped. Your custom rules can be configured in the USER-* chains.
The FORWARD chain is left empty but will be used when calling additional
FORWARD_SUBNET or FORWARD_SUBNET_PROTECTIVE calls. OUTPUT allows local
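Review bot: the ANTI-FLOOD sentence changes from "port scanners are slowed down by ANTI-FLOOD but _not_ blocked completely" to "port scanners are blocked by ANTI-FLOOD", a behavioural claim the commit message does not mention; confirm the ANTI-FLOOD chain now drops scanning hosts rather than rate-limiting them, otherwise the removed wording was the accurate one. Minor grammar on the same line: "\fBbootp\fR and \fBssh\fR is allowed by default anything else is dropped" should read "are allowed by default; anything else is dropped".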
......@@ -242,12 +244,58 @@ on the USER-IN and USER-OUT chains created by BASE_RULE_SET therefore that
should have been created before. Additionally use FORWARD_SUBNET,
FORWARD_SUBNET_PROTECTIVE and PREROUTING_MASQUERADE to setup forwarding
internally only or to a WAN device.
.P
.RS 2
Attention!
.br
This doesn't implcitly allow link-local or service discovery!
These need to be allowed explicitly by ALLOW_LINK_LOCAL or ALLOW_SERVICE_DISCOVERY calls.
.SS ALLOW_LINK_LOCAL \fRlink
Allow link-local traffic on the given interface for the 169.254.0.0/16 or
fe80::/10 subnets. This call depends on the USER-IN and USER-OUT chains. A
call like ALLOW_SUBNETS doesn't allow link-local implicitly and needs to be
enabled explicitly as even for IPv6 although mandatory there can be scenarios
in which you don't want to talk with your immediate neighbours on your LAN
interface.
For IPv4 link local addresses are only useful in DHCP-less subnets (IPv4ll)
where it should be still possible to configure a host with an usable IP address.
.SS ALLOW_SERVICE_DISCOVERY \fRlink
Allow multicast subnet traffic (224.0.0.251/32, 239.255.255.250/32 or
ff02::f(b)/128) for the mDNS (5353) and UPnP (1900) ports on the desired
link only. This call also depends on the USER-IN chain and needs a
BASE_RULE_SET setup created previously.
BASE_RULE_SET setup created previously. This can be useful when using subnets
with Apple's ZeroConf network technology (former Bonjour) or the Linux
implementation named avahi which provides stuff like DNS-based service
discovery of DLNA hosts. Usally these are services which should be run on
internal links on private subnets _only_. It's not recommended to allow service
discovery on a WAN interface.
.SS ALLOW_DHCP_CLIENT \fRlink
Allows a DHCP client request (Ports 67, 68 (IPv4) & 546, 547 (IPv6)) to pass on the desired link only. Is some cases this is necessary before calling ALLOW_SUBNET as that would require a fully configured IP address.
Another scenario is that providers may use dynamically created net prefixes for IPv6 on the WAN link. In order to get router & neighbour solicication working this rule allows the router himself to obtain a dhcp lease from a provider via link local only before the interface has acquired an IP address.
.P
eg: ALLOW_DHCP_CLIENT ppp0
.P
.RS 2
Attention!
.br
It's not sufficient for a link to have just ALLOW_DHCP_CLIENT set as this allows DHCP client requests (on that interface) only. When the interface has acquired an IP address from it's DHCP server an ALLOW_SUBNET call is additionally necessary to allow traffic passing otherwise the interface is just allowed to retrieve an IP address but not using it.
On the other hand for a virtual WAN interface this may be even a requirement before allowing anything.
.SS ALLOW_TUNNEL \fR"ipip|gre|sit" on_link from_address
Allows ipip, gre or sit bidirectional tunnel ethernet raw frame packets to
reach and leave the router on the given link from a server with the specified
\fIfrom_address\fR _only_.
Usally there's another interface (eg: sit1) on which the embedded packet gets
unfolded as default policy is DROP keep in mind that it may be necessary to
allow such subnet traffic explicitly via FORWARD_SUBNET or FORWARD_SUBNET_PROTECTIVE
calls. It's even possible to forward the tunnel packets themselves. This call
can not use any mode for IPv4 or IPv6 protocols eg. ipip tunnel packets
logically can't be used on IPv6 firewalls.
.P
eg: ALLOW_TUNNEL sit eth2 2001:DB8::1
.SS FORWARD_SUBNET \fRsubnet/mask destination_link
Allows any outbound traffic of the desired subnet to the desired
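Review bot: the ALLOW_DHCP_CLIENT text refers to "ALLOW_SUBNET" twice ("before calling ALLOW_SUBNET", "an ALLOW_SUBNET call is additionally necessary") while the call is documented as ALLOW_SUBNETS in the synopsis and the preceding section; use the real name so readers can grep for it. In ALLOW_TUNNEL, "tunnel ethernet raw frame packets" is misleading: ipip, gre and sit are IP payload protocols (protocol numbers 4, 47 and 41), not raw Ethernet frames, so "allows ipip, gre or sit tunnel packets ... from the specified from_address only" is the accurate description. The "Attention!" blocks open `.RS 2` without a matching `.RE`; add one before the next `.SS` rather than relying on the section macro to reset the indent. Spelling: "implcitly" (implicitly), "Usally" (usually, twice), "solicication" (solicitation), "Is some cases" (In some cases), "from it's DHCP server" (its).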
......@@ -272,14 +320,13 @@ which limits traffic permission by only forwarding non-critical traffic.
.SS FORWARD_SUBNET_PROTECTIVE \fRsubnet/mask destination_link
Forwards the desired subnet to the desired destination interface and allows only related and established packets back in from that interface
but additionally filters critical traffic. Useful for allowing a subnet to talk to the outer world via a WAN device. To be easily distinguishable
from usual forward rules two new chains are created and linked in the FORWARD chain. These can be identified by it's subnet/mask ID prefix
encoded in hex notation eg. \fB192.168.0.0/16\fR would become \fIc0a8000010\fR and for IPv6 addresses where \fB2001:DB8::/32\fR would become
2001DB820, etc. etc.
.br
Both chains can be distinguished by the appended device node names like the inbound traffic chain (assuming the subnet to be on eth0) would become
\fIc0a8000010-ppp0-eth0\fR and the outbound traffic is called likewise \fIc0a8000010-eth0-ppp0\fR. This makes it possible to configure multiple
forward pathes of a subnet among different links seperately. An additional forwarding for the same subnet to another link (eg. wan0) would create
two new chains called respectively \fIc0a8000010-eth0-wan0\fR and \fIc0a8000010-wan0-eth0\fR.
from usual forward rules two new chains are created and linked in the FORWARD chain.
For any forwarded subnet/mask/link combination an unique ID is created like eg:
A273DBBD-IN or A273DBBD-OUT where both chains can be distinguished by the IN and
OUT suffix. This makes it possible to configure multiple forward pathes of a subnet
among different links seperately. An additional forwarding for the same subnet to
another link (eg. wan0) would create two new chains with a differen ID string.
.br
To protect hosts of the forwarded subnet from the outer world the usual measures are taken the same way the router uses on it's INPUT chain to
protect itself. For inbound traffic any \fIINVALID\fR packets are dropped explicitly and only packets with the state \fIRELATED\fR, \fIESTABLISHED\fR
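Review bot: the new paragraph replaces a documented, reproducible chain-naming scheme (hex-encoded subnet/mask plus interface names) with "an unique ID is created like eg: A273DBBD-IN" without saying how the ID is derived or how a user finds the ID for a given subnet/link combination; since REMOVE_RULES and DEBUG_CHAIN take such IDs, state whether it is a hash of the subnet/mask/link tuple and point to the rule comment (as in the example output later in the page) as the place to read it off. Spelling in the same lines: "an unique" (a unique), "pathes" (paths), "seperately" (separately), "differen ID string" (different).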
......@@ -289,6 +336,32 @@ the ANTI-SPOOF chains. Any UDP & TCP packets with the \fINEW\fR, \fIRELATED\fR o
eg: FORWARD_SUBNET_PROTECTIVE 192.168.0.0/16 ppp0
FORWARD_SUBNET_PROTECTIVE 2001:DB8::/32 eth1
.SS FORWARD_PORT|FORWARD_ROUTING \fRwan_(address|link) port[,port,port,...] to_address[:to_port]
Allows port forwarding (aka port triggering) by passing a packet through
a router's WAN device to a specified host inside a private subnet on an
internal interface and not only allowing to pass the firewall but also
gets forwarded over interface borders. In common setups this is often used
to provide (eg: http, sftp, ssh or ports like 27015) services on an stealth
host instead of having the router to process those requests on it's own.
Even the packet can be rerouted to a different destination port on the
specified destination host by giving an optional port number for the
\fIto_address\fR argument. Further this call allows to give an interface name as
the first argument instead of an ip address to forward anything on that port
regardless of it's subnet but be warned. Use this with care as it may open up
more then probably intended.
.P
eg: FORWARD_PORT 200.201.202.203 80,443 192.168.1.10 or (assuming a WAN IP of 200.201.202.203)
FORWARD_PORT eth2 80,443 192.168.1.10 or (assuming your WAN interface sits on eth2)
FORWARD_PORT eth2 443 192.168.1.10:4433 or
FORWARD_PORT eth2 27015 192.168.1.10
.P
.RS 2
Attention!
.br
Instead of a single port it's also possible to forward a list of ports. When
passing a list of ports omit any whitespace on the argument, multiple ports must
be delimitied by commas only to be seen as a single argument!
.SS POSTROUTING_MASQUERADE \fRsubnet/mask destination_link
Allows outgoing traffic of the desired subnet to be masqueraded in SNAT
fashion when leaving through the desired destination link which is usally a
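Review bot: "port forwarding (aka port triggering)" conflates two different mechanisms: port triggering opens inbound ports temporarily in response to a client's outbound connection on a trigger port, whereas what this section describes is static DNAT of fixed ports to a fixed internal host; drop the "aka" so users do not expect the dynamic behaviour. The example lines also embed prose in the command text ("FORWARD_PORT 200.201.202.203 80,443 192.168.1.10 or (assuming a WAN IP of 200.201.202.203)"), which a reader copying the line will take as part of the syntax; put the assumption on its own line or after a `.br`. The warning about the interface form ("forward anything on that port regardless of it's subnet but be warned") is the security-relevant part of this section and should say concretely what is opened, namely that the DNAT then applies to every address the interface carries, not only the WAN address. Spelling: "an stealth host" (a stealth host), "on it's own" / "it's subnet" (its), "more then" (more than), "delimitied" (delimited).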
......@@ -308,28 +381,28 @@ FORWARD_SUBNET_PROTECTIVE to allow a subnet to reach the outgoing WAN link
or FORWARD_SUBNET when subnets should be masqueraded internally which is
an unusual setup but nevertheless possible.
.SS FORWARD_MAC_FILTER \fRmac address
Filters any traffic with the desired mac address on the FORWARD chain may it be either in- or outbound traffic. This suppresses any routing of the specified host through the router. To avoid interference with the FORWARD_SUBNET and FORWARD_SUBNET_PROTECTIVE calls FORWARD_MAC_FILTER calls will remain at the top of the FORWARD chain to be executed before any of these forwarder rules even when those are added while some mac filters already exist.
.SS MAC_FILTER \fRchain_name ether_address
Filters any traffic (silently!) with the desired ether address (aka mac address) on the given chain may it be either
in- or outbound traffic. When using the FORWARD chain _any_ routing of the host with the given ether
address through the router is suppressed regardless of the interface the traffic occurs on.
To avoid interference with other calls like FORWARD_SUBNET and FORWARD_SUBNET_PROTECTIVE the rules
of a MAC_FILTER will remain at the top of the specified chain to be executed before any of these
forwarder rules even when those are added while some mac filters already exist.
.P
eg: FORWARD_MAC_FILTER 00:de:ea:be:ef:00
This is useful for isolating a specific host behind a firewall where any traffic between the host
with the given mac to the outer world must be prevented while traffic in the local network is still possible.
Even other scenarios are possible when placing the mac filter on different chains eg supressing the router
to talk to a specific host.
.P
This is useful for isolating a specific host behind a firewall where any traffic between the host with the given mac to the outer world must be prevented while traffic in the local network is still possible.
.SS ALLOW_DHCP_CLIENT \fRlink
Allows a DHCP client request (Ports 67, 68 (IPv4) & 546, 547 (IPv6)) to pass on the desired link only. Is some cases this is necessary before calling ALLOW_SUBNET as that would require a fully configured IP address.
Another scenario is that providers may use dynamically created net prefixes for IPv6 on the WAN link. In order to get router & neighbour solicication working this rule allows the router himself to obtain a dhcp lease from a provider via link local only before the interface has acquired an IP address.
.P
eg: ALLOW_DHCP_CLIENT ppp0
eg: MAC_FILTER FORWARD 00:de:ea:be:ef:00
.P
.RS 2
Attention!
.br
It's not sufficient for a link to have just ALLOW_DHCP_CLIENT set as this allows DHCP client requests (on that interface) only. When the interface has acquired an IP address from it's DHCP server an ALLOW_SUBNET call is additionally necessary to allow traffic passing otherwise the interface is just allowed to retrieve an IP address but not using it.
iptables allows only a single ether address. So this function can't be used to filter raw ether packets
in long notation eg. ipip, grep or sit tunnel packets.
.SS REMOVE_RULES \fR"ID matching string"
For a dynamic approach altering rules on the fly (eg. in (pre-|post)-up|down events this call removes any rule matching the given ID string in it's comment in \fIany\fR chain found (even in the nat table!). It may be possible that on such an operation some chains are left orphaned (with no rule referencing them anymore). To keep the rules table clean these chains are deallocated (removed) from the rules table completely.
.P
eg: REMOVE_RULES "ALLOW_SUBNETS on 0x0700a721a8d7"
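Review bot: the MAC_FILTER text claims it filters "either in- or outbound traffic" and suggests placing the filter on other chains "eg supressing the router to talk to a specific host", but the iptables mac match (`-m mac --mac-source`) only matches the source MAC and is only valid in the PREROUTING, INPUT and FORWARD chains, so a MAC_FILTER on OUTPUT cannot stop the router from talking to a host; either qualify the sentence or document which match the script actually uses. The "Attention!" block has "ipip, grep or sit" where "gre" is meant. FORWARD_MAC_FILTER is removed from the man page outright; a one-line note that MAC_FILTER FORWAR replaces it would help users with existing scripts. For REMOVE_RULES, state whether the "ID matching string" is a substring or a pattern match: because it removes matches from every chain and also the nat table, an over-short pattern silently deletes unrelated rules, and the orphan-chain cleanup then removes their chains too. "in it's comment" should be "in its comment".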
......@@ -346,14 +419,14 @@ This created three rules in two chains
.RS 2
Chain FORWARD (policy DROP 5 packets, 606 bytes)
pkts bytes target prot opt in out source destination
... ... 0A0A0A0018-eth1-eth2 ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
... ... 0A0A0A0018-eth2-eth1 ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
... ... A273DBBD-OUT ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
... ... A273DBBD-IN ... ... ... /* \fBFORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2\fR */
Chain 0A02010018-eth0-eth2 (1 references)
Chain A273DBBD-OUT (1 references)
pkts bytes target prot opt in out source destination
[...]
Chain 0A02010018-eth2-eth0 (1 references)
Chain A273DBBD-IN (1 references)
pkts bytes target prot opt in out source destination
[...]
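Review bot: the sample output mixes the two ID schemes: the chains are now named `A273DBBD-OUT` / `A273DBBD-IN`, but the rule comments still read `FORWARD_SUBNET_PROTECTIVE eth1_0A0A0A0018_eth2`, the old hex-encoded form; if the script still writes comments that way after this change, say so in the FORWARD_SUBNET_PROTECTIVE section (it is the only place a user can map a subnet to its ID), otherwise update the comments in the sample. The introductory context line "This created three rules in two chains" also does not match the sample, which shows two jump rules in FORWARD.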
......
......@@ -46,11 +46,10 @@ error()
}
# some helpers
function isNaturalNumber() { [[ ${1} =~ ^[0-9]+$ ]]; }
function isInteger() { [[ ${1} == ?(-)+([0-9]) ]]; }
function isFloat() { [[ ${1} == ?(-)@(+([0-9]).*([0-9])|*([0-9]).+([0-9]))?(E?(-|+)+([0-9])) ]]; }
function isNumber() { [[ ${1} == *[[:digit:]]* ]]; }
function isNumber() { isNaturalNumber $1 || isInteger $1 || isFloat $1; }
###
### Command environment setup for either IPv(4|6)
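Review bot: the new isNumber passes `$1` unquoted to the three helpers, so an argument containing whitespace is word-split and only its first word is tested; `isNumber "1 2"` calls `isNaturalNumber 1 2`, which checks `1` and returns true, so the fix still accepts strings that are not numbers. Use `isNaturalNumber "$1" || isInteger "$1" || isFloat "$1"`. Also note that isInteger and isFloat rely on extglob patterns (`?(-)`, `+([0-9])`), which need `shopt -s extglob` before the function definitions are parsed; that setting is not visible in this hunk, so please confirm it is set earlier in the script, otherwise both helpers fail to match and isNumber degrades to isNaturalNumber only. Minor: isFloat accepts only an uppercase `E` exponent and isInteger rejects a leading `+`; fine if intended, but worth a comment.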