--- /dev/null
+iptables-cn
+~~~~~~~~~~~
+
+Ovaj paket donosi System V init skriptu za iptables paket, kao i set nekih
+prirucnih primjera za koristenje Netfilter paketa.
+
+ -- Dinko Korunic <kreator@carnet.hr> at Sun, 9 Sep 2007 15:51:32 +0200
--- /dev/null
+iptables-cn (2:1.2.11-5) sarge; urgency=low
+
+ * primjeri za koristenje iptables naredbe
+ * instalacija SSH anti-bruteforce pravila u slucaju da nema aktivnih pravila
+ za iptables
+
+ -- Dinko Korunic <kreator@carnet.hr> Sun, 9 Sep 2007 15:49:43 +0200
+
+iptables-cn (2:1.2.11-4) sarge; urgency=high
+
+ * bugfix: popravljene krive dozvole datoteka u 1.2.11-3 paketu
+
+ -- Dinko Korunic <kreator@carnet.hr> Sat, 27 Jan 2007 22:03:52 +0100
+
+iptables-cn (2:1.2.11-3) sarge; urgency=medium
+
+ * depend iskljucivo genericki, tako da ovisi o originalnom Debianovom
+ iptables paketu
+ * manji popravci
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 12 May 2005 11:25:59 +0200
+
+iptables-cn (2:1.2.11-2) sarge; urgency=high
+
+ * verzija za CARNet, odnosno depends koji treba za iptables-cn
+ * splitan dosadasnji iptables-cn u iptables [originalni Debian paket] i
+ iptables-cn [nosi stealth iptables modul za upravljanje grsecovim kernel
+ hookovima]
+ * nova upstream verzija, bugfix za iptables DoS [CAN-2004-0986]
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 17 Nov 2004 00:48:33 +0100
+
+iptables-cn (2:1.2.9-6) sarge; urgency=low
+
+ * popravljeno mjesto dokumentacije u /usr/share/*
+ * omogucena init.d skripta (za razliku od Debian paketa)
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 8 Mar 2004 20:52:00 +0100
+
+iptables-cn (2:1.2.9-5) sarge; urgency=low
+
+ * full-blown iptables paket, backportan i patch prepravljen za 1.2.9
+ * podrzava i Woody i Sarge
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 4 Mar 2004 23:53:40 +0100
--- /dev/null
+iptables-cn (2:1.2.11-5) sarge; urgency=low
+
+ * primjeri za koristenje iptables naredbe
+ * instalacija SSH anti-bruteforce pravila u slucaju da nema aktivnih pravila
+ za iptables
+
+ -- Dinko Korunic <kreator@carnet.hr> Sun, 9 Sep 2007 15:49:43 +0200
+
+iptables-cn (2:1.2.11-4) sarge; urgency=high
+
+ * bugfix: popravljene krive dozvole datoteka u 1.2.11-3 paketu
+
+ -- Dinko Korunic <kreator@carnet.hr> Sat, 27 Jan 2007 22:03:52 +0100
+
+iptables-cn (2:1.2.11-3) sarge; urgency=medium
+
+ * depend iskljucivo genericki, tako da ovisi o originalnom Debianovom
+ iptables paketu
+ * manji popravci
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 12 May 2005 11:25:59 +0200
+
+iptables-cn (2:1.2.11-2) sarge; urgency=high
+
+ * verzija za CARNet, odnosno depends koji treba za iptables-cn
+ * splitan dosadasnji iptables-cn u iptables [originalni Debian paket] i
+ iptables-cn [nosi stealth iptables modul za upravljanje grsecovim kernel
+ hookovima]
+ * nova upstream verzija, bugfix za iptables DoS [CAN-2004-0986]
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 17 Nov 2004 00:48:33 +0100
+
+iptables-cn (2:1.2.9-6) sarge; urgency=low
+
+ * popravljeno mjesto dokumentacije u /usr/share/*
+ * omogucena init.d skripta (za razliku od Debian paketa)
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 8 Mar 2004 20:52:00 +0100
+
+iptables-cn (2:1.2.9-5) sarge; urgency=low
+
+ * full-blown iptables paket, backportan i patch prepravljen za 1.2.9
+ * podrzava i Woody i Sarge
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 4 Mar 2004 23:53:40 +0100
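Review bot: this changelog is a line-for-line copy of the previous hunk (changelog.CARNet); with `changelog.CARNet` also listed in the docs file and dh_installchangelogs installing debian/changelog, the same history ships twice under /usr/share/doc/iptables-cn. Keep one of them as the source of truth, or have debian/rules copy it, so the two cannot drift apart on the next upload.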
--- /dev/null
+Source: iptables-cn
+Section: net
+Priority: optional
+Maintainer: Dinko Korunic <kreator@carnet.hr>
+Build-Depends: debhelper (>= 4)
+Standards-Version: 3.7.2
+
+Package: iptables-cn
+Architecture: any
+Depends: iptables (>= 1.2.11-10)
+Conflicts: iptables-cn (<< 2:1.2.11-4)
+Description: Linux kernel 2.4+ iptables administration tools
+ netfilter and iptables provide a Linux kernel framework for
+ stateful and stateless packet filtering, network and port addresss
+ translation, and other IP packet manipulation. The framework is the
+ successor to ipchains.
+ .
+ This is a basic CARNet Debian customization package which brings
+ back old System V init script functionality.
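Review bot: `Architecture: any` in the Package stanza does not match debian/rules, which does all of its work in binary-indep and leaves binary-arch empty; a package that ships only shell scripts and documentation should be `Architecture: all`, otherwise an arch-only build (`dpkg-buildpackage -B`) produces no .deb. Two smaller things in the same stanza: `Conflicts: iptables-cn (<< 2:1.2.11-4)` names the package itself, which dpkg does not treat as a conflict, so the line is a no-op and can go (the permission repair for 1.2.11-3 is already handled by the version check in postinst); and `addresss` in the Description should be `address`.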
--- /dev/null
+# /etc/init.d/iptables-cn defaults file
+
+# INTRODUCTION: First thing first, I must warn you. The iptables
+# init.d setup and iptables tools themselves are VERY much capable
+# of locking you out of network services. This includes remote and
+# local network services, even localhost. You can even block local
+# console logins if authentication is network based. And please do
+# not be lulled into a false sense of security because you simply
+# installed the iptables package. It really does not provide a
+# firewall or any system security.
+#
+# Now for a short question and answer session:
+#
+# Q: You concocted this init.d setup, but you do not like it?
+# A: I was pretty much hounded into providing it. I do not like it.
+# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
+# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
+# init.d script -- no need to even name it iptables. Use ferm,
+# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
+# firewall configuration tools available. Do not use the init.d
+# script.
+#
+# Q: What is this iptables init.d setup all about?
+# A: The iptables init.d setup saves and restores whole iptables's
+# table rulesets. That's basically it. It doesn't create any
+# iptables rules nor provide for running any iptables rules.
+# That also implies no support at all for dynamic rules.
+#
+# Q: How do I get started?
+# A: (Did I mention "do not use it" already? Oh well.)
+# 1. Setup your normal iptables rules -- firewalling, port forwarding
+# NAT, etc. When everything is configured the way you like, run:
+#
+# /etc/init.d/iptables-cn save active
+#
+# 2. Setup your your inactive firewall rules -- this can be something
+# like clear all rules and set all policy defaults to accept (which
+# can be done with /etc/init.d/iptables-cn clear). When that is ready,
+# save the inactive ruleset:
+#
+# /etc/init.d/iptables-cn save inactive
+#
+# 3. Controlling the script itself is done through runlevels configured
+# with debconf for package installation. Run "dpkg-reconfigure iptables"
+# to enable or disable after installation.
+#
+# Q: Is that all?
+# A: Mostly. You can save additional rulesets and restore them by name. As
+# an example:
+#
+# /etc/init.d/iptables-cn save midnight
+# /etc/init.d/iptables-cn load midnight
+#
+#
+# Autosave only works with start followed by stop.
+#
+# Also, take great care with the halt option. It's almost as good as
+# pulling the network cable, except it disrupts localhost too.
+
+# deprecated default values:
+# enable_iptables_initd - use the debconf setup
+# preload_default - probably not necessary for iptables-restore
+# and user modified init.d scripts cannot trusted anyway
+
+# set iptables_command to "iptables" (default) or "ip6tables"
+iptables_command=iptables
+
+# set enable_autosave to "true" to autosave the active ruleset
+# when going from start to stop
+enable_autosave=false
+
+# set enable_save_counters to "true" to save table counters with
+# rulesets
+enable_save_counters=true
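Review bot: the `iptables_command` setting documented at the bottom of this file is never honoured, because the init script calls `iptables_command=iptables initd_preload $*` after sourcing this file and switches to ip6tables only through its own `enable_ipv6` variable, which this file does not mention at all. Either document `enable_ipv6` here and drop `iptables_command`, or make the script respect what is set here. The introduction is also still the upstream Debian text: it tells the administrator to run `dpkg-reconfigure iptables`, but this package has no debconf configuration (dh_installdebconf is commented out in debian/rules) and its init script is `iptables-cn`, so enabling and disabling is done with `update-rc.d iptables-cn defaults` / `update-rc.d -f iptables-cn remove`; step 3 of "How do I get started?" should say that.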
--- /dev/null
+etc/default
+etc/init.d
+var/lib/iptables
--- /dev/null
+changelog.CARNet
+README.CARNet
--- /dev/null
+ssh-bruteforce
+masquerade
+squid-redirect
--- /dev/null
+#!/bin/sh
+
+set -e
+
+# Q: How do I get started?
+# A: (Did I mention "do not use it" already? Oh well.)
+# 1. Setup your normal iptables rules -- firewalling, port forwarding
+# NAT, etc. When everything is configured the way you like, run:
+#
+# /etc/init.d/iptables save active
+#
+# 2. Setup your your inactive firewall rules -- this can be something
+# like clear all rules and set all policy defaults to accept (which
+# can be done with /etc/init.d/iptables clear). When that is ready,
+# save the inactive ruleset:
+#
+# /etc/init.d/iptables save inactive
+#
+# 3. Controlling the script itself is done through runlevels configured
+# with debconf for package installation. Run "dpkg-reconfigure iptables"
+# to enable or disable after installation.
+#
+# Q: Is that all?
+# A: Mostly. You can save additional rulesets and restore them by name. As
+# an example:
+#
+# /etc/init.d/iptables save midnight
+# /etc/init.d/iptables load midnight
+#
+#
+# Autosave only works with start followed by stop.
+#
+# Also, take great care with the halt option. It's almost as good as
+# pulling the network cable, except it disrupts localhost too.
+#
+# Also, create the /var/lib/iptables and /var/lib/ip6tables dirs
+# as necessary.
+
+# enable ipv6 support
+enable_ipv6=false
+
+# set enable_autosave to "true" to autosave the active ruleset
+# when going from start to stop
+enable_autosave=false
+
+# set enable_save_counters to "true" to save table counters with
+# rulesets
+enable_save_counters=true
+
+if test -f /etc/default/iptables-cn; then
+ . /etc/default/iptables-cn
+fi
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+initd="$0"
+default="$0"
+
+initd_abort () {
+ cmd=$1
+ shift
+ echo "Aborting iptables $cmd: $@."
+ echo
+ usage
+ exit 0
+}
+
+initd_have_a_cow_man () {
+ for i in $@; do
+ if ! command -v "$i" >/dev/null 2>&1; then
+ echo "Aborting iptables initd: no $i executable"
+ exit 0
+ fi
+ done
+}
+
+initd_clear () {
+ rm -f "$autosave"
+ echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
+ $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
+ echo "."
+}
+
+initd_halt () {
+ rm -f $autosave
+ echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
+ $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
+ echo "."
+}
+
+initd_load () {
+ ruleset="$libdir/$@"
+ if ! test -f "$ruleset"; then
+ initd_abort load "unknown ruleset, \"$@\""
+ fi
+ if test "$@" = inactive; then
+ initd_autosave
+ fi
+ rm -f "$autosave"
+ echo -n "Loading ${iptables_command} ruleset: load \"$@\""
+ $iptables_restore < "$ruleset"
+ echo "."
+}
+
+initd_counters () {
+ if test "${enable_save_counters:-false}" = true; then
+ echo -n " with counters"
+ $iptables_save -c > "$ruleset"
+ else
+ $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
+ fi
+}
+
+initd_save () {
+ rm -f $autosave
+ ruleset="${libdir}/$@"
+ echo -n "Saving ${iptables_command} ruleset: save \"$@\""
+ initd_counters
+ echo "."
+}
+
+initd_autosave () {
+ if test -f $autosave -a ${enable_autosave-false} = true; then
+ ruleset="${libdir}/active"
+ echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
+ initd_counters
+ echo "."
+ fi
+}
+
+usage () {
+# current="$(ls -m ${libdir} \
+# | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
+cat << END
+$initd options:
+ start|restart|reload|force-reload
+ load the "active" ruleset
+ save <ruleset>
+ save the current ruleset
+ load <ruleset>
+ load a ruleset
+ stop
+ load the "inactive" ruleset
+ clear
+ remove all rules and user-defined chains, set default policy to ACCEPT
+ halt
+ remove all rules and user-defined chains, set default policy to DROP
+
+Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
+
+Please read: $default
+
+END
+}
+
+initd_main () {
+ case "$1" in
+ start|restart|reload|force-reload)
+ initd_load active
+ if test ${enable_autosave-false} = true; then
+ touch $autosave
+ fi
+ ;;
+ stop)
+ initd_load inactive
+ ;;
+ clear)
+ initd_clear
+ ;;
+ halt)
+ initd_halt
+ ;;
+ save)
+ shift
+ if test -z "$*"; then
+ initd_abort save "no ruleset name given"
+ else
+ initd_save "$*"
+ fi
+ ;;
+ load)
+ shift
+ if test -z "$*"; then
+ initd_abort load "no ruleset name given"
+ else
+ initd_load "$*"
+ fi
+ ;;
+ save_active) #legacy option
+ initd_save active
+ ;;
+ save_inactive) #legacy option
+ initd_save inactive
+ ;;
+ *)
+ echo "$initd: unknown command: \"$*\""
+ usage
+ ;;
+ esac
+}
+
+initd_preload() {
+ iptables="/sbin/${iptables_command}"
+ iptables_save="${iptables}-save"
+ iptables_restore="${iptables}-restore"
+ libdir="/var/lib/${iptables_command}"
+ autosave="${libdir}/autosave"
+ initd_have_a_cow_man "$iptables_save" "$iptables_restore"
+ ${iptables_command} -nL >/dev/null
+ initd_main $*
+}
+
+iptables_command=iptables initd_preload $*
+if test "$enable_ipv6" = "true"; then
+ iptables_command=ip6tables initd_preload $*
+fi
+
+exit 0
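Review bot: `initd_abort` and `initd_have_a_cow_man` exit 0, so `start` with no saved "active" ruleset (or a mistyped ruleset name) prints an error and still reports success to the boot sequence and to anyone checking the return code; a firewall that silently failed to load should be `exit 1`. In `initd_load` and `initd_save` the ruleset name from the command line is spliced straight into `$libdir/$@`, so `save ../foo` writes outside /var/lib/iptables; rejecting any name containing `/` (or not matching `[A-Za-z0-9_.-]*`) keeps saved state where the usage text says it is. Smaller points: `default="$0"` makes the usage text print "Please read: /etc/init.d/iptables-cn" when it means /etc/default/iptables-cn; the header comment still refers to `/etc/init.d/iptables save active` and to `dpkg-reconfigure iptables`, neither of which exists for this package; and `iptables_command=iptables initd_preload $*` relies on a prefix assignment being visible inside a shell function, which POSIX leaves unspecified, so assign the variable on its own line before each call.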
--- /dev/null
+#!/bin/sh
+# postinst script for bind9-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure|reconfigure)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# fix problem with permissions from the old package
+if dpkg --compare-versions "$2" lt "2:1.2.11-4"; then
+ chown -f -Rh root:root /var/lib/iptables /etc/init.d/iptables \
+ /etc/default/iptables >/dev/null 2>&1
+fi
+
+# remove old iptables init script
+if [ -e /etc/init.d/iptables ]; then
+ rm -f /etc/init.d/iptables
+ update-rc.d iptables remove
+fi
+
+# check if old default file exists and import it
+if [ -e /etc/default/iptables ]; then
+ mv /etc/default/iptables /etc/default/iptables-cn
+fi
+
+# check if there is any default netfilter policy and install default SSH
+# REJECT recent if there is none..
+# also, save current set of rules into active and inactive configuration
+if [ ! -e /var/lib/iptables/active ]; then
+ . /usr/share/doc/iptables-cn/examples/ssh-bruteforce
+ iptables-save > /var/lib/iptables/active
+fi
+if [ ! -e /var/lib/iptables/inactive ]; then
+ . /usr/share/doc/iptables-cn/examples/ssh-bruteforce
+ iptables-save > /var/lib/iptables/inactive
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
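Review bot: on a fresh install neither /var/lib/iptables/active nor /var/lib/iptables/inactive exists, so the ssh-bruteforce example is sourced into this shell twice; the second `iptables -N SSH_Brute_Force` fails with "Chain already exists" and, under `set -e`, the whole postinst aborts and the package is left unconfigured. Source it once and write both files from the same `iptables-save`, and reconsider whether "inactive" should equal "active" at all, since `stop` is meant to load a permissive ruleset. The condition also does not match the changelog, which says the rules are installed when there are no active rules: this checks for a missing file, not an empty live ruleset, so a host with a hand-built ruleset but no saved file gets the example appended to its INPUT chain and the result saved as its firewall. Sourcing anything from /usr/share/doc is also a policy problem (packages must not require files there); ship a copy under /usr/share/iptables-cn or similar. Finally, if /etc/init.d/iptables and /etc/default/iptables are conffiles of the iptables package this depends on, deleting and renaming them here will make dpkg report them as missing and restore them on the next iptables upgrade; `dpkg-divert` is the supported way to take them over. The header comment still says "postinst script for bind9-cn".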
--- /dev/null
+#!/bin/sh
+# postrm script for bind9-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ purge)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
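Review bot: the `purge)` case does nothing, so /var/lib/iptables with active, inactive, autosave and any named rulesets (including the SSH reject set that postinst writes as the default) survives a purge; purge is the place to remove state this package created, so add `rm -rf /var/lib/iptables` there (and the ip6tables directory if this package is the one that created it). The header comment still says "postrm script for bind9-cn".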
--- /dev/null
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# This file is public domain software, originally written by Joey Hess.
+#
+# This version is for packages that are architecture independent.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+ # Add here commands to compile the package.
+ #$(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ #-$(MAKE) clean
+ #-$(MAKE) distclean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/<packagename>.
+ #$(MAKE) prefix=`pwd`/debian/`dh_listpackages`/usr install
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installcatalogs
+# dh_installpam
+# dh_installmime
+ dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_undocumented
+ dh_installman
+ dh_link
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- /dev/null
+#!/bin/sh
+# NAT MASQUERADE for all traffic leaving eth0
+
+iptables -t nat -o eth0 -A POSTROUTING -j MASQUERADE
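Review bot: the rule has no `-s` match, so every packet routed out through eth0 is rewritten, including forwarded traffic from networks that should not be hidden behind this host; the example should carry a source restriction such as `-s 192.168.1.0/24` (placeholder for the LAN) and say that it additionally needs `net.ipv4.ip_forward=1` and a FORWARD chain that permits the traffic, neither of which this line provides. `-o eth0` before `-A POSTROUTING` is accepted, but `-A POSTROUTING -o eth0` is the order every other example uses.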
--- /dev/null
+#!/bin/sh
+# redirect tcp/80 traffic (eth1 LAN -> eth0 WAN) to local port 3128
+# (Squid)
+
+iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
+ -j REDIRECT --to-port 3128
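Review bot: the comment promises "eth1 LAN -> eth0 WAN", but PREROUTING has no output-interface match, so this also redirects port 80 requests from the LAN to other LAN hosts and to the gateway itself into Squid; an exemption such as `! -d 192.168.1.0/24` (placeholder for the LAN) before `-j REDIRECT` makes the rule match the comment. Note also that the redirected connections arrive on local port 3128, so an INPUT chain that filters must accept tcp/3128 from eth1 for this to work.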
--- /dev/null
+#!/bin/sh
+# SSH bruteforce detection and REJECT
+
+iptables -N SSH_Brute_Force
+iptables -A INPUT -p tcp -m tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH --rsource -j SSH_Brute_Force
+iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 90 \
+ --hitcount 3 --name SSH --rsource -j RETURN
+iptables -A SSH_Brute_Force -p tcp -j REJECT \
+ --reject-with icmp-port-unreachable
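Review bot: `--set` runs on every NEW connection before the check, so the current attempt counts too and the third new connection from one address within 90 s is rejected, which also catches a legitimate user opening several sessions in quick succession; the example should say so (or use `--hitcount 4` and explain the off-by-one) so that administrators understand what they are installing by default. There is no LOG before the REJECT, so rejected attempts leave no trace in syslog; a rate-limited `-m limit --limit 3/min -j LOG --log-prefix "SSH_Brute_Force: "` inserted before the REJECT line gives detection something to work with, and the tracked addresses can be inspected under /proc/net/ipt_recent/SSH on the kernels this package targets. Because the rules are appended with `-A INPUT`, an earlier ACCEPT for tcp/22 in INPUT means they never match; the example should state that it has to precede any such rule.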