From 7bced4abdbe8cade2f9a93dd4f77ff4225f7761a Mon Sep 17 00:00:00 2001 From: Dinko Korunic Date: Sun, 9 Sep 2007 13:59:34 +0000 Subject: [PATCH] r1: [svn-inject] Installing original source of iptables-cn --- README.CARNet | 7 ++ changelog.CARNet | 45 +++++++++++ debian/changelog | 45 +++++++++++ debian/compat | 1 + debian/control | 19 +++++ debian/default | 74 ++++++++++++++++++ debian/dirs | 3 + debian/docs | 2 + debian/examples | 3 + debian/init | 218 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ debian/postinst | 64 ++++++++++++++++ debian/postrm | 35 +++++++++ debian/rules | 73 ++++++++++++++++++ masquerade | 4 + squid-redirect | 6 ++ ssh-bruteforce | 10 +++ 16 files changed, 609 insertions(+) create mode 100644 README.CARNet create mode 100644 changelog.CARNet create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/default create mode 100644 debian/dirs create mode 100644 debian/docs create mode 100644 debian/examples create mode 100755 debian/init create mode 100755 debian/postinst create mode 100755 debian/postrm create mode 100755 debian/rules create mode 100755 masquerade create mode 100755 squid-redirect create mode 100755 ssh-bruteforce diff --git a/README.CARNet b/README.CARNet new file mode 100644 index 0000000..ef60769 --- /dev/null +++ b/README.CARNet @@ -0,0 +1,7 @@ +iptables-cn +~~~~~~~~~~~ + +Ovaj paket donosi System V init skriptu za iptables paket, kao i set nekih +prirucnih primjera za koristenje Netfilter paketa. + + -- Dinko Korunic at Sun, 9 Sep 2007 15:51:32 +0200 diff --git a/changelog.CARNet b/changelog.CARNet new file mode 100644 index 0000000..8eadb5a --- /dev/null +++ b/changelog.CARNet 
@@ -0,0 +1,45 @@
+iptables-cn (2:1.2.11-5) sarge; urgency=low
+
+ * primjeri za koristenje iptables naredbe
+ * instalacija SSH anti-bruteforce pravila u slucaju da nema aktivnih pravila
+ za iptables
+
+ -- Dinko Korunic Sun, 9 Sep 2007 15:49:43 +0200
+
+iptables-cn (2:1.2.11-4) sarge; urgency=high
+
+ * bugfix: popravljene krive dozvole datoteka u 1.2.11-3 paketu
+
+ -- Dinko Korunic Sat, 27 Jan 2007 22:03:52 +0100
+
+iptables-cn (2:1.2.11-3) sarge; urgency=medium
+
+ * depend iskljucivo genericki, tako da ovisi o originalnom Debianovom
+ iptables paketu
+ * manji popravci
+
+ -- Dinko Korunic Thu, 12 May 2005 11:25:59 +0200
+
+iptables-cn (2:1.2.11-2) sarge; urgency=high
+
+ * verzija za CARNet, odnosno depends koji treba za iptables-cn
+ * splitan dosadasnji iptables-cn u iptables [originalni Debian paket] i
+ iptables-cn [nosi stealth iptables modul za upravljanje grsecovim kernel
+ hookovima]
+ * nova upstream verzija, bugfix za iptables DoS [CAN-2004-0986]
+
+ -- Dinko Korunic Wed, 17 Nov 2004 00:48:33 +0100
+
+iptables-cn (2:1.2.9-6) sarge; urgency=low
+
+ * popravljeno mjesto dokumentacije u /usr/share/*
+ * omogucena init.d skripta (za razliku od Debian paketa)
+
+ -- Dinko Korunic Mon, 8 Mar 2004 20:52:00 +0100
+
+iptables-cn (2:1.2.9-5) sarge; urgency=low
+
+ * full-blown iptables paket, backportan i patch prepravljen za 1.2.9
+ * podrzava i Woody i Sarge
+
+ -- Dinko Korunic Thu, 4 Mar 2004 23:53:40 +0100
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..8eadb5a
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,45 @@
+iptables-cn (2:1.2.11-5) sarge; urgency=low
+
+ * primjeri za koristenje iptables naredbe
+ * instalacija SSH anti-bruteforce pravila u slucaju da nema aktivnih pravila
+ za iptables
+
+ -- Dinko Korunic Sun, 9 Sep 2007 15:49:43 +0200
+
+iptables-cn (2:1.2.11-4) sarge; urgency=high
+
+ * bugfix: popravljene krive dozvole datoteka u 1.2.11-3 paketu
+
+ -- Dinko Korunic Sat, 27 Jan 2007 22:03:52 +0100
+
+iptables-cn (2:1.2.11-3) sarge; urgency=medium
+
+ * depend iskljucivo genericki, tako da ovisi o originalnom Debianovom
+ iptables paketu
+ * manji popravci
+
+ -- Dinko Korunic Thu, 12 May 2005 11:25:59 +0200
+
+iptables-cn (2:1.2.11-2) sarge; urgency=high
+
+ * verzija za CARNet, odnosno depends koji treba za iptables-cn
+ * splitan dosadasnji iptables-cn u iptables [originalni Debian paket] i
+ iptables-cn [nosi stealth iptables modul za upravljanje grsecovim kernel
+ hookovima]
+ * nova upstream verzija, bugfix za iptables DoS [CAN-2004-0986]
+
+ -- Dinko Korunic Wed, 17 Nov 2004 00:48:33 +0100
+
+iptables-cn (2:1.2.9-6) sarge; urgency=low
+
+ * popravljeno mjesto dokumentacije u /usr/share/*
+ * omogucena init.d skripta (za razliku od Debian paketa)
+
+ -- Dinko Korunic Mon, 8 Mar 2004 20:52:00 +0100
+
+iptables-cn (2:1.2.9-5) sarge; urgency=low
+
+ * full-blown iptables paket, backportan i patch prepravljen za 1.2.9
+ * podrzava i Woody i Sarge
+
+ -- Dinko Korunic Thu, 4 Mar 2004 23:53:40 +0100
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b8626c4
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..94f59d3
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,19 @@
+Source: iptables-cn
+Section: net
+Priority: optional
+Maintainer: Dinko Korunic
+Build-Depends: debhelper (>= 4)
+Standards-Version: 3.7.2
+
+Package: iptables-cn
+Architecture: any
+Depends: iptables (>= 1.2.11-10)
+Conflicts: iptables-cn (<< 2:1.2.11-4)
+Description: Linux kernel 2.4+ iptables administration tools
+ netfilter and iptables provide a Linux kernel framework for
+ stateful and stateless packet filtering, network and port addresss
+ translation, and other IP packet manipulation. The framework is the
+ successor to ipchains.
+ .
+ This is a basic CARNet Debian customization package which brings
+ back old System V init script functionality.
diff --git a/debian/default b/debian/default
new file mode 100644
index 0000000..6c5f323
--- /dev/null
+++ b/debian/default
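Review bot: `Architecture: any` in the Package stanza does not match debian/rules in this same commit, which runs the whole dh_* sequence under `binary-indep` and leaves `binary-arch` empty ("We have nothing to do by default"), so an architecture-only build (`dpkg-buildpackage -B`) of an `any` package would produce no .deb at all. The package contents are an init script, a defaults file and example shell scripts, so `Architecture: all` is the consistent value; the alternative is moving the packaging targets to `binary-arch`. The long description also misspells `addresss`.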
@@ -0,0 +1,74 @@
+# /etc/init.d/iptables-cn defaults file
+
+# INTRODUCTION: First thing first, I must warn you. The iptables
+# init.d setup and iptables tools themselves are VERY much capable
+# of locking you out of network services. This includes remote and
+# local network services, even localhost. You can even block local
+# console logins if authentication is network based. And please do
+# not be lulled into a false sense of security because you simply
+# installed the iptables package. It really does not provide a
+# firewall or any system security.
+#
+# Now for a short question and answer session:
+#
+# Q: You concocted this init.d setup, but you do not like it?
+# A: I was pretty much hounded into providing it. I do not like it.
+# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
+# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
+# init.d script -- no need to even name it iptables. Use ferm,
+# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
+# firewall configuration tools available. Do not use the init.d
+# script.
+#
+# Q: What is this iptables init.d setup all about?
+# A: The iptables init.d setup saves and restores whole iptables's
+# table rulesets. That's basically it. It doesn't create any
+# iptables rules nor provide for running any iptables rules.
+# That also implies no support at all for dynamic rules.
+#
+# Q: How do I get started?
+# A: (Did I mention "do not use it" already? Oh well.)
+# 1. Setup your normal iptables rules -- firewalling, port forwarding
+# NAT, etc. When everything is configured the way you like, run:
+#
+# /etc/init.d/iptables-cn save active
+#
+# 2. Setup your your inactive firewall rules -- this can be something
+# like clear all rules and set all policy defaults to accept (which
+# can be done with /etc/init.d/iptables-cn clear). When that is ready,
+# save the inactive ruleset:
+#
+# /etc/init.d/iptables-cn save inactive
+#
+# 3. 
Controlling the script itself is done through runlevels configured
+# with debconf for package installation. Run "dpkg-reconfigure iptables"
+# to enable or disable after installation.
+#
+# Q: Is that all?
+# A: Mostly. You can save additional rulesets and restore them by name. As
+# an example:
+#
+# /etc/init.d/iptables-cn save midnight
+# /etc/init.d/iptables-cn load midnight
+#
+#
+# Autosave only works with start followed by stop.
+#
+# Also, take great care with the halt option. It's almost as good as
+# pulling the network cable, except it disrupts localhost too.
+
+# deprecated default values:
+# enable_iptables_initd - use the debconf setup
+# preload_default - probably not necessary for iptables-restore
+# and user modified init.d scripts cannot trusted anyway
+
+# set iptables_command to "iptables" (default) or "ip6tables"
+iptables_command=iptables
+
+# set enable_autosave to "true" to autosave the active ruleset
+# when going from start to stop
+enable_autosave=false
+
+# set enable_save_counters to "true" to save table counters with
+# rulesets
+enable_save_counters=true
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..94de6ed
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,3 @@
+etc/default
+etc/init.d
+var/lib/iptables
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..ef5ce6c
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+changelog.CARNet
+README.CARNet
diff --git a/debian/examples b/debian/examples
new file mode 100644
index 0000000..a5e7585
--- /dev/null
+++ b/debian/examples
@@ -0,0 +1,3 @@
+ssh-bruteforce
+masquerade
+squid-redirect
diff --git a/debian/init b/debian/init
new file mode 100755
index 0000000..822f8fa
--- /dev/null
+++ b/debian/init
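Review bot: The init script added in this commit (debian/init) reads `enable_ipv6` after sourcing this file, but the defaults file never mentions that key, so an administrator reading /etc/default/iptables-cn cannot discover how to turn on ip6tables handling. I would add, next to the other toggles, `# set enable_ipv6 to "true" to also load/save the ip6tables ruleset from /var/lib/ip6tables` followed by `enable_ipv6=false`. The paragraph about "runlevels configured with debconf" and `dpkg-reconfigure iptables` looks inherited from the Debian iptables package; debian/rules here has `dh_installdebconf` commented out, so as far as this commit shows there is no debconf control and the text should refer to the iptables-cn script and update-rc.d instead.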
@@ -0,0 +1,218 @@
+#!/bin/sh
+
+set -e
+
+# Q: How do I get started?
+# A: (Did I mention "do not use it" already? Oh well.)
+# 1. Setup your normal iptables rules -- firewalling, port forwarding
+# NAT, etc. When everything is configured the way you like, run:
+#
+# /etc/init.d/iptables save active
+#
+# 2. Setup your your inactive firewall rules -- this can be something
+# like clear all rules and set all policy defaults to accept (which
+# can be done with /etc/init.d/iptables clear). When that is ready,
+# save the inactive ruleset:
+#
+# /etc/init.d/iptables save inactive
+#
+# 3. Controlling the script itself is done through runlevels configured
+# with debconf for package installation. Run "dpkg-reconfigure iptables"
+# to enable or disable after installation.
+#
+# Q: Is that all?
+# A: Mostly. You can save additional rulesets and restore them by name. As
+# an example:
+#
+# /etc/init.d/iptables save midnight
+# /etc/init.d/iptables load midnight
+#
+#
+# Autosave only works with start followed by stop.
+#
+# Also, take great care with the halt option. It's almost as good as
+# pulling the network cable, except it disrupts localhost too.
+#
+# Also, create the /var/lib/iptables and /var/lib/ip6tables dirs
+# as necessary.
+
+# enable ipv6 support
+enable_ipv6=false
+
+# set enable_autosave to "true" to autosave the active ruleset
+# when going from start to stop
+enable_autosave=false
+
+# set enable_save_counters to "true" to save table counters with
+# rulesets
+enable_save_counters=true
+
+if test -f /etc/default/iptables-cn; then
+ . /etc/default/iptables-cn
+fi
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+initd="$0"
+default="$0"
+
+initd_abort () {
+ cmd=$1
+ shift
+ echo "Aborting iptables $cmd: $@."
+ echo
+ usage
+ exit 0
+}
+
+initd_have_a_cow_man () {
+ for i in $@; do
+ if ! 
command -v "$i" >/dev/null 2>&1; then
+ echo "Aborting iptables initd: no $i executable"
+ exit 0
+ fi
+ done
+}
+
+initd_clear () {
+ rm -f "$autosave"
+ echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
+ $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
+ echo "."
+}
+
+initd_halt () {
+ rm -f $autosave
+ echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
+ $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
+ echo "."
+}
+
+initd_load () {
+ ruleset="$libdir/$@"
+ if ! test -f "$ruleset"; then
+ initd_abort load "unknown ruleset, \"$@\""
+ fi
+ if test "$@" = inactive; then
+ initd_autosave
+ fi
+ rm -f "$autosave"
+ echo -n "Loading ${iptables_command} ruleset: load \"$@\""
+ $iptables_restore < "$ruleset"
+ echo "."
+}
+
+initd_counters () {
+ if test "${enable_save_counters:-false}" = true; then
+ echo -n " with counters"
+ $iptables_save -c > "$ruleset"
+ else
+ $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
+ fi
+}
+
+initd_save () {
+ rm -f $autosave
+ ruleset="${libdir}/$@"
+ echo -n "Saving ${iptables_command} ruleset: save \"$@\""
+ initd_counters
+ echo "."
+}
+
+initd_autosave () {
+ if test -f $autosave -a ${enable_autosave-false} = true; then
+ ruleset="${libdir}/active"
+ echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
+ initd_counters
+ echo "." 
+ fi
+}
+
+usage () {
+# current="$(ls -m ${libdir} \
+# | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
+cat << END
+$initd options:
+ start|restart|reload|force-reload
+ load the "active" ruleset
+ save
+ save the current ruleset
+ load
+ load a ruleset
+ stop
+ load the "inactive" ruleset
+ clear
+ remove all rules and user-defined chains, set default policy to ACCEPT
+ halt
+ remove all rules and user-defined chains, set default policy to DROP
+
+Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
+
+Please read: $default
+
+END
+}
+
+initd_main () {
+ case "$1" in
+ start|restart|reload|force-reload)
+ initd_load active
+ if test ${enable_autosave-false} = true; then
+ touch $autosave
+ fi
+ ;;
+ stop)
+ initd_load inactive
+ ;;
+ clear)
+ initd_clear
+ ;;
+ halt)
+ initd_halt
+ ;;
+ save)
+ shift
+ if test -z "$*"; then
+ initd_abort save "no ruleset name given"
+ else
+ initd_save "$*"
+ fi
+ ;;
+ load)
+ shift
+ if test -z "$*"; then
+ initd_abort load "no ruleset name given"
+ else
+ initd_load "$*"
+ fi
+ ;;
+ save_active) #legacy option
+ initd_save active
+ ;;
+ save_inactive) #legacy option
+ initd_save inactive
+ ;;
+ *)
+ echo "$initd: unknown command: \"$*\""
+ usage
+ ;;
+ esac
+}
+
+initd_preload() {
+ iptables="/sbin/${iptables_command}"
+ iptables_save="${iptables}-save"
+ iptables_restore="${iptables}-restore"
+ libdir="/var/lib/${iptables_command}"
+ autosave="${libdir}/autosave"
+ initd_have_a_cow_man "$iptables_save" "$iptables_restore"
+ ${iptables_command} -nL >/dev/null
+ initd_main $*
+}
+
+iptables_command=iptables initd_preload $*
+if test "$enable_ipv6" = "true"; then
+ iptables_command=ip6tables initd_preload $*
+fi
+
+exit 0
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..43d25c5
--- /dev/null
+++ b/debian/postinst
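Review bot: `initd_load` and `initd_save` build the ruleset path as `"$libdir/$@"` straight from the command-line name, so `load` and `save` accept names containing `/` or `..` and read from, or in the save case overwrite, files outside /var/lib/iptables. A one-line guard at the top of each function, `case "$*" in ''|*/*|.*) initd_abort load "invalid ruleset name, \"$*\"" ;; esac` (with `save` in the other), restricts names to plain file names inside the library directory. Separately, `initd_abort` and `initd_have_a_cow_man` both finish with `exit 0`, so `start` reports success when no ruleset was loaded at all, which hides a missing firewall from the boot log and from anything checking the exit status; `exit 1` there would make the failure visible. Quoting is also inconsistent: `initd_clear` and `initd_load` use `"$autosave"` while `initd_halt`, `initd_save` and `initd_autosave` use bare `$autosave`, and `initd_have_a_cow_man` iterates over unquoted `$@`.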
@@ -0,0 +1,64 @@
+#!/bin/sh
+# postinst script for bind9-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure|reconfigure)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# fix problem with permissions from the old package
+if dpkg --compare-versions "$2" lt "2:1.2.11-4"; then
+ chown -f -Rh root:root /var/lib/iptables /etc/init.d/iptables \
+ /etc/default/iptables >/dev/null 2>&1
+fi
+
+# remove old iptables init script
+if [ -e /etc/init.d/iptables ]; then
+ rm -f /etc/init.d/iptables
+ update-rc.d iptables remove
+fi
+
+# check if old default file exists and import it
+if [ -e /etc/default/iptables ]; then
+ mv /etc/default/iptables /etc/default/iptables-cn
+fi
+
+# check if there is any default netfilter policy and install default SSH
+# REJECT recent if there is none..
+# also, save current set of rules into active and inactive configuration
+if [ ! -e /var/lib/iptables/active ]; then
+ . /usr/share/doc/iptables-cn/examples/ssh-bruteforce
+ iptables-save > /var/lib/iptables/active
+fi
+if [ ! -e /var/lib/iptables/inactive ]; then
+ . /usr/share/doc/iptables-cn/examples/ssh-bruteforce
+ iptables-save > /var/lib/iptables/inactive
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/postrm b/debian/postrm
new file mode 100755
index 0000000..6fb8eb0
--- /dev/null
+++ b/debian/postrm
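Review bot: The two `if [ ! -e /var/lib/iptables/... ]` blocks at the end each source the ssh-bruteforce example, so on a fresh install, where neither file exists, the example runs twice: the second `iptables -N SSH_Brute_Force` fails because the chain already exists, and since the file is sourced into this `set -e` shell the postinst aborts before the inactive ruleset is written (the INPUT rule would also have been appended a second time); the same non-idempotency is a property of the ssh-bruteforce file itself. Source the example once, guarded on the chain not yet existing, then write whichever files are missing, as below. Note also that both files receive the identical `iptables-save` output, so `stop` (which loads inactive) leaves the firewall exactly as `start` did, which may not be intended given the defaults file describes inactive as the cleared state. The header comment still says `postinst script for bind9-cn`.
```sh
# … unchanged: old init script and defaults-file migration …
# Seed both rulesets from one pass: the example is not re-runnable
# (iptables -N refuses an existing chain) and, under set -e, a second
# sourcing would abort this script.
if [ ! -e /var/lib/iptables/active ] || [ ! -e /var/lib/iptables/inactive ]; then
    if ! iptables -nL SSH_Brute_Force >/dev/null 2>&1; then
        . /usr/share/doc/iptables-cn/examples/ssh-bruteforce
    fi
    if [ ! -e /var/lib/iptables/active ]; then
        iptables-save > /var/lib/iptables/active
    fi
    if [ ! -e /var/lib/iptables/inactive ]; then
        iptables-save > /var/lib/iptables/inactive
    fi
fi
# … unchanged: #DEBHELPER# and exit …
```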
@@ -0,0 +1,35 @@
+#!/bin/sh
+# postrm script for bind9-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ purge)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..4e3c6e9
--- /dev/null
+++ b/debian/rules
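Review bot: The `purge)` arm does nothing, so the rulesets that postinst writes to /var/lib/iptables/active and /var/lib/iptables/inactive, and the autosave marker the init script creates, survive a purge and keep dpkg from removing the now non-empty /var/lib/iptables. If those files count as package-generated state rather than administrator data, the purge arm should remove them, e.g. `rm -f /var/lib/iptables/active /var/lib/iptables/inactive /var/lib/iptables/autosave` followed by `rmdir /var/lib/iptables 2>/dev/null || true`. The header comment still names bind9-cn, and the `disappear' line of the call summary is garbled (`overwrit>r>`).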
@@ -0,0 +1,73 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# This file is public domain software, originally written by Joey Hess.
+#
+# This version is for packages that are architecture independent.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+ # Add here commands to compile the package.
+ #$(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ #-$(MAKE) clean
+ #-$(MAKE) distclean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/.
+ #$(MAKE) prefix=`pwd`/debian/`dh_listpackages`/usr install
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installcatalogs
+# dh_installpam
+# dh_installmime
+ dh_installinit
+# dh_installcron
+# dh_installinfo
+# dh_undocumented
+ dh_installman
+ dh_link
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/masquerade b/masquerade
new file mode 100755
index 0000000..fe0da71
--- /dev/null
+++ b/masquerade
@@ -0,0 +1,4 @@
+#!/bin/sh
+# NAT MASQUERADE for all traffic leaving eth0
+
+iptables -t nat -o eth0 -A POSTROUTING -j MASQUERADE
diff --git a/squid-redirect b/squid-redirect
new file mode 100755
index 0000000..1bdd12b
--- /dev/null
+++ b/squid-redirect
@@ -0,0 +1,6 @@
+#!/bin/sh
+# redirect tcp/80 traffic (eth1 LAN -> eth0 WAN) to local port 3128
+# (Squid)
+
+iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
+ -j REDIRECT --to-port 3128
diff --git a/ssh-bruteforce b/ssh-bruteforce
new file mode 100755
index 0000000..e3ccd4d
--- /dev/null
+++ b/ssh-bruteforce
@@ -0,0 +1,10 @@
+#!/bin/sh
+# SSH bruteforce detection and REJECT
+
+iptables -N SSH_Brute_Force
+iptables -A INPUT -p tcp -m tcp --dport 22 -m state \
+ --state NEW -m recent --set --name SSH --rsource -j SSH_Brute_Force
+iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 90 \
+ --hitcount 3 --name SSH --rsource -j RETURN
+iptables -A SSH_Brute_Force -p tcp -j REJECT \
+ --reject-with icmp-port-unreachable
-- 
1.7.10.4
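Review bot: The INPUT rule records the source with `--set` before the chain evaluates `--rcheck --seconds 90 --hitcount 3`, so the current connection is itself counted and the threshold trips on the third NEW connection from one address within 90 seconds, not after three; the file should say so, e.g. `# --set precedes --rcheck: the 3rd NEW connection from one source within 90 s is rejected`. Because postinst in this commit sources this file when no saved ruleset exists, the rules take effect on the installing host at install time, which the header comment should also state (e.g. `# note: applied live by postinst when /var/lib/iptables has no saved rulesets`). The file is also a one-shot script: `iptables -N SSH_Brute_Force` fails if the chain already exists, so re-running it is not safe, which is worth a comment next to that line.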