Line 51: |
Line 51: |
| signal-event remoteaccess-update | | signal-event remoteaccess-update |
| | | |
− | | + | {| border="1" width="100%" cellspacing="0" cellpadding="5" |
− | {| width="100%" border="1" cellpadding="5" cellspacing="0" | |
| |+Affected file: /etc/rc.d/init.d/masq | | |+Affected file: /etc/rc.d/init.d/masq |
| !Variable | | !Variable |
| !Target | | !Target |
| !Default | | !Default |
| + | !Expected values |
| |- | | |- |
| |TCPPort | | |TCPPort |
| | --proto tcp --dport <Ports> | | | --proto tcp --dport <Ports> |
| |Pre-configured for default services; no default for custom services | | |Pre-configured for default services; no default for custom services |
| + | |empty or a numerical or coma separated numbers |
| |- | | |- |
| |TCPPorts | | |TCPPorts |
| | --proto tcp --dports <Ports> | | | --proto tcp --dports <Ports> |
| |No default for custom services; Ranges of ports are defined with a : not a - | | |No default for custom services; Ranges of ports are defined with a : not a - |
| + | |empty or a numerical or coma separated numbers |
| |- | | |- |
| |UDPPort | | |UDPPort |
| | --proto udp --dport <Ports> | | | --proto udp --dport <Ports> |
| |Pre-configured for default services; no default for custom services | | |Pre-configured for default services; no default for custom services |
| + | |empty or a numerical or coma separated numbers |
| |- | | |- |
| |UDPPorts | | |UDPPorts |
| | --proto udp --dports <Ports> | | | --proto udp --dports <Ports> |
| |No default for custom services; Ranges of ports are defined with a : not a - | | |No default for custom services; Ranges of ports are defined with a : not a - |
| + | |empty or a numerical or coma separated numbers |
| |- | | |- |
| |status | | |status |
− | |enabled | disabled | + | | enabled | disabled |
| |AllowHosts is set to "" (an empty string) unless the status is 'enabled' | | |AllowHosts is set to "" (an empty string) unless the status is 'enabled' |
| + | |'enabled' or 'disabled' |
| |- | | |- |
| |access | | |access |
− | |public | private | + | | public | private |
| |AllowHosts is set to "" (an empty string) unless access is 'public' | | |AllowHosts is set to "" (an empty string) unless access is 'public' |
| + | |'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only |
| |- | | |- |
| |AllowHosts | | |AllowHosts |
| | --src ..... --jump ACCEPT | | | --src ..... --jump ACCEPT |
| |Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is ''enabled'' and ''public''. | | |Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is ''enabled'' and ''public''. |
| + | |IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements |
| |- | | |- |
| |DenyHosts | | |DenyHosts |
| | --src ..... --jump denylog | | | --src ..... --jump denylog |
| |Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq. | | |Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq. |
| + | |IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements |
| |} | | |} |
| | | |
| ==Custom templates== | | ==Custom templates== |
| ===Block incoming IP address=== | | ===Block incoming IP address=== |
| + | |
| *I want to block All traffic from some ip-addresses to my server. | | *I want to block All traffic from some ip-addresses to my server. |
| + | |
| + | ====Manual Method==== |
| + | |
| Create a custom template and list the IP's | | Create a custom template and list the IP's |
| mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ | | mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ |
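Review bot: the new "Expected values" column misspells "comma" as "coma" in every row that uses it (TCPPort, TCPPorts, UDPPort, UDPPorts, AllowHosts, DenyHosts); fix the spelling, and for the TCPPorts and UDPPorts rows also mention port ranges, since the Default cell beside it says ranges are written with a `:` rather than a `-` while the expected-values text only allows "a numerical or coma separated numbers". The access row is also inconsistent after this change: its Target cell still reads `public | private` while the new Expected values cell introduces a third value, `'localhost'`; either add `localhost` to the Target cell or drop it from the expected values, and state whether AllowHosts is emptied for 'localhost' as the Default cell says it is for anything that is not 'public'.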
Line 109: |
Line 121: |
| To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column. | | To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column. |
| iptables -L INPUT -v -n | | iptables -L INPUT -v -n |
| + | |
| + | ====Automated method==== |
| + | |
| + | The above can be automated slightly. |
| + | |
| + | First lets create a key where we can add IPs that we want to block: |
| + | |
| + | config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled |
| + | |
| + | As above, create the following template: |
| + | |
| + | mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ |
| + | nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff |
| + | |
| + | Paste this code: |
| + | |
| + | { |
| + | use esmith::ConfigDB; |
| + | my $db = esmith::ConfigDB->open_ro |
| + | || die 'Could not open configuration database'; |
| + | # Completely block any riff raff |
| + | if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' ) |
| + | { |
| + | my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) || <nowiki>''</nowiki>''; |
| + | if ( $DenyHosts ne <nowiki>''</nowiki> ) { |
| + | my $logging = $db->get_prop( 'ipblock', 'logging' ) || 'disabled'; |
| + | foreach my $host ( split( ',', $DenyHosts ) ) { |
| + | $OUT .= "\n"; |
| + | $OUT .= "# Simple ipblock for riff raff\n\n"; |
| + | if ( $logging eq 'enabled' ) { |
| + | $OUT .= "/sbin/iptables -A INPUT -s $host -j denylog\n"; |
| + | } |
| + | else { |
| + | $OUT .= "/sbin/iptables -A INPUT -s $host -j DROP\n"; |
| + | } |
| + | } |
| + | $OUT .= "\n"; |
| + | } |
| + | else { |
| + | $OUT .= "# ipblock no DenyHosts set\n"; |
| + | } |
| + | } |
| + | else { |
| + | $OUT .= "# ipblock disabled\n"; |
| + | } |
| + | } |
| + | |
| + | You can add multiple addresses separated by commas: |
| + | |
| + | config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16 |
| + | |
| + | You can disable this blocking with: |
| + | |
| + | config setprop ipblock status disabled |
| + | |
| + | If you want to log the dropped packets rather than just drop them: |
| + | |
| + | config setprop ipblock logging enabled |
| + | |
| + | Then expand and restart your firewall: |
| + | |
| + | /sbin/e-smith/expand-template /etc/rc.d/init.d/masq |
| + | /etc/init.d/masq restart |
| | | |
| ===Block outgoing IPs or mac addresses=== | | ===Block outgoing IPs or mac addresses=== |
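Review bot: the line `my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) || <nowiki>''</nowiki>'';` has a stray `''` after the closing `</nowiki>`; in wikitext it opens an italic span, and if a reader copies the rendered text literally the extra quotes make the Perl a syntax error. It should end `|| <nowiki>''</nowiki>;`, matching the comparison on the following line. Two smaller points in the same template: `split( ',', $DenyHosts )` does not trim whitespace, so a value entered as `1.2.3.4, 5.6.0.0/16` produces ` 5.6.0.0/16` and a malformed iptables line, whereas splitting on `/\s*,\s*/` tolerates that; and `$db->get_prop( 'ipblock', 'status' )` returns undef until the key has been created, so the `eq 'enabled'` test warns under `use warnings` unless it is defaulted with `|| 'disabled'` as is already done for `logging`. In the prose, "First lets create a key" should read "First let's create a key".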
Line 243: |
Line 318: |
| [[Category:Howto]] | | [[Category:Howto]] |
| [[Category:Administration]] | | [[Category:Administration]] |
− | [[Category:Security]]</noinclude> | + | [[Category:Security]] |
| + | </noinclude> |