Browse Source

added examples for firewall machine in the middle scenario

pull/17/head
Niels Werensteijn 7 years ago
parent
commit
02b7004879
  1. 136
      examples/complex-forward/create-fw.sh
  2. 60
      examples/complex-forward/delete-fw.sh

136
examples/complex-forward/create-fw.sh

@ -0,0 +1,136 @@ @@ -0,0 +1,136 @@
#!/bin/bash
#This example is meant as en example of using this module on a seperate
#machine. That is, the ts3server is on a different machine
#The traffic will be split up into "unknown" / authorizing / authorized
#We use packets from the ts3 server for extra state info
#We also limit the concurrent connection to file transfer tcp port to 20/ip
sudo modprobe xt_ts3init
if [ "$1" == "4" ]
then
IPTABLES=iptables
IPFAMILY=inet
FRAGMENT_FLAG="! -f "
elif [ "$1" == "6" ]
then
IPTABLES=ip6tables
IPFAMILY=inet6
FRAGMENT_FLAG=""
else
echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
exit -1
fi
if [ "$2" == "" ]
then
echo "need the interface name where client packets will enter as 2nd parameter"
exit -1
fi
CLIENT_SIDE_IF=$2
if [ "$3" == "" ]
then
echo "need the interface name where server is located as 3rd parameter"
exit -1
fi
SERVER_SIDE_IF=$3
#create an autorized ts3 client ip set.
#perhaps create the set with more than the default 1024 entries
sudo ipset create ts3_authorizing${1} hash:ip,port family ${IPFAMILY} timeout 8 || { echo "ipset not installed or there is a problem with it (1)"; exit -1; }
sudo ipset create ts3_authorized${1} hash:ip,port family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (2)"; exit -1; }
sudo ipset create ts3_authorized_ft${1} hash:ip family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (3)"; exit -1; }
#create new chains that handles ts3
sudo ${IPTABLES} -N TS3_UDP_TRAFFIC
sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZING
sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZED
sudo ${IPTABLES} -N TS3_TCP_TRAFFIC
sudo ${IPTABLES} -N TS3_ACCEPT_AUTHORIZING
sudo ${IPTABLES} -N OUT_TS3
sudo ${IPTABLES} -N OUT_TS3_AUTHORIZING
sudo ${IPTABLES} -N OUT_TS3_AUTHORIZED
sudo ${IPTABLES} -N OUT_TS3_ACCEPT_AUTHORIZED
RANDOM_FILE_NAME=random.data
if [ ! -f "${RANDOM_FILE_NAME}" ]
then
xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}" || { echo "could not use xxd to create random data"; exit -1; }
fi
RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME}
#disable connection tracking for ts3 client->server
sudo ${IPTABLES} -t raw -A PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
#disable connection tracking for ts3 server->client
sudo ${IPTABLES} -t raw -A PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
#move ts3 traffic to TS3_UDP_TRAFFIC chain (do not allow fragments)
sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
#move filetransfer to TS3_TCP_TRAFFIC chain
sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
#move authorized clients to TS3_UDP_TRAFFIC_AUTHORIZED chain
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZED
#move authorizing clients to TS3_UDP_TRAFFIC_AUTHORIZING chain
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorizing${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZING
#Allow 3.0.19 and up clients. If its get cookie, send back a cookie
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --random-seed-file ${RANDOM_FILE}
#add new connection if cookie is valid
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --random-seed-file ${RANDOM_FILE} -j TS3_ACCEPT_AUTHORIZING
#drop the rest
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -j DROP
#accept autorized/authorizing. Here is the time to rate limit per ip for autorized (connected) streams
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZED -j ACCEPT
#accept autorized/authorizing. Here is the time to rate limit per ip for authorizing (ip checked, but not connected)
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZING -j ACCEPT
#add new connection to authorizing src, and send the ts3 server a get cookie request
sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -j SET --add-set ts3_authorizing${1} src,src
sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -p udp -j TS3INIT_GET_COOKIE
#Allow authorized clients on TCP only
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -m set ! --match-set ts3_authorized_ft${1} src,src -j DROP
#only allow 20 connections
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -p tcp --syn -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
#accept
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j ACCEPT
#watch server->client traffic
sudo ${IPTABLES} -A FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
#Move clients in the authorized phase to the OUT_TS3_AUTHORIZED chain.
sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorized${1} dst,dst -j OUT_TS3_AUTHORIZED
#Move clients in the authorizing phase to the OUT_TS3_AUTHORIZING chain.
sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorizing${1} dst,dst -j OUT_TS3_AUTHORIZING
#These are packets from TS3INIT_SET_COOKIE
sudo ${IPTABLES} -A OUT_TS3 -j ACCEPT
#Is this still ts3init (not fully connected)
sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -p udp -m ts3init --server -j ACCEPT
#else this connection is accepeted(authorized) now.
#Note that this is not really true. This only means the server accepted the client puzzle.
#The conection request could still be rejected, because of a wrong password or other reasons.
sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -j OUT_TS3_ACCEPT_AUTHORIZED
#update/add timeout in set and allow traffic
sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized${1} dst,dst --exist
sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized_ft${1} dst --exist
sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j ACCEPT
#accept connection as authorized. Remove from authorizing and treat as accepted
sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j SET --del-set ts3_authorizing${1} dst,dst
sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j OUT_TS3_AUTHORIZED

60
examples/complex-forward/delete-fw.sh

@ -0,0 +1,60 @@ @@ -0,0 +1,60 @@
#!/bin/bash
if [ "$1" == "4" ]
then
IPTABLES=iptables
FRAGMENT_FLAG="! -f "
elif [ "$1" == "6" ]
then
IPTABLES=ip6tables
FRAGMENT_FLAG=""
else
echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
exit -1
fi
if [ "$2" == "" ]
then
echo "need the interface name where client packets will enter as 2nd parameter"
exit -1
fi
CLIENT_SIDE_IF=$2
if [ "$3" == "" ]
then
echo "need the interface name where server is located as 3rd parameter"
exit -1
fi
SERVER_SIDE_IF=$3
#clear up ${IPTABLES}
sudo ${IPTABLES} -t raw -D PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
sudo ${IPTABLES} -t raw -D PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
sudo ${IPTABLES} -D FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
sudo ${IPTABLES} -F TS3_UDP_TRAFFIC
sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZING
sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZED
sudo ${IPTABLES} -F TS3_TCP_TRAFFIC
sudo ${IPTABLES} -F TS3_ACCEPT_AUTHORIZING
sudo ${IPTABLES} -F OUT_TS3
sudo ${IPTABLES} -F OUT_TS3_AUTHORIZING
sudo ${IPTABLES} -F OUT_TS3_AUTHORIZED
sudo ${IPTABLES} -F OUT_TS3_ACCEPT_AUTHORIZED
sudo ${IPTABLES} -X TS3_UDP_TRAFFIC
sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZING
sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZED
sudo ${IPTABLES} -X TS3_TCP_TRAFFIC
sudo ${IPTABLES} -X TS3_ACCEPT_AUTHORIZING
sudo ${IPTABLES} -X OUT_TS3
sudo ${IPTABLES} -X OUT_TS3_AUTHORIZING
sudo ${IPTABLES} -X OUT_TS3_AUTHORIZED
sudo ${IPTABLES} -X OUT_TS3_ACCEPT_AUTHORIZED
#delete the ipset
sudo ipset destroy ts3_authorized${1}
sudo ipset destroy ts3_authorized_ft${1}
sudo ipset destroy ts3_authorizing${1}
Loading…
Cancel
Save