Niels Werensteijn
8 years ago
2 changed files with 196 additions and 0 deletions
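--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (setup script)
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+#This example is meant as en example of using this module on a seperate
+#machine. That is, the ts3server is on a different machine
+#The traffic will be split up into "unknown" / authorizing / authorized
+#We use packets from the ts3 server for extra state info
+#We also limit the concurrent connection to file transfer tcp port to 20/ip
+
+sudo modprobe xt_ts3init
+
+if [ "$1" == "4" ]
+then
+IPTABLES=iptables
+IPFAMILY=inet
+FRAGMENT_FLAG="! -f "
+elif [ "$1" == "6" ]
+then
+IPTABLES=ip6tables
+IPFAMILY=inet6
+FRAGMENT_FLAG=""
+else
+echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
+exit -1
+fi
+
+if [ "$2" == "" ]
+then
+echo "need the interface name where client packets will enter as 2nd parameter"
+exit -1
+fi
+CLIENT_SIDE_IF=$2
+
+if [ "$3" == "" ]
+then
+echo "need the interface name where server is located as 3rd parameter"
+exit -1
+fi
+SERVER_SIDE_IF=$3
+
+#create an autorized ts3 client ip set.
+#perhaps create the set with more than the default 1024 entries
+sudo ipset create ts3_authorizing${1} hash:ip,port family ${IPFAMILY} timeout 8 || { echo "ipset not installed or there is a problem with it (1)"; exit -1; }
+sudo ipset create ts3_authorized${1} hash:ip,port family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (2)"; exit -1; }
+sudo ipset create ts3_authorized_ft${1} hash:ip family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (3)"; exit -1; }
+
+#create new chains that handles ts3
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -N TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -N TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -N OUT_TS3
+sudo ${IPTABLES} -N OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -N OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -N OUT_TS3_ACCEPT_AUTHORIZED
+
+
+RANDOM_FILE_NAME=random.data
+if [ ! -f "${RANDOM_FILE_NAME}" ]
+then
+xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}" || { echo "could not use xxd to create random data"; exit -1; }
+fi
+
+RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME}
+
+#disable connection tracking for ts3 client->server
+sudo ${IPTABLES} -t raw -A PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
+
+#disable connection tracking for ts3 server->client
+sudo ${IPTABLES} -t raw -A PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
+
+#move ts3 traffic to TS3_UDP_TRAFFIC chain (do not allow fragments)
+sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
+
+#move filetransfer to TS3_TCP_TRAFFIC chain
+sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
+
+#move authorized clients to TS3_UDP_TRAFFIC_AUTHORIZED chain
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZED
+
+#move authorizing clients to TS3_UDP_TRAFFIC_AUTHORIZING chain
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorizing${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZING
+
+#Allow 3.0.19 and up clients. If its get cookie, send back a cookie
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --random-seed-file ${RANDOM_FILE}
+
+#add new connection if cookie is valid
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --random-seed-file ${RANDOM_FILE} -j TS3_ACCEPT_AUTHORIZING
+
+#drop the rest
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -j DROP
+
+#accept autorized/authorizing. Here is the time to rate limit per ip for autorized (connected) streams
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZED -j ACCEPT
+
+#accept autorized/authorizing. Here is the time to rate limit per ip for authorizing (ip checked, but not connected)
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZING -j ACCEPT
+
+#add new connection to authorizing src, and send the ts3 server a get cookie request
+sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -j SET --add-set ts3_authorizing${1} src,src
+sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -p udp -j TS3INIT_GET_COOKIE
+
+#Allow authorized clients on TCP only
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -m set ! --match-set ts3_authorized_ft${1} src,src -j DROP
+
+#only allow 20 connections
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -p tcp --syn -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
+
+#accept
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j ACCEPT
+
+#watch server->client traffic
+sudo ${IPTABLES} -A FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
+
+#Move clients in the authorized phase to the OUT_TS3_AUTHORIZED chain.
+sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorized${1} dst,dst -j OUT_TS3_AUTHORIZED
+#Move clients in the authorizing phase to the OUT_TS3_AUTHORIZING chain.
+sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorizing${1} dst,dst -j OUT_TS3_AUTHORIZING
+#These are packets from TS3INIT_SET_COOKIE
+sudo ${IPTABLES} -A OUT_TS3 -j ACCEPT
+
+#Is this still ts3init (not fully connected)
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -p udp -m ts3init --server -j ACCEPT
+#else this connection is accepeted(authorized) now.
+#Note that this is not really true. This only means the server accepted the client puzzle.
+#The conection request could still be rejected, because of a wrong password or other reasons.
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -j OUT_TS3_ACCEPT_AUTHORIZED
+
+#update/add timeout in set and allow traffic
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized${1} dst,dst --exist
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized_ft${1} dst --exist
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j ACCEPT
+
+#accept connection as authorized. Remove from authorizing and treat as accepted
+sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j SET --del-set ts3_authorizing${1} dst,dst
+sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j OUT_TS3_AUTHORIZED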
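Review bot: The cookie seed created by `xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}"` is written into the current directory under the caller's default umask, so it is usually world-readable, even though it is the value both `TS3INIT_SET_COOKIE --random-seed-file` and `--check-cookie --random-seed-file` rely on further down. Create it with restricted permissions, e.g. `( umask 077 && xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}" ) || { echo "could not use xxd to create random data"; exit 1; }`, and consider a fixed absolute location instead of the `pwd`-relative path, since that path is baked into the loaded ruleset and a later run from another directory silently generates a second, different seed. Separately, `exit -1` (used here and in the teardown script below) is outside the 0–255 status range and bash reduces it to 255, so `exit 1` is the clearer choice. `sudo modprobe xt_ts3init` at the top of the body is also unchecked, so a missing module only shows up later as errors from the ts3init match and target rules.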
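--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (teardown script)
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+if [ "$1" == "4" ]
+then
+IPTABLES=iptables
+FRAGMENT_FLAG="! -f "
+elif [ "$1" == "6" ]
+then
+IPTABLES=ip6tables
+FRAGMENT_FLAG=""
+else
+echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
+exit -1
+fi
+
+if [ "$2" == "" ]
+then
+echo "need the interface name where client packets will enter as 2nd parameter"
+exit -1
+fi
+CLIENT_SIDE_IF=$2
+
+if [ "$3" == "" ]
+then
+echo "need the interface name where server is located as 3rd parameter"
+exit -1
+fi
+SERVER_SIDE_IF=$3
+
+#clear up ${IPTABLES}
+sudo ${IPTABLES} -t raw -D PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
+sudo ${IPTABLES} -t raw -D PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
+sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -D FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
+
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -F TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -F TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -F OUT_TS3
+sudo ${IPTABLES} -F OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -F OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -F OUT_TS3_ACCEPT_AUTHORIZED
+
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -X TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -X TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -X OUT_TS3
+sudo ${IPTABLES} -X OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -X OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -X OUT_TS3_ACCEPT_AUTHORIZED
+
+#delete the ipset
+sudo ipset destroy ts3_authorized${1}
+sudo ipset destroy ts3_authorized_ft${1}
+sudo ipset destroy ts3_authorizing${1}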
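Review bot: A failed `-D` on any of the five PREROUTING/FORWARD deletions (for example when the interface arguments differ from the ones used at setup) is not detected: the script goes on to `-F`, which empties the chains, then `-X`, which fails for any chain the surviving FORWARD rule still jumps to, and finally the `ipset destroy` calls, which likely succeed because the flushed chains no longer reference the sets, so the script can end with status 0 while leaving a FORWARD rule pointing at an empty chain. Track the status so the caller learns that cleanup is incomplete, e.g. `rv=0` before the first deletion, `... || rv=$?` appended to each `-D` and `-X` line, and `exit "$rv"` after the last `ipset destroy`. Note also that the seed file written by the setup script is intentionally or accidentally left in place; if that is deliberate (cookies stay valid across a reload) a one-line comment saying so would help the next reader.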