diff --git a/examples/complex-forward/create-fw.sh b/examples/complex-forward/create-fw.sh
new file mode 100755
index 0000000..1bd8fb2
--- /dev/null
+++ b/examples/complex-forward/create-fw.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+#This example is meant as en example of using this module on a seperate
+#machine. That is, the ts3server is on a different machine
+#The traffic will be split up into "unknown" / authorizing / authorized
+#We use packets from the ts3 server for extra state info
+#We also limit the concurrent connection to file transfer tcp port to 20/ip
+
+sudo modprobe xt_ts3init
+
+if [ "$1" == "4" ]
+then
+ IPTABLES=iptables
+ IPFAMILY=inet
+ FRAGMENT_FLAG="! -f "
+elif [ "$1" == "6" ]
+then
+ IPTABLES=ip6tables
+ IPFAMILY=inet6
+ FRAGMENT_FLAG=""
+else
+ echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
+ exit -1
+fi
+
+if [ "$2" == "" ]
+then
+ echo "need the interface name where client packets will enter as 2nd parameter"
+ exit -1
+fi
+CLIENT_SIDE_IF=$2
+
+if [ "$3" == "" ]
+then
+ echo "need the interface name where server is located as 3rd parameter"
+ exit -1
+fi
+SERVER_SIDE_IF=$3
+
+#create an autorized ts3 client ip set.
+#perhaps create the set with more than the default 1024 entries
+sudo ipset create ts3_authorizing${1} hash:ip,port family ${IPFAMILY} timeout 8 || { echo "ipset not installed or there is a problem with it (1)"; exit -1; }
+sudo ipset create ts3_authorized${1} hash:ip,port family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (2)"; exit -1; }
+sudo ipset create ts3_authorized_ft${1} hash:ip family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it (3)"; exit -1; }
+
+#create new chains that handles ts3
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -N TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -N TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -N TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -N OUT_TS3
+sudo ${IPTABLES} -N OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -N OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -N OUT_TS3_ACCEPT_AUTHORIZED
+
+
+RANDOM_FILE_NAME=random.data
+if [ ! -f "${RANDOM_FILE_NAME}" ]
+then
+ xxd -l 60 -c 60 -p /dev/urandom > "${RANDOM_FILE_NAME}" || { echo "could not use xxd to create random data"; exit -1; }
+fi
+
+RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME}
+
+#disable connection tracking for ts3 client->server
+sudo ${IPTABLES} -t raw -A PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
+
+#disable connection tracking for ts3 server->client
+sudo ${IPTABLES} -t raw -A PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
+
+#move ts3 traffic to TS3_UDP_TRAFFIC chain (do not allow fragments)
+sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
+
+#move filetransfer to TS3_TCP_TRAFFIC chain
+sudo ${IPTABLES} -A FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
+
+#move authorized clients to TS3_UDP_TRAFFIC_AUTHORIZED chain
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZED
+
+#move authorizing clients to TS3_UDP_TRAFFIC_AUTHORIZING chain
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorizing${1} src,src -j TS3_UDP_TRAFFIC_AUTHORIZING
+
+#Allow 3.0.19 and up clients. If its get cookie, send back a cookie
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --random-seed-file ${RANDOM_FILE}
+
+#add new connection if cookie is valid
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --random-seed-file ${RANDOM_FILE} -j TS3_ACCEPT_AUTHORIZING
+
+#drop the rest
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -j DROP
+
+#accept autorized/authorizing. Here is the time to rate limit per ip for autorized (connected) streams
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZED -j ACCEPT
+
+#accept autorized/authorizing. Here is the time to rate limit per ip for authorizing (ip checked, but not connected)
+sudo ${IPTABLES} -A TS3_UDP_TRAFFIC_AUTHORIZING -j ACCEPT
+
+#add new connection to authorizing src, and send the ts3 server a get cookie request
+sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -j SET --add-set ts3_authorizing${1} src,src
+sudo ${IPTABLES} -A TS3_ACCEPT_AUTHORIZING -p udp -j TS3INIT_GET_COOKIE
+
+#Allow authorized clients on TCP only
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -m set ! --match-set ts3_authorized_ft${1} src,src -j DROP
+
+#only allow 20 connections
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -p tcp --syn -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
+
+#accept
+sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j ACCEPT
+
+#watch server->client traffic
+sudo ${IPTABLES} -A FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
+
+#Move clients in the authorized phase to the OUT_TS3_AUTHORIZED chain.
+sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorized${1} dst,dst -j OUT_TS3_AUTHORIZED
+#Move clients in the authorizing phase to the OUT_TS3_AUTHORIZING chain.
+sudo ${IPTABLES} -A OUT_TS3 -m set --match-set ts3_authorizing${1} dst,dst -j OUT_TS3_AUTHORIZING
+#These are packets from TS3INIT_SET_COOKIE
+sudo ${IPTABLES} -A OUT_TS3 -j ACCEPT
+
+#Is this still ts3init (not fully connected)
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -p udp -m ts3init --server -j ACCEPT
+#else this connection is accepeted(authorized) now.
+#Note that this is not really true. This only means the server accepted the client puzzle.
+#The conection request could still be rejected, because of a wrong password or other reasons.
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -j OUT_TS3_ACCEPT_AUTHORIZED
+
+#update/add timeout in set and allow traffic
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized${1} dst,dst --exist
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j SET --add-set ts3_authorized_ft${1} dst --exist
+sudo ${IPTABLES} -A OUT_TS3_AUTHORIZED -j ACCEPT
+
+#accept connection as authorized. Remove from authorizing and treat as accepted
+sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j SET --del-set ts3_authorizing${1} dst,dst
+sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j OUT_TS3_AUTHORIZED
diff --git a/examples/complex-forward/delete-fw.sh b/examples/complex-forward/delete-fw.sh
new file mode 100755
index 0000000..480751e
--- /dev/null
+++ b/examples/complex-forward/delete-fw.sh
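Review bot: The cookie seed written to `random.data` is created in the current directory under the caller's default umask, so a world-readable seed file is the likely outcome; since the same `--random-seed-file` feeds both `TS3INIT_SET_COOKIE` and `--check-cookie`, anyone able to read it can presumably mint cookies the firewall accepts, so create it with `umask 077` (or `chmod 600 -- "${RANDOM_FILE_NAME}"` right after the `xxd` line) and under a fixed directory rather than wherever the script happens to be run from. The same block uses backticks and leaves `$CLIENT_SIDE_IF`, `$SERVER_SIDE_IF` and `${RANDOM_FILE}` unquoted; `RANDOM_FILE="$(pwd)/${RANDOM_FILE_NAME}"` and quoting each expansion (keeping `${FRAGMENT_FLAG}` bare, since that one relies on word-splitting) is the safer form. Note also that no `iptables` call after the ipset creation is checked, so a failure such as `-N` on a chain that already exists leaves a half-built ruleset while the script still exits 0; `set -e` near the top or `|| exit 1` on each call would surface it. `exit -1` should be `exit 1`, as exit statuses are 0–255 and the value is reported as 255 here. For the IPv6 branch `FRAGMENT_FLAG` is empty, so the comment "do not allow fragments" only holds for IPv4; if that exclusion matters, `ip6tables` offers `-m frag` to evaluate.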
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+if [ "$1" == "4" ]
+then
+ IPTABLES=iptables
+ FRAGMENT_FLAG="! -f "
+elif [ "$1" == "6" ]
+then
+ IPTABLES=ip6tables
+ FRAGMENT_FLAG=""
+else
+ echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
+ exit -1
+fi
+
+if [ "$2" == "" ]
+then
+ echo "need the interface name where client packets will enter as 2nd parameter"
+ exit -1
+fi
+CLIENT_SIDE_IF=$2
+
+if [ "$3" == "" ]
+then
+ echo "need the interface name where server is located as 3rd parameter"
+ exit -1
+fi
+SERVER_SIDE_IF=$3
+
+#clear up ${IPTABLES}
+sudo ${IPTABLES} -t raw -D PREROUTING -i $CLIENT_SIDE_IF -p udp --dport 9987 -j CT --notrack
+sudo ${IPTABLES} -t raw -D PREROUTING -i $SERVER_SIDE_IF -p udp --sport 9987 -j CT --notrack
+sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p udp --dport 9987 ${FRAGMENT_FLAG} -j TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -D FORWARD -i $CLIENT_SIDE_IF -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -D FORWARD -i $SERVER_SIDE_IF -p udp --sport 9987 ${FRAGMENT_FLAG} -j OUT_TS3
+
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -F TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -F TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -F TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -F OUT_TS3
+sudo ${IPTABLES} -F OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -F OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -F OUT_TS3_ACCEPT_AUTHORIZED
+
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZING
+sudo ${IPTABLES} -X TS3_UDP_TRAFFIC_AUTHORIZED
+sudo ${IPTABLES} -X TS3_TCP_TRAFFIC
+sudo ${IPTABLES} -X TS3_ACCEPT_AUTHORIZING
+sudo ${IPTABLES} -X OUT_TS3
+sudo ${IPTABLES} -X OUT_TS3_AUTHORIZING
+sudo ${IPTABLES} -X OUT_TS3_AUTHORIZED
+sudo ${IPTABLES} -X OUT_TS3_ACCEPT_AUTHORIZED
+
+#delete the ipset
+sudo ipset destroy ts3_authorized${1}
+sudo ipset destroy ts3_authorized_ft${1}
+sudo ipset destroy ts3_authorizing${1}
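Review bot: The five `-D` rules under `#clear up ${IPTABLES}` have to match the `-A` rules in create-fw.sh token for token (interface, port, `${FRAGMENT_FLAG}`), otherwise the delete silently fails, the later `-X` calls then likely fail because the chains are still referenced from FORWARD/PREROUTING, and the jump rules remain pointing at flushed chains; since nothing is checked, the script still exits 0. Keeping the rule specs in one shared file sourced by both scripts, or at least checking each delete with `|| printf 'warn: rule not found\n' >&2`, would make a partial teardown visible. As in create-fw.sh, `$CLIENT_SIDE_IF` and `$SERVER_SIDE_IF` should be quoted and `exit -1` should be `exit 1`.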