r4sas/ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated "simple" examples to be ipv4 and ipv6 capable

Browse Source
This commit is contained in:
Niels Werensteijn 2016-10-13 17:11:03 +02:00
parent 716f509066
commit ab7478727b
2 changed files with 55 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
examples/simple/create-fw.sh
View File

@ -1,15 +1,28 @@
#!/bin/bash
sudo modprobe xt_ts3init
if [ "$1" == "4" ]
then
IPTABLES=iptables
IPFAMILY=inet
elif [ "$1" == "6" ]
then
IPTABLES=ip6tables
IPFAMILY=inet6
else
echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
exit -1
fi
#create an autorized ts3 client ip set.
#perhaps create the set with more than the default 1024 entries
sudo ipset create ts3_authorized hash:ip timeout 30 || { echo "ipset not installed or there is a problem with it"; exit -1; }
sudo ipset create ts3_authorized${1} hash:ip family ${IPFAMILY} timeout 30 || { echo "ipset not installed or there is a problem with it"; exit -1; }
#create new chain that handles ts3
sudo iptables -N TS3_UDP_TRAFFIC
sudo iptables -N TS3_TCP_TRAFFIC
sudo iptables -N TS3_ACCEPT_NEW
sudo iptables -N TS3_UPDATE_AUTHORIZED
sudo ${IPTABLES} -N TS3_UDP_TRAFFIC
sudo ${IPTABLES} -N TS3_TCP_TRAFFIC
sudo ${IPTABLES} -N TS3_ACCEPT_NEW
sudo ${IPTABLES} -N TS3_UPDATE_AUTHORIZED
RANDOM_FILE_NAME=random.data
if [ ! -f "${RANDOM_FILE_NAME}" ]
@ -20,34 +33,34 @@ fi
RANDOM_FILE=`pwd`/${RANDOM_FILE_NAME}
#disable connection tracking for ts3 server
sudo iptables -t raw -A PREROUTING -p udp --dport 9987 -j CT --notrack
sudo ${IPTABLES} -t raw -A PREROUTING -p udp --dport 9987 -j CT --notrack
#move ts3 traffic to TS3_TRAFFIC chain, and filetransfer to TCP chain
sudo iptables -A INPUT -p udp --dport 9987 -j TS3_UDP_TRAFFIC
sudo iptables -A INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
sudo ${IPTABLES} -A INPUT -p udp --dport 9987 -j TS3_UDP_TRAFFIC
sudo ${IPTABLES} -A INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
#Allow authorized clients on UDP
sudo iptables -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized src -j TS3_UPDATE_AUTHORIZED
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -m set --match-set ts3_authorized${1} src -j TS3_UPDATE_AUTHORIZED
#Allow 3.0.19 and up clients
sudo iptables -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --seed-file ${RANDOM_FILE}
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_cookie --min-client 1459504131 -j TS3INIT_SET_COOKIE --seed-file ${RANDOM_FILE}
#add new connection if cookie is valid
sudo iptables -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --seed-file ${RANDOM_FILE} -j TS3_ACCEPT_NEW
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -p udp -m ts3init_get_puzzle --check-cookie --seed-file ${RANDOM_FILE} -j TS3_ACCEPT_NEW
#drop the rest
sudo iptables -A TS3_UDP_TRAFFIC -j DROP
sudo ${IPTABLES} -A TS3_UDP_TRAFFIC -j DROP
#add new connection to authorized src
sudo iptables -A TS3_ACCEPT_NEW -j SET --add-set ts3_authorized src
sudo iptables -A TS3_ACCEPT_NEW -p udp -j TS3INIT_RESET
sudo ${IPTABLES} -A TS3_ACCEPT_NEW -j SET --add-set ts3_authorized${1} src
sudo ${IPTABLES} -A TS3_ACCEPT_NEW -p udp -j TS3INIT_RESET
#Allow authorized clients on TCP
sudo iptables -A TS3_TCP_TRAFFIC -m set --match-set ts3_authorized src -j ACCEPT
sudo iptables -A TS3_TCP_TRAFFIC -j DROP
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -m set --match-set ts3_authorized${1} src -j ACCEPT
sudo ${IPTABLES} -A TS3_TCP_TRAFFIC -j DROP
#update timeout in set and allow traffic
sudo iptables -A TS3_UPDATE_AUTHORIZED -j SET --add-set ts3_authorized src --exist
sudo iptables -A TS3_UPDATE_AUTHORIZED -j ACCEPT
sudo ${IPTABLES} -A TS3_UPDATE_AUTHORIZED -j SET --add-set ts3_authorized${1} src --exist
sudo ${IPTABLES} -A TS3_UPDATE_AUTHORIZED -j ACCEPT

37
examples/simple/delete-fw.sh
View File

@ -1,19 +1,30 @@
#!/bin/bash
#clear up iptables
sudo iptables -t raw -D PREROUTING -p udp --dport 9987 -j CT --notrack
sudo iptables -D INPUT -p udp --dport 9987 -j TS3_UDP_TRAFFIC
sudo iptables -D INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
if [ "$1" == "4" ]
then
IPTABLES=iptables
elif [ "$1" == "6" ]
then
IPTABLES=ip6tables
else
echo "specify either 4 or 6 as a parameter for ipv4 or ipv6";
exit -1
fi
sudo iptables -F TS3_UDP_TRAFFIC
sudo iptables -F TS3_TCP_TRAFFIC
sudo iptables -F TS3_ACCEPT_NEW
sudo iptables -F TS3_UPDATE_AUTHORIZED
#clear up ${IPTABLES}
sudo ${IPTABLES} -t raw -D PREROUTING -p udp --dport 9987 -j CT --notrack
sudo ${IPTABLES} -D INPUT -p udp --dport 9987 -j TS3_UDP_TRAFFIC
sudo ${IPTABLES} -D INPUT -p tcp --dport 30033 -j TS3_TCP_TRAFFIC
sudo iptables -X TS3_UDP_TRAFFIC
sudo iptables -X TS3_TCP_TRAFFIC
sudo iptables -X TS3_ACCEPT_NEW
sudo iptables -X TS3_UPDATE_AUTHORIZED
sudo ${IPTABLES} -F TS3_UDP_TRAFFIC
sudo ${IPTABLES} -F TS3_TCP_TRAFFIC
sudo ${IPTABLES} -F TS3_ACCEPT_NEW
sudo ${IPTABLES} -F TS3_UPDATE_AUTHORIZED
sudo ${IPTABLES} -X TS3_UDP_TRAFFIC
sudo ${IPTABLES} -X TS3_TCP_TRAFFIC
sudo ${IPTABLES} -X TS3_ACCEPT_NEW
sudo ${IPTABLES} -X TS3_UPDATE_AUTHORIZED
#delete the ipset
sudo ipset destroy ts3_authorized
sudo ipset destroy ts3_authorized${1}