Added examples to Readme and update comment in complex example

2016-10-24 11:11:58 +02:00 · 2016-10-24 11:11:58 +02:00 · d948bad7e7
commit d948bad7e7
parent d5cca28c30
2 changed files with 30 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -62,7 +62,7 @@ ts3init_get_cookie match options:
  on the server. If they differ too much, the packet is not matched.

 ts3init_get_puzzle
--------------------
+------------------
 Matches if the packet in question is a valid TeamSpeak 3 *get puzzle* packet
 from the client.
 There are additional parameters that can be set:
@ -88,7 +88,7 @@ ts3init_get_puzzle match options:
  to be specified too.

 ts3init
--------------------
+-------
 Matches a ts3init packet, by checking if the packet starts with the *TS3INIT1*.
 Additional header checks for client and server packets can be specified:
 ```
@ -139,7 +139,7 @@ TS3INIT_SET_COOKIE target options:
  a 120 character long hexstring, without any newlines.

 TS3INIT_RESET
--------------- 
+-------------
 Drops the packet and sends a *reset* packet back to the sender. The
 sender should always be the TeamSpeak 3 client. Starting with the TeamSpeak 3.1
 client, the client will react to the reset packet by resending the *get cookie*
@ -161,9 +161,31 @@ as follows:
  reply with `TS3INIT_RESET`
 * Drop all other packets

-It is even possible to make a more detailed firewall. Perhaps connection
-tracking could be used instead of ipset.
+It is possible to make a more detailed firewall.

 Example iptables setup
 ======================
+There are two examples included: _simple_ and _complex_. Both use ipset to
+create a set of whitelisted ip addresses that are allowed to send packets to the
+TeamSpeak3 server. The simple example does the bare minimum to do the ip
+addresss authentication on the firewall, and to protect the file transfer (tcp)
+port from traffic from unverified ip addresses.
+
+The complex example is a bit more advanced. It keeps three ipsets. Authorizing
+authorized and authorized_ft.
+
+The autorizing set stores ip addresses and ports for connections that have
+verified ip addresses, but did not yet complete the puzzle phase on the ts3
+server.
+
+The authorized set keeps ip addresses and ports that have completed the puzzle
+phase on the server and are assumed to be authorized. It is technically not
+true that the server has accepted this connection. It could still reject it
+because the password is wrong, or the server is full, or other reasons. But for
+this example, it is good enough.
+
+The authorized_ft set keeps a list of authorized ip addresses (not ports). Only
+these ip addresses are allowed to send traffic to the file transfer
+port. Since there is no way to know in advance what source port the TeamSpeak 3
+client is going to use for file transfer, this is the best we can do.

--- a/examples/complex/create-fw.sh
+++ b/examples/complex/create-fw.sh
@ -106,7 +106,9 @@ sudo ${IPTABLES} -A OUT_TS3 -j ACCEPT

 #Is this still ts3init (not fully connected)
 sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -p udp -m ts3init --server -j ACCEPT
-#else this connection is accepeted(authorized) now
+#else this connection is accepeted(authorized) now.
+#Note that this is not really true. This only means the server accepted the client puzzle.
+#The conection request could still be rejected, because of a wrong password or other reasons.
 sudo ${IPTABLES} -A OUT_TS3_AUTHORIZING -j OUT_TS3_ACCEPT_AUTHORIZED

 #update/add timeout in set and allow traffic
@ -117,4 +119,3 @@ sudo ${IPTABLES} -A  OUT_TS3_AUTHORIZED -j ACCEPT
 #accept connection as authorized. Remove from authorizing and treat as accepted
 sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j SET --del-set ts3_authorizing${1} dst,dst
 sudo ${IPTABLES} -A OUT_TS3_ACCEPT_AUTHORIZED -j OUT_TS3_AUTHORIZED
-