
Checkin of semi sort of working fw code

This is table driven from something I'd written a few years back
that used awk a lot, and later lex/yacc, to parse the tables
the rules generator worked from.

Regrettably I can't find the .y file!!!! so it's back to awk or
making this work or making the default better
1 parent 7fcfe2b commit 8a20a66f90ffa79e37cd5ec7808d7f81c25a5f35 Dave Taht committed Jun 29, 2011
Showing with 537 additions and 43 deletions.
  1. +11 −3 ame/ame.conf
  2. +54 −0 ame/classify.conf
  3. +2 −2 ame/dhcprule
  4. +23 −10 ame/doc/ame.org
  5. +21 −0 ame/doc/classify.conf.org
  6. +66 −28 ame/functions.sh
  7. +305 −0 ame/fw
  8. +41 −0 ame/ifnamefix
  9. +14 −0 ame/sed
14 ame/ame.conf
@@ -1,5 +1,11 @@
# Diffserv Configuration File
+#WIRELESS_DEVS=`ip link | grep wlan | awk '{print $2}' | cut -f1 -d:`
+#WIRED_DEVS=`ip link | grep eth | awk '{print $2}' | cut -f1 -d:`
+
+WIRELESS_DEVS="sw+ gw+"
+WIRED_DEVS="se+ ge+"
+
DEBUG_LOG=/dev/null
PRIOIP=
PRIOIPV6=
@@ -14,9 +20,12 @@ NTPIPS=""
ROBUST_STATS=0
# FIXME: Handle Vlans
+# FIXME: Handle new naming scheme
-WIRELESS_DEVS=`ip link | grep wlan | awk '{print $2}' | cut -f1 -d:`
-WIRED_DEVS=`ip link | grep eth | awk '{print $2}' | cut -f1 -d:`
+#WIRELESS_DEVS=`ip link | grep wlan | awk '{print $2}' | cut -f1 -d:`
+#WIRED_DEVS=`ip link | grep eth | awk '{print $2}' | cut -f1 -d:`
+WIRELESS_DEVS="sw+ gw+"
+WIRED_DEVS="se+ ge+"
# FIXME: Figure out link rate somehow for wired, at least
@@ -123,7 +132,6 @@ BULKPORTS="25,873,20:21,109:110,119,631,4559"
FILEPORTS="137:139,369:370,445,2049,7000:7009"
# The lowest priority traffic: eDonkey, Bittorrent, etc.
P2PPORTS="110,143,445,4662:4664,6881:6999,540,1214,4031,6346:6347"
-
XWINPORTS="177,6000:6010,7100"
DBPORTS="1433:1434,3050,3306,5432:5433,5984"
BACKUPPORTS="9101:9103,10080,13720:13721,13782:13783,2988:2989,10081:10083"
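Review bot: WIRELESS_DEVS and WIRED_DEVS are now assigned twice in this file — once at the top (the `WIRELESS_DEVS="sw+ gw+"` / `WIRED_DEVS="se+ ge+"` pair added in the first hunk) and again in the second hunk under the FIXME — so the second assignment silently wins and the first is dead code; keep one copy, preferably the one next to `# FIXME: Handle new naming scheme`. The commented-out `ip link | grep wlan ...` discovery lines are duplicated in the same way, and one copy is enough if they are kept for reference. Since the values are iptables interface wildcards rather than device names, a short comment such as `# iptables interface patterns (sw+, gw+), not literal device names` would stop a reader from expecting them to resolve against /sys/class/net.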
54 ame/classify.conf
@@ -0,0 +1,54 @@
+# freq from-net to-net from-portrange to-portrange proto tag MODE type FLAG prio classes-from classes-to "COMMENT"
+
+1 0 0 0 81 tcp ROUTER ADMIN USE 0 0 0 0 CS1 BE AF33 AF32 "Router admin port"
+9 0 0 0 80,8080 tcp WEB NORMAL USE 0 0 0 0 CS1 BE AF33 AF32 "The port 80 rathole"
+8 0 0 0 433 tcp SWEB NORMAL USE 0 0 0 0 CS1 BE AF32 AF31 "https"
+6 0 0 0 8123,3128,8118,1080,6127 tcp 0 0 0 0 CS1 BE AF31 AF32 "Proxy Ports"
+7 0 0 0 22,222 tcp ADMIN BIMODAL USE 0 0 0 0 CS1 IT CS1 IT "ssh"
+5 0 0 0 8600,8048,9010,8884,8384,8010,9000 tcp ASTREAMING NORMAL USE 0 0 CS1 BE AF42 AF43 "Audio Streaming"
+1 0 0 0 2600:2608 tcp ADMIN NORMAL IGN 0 0 CS1 BE CS1 BE "ZEBRA"
+4 0 0 0 6667,7000,194,5190,5222,5269 CHAT BIMODAL USE 0 0 CS1 IT CS1 IT "Chat"
+# NOT DONE YET
+4 0 0 0 371,2401,3690,9418 "SCM"
+3 0 0 0 143,220,993,587,465 "BULK"
+2 0 0 0 25,873,20:21,109,110,119,631,4559 "Bulk ports"
+1 0 0 0 177,6000:6010,7100 "Xwindows"
+4 0 0 0 1433:1434,3050,3306,5432,5433,5984 "Databases"
+1 0 0 0 9101:9103,10080,13720:13721,13782:13783,2988:2989,10081:10083 "Backup tools"
+
+# UDP stuff
+
+4 0 0 0 1194 0 udp VPN KEEP KEEP KEEP KEEP KEEP
+5 0 0 0 3389,5900,5688 0 udp Gaming ANT KEEP KEEP KEEP KEEP #
+7 0 0 0 123 0 udp BE:EF EF:EF NORMAL ANT #
+8 0 0 0 67,68 0 udp BE:EF EF:EF NORMAL ANT # DHCP
+6 0 0 0 5004,5005 0 udp CS1:EF AF43:AF42 NORMAL NORMAL # RTP
+9 0 0 0 5060:5062 0 udp CS1:EF AF43:AF42 NORMAL NORMAL # VOIP Signalling
+7 0 0 0 5063:5100,10000:11000,5000:5059,8000:8016,1720,1731,4569 0 udp # VOIP
+8 0 0 0 500,4500 0 udp KEEP KEEP KEEP KEEP
+
+0 0 0 0 6667,7000,194,5190,5222,5269 0 # chat
+0 0 0 0 560 0 # good ole ntalk I think
+0 0 0 0 554 0 VSTREAMING
+0 0 0 0 161,162,199,5777 0 # Monitoring
+0 0 0 0 179 0 # BGP Routing
+0 0 0 0 137:139,369:370,445,2049,7000:7009 0 # Traditional filesharing
+0 0 0 0 110,143,445,4662:4664,6881:6999,540,1214,4031,6346:6347 0 # PTP filesharing
+0 0 0 0 5001:5002 0 # Bandwidth tests
+
+# ICMP
+
+# ICMP6
+
+# Classify these
+# talk, ntalk 517, 518
+# nntps 563
+# ldaps 636
+# webster 765
+# Radius 1812:1813
+# l2p
+# dict 2628
+# Distcc 3632
+# Daap 3689
+# mdns 5353
+# RTP?
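Review bot: The `https` row lists port 433, but https is 443; as written the rule classifies port 433 and real https traffic never matches it. The rows also do not follow the header's column layout: the `Proxy Ports` row has no tag/MODE/FLAG fields, the `Chat` row has `CHAT` in the proto column, and the rows after `# NOT DONE YET` and in the UDP section have yet other field counts, so a positional parser cannot tell which column holds what. Either pad every row to the header's fields (with a placeholder such as `0`) or state at the top of the file how short rows are to be treated, e.g. `# rows with fewer fields than the header are skipped by the generator`, so the parser's behaviour on incomplete rows is explicit rather than accidental.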
4 ame/dhcprule
@@ -16,8 +16,8 @@ do
net=`echo $ipaddr | cut -f2 -d/`
[ "$net" = 24 ] && {
ip=`echo $ipaddr | cut -f1-3 -d.`
-ip route del $ip/24 dev $DEV table $dhcp
-ip route add $ip/24 dev $DEV table $dhcp
+ip route del $ip/27 dev $DEV table $dhcp
+ip route add $ip/27 dev $DEV table $dhcp
}
done
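Review bot: The guard `[ "$net" = 24 ]` still only fires for a /24 lease, while the routes below now install `$ip/27`, so the check and the prefix disagree: on a match the route covers only the first 32 addresses of the network that `cut -f1-3 -d.` reduced the address to (the trailing host part is implied as 0 by iproute2's abbreviated notation), and the rest of the /24 is left unrouted in table `$dhcp`. If a /27 is really intended, the network should be computed from the full address rather than from its first three octets, and the guard updated to match; if the prefix change was a slip, the `/24` should be restored. The enclosing `do ... done` loop begins outside this hunk.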
33 ame/doc/ame.org
@@ -3,7 +3,8 @@
An attempt a simpler yet comprehensive classifier and firewall system than diffserv, and one more comprehensive, faster and simpler than the existing firewall and qos system in openwrt
** Ame (pronounced - "Aim")
** Intended to be pluggable
- We need a testbed for alternate QoS systems
+ We need a testbed for alternate QoS systems that exists cleanly outside the firewall rules
+ We need to allow multiple protocols through cleanly
* Major change: Device Naming Scheme
@@ -13,26 +14,34 @@ Network devices are now renamed according to function, in the format:
[s|g|d] Secure, guest (or gateway), DMZ
[e|w] Ethernet or wireless
-[0-Z] radio number or vlan
+[0-Z] radio number
[0-Z] interface number
+.X vlan (I hope)
** Examples:
ge00 Internet gateway
+gw00 Wireless internet gateway
se00 secured local network
-sw00 secured local wireless radio 0 network
sw10 secured local wireless radio 1 network
+sw20 secured local wireless radio 2 network
+
+gw0X
+gw0
ge10 local wired guest vlan
-gw00 local wireless radio 0 guest 0
-gw01 local wireless radio 0 guest 1
-gw10 local wireless mesh
-gw11 local wireless mesh
+
+gw10 local wireless radio 1 guest 0
+gw11 local wireless radio 2 guest 1
+gw20 local wireless mesh
+gw21 local wireless mesh
** Advantages
*** The relationship between wireless interface and radio is preserved
-*** The network no longer makes a distinction between gateways to the internet and gateways to other people
+*** The network no longer makes root distinction between gateways to the internet and gateways to other people
Makes mesh routing work better, in particular.
+*** Short chains
+*** Support for multiport matches
*** Firewall rules for many networks are made MUCH shorter and simpler
By what looks to be an order of magnitude
*** You almost never have to restart the firewall
@@ -51,12 +60,16 @@ $iptables -t mangle -A POSTROUTING -o s+ -g PROCESS_THREATS \
$iptables -t mangle -A POSTROUTING -o d+ -g PROCESS_THREATS \
-m comment 'Potential problems'
-** Disavantages
+** Disadvantages
+*** Not quite a drop in replacement for existing zone rules
*** Device naming needs to be enforced consistently
Very hard to enforce. Many pieces of code have the idea of a specific device name embedded deep within them.
- Renaming the core ethernet devices is hard to get right.
+ Renaming the core ethernet devices is hard to get right. Multiple packages need to be modified to support this
+ properly: ppp, openvpn, 6in4, 6to4, strongswan, notably. Bridging and vlans are made more difficult
*** Hard for humans
Humans like names like eth0 and wlan0 which make more sense than sw10 by a LOT.
+**** Makes writing firewall rules and classifiers much simpler
+ This is also very hard for humans, so...
**** Fix - ip supports labeling devices in addition to their name.
ip link set $DEV alias whatever
*** GWXX is confusing
21 ame/doc/classify.conf.org
@@ -0,0 +1,21 @@
+* Classifier Table explanations
+
+FREQ 0-9 How much relative traffic this rule gets 0 - lowest 9 highest
+FROM-NET IPv4 or 6 address/subnet
+TO-NET IPv4 or 6 address/subnet
+FROM-PORTRANGE port,port,port:range
+TO-PORTRANGE port,port,port:range
+PROTO tcp,tcp4,tcp6,udp,udp4,udp6,icmp,icmp6, or proto number
+TAG User definable tag
+MODE Process mode Currently NORMAL,ADMIN,BIMODAL,ASTREAM,VSTREAM
+TYPE ANT,ELEPHANT
+FLAG USE or IGN (ignore)
+8021D1-IN 8021D priority
+8021D2-IN 8021D priority
+8021D1-OUT 8021D priority
+8021D2-OUT 8021D priority
+DSCP1-IN DIFFSERV
+DSCP2-IN DIFFSERV
+DSCP1-OUT DIFFSERV
+DSCP2-OUT DIFFSERV
+COMMENT "Comment"
94 ame/functions.sh
@@ -72,9 +72,9 @@ dscp_WEB() {
# if the vast majority of websites out there want to classify
# as bulk, let them.
# Arguably allowing a range here would be good.
- [ "$p80_stats" = 1 ] &&
- $iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
- --ports $BROWSINGPORTS -j P80RATHOLE
+
+ [ "$p80_stats" = "1" ] && p80_rathole $iptables
+ [ "$p80_stats" = "1" ] && $iptables -t mangle -A WEB -j P80RATHOLE
$iptables -t mangle -A WEB -m dscp ! --dscp-class CS1 -j DSCP \
--set-dscp-class AF22 \
@@ -215,26 +215,29 @@ fi
# 98% of traffic these days is on the web
# FIXME: Actually reclassifying web traffic needs a new idea
- [ "$p80_stats" = "1" ] && p80_rathole $iptables
dscp_WEB $iptables
+# This set of rules cuts performance down to less that 50Mbit/sec
+# for the bottommost rules. Since we're trying to get to where we
+# have CPU left over AND can see bufferbloat, do the test match first
+
+ $iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
+ --ports $TESTPORTS -g TESTS \
+
$iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
--ports $BROWSINGPORTS -g WEB -m comment --comment 'BROWSING'
$iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
--ports $PROXYPORTS -g SWEB \
-m comment --comment 'Proxies/433'
- $iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
- --ports $TESTPORTS -g TESTS \
-
# Making everything walk all this is bad, and we need to be cleverer
# about traffic coming from the machine itself
# SSH is bimodal inside a connection
$iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
- --ports $INTERACTIVEPORTS -j BIMODAL -m comment --comment 'SSH'
+ --ports $INTERACTIVEPORTS -g BIMODAL -m comment --comment 'SSH'
# CS4 for Xwin almost makes sense
$iptables -t mangle -A D_CLASSIFIER -p tcp -m tcp -m multiport \
--ports $XWINPORTS -j DSCP --set-dscp-class CS4 \
@@ -319,6 +322,8 @@ icmpv6() {
ip6tables -t mangle -A C_ICMP6 -p icmpv6 -m comment --comment 'ICMPv6 ANT' -j DSCP --set-dscp $ANT
}
+# More or less sorted by frequency
+
icmpv6_stats() {
recreate_filter ip6tables filter ICMP6_STATS
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 128 -m comment --comment 'ping' -j RETURN
@@ -327,7 +332,7 @@ icmpv6_stats() {
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 136 -m comment --comment 'Neighbor Advertisement' -j RETURN
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 1 -m comment --comment 'dest unreachable' -j RETURN
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 2 -m comment --comment 'packet too big' -j RETURN
- ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 3 -m comment --comment 'parameter problem'
+ ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 3 -m comment --comment 'parameter problem' -j RETURN
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 133 -m comment --comment 'Router Solicitation' -j RETURN
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 134 -m comment --comment 'Router Advertisement' -j RETURN
ip6tables -A ICMP6_STATS -p icmpv6 --icmpv6-type 130 -m comment --comment 'Group Membership query' -j RETURN
@@ -371,9 +376,32 @@ icmpv6_stats() {
# E and D can be the same, actually
+# FIXME: These theoretically are priority << 13, don't match with
+# the fixed stuff in the vlan kernel
+
+mac8021q() {
+ local iptables
+ for iptables in iptables ip6tables
+ do
+ recreate_filter $iptables mangle W8021q
+ $iptables -t mangle -A W8021q -j CLASSIFY --set-class 0:103 -m comment --comment 'Reclassify BE'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class EF -j CLASSIFY --set-class 0:107 -m comment --comment 'Voice (VO)(EF)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class CS6 -j CLASSIFY --set-class 0:106 -m comment --comment 'Critical (VO)'
+ $iptables -t mangle -A W8021q -m dscp --dscp $ANT -j CLASSIFY --set-class 0:105 -m comment --comment 'Ants(VI)'
+ $iptables -t mangle -A W8021q -m dscp --dscp $BOFH -j CLASSIFY --set-class 0:105 -m comment --comment 'Typing (VI)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class AF41 -j CLASSIFY --set-class 0:104 -m comment --comment 'Net Radio(VI)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class CS3 -j CLASSIFY --set-class 0:104 -m comment --comment 'Video (VI)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class CS1 -j CLASSIFY --set-class 0:102 -m comment --comment 'Background (BK)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class CS5 -j CLASSIFY --set-class 0:101 -m comment --comment 'General Stuff (BK)'
+ $iptables -t mangle -A W8021q -m dscp --dscp $P2P -j CLASSIFY --set-class 0:101 -m comment --comment 'P2P (BK)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class CS2 -j CLASSIFY --set-class 0:102 -m comment --comment 'Background (BK)'
+ $iptables -t mangle -A W8021q -m dscp --dscp-class AF33 -j CLASSIFY --set-class 0:102 -m comment --comment 'Background (AF33)'
+ done
+}
+
+# FIXME
mac80211e() {
local iptables
- local device=$1
for iptables in iptables ip6tables
do
recreate_filter $iptables mangle W80211e
@@ -392,18 +420,6 @@ mac80211e() {
done
}
-# FIXME
-mac8021d() {
- local device=$1
- local iptables
- for iptables in iptables ip6tables
- do
- recreate_filter $iptables filter Wired
- :
- # finish me
- done
-}
-
# This attempts to keep track of DSCP classified packets in one chain.
# It's sorted by frequency of occurence to mimimize overhead
@@ -461,9 +477,30 @@ clean() {
iptables -t filter -F
iptables -t mangle -F
iptables -t raw -F
+
# iptables -t nat -F
+
+ ip6tables -t filter -X
+ ip6tables -t mangle -X
+ iptables -t filter -X
+ iptables -t mangle -X
+ iptables -t raw -X
+
}
+# Send various interfaces to last classifier
+
+addoifs() {
+ local iptables=$1
+ local table=$2
+ local chain=$3
+ local target=$4
+ local devs="$5"
+ for d in $devs
+ do
+ $iptables -t $table -A $chain -o $d -j $target
+ done
+}
finalize() {
for iptables in iptables ip6tables
@@ -487,14 +524,16 @@ finalize() {
ip6tables -t mangle -A OUTPUT -p 58 -s fe80::/10 -j C_ICMP6
ip6tables -t mangle -A FORWARD -p 58 -s fe80::/10 -j C_ICMP6
fi
- $iptables -t mangle -A OUTPUT -o wlan+ -j W80211e
- $iptables -t mangle -A FORWARD -o wlan+ -j W80211e
+ addoifs $iptables mangle OUTPUT W80211e "$WIRELESS_DEVS"
+ addoifs $iptables mangle FORWARD W80211e "$WIRELESS_DEVS"
+ addoifs $iptables mangle OUTPUT W8021q "$WIRED_DEVS"
+ addoifs $iptables mangle FORWARD W8021q "$WIRED_DEVS"
[ "$dscp_stats" = 1 ] && {
$iptables -A OUTPUT -j DSCP_STATS
$iptables -A FORWARD -j DSCP_STATS
}
done
- [ "$icmp6_stats" = 1 ] && {
+ [ "$icmp6_stats" = "1" ] && {
ip6tables -A OUTPUT -p 58 -j ICMP6_STATS
ip6tables -A FORWARD -p 58 -j ICMP6_STATS
}
@@ -506,9 +545,8 @@ start() {
icmpv6_stats
dscp_stats
classify
-# Ultimately drive these with variables
- mac80211e sw+ gw+
- mac8021d se+ ge+
+ mac80211e
+ mac8021q
finalize
}
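Review bot: `addoifs` leaves its loop variable global — it declares `iptables`, `table`, `chain`, `target` and `devs` as local but not `d`, so every call clobbers any `d` the caller had; add `local d` beside the other locals. The deliberate unquoted `for d in $devs` also deserves a comment, e.g. `# $devs is a space-separated list of iptables interface patterns such as "sw+ gw+"`, since it is the one place in the file that relies on word splitting. In the D_CLASSIFIER hunk the moved `--ports $TESTPORTS -g TESTS \` line still ends in a backslash followed by an empty line, so the continuation swallows the blank; it works today, but anything added directly below it becomes part of that iptables command — drop the trailing backslash.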
305 ame/fw
@@ -0,0 +1,305 @@
+#!/bin/sh
+# CEROWRT firewall rules
+# See documentation for details
+
+FWTOOLS="iptables ip6tables"
+NATDEVS="ge0+" # Allow multiple nats
+DEBUG_LOG=/dev/null
+CONNTRACK=1
+BLOCK_RFC1918_OUT=2
+FWCHATTY=2
+FWLOG=1
+RFC1918="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
+BLOCK_NETS="$RFC1918"
+MCAST=""
+
+# Do we have secured networks and/or a DMZ?
+
+SYSDDIR=/sys/class/net
+HAVE_S=`ls -d $SYSDDIR/s* 2> /dev/null | wc -l`
+HAVE_D=`ls -d $SYSDDIR/d* 2> /dev/null | wc -l`
+HAVE_G=`ls -d $SYSDDIR/g* 2> /dev/null | wc -l`
+
+# Make sure nat devs exist
+
+HAVE_N=0
+
+if [ ! -z "$NATDEVS" ]
+then
+local dcheck=`echo $NATDEVS | tr + \*`
+HAVE_N=`ls -d $SYSDDIR/$dcheck 2> /dev/null | wc -l`
+fi
+
+# FIXME, USE IPSET if available
+# nethash
+# FIXME, SELECTIVELY DROP
+# IPv6 supported by ipsets?
+
+rfc1918_check(){
+ local CHAIN=$1
+ local SET=$2
+ local NETS=$3
+ local d
+ if [ "$HAVE_IPSET" = "1" ]
+ then
+ ipset --create $table nethash
+ for d in $NETS
+ do
+ ipset --add $CHAIN $d
+ done
+ iptables -A $CHAIN -m set --match-set $SET -j REJECT
+ else
+ for d in $NETS
+ do
+ iptables -A $CHAIN -d $d -j REJECT
+ done
+ fi
+}
+
+create_filter_if_not_exist() {
+ local iptables=$1
+ local filter=$2
+ local chain=$3
+ $iptables -t $filter -F $chain 2>> $DEBUG_LOG
+ $iptables -t $filter -X $chain 2>> $DEBUG_LOG
+ $iptables -t $filter -N $chain 2>> $DEBUG_LOG
+}
+
+recreate_filter() {
+ local iptables=$1
+ local filter=$2
+ local chain=$3
+ $iptables -t $filter -F $chain 2>> $DEBUG_LOG
+ $iptables -t $filter -X $chain 2>> $DEBUG_LOG
+ $iptables -t $filter -N $chain 2>> $DEBUG_LOG
+}
+
+
+# Multiport matches support 16 total ports
+# But this includes ":" port range syntax, which counts as 2
+
+calc_multiport() {
+ local ports=$1
+ local range=""
+ local c=0
+ local plist=""
+ local i
+ local t
+ range=`echo $ports | tr , \ `
+ for i in $range
+ do
+ t=`echo $i | tr : \ | wc -w`
+ if [ "$t" -ne '1' ]
+ then
+ c=$(($c + 2))
+ else
+ c=$(($c + 1))
+ fi
+ if [ "$c" -gt 15 ]
+ then
+ plist="${plist}\n$i"
+ c=$(($c - 15))
+ else
+ case $c in
+ 1) plist="${plist}$i" ;;
+ 2) [ "$t" = "1" ] && plist="${plist},$i" ;
+ [ "$t" = "2" ] && plist="${plist}$i" ;;
+ *) plist="${plist},$i" ;;
+ esac
+ fi
+ done
+ echo $plist
+}
+
+multiport_test() {
+ A="1,2,3,4,5,6,7,8,9,10,11,12,13"
+ echo "Should output one line"
+ calc_multiport "$A,14,15"
+ echo "Should output two lines"
+ calc_multiport "$A,14,15,16"
+ echo "Should output one line"
+ calc_multiport "$A,15:16"
+ echo "Should output two lines"
+ calc_multiport "$A,14,15:16,2"
+ echo "Should output one line"
+ calc_multiport "1:2,3:4,5:6,7:8,9:10,11:12,13:14,15"
+ echo "Should output two lines"
+ calc_multiport "1:2,3:4,5:6,7:8,9:10,11:12,13:14,15:16,17,18:19"
+}
+
+# ALWAYS be chatty. Filter out, block, or throttle the ICMP messages *later*
+# network-unreachable
+# host-unreachable
+# network-prohibited
+# host-prohibited
+# What the heck is I've always kind of wondered what source-quench would do nowadays
+# timestamp-request?
+
+
+threats() {
+ local iptables=$1
+ local target=$2
+
+ recreate_filter $iptables mangle $target
+ calc_multiport "81" | while read x
+ do
+ $iptables -t mangle -A $target -p tcp -m multiport --dports $x -j REJECT --reject-with icmp-admin-prohibited
+ done
+}
+
+
+setup() {
+local iptables
+for iptables in $FWTOOLS
+do
+
+$iptables --policy INPUT ACCEPT
+$iptables --policy OUTPUT ACCEPT
+$iptables --policy FORWARD ACCEPT
+# $iptables -i g+ --policy INPUT ACCEPT # this would be nice
+
+[ "$HAVE_S" -gt "0" ] && {
+
+recreate_filter $iptables mangle S_CLASSIFIER
+threats $iptables S_THREATS
+
+$iptables -t mangle -A PREROUTING -i s+ -j MARK --set-mark 0x80000000 \
+ -m comment --comment 'Mark secured networks'
+
+$iptables -t mangle -A POSTROUTING -o s+ -m mark --mark 0x80000000/0x80000000 -g S_CLASSIFIER \
+ -m comment --comment 'Good Traffic from/to our secured networks'
+
+$iptables -t mangle -A POSTROUTING -o s+ -g S_THREATS \
+ -m comment --comment 'Potential network threats'
+
+}
+
+[ "$HAVE_D" -gt "0" ] && {
+
+threats $iptables D_THREATS
+recreate_filter $iptables mangle D_CLASSIFIER
+
+$iptables -t mangle -A PREROUTING -i d+ -j MARK --set-mark 0x40000000 \
+ -m comment --comment 'Mark dmz networks'
+
+$iptables -t mangle -A POSTROUTING -o d+ -m mark --mark 0x40000000/0x40000000 -g D_CLASSIFIER \
+ -m comment --comment 'Good Traffic from/to our dmz networks'
+
+$iptables -t mangle -A POSTROUTING -o d+ -g D_THREATS \
+ -m comment --comment 'Potential network threats'
+
+}
+
+[ "$HAVE_G" -gt "0" ] && {
+
+threats $iptables G_THREATS
+recreate_filter $iptables mangle G_CLASSIFIER
+
+$iptables -t mangle -A PREROUTING -i g+ -j MARK --set-mark 0x20000000 \
+ -m comment --comment 'Mark guest networks'
+
+$iptables -t mangle -A POSTROUTING -o g+ -m mark --mark 0x20000000/0x20000000 -g G_CLASSIFIER \
+ -m comment --comment 'Good Traffic from/to our guest networks'
+
+$iptables -t mangle -A POSTROUTING -o g+ -g G_THREATS \
+ -m comment --comment 'Potential network threats'
+
+}
+
+
+if [ "$HAVE_N" -gt 0 ]
+then
+
+ if [ "$iptables" = "iptables" ]
+ then
+
+# I'm totally unconvinced this is the right thing
+
+
+# Here's one way
+#iptables -t nat -A POSTROUTING -o $d -j MASQUERADE -m comment --comment 'Natted connections'
+#iptables -A FORWARD -i $d -m state --state RELATED,ESTABLISHED -j ACCEPT
+#iptables -A FORWARD ! -i $d -o $d -j ACCEPT #
+
+# Another way, which I think is problematic
+
+#iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
+#iptables -A block -m state --state NEW ! -i $d -j ACCEPT
+#iptables -A block -j LOG
+#iptables -A block -j DROP
+#iptables -A INPUT -j block
+
+# Another way, which I think lets udp and other protocols run wild
+# WE DO want to accept new connections to the firewall in certain
+# cases, however. DNS, Web Server, Etc
+# FIXME: Make sure we can connect to useful services on FW
+# Need DNS to work
+
+ iptables -t nat -A POSTROUTING -o $d -j MASQUERADE -m comment --comment 'Natted connections'
+
+ if [ "$CONNTRACK" = "1" ]
+ then
+ recreate_filter iptables filter BLOCK
+ recreate_filter iptables filter STATEFUL
+
+ iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A BLOCK -m state --state NEW ! -i $d -j ACCEPT
+
+ [ "$FWLOG" = 1 ] && iptables -A BLOCK -j LOG
+
+ case "$FWCHATTY" in
+ 0) iptables -A BLOCK -j DROP ;;
+ 1) iptables -A BLOCK -j REJECT --reject-with icmp-port-unreachable ;;
+ 2) iptables -A BLOCK -j REJECT --reject-with icmp-port-unreachable ;;
+ *) iptables -A BLOCK -j DROP ; break ;;
+ esac
+
+ iptables -A STATEFUL -p tcp -g BLOCK
+ iptables -A STATEFUL -p udp -g BLOCK
+ iptables -A STATEFUL -p icmp -g BLOCK
+
+ iptables -A STATEFUL -i $d -j STATEFUL
+
+ fi
+
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ iptables -A INPUT -j ACCEPT
+
+ # The internet is a wild and wooly place, try to make sure we work better there
+ iptables -A FORWARD -o $d -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ fi
+ fi
+done
+
+
+# Fixme, do the right thing for ip6tables for the gateway devs
+
+}
+
+# BRUTE FORCE
+OLDCHAINS="BLOCK S_THREATS S_CLASSIFIER D_THREATS D_CLASSIFIER G_THREATS G_CLASSIFIER"
+
+clean() {
+ ip6tables -t filter -F
+ ip6tables -t mangle -F
+ iptables -t filter -F
+ iptables -t mangle -F
+ iptables -t raw -F
+ iptables -t nat -F
+
+ ip6tables -t filter -X
+ ip6tables -t mangle -X
+ iptables -t filter -X
+ iptables -t mangle -X
+ iptables -t raw -X
+ iptables -t nat -X
+
+#for i in $OLDCHAINS
+# do
+# iptables -t mangle
+}
+
+
+# multiport_test
+clean
+setup
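Review bot: After `setup` the box has no inbound filtering on the NAT side: all three policies are set to ACCEPT, `iptables -A INPUT -j ACCEPT` is appended unconditionally, and the STATEFUL chain is never reached from a builtin chain — `iptables -A STATEFUL -i $d -j STATEFUL` appends a jump from the chain to itself (which iptables should refuse as a loop) instead of hooking STATEFUL into INPUT/FORWARD. `$d` is also never assigned inside `setup` (`NATDEVS` is defined but never iterated), so the MASQUERADE, `! -i $d` and TCPMSS rules are built with an empty interface. Two smaller points: `local dcheck=...` at file scope is an error under dash/ash, so `HAVE_N` ends up counting `ls -d $SYSDDIR/` and is 1 whether or not a `ge0*` device exists; and `--reject-with icmp-admin-prohibited` in `threats` is an IPv4 reject type that ip6tables does not accept (its equivalent is `icmp6-adm-prohibited`), while the `break` in the FWCHATTY `*)` arm exits the whole FWTOOLS loop. A rewritten NAT block that iterates `$NATDEVS`, hooks STATEFUL into INPUT and FORWARD and drops the blanket INPUT ACCEPT (the policy is already ACCEPT) is sketched below; the unused `rfc1918_check` additionally creates the set as `$table`, which is never set, where `$SET` was meant.
```shell
if [ "$HAVE_N" -gt 0 ] && [ "$iptables" = "iptables" ]
then
  for d in $NATDEVS
  do
    iptables -t nat -A POSTROUTING -o $d -j MASQUERADE -m comment --comment 'Natted connections'
    if [ "$CONNTRACK" = "1" ]
    then
      # … unchanged: BLOCK chain construction (state rules, LOG, FWCHATTY case without the break) …
      iptables -A STATEFUL -p tcp -g BLOCK
      iptables -A STATEFUL -p udp -g BLOCK
      iptables -A STATEFUL -p icmp -g BLOCK
      # Hook the stateful filter into the builtin chains for traffic arriving on the NAT device
      iptables -A INPUT -i $d -j STATEFUL
      iptables -A FORWARD -i $d -j STATEFUL
    fi
    # The internet is a wild and wooly place, try to make sure we work better there
    iptables -A FORWARD -o $d -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  done
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```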
41 ame/ifnamefix
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Not clear when we can run this
+# So we try to be robust
+
+MACTAB=/etc/mactab
+TEMP=/tmp/nameif.$$
+TEMP=/tmp/nameif2.$$
+
+downup() {
+ local mac=$1
+ awk '{print $5,$7}' $TEMP | while read oif nif
+ do
+ MSG="$oif is busy. Trying rename to $nif: "
+ nif=`echo $nif | cut -f1 -d:`
+ ifconfig $oif down
+ nameif $nif $mac 2> $TEMP2
+ ifconfig $nif up
+ if [ -h /sys/class/net/$nif/address ]
+ then
+ logger "${MSG} Success"
+ else
+ logger "${MSG} Failed, " `cat $TEMP2`
+ fi
+ done
+}
+
+[ ! -s $MACTAB ] && exit 0
+
+cat $MACTAB | while read ifname mac
+do
+if [ ! -h /sys/class/net/$ifname/address ]
+then
+ nameif $ifname $mac 2> $TEMP
+ [ $? -ne 0 ] && downup $mac
+fi
+done
+
+rm -f $TEMP $TEMP@
+
+exit 0
+
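Review bot: `TEMP2` is never assigned — the second `TEMP=/tmp/nameif2.$$` line overwrites `TEMP` instead — so `nameif ... 2> $TEMP2` in `downup` redirects to an empty word, and the cleanup line's `$TEMP@` is a typo that leaves the second scratch file behind; the fix is `TEMP2=/tmp/nameif2.$$` and `rm -f $TEMP $TEMP2`. Both scratch files use predictable `$$`-suffixed names in /tmp, which `mktemp` avoids (`TEMP=$(mktemp) || exit 1`). The `[ -h /sys/class/net/$nif/address ]` tests (also in the main loop's `! -h` guard) check for a symlink, but I believe `address` is a regular sysfs attribute and only the interface directory itself is a link, so `-e` (or `-h /sys/class/net/$nif`) is probably what was meant — otherwise every interface looks unrenamed and every rename is logged as failed.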
14 ame/sed
@@ -0,0 +1,14 @@
+People like web interfaces for some reason.
+
+So you wanna change the default routing scheme
+
+You COULD do it via the web interface, changing the babel configuration
+changing he network interfaces, by clicking on a lot of stuff, ahcp,
+etc...
+
+OR you could just login to the router and, assuming X.Y is your new address...
+
+sed -i 's/30.42/X.Y/gp' /etc/config/*; reboot; exit
+
+Your choice.
+
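Review bot: `sed -i 's/30.42/X.Y/gp' /etc/config/*` combines the `p` flag with in-place editing, so every matching line is written twice (once by `p`, once by sed's normal output) and the config files end up with duplicated entries; drop the `p` flag. The unescaped `.` in `30.42` also matches any character, so values such as `30142` would be rewritten too — `30\.42` is the literal form. Since `reboot` follows unconditionally, a failed or partial edit still reboots the router; `sed -i 's/30\.42/X.Y/g' /etc/config/* && reboot` would at least not reboot on error.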
