Firewall
QUEUE-Script bei iptables

Voraussetzung :
libipq für iptables muss installiert sein.

Das unten aufgeführte Skript wird mit folgender Befehlszeile kompiliert:

# gcc knock.c -o knock /usr/lib/libipq.a



knock.c :

/*

        ================================================
        open sesame - simple port knocking with iptables
        ================================================
        v 0.1 -> Frank Puschin, 10.11.2006

*/
#include <linux/netfilter.h>
#include <libipq.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUFSIZE 2048             /* netlink receive buffer handed to ipq_set_mode()/ipq_read() */
#define PATH_DEVNULL "/dev/null" /* also pasted into an err() message string, so it stays a macro */

/* Parent/child pipe used by daemonize_start(): the parent blocks on the read
 * end until the child closes both ends in daemonize_finish() (init done) or
 * exits. { -1, -1 } = pipe not created yet. */
static int lifeline[2] = { -1, -1 };
/* fd of PATH_DEVNULL opened in daemonize_start(); -1 means "not daemonizing",
 * which daemonize_finish() checks before touching the std fds. */
static int fd_null = -1;

/*
 * SIGTERM handler: log the shutdown, flush the INPUT chain and exit with
 * status 1. Flushing INPUT removes every rule main() installed, including the
 * port-22 REJECT rule.
 *
 * NOTE(review): system() and exit() are not async-signal-safe, and the ipq
 * handle is never released on this path; kept unchanged to preserve behaviour.
 */
void sigfunc(int sig) {
        static const char *const teardown[] = {
                "echo 'SESAME shutdown' | logger",
                "iptables -F INPUT",
        };
        size_t i;

        (void)sig;
        for (i = 0; i < sizeof teardown / sizeof teardown[0]; i++)
                system(teardown[i]);
        exit(1);
}

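/*
 * First half of daemonization: fork, and make the parent wait until the child
 * has finished initializing before reporting success to the caller's shell.
 *
 * The parent keeps the read end of `lifeline` and blocks in read(). It wakes
 * up when the child closes both ends in daemonize_finish() (init done) or the
 * child terminates (its write end goes away). It then reaps the child with
 * WNOHANG: a still-running child means success, an exited child's status is
 * propagated as our own exit status.
 *
 * Side effects: fills the file-scope `lifeline` and `fd_null`. Fatal errors
 * terminate the process via err(). Returns only in the child.
 */
void
daemonize_start(void)
{
   pid_t f, w;

   if (pipe(lifeline) == -1)
      err(1, "pipe(lifeline)");

   fd_null = open(PATH_DEVNULL, O_RDWR, 0);
   if (fd_null == -1)
      err(1, "open(" PATH_DEVNULL ")");

   f = fork();
   if (f == -1)
      err(1, "fork");
   else if (f != 0) {
      /* parent: wait for child */
      char tmp[1];
      int status = 0;
      ssize_t n;

      if (close(lifeline[1]) == -1)
         warn("close lifeline in parent");

      /* Block until EOF or data. A stray signal must not wake us early,
       * otherwise we would reap and report before the child is done. */
      do {
         n = read(lifeline[0], tmp, sizeof(tmp));
      } while (n == -1 && errno == EINTR);
      if (n == -1)
         warn("read lifeline in parent");
      if (close(lifeline[0]) == -1)
         warn("close read end of lifeline in parent");

      w = waitpid(f, &status, WNOHANG);
      if (w == -1)
         err(1, "waitpid");
      else if (w == 0)
         /* child is running happily */
         exit(EXIT_SUCCESS);
      else
         /* child init failed, pass on its exit status */
         exit(WEXITSTATUS(status));
   }
   /* else we are the child: continue initializing */
}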

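/*
 * Second half of daemonization, called by the child once its setup is done:
 * start a new session, cut the lifeline (which releases the parent blocked
 * in daemonize_start()), and point stdin/stdout/stderr at /dev/null.
 *
 * A no-op when daemonize_start() was never called (fd_null == -1). After the
 * first call fd_null is reset to -1, so calling it twice is harmless instead
 * of dup2()ing an already closed descriptor.
 */
void
daemonize_finish(void)
{
   if (fd_null == -1)
      return; /* didn't daemonize_start(), i.e. we're not daemonizing */

   if (setsid() == -1)
      err(1, "setsid");

   /* Closing both ends is what wakes the parent up in daemonize_start(). */
   if (close(lifeline[0]) == -1)
      warn("close read end of lifeline in child");
   if (close(lifeline[1]) == -1)
      warn("couldn't cut the lifeline");

   /* close all our std fds */
   if (dup2(fd_null, STDIN_FILENO) == -1)
      warn("dup2(stdin)");
   if (dup2(fd_null, STDOUT_FILENO) == -1)
      warn("dup2(stdout)");
   if (dup2(fd_null, STDERR_FILENO) == -1)
      warn("dup2(stderr)");
   /* If fd_null landed on 0..2 it now *is* one of the std fds; keep it. */
   if (fd_null > 2 && close(fd_null) == -1)
      warn("close(" PATH_DEVNULL ")");
   fd_null = -1;
}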

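/*
 * Report the last libipq error and terminate with status 1.
 *
 * @h  queue handle to release; may be NULL — main() passes NULL when
 *     ipq_create_handle() itself failed, so do not rely on the library
 *     accepting a NULL handle in ipq_destroy_handle().
 */
static void die(struct ipq_handle *h)
{
        ipq_perror("passer");
        if (h)
                ipq_destroy_handle(h);
        exit(1);
}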

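/* The knock, matched case-insensitively anywhere in the queued UDP payload.
 * NOTE(review): it is a fixed cleartext string, so observing one knock is
 * enough to reproduce it — document this as the accepted trade-off. */
static const char KNOCK[] = "open sesame";

enum { OPEN_WINDOW_SECONDS = 5 }; /* how long the SSH restriction is lifted */

/*
 * Flush INPUT and re-add only the rule that queues knock packets to us.
 * Until firewall_restrict_ssh() runs again the chain holds no SSH rule at all.
 */
static void firewall_reset(void)
{
        system("iptables -F INPUT");
        system("iptables -A INPUT -p udp --dport 666 -j QUEUE");
}

/* Allow SSH only from the local net and reject every other new SSH connection. */
static void firewall_restrict_ssh(void)
{
        system("iptables -A INPUT -p tcp --dport 22 -s 192.168.178.0/24 -j ACCEPT");
        system("iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j REJECT");
}

/* Lift the SSH restriction for OPEN_WINDOW_SECONDS, then put it back.
 * The daemon does not process further packets while it sleeps here. */
static void open_sesame(void)
{
        firewall_reset();
        system("echo 'OPEN SESAME' | logger");
        sleep(OPEN_WINDOW_SECONDS);
        system("echo 'CLOSING SESAME' | logger");
        firewall_restrict_ssh();
}

/*
 * Scan an untrusted packet payload for KNOCK at any offset, ignoring case.
 *
 * Only windows lying entirely inside [payload, payload + len) are compared,
 * so a payload shorter than the knock, or a knock cut off at the end, never
 * causes a read past the buffer. Stops at the first hit.
 *
 * @payload  raw bytes as delivered by libipq (need not be NUL-terminated)
 * @len      number of valid bytes in payload
 * @return   1 if the knock was found, 0 otherwise
 */
static int payload_contains_knock(const unsigned char *payload, size_t len)
{
        const size_t klen = sizeof KNOCK - 1;
        size_t off;

        if (payload == NULL || len < klen)
                return 0;
        for (off = 0; off + klen <= len; off++) {
                if (strncasecmp((const char *)payload + off, KNOCK, klen) == 0)
                        return 1;
        }
        return 0;
}

/*
 * Entry point: daemonize, install the firewall rules, then loop forever
 * pulling queued packets from ip_queue. Every queued packet is accepted;
 * one carrying the knock additionally opens the SSH window once.
 *
 * argc/argv are unused. Never returns normally; errors exit via die()/err().
 */
int main(int argc, char **argv)
{
        int status;
        unsigned char buf[BUFSIZE];
        struct ipq_handle *h;

        (void)argc;
        (void)argv;

        daemonize_start();

        signal(SIGTERM, sigfunc);

        /* Initialize the firewall: port 22 is reachable from the inside only. */
        system("modprobe ip_queue");
        firewall_reset();
        firewall_restrict_ssh();

        system("echo 'SESAME ready' | logger");

        h = ipq_create_handle(0, PF_INET);
        if (!h)
                die(h);

        status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
        if (status < 0)
                die(h);

        daemonize_finish();

        for (;;) {
                status = ipq_read(h, buf, BUFSIZE, 0);
                if (status < 0)
                        die(h);

                switch (ipq_message_type(buf)) {
                case NLMSG_ERROR:
                        fprintf(stderr, "Received error message %d\n",
                                ipq_get_msgerr(buf));
                        break;

                case IPQM_PACKET: {
                        ipq_packet_msg_t *m = ipq_get_packet(buf);

                        /* One knock per packet at most: the original loop
                         * could fire (and sleep) once per matching offset. */
                        if (payload_contains_knock(m->payload, m->data_len))
                                open_sesame();

                        /* The queued packet itself is always let through. */
                        status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                        if (status < 0)
                                die(h);
                        break;
                }

                default:
                        fprintf(stderr, "Unknown message type!\n");
                        break;
                }
        }

        /* not reached: the loop above only leaves via die()/sigfunc() */
        ipq_destroy_handle(h);
        return 0;
}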





Knowledge base wurde zuletzt bearbeitet am 12.07.13 durch Frank
