Enviado em 23/07/2015 - 22:59h
PREFÁCIO:
user@OpenWRT:~$ sudo iptables -L -t raw --line-numbers
opkg install knockd
user@OpenWRT:~$ sudo chmod 755 /etc/uciknockd.sh /etc/forward.sh /etc/init.d/knockd
[options]
logfile = /var/log/knockd.log
interface = br-lan
# Atenção: o knockd só escuta as batidas nesta interface, e br-lan só vê batidas vindas da LAN.
# Como a regra criada pelo open-port usa src='wan', coloque aqui o nome da interface WAN
# se a porta deve ser aberta para clientes da Internet.
[openSSH]
sequence = <porta 1>,<porta 2>,<porta 3>
seq_timeout = 5
command = /etc/uciknockd.sh open-port KnockdSSH %IP% <porta SSH>
tcpflags = syn
[closeSSH]
sequence = <porta 3>,<porta 2>,<porta 1>
seq_timeout = 5
command = /etc/uciknockd.sh close-port KnockdSSH %IP% <porta SSH>
tcpflags = syn
iptables -A INPUT -p tcp --dport <porta SSH> -j DROP
# Atenção: o uciknockd.sh executa /etc/init.d/firewall restart a cada open/close. No OpenWrt
# isso reconstrói as tabelas a partir da configuração UCI, e uma regra acrescentada à mão com
# iptables, como esta, tende a desaparecer na primeira reinicialização do firewall. Para o
# DROP persistir, declare-o via UCI (config rule ... option target DROP) ou em
# /etc/firewall.user, e confira com iptables -L depois de um open/close.
user@OpenWRT:~$ sudo /etc/init.d/knockd enable && sudo /etc/init.d/knockd start
cliente@GNULinux:~$ knock 192.168.1.1 <porta 1> <porta 2> <porta 3>
[...]
command = /etc/uciknockd.sh close-port KnockdSSH %IP% <porta SSH>
[...]
DROP tcp -- anywhere anywhere tcp dpt:<porta SSH>
[...]
[OpenPort]
sequence = <porta 1>,<porta 2>,<porta 3>
seq_timeout = 5
command = /sbin/uci add firewall rule
command = /sbin/uci set firewall.@rule[-1].name=KnockdSSH
command = /sbin/uci set firewall.@rule[-1].src=wan
command = /sbin/uci set firewall.@rule[-1].src_ip=%IP%
command = /sbin/uci set firewall.@rule[-1].dest_port=<porta SSH>
command = /sbin/uci set firewall.@rule[-1].target=ACCEPT
command = /sbin/uci set firewall.@rule[-1].proto=tcp
command = /sbin/uci commit firewall
command = /etc/init.d/firewall restart
tcpflags = syn
# Observação: o knockd aceita uma única linha "command =" por seção — quando há várias, só a
# última prevalece (confira na sua versão). Uma sequência de comandos uci como a acima precisa
# ficar num script chamado por um único command.
[...]
[...]
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport <porta SSH> -j ACCEPT
# Observação: -A acrescenta a regra no fim da cadeia INPUT; se o DROP da etapa anterior já
# estiver na cadeia, o ACCEPT fica depois dele e nunca é alcançado (seria preciso -I INPUT 1).
# Mesmo assim, regras feitas à mão não sobrevivem ao restart do firewall do OpenWrt.
[...]
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport <porta SSH> -j ACCEPT
[...]
#!/bin/sh
# This is uciknockd.sh script, place it in /etc directory
. /lib/functions.sh
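# Callback for config_foreach: delete the UCI section $1 when its option $2
# equals $3.
#
# Arguments:
#   $1 - UCI section id, supplied by config_foreach
#   $2 - option name to compare (e.g. name)
#   $3 - value the option must equal
# Returns 1 after the first match; with OpenWrt's config_foreach a non-zero
# callback status presumably stops the iteration, so only the first matching
# section is removed (confirm against /lib/functions.sh). Returns 0 when the
# section does not match. The deletion is only staged; the caller must run
# `uci commit`.
# NOTE: an empty $3 matches every section that has no $2 option at all, so
# callers must pass a non-empty value.
handle_delete()
{
	local config="$1"
	local option="$2"
	local value="$3"
	local optionVal=""
	config_get optionVal "$config" "$option"
	# Single '=' : '==' is a bashism and this file runs under #!/bin/sh.
	if [ "$optionVal" = "$value" ]; then
		uci delete "firewall.$config"
		return 1
	fi
	return 0
}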
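# Delete the section of type $2 in UCI config $1 whose option $3 equals $4,
# e.g.
#   delete_rule firewall rule name test
# removes firewall.@rule[x] with option name='test' (handle_delete stops the
# walk after its first match).
#
# Arguments:
#   $1 - UCI config name (firewall)
#   $2 - section type (rule, redirect)
#   $3 - option to compare
#   $4 - value to match; must be non-empty, otherwise handle_delete matches
#        the first section that has no $3 option at all
# The deletion is only staged; the caller must run `uci commit`.
delete_rule()
{
	local config="$1"
	local section="$2"
	local name="$3"
	local value="$4"
	# All expansions quoted so a stray space or glob cannot change the call.
	config_load "$config"
	config_foreach handle_delete "$section" "$name" "$value"
}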
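# Opening ports
# Allow one remote address to reach a TCP port on the router itself. This is
# what knockd's open-port command ends up calling; the UCI rule it creates is:
#
#config rule
# option name      <name>
# option src       wan
# option src_ip    <src_ip>
# option dest_port <dest_port>
# option target    ACCEPT
# option proto     tcp
#
# Arguments:
#   $1 - rule name; close_port later deletes the rule by this name
#   $2 - source address the rule is restricted to (knockd passes %IP%)
#   $3 - destination TCP port on the router
# Returns 0 once the rule is committed and the firewall restarted, 1 (nothing
# written) if any argument is empty or contains characters outside a narrow
# whitelist. The check matters: an empty src_ip would produce a rule with no
# source restriction, i.e. the port would be opened to the whole wan zone, and
# the values are expanded into a uci here-document.
# NOTE(review): the rule is committed to /etc/config/firewall and has no
# expiry, so it survives reboots until close_port is called.
open_port()
{
	local name="$1"
	local src_ip="$2"
	local dest_port="$3"

	# Whitelists: name = [A-Za-z0-9_.-]; address = hex digits, '.', ':' and
	# '/' (IPv4, IPv6 or CIDR); port = digits and '-' (single port or range).
	case "$name" in
		'' | *[!A-Za-z0-9_.-]*)
			printf 'open_port: invalid rule name: %s\n' "$name" >&2
			return 1 ;;
	esac
	case "$src_ip" in
		'' | *[!0-9A-Fa-f.:/]*)
			printf 'open_port: invalid source address: %s\n' "$src_ip" >&2
			return 1 ;;
	esac
	case "$dest_port" in
		'' | *[!0-9-]*)
			printf 'open_port: invalid port: %s\n' "$dest_port" >&2
			return 1 ;;
	esac

	# Values are single-quoted for uci; the whitelists above exclude quotes.
	uci batch <<EOF
add firewall rule
set firewall.@rule[-1].name='$name'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].src_ip='$src_ip'
set firewall.@rule[-1].dest_port='$dest_port'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].proto='tcp'
EOF
	uci commit firewall
	/etc/init.d/firewall restart
}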
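# Remove a rule previously created by open_port.
# Arguments:
#   $1 - rule name, exactly as passed to open_port (extra arguments, as
#        passed by the dispatcher below, are ignored)
# Returns 1 without touching the config when the name is empty: delete_rule
# compares against each rule's name option, and an empty name would match the
# first rule that has no name at all.
close_port()
{
	local name="$1"
	if [ -z "$name" ]; then
		printf 'close_port: rule name must not be empty\n' >&2
		return 1
	fi
	delete_rule firewall rule name "$name"
	uci commit firewall
	/etc/init.d/firewall restart
}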
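# Forwarding ports (Destination NAT/DNAT)
# Forward one port on the router's wan side to a LAN host, for a single
# source address. This is what knockd's forward-port command ends up calling;
# the UCI redirect it creates is:
#
#config redirect
# option name      <name>
# option src       wan
# option src_ip    <src_ip>
# option proto     tcp          (tcp only; the code does not set tcpudp)
# option src_dport <src_dport>
# option dest_ip   <dest_ip>
# option dest_port <dest_port>
# option target    DNAT
# option dest      lan
#
# Arguments:
#   $1 - redirect name; remove_forward_port later deletes it by this name
#   $2 - source address allowed to use the redirect (knockd passes %IP%)
#   $3 - port on the router's wan address that is forwarded
#   $4 - LAN host receiving the traffic
#   $5 - port on that host
# Returns 0 once the redirect is committed and the firewall restarted, 1
# (nothing written) if any argument is empty or contains characters outside
# a narrow whitelist. As in open_port, an empty src_ip would yield a redirect
# usable from the whole wan zone, and the values go into a uci here-document.
forward_port()
{
	local name="$1"
	local src_ip="$2"
	local src_dport="$3"
	local dest_ip="$4"
	local dest_port="$5"
	local addr port

	# Whitelists: name = [A-Za-z0-9_.-]; address = hex digits, '.', ':' and
	# '/' (IPv4, IPv6 or CIDR); port = digits and '-' (single port or range).
	case "$name" in
		'' | *[!A-Za-z0-9_.-]*)
			printf 'forward_port: invalid redirect name: %s\n' "$name" >&2
			return 1 ;;
	esac
	for addr in "$src_ip" "$dest_ip"; do
		case "$addr" in
			'' | *[!0-9A-Fa-f.:/]*)
				printf 'forward_port: invalid address: %s\n' "$addr" >&2
				return 1 ;;
		esac
	done
	for port in "$src_dport" "$dest_port"; do
		case "$port" in
			'' | *[!0-9-]*)
				printf 'forward_port: invalid port: %s\n' "$port" >&2
				return 1 ;;
		esac
	done

	# Values are single-quoted for uci; the whitelists above exclude quotes.
	uci batch <<EOF
add firewall redirect
set firewall.@redirect[-1].name='$name'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_ip='$src_ip'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].src_dport='$src_dport'
set firewall.@redirect[-1].dest_ip='$dest_ip'
set firewall.@redirect[-1].dest_port='$dest_port'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].dest='lan'
EOF
	uci commit firewall
	/etc/init.d/firewall restart
}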
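# Remove a redirect previously created by forward_port.
# Arguments:
#   $1 - redirect name, exactly as passed to forward_port (extra arguments,
#        as passed by the dispatcher below, are ignored)
# Returns 1 without touching the config when the name is empty: delete_rule
# compares against each redirect's name option, and an empty name would match
# the first redirect that has no name at all.
remove_forward_port()
{
	local name="$1"
	if [ -z "$name" ]; then
		printf 'remove_forward_port: redirect name must not be empty\n' >&2
		return 1
	fi
	delete_rule firewall redirect name "$name"
	uci commit firewall
	/etc/init.d/firewall restart
}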
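# Command-line dispatcher. knockd calls this script as, for example,
#   /etc/uciknockd.sh open-port KnockdSSH %IP% 22
# The rule name is derived from the arguments ("namePrefix_src_ip_port"), so
# the matching close/remove command must receive the same three values to find
# the rule again. Every arm requires its full argument count: a missing
# argument used to shift the remaining ones into the wrong parameter (and, for
# open-port, could yield a rule without a source restriction).
# Exit status: 0 on success, 1 on a usage error or when the called function
# fails.
usage()
{
	echo "Usage:"
	echo " $0 open-port namePrefix src_ip dest_port"
	echo " $0 close-port namePrefix src_ip dest_port"
	echo " $0 forward-port namePrefix src_ip src_dport dest_ip dest_port"
	echo " $0 remove-forward-port namePrefix src_ip src_dport"
	exit 1
}

case "$1" in
	open-port)
		# $2=namePrefix $3=src_ip $4=dest_port
		[ $# -ge 4 ] || usage
		name="$2_$3_$4"
		open_port "$name" "$3" "$4" || exit 1
		;;
	close-port)
		# Same arguments as open-port, so the same rule name is rebuilt.
		[ $# -ge 4 ] || usage
		name="$2_$3_$4"
		close_port "$name" || exit 1
		;;
	forward-port)
		# $2=namePrefix $3=src_ip $4=src_dport $5=dest_ip $6=dest_port
		[ $# -ge 6 ] || usage
		name="$2_$3_$4"
		forward_port "$name" "$3" "$4" "$5" "$6" || exit 1
		;;
	remove-forward-port)
		# $2=namePrefix $3=src_ip $4=src_dport (same name as forward-port).
		# The previous version also ran a `stop` command here that is not
		# defined anywhere in this script; it has been dropped.
		[ $# -ge 4 ] || usage
		name="$2_$3_$4"
		remove_forward_port "$name" || exit 1
		;;
	*)
		usage
		;;
esac
exit 0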