Thread: Firewall Builder
After working with Proxmox recently, I have been interested in a different way to make firewalls. After struggling with ufw, I stuck with iptables directly. After some practice, I have built a web app using PHP, JavaScript, and HTML that creates a Linux script to run, filter, and log. It is merely in the alpha stages, so I'd appreciate any comments. It supports TCP (apart from UDP DNS and ICMP pings). It assumes you have an iptables chain called logging (iptables -N logging), default policies of DROP, and internet and DNS access for the host and its "guests." A guest is a virtual machine in Proxmox, or on another virtual machine host; you type in any of the predefined IP addresses and services, including client services.
The program also works for a quite normal computer setup. If you are using client services, you must define them (SSH, FTP, etc.).
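<?php
// Ordinal names shared by the form markup and the script: every input id is built
// from them (host<ord>name, <guest><ord>port, <ord>whitelist, ...), so the PHP that
// emits the inputs and the JavaScript that reads them must agree on these lists.
$services = array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
$guests   = array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
?>
<!DOCTYPE html>
<html>
<head>
<script>
// Same ordinals as the PHP above. "host" is the machine running the firewall, the
// rest are guests. Kept as arrays so the rules are generated in loops instead of
// being unrolled once per input by PHP.
var mach = ["host","first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth"];
var serv = ["first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth"];

// Accepted input shapes. Everything typed into the form is pasted verbatim into a
// shell script that is later run as root, so only the narrow forms iptables needs
// are allowed; anything else (including shell metacharacters) aborts the build.
// The address pattern checks shape only; out-of-range octets are left to iptables.
var PORT_RE  = /^\d{1,5}$/;                            // a single port, range-checked below
var ADDR_RE  = /^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/;  // dotted quad, optional /prefix
var COUNT_RE = /^[1-9]\d*$/;                           // new connections per minute
var NAME_RE  = /^[A-Za-z0-9 _.-]+$/;                   // ends up inside --log-prefix "..."
var LOG_PREFIX_MAX = 29;                               // iptables refuses longer --log-prefix values

function el(id) { return document.getElementById(id); }
function val(id) { return el(id).value.trim(); }

// Reveal the next service row once the previous one has a name, and the next guest
// box once the previous guest has been given a nickname; the first row and the first
// guest box are always visible. Called on load and from the name inputs' onchange.
function show() {
  for (var m = 0; m < mach.length; m++) {
    for (var s = 0; s + 1 < serv.length; s++) {
      var filled = val(mach[m] + serv[s] + "name") !== "";
      el(mach[m] + serv[s + 1] + "servicediv").style.display = filled ? "inline" : "none";
    }
  }
  for (var g = 1; g + 1 < mach.length; g++) {
    var named = val(mach[g] + "nickname") !== "nickname";
    el(mach[g + 1] + "div").style.display = named ? "block" : "none";
  }
}

// Append the rules for one named service to `rules`, or record why it cannot be built
// in `problems`. `id` is the input-id prefix ("hostfirst", "secondthird", ...),
// `labelPrefix` the text placed before the service name in the LOG prefix, `chain`
// INPUT for the host's own services or FORWARD for a guest's, and `dest` the
// " -d <ip>" fragment for a guest (empty for the host). Does nothing when the
// service has no name.
function serviceRules(id, labelPrefix, chain, dest, white, rules, problems) {
  var name = val(id + "name");
  if (name === "") return;

  var port = val(id + "port");
  var limit = val(id + "limit");
  if (!NAME_RE.test(name)) problems.push(id + ": service name may only contain letters, digits, space, _ . -");
  if (!PORT_RE.test(port) || Number(port) < 1 || Number(port) > 65535) problems.push(id + ": port must be 1-65535");
  if (!COUNT_RE.test(limit)) problems.push(id + ": limit must be a positive whole number of new connections per minute");

  // "server?" means the named port is ours (dport) and the peer uses an ephemeral
  // port; for a client service the roles swap.
  var dport, sport;
  if (el(id + "server").checked) {
    dport = port;
    sport = "1024:65535";
  } else {
    sport = port;
    dport = "1024:65535";
  }

  // Without a whitelist the service is open to any source.
  var list = ["0.0.0.0/0"];
  if (el(id + "whitelist").checked) {
    if (white.length === 0) problems.push(id + ": whitelist is ticked but the whitelist is empty (no rules would be generated)");
    list = white;
  }

  // The LOG prefix is truncated rather than letting iptables reject the whole rule.
  var prefix = (labelPrefix + name + " limit").slice(0, LOG_PREFIX_MAX);
  var ports = " --dport " + dport + " --sport " + sport;
  for (var k = 0; k < list.length; k++) {
    var src = " -s " + list[k];
    rules.push("iptables -A " + chain + " -p tcp" + ports + src + dest + " -m state --state ESTABLISHED -j ACCEPT");
    if (chain === "INPUT") {
      rules.push("iptables -A OUTPUT -p tcp --sport " + dport + " --dport " + sport + " -d " + list[k] + " -m state --state ESTABLISHED,NEW -j ACCEPT");
    }
    // New connections up to the limit are accepted ...
    rules.push("iptables -A " + chain + " -p tcp" + ports + dest + " -m state --state NEW -m limit --limit " + limit + "/min --limit-burst " + (Number(limit) * 2) + src + " -j ACCEPT");
    // ... the rest go to the logging chain. "-m limit" with no rate keeps the module
    // defaults (3/hour, burst 5) so the log is not flooded; what exceeds even that
    // falls through to the chain's default policy.
    rules.push("iptables -A " + chain + " -p tcp" + ports + dest + " -m state --state NEW -m limit" + src + " -j logging");
    rules.push("iptables -A logging -p tcp" + ports + dest + src + " -j LOG --log-prefix \"" + prefix + "\"");
    rules.push("iptables -A logging -p tcp" + ports + dest + src + " -j DROP");
  }
}

// Generate the iptables script into the builddisplay textarea. Nothing is written if
// any field fails validation; the problems are listed in the textarea instead.
function build() {
  var rules = [];
  var problems = [];

  // Collect the whitelist from all ten inputs (the form emits ten).
  var white = [];
  for (var w = 0; w < serv.length; w++) {
    var entry = val(serv[w] + "whitelist");
    if (entry === "") continue;
    if (!ADDR_RE.test(entry)) problems.push(serv[w] + " whitelist entry: must be an IPv4 address or CIDR");
    white.push(entry);
  }

  // Flush, then the baseline the host always gets: DNS replies, HTTP/HTTPS as a
  // client. NOTE: nothing here accepts loopback (-i lo) and the default policies are
  // assumed to be DROP, so local-only traffic (a resolver on 127.0.0.1, for example)
  // is blocked unless it is added as a service. Running this over SSH without an SSH
  // service defined will drop the session once the script runs.
  rules.push("iptables -F");
  rules.push("iptables -A INPUT -p udp --sport 53 -j ACCEPT");
  rules.push("iptables -A OUTPUT -p udp --dport 53 -j ACCEPT");
  rules.push("iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT");
  rules.push("iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT");
  rules.push("iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT");
  rules.push("iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT");
  if (el("hosticmp").checked) {
    rules.push("iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT");
    rules.push("iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT");
    rules.push("iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT");
    rules.push("iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT");
  }

  // The host's own services live in INPUT/OUTPUT.
  for (var i = 0; i < serv.length; i++) {
    serviceRules("host" + serv[i], "host ", "INPUT", "", white, rules, problems);
  }

  // A guest is active once its nickname has been changed from the placeholder.
  for (var g = 1; g < mach.length; g++) {
    var nick = val(mach[g] + "nickname");
    if (nick === "nickname") continue;
    var ip = val(mach[g] + "ip");
    if (!NAME_RE.test(nick)) problems.push(mach[g] + " guest: nickname may only contain letters, digits, space, _ . -");
    if (!ADDR_RE.test(ip)) problems.push(mach[g] + " guest: ip address must be an IPv4 address or CIDR");
    var dest = " -d " + ip;

    // Baseline for a guest: DNS replies, anything it sends out, HTTP/HTTPS replies,
    // pings. The "-s <ip> -j ACCEPT" rule means the per-service limits below only
    // govern traffic *to* the guest, never what it originates.
    rules.push("iptables -A FORWARD -p udp --sport 53 --dport 1024:65535" + dest + " -j ACCEPT");
    rules.push("iptables -A FORWARD -s " + ip + " -j ACCEPT");
    rules.push("iptables -A FORWARD -p tcp --sport 80" + dest + " -m state --state ESTABLISHED -j ACCEPT");
    rules.push("iptables -A FORWARD -p tcp --sport 443" + dest + " -m state --state ESTABLISHED -j ACCEPT");
    rules.push("iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT");
    rules.push("iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT");

    // Each guest service uses its own limit field (not the host's).
    for (var s = 0; s < serv.length; s++) {
      serviceRules(mach[g] + serv[s], "guest " + nick + "'s ", "FORWARD", dest, white, rules, problems);
    }
  }

  var out = el("builddisplay");
  if (problems.length > 0) {
    out.value = "Script not built; fix these first:\n" + problems.join("\n") + "\n";
    return;
  }
  out.value = rules.join("\n") + "\n";
}
</script>
</head>
<body onload="show()">
<form>
<input type="button" id="submitbutton" value="build" onclick="build()">
<div style="border: 1px solid grey; overflow: hidden">
<div style="float: left"><pre>whitelist
<?php foreach ($guests as $i) { echo '<input type="text" id="'.$i.'whitelist">'."\n"; } ?>
</pre></div>
<textarea id="builddisplay" style="float: left"></textarea>
</div>
<div style="overflow: hidden; border: 1px solid black"><pre>
<!-- hostip is not read by build() yet; kept so existing bookmarks/forms keep working -->
host's ip address <input type="text" id="hostip">
allow icmp? <input type="checkbox" id="hosticmp" value="yes">
<?php
foreach ($services as $i) {
  echo '<div id="host'.$i.'servicediv" style="float: left; border: 1px solid red;">'.$i.' service name <input onchange="show()" type="text" id="host'.$i.'name"> port <input type="text" id="host'.$i.'port"> limit <input type="text" id="host'.$i.'limit"> server? <input type="checkbox" id="host'.$i.'server" value="yes"> whitelist? <input type="checkbox" id="host'.$i.'whitelist" value="yes"></div>';
}
?>
</pre></div>
<?php
foreach ($guests as $i) {
  echo '<br><div id="'.$i.'div" style="overflow: hidden; border: 1px solid green"><pre><b>'.$i.' guest</b> <input onchange="show()" type="text" id="'.$i.'nickname" value="nickname"> guest ip address <input type="text" id="'.$i.'ip">'."\n";
  foreach ($services as $j) {
    echo '<div id="'.$i.$j.'servicediv" style="float: left; border: 1px solid red">'.$j.' service name <input onchange="show()" type="text" id="'.$i.$j.'name"> port <input type="text" id="'.$i.$j.'port"> limit <input type="text" id="'.$i.$j.'limit"> server? <input type="checkbox" id="'.$i.$j.'server" value="yes"> whitelist? <input type="checkbox" id="'.$i.$j.'whitelist" value="yes"></div>';
  }
  echo '</pre></div>';
}
?>
</form>
<br>
<a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/3.0/deed.en_us"><img alt="Creative Commons License" style="border-width:0" src="http://i.creativecommons.org/l/by-nc-sa/3.0/88x31.png" /></a><br /><span xmlns:dct="http://purl.org/dc/terms/" href="http://purl.org/dc/dcmitype/text" property="dct:title" rel="dct:type">iptables script builder</span> by <span xmlns:cc="http://creativecommons.org/ns#" property="cc:attributionName">Michael Smith</span> is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/3.0/deed.en_us">Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License</a>.
</body>
</html>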
Or the simplified version for computers:
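<?php
// Ordinal names shared by the form markup and the script: every input id is built
// from them (host<ord>name, <ord>whitelist, ...), so the PHP that emits the inputs
// and the JavaScript that reads them must agree on these lists.
$services = array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
$guests   = array("first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth");
?>
<!DOCTYPE html>
<html>
<head>
<script>
// Same ordinals as the PHP above; rules are generated in a loop instead of being
// unrolled once per input by PHP.
var serv = ["first","second","third","fourth","fifth","sixth","seventh","eighth","ninth","tenth"];

// Accepted input shapes. Everything typed into the form is pasted verbatim into a
// shell script that is later run as root, so only the narrow forms iptables needs
// are allowed; anything else (including shell metacharacters) aborts the build.
// The address pattern checks shape only; out-of-range octets are left to iptables.
var PORT_RE  = /^\d{1,5}$/;                            // a single port, range-checked below
var ADDR_RE  = /^\d{1,3}(\.\d{1,3}){3}(\/\d{1,2})?$/;  // dotted quad, optional /prefix
var COUNT_RE = /^[1-9]\d*$/;                           // new connections per minute
var NAME_RE  = /^[A-Za-z0-9 _.-]+$/;                   // ends up inside --log-prefix "..."
var LOG_PREFIX_MAX = 29;                               // iptables refuses longer --log-prefix values

function el(id) { return document.getElementById(id); }
function val(id) { return el(id).value.trim(); }

// Append the INPUT/OUTPUT rules for one named host service to `rules`, or record why
// it cannot be built in `problems`. `ord` is the service ordinal ("first", ...).
// Does nothing when the service has no name.
function serviceRules(ord, white, rules, problems) {
  var id = "host" + ord;
  var name = val(id + "name");
  if (name === "") return;

  var port = val(id + "port");
  var limit = val(id + "limit");
  if (!NAME_RE.test(name)) problems.push(id + ": service name may only contain letters, digits, space, _ . -");
  if (!PORT_RE.test(port) || Number(port) < 1 || Number(port) > 65535) problems.push(id + ": port must be 1-65535");
  if (!COUNT_RE.test(limit)) problems.push(id + ": limit must be a positive whole number of new connections per minute");

  // "server?" means the named port is ours (dport) and the peer uses an ephemeral
  // port; for a client service the roles swap.
  var dport, sport;
  if (el(id + "server").checked) {
    dport = port;
    sport = "1024:65535";
  } else {
    sport = port;
    dport = "1024:65535";
  }

  // Without a whitelist the service is open to any source.
  var list = ["0.0.0.0/0"];
  if (el(id + "whitelist").checked) {
    if (white.length === 0) problems.push(id + ": whitelist is ticked but the whitelist is empty (no rules would be generated)");
    list = white;
  }

  // The LOG prefix is truncated rather than letting iptables reject the whole rule.
  var prefix = ("host " + name + " hit limit").slice(0, LOG_PREFIX_MAX);
  var ports = " --dport " + dport + " --sport " + sport;
  for (var k = 0; k < list.length; k++) {
    var src = " -s " + list[k];
    rules.push("iptables -A INPUT -p tcp" + ports + src + " -m state --state ESTABLISHED -j ACCEPT");
    rules.push("iptables -A OUTPUT -p tcp --sport " + dport + " --dport " + sport + " -d " + list[k] + " -m state --state ESTABLISHED,NEW -j ACCEPT");
    // New connections up to the limit are accepted ...
    rules.push("iptables -A INPUT -p tcp" + ports + " -m state --state NEW -m limit --limit " + limit + "/min --limit-burst " + (Number(limit) * 2) + src + " -j ACCEPT");
    // ... the rest go to the logging chain. "-m limit" with no rate keeps the module
    // defaults (3/hour, burst 5) so the log is not flooded; what exceeds even that
    // falls through to the REJECT/DROP rules appended at the end of build().
    rules.push("iptables -A INPUT -p tcp" + ports + " -m state --state NEW -m limit" + src + " -j logging");
    rules.push("iptables -A logging -p tcp" + ports + src + " -j LOG --log-prefix \"" + prefix + "\"");
    rules.push("iptables -A logging -p tcp" + ports + src + " -j DROP");
  }
}

// Generate the iptables script into the builddisplay textarea. Nothing is written if
// any field fails validation; the problems are listed in the textarea instead.
function build() {
  var rules = [];
  var problems = [];

  // Collect the whitelist from all ten inputs (the form emits ten).
  var white = [];
  for (var w = 0; w < serv.length; w++) {
    var entry = val(serv[w] + "whitelist");
    if (entry === "") continue;
    if (!ADDR_RE.test(entry)) problems.push(serv[w] + " whitelist entry: must be an IPv4 address or CIDR");
    white.push(entry);
  }

  // Flush, then the baseline the host always gets: DNS replies, HTTP/HTTPS as a
  // client. NOTE: nothing here accepts loopback (-i lo) and both INPUT and OUTPUT end
  // in DROP below, so local-only traffic (a resolver on 127.0.0.1, for example) is
  // blocked unless it is added as a service. Running this over SSH without an SSH
  // service defined will drop the session once the script runs.
  rules.push("iptables -F");
  rules.push("iptables -A INPUT -p udp --sport 53 -j ACCEPT");
  rules.push("iptables -A OUTPUT -p udp --dport 53 -j ACCEPT");
  rules.push("iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT");
  rules.push("iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT");
  rules.push("iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT");
  rules.push("iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT");
  if (el("hosticmp").checked) {
    rules.push("iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT");
    rules.push("iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT");
    rules.push("iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT");
    rules.push("iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT");
  }

  for (var i = 0; i < serv.length; i++) {
    serviceRules(serv[i], white, rules, problems);
  }

  // Explicit catch-all at the end, so the script does not depend on the chain
  // policies already being DROP.
  rules.push("iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset");
  rules.push("iptables -A INPUT -p icmp -j REJECT");
  rules.push("iptables -A INPUT -j DROP");
  rules.push("iptables -A OUTPUT -j DROP");

  var out = el("builddisplay");
  if (problems.length > 0) {
    out.value = "Script not built; fix these first:\n" + problems.join("\n") + "\n";
    return;
  }
  out.value = rules.join("\n") + "\n";
}
</script>
</head>
<body>
<form>
<input type="button" id="submitbutton" value="build" onclick="build()">
<pre>whitelist
<?php foreach ($guests as $i) { echo '<input type="text" id="'.$i.'whitelist">'."\n"; } ?>
</pre>
<textarea id="builddisplay" style="float: left"></textarea>
<br>
<pre>
allow icmp? <input type="checkbox" id="hosticmp" value="yes">
<?php
// No show() in this version, so the name inputs carry no onchange handler.
foreach ($services as $i) {
  echo $i.' service name <input type="text" id="host'.$i.'name"> port <input type="text" id="host'.$i.'port"> limit <input type="text" id="host'.$i.'limit"> server? <input type="checkbox" id="host'.$i.'server" value="yes"> whitelist? <input type="checkbox" id="host'.$i.'whitelist" value="yes">'."\n";
}
?>
</pre>
</form>
</body>
</html>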