Adding custom code files

master
bbruns 2010-07-15 04:55:09 +00:00
parent 9a9ff7c3cd
commit 7124d93bfb
13 changed files with 61 additions and 66 deletions

@ -1,23 +0,0 @@
0.0.0.0/7
5.0.0.0/8
14.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/7
39.0.0.0/8
42.0.0.0/8
49.0.0.0/8
50.0.0.0/8
100.0.0.0/6
104.0.0.0/6
127.0.0.0/8
169.254.0.0/16
176.0.0.0/7
179.0.0.0/8
181.0.0.0/8
185.0.0.0/8
192.0.2.0/24
198.18.0.0/15
223.0.0.0/8
224.0.0.0/3

include/ipv4_custom_nat Normal file
@ -1,41 +0,0 @@
#!/bin/bash
# Script to auto update bogons file for use with firewall script
VERSION="0.1"
WGET=/usr/bin/wget
PREFIX=`pwd`
BOGONSFILE=$PREFIX/bogon-bn-agg.txt
BOGONSURL="http://www.cymru.com/Documents/bogon-bn-agg.txt"
REMOVECIDR="(192.168.0.0|10.0.0.0|172.16.0.0)"
if [ ! -x $WGET ]; then
echo "wget command not found or executable. Please"
echo "edit the update-bogons script."
exit 1
fi
echo "Bogons update script - Version $VERSION"
echo -e "Part of Firewall/SOSDG - http://www.sosdg.org \n"
echo "Uses The Team Cymru Bogon List located at:"
echo -e "http://www.cymru.com/Documents/bogon-list.html\n"
if `wget -q -O $BOGONSFILE.new $BOGONSURL`; then
echo "Downloaded new bogons file..."
mv $BOGONSFILE $BOGONSFILE.old &>/dev/null
echo "Backed up $BOGONSFILE to .old..."
if [ $REMOVECIDR ]; then
grep -vE -e "$REMOVECIDR" $BOGONSFILE.new > $BOGONSFILE
echo "Removed blocks listed in REMOVECIDR..."
rm -f $BOGONSFILE.new
else
mv $BOGONSFILE.new $BOGONSFILE
echo "Replaced old bogons file with new one."
fi
else
echo "Error downloading bogons file. Please try again later."
rm -f $BOGONSFILE.new
exit 1
fi
exit 0

@ -61,6 +61,12 @@ if [ "$STRIPECN" ]; then
echo -ne "\n" echo -ne "\n"
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
echo -e "\E[33mLoading custom MSS Clamp rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_mssclamp"
echo -ne "\n"
fi
if [ "$CLAMPMSS" ]; then if [ "$CLAMPMSS" ]; then
echo -e "\E[33mClamping MSS to PMTU...\E[37m" echo -e "\E[33mClamping MSS to PMTU...\E[37m"
for i in $CLAMPMSS; do for i in $CLAMPMSS; do
@ -84,6 +90,12 @@ fi
$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \ $IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001" "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
echo -e "\E[33mLoading custom conntrack rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_conntrack"
echo -ne "\n"
fi
if [ $CONNTRACK ]; then if [ $CONNTRACK ]; then
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@ -96,6 +108,12 @@ if [ $CONNTRACK ]; then
$IPTABLES -A FORWARD -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state INVALID -j DROP
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_blockports" ]; then
echo -e "\E[33mLoading custom blocked port rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_blockports"
echo -ne "\n"
fi
if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
echo -en "\E[33mBlocking outbound port:\E[37m " echo -en "\E[33mBlocking outbound port:\E[37m "
@ -124,6 +142,12 @@ if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
echo -en "\n" echo -en "\n"
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
echo -e "\E[33mLoading custom allowed port rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_allowedports"
echo -ne "\n"
fi
if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
echo -en "\E[33mAdding allowed port:\E[37m " echo -en "\E[33mAdding allowed port:\E[37m "
@ -147,6 +171,12 @@ fi
if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
echo -e "\E[33mLoading custom protocol rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_proto"
echo -ne "\n"
fi
if [ "$ALLOWEDPROTO" ]; then if [ "$ALLOWEDPROTO" ]; then
echo -en "\E[33mAdding allowed protocols:\E[37m " echo -en "\E[33mAdding allowed protocols:\E[37m "
for i in $ALLOWEDPROTO; do for i in $ALLOWEDPROTO; do
@ -157,6 +187,13 @@ if [ "$ALLOWEDPROTO" ]; then
echo -en "\n\E[37m" echo -en "\n\E[37m"
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
echo -e "\E[33mLoading custom NOTRACK rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_notrack"
echo -ne "\n"
fi
if [ $CONNTRACK ]; then if [ $CONNTRACK ]; then
for i in $DONTTRACK; do for i in $DONTTRACK; do
$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK $IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
@ -167,6 +204,12 @@ if [ $CONNTRACK ]; then
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
echo -e "\E[33mLoading custom routing rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_routing"
echo -ne "\n"
fi
if [ $ROUTING ]; then if [ $ROUTING ]; then
echo -en "\E[33mAdding route:\E[37m " echo -en "\E[33mAdding route:\E[37m "
for i in `grep -v "\#" $ROUTING`; do for i in `grep -v "\#" $ROUTING`; do
@ -196,6 +239,12 @@ echo -ne "\n"
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
echo -e "\E[33mLoading custom port forwarding rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_portforward"
echo -ne "\n"
fi
if [ $PORTFW ] && [ $NAT ]; then if [ $PORTFW ] && [ $NAT ]; then
echo -en "\E[33mAdding port forward for:\E[37m " echo -en "\E[33mAdding port forward for:\E[37m "
for i in `grep -v "\#" $PORTFW`; do for i in `grep -v "\#" $PORTFW`; do
@ -215,8 +264,11 @@ if [ $LANDHCPSERVER ]; then
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
echo -e "\E[33mLoading custom nat rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_nat"
echo -ne "\n"
fi
if [ $NAT ]; then if [ $NAT ]; then
for i in $NATRANGE; do for i in $NATRANGE; do
@ -233,6 +285,13 @@ $IPTABLES --policy INPUT ACCEPT
$IPTABLES --policy OUTPUT ACCEPT $IPTABLES --policy OUTPUT ACCEPT
$IPTABLES --policy FORWARD DROP $IPTABLES --policy FORWARD DROP
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
echo -e "\E[33mLoading custom incoming blocked rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_blockincoming"
echo -ne "\n"
fi
if [ $BLOCKINCOMING ]; then if [ $BLOCKINCOMING ]; then
$IPTABLES -A INPUT -p tcp --syn -j DROP $IPTABLES -A INPUT -p tcp --syn -j DROP
$IPTABLES -A INPUT -p udp -j DROP $IPTABLES -A INPUT -p udp -j DROP