More custom rule support

master
bbruns 2010-07-15 05:44:42 +00:00
parent 6b9a442edf
commit b86926bd13
3 changed files with 73 additions and 11 deletions


@ -15,6 +15,11 @@ out of your own system from the network.
Hope you read this before running rc.firewall! Hope you read this before running rc.firewall!
[Update 7/14/2010]
You can now place custom rules in at specific points of the firewall
rule loading. See include/README for more details.
This is a script in progress, and is nowhere near complete. If you This is a script in progress, and is nowhere near complete. If you
find obvious bugs or have a patch to add new features/remove bugs, find obvious bugs or have a patch to add new features/remove bugs,
please send them to me. please send them to me.


@ -3,5 +3,10 @@ custom rules at each section of the firewall script:
ipv4_custom_allowedports ipv4_custom_mssclamp ipv4_custom_proto ipv4_custom_allowedports ipv4_custom_mssclamp ipv4_custom_proto
ipv4_custom_blockincoming ipv4_custom_nat ipv4_custom_routing ipv4_custom_blockincoming ipv4_custom_nat ipv4_custom_routing
ipv4_custom_blockports ipv4_custom_notrack ipv4_custom_blockoutports ipv4_custom_notrack ipv4_custom_flush
ipv4_custom_conntrack ipv4_custom_portforward ipv4_custom_conntrack ipv4_custom_portforward ipv4_custom_trust
ipv4_custom_blockip
ipv6_custom_flush ipv6_custom_trust ipv6_custom_mssclamp
ipv6_custom_blockoutports ipv6_custom_allowedports ipv6_custom_conntrack
ipv6_custom_routing ipv6_custom_blockincoming


@ -1,10 +1,10 @@
#/bin/bash #/bin/bash
# v0.9 # v0.9.3
# By Brielle Bruns <bruns@2mbit.com> # By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall # URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3 # License: GPLv3
echo -e "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" echo -e "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
echo -e "SOSDG/Firewall v0.9" echo -e "SOSDG/Firewall v0.9.3"
echo -e "Brielle Bruns <bruns@2mbit.com>" echo -e "Brielle Bruns <bruns@2mbit.com>"
echo -e "http://www.sosdg.org/freestuff/firewall" echo -e "http://www.sosdg.org/freestuff/firewall"
echo -e "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n" echo -e "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"
@ -24,12 +24,20 @@ if [ $NAT ]; then
$IPTABLES -F -t nat &>/dev/null $IPTABLES -F -t nat &>/dev/null
fi fi
$IPTABLES -F -t raw &>/dev/null $IPTABLES -F -t raw &>/dev/null
if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
echo -e "\E[33mLoading custom flush rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_flush"
fi
$BASEDIR/prerun $BASEDIR/prerun
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
echo -e "\E[33mLoading custom trust rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_trust"
fi
if [ "$TRUSTEDIP" ]; then if [ "$TRUSTEDIP" ]; then
echo -ne "\E[33mAdding trusted IP:\E[37m " echo -ne "\E[33mAdding trusted IP:\E[37m "
@ -41,6 +49,11 @@ if [ "$TRUSTEDIP" ]; then
echo -ne "\n" echo -ne "\n"
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
echo -e "\E[33mLoading custom ip block rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_blockip"
fi
if [ $BLOCKEDIP ]; then if [ $BLOCKEDIP ]; then
echo -en "\E[33mAdding blocked IPs:\E[37m " echo -en "\E[33mAdding blocked IPs:\E[37m "
for i in `grep -v "\#" $BLOCKEDIP`; do for i in `grep -v "\#" $BLOCKEDIP`; do
@ -106,9 +119,9 @@ if [ $CONNTRACK ]; then
$IPTABLES -A FORWARD -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state INVALID -j DROP
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_blockports" ]; then if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
echo -e "\E[33mLoading custom blocked port rules...\E[37m" echo -e "\E[33mLoading custom blocked outbound port rules...\E[37m"
. "$BASEDIR/include/ipv4_custom_blockports" . "$BASEDIR/include/ipv4_custom_blockoutports"
fi fi
if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
@ -294,12 +307,20 @@ if [ $IPV6 ]; then
$IP6TABLES -F OUTPUT &>/dev/null $IP6TABLES -F OUTPUT &>/dev/null
$IP6TABLES -F PREROUTING &>/dev/null $IP6TABLES -F PREROUTING &>/dev/null
$IP6TABLES -F POSTROUTING &>/dev/null $IP6TABLES -F POSTROUTING &>/dev/null
if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
echo -e "\E[33mLoading custom IPv6 flush rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_flush"
fi
echo -ne "\E[33mAdding trusted IPv6:\E[37m " echo -ne "\E[33mAdding trusted IPv6:\E[37m "
$IP6TABLES -A INPUT -i lo -j ACCEPT $IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT $IP6TABLES -A OUTPUT -o lo -j ACCEPT
if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
echo -e "\E[33mLoading custom IPv6 trust rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_trust"
fi
for i in $IPV6TRUSTED; do for i in $IPV6TRUSTED; do
echo -n "$i " echo -n "$i "
$IP6TABLES -A INPUT -s $i -j ACCEPT $IP6TABLES -A INPUT -s $i -j ACCEPT
@ -307,6 +328,10 @@ if [ $IPV6 ]; then
done done
echo -ne "\n\E[37m" echo -ne "\n\E[37m"
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
echo -e "\E[33mLoading custom IPv6 MSS Clamp rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_mssclamp"
fi
if [ "$CLAMPMSSIPV6" ]; then if [ "$CLAMPMSSIPV6" ]; then
echo -e "\E[33mClamping IPV6 MSS to PMTU...\E[37m" echo -e "\E[33mClamping IPV6 MSS to PMTU...\E[37m"
@ -329,6 +354,10 @@ if [ $IPV6 ]; then
done done
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
echo -e "\E[33mLoading custom IPv6 blocked outbound port rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_blockoutports"
fi
if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
echo -en "\E[33mBlocking outbound port:\E[37m " echo -en "\E[33mBlocking outbound port:\E[37m "
if [ "$BLOCKIPV6TCPPORTS" ]; then if [ "$BLOCKIPV6TCPPORTS" ]; then
@ -346,6 +375,10 @@ if [ $IPV6 ]; then
echo -en "\n\E[37m" echo -en "\n\E[37m"
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
echo -e "\E[33mLoading custom IPv6 allowed port rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_allowedports"
fi
if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
echo -en "\E[33mAdding allowed IPv6 port:\E[37m " echo -en "\E[33mAdding allowed IPv6 port:\E[37m "
@ -367,11 +400,22 @@ if [ $IPV6 ]; then
echo -en "\n\E[37m" echo -en "\n\E[37m"
fi fi
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
echo -e "\E[33mLoading custom IPv6 conntrack rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_conntrack"
fi
if [ $IPV6ROUTEDCLIENTBLOCK ]; then if [ $IPV6ROUTEDCLIENTBLOCK ]; then
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
@ -380,6 +424,10 @@ if [ $IPV6 ]; then
if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
echo -e "\E[33mLoading custom IPv6 routing rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_routing"
fi
if [ $IPV6FORWARDRANGE ]; then if [ $IPV6FORWARDRANGE ]; then
for i in $IPV6FORWARDRANGE; do for i in $IPV6FORWARDRANGE; do
$IP6TABLES -A FORWARD -s $i -j ACCEPT $IP6TABLES -A FORWARD -s $i -j ACCEPT
@ -387,6 +435,10 @@ if [ $IPV6 ]; then
done done
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
echo -e "\E[33mLoading custom IPv6 incoming blocked port rules...\E[37m"
. "$BASEDIR/include/ipv6_custom_blockincoming"
fi
if [ $IPV6BLOCKINCOMING ]; then if [ $IPV6BLOCKINCOMING ]; then
$IP6TABLES -A INPUT -p tcp --syn -j DROP $IP6TABLES -A INPUT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -p udp -j DROP $IP6TABLES -A INPUT -p udp -j DROP
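Review bot: The new `$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT` in the IPV6ROUTEDCLIENTBLOCK hunk is appended ahead of the `INPUT -i $IPV6INT -p tcp --syn -j DROP` and `INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP` rules that follow it, and because ip6tables evaluates a chain in order an inbound SYN (state NEW) matches the ACCEPT first, so those DROPs appear unreachable and the option no longer blocks what its name says. The FORWARD side has the same ordering, with `FORWARD -m state --state NEW -j ACCEPT` placed before `FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP`. Dropping the two NEW-accept lines on INPUT and FORWARD (keeping the RELATED,ESTABLISHED accepts and the new INVALID drops) leaves the interface-specific DROPs reachable; if a NEW accept is wanted for other interfaces it belongs after them, and the enclosing `if [ $IPV6 ]` block starts and ends outside the hunk. Separately, the ipv4 blockip hunk tests `-s "$BASEDIR/include/ipv4_custom_blockip"` but then sources `ipv6_custom_blockip`, so the ipv4 include is never loaded; that line should read `. "$BASEDIR/include/ipv4_custom_blockip"`.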