Tag for final 1.x release, v1.1. No more updates to old code

ChangeLog

@@ -1,3 +1,8 @@
+1.1 - Brielle Bruns <bruns@2mbit.com>
+	- Reorder rules, place allow before block to allow overrides
+	- Fixes for conntrack rules for better security (added -o/-i)
+	- Correct some incorrect info in options.default
+
 1.0 - Brielle Bruns <bruns@2mbit.com>
 	- Minor tweaks to various config files
 	- Fix issue with tweaks loading

bin/firewall-sosdg

@@ -18,7 +18,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FW_VERSION="1.0"
+FW_VERSION="1.1"
 
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file.  I leave this on by default,
@@ -184,6 +184,24 @@ if [ "$GEN_CACHE" ]; then
 	esac
 fi
 
+if [ "$IPTABLES_MULTIPORT" ]; then
+	case $IPTABLES_MULTIPORT in
+	  auto|AUTO|Auto)
+	  		if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then
+	  			display_c YELLOW "Multiport successfully loaded."
+	  			IPTABLES_MULTIPORT="yes"
+	  		else
+	  			display_c RED "Multiport was not loaded successfully.  Disabling."
+	  			IPTABLES_MULTIPORT="no"
+	  		fi ;;
+	  yes|YES|Yes)
+	  		${MODPROBE} ${NF_MULTIPORT}
+	  		display_c PURPLE "Multiport loading forced, not error checking."
+	  		IPTABLES_MULTIPORT="yes" ;;
+	  *)  IPTABLES_MULTIPORT="no"
+	  esac
+fi
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
@@ -234,7 +252,61 @@ if [ "$DNS_REQUESTS_OUT" ]; then
 	done
 fi
 
+if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
+	display_c YELLOW "Loading custom allowed port rules..."
+	. "$BASEDIR/include/ipv4_custom_allowedports"
+fi
 
+if [ "$IPV4_ALLOWED" ]; then
+	display_c YELLOW "Adding allowed IPs and ports... "
+	for i in `grep -v "\#" $IPV4_ALLOWED`; do
+		if [[ "$i" =~ "|" ]]; then
+			IFS_OLD=${IFS};IFS=\|
+			ADVALLOWIP=($i)
+			IFS=${IFS_OLD}
+			SRCIF=${ADVALLOWIP[0]}
+			SRCIP=${ADVALLOWIP[1]}
+			SRCPORT=${ADVALLOWIP[2]}
+			DSTIF=${ADVALLOWIP[3]}
+			DSTIP=${ADVALLOWIP[4]}
+			DSTPORT=${ADVALLOWIP[5]}
+			DIRECTION=${ADVALLOWIP[6]}
+			PROTO=${ADVALLOWIP[7]}
+			if [ "$SRCIF" ]; then
+				SRCIF="-i ${SRCIF} "
+			fi
+			if [ "$SRCIP" ]; then
+				SRCIP="-s ${SRCIP} "
+			fi
+			if [ "$SRCPORT" ]; then
+				SRCPORT="--sport ${SRCPORT/-/:} "
+			fi
+			if [ "$DSTIF" ]; then
+				DSTIF="-o ${DSTIF} "
+			fi
+			if [ "$DSTIP" ]; then
+				DSTIP="-d ${DSTIP} "
+			fi
+			if [ "$DSTPORT" ]; then
+				DSTPORT="--dport ${DSTPORT/-/:} "
+			fi
+			if [ "$PROTO" ]; then
+				case $PROTO in
+					TCP|tcp) PROTO="-p tcp";;
+					UDP|udp) PROTO="-p udp";;
+					*) PROTO="-p ${PROTO}";;
+				esac
+			fi
+			case $DIRECTION in
+				IN) DIRECTION="INPUT" ;;
+				OUT) DIRECTION="OUTPUT" ;;
+				FWD) DIRECTION="FORWARD" ;;
+				*) DIRECTION="INPUT" ;;
+			esac
+			${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
+		fi
+	done
+fi
 
 if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
 	display_c YELLOW "Loading custom ip block rules..."
@@ -384,79 +456,6 @@ if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
 	reset_color
 fi
 
-if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
-	display_c YELLOW "Loading custom allowed port rules..."
-	. "$BASEDIR/include/ipv4_custom_allowedports"
-fi
-
-if [ "$IPTABLES_MULTIPORT" ]; then
-	case $IPTABLES_MULTIPORT in
-	  auto|AUTO|Auto)
-	  		if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then
-	  			display_c YELLOW "Multiport successfully loaded."
-	  			IPTABLES_MULTIPORT="yes"
-	  		else
-	  			display_c RED "Multiport was not loaded successfully.  Disabling."
-	  			IPTABLES_MULTIPORT="no"
-	  		fi ;;
-	  yes|YES|Yes)
-	  		${MODPROBE} ${NF_MULTIPORT}
-	  		display_c PURPLE "Multiport loading forced, not error checking."
-	  		IPTABLES_MULTIPORT="yes" ;;
-	  *)  IPTABLES_MULTIPORT="no"
-	  esac
-fi
-
-if [ "$IPV4_ALLOWED" ]; then
-	display_c YELLOW "Adding allowed IPs and ports... "
-	for i in `grep -v "\#" $IPV4_ALLOWED`; do
-		if [[ "$i" =~ "|" ]]; then
-			IFS_OLD=${IFS};IFS=\|
-			ADVALLOWIP=($i)
-			IFS=${IFS_OLD}
-			SRCIF=${ADVALLOWIP[0]}
-			SRCIP=${ADVALLOWIP[1]}
-			SRCPORT=${ADVALLOWIP[2]}
-			DSTIF=${ADVALLOWIP[3]}
-			DSTIP=${ADVALLOWIP[4]}
-			DSTPORT=${ADVALLOWIP[5]}
-			DIRECTION=${ADVALLOWIP[6]}
-			PROTO=${ADVALLOWIP[7]}
-			if [ "$SRCIF" ]; then
-				SRCIF="-i ${SRCIF} "
-			fi
-			if [ "$SRCIP" ]; then
-				SRCIP="-s ${SRCIP} "
-			fi
-			if [ "$SRCPORT" ]; then
-				SRCPORT="--sport ${SRCPORT/-/:} "
-			fi
-			if [ "$DSTIF" ]; then
-				DSTIF="-o ${DSTIF} "
-			fi
-			if [ "$DSTIP" ]; then
-				DSTIP="-d ${DSTIP} "
-			fi
-			if [ "$DSTPORT" ]; then
-				DSTPORT="--dport ${DSTPORT/-/:} "
-			fi
-			if [ "$PROTO" ]; then
-				case $PROTO in
-					TCP|tcp) PROTO="-p tcp";;
-					UDP|udp) PROTO="-p udp";;
-					*) PROTO="-p ${PROTO}";;
-				esac
-			fi
-			case $DIRECTION in
-				IN) DIRECTION="INPUT" ;;
-				OUT) DIRECTION="OUTPUT" ;;
-				FWD) DIRECTION="FORWARD" ;;
-				*) DIRECTION="INPUT" ;;
-			esac
-			${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
-		fi
-	done
-fi
 
 if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
 	display_c YELLOW "Adding allowed port: " N
@@ -701,9 +700,9 @@ if [ $NAT ]; then
 			SNAT)
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@@ -722,9 +721,9 @@ if [ $NAT ]; then
 					;;
 			MASQ)
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@@ -743,9 +742,9 @@ if [ $NAT ]; then
 					;;
 			NETMAP)
 				$IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \

include/functions

@@ -91,6 +91,7 @@ function iptables_rules_flush {
 	for i in `cat $TABLE_NAMES`; do
 		$VER_IPTABLES -F -t $i &>/dev/null
 	done
+	$VER_IPTABLES -X
 	#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
 	#	$VER_IPTABLES -F -t nat &>/dev/null
 	#fi

options.default

@@ -150,12 +150,7 @@ DONTTRACK="127.0.0.1"
 #						I have things going through specific wires for a reason.  This fixes
 #						that and makes it behave as expected.
 #
-HACK_IPV4="NS-IN-DDOS"
+#HACK_IPV4="NS-IN-DDOS"
-
-# IP NAT Rules
-# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
-# MASQ:<INT IF>:<INT IP>:<EXT IF>
-#NAT_RANGE=
 
 # IP Ranges to block all traffic incoming/outgoing
 # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS