#/bin/bash # By Brielle Bruns # URL: http://www.sosdg.org/freestuff/firewall # License: GPLv3 # # Copyright (C) 2009 - 2010 Brielle Bruns # Copyright (C) 2009 - 2010 The Summit Open Source Development Group # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . FW_VERSION="0.9.11" # These option is here to help pre-1.0 users easily upgrade, defines critical defaults # that would otherwise require remaking their options file. I leave this on by default, # but if you want to make sure you have a current options file, define this to 0. COMPAT_CONFIG=1 BASEDIR=/etc/firewall-sosdg PATH=/usr/sbin:/usr/bin:/sbin:/bin #BASEDIR=`pwd` TWEAKS=$BASEDIR/tweaks if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then echo "Error: Missing either include/static or include/functions. These are critical to operation" echo "of this script. Please make sure they are readable and exist!" exit 1 fi . $BASEDIR/include/static if [ -r $BASEDIR/options ]; then . $BASEDIR/options else echo -e "${RED}Error: Can not load options file. Did you forget to rename options.default?" exit 1 fi . $BASEDIR/include/functions while [ $# -gt 0 ]; do case "$1" in -f|--flush) iptables_policy_reset ipv4 ACCEPT iptables_policy_reset ipv6 ACCEPT iptables_rules_flush ipv4 iptables_rules_flush ipv6 exit 0 ;; -h|--help) show_help exit 0 ;; --generate-cache) GEN_CACHE="force" ;; esac shift done if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option. Please make sure" display_c RED "it exists, or comment out the PORTFW line in options." exit 1 fi echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Firewall/SOSDG ${FW_VERSION} Brielle Bruns http://www.sosdg.org/freestuff/firewall This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" if [ "$UID" != "0" ]; then display_c RED "You must be root to run this script." exit 2 fi if [ ! -x "$IPTABLES" ]; then display_c RED "iptables command not found. Please make sure you have the iptables" display_c RED "installed (package or source) and you have the IPTABLES option properly" display_c RED "defined in the 'options' file." exit 3 fi if [ ! -x "$IP6TABLES" ] && [ $IPV6 == "1" ]; then display_c RED "ip6tables command not found. Please make sure you have the iptables" display_c RED "installed (package or source) and you have the IP6TABLES option properly" display_c RED "defined in the 'options' file." exit 3 fi if [[ "$EXTIF" == "auto" ]]; then EXTIF=`$EXTIF_FIND` display_c YELLOW "Found default interface at: ${BLUE}${EXTIF}${DEFAULT_COLOR}" fi if [[ "$EXTIP" == "auto" ]]; then EXTIP=`$EXTIP_FIND ${EXTIF}` display_c YELLOW "Found default interface IP at: ${BLUE}${EXTIP}${DEFAULT_COLOR}" fi iptables_rules_flush ipv4 if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then display_c YELLOW "Loading custom flush rules..." . "$BASEDIR/include/ipv4_custom_flush" fi if [ -x "$PRERUN" ]; then $PRERUN fi if [ "$MODULES_LOAD" ]; then display_c YELLOW "Loading modules: " N for i in $MODULES_LOAD; do display_c BLUE "$i " N ${MODPROBE} $i done echo -ne "\n" fi if [ "$STATE_TYPE" ]; then case $STATE_TYPE in conntrack|CONNTRACK|*) M_STATE="-m conntrack" C_STATE="--ctstate" ;; state|STATE) M_STATE="-m state" C_STATE="--state" esac else M_STATE="-m conntrack" C_STATE="--ctstate" fi if [ "$GEN_CACHE" ]; then case $GEN_CACHE in force) IPTABLES="write_out_rules" if [ "$IPV6" ]; then IP6TABLES="write_out_rules_v6" rm -f "${RULE_CACHE_V6}" &>/dev/null fi rm -f "${RULE_CACHE}" &>/dev/null ;; esac fi $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then display_c YELLOW "Loading custom trust rules..." . "$BASEDIR/include/ipv4_custom_trust" fi if [ "$TRUSTEDIP" ]; then display_c YELLOW "Adding trusted IP: " N for i in $TRUSTEDIP; do echo -n "$i " $IPTABLES -A INPUT -s $i -j ACCEPT $IPTABLES -A OUTPUT -d $i -j ACCEPT done echo -ne "\n" fi if [ "$CLAMPMSS" ]; then display_c YELLOW "Clamping MSS to PMTU..." for i in $CLAMPMSS; do $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536 $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536 done echo -en "\n" fi if [ "$DNS_REQUESTS_OUT" ]; then display_c YELLOW "Adding DNS reply allows for trusted DNS servers.." for i in $DNS_REQUESTS_OUT; do if [[ "$i" =~ "|" ]]; then IFS_OLD=${IFS};IFS=\| DNSREQ=($i) IFS=${IFS_OLD} SRCIF=${DNSREQ[0]} DNSIP_NUM=${#DNSREQ[@]} DNSIP_COUNT_CURR=1 for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do if [ ${DNSREQ[$i]} ]; then ${IPTABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT fi done else ${IPTABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT fi done fi if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then display_c YELLOW "Loading custom ip block rules..." . "$BASEDIR/include/ipv4_custom_blockip" fi if [ "$BLOCKEDIP" ]; then display_c YELLOW "Adding blocked IPs... " for i in `grep -v "\#" $BLOCKEDIP`; do #echo -n "$i " if [[ "$i" =~ "|" ]]; then IFS_OLD=${IFS};IFS=\| ADVBLKIP=($i) IFS=${IFS_OLD} SRCIF=${ADVBLKIP[0]} SRCIP=${ADVBLKIP[1]} SRCPORT=${ADVBLKIP[2]} DSTIF=${ADVBLKIP[3]} DSTIP=${ADVBLKIP[4]} DSTPORT=${ADVBLKIP[5]} DIRECTION=${ADVBLKIP[6]} PROTO=${ADVBLKIP[7]} if [ "$SRCIF" ]; then SRCIF="-i ${SRCIF} " fi if [ "$SRCIP" ]; then SRCIP="-s ${SRCIP} " fi if [ "$SRCPORT" ]; then SRCPORT="--sport ${SRCPORT/-/:} " fi if [ "$DSTIF" ]; then DSTIF="-o ${DSTIF} " fi if [ "$DSTIP" ]; then DSTIP="-d ${DSTIP} " fi if [ "$DSTPORT" ]; then DSTPORT="--dport ${DSTPORT/-/:} " fi if [ "$PROTO" ]; then case $PROTO in TCP|tcp) PROTO="-p tcp";; UDP|udp) PROTO="-p udp";; *) PROTO="-p ${PROTO}";; esac fi case $DIRECTION in IN) DIRECTION="INPUT" ;; OUT) DIRECTION="OUTPUT" ;; FWD) DIRECTION="FORWARD" ;; *) DIRECTION="INPUT" ;; esac ${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP else $IPTABLES -A INPUT -s $i -j DROP $IPTABLES -A OUTPUT -d $i -j DROP fi done fi if [ "$BLOCK_OUTGOING_RFC1918" ]; then display_c YELLOW "Blocking RFC1918 space going out on: " N for i in $BLOCK_OUTGOING_RFC1918; do display_c BLUE "$i " N for x in $RFC1918_SPACE; do $IPTABLES -A INPUT -i $i -s $x -j DROP $IPTABLES -A FORWARD -i $i -s $x -j DROP done done echo -ne "\n" unset i x fi if [ "$BLOCK_INCOMING_RFC1918" ]; then display_c YELLOW "Blocking RFC1918 space coming in on: " N for i in $BLOCK_INCOMING_RFC1918; do display_c BLUE "$i " N for x in $RFC1918_SPACE; do $IPTABLES -A INPUT -i $i -s $x -j DROP $IPTABLES -A FORWARD -i $i -s $x -j DROP done done echo -ne "\n" unset i x fi if [ "$STRIPECN" ]; then display_c YELLOW "Stripping ECN off of TCP packets to " N for i in $STRIPECN; do echo -en "$i " $IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \ --ecn-tcp-remove done echo -ne "\n" fi if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then display_c YELLOW "Loading custom MSS Clamp rules..." . "$BASEDIR/include/ipv4_custom_mssclamp" fi if [ "$HACK_IPV4" ]; then apply_ipv4_hack $HACK_IPV4 fi if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then display_c YELLOW "Loading custom conntrack rules..." . "$BASEDIR/include/ipv4_custom_conntrack" fi if [ "$CONNTRACK" ]; then $IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP fi if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then display_c YELLOW "Loading custom blocked outbound port rules..." . "$BASEDIR/include/ipv4_custom_blockoutports" fi if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then display_c YELLOW "Blocking outbound port: " N if [ "$BLOCKTCPPORTS" ]; then for i in $BLOCKTCPPORTS; do echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i " $IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP done fi if [ "$BLOCKUDPPORTS" ]; then for i in $BLOCKUDPPORTS; do echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " $IPTABLES -A OUTPUT -p udp --dport $i -j DROP done fi reset_color fi if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then display_c YELLOW "Loading custom allowed port rules..." . "$BASEDIR/include/ipv4_custom_allowedports" fi if [ "$IPTABLES_MULTIPORT" ]; then case $IPTABLES_MULTIPORT in auto|AUTO|Auto) if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then display_c YELLOW "Multiport successfully loaded." IPTABLES_MULTIPORT="yes" else display_c RED "Multiport was not loaded successfully. Disabling." IPTABLES_MULTIPORT="no" fi ;; yes|YES|Yes) ${MODPROBE} ${NF_MULTIPORT} display_c PURPLE "Multiport loading forced, not error checking." IPTABLES_MULTIPORT="yes" ;; *) IPTABLES_MULTIPORT="no" esac fi if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then display_c YELLOW "Adding allowed port: " N if [ "$TCPPORTS" ]; then if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then TCPPORTS=($TCPPORTS) PORTS_COUNT=${#TCPPORTS[@]} PORTS_COUNT_CURR=0 while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do if [ ${TCPPORTS[$i]} ]; then PORTS="${PORTS},${TCPPORTS[$i]}" fi done echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} " $IPTABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT unset PORTS PORTS_COUNT_CURR=$i done unset i PORTS PORTS_COUNT_CURR PORTS_COUNT else for i in $TCPPORTS; do echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i " $IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT done fi fi if [ "$UDPPORTS" ]; then for i in $UDPPORTS; do echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " #$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT $IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT $IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT $IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT done fi reset_color fi if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then display_c YELLOW "Loading custom protocol rules..." . "$BASEDIR/include/ipv4_custom_proto" fi if [ "$ALLOWEDPROTO" ]; then display_c YELLOW "Adding allowed protocols: " N for i in $ALLOWEDPROTO; do echo -n "$i " $IPTABLES -A INPUT -p $i -j ACCEPT $IPTABLES -A OUTPUT -p $i -j ACCEPT done reset_color fi if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then display_c YELLOW "Loading custom NOTRACK rules..." . "$BASEDIR/include/ipv4_custom_notrack" fi if [ $CONNTRACK ]; then for i in $DONTTRACK; do $IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK $IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK $IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK $IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK done fi if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then display_c YELLOW "Loading custom routing rules..." . "$BASEDIR/include/ipv4_custom_routing" fi if [ $ROUTING ]; then display_c YELLOW "Adding route: " for i in `grep -v "\#" $ROUTING`; do ROUTE=( ${i//:/ } ) FWINT1=${ROUTE[0]} FWINT2=${ROUTE[2]} FWIP1=${ROUTE[1]} FWIP2=${ROUTE[3]} if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding fi if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding fi $IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \ -s $FWIP1 -d $FWIP2 -j ACCEPT if [ ${ROUTE[4]} == "1" ]; then display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2" $IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \ -d $FWIP1 -s $FWIP2 -j ACCEPT else display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2" fi done echo -ne "\n" fi if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then display_c YELLOW "Loading custom port forwarding rules..." . "$BASEDIR/include/ipv4_custom_portforward" fi if [ "$PORTFW" ] && [ "$NAT" ]; then display_c YELLOW "Adding port forward for:" for i in `grep -v "\#" $PORTFW`; do IFS_OLD=${IFS};IFS=\: PORTFWADD=($i) IFS=${IFS_OLD} DSTIF=${PORTFWADD[0]} SRCIP=${PORTFWADD[1]} DSTIP=${PORTFWADD[2]} DSTPORT=${PORTFWADD[3]} DSTPROTO=${PORTFWADD[4]} DSTINTIP=${PORTFWADD[5]} DSTINTPORT=${PORTFWADD[6]} if [ "$DSTIF" ]; then DSTIF="-i ${DSTIF}" fi if [ "$SRCIP" ]; then SRCIP="-s ${SRCIP}" fi if [ "$DSTIP" ]; then DSTIP="-d $DSTIP" elif [ ! "$DSTIP" ] && [ ! "$DSTIF" ]; then DSTIP="-d $EXTIP" fi #PORTADD=( ${i//:/ } ) $IPTABLES -A PREROUTING -t nat ${DSTIF} -p ${DSTPROTO} ${SRCIP} \ --dport ${DSTPORT} -d ${DSTIP} -j DNAT --to \ ${DSTINTIP}:${DSTINTPORT} $IPTABLES -A INPUT -p ${DSTPROTO} ${M_STATE} ${C_STATE} NEW ${DSTIF} ${SRCIP} \ --dport ${DSTPORT} ${DSTIP} -j ACCEPT display_c DEFAULT "\t${GREEN}${PORTFWADD[0]}:${BLUE}${PORTFWADD[1]}:${PURPLE}${PORTFWADD[2]}:${PORTFWADD[3]}:${PORTFWADD[4]}${AQUA}->${BLUE}${PORTFWADD[5]}:${PORTFWADD[6]} " done reset_color fi if [ "$LANDHCPSERVER" ]; then for i in $LANDHCPSERVER; do $IPTABLES -A INPUT -i $i -s 0.0.0.0 -j ACCEPT $IPTABLES -A INPUT -i $i -p udp --dport 67:68 -j ACCEPT $IPTABLES -A INPUT -i $i -p tcp --dport 67:68 -j ACCEPT $IPTABLES -A OUTPUT -o $i -p udp --dport 67:68 -j ACCEPT $IPTABLES -A OUTPUT -o $i -p tcp --dport 67:68 -j ACCEPT $IPTABLES -A INPUT -i $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT $IPTABLES -A INPUT -i $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT $IPTABLES -A OUTPUT -o $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT $IPTABLES -A OUTPUT -o $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT done fi if [ -s "$BASEDIR/include/ipv4_custom_mark" ]; then display_c YELLOW "Loading custom mark rules..." . "$BASEDIR/include/ipv4_custom_mark" fi if [ -r "$IPv4_MARK" ]; then display_c YELLOW "Adding mark: " for i in `grep -v "\#" $IPv4_MARK`; do MARK=( ${i//|/ } ) INIF=${MARK[0]} INIP=${MARK[1]} DSTIP=${MARK[2]} IPMARK=${MARK[3]} case $INIP in !*) INNEG="!" INIP=${INIP#\!};; esac case $DSTIP in !*) DSTNEG="!" DSTIP=${DSTIP#\!};; esac $IPTABLES -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \ ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK} display_c DEFAULT "\t${GREEN}${INNEG}${INIF}:${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP}:${RED}${IPMARK}" unset INNEG DSTNEG done echo -ne "\n" fi if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then display_c YELLOW "Loading custom nat rules..." . "$BASEDIR/include/ipv4_custom_nat" fi if [ $NAT ]; then if [ "$NAT_RANGE" ]; then display_c YELLOW "Adding NAT rule:" unset INIF_EXISTS FWDIF_EXISTS for i in $NAT_RANGE; do NAT_RULE=( ${i//:/ } ) case ${NAT_RULE[0]} in SNAT) $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \ -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}" if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" fi # This code seems pointless, anyone else have an opinion? #if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}:${NAT_RULE[4]}" ]]; then # $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT # $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT # OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}:${NAT_RULE[4]}" #fi if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" fi ;; MASQ) $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]} display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}" if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" fi if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" fi ;; NETMAP) $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]} display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}" if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \ -s ${NAT_RULE[2]} -j ACCEPT INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" fi if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ -o ${NAT_RULE[3]} -j ACCEPT FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" fi ;; *) display_c RED "Invalid NAT rule in NAT_RANGE" ;; esac done reset_color fi fi $IPTABLES --policy INPUT ACCEPT $IPTABLES --policy OUTPUT ACCEPT $IPTABLES --policy FORWARD DROP if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then display_c YELLOW "Loading custom incoming blocked rules..." . "$BASEDIR/include/ipv4_custom_blockincoming" fi if [ $BLOCKINCOMING ]; then $IPTABLES -A INPUT -p tcp --syn -j DROP $IPTABLES -A INPUT -p udp -j DROP fi #================[IPv6]================ if [ $IPV6 ]; then iptables_rules_flush ipv6 if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then display_c YELLOW "Loading custom IPv6 flush rules..." . "$BASEDIR/include/ipv6_custom_flush" fi display_c YELLOW "Adding trusted IPv6: " N $IP6TABLES -A INPUT -i lo -j ACCEPT $IP6TABLES -A OUTPUT -o lo -j ACCEPT if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then display_c YELLOW "Loading custom IPv6 trust rules..." . "$BASEDIR/include/ipv6_custom_trust" fi if [ "$IPV6_TRUSTED" ]; then for i in $IPV6_TRUSTED; do echo -n "$i " $IP6TABLES -A INPUT -s $i -j ACCEPT $IP6TABLES -A OUTPUT -d $i -j ACCEPT done fi reset_color if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then display_c YELLOW "Loading custom ip block rules..." . "$BASEDIR/include/ipv6_custom_blockip" fi if [ "$IPV6_DNS_REQUESTS_OUT" ]; then display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.." for i in $DNS_REQUESTS_OUT; do if [[ "$i" =~ "|" ]]; then IFS_OLD=${IFS};IFS=\| DNSREQ=($i) IFS=${IFS_OLD} SRCIF=${DNSREQ[0]} DNSIP_NUM=${#DNSREQ[@]} DNSIP_COUNT_CURR=1 for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do if [ ${DNSREQ[$i]} ]; then ${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT fi done else ${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT fi done fi if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then display_c YELLOW "Loading custom IPv6 blocked outbound port rules..." . "$BASEDIR/include/ipv6_custom_blockoutports" fi if [ "$IPV6_BLOCKEDIP" ]; then display_c YELLOW "Adding blocked IPv6 addresses... " for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do if [[ "$i" =~ "|" ]]; then IFS_OLD=${IFS};IFS=\| ADVBLKIP=($i) IFS=${IFS_OLD} SRCIF=${ADVBLKIP[0]} SRCIP=${ADVBLKIP[1]} SRCPORT=${ADVBLKIP[2]} DSTIF=${ADVBLKIP[3]} DSTIP=${ADVBLKIP[4]} DSTPORT=${ADVBLKIP[5]} DIRECTION=${ADVBLKIP[6]} PROTO=${ADVBLKIP[7]} if [ "$SRCIF" ]; then SRCIF="-i ${SRCIF} " fi if [ "$SRCIP" ]; then SRCIP="-s ${SRCIP} " fi if [ "$SRCPORT" ]; then SRCPORT="--sport ${SRCPORT/-/:} " fi if [ "$DSTIF" ]; then DSTIF="-o ${DSTIF} " fi if [ "$DSTIP" ]; then DSTIP="-d ${DSTIP} " fi if [ "$DSTPORT" ]; then DSTPORT="--dport ${DSTPORT/-/:} " fi if [ "$PROTO" ]; then case $PROTO in TCP|tcp) PROTO="-p tcp";; UDP|udp) PROTO="-p udp";; *) PROTO="-p ${PROTO}";; esac fi case $DIRECTION in IN) DIRECTION="INPUT" ;; OUT) DIRECTION="OUTPUT" ;; FWD) DIRECTION="FORWARD" ;; *) DIRECTION="INPUT" ;; esac ${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP else $IP6TABLES -A INPUT -s $i -j DROP $IP6TABLES -A OUTPUT -d $i -j DROP fi done fi if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then display_c YELLOW "Loading custom IPv6 MSS Clamp rules..." . "$BASEDIR/include/ipv6_custom_mssclamp" fi if [ "$IPV6_CLAMPMSS" ]; then display_c YELLOW "Clamping IPV6 MSS to PMTU..." for i in $IPV6_CLAMPMSS; do $IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \ --mss 1280:1536 $IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \ --mss 1280:1536 # This is necessary to make sure that PMTU works $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \ -o $i -j ACCEPT $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \ -i $i -j ACCEPT $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \ -o $i -j ACCEPT $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \ -i $i -j ACCEPT done fi if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then display_c YELLOW "Loading custom IPv6 allowed port rules..." . "$BASEDIR/include/ipv6_custom_allowedports" fi if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then display_c YELLOW "Adding allowed IPv6 port: " N if [ "$IPV6_TCPPORTS" ]; then if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then IPV6_TCPPORTS=($IPV6_TCPPORTS) PORTS_COUNT=${#IPV6_TCPPORTS[@]} PORTS_COUNT_CURR=0 while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do if [ ${IPV6_TCPPORTS[$i]} ]; then PORTS="${PORTS},${IPV6_TCPPORTS[$i]}" fi done echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} " $IP6TABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT unset PORTS PORTS_COUNT_CURR=$i done unset i PORTS PORTS_COUNT_CURR PORTS_COUNT else for i in $IPV6_TCPPORTS; do echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i " $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT done fi fi if [ "$IPV6_UDPPORTS" ]; then for i in $IPV6_UDPPORTS; do echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " $IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT $IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT $IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT done fi reset_color fi fi if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then display_c YELLOW "Loading custom IPv6 mark rules..." . "$BASEDIR/include/ipv6_custom_mark" fi if [ -r "$IPV6_MARK" ]; then display_c YELLOW "Adding IPv6 mark: " for i in `grep -v "\#" $IPV6_MARK`; do MARK=( ${i//|/ } ) INIF=${MARK[0]} INIP=${MARK[1]} DSTIP=${MARK[2]} IPMARK=${MARK[3]} case $INIP in !*) INNEG="!" INIP=${INIP#\!};; esac case $DSTIP in !*) DSTNEG="!" DSTIP=${DSTIP#\!};; esac ${IP6TABLES} -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \ ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK} display_c DEFAULT "\t${GREEN}${INNEG}${INIF};${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP};${RED}${IPMARK}" unset INNEG DSTNEG done echo -ne "\n" fi if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then display_c YELLOW "Loading custom IPv6 conntrack rules..." . "$BASEDIR/include/ipv6_custom_conntrack" fi if [ "$IPV6_CONNTRACK" ]; then $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP fi if [ $IPV6_ROUTEDCLIENTBLOCK ]; then $IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP $IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP fi if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then display_c YELLOW "Loading custom IPv6 routing rules..." . "$BASEDIR/include/ipv6_custom_routing" fi if [ "$IPV6_FORWARDRANGE" ]; then for i in $IPV6_FORWARDRANGE; do $IP6TABLES -A FORWARD -s $i -j ACCEPT $IP6TABLES -A FORWARD -d $i -j ACCEPT done fi if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then display_c YELLOW "Loading custom IPv6 incoming blocked port rules..." . "$BASEDIR/include/ipv6_custom_blockincoming" fi if [ $IPV6_BLOCKINCOMING ]; then $IP6TABLES -A INPUT -p tcp --syn -j DROP $IP6TABLES -A INPUT -p udp -j DROP fi if [ $TWEAKS ]; then for i in `grep -v "\#" $TWEAKS`; do PROCOPT=( ${i//=/ } ) echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]} &>/dev/null done fi if [ -x $POSTRUN ]; then $POSTRUN fi