Firewall-SOSDG/include/functions

164 lines
5.0 KiB
Bash

#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2010 Brielle Bruns
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# display_c $COLOR $TEXT BOOL(YN)
# $COLOR being bash colors
# $TEXT being what to output (make sure to put " " around text)
# BOOL being (Y or N) to do newline at end or not
function display_c {
unset COLOR_CODE TEXT NEWLINE
DEFAULT_COLOR="\E[39m"
COLOR_CODE=`pick_color $1`
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
}
# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
# Non-color version of display_c
function display_m {
unset TEXT NEWLINE
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e $NEWLINE "$TEXT"
}
# pick_color $COLOR
# returns appropriate color codes for use in display_c and such
function pick_color {
case $1 in
BLUE) COLOR="\E[34m" ;;
GREEN) COLOR="\E[32m" ;;
RED) COLOR="\E[31m" ;;
YELLOW) COLOR="\E[33m" ;;
PURPLE) COLOR="\E[35m" ;;
AQUA) COLOR="\E[36m" ;;
WHITE) COLOR="\E[1m" ;;
GREY) COLOR="\E[37m" ;;
*) COLOR="\E[37m" ;;
esac
echo "$COLOR"
}
# reset_color
function reset_color {
unset NEWLINE
DEFAULT_COLOR="\E[39m"
if [ "$1" == "N" ]; then
NEWLINE="-n"
fi
echo $NEWLINE -e "$DEFAULT_COLOR"
}
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
function iptables_rules_flush {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=$IP6TABLES ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=$IPTABLES ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
display_c RED "Flushing ${IP_VERSION} rules..."
$VER_IPTABLES --flush &>/dev/null
$VER_IPTABLES -F OUTPUT &>/dev/null
$VER_IPTABLES -F PREROUTING &>/dev/null
$VER_IPTABLES -F POSTROUTING &>/dev/null
for i in `cat $TABLE_NAMES`; do
$VER_IPTABLES -F -t $i &>/dev/null
done
#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
# $VER_IPTABLES -F -t nat &>/dev/null
#fi
#$VER_IPTABLES -F -t raw &>/dev/null
}
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
function iptables_policy_reset {
IP_VERSION=$1
SET_POLICY=${2=ACCEPT}
case $IP_VERSION in
ipv6) VER_IPTABLES=$IP6TABLES ;;
ipv4|*) VER_IPTABLES=$IPTABLES ;;
esac
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
$VER_IPTABLES --policy INPUT $SET_POLICY
$VER_IPTABLES --policy OUTPUT $SET_POLICY
$VER_IPTABLES --policy FORWARD $SET_POLICY
}
# show_help
# Show command line options help
function show_help {
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
echo -e "\t--help\t\tShows this info"
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
}
# apply_ipv4_hack $HACKS
function apply_ipv4_hack {
display_c YELLOW "Applying IPv4 hack/fix:" N
while [ $# -gt 0 ]; do
case "$1" in
NS-IN-DDOS)
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
display_c PURPLE " ./NS/IN-DDOS-FIX"
if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then
$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
else
display_c RED "\nError: could not load $MOD_U32 module into the kernel. Not using fix."
fi
;;
MULTI-NIC-ARP-LOCK)
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
# do not actually have the IP in question. In some (alot in my case),
# I have things going through specific wires for a reason. This fixes
# that and makes it behave as expected.
display_c PURPLE " MULTI-NIC-ARP-LOCK"
for i in default all; do
if [ -w ${PROC_NET_IPV4}/$i/arp_ignore ]; then
echo "1" > ${PROC_NET_IPV4}/$i/arp_ignore
else
display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_ignore"
fi
if [ -w ${PROC_NET_IPV4}/$i/arp_announce ]; then
echo "2" > ${PROC_NET_IPV4}/$i/arp_announce
else
display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_announce"
fi
done
;;
esac
shift
done
}