You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

1144 lines
35 KiB

  1. #/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2011 Brielle Bruns
  7. # Copyright (C) 2009 - 2011 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. FW_VERSION="1.1"
  21. # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
  22. # that would otherwise require remaking their options file. I leave this on by default,
  23. # but if you want to make sure you have a current options file, define this to 0.
  24. COMPAT_CONFIG=1
  25. BASEDIR=/etc/firewall-sosdg
  26. PATH=/usr/sbin:/usr/bin:/sbin:/bin
  27. #BASEDIR=`pwd`
  28. # We require at least bash v3 or later at this point given some of the more complex
  29. # operations we do to make the firewall script work.
  30. if (( ${BASH_VERSINFO[0]} <= "2" )); then
  31. echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
  32. echo "of bash to something more recent, preferably the latest which is, as of this"
  33. echo "writing, 4.x"
  34. exit 1
  35. fi
  36. TWEAKS=$BASEDIR/tweaks
  37. if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
  38. echo "Error: Missing either include/static or include/functions. These are critical to operation"
  39. echo "of this script. Please make sure they are readable and exist!"
  40. exit 1
  41. fi
  42. if [ -r $BASEDIR/include/static ]; then
  43. . $BASEDIR/include/static
  44. else
  45. echo -e "${RED}Error: Can not load static variables file. There is no way to make this tool work without it."
  46. exit 1
  47. fi
  48. if [ -r $BASEDIR/options ]; then
  49. . $BASEDIR/options
  50. else
  51. echo -e "${RED}Error: Can not load options file. Did you forget to rename options.default?"
  52. exit 1
  53. fi
  54. if [ -r $BASEDIR/include/functions ]; then
  55. . $BASEDIR/include/functions
  56. else
  57. echo -e "${RED}Error: Can not load functions library file. There is no way to make this tool work without it."
  58. exit 1
  59. fi
  60. while [ $# -gt 0 ]; do
  61. case "$1" in
  62. -f|--flush)
  63. iptables_policy_reset ipv4 ACCEPT
  64. iptables_policy_reset ipv6 ACCEPT
  65. iptables_rules_flush ipv4
  66. iptables_rules_flush ipv6
  67. exit 0
  68. ;;
  69. -h|--help)
  70. show_help
  71. exit 0
  72. ;;
  73. --generate-cache)
  74. GEN_CACHE="force"
  75. ;;
  76. esac
  77. shift
  78. done
  79. if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then
  80. display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option. Please make sure"
  81. display_c RED "it exists, or comment out the PORTFW line in options."
  82. exit 1
  83. fi
  84. echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  85. Firewall/SOSDG ${FW_VERSION}
  86. Brielle Bruns <bruns@2mbit.com>
  87. http://www.sosdg.org/freestuff/firewall
  88. This program comes with ABSOLUTELY NO WARRANTY.
  89. This is free software, and you are welcome to
  90. redistribute it under certain conditions.
  91. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
  92. if [ "$UID" != "0" ]; then
  93. display_c RED "You must be root to run this script."
  94. exit 2
  95. fi
  96. if [ ! -x "${IPTABLES}" ]; then
  97. display_c RED "iptables command not found. Please make sure you have the iptables"
  98. display_c RED "installed (package or source) and you have the IPTABLES option properly"
  99. display_c RED "defined in the 'options' file."
  100. exit 3
  101. fi
  102. if [ ! -x "${IP6TABLES}" ] && [ $IPV6 == "1" ]; then
  103. display_c RED "ip6tables command not found. Please make sure you have the iptables"
  104. display_c RED "installed (package or source) and you have the IP6TABLES option properly"
  105. display_c RED "defined in the 'options' file."
  106. exit 3
  107. fi
  108. if [[ "${EXTIF}" == "auto" ]]; then
  109. EXTIF=`$EXTIF_FIND`
  110. display_c YELLOW "Found default interface at: ${BLUE}${EXTIF}${DEFAULT_COLOR}"
  111. fi
  112. if [[ "${EXTIP}" == "auto" ]]; then
  113. EXTIP=`$EXTIP_FIND ${EXTIF}`
  114. display_c YELLOW "Found default interface IP at: ${BLUE}${EXTIP}${DEFAULT_COLOR}"
  115. fi
  116. iptables_rules_flush ipv4
  117. if [ -s "${BASEDIR}/include/ipv4_custom_flush" ]; then
  118. display_c YELLOW "Loading custom flush rules..."
  119. . "${BASEDIR}/include/ipv4_custom_flush"
  120. fi
  121. if [ -x "${PRERUN}" ]; then
  122. ${PRERUN}
  123. fi
  124. if [ "$MODULES_LOAD" ]; then
  125. display_c YELLOW "Loading modules: " N
  126. for i in $MODULES_LOAD; do
  127. display_c BLUE "$i " N
  128. ${MODPROBE} $i
  129. done
  130. echo -ne "\n"
  131. fi
  132. if [ "$STATE_TYPE" ]; then
  133. case $STATE_TYPE in
  134. conntrack|CONNTRACK|*)
  135. M_STATE="-m conntrack"
  136. C_STATE="--ctstate"
  137. ;;
  138. state|STATE)
  139. M_STATE="-m state"
  140. C_STATE="--state"
  141. esac
  142. else
  143. M_STATE="-m conntrack"
  144. C_STATE="--ctstate"
  145. fi
  146. # This function currently isn't implemented entirely or properly. It's mostly
  147. # used for debugging purposes, and to see what iptables rules will be generated
  148. # before running.
  149. if [ "$GEN_CACHE" ]; then
  150. case $GEN_CACHE in
  151. force)
  152. IPTABLES="write_out_rules"
  153. if [ "$IPV6" ]; then
  154. IP6TABLES="write_out_rules_v6"
  155. rm -f "${RULE_CACHE_V6}" &>/dev/null
  156. fi
  157. rm -f "${RULE_CACHE}" &>/dev/null
  158. ;;
  159. esac
  160. fi
  161. if [ "$IPTABLES_MULTIPORT" ]; then
  162. case $IPTABLES_MULTIPORT in
  163. auto|AUTO|Auto)
  164. if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then
  165. display_c YELLOW "Multiport successfully loaded."
  166. IPTABLES_MULTIPORT="yes"
  167. else
  168. display_c RED "Multiport was not loaded successfully. Disabling."
  169. IPTABLES_MULTIPORT="no"
  170. fi ;;
  171. yes|YES|Yes)
  172. ${MODPROBE} ${NF_MULTIPORT}
  173. display_c PURPLE "Multiport loading forced, not error checking."
  174. IPTABLES_MULTIPORT="yes" ;;
  175. *) IPTABLES_MULTIPORT="no"
  176. esac
  177. fi
  178. # Trying to better clean up some of my code, so lets try using a blackhole target
  179. $IPTABLES -N BLACKHOLE-IN
  180. $IPTABLES -N BLACKHOLE-OUT
  181. $IPTABLES -A INPUT -i lo -j ACCEPT
  182. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  183. if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
  184. display_c YELLOW "Loading custom trust rules..."
  185. . "$BASEDIR/include/ipv4_custom_trust"
  186. fi
  187. if [ "$TRUSTEDIP" ]; then
  188. display_c YELLOW "Adding trusted IP: " N
  189. for i in $TRUSTEDIP; do
  190. echo -n "$i "
  191. $IPTABLES -A INPUT -s $i -j ACCEPT
  192. $IPTABLES -A OUTPUT -d $i -j ACCEPT
  193. done
  194. echo -ne "\n"
  195. fi
  196. if [ "$CLAMPMSS" ]; then
  197. display_c YELLOW "Clamping MSS to PMTU..."
  198. for i in $CLAMPMSS; do
  199. $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
  200. --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
  201. $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
  202. --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
  203. done
  204. echo -en "\n"
  205. fi
  206. if [ "$DNS_REQUESTS_OUT" ]; then
  207. display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
  208. for i in $DNS_REQUESTS_OUT; do
  209. if [[ "$i" =~ "|" ]]; then
  210. IFS_OLD=${IFS};IFS=\|
  211. DNSREQ=($i)
  212. IFS=${IFS_OLD}
  213. SRCIF=${DNSREQ[0]}
  214. DNSIP_NUM=${#DNSREQ[@]}
  215. DNSIP_COUNT_CURR=1
  216. for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
  217. if [ ${DNSREQ[$i]} ]; then
  218. ${IPTABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
  219. fi
  220. done
  221. else
  222. ${IPTABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
  223. fi
  224. done
  225. fi
  226. if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
  227. display_c YELLOW "Loading custom allowed port rules..."
  228. . "$BASEDIR/include/ipv4_custom_allowedports"
  229. fi
  230. if [ "$IPV4_ALLOWED" ]; then
  231. display_c YELLOW "Adding allowed IPs and ports... "
  232. for i in `grep -v "\#" $IPV4_ALLOWED`; do
  233. if [[ "$i" =~ "|" ]]; then
  234. IFS_OLD=${IFS};IFS=\|
  235. ADVALLOWIP=($i)
  236. IFS=${IFS_OLD}
  237. SRCIF=${ADVALLOWIP[0]}
  238. SRCIP=${ADVALLOWIP[1]}
  239. SRCPORT=${ADVALLOWIP[2]}
  240. DSTIF=${ADVALLOWIP[3]}
  241. DSTIP=${ADVALLOWIP[4]}
  242. DSTPORT=${ADVALLOWIP[5]}
  243. DIRECTION=${ADVALLOWIP[6]}
  244. PROTO=${ADVALLOWIP[7]}
  245. if [ "$SRCIF" ]; then
  246. SRCIF="-i ${SRCIF} "
  247. fi
  248. if [ "$SRCIP" ]; then
  249. SRCIP="-s ${SRCIP} "
  250. fi
  251. if [ "$SRCPORT" ]; then
  252. SRCPORT="--sport ${SRCPORT/-/:} "
  253. fi
  254. if [ "$DSTIF" ]; then
  255. DSTIF="-o ${DSTIF} "
  256. fi
  257. if [ "$DSTIP" ]; then
  258. DSTIP="-d ${DSTIP} "
  259. fi
  260. if [ "$DSTPORT" ]; then
  261. DSTPORT="--dport ${DSTPORT/-/:} "
  262. fi
  263. if [ "$PROTO" ]; then
  264. case $PROTO in
  265. TCP|tcp) PROTO="-p tcp";;
  266. UDP|udp) PROTO="-p udp";;
  267. *) PROTO="-p ${PROTO}";;
  268. esac
  269. fi
  270. case $DIRECTION in
  271. IN) DIRECTION="INPUT" ;;
  272. OUT) DIRECTION="OUTPUT" ;;
  273. FWD) DIRECTION="FORWARD" ;;
  274. *) DIRECTION="INPUT" ;;
  275. esac
  276. ${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
  277. fi
  278. done
  279. fi
  280. if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
  281. display_c YELLOW "Loading custom ip block rules..."
  282. . "$BASEDIR/include/ipv4_custom_blockip"
  283. fi
  284. if [ "$BLOCKEDIP" ]; then
  285. display_c YELLOW "Adding blocked IPs... "
  286. for i in `grep -v "\#" $BLOCKEDIP`; do
  287. #echo -n "$i "
  288. if [[ "$i" =~ "|" ]]; then
  289. IFS_OLD=${IFS};IFS=\|
  290. ADVBLKIP=($i)
  291. IFS=${IFS_OLD}
  292. SRCIF=${ADVBLKIP[0]}
  293. SRCIP=${ADVBLKIP[1]}
  294. SRCPORT=${ADVBLKIP[2]}
  295. DSTIF=${ADVBLKIP[3]}
  296. DSTIP=${ADVBLKIP[4]}
  297. DSTPORT=${ADVBLKIP[5]}
  298. DIRECTION=${ADVBLKIP[6]}
  299. PROTO=${ADVBLKIP[7]}
  300. if [ "$SRCIF" ]; then
  301. SRCIF="-i ${SRCIF} "
  302. fi
  303. if [ "$SRCIP" ]; then
  304. SRCIP="-s ${SRCIP} "
  305. fi
  306. if [ "$SRCPORT" ]; then
  307. SRCPORT="--sport ${SRCPORT/-/:} "
  308. fi
  309. if [ "$DSTIF" ]; then
  310. DSTIF="-o ${DSTIF} "
  311. fi
  312. if [ "$DSTIP" ]; then
  313. DSTIP="-d ${DSTIP} "
  314. fi
  315. if [ "$DSTPORT" ]; then
  316. DSTPORT="--dport ${DSTPORT/-/:} "
  317. fi
  318. if [ "$PROTO" ]; then
  319. case $PROTO in
  320. TCP|tcp) PROTO="-p tcp";;
  321. UDP|udp) PROTO="-p udp";;
  322. *) PROTO="-p ${PROTO}";;
  323. esac
  324. fi
  325. case $DIRECTION in
  326. IN) DIRECTION="INPUT" ;;
  327. OUT) DIRECTION="OUTPUT" ;;
  328. FWD) DIRECTION="FORWARD" ;;
  329. *) DIRECTION="INPUT" ;;
  330. esac
  331. ${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP
  332. else
  333. $IPTABLES -A INPUT -s $i -j DROP
  334. $IPTABLES -A OUTPUT -d $i -j DROP
  335. fi
  336. done
  337. fi
  338. if [ "$BLOCK_OUTGOING_RFC1918" ]; then
  339. display_c YELLOW "Blocking RFC1918 space going out on: " N
  340. for i in $BLOCK_OUTGOING_RFC1918; do
  341. display_c BLUE "$i " N
  342. for x in $RFC1918_SPACE; do
  343. $IPTABLES -A INPUT -i $i -s $x -j DROP
  344. $IPTABLES -A FORWARD -i $i -s $x -j DROP
  345. done
  346. done
  347. echo -ne "\n"
  348. unset i x
  349. fi
  350. if [ "$BLOCK_INCOMING_RFC1918" ]; then
  351. display_c YELLOW "Blocking RFC1918 space coming in on: " N
  352. for i in $BLOCK_INCOMING_RFC1918; do
  353. display_c BLUE "$i " N
  354. for x in $RFC1918_SPACE; do
  355. $IPTABLES -A INPUT -i $i -s $x -j DROP
  356. $IPTABLES -A FORWARD -i $i -s $x -j DROP
  357. done
  358. done
  359. echo -ne "\n"
  360. unset i x
  361. fi
  362. if [ "$STRIPECN" ]; then
  363. display_c YELLOW "Stripping ECN off of TCP packets to " N
  364. for i in $STRIPECN; do
  365. echo -en "$i "
  366. $IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
  367. --ecn-tcp-remove
  368. done
  369. echo -ne "\n"
  370. fi
  371. if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
  372. display_c YELLOW "Loading custom MSS Clamp rules..."
  373. . "$BASEDIR/include/ipv4_custom_mssclamp"
  374. fi
  375. if [ "$HACK_IPV4" ]; then
  376. apply_ipv4_hack $HACK_IPV4
  377. fi
  378. if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
  379. display_c YELLOW "Loading custom conntrack rules..."
  380. . "$BASEDIR/include/ipv4_custom_conntrack"
  381. fi
  382. if [ "$CONNTRACK" ]; then
  383. #$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
  384. $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
  385. # Now in the NAT rules
  386. #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
  387. #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
  388. $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -j ACCEPT
  389. #$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
  390. $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
  391. $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
  392. #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
  393. fi
  394. if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
  395. display_c YELLOW "Loading custom blocked outbound port rules..."
  396. . "$BASEDIR/include/ipv4_custom_blockoutports"
  397. fi
  398. if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
  399. display_c YELLOW "Blocking outbound port: " N
  400. if [ "$BLOCKTCPPORTS" ]; then
  401. for i in $BLOCKTCPPORTS; do
  402. echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
  403. $IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
  404. done
  405. fi
  406. if [ "$BLOCKUDPPORTS" ]; then
  407. for i in $BLOCKUDPPORTS; do
  408. echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
  409. $IPTABLES -A OUTPUT -p udp --dport $i -j DROP
  410. done
  411. fi
  412. reset_color
  413. fi
  414. if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
  415. display_c YELLOW "Adding allowed port: " N
  416. if [ "$TCPPORTS" ]; then
  417. if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
  418. TCPPORTS=($TCPPORTS)
  419. PORTS_COUNT=${#TCPPORTS[@]}
  420. PORTS_COUNT_CURR=0
  421. while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
  422. for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do
  423. if [ ${TCPPORTS[$i]} ]; then
  424. PORTS="${PORTS},${TCPPORTS[$i]}"
  425. fi
  426. done
  427. echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} "
  428. $IPTABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT
  429. unset PORTS
  430. PORTS_COUNT_CURR=$i
  431. done
  432. unset i PORTS PORTS_COUNT_CURR PORTS_COUNT
  433. else
  434. for i in $TCPPORTS; do
  435. echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
  436. $IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
  437. done
  438. fi
  439. fi
  440. if [ "$UDPPORTS" ]; then
  441. for i in $UDPPORTS; do
  442. echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
  443. #$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT
  444. $IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
  445. $IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
  446. $IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
  447. done
  448. fi
  449. reset_color
  450. fi
  451. if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
  452. display_c YELLOW "Loading custom protocol rules..."
  453. . "$BASEDIR/include/ipv4_custom_proto"
  454. fi
  455. if [ "$ALLOWEDPROTO" ]; then
  456. display_c YELLOW "Adding allowed protocols: " N
  457. for i in $ALLOWEDPROTO; do
  458. echo -n "$i "
  459. $IPTABLES -A INPUT -p $i -j ACCEPT
  460. $IPTABLES -A OUTPUT -p $i -j ACCEPT
  461. done
  462. reset_color
  463. fi
  464. if [ "$IPV4_INTERCEPT" ]; then
  465. display_c YELLOW "Adding packet interception rules: "
  466. for i in `grep -v "\#" $IPV4_INTERCEPT`; do
  467. IFS_OLD=${IFS};IFS=\|
  468. INTERCEPTADD=($i)
  469. IFS=${IFS_OLD}
  470. SRCIF=${INTERCEPTADD[0]}
  471. SRCIP=${INTERCEPTADD[1]}
  472. DSTIP=${INTERCEPTADD[2]}
  473. DSTPROTO=${INTERCEPTADD[3]}
  474. DSTPORT=${INTERCEPTADD[4]}
  475. PROXY=${INTERCEPTADD[5]}
  476. if [ "$SRCIF" ]; then
  477. SRCIF="-i ${SRCIF}"
  478. fi
  479. if [ "$SRCIP" ]; then
  480. SRCIP="-s ${SRCIP}"
  481. fi
  482. if [ "$DSTIP" ]; then
  483. DSTIP="-d $DSTIP"
  484. fi
  485. if [ "$PROXY" != "BYPASS" ]; then
  486. FINAL_RULE="-j DNAT --to-destination ${PROXY}"
  487. else
  488. FINAL_RULE="-j ACCEPT"
  489. fi
  490. $IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \
  491. ${FINAL_RULE}
  492. display_c DEFAULT "\t${GREEN}${INTERCEPTADD[0]}:${BLUE}${INTERCEPTADD[1]}:${PURPLE}${INTERCEPTADD[2]}->${INTERCEPTADD[3]}:${INTERCEPTADD[4]}${AQUA}:proxy->${BLUE}${INTERCEPTADD[5]} "
  493. done
  494. reset_color
  495. fi
  496. if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
  497. display_c YELLOW "Loading custom NOTRACK rules..."
  498. . "$BASEDIR/include/ipv4_custom_notrack"
  499. fi
  500. if [ $CONNTRACK ]; then
  501. for i in $DONTTRACK; do
  502. $IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
  503. $IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK
  504. $IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK
  505. $IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK
  506. done
  507. fi
  508. if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
  509. display_c YELLOW "Loading custom routing rules..."
  510. . "$BASEDIR/include/ipv4_custom_routing"
  511. fi
  512. if [ $ROUTING ]; then
  513. display_c YELLOW "Adding route: "
  514. for i in `grep -v "\#" $ROUTING`; do
  515. ROUTE=( ${i//:/ } )
  516. FWINT1=${ROUTE[0]}
  517. FWINT2=${ROUTE[2]}
  518. FWIP1=${ROUTE[1]}
  519. FWIP2=${ROUTE[3]}
  520. if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then
  521. echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding
  522. fi
  523. if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then
  524. echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding
  525. fi
  526. $IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \
  527. -s $FWIP1 -d $FWIP2 -j ACCEPT
  528. if [ ${ROUTE[4]} == "1" ]; then
  529. display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2"
  530. $IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \
  531. -d $FWIP1 -s $FWIP2 -j ACCEPT
  532. else
  533. display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2"
  534. fi
  535. done
  536. echo -ne "\n"
  537. fi
  538. if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
  539. display_c YELLOW "Loading custom port forwarding rules..."
  540. . "$BASEDIR/include/ipv4_custom_portforward"
  541. fi
  542. if [ "$PORTFW" ] && [ "$NAT" ]; then
  543. display_c YELLOW "Adding port forward for:"
  544. for i in `grep -v "\#" $PORTFW`; do
  545. IFS_OLD=${IFS};IFS=\:
  546. PORTFWADD=($i)
  547. IFS=${IFS_OLD}
  548. DSTIF=${PORTFWADD[0]}
  549. SRCIP=${PORTFWADD[1]}
  550. DSTIP=${PORTFWADD[2]}
  551. DSTPORT=${PORTFWADD[3]}
  552. DSTPROTO=${PORTFWADD[4]}
  553. DSTINTIP=${PORTFWADD[5]}
  554. DSTINTPORT=${PORTFWADD[6]}
  555. if [ "$DSTIF" ]; then
  556. DSTIF="-i ${DSTIF}"
  557. fi
  558. if [ "$SRCIP" ]; then
  559. SRCIP="-s ${SRCIP}"
  560. fi
  561. if [ "$DSTIP" ]; then
  562. DSTIP="-d $DSTIP"
  563. fi
  564. if [ ! "$DSTIP" ] && [ ! "$DSTIF" ]; then
  565. DSTIP="-d $EXTIP"
  566. fi
  567. #PORTADD=( ${i//:/ } )
  568. $IPTABLES -A PREROUTING -t nat ${DSTIF} -p ${DSTPROTO} ${SRCIP} \
  569. --dport ${DSTPORT} ${DSTIP} -j DNAT --to \
  570. ${DSTINTIP}:${DSTINTPORT}
  571. $IPTABLES -A INPUT -p ${DSTPROTO} ${M_STATE} ${C_STATE} NEW ${DSTIF} ${SRCIP} \
  572. --dport ${DSTPORT} ${DSTIP} -j ACCEPT
  573. display_c DEFAULT "\t${GREEN}${PORTFWADD[0]}:${BLUE}${PORTFWADD[1]}:${PURPLE}${PORTFWADD[2]}:${PORTFWADD[3]}:${PORTFWADD[4]}${AQUA}->${BLUE}${PORTFWADD[5]}:${PORTFWADD[6]} "
  574. done
  575. reset_color
  576. fi
  577. if [ "$LANDHCPSERVER" ]; then
  578. for i in $LANDHCPSERVER; do
  579. $IPTABLES -A INPUT -i $i -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  580. $IPTABLES -A OUTPUT -o $i -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  581. #$IPTABLES -A INPUT -i $i -s 0.0.0.0 -j ACCEPT
  582. #$IPTABLES -A INPUT -i $i -p udp --dport 67:68 -j ACCEPT
  583. #$IPTABLES -A INPUT -i $i -p tcp --dport 67:68 -j ACCEPT
  584. #$IPTABLES -A OUTPUT -o $i -p udp --dport 67:68 -j ACCEPT
  585. #$IPTABLES -A OUTPUT -o $i -p tcp --dport 67:68 -j ACCEPT
  586. #$IPTABLES -A INPUT -i $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT
  587. #$IPTABLES -A INPUT -i $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT
  588. #$IPTABLES -A OUTPUT -o $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT
  589. #$IPTABLES -A OUTPUT -o $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT
  590. done
  591. fi
  592. if [ -s "$BASEDIR/include/ipv4_custom_mark" ]; then
  593. display_c YELLOW "Loading custom mark rules..."
  594. . "$BASEDIR/include/ipv4_custom_mark"
  595. fi
  596. if [ -r "$IPv4_MARK" ]; then
  597. display_c YELLOW "Adding mark: "
  598. for i in `grep -v "\#" $IPv4_MARK`; do
  599. MARK=( ${i//|/ } )
  600. INIF=${MARK[0]}
  601. INIP=${MARK[1]}
  602. DSTIP=${MARK[2]}
  603. IPMARK=${MARK[3]}
  604. case $INIP in
  605. !*) INNEG="!"
  606. INIP=${INIP#\!};;
  607. esac
  608. case $DSTIP in
  609. !*) DSTNEG="!"
  610. DSTIP=${DSTIP#\!};;
  611. esac
  612. $IPTABLES -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
  613. ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
  614. display_c DEFAULT "\t${GREEN}${INNEG}${INIF}:${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP}:${RED}${IPMARK}"
  615. unset INNEG DSTNEG
  616. done
  617. echo -ne "\n"
  618. fi
  619. if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
  620. display_c YELLOW "Loading custom nat rules..."
  621. . "$BASEDIR/include/ipv4_custom_nat"
  622. fi
  623. if [ $NAT ]; then
  624. if [ "$NAT_RANGE" ]; then
  625. display_c YELLOW "Adding NAT rule:"
  626. unset INIF_EXISTS FWDIF_EXISTS
  627. for i in $NAT_RANGE; do
  628. NAT_RULE=( ${i//:/ } )
  629. case ${NAT_RULE[0]} in
  630. SNAT)
  631. $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
  632. -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
  633. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
  634. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
  635. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
  636. display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
  637. if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
  638. $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
  639. -s ${NAT_RULE[2]} -j ACCEPT
  640. $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
  641. -s ${NAT_RULE[2]} -j ACCEPT
  642. INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
  643. fi
  644. if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
  645. $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  646. -o ${NAT_RULE[3]} -j ACCEPT
  647. $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  648. -o ${NAT_RULE[3]} -j ACCEPT
  649. FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
  650. fi
  651. ;;
  652. MASQ)
  653. $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
  654. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
  655. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
  656. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
  657. display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
  658. if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
  659. $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
  660. -s ${NAT_RULE[2]} -j ACCEPT
  661. $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
  662. -s ${NAT_RULE[2]} -j ACCEPT
  663. INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
  664. fi
  665. if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
  666. $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  667. -o ${NAT_RULE[3]} -j ACCEPT
  668. $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  669. -o ${NAT_RULE[3]} -j ACCEPT
  670. FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
  671. fi
  672. ;;
  673. NETMAP)
  674. $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
  675. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
  676. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
  677. $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
  678. display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
  679. if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
  680. $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
  681. -s ${NAT_RULE[2]} -j ACCEPT
  682. $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
  683. -s ${NAT_RULE[2]} -j ACCEPT
  684. INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
  685. fi
  686. if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
  687. $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  688. -o ${NAT_RULE[3]} -j ACCEPT
  689. $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
  690. -o ${NAT_RULE[3]} -j ACCEPT
  691. FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
  692. fi
  693. ;;
  694. *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
  695. esac
  696. done
  697. reset_color
  698. fi
  699. fi
  700. $IPTABLES --policy INPUT ${IPV4_PINPUT}
  701. $IPTABLES --policy OUTPUT ${IPV4_POUTPUT}
  702. $IPTABLES --policy FORWARD ${IPV4_PFORWARD}
  703. if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
  704. display_c YELLOW "Loading custom incoming blocked rules..."
  705. . "$BASEDIR/include/ipv4_custom_blockincoming"
  706. fi
  707. if [ $BLOCKINCOMING ]; then
  708. $IPTABLES -A INPUT -p tcp --syn -j DROP
  709. $IPTABLES -A INPUT -p udp -j DROP
  710. fi
  711. #================[IPv6]================
  712. if [ $IPV6 ]; then
  713. iptables_rules_flush ipv6
  714. if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
  715. display_c YELLOW "Loading custom IPv6 flush rules..."
  716. . "$BASEDIR/include/ipv6_custom_flush"
  717. fi
  718. display_c YELLOW "Adding trusted IPv6: " N
  719. $IP6TABLES -A INPUT -i lo -j ACCEPT
  720. $IP6TABLES -A OUTPUT -o lo -j ACCEPT
  721. if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
  722. display_c YELLOW "Loading custom IPv6 trust rules..."
  723. . "$BASEDIR/include/ipv6_custom_trust"
  724. fi
  725. if [ "$IPV6_TRUSTED" ]; then
  726. for i in $IPV6_TRUSTED; do
  727. echo -n "$i "
  728. $IP6TABLES -A INPUT -s $i -j ACCEPT
  729. $IP6TABLES -A OUTPUT -d $i -j ACCEPT
  730. done
  731. fi
  732. reset_color
  733. if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
  734. display_c YELLOW "Loading custom IPv6 block rules..."
  735. . "$BASEDIR/include/ipv6_custom_blockip"
  736. fi
  737. if [ "$IPV6_LANDHCPSERVER" ]; then
  738. for i in $IPV6_LANDHCPSERVER; do
  739. $IP6TABLES -A INPUT -i $i -p udp --sport 546:547 --dport 546:547 -j ACCEPT
  740. #$IP6TABLES -A INPUT -i $i -p tcp --sport 546:547 --dport 546:547 -j ACCEPT
  741. $IP6TABLES -A OUTPUT -o $i -p udp --sport 546:547 --dport 546:547 -j ACCEPT
  742. #$IP6TABLES -A OUTPUT -o $i -p tcp --sport 546:547 --dport 546:547 -j ACCEPT
  743. #$IP6TABLES -A INPUT -i $i -p udp -d ff02::1:2 --sport 546:547 --dport 546:547 -j ACCEPT
  744. #$IP6TABLES -A INPUT -i $i -p tcp -d ff02::1:2 --sport 546:547 --dport 546:547 -j ACCEPT
  745. #$IP6TABLES -A OUTPUT -o $i -p udp -d fe80::/16 --sport 546:547 --dport 546:547 -j ACCEPT
  746. #$IP6TABLES -A OUTPUT -o $i -p tcp -d fe80::/16 --sport 546:547 --dport 546:547 -j ACCEPT
  747. done
  748. fi
  749. if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
  750. display_c YELLOW "Loading custom IPv6 conntrack rules..."
  751. . "$BASEDIR/include/ipv6_custom_conntrack"
  752. fi
  753. if [ "$IPV6_CONNTRACK" ]; then
  754. #$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
  755. $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
  756. $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
  757. #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
  758. $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
  759. $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
  760. $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
  761. $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
  762. $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
  763. fi
  764. if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
  765. display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
  766. for i in $DNS_REQUESTS_OUT; do
  767. if [[ "$i" =~ "|" ]]; then
  768. IFS_OLD=${IFS};IFS=\|
  769. DNSREQ=($i)
  770. IFS=${IFS_OLD}
  771. SRCIF=${DNSREQ[0]}
  772. DNSIP_NUM=${#DNSREQ[@]}
  773. DNSIP_COUNT_CURR=1
  774. for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
  775. if [ ${DNSREQ[$i]} ]; then
  776. ${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
  777. fi
  778. done
  779. else
  780. ${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
  781. fi
  782. done
  783. fi
  784. if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
  785. display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
  786. . "$BASEDIR/include/ipv6_custom_blockoutports"
  787. fi
  788. if [ "$IPV6_BLOCKEDIP" ]; then
  789. display_c YELLOW "Adding blocked IPv6 addresses... "
  790. for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do
  791. if [[ "$i" =~ "|" ]]; then
  792. IFS_OLD=${IFS};IFS=\|
  793. ADVBLKIP=($i)
  794. IFS=${IFS_OLD}
  795. SRCIF=${ADVBLKIP[0]}
  796. SRCIP=${ADVBLKIP[1]}
  797. SRCPORT=${ADVBLKIP[2]}
  798. DSTIF=${ADVBLKIP[3]}
  799. DSTIP=${ADVBLKIP[4]}
  800. DSTPORT=${ADVBLKIP[5]}
  801. DIRECTION=${ADVBLKIP[6]}
  802. PROTO=${ADVBLKIP[7]}
  803. if [ "$SRCIF" ]; then
  804. SRCIF="-i ${SRCIF} "
  805. fi
  806. if [ "$SRCIP" ]; then
  807. SRCIP="-s ${SRCIP} "
  808. fi
  809. if [ "$SRCPORT" ]; then
  810. SRCPORT="--sport ${SRCPORT/-/:} "
  811. fi
  812. if [ "$DSTIF" ]; then
  813. DSTIF="-o ${DSTIF} "
  814. fi
  815. if [ "$DSTIP" ]; then
  816. DSTIP="-d ${DSTIP} "
  817. fi
  818. if [ "$DSTPORT" ]; then
  819. DSTPORT="--dport ${DSTPORT/-/:} "
  820. fi
  821. if [ "$PROTO" ]; then
  822. case $PROTO in
  823. TCP|tcp) PROTO="-p tcp";;
  824. UDP|udp) PROTO="-p udp";;
  825. *) PROTO="-p ${PROTO}";;
  826. esac
  827. fi
  828. case $DIRECTION in
  829. IN) DIRECTION="INPUT" ;;
  830. OUT) DIRECTION="OUTPUT" ;;
  831. FWD) DIRECTION="FORWARD" ;;
  832. *) DIRECTION="INPUT" ;;
  833. esac
  834. ${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP
  835. else
  836. $IP6TABLES -A INPUT -s $i -j DROP
  837. $IP6TABLES -A OUTPUT -d $i -j DROP
  838. fi
  839. done
  840. fi
  841. if [ "$IPV6_ICMP_CRITICAL" ]; then
  842. # This is necessary to make sure that PMTU works
  843. $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
  844. -j ACCEPT
  845. $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
  846. -j ACCEPT
  847. $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
  848. -j ACCEPT
  849. $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
  850. -j ACCEPT
  851. if [ "$IPV6_FORWARDRANGE" ]; then
  852. $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
  853. $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
  854. fi
  855. fi
  856. if [ "$IPV6_ICMP_OPT" ]; then
  857. $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  858. $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
  859. $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  860. $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
  861. if [ "$IPV6_FORWARDRANGE" ]; then
  862. $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
  863. $IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
  864. fi
  865. fi
  866. if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
  867. display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
  868. . "$BASEDIR/include/ipv6_custom_mssclamp"
  869. fi
  870. if [ "$IPV6_CLAMPMSS" ]; then
  871. display_c YELLOW "Clamping IPV6 MSS to PMTU..."
  872. for i in $IPV6_CLAMPMSS; do
  873. $IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  874. -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
  875. --mss 1280:1536
  876. $IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
  877. -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
  878. --mss 1280:1536
  879. done
  880. fi
  881. if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
  882. display_c YELLOW "Loading custom IPv6 allowed port rules..."
  883. . "$BASEDIR/include/ipv6_custom_allowedports"
  884. fi
  885. if [ "$IPV6_ALLOWED" ]; then
  886. display_c YELLOW "Adding allowed IPv6 IPs and ports... "
  887. for i in `grep -v "\#" $IPV6_ALLOWED`; do
  888. if [[ "$i" =~ "|" ]]; then
  889. IFS_OLD=${IFS};IFS=\|
  890. ADVALLOWIP=($i)
  891. IFS=${IFS_OLD}
  892. SRCIF=${ADVALLOWIP[0]}
  893. SRCIP=${ADVALLOWIP[1]}
  894. SRCPORT=${ADVALLOWIP[2]}
  895. DSTIF=${ADVALLOWIP[3]}
  896. DSTIP=${ADVALLOWIP[4]}
  897. DSTPORT=${ADVALLOWIP[5]}
  898. DIRECTION=${ADVALLOWIP[6]}
  899. PROTO=${ADVALLOWIP[7]}
  900. if [ "$SRCIF" ]; then
  901. SRCIF="-i ${SRCIF} "
  902. fi
  903. if [ "$SRCIP" ]; then
  904. SRCIP="-s ${SRCIP} "
  905. fi
  906. if [ "$SRCPORT" ]; then
  907. SRCPORT="--sport ${SRCPORT/-/:} "
  908. fi
  909. if [ "$DSTIF" ]; then
  910. DSTIF="-o ${DSTIF} "
  911. fi
  912. if [ "$DSTIP" ]; then
  913. DSTIP="-d ${DSTIP} "
  914. fi
  915. if [ "$DSTPORT" ]; then
  916. DSTPORT="--dport ${DSTPORT/-/:} "
  917. fi
  918. if [ "$PROTO" ]; then
  919. case $PROTO in
  920. TCP|tcp) PROTO="-p tcp";;
  921. UDP|udp) PROTO="-p udp";;
  922. *) PROTO="-p ${PROTO}";;
  923. esac
  924. fi
  925. case $DIRECTION in
  926. IN) DIRECTION="INPUT" ;;
  927. OUT) DIRECTION="OUTPUT" ;;
  928. FWD) DIRECTION="FORWARD" ;;
  929. *) DIRECTION="INPUT" ;;
  930. esac
  931. ${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
  932. fi
  933. done
  934. fi
  935. if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
  936. display_c YELLOW "Adding allowed IPv6 port: " N
  937. if [ "$IPV6_TCPPORTS" ]; then
  938. if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
  939. IPV6_TCPPORTS=($IPV6_TCPPORTS)
  940. PORTS_COUNT=${#IPV6_TCPPORTS[@]}
  941. PORTS_COUNT_CURR=0
  942. while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
  943. for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do
  944. if [ ${IPV6_TCPPORTS[$i]} ]; then
  945. PORTS="${PORTS},${IPV6_TCPPORTS[$i]}"
  946. fi
  947. done
  948. echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} "
  949. $IP6TABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT
  950. unset PORTS
  951. PORTS_COUNT_CURR=$i
  952. done
  953. unset i PORTS PORTS_COUNT_CURR PORTS_COUNT
  954. else
  955. for i in $IPV6_TCPPORTS; do
  956. echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
  957. $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
  958. done
  959. fi
  960. fi
  961. if [ "$IPV6_UDPPORTS" ]; then
  962. for i in $IPV6_UDPPORTS; do
  963. echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
  964. $IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
  965. $IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
  966. $IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
  967. done
  968. fi
  969. reset_color
  970. fi
  971. if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
  972. display_c YELLOW "Loading custom IPv6 mark rules..."
  973. . "$BASEDIR/include/ipv6_custom_mark"
  974. fi
  975. if [ -r "$IPV6_MARK" ]; then
  976. display_c YELLOW "Adding IPv6 mark: "
  977. for i in `grep -v "\#" $IPV6_MARK`; do
  978. MARK=( ${i//|/ } )
  979. INIF=${MARK[0]}
  980. INIP=${MARK[1]}
  981. DSTIP=${MARK[2]}
  982. IPMARK=${MARK[3]}
  983. case $INIP in
  984. !*) INNEG="!"
  985. INIP=${INIP#\!};;
  986. esac
  987. case $DSTIP in
  988. !*) DSTNEG="!"
  989. DSTIP=${DSTIP#\!};;
  990. esac
  991. ${IP6TABLES} -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
  992. ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
  993. display_c DEFAULT "\t${GREEN}${INNEG}${INIF};${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP};${RED}${IPMARK}"
  994. unset INNEG DSTNEG
  995. done
  996. echo -ne "\n"
  997. fi
  998. if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
  999. for i in $IPV6_ROUTEDCLIENTBLOCK; do
  1000. $IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
  1001. $IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
  1002. $IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
  1003. $IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
  1004. done
  1005. fi
  1006. if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
  1007. display_c YELLOW "Loading custom IPv6 routing rules..."
  1008. . "$BASEDIR/include/ipv6_custom_routing"
  1009. fi
  1010. if [ "$IPV6_FORWARDRANGE" ]; then
  1011. for i in $IPV6_FORWARDRANGE; do
  1012. $IP6TABLES -A FORWARD -s $i -j ACCEPT
  1013. $IP6TABLES -A FORWARD -d $i -j ACCEPT
  1014. done
  1015. fi
  1016. if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
  1017. display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
  1018. . "$BASEDIR/include/ipv6_custom_blockincoming"
  1019. fi
  1020. if [ $IPV6_BLOCKINCOMING ]; then
  1021. $IP6TABLES -A INPUT -p tcp --syn -j DROP
  1022. $IP6TABLES -A INPUT -p udp -j DROP
  1023. fi
  1024. $IP6TABLES --policy INPUT ${IPV6_PINPUT}
  1025. $IP6TABLES --policy OUTPUT ${IPV6_POUTPUT}
  1026. $IP6TABLES --policy FORWARD ${IPV6_PFORWARD}
  1027. fi
  1028. if [ $TWEAKS ]; then
  1029. for i in `grep -v "\#" $TWEAKS`; do
  1030. PROCOPT=( ${i//=/ } )
  1031. echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]}
  1032. done
  1033. fi
  1034. if [ -x $POSTRUN ]; then
  1035. $POSTRUN
  1036. fi