  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2010 Brielle Bruns
  7. # Copyright (C) 2009 - 2010 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
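# display_c $COLOR $TEXT BOOL(YN)
# $COLOR being one of the names pick_color understands (BLUE, GREEN, RED, ...)
# $TEXT being what to output (make sure to put " " around text); backslash
#       escapes in it (\n, \t, ...) are expanded, as echo -e did
# BOOL being (Y or N) to do newline at end or not; anything but N ends the
#       line with a newline
# Writes to stdout and resets the foreground colour afterwards. Scratch
# values are local now, so no COLOR_CODE/TEXT/NEWLINE globals are left behind.
function display_c {
  local color_code text
  # Same "back to default foreground" sequence reset_color emits.
  local -r default_color="\E[39m"
  color_code=$(pick_color "$1")
  text="$2"
  # %b expands backslash escapes the way echo -e did, but cannot mistake
  # the text for an echo option.
  printf '%b' "${color_code}${text}${default_color}"
  if [ "$3" != "N" ]; then
    printf '\n'
  fi
}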
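# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
# Non-color version of display_c: same arguments and the same backslash
# escape expansion in $TEXT, but no colour codes are emitted.
# Writes to stdout; leaves no TEXT/NEWLINE globals behind.
function display_m {
  local text="$2"
  # %b keeps echo -e's escape handling without echo's option parsing.
  printf '%b' "$text"
  if [ "$3" != "N" ]; then
    printf '\n'
  fi
}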
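# pick_color $COLOR
# returns appropriate color codes for use in display_c and such
# Prints the escape sequence as a literal "\E[..m" string (one per line);
# the caller expands it with echo -e / printf %b. Unknown or missing names
# fall back to grey. Uses a local instead of leaking a COLOR global.
function pick_color {
  local code
  case "$1" in
    BLUE)   code="\E[34m" ;;
    GREEN)  code="\E[32m" ;;
    RED)    code="\E[31m" ;;
    YELLOW) code="\E[33m" ;;
    PURPLE) code="\E[35m" ;;
    AQUA)   code="\E[36m" ;;
    WHITE)  code="\E[1m" ;;
    GREY|*) code="\E[37m" ;;
  esac
  printf '%s\n' "$code"
}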
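# reset_color BOOL(YN)
# Emit the "back to default foreground colour" sequence on stdout.
# Pass N to suppress the trailing newline. Leaves no globals behind.
function reset_color {
  local -r default_color="\E[39m"
  printf '%b' "$default_color"
  if [ "$1" != "N" ]; then
    printf '\n'
  fi
}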
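# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
# Anything other than "ipv6" (including no argument) is treated as ipv4.
# Globals read: IPTABLES, IP6TABLES. Output from the individual flush
# commands is discarded, as before; only the final -X reports errors.
# NOTE(review): -X without -t only removes user-defined chains in the filter
# table; other tables keep their (now empty) chains, as in the original.
function iptables_rules_flush {
  local ip_version=$1 ver_iptables table_names table
  case "$ip_version" in
    ipv6) ver_iptables=$IP6TABLES ; table_names=/proc/net/ip6_tables_names ;;
    ipv4|*) ver_iptables=$IPTABLES ; table_names=/proc/net/ip_tables_names ;;
  esac
  display_c RED "Flushing ${ip_version} rules..."
  # $ver_iptables is left unquoted, as in the original, in case the
  # configured value carries options after the binary name.
  $ver_iptables --flush &>/dev/null
  $ver_iptables -F OUTPUT &>/dev/null
  $ver_iptables -F PREROUTING &>/dev/null
  $ver_iptables -F POSTROUTING &>/dev/null
  # Flush every table the kernel lists as loaded, not just filter. The list
  # file only exists when the matching xtables support is present, so skip
  # quietly instead of letting cat complain.
  if [ -r "$table_names" ]; then
    while IFS= read -r table || [ -n "$table" ]; do
      [ -n "$table" ] || continue
      $ver_iptables -F -t "$table" &>/dev/null
    done < "$table_names"
  fi
  $ver_iptables -X
}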
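# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
# Only the built-in filter chains INPUT, OUTPUT and FORWARD are touched.
# Anything other than "ipv6" is treated as ipv4. Globals read: IPTABLES,
# IP6TABLES. Exit status is that of the last --policy command.
# Setting DROP on a remote box with no accept rule in place cuts the session,
# so pair it with the rule load that follows.
function iptables_policy_reset {
  local ip_version=$1 ver_iptables chain
  # ${2:-ACCEPT}: the original ${2=ACCEPT} tried to *assign* to $2, which bash
  # refuses ("cannot assign in this way"), so the documented default never
  # took effect when the second argument was omitted.
  local set_policy=${2:-ACCEPT}
  case "$ip_version" in
    ipv6) ver_iptables=$IP6TABLES ;;
    ipv4|*) ver_iptables=$IPTABLES ;;
  esac
  display_c RED "Setting ${ip_version} policies to ${set_policy}..."
  # $ver_iptables unquoted on purpose, matching the rest of the file.
  for chain in INPUT OUTPUT FORWARD; do
    $ver_iptables --policy "$chain" "$set_policy"
  done
}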
  108. # show_help
  109. # Show command line options help
  110. function show_help {
  111. echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
  112. echo -e "\t--help\t\tShows this info"
  113. echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
  114. echo -e "\t--generate-cache\tGenerate cached rule file"
  115. }
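# apply_ipv4_hack $HACKS...
# Apply one or more of the named IPv4 workarounds below, in the order given.
# Known names: NS-IN-DDOS, MULTI-NIC-ARP-LOCK. Unknown names are reported
# and skipped (the original ignored them silently). Progress and errors go
# to stdout via display_c.
# Globals read: IPTABLES, MODPROBE, MOD_U32, PROC_NET_IPV4
function apply_ipv4_hack {
  display_c YELLOW "Applying IPv4 hack/fix:" N
  while [ $# -gt 0 ]; do
    case "$1" in
      NS-IN-DDOS) _ipv4_hack_ns_in_ddos ;;
      MULTI-NIC-ARP-LOCK) _ipv4_hack_multi_nic_arp_lock ;;
      *) display_c RED "\nWarning: unknown IPv4 hack '$1' ignored" ;;
    esac
    shift
  done
  printf '\n'
}

# _ipv4_hack_ns_in_ddos
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
# Needs the u32 match module; the rule is skipped with an error message
# when modprobe cannot load it.
function _ipv4_hack_ns_in_ddos {
  display_c PURPLE " ./NS/IN-DDOS-FIX" N
  # Test modprobe's exit status directly. The original wrapped the call in
  # backticks and executed its (empty) output, which only worked by accident.
  if $MODPROBE --quiet "$MOD_U32" &>/dev/null; then
    $IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
      "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
  else
    display_c RED "\nError: could not load $MOD_U32 module into the kernel. Not using fix."
  fi
}

# _ipv4_hack_multi_nic_arp_lock
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by
# interfaces that do not actually have the IP in question. In some (alot in
# my case), I have things going through specific wires for a reason. This
# fixes that and makes it behave as expected: arp_ignore=1 and arp_announce=2
# for both "default" and "all" under ${PROC_NET_IPV4}.
function _ipv4_hack_multi_nic_arp_lock {
  local i
  display_c PURPLE " MULTI-NIC-ARP-LOCK" N
  for i in default all; do
    _write_ipv4_arp_knob "$i" arp_ignore 1
    _write_ipv4_arp_knob "$i" arp_announce 2
  done
}

# _write_ipv4_arp_knob $IFACE $KNOB $VALUE
# Write $VALUE to ${PROC_NET_IPV4}/$IFACE/$KNOB, or report via display_c
# when the file is not writable.
function _write_ipv4_arp_knob {
  local path="${PROC_NET_IPV4}/$1/$2"
  if [ -w "$path" ]; then
    printf '%s\n' "$3" > "$path"
  else
    display_c RED "\nError: Could not write to $path"
  fi
}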
  156. # write_out_rules(_v6)
  157. function write_out_rules {
  158. echo "$*" >> "$RULE_CACHE"
  159. }
  160. function write_out_rules_v6 {
  161. echo "$*" >> "$RULE_CACHE_V6"
  162. }