176 lines
5.3 KiB
Bash
Executable File
176 lines
5.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# By Brielle Bruns <bruns@2mbit.com>
|
|
# URL: http://www.sosdg.org/freestuff/firewall
|
|
# License: GPLv3
|
|
#
|
|
# Copyright (C) 2009 - 2010 Brielle Bruns
|
|
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
# display_c $COLOR $TEXT BOOL(YN)
|
|
# $COLOR being bash colors
|
|
# $TEXT being what to output (make sure to put " " around text)
|
|
# BOOL being (Y or N) to do newline at end or not
|
|
function display_c {
|
|
unset COLOR_CODE TEXT NEWLINE
|
|
DEFAULT_COLOR="\E[39m"
|
|
COLOR_CODE=`pick_color $1`
|
|
TEXT="$2"
|
|
if [ "$3" == "N" ]; then
|
|
NEWLINE="-n"
|
|
fi
|
|
echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
|
|
}
|
|
|
|
|
|
# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
|
|
# Non-color version of display_c
|
|
function display_m {
|
|
unset TEXT NEWLINE
|
|
TEXT="$2"
|
|
if [ "$3" == "N" ]; then
|
|
NEWLINE="-n"
|
|
fi
|
|
echo -e $NEWLINE "$TEXT"
|
|
}
|
|
|
|
# pick_color $COLOR
|
|
# returns appropriate color codes for use in display_c and such
|
|
function pick_color {
|
|
case $1 in
|
|
BLUE) COLOR="\E[34m" ;;
|
|
GREEN) COLOR="\E[32m" ;;
|
|
RED) COLOR="\E[31m" ;;
|
|
YELLOW) COLOR="\E[33m" ;;
|
|
PURPLE) COLOR="\E[35m" ;;
|
|
AQUA) COLOR="\E[36m" ;;
|
|
WHITE) COLOR="\E[1m" ;;
|
|
GREY) COLOR="\E[37m" ;;
|
|
*) COLOR="\E[37m" ;;
|
|
esac
|
|
echo "$COLOR"
|
|
}
|
|
|
|
# reset_color
|
|
function reset_color {
|
|
unset NEWLINE
|
|
DEFAULT_COLOR="\E[39m"
|
|
if [ "$1" == "N" ]; then
|
|
NEWLINE="-n"
|
|
fi
|
|
echo $NEWLINE -e "$DEFAULT_COLOR"
|
|
}
|
|
|
|
# iptables_rules_flush (ipv6|ipv4)
|
|
# Clear all rules from iptables - be very careful in how this is called as it
|
|
# could easily lock out the user from the network. Best way to be safe, is to
|
|
# call iptables_policy_reset first then this function.
|
|
function iptables_rules_flush {
|
|
IP_VERSION=$1
|
|
case $IP_VERSION in
|
|
ipv6) VER_IPTABLES=$IP6TABLES ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
|
ipv4|*) VER_IPTABLES=$IPTABLES ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
|
esac
|
|
display_c RED "Flushing ${IP_VERSION} rules..."
|
|
$VER_IPTABLES --flush &>/dev/null
|
|
$VER_IPTABLES -F OUTPUT &>/dev/null
|
|
$VER_IPTABLES -F PREROUTING &>/dev/null
|
|
$VER_IPTABLES -F POSTROUTING &>/dev/null
|
|
for i in `cat $TABLE_NAMES`; do
|
|
$VER_IPTABLES -F -t $i &>/dev/null
|
|
done
|
|
$VER_IPTABLES -X
|
|
#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
|
|
# $VER_IPTABLES -F -t nat &>/dev/null
|
|
#fi
|
|
#$VER_IPTABLES -F -t raw &>/dev/null
|
|
}
|
|
|
|
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
|
|
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
|
|
# If no policy given, assume ACCEPT
|
|
function iptables_policy_reset {
|
|
IP_VERSION=$1
|
|
SET_POLICY=${2=ACCEPT}
|
|
case $IP_VERSION in
|
|
ipv6) VER_IPTABLES=$IP6TABLES ;;
|
|
ipv4|*) VER_IPTABLES=$IPTABLES ;;
|
|
esac
|
|
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
|
$VER_IPTABLES --policy INPUT $SET_POLICY
|
|
$VER_IPTABLES --policy OUTPUT $SET_POLICY
|
|
$VER_IPTABLES --policy FORWARD $SET_POLICY
|
|
}
|
|
|
|
# show_help
|
|
# Show command line options help
|
|
function show_help {
|
|
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
|
|
echo -e "\t--help\t\tShows this info"
|
|
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
|
|
echo -e "\t--generate-cache\tGenerate cached rule file"
|
|
}
|
|
|
|
|
|
|
|
# apply_ipv4_hack $HACKS
|
|
function apply_ipv4_hack {
|
|
display_c YELLOW "Applying IPv4 hack/fix:" N
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
NS-IN-DDOS)
|
|
# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
|
|
# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
|
|
display_c PURPLE " ./NS/IN-DDOS-FIX" N
|
|
if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then
|
|
$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
|
|
"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
|
|
else
|
|
display_c RED "\nError: could not load $MOD_U32 module into the kernel. Not using fix."
|
|
fi
|
|
;;
|
|
MULTI-NIC-ARP-LOCK)
|
|
# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
|
|
# do not actually have the IP in question. In some (alot in my case),
|
|
# I have things going through specific wires for a reason. This fixes
|
|
# that and makes it behave as expected.
|
|
display_c PURPLE " MULTI-NIC-ARP-LOCK" N
|
|
for i in default all; do
|
|
if [ -w ${PROC_NET_IPV4}/$i/arp_ignore ]; then
|
|
echo "1" > ${PROC_NET_IPV4}/$i/arp_ignore
|
|
else
|
|
display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_ignore"
|
|
fi
|
|
if [ -w ${PROC_NET_IPV4}/$i/arp_announce ]; then
|
|
echo "2" > ${PROC_NET_IPV4}/$i/arp_announce
|
|
else
|
|
display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_announce"
|
|
fi
|
|
done
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
echo -en "\n"
|
|
}
|
|
|
|
# write_out_rules(_v6)
|
|
function write_out_rules {
|
|
echo "$*" >> "$RULE_CACHE"
|
|
}
|
|
function write_out_rules_v6 {
|
|
echo "$*" >> "$RULE_CACHE_V6"
|
|
}
|