175 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Bash
		
	
	
		
			Executable File
		
	
	
	
	
			
		
		
	
	
			175 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Bash
		
	
	
		
			Executable File
		
	
	
	
	
| #!/bin/bash
 | |
| # By Brielle Bruns <bruns@2mbit.com>
 | |
| # URL: http://www.sosdg.org/freestuff/firewall
 | |
| # License: GPLv3
 | |
| #
 | |
| #    Copyright (C) 2009 - 2010  Brielle Bruns
 | |
| #    Copyright (C) 2009 - 2010  The Summit Open Source Development Group
 | |
| #
 | |
| #    This program is free software: you can redistribute it and/or modify
 | |
| #    it under the terms of the GNU General Public License as published by
 | |
| #    the Free Software Foundation, either version 3 of the License, or
 | |
| #    (at your option) any later version.
 | |
| #
 | |
| #    This program is distributed in the hope that it will be useful,
 | |
| #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| #    GNU General Public License for more details.
 | |
| #    You should have received a copy of the GNU General Public License
 | |
| #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| 
 | |
| # display_c $COLOR $TEXT BOOL(YN)
 | |
| # $COLOR being bash colors
 | |
| # $TEXT being what to output (make sure to put " " around text)
 | |
| # BOOL being (Y or N) to do newline at end or not
 | |
| function display_c {
 | |
| 	unset COLOR_CODE TEXT NEWLINE
 | |
| 	DEFAULT_COLOR="\E[39m"
 | |
| 	COLOR_CODE=`pick_color $1`
 | |
| 	TEXT="$2"
 | |
| 	if [ "$3" == "N" ]; then
 | |
| 		NEWLINE="-n"
 | |
| 	fi
 | |
| 	echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
 | |
| }
 | |
| 
 | |
| 
 | |
| # display_m $COLOR(IGNORED) $TEXT BOOL(YN)
 | |
| # Non-color version of display_c
 | |
| function display_m {
 | |
| 	unset TEXT NEWLINE
 | |
| 	TEXT="$2"
 | |
| 	if [ "$3" == "N" ]; then
 | |
| 		NEWLINE="-n"
 | |
| 	fi
 | |
| 	echo -e $NEWLINE "$TEXT"
 | |
| }
 | |
| 
 | |
| # pick_color $COLOR
 | |
| # returns appropriate color codes for use in display_c and such
 | |
| function pick_color {
 | |
| 	case $1 in
 | |
| 		BLUE) COLOR="\E[34m" ;;
 | |
| 		GREEN) COLOR="\E[32m" ;;
 | |
| 		RED) COLOR="\E[31m" ;;
 | |
| 		YELLOW) COLOR="\E[33m" ;;
 | |
| 		PURPLE) COLOR="\E[35m" ;;
 | |
| 		AQUA) COLOR="\E[36m" ;;
 | |
| 		WHITE) COLOR="\E[1m" ;;
 | |
| 		GREY) COLOR="\E[37m" ;;
 | |
| 		*) COLOR="\E[37m" ;;
 | |
| 	esac
 | |
| 	echo "$COLOR"
 | |
| }
 | |
| 
 | |
| # reset_color
 | |
| function reset_color {
 | |
| 	unset NEWLINE
 | |
| 	DEFAULT_COLOR="\E[39m"
 | |
| 	if [ "$1" == "N" ]; then
 | |
| 		NEWLINE="-n"
 | |
| 	fi
 | |
| 	echo $NEWLINE -e "$DEFAULT_COLOR"
 | |
| }
 | |
| 
 | |
| # iptables_rules_flush (ipv6|ipv4)
 | |
| # Clear all rules from iptables - be very careful in how this is called as it
 | |
| # could easily lock out the user from the network.  Best way to be safe, is to
 | |
| # call iptables_policy_reset first then this function.
 | |
| function iptables_rules_flush {
 | |
| 	IP_VERSION=$1
 | |
| 	case $IP_VERSION in
 | |
| 		ipv6) VER_IPTABLES=$IP6TABLES ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
 | |
| 		ipv4|*) VER_IPTABLES=$IPTABLES ; TABLE_NAMES=/proc/net/ip_tables_names ;;
 | |
| 	esac
 | |
| 	display_c RED "Flushing ${IP_VERSION} rules..."
 | |
| 	$VER_IPTABLES --flush &>/dev/null
 | |
| 	$VER_IPTABLES -F OUTPUT &>/dev/null
 | |
| 	$VER_IPTABLES -F PREROUTING &>/dev/null
 | |
| 	$VER_IPTABLES -F POSTROUTING &>/dev/null
 | |
| 	for i in `cat $TABLE_NAMES`; do
 | |
| 		$VER_IPTABLES -F -t $i &>/dev/null
 | |
| 	done
 | |
| 	#if [ $NAT ] && [ $IP_VERSION == "ipv4" ]; then
 | |
| 	#	$VER_IPTABLES -F -t nat &>/dev/null
 | |
| 	#fi
 | |
| 	#$VER_IPTABLES -F -t raw &>/dev/null
 | |
| }
 | |
| 
 | |
| # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
 | |
| # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
 | |
| # If no policy given, assume ACCEPT
 | |
| function iptables_policy_reset {
 | |
| 	IP_VERSION=$1
 | |
| 	SET_POLICY=${2=ACCEPT}
 | |
| 	case $IP_VERSION in
 | |
| 		ipv6) VER_IPTABLES=$IP6TABLES ;;
 | |
| 		ipv4|*) VER_IPTABLES=$IPTABLES ;;
 | |
| 	esac
 | |
| 	display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
 | |
| 	$VER_IPTABLES --policy INPUT $SET_POLICY
 | |
| 	$VER_IPTABLES --policy OUTPUT $SET_POLICY
 | |
| 	$VER_IPTABLES --policy FORWARD $SET_POLICY
 | |
| }
 | |
| 
 | |
| # show_help
 | |
| # Show command line options help
 | |
| function show_help {
 | |
| 	 echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
 | |
|  	 echo -e "\t--help\t\tShows this info"
 | |
|  	 echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
 | |
|  	 echo -e "\t--generate-cache\tGenerate cached rule file"
 | |
|  }
 | |
|  
 | |
|  
 | |
|  
 | |
| # apply_ipv4_hack $HACKS
 | |
| function apply_ipv4_hack {
 | |
| 	display_c YELLOW "Applying IPv4 hack/fix:" N
 | |
| 	while [ $# -gt 0 ]; do
 | |
| 		case "$1" in
 | |
| 		NS-IN-DDOS)
 | |
| 			# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
 | |
| 			# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
 | |
| 			display_c PURPLE " ./NS/IN-DDOS-FIX" N
 | |
| 			if `$MODPROBE --quiet $MOD_U32 &>/dev/null`; then
 | |
| 				$IPTABLES -A INPUT -j DROP -p udp --dport 53 -m u32 --u32 \
 | |
| 				"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
 | |
| 			else
 | |
| 				display_c RED "\nError: could not load $MOD_U32 module into the kernel.  Not using fix."
 | |
| 			fi
 | |
| 		;;
 | |
| 		MULTI-NIC-ARP-LOCK)
 | |
| 			# MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
 | |
| 			#						do not actually have the IP in question.  In some (alot in my case),
 | |
| 			#						I have things going through specific wires for a reason.  This fixes
 | |
| 			#						that and makes it behave as expected.
 | |
| 			display_c PURPLE " MULTI-NIC-ARP-LOCK" N
 | |
| 			for i in default all; do
 | |
| 				if [ -w ${PROC_NET_IPV4}/$i/arp_ignore ]; then
 | |
| 					echo "1" > ${PROC_NET_IPV4}/$i/arp_ignore
 | |
| 				else
 | |
| 					display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_ignore"
 | |
| 				fi
 | |
| 				if [ -w ${PROC_NET_IPV4}/$i/arp_announce ]; then
 | |
| 					echo "2" > ${PROC_NET_IPV4}/$i/arp_announce
 | |
| 				else
 | |
| 					display_c RED "\nError: Could not write to ${PROC_NET_IPV4}/$i/arp_announce"
 | |
| 				fi
 | |
| 			done
 | |
| 		;;
 | |
| 		esac
 | |
| 		shift
 | |
| 	done
 | |
| 	echo -en "\n"
 | |
| }
 | |
| 
 | |
| # write_out_rules(_v6)
 | |
| function write_out_rules {
 | |
| 	echo "$*" >> "$RULE_CACHE"
 | |
| }
 | |
| function write_out_rules_v6 {
 | |
| 	echo "$*" >> "$RULE_CACHE_V6"
 | |
| }
 |