#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, TABLE_NAMES (written, left set for callers)
# Outputs:   one status line via ${display}; all iptables output is discarded
# Returns:   status of the last ${VER_IPTABLES} call
function iptables_rules_flush {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == "ipv6" ]]; then
    VER_IPTABLES=${IP6TABLES}
    TABLE_NAMES=/proc/net/ip6_tables_names
  else
    VER_IPTABLES=${IPTABLES}
    TABLE_NAMES=/proc/net/ip_tables_names
  fi

  ${display} GREEN "Flushing ${IP_VERSION} rules..."

  # Every step is best-effort: a table or chain that does not exist on this
  # kernel must not stop the flush, so iptables output is thrown away.
  # The final three steps leave the built-in policies at ACCEPT, i.e. the
  # host is wide open until the caller installs its rules (see header).
  local flush_step
  for flush_step in \
    "-F" "-X" \
    "-F INPUT" "-F OUTPUT" "-F FORWARD" \
    "-t nat -F" "-t nat -X" \
    "-t mangle -F" "-t mangle -X" \
    "-P INPUT ACCEPT" "-P OUTPUT ACCEPT" "-P FORWARD ACCEPT"; do
    # shellcheck disable=SC2086 -- each step is a fixed option string that must word-split
    ${VER_IPTABLES} ${flush_step} &>/dev/null
  done
  # Flushing every table listed in ${TABLE_NAMES} was left disabled by the
  # author; only the explicit filter/nat/mangle steps above are run.
}
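# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
#            $2 - policy applied to INPUT, OUTPUT and FORWARD (default ACCEPT)
# Globals:   IP_VERSION, SET_POLICY, VER_IPTABLES (written, left set for callers)
# Outputs:   one status line via ${display_c}
# Returns:   status of the last ${VER_IPTABLES} call
function iptables_policy_reset {
  IP_VERSION=$1
  # ${2=ACCEPT} is rejected by bash ("cannot assign in this way") because a
  # positional parameter cannot be assigned; ":-" supplies the default instead.
  SET_POLICY=${2:-ACCEPT}
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac

  # NOTE(review): every other function in this file reports through ${display};
  # confirm ${display_c} is defined by the caller as well.
  ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."

  local chain
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} --policy "${chain}" "${SET_POLICY}"
  done
}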
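# Source ${FWCONFIGDIR}/ipv${IPVER}/custom/<name>.sh when it exists and is
# executable. The hook runs in this shell with whatever privileges the
# firewall script has (iptables needs root), so ${FWCONFIGDIR} must only be
# writable by the administrator who owns the firewall configuration.
# Arguments: $1 - hook base name (prerun, easyblock, filter, nat, portfw, postrun)
# Globals:   FWCONFIGDIR, IPVER (read)
# Returns:   status of the sourced hook, 0 when there is no hook
_fw_source_custom_hook() {
  local hook="${FWCONFIGDIR}/ipv${IPVER}/custom/$1.sh"
  if [[ -x "${hook}" ]]; then
    . "${hook}"
  fi
}

# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called and wires them into the built-in
# INPUT/OUTPUT/FORWARD chains and the nat PRE/POSTROUTING chains, in the
# order the rest of this file expects. Custom hook scripts are sourced just
# before the chains they relate to are attached.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for the hooks)
#            InPreRules OutPreRules InEasyBlock OutEasyBlock InFilter OutFilter
#            FwdFilter NAT PortForward InPostRules OutPostRules (chain names, read)
# Outputs:   one status line via ${display}, progress via ${debug}
# Returns:   status of the last ${VER_IPTABLES} call
function setup_iptables_chains {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  # Create the actual chains
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  local chain
  for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" "${OutEasyBlock}" \
               "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
    ${VER_IPTABLES} -N "${chain}"
  done
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Set up rules - the order matters - we do it separately here
  # for easy viewing of order
  _fw_source_custom_hook prerun
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  _fw_source_custom_hook easyblock
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  _fw_source_custom_hook filter
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  _fw_source_custom_hook nat
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
  ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"

  _fw_source_custom_hook portfw
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
  ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"

  _fw_source_custom_hook postrun
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}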
# allow_all_loopback (ipv4|ipv6)
# Accept everything on the loopback interface in both directions by adding
# ACCEPT rules to the In/OutPreRules chains.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            InPreRules, OutPreRules (chain names, read)
# Returns:   status of the last ${VER_IPTABLES} call
function allow_all_loopback {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == "ipv6" ]]; then
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
  else
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
  fi

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loaded"

  ${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
  ${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
}
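# allow_trusted_hosts (ipv4|ipv6)
# Accept all traffic to and from every host listed in
# ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf. Hosts listed there bypass every
# later chain in both directions, so the file is part of the security policy
# and should be writable only by the administrator.
#
# File format: whitespace separated addresses, several per line allowed; any
# line containing '#' is treated as a comment (whole line, as before).
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, InPreRules, OutPreRules (read)
# Outputs:   errors via ${display} when the file is missing, progress via ${debug}
# Returns:   status of the last command run
function allow_trusted_hosts {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  if [[ -e "${conf}" ]]; then
    local line host
    local -a hosts
    # Read the file in-shell rather than word-splitting a `grep` substitution;
    # "|| [[ -n ]]" keeps a final line that has no trailing newline.
    while IFS= read -r line || [[ -n "${line}" ]]; do
      [[ ${line} == *'#'* ]] && continue
      # Split on whitespace without letting the shell glob the values.
      read -r -a hosts <<< "${line}"
      for host in "${hosts[@]}"; do
        ${VER_IPTABLES} -A ${InPreRules} -s "${host}" -j ACCEPT
        ${VER_IPTABLES} -A ${OutPreRules} -d "${host}" -j ACCEPT
      done
    done < "${conf}"
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}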
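# enable_mss_clamp (ipv4|ipv6)
# Clamp the TCP MSS of outgoing SYNs per interface, driven by
# ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf.
#
# File format, one rule per line: "<interface> <mss> <type>"
#   mss   - MSS range handed to "-m tcpmss --mss"; "-" or missing = 1400:1536
#   type  - "out" or "-" (or missing) = ${OutFilter}, "fwd" = ${FwdFilter},
#           anything else is used verbatim as the chain name
# Lines starting with '#' and blank lines are skipped.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, OutFilter, FwdFilter (read)
# Outputs:   errors via ${display} when the file is missing, progress via ${debug}
# Returns:   status of the last command run
function enable_mss_clamp {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
  if [[ -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    local interface mss type
    # "|| [[ -n ]]" keeps a final line that has no trailing newline.
    while read -r interface mss type _ || [[ -n "${interface}" ]]; do
      [[ ${interface} == "#"* ]] && continue
      [[ -z ${interface} ]] && continue
      # A missing field behaves like "-": use the defaults.
      [[ -z ${mss} || ${mss} == "-" ]] && mss="1400:1536"
      case ${type} in
        ""|-|out) type="${OutFilter}" ;;
        fwd) type="${FwdFilter}" ;;
      esac
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type}"
      # Match SYNs leaving ${interface} whose MSS is within ${mss} and rewrite
      # the MSS to fit the path MTU.
      ${VER_IPTABLES} -A "${type}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
        --clamp-mss-to-pmtu -o "${interface}" -m tcpmss --mss "${mss}"
    done < "${conf}"
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load mss clamp file."
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}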
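# allow_resolvconf_servers (ipv4|ipv6)
# Allow UDP DNS traffic to every "nameserver" entry of the resolv.conf for the
# requested address family (${ResolvConfv4File} / ${ResolvConfv6File}).
# Servers of the other family are skipped (IPv6 literals contain ':').
# With connection tracking enabled for the family the rules are stateful,
# otherwise a stateless pair (query out / reply in) is added.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER, ResolvConfFile, use_conntrack
#            (written, left set for callers)
#            ResolvConfv4File, ResolvConfv6File, Enablev4ConnectionTracking,
#            Enablev6ConnectionTracking, M_STATE, C_STATE, InPreRules,
#            OutPreRules (read)
# Outputs:   errors via ${display} when the file is missing, progress via ${debug}
# Returns:   1 when the resolv.conf is missing, else status of the last command
function allow_resolvconf_servers {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  # Anything that is not ipv6 is ipv4, matching the case default above.
  if [[ ${IPVER} == "6" ]]; then
    ResolvConfFile="${ResolvConfv6File}"
  else
    ResolvConfFile="${ResolvConfv4File}"
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"

  if [[ ! -e "${ResolvConfFile}" ]]; then
    ${display} RED "File Missing: ${ResolvConfFile}"
    ${display} RED "Error: can not load resolv.conf nameservers."
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} failed"
    return 1
  fi

  # Conntrack is a per-family decision, so settle it once, not per server.
  use_conntrack="no"
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
     || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
    use_conntrack="yes"
  fi

  local type server
  while read -r type server _ || [[ -n "${type}" ]]; do
    [[ ${type} != "nameserver" ]] && continue
    [[ -z ${server} ]] && continue
    if [[ ${IPVER} == "6" ]]; then
      [[ ${server} == *:* ]] || continue
    else
      [[ ${server} == *:* ]] && continue
    fi

    if [[ ${use_conntrack} == "yes" ]]; then
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    else
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      # Stateless: our query leaves from an ephemeral port towards the
      # server's port 53; the reply comes back from 53 to our ephemeral port.
      # (The previous rules had -s/-d swapped and never matched real traffic.)
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
    fi
  done < "${ResolvConfFile}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}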
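# allow_dnsclient_manual (ipv4|ipv6) "server ..."
# Allow UDP DNS traffic to an explicit, whitespace separated list of servers.
# With connection tracking enabled for the family the rules are stateful,
# otherwise a stateless pair (query out / reply in) is added per server.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
#            $2 - whitespace separated DNS server addresses (may be empty)
# Globals:   IP_VERSION, VER_IPTABLES, IPVER, DNS_SERVERS, use_conntrack
#            (written, left set for callers)
#            Enablev4ConnectionTracking, Enablev6ConnectionTracking, M_STATE,
#            C_STATE, InPreRules, OutPreRules (read)
# Outputs:   progress via ${debug}
# Returns:   status of the last command run
function allow_dnsclient_manual {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  DNS_SERVERS="$2"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  use_conntrack="no"
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
     || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
    use_conntrack="yes"
  fi

  local server
  # DNS_SERVERS is a whitespace separated list; word splitting is intended.
  # shellcheck disable=SC2086
  for server in ${DNS_SERVERS}; do
    if [[ ${use_conntrack} == "yes" ]]; then
      # (The message used to print an undefined ${server}-style name; it now
      # names the address actually being added.)
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    else
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      # Stateless: our query leaves from an ephemeral port towards the
      # server's port 53; the reply comes back from 53 to our ephemeral port.
      # (The previous rules had -s/-d swapped and never matched real traffic.)
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
    fi
  done

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}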
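# enable_easyblock (ipv4|ipv6)
# Load simple DROP rules from ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf into
# the In/OutEasyBlock chains.
#
# File format, one rule per line: "<IN|OUT> <interface> <address> <port> <protocol>"
#   A field of "-" (or a missing trailing field) is omitted from the rule.
#   IN  -> ${InEasyBlock}, interface as -i, address as -s
#   OUT -> ${OutEasyBlock}, interface as -o, address as -d
# Lines starting with '#' and blank lines are skipped; a bad line is reported
# and skipped so the remaining rules still load.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, InEasyBlock, OutEasyBlock (read)
# Outputs:   per-line errors via ${display}, progress via ${debug}
# Returns:   status of the last command run
function enable_easyblock {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
  if [[ ! -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} ${conf} not present, nothing to block"
    return 0
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"

  local direction interface address port protocol chain line
  local -a rule
  while read -r direction interface address port protocol _ || [[ -n "${direction}" ]]; do
    [[ ${direction} == "#"* ]] && continue
    [[ -z ${direction} ]] && continue
    line="${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
    case ${direction} in
      IN) chain="${InEasyBlock}" ;;
      OUT) chain="${OutEasyBlock}" ;;
      *)
        ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${line}"
        continue
        ;;
    esac
    # iptables refuses --dport without a protocol; report it as a config
    # error instead of silently ending up with no block for that line.
    if [[ -n ${port} && ${port} != "-" ]] && [[ -z ${protocol} || ${protocol} == "-" ]]; then
      ${display} RED "easyblock.conf: Error - a port requires a protocol: ${line}"
      continue
    fi
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Read: ${line}"

    # Build the rule as an argument array: a "-" field contributes nothing and
    # the interface/address option depends on the direction.
    rule=(-A "${chain}")
    if [[ -n ${interface} && ${interface} != "-" ]]; then
      if [[ ${direction} == "IN" ]]; then rule+=(-i "${interface}"); else rule+=(-o "${interface}"); fi
    fi
    if [[ -n ${address} && ${address} != "-" ]]; then
      if [[ ${direction} == "IN" ]]; then rule+=(-s "${address}"); else rule+=(-d "${address}"); fi
    fi
    [[ -n ${protocol} && ${protocol} != "-" ]] && rule+=(-p "${protocol}")
    [[ -n ${port} && ${port} != "-" ]] && rule+=(--dport "${port}")
    ${VER_IPTABLES} "${rule[@]}" -j DROP
  done < "${conf}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}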
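# enable_filtering (ipv4|ipv6)
# Load the access list ${FWCONFIGDIR}/ipv${IPVER}/acl.conf into the
# In/OutFilter chains.
#
# File format, one rule per line:
#   "<IN|OUT> <ACCEPT|DROP|REJECT> <interface> <srcaddress> <srcport> <dstaddress> <dstport> <protocol>"
#   A field of "-" (or a missing trailing field) is omitted from the rule.
#   IN -> ${InFilter} with -i, OUT -> ${OutFilter} with -o.
#   REJECT uses --reject-with tcp-reset only when the protocol is tcp;
#   iptables rejects that option for any other protocol, so those get the
#   default ICMP reject instead of failing to load.
# Lines starting with '#' and blank lines are skipped; a bad line is reported
# and skipped so the remaining rules still load.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, InFilter, OutFilter (read)
# Outputs:   per-line errors via ${display}, progress via ${debug}
# Returns:   status of the last command run
function enable_filtering {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
  if [[ ! -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} ${conf} not present, no filter rules loaded"
    return 0
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"

  local direction action interface srcaddress srcport dstaddress dstport protocol chain line
  local -a rule target
  while read -r direction action interface srcaddress srcport dstaddress dstport protocol _ || [[ -n "${direction}" ]]; do
    [[ ${direction} == "#"* ]] && continue
    [[ -z ${direction} ]] && continue
    line="${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
    case ${direction} in
      IN) chain="${InFilter}" ;;
      OUT) chain="${OutFilter}" ;;
      *)
        ${display} RED "acl.conf: Error - must begin with IN/OUT: ${line}"
        continue
        ;;
    esac
    case ${action} in
      ACCEPT|DROP|REJECT) ;;
      *)
        ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${line}"
        continue
        ;;
    esac
    ${debug} "${DebugColor}${FUNCNAME}:${line}"

    # Build the rule as an argument array so no value is re-split by the shell.
    rule=(-A "${chain}")
    if [[ -n ${interface} && ${interface} != "-" ]]; then
      if [[ ${direction} == "IN" ]]; then rule+=(-i "${interface}"); else rule+=(-o "${interface}"); fi
    fi
    [[ -n ${protocol} && ${protocol} != "-" ]] && rule+=(-p "${protocol}")
    [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
    [[ -n ${srcport} && ${srcport} != "-" ]] && rule+=(--sport "${srcport}")
    [[ -n ${dstaddress} && ${dstaddress} != "-" ]] && rule+=(-d "${dstaddress}")
    [[ -n ${dstport} && ${dstport} != "-" ]] && rule+=(--dport "${dstport}")

    target=("${action}")
    if [[ ${action} == "REJECT" ]]; then
      case ${protocol} in
        tcp|TCP) target+=(--reject-with tcp-reset) ;;
      esac
    fi
    ${VER_IPTABLES} "${rule[@]}" -j "${target[@]}"
  done < "${conf}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}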
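# enable_forwarding (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/forward.conf into the FwdFilter chain.
#
# File format, one rule per line:
#   "<ACCEPT|DROP> <srcinterface> <srcaddress> <dstinterface> <dstaddress> <bidirectional>"
#   A field of "-" (or a missing trailing field) is omitted from the rule.
#   bidirectional "yes" adds a second rule with interfaces and addresses
#   swapped (src as -o/-d, dst as -i/-s).
#   When connection tracking is on for the family, ACCEPT rules carry
#   "${M_STATE} ${C_STATE} ESTABLISHED,RELATED"; DROP rules never do.
# Lines starting with '#' and blank lines are skipped; a bad line is reported
# and skipped so the remaining rules still load.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, FwdFilter, M_STATE, C_STATE,
#            Enablev4ConnectionTracking, Enablev6ConnectionTracking (read)
# Outputs:   per-line errors via ${display}, progress via ${debug}
# Returns:   status of the last command run
function enable_forwarding {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
  if [[ ! -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} ${conf} not present, no forwarding rules loaded"
    return 0
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"

  # State match used on ACCEPT rules when conntrack is on for this family.
  # NOTE(review): as in the original, the forward direction also carries
  # ESTABLISHED,RELATED, so a NEW flow is never matched by an ACCEPT rule
  # from this file - confirm that is the intended design.
  local -a state_match=()
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
     || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
    state_match=(${M_STATE} ${C_STATE} ESTABLISHED,RELATED)
  fi

  local action srcinterface srcaddress dstinterface dstaddress bidirectional line
  local -a fwd_rule rev_rule state
  while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional _ || [[ -n "${action}" ]]; do
    [[ ${action} == "#"* ]] && continue
    [[ -z ${action} ]] && continue
    line="${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional}"
    if [[ ${action} != "ACCEPT" && ${action} != "DROP" ]]; then
      ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP: ${line}"
      continue
    fi
    ${debug} "${DebugColor}${FUNCNAME}:${line}"

    # Everything is rebuilt per line so nothing leaks from the previous one
    # (the reverse-direction options and the cleared state match used to).
    state=()
    [[ ${action} == "ACCEPT" ]] && state=("${state_match[@]}")
    fwd_rule=(-A "${FwdFilter}")
    rev_rule=(-A "${FwdFilter}")
    if [[ -n ${srcinterface} && ${srcinterface} != "-" ]]; then
      fwd_rule+=(-i "${srcinterface}")
      rev_rule+=(-o "${srcinterface}")
    fi
    if [[ -n ${srcaddress} && ${srcaddress} != "-" ]]; then
      fwd_rule+=(-s "${srcaddress}")
      rev_rule+=(-d "${srcaddress}")
    fi
    if [[ -n ${dstinterface} && ${dstinterface} != "-" ]]; then
      fwd_rule+=(-o "${dstinterface}")
      rev_rule+=(-i "${dstinterface}")
    fi
    if [[ -n ${dstaddress} && ${dstaddress} != "-" ]]; then
      fwd_rule+=(-d "${dstaddress}")
      rev_rule+=(-s "${dstaddress}")
    fi

    ${VER_IPTABLES} "${fwd_rule[@]}" "${state[@]}" -j "${action}"
    if [[ ${bidirectional} == "yes" ]]; then
      ${VER_IPTABLES} "${rev_rule[@]}" "${state[@]}" -j "${action}"
    fi
  done < "${conf}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}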
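# enable_nat (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/nat.conf into the NAT chain (nat table) and
# add the matching RELATED,ESTABLISHED accept rule to the FwdFilter chain.
# Refuses to run unless connection tracking is enabled for the family.
#
# File format, one rule per line:
#   "<SNAT|MASQ|NETMAP> <srcinterface> <srcaddress> <dstinterface> <dstaddress>"
#   A field of "-" (or a missing trailing field) is omitted from the rule.
#   MASQ   - needs dstinterface; dstaddress must be "-"
#   SNAT   - needs dstaddress (the --to-source address)
#   NETMAP - needs srcaddress (matched with -d) and dstaddress (the --to network)
# Lines starting with '#' and blank lines are skipped; a bad line is reported
# and skipped so the remaining rules still load.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, NAT, FwdFilter, M_STATE, C_STATE,
#            Enablev4ConnectionTracking, Enablev6ConnectionTracking (read)
# Outputs:   errors via ${display}, progress via ${debug}
# Returns:   1 when conntrack is off for the family, else status of the last command
function enable_nat {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  # NAT depends on conntrack; refuse to load rules that cannot work.
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} != "yes" ]]; then
    ${display} RED "${FUNCNAME}: ERROR: ${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no"
    return 1
  fi
  if [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} != "yes" ]]; then
    ${display} RED "${FUNCNAME}: ERROR: ${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no"
    return 1
  fi

  local conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
  if [[ ! -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} ${conf} not present, no NAT rules loaded"
    return 0
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"

  local type srcinterface srcaddress dstinterface dstaddress line
  local -a nat_rule fwd_rule
  while read -r type srcinterface srcaddress dstinterface dstaddress _ || [[ -n "${type}" ]]; do
    [[ ${type} == "#"* ]] && continue
    [[ -z ${type} ]] && continue
    line="${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"

    # Both rules are rebuilt per line as argument arrays, so an incomplete
    # line can never pick up the target of the previous one.
    nat_rule=(-A "${NAT}" -t nat)
    fwd_rule=(-A "${FwdFilter}" ${M_STATE} ${C_STATE} RELATED,ESTABLISHED)
    case ${type} in
      MASQ)
        if [[ -z ${dstinterface} || ${dstinterface} == "-" ]]; then
          ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${line}"
          continue
        fi
        if [[ -n ${dstaddress} && ${dstaddress} != "-" ]]; then
          ${display} RED "nat.conf: Error - MASQ rule does not take a destination address: ${line}"
          continue
        fi
        [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && nat_rule+=(-s "${srcaddress}")
        nat_rule+=(-j MASQUERADE -o "${dstinterface}")
        ;;
      SNAT)
        if [[ -z ${dstaddress} || ${dstaddress} == "-" ]]; then
          ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${line}"
          continue
        fi
        [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && nat_rule+=(-s "${srcaddress}")
        nat_rule+=(-j SNAT)
        [[ -n ${dstinterface} && ${dstinterface} != "-" ]] && nat_rule+=(-o "${dstinterface}")
        nat_rule+=(--to-source "${dstaddress}")
        ;;
      NETMAP)
        # Both networks are mandatory; an incomplete line is rejected rather
        # than loaded with a guessed target.
        if [[ -z ${srcaddress} || ${srcaddress} == "-" || -z ${dstaddress} || ${dstaddress} == "-" ]]; then
          ${display} RED "nat.conf: Error - NETMAP rule needs both a source and a destination network: ${line}"
          continue
        fi
        nat_rule+=(-d "${srcaddress}" -j NETMAP)
        [[ -n ${dstinterface} && ${dstinterface} != "-" ]] && nat_rule+=(-o "${dstinterface}")
        nat_rule+=(--to "${dstaddress}")
        ;;
      *)
        ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${line}"
        continue
        ;;
    esac
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Read: ${line}"

    # Matching forward rule, as before: NETMAP matches its network on -d.
    [[ -n ${srcinterface} && ${srcinterface} != "-" ]] && fwd_rule+=(-i "${srcinterface}")
    if [[ -n ${srcaddress} && ${srcaddress} != "-" ]]; then
      if [[ ${type} == "NETMAP" ]]; then fwd_rule+=(-d "${srcaddress}"); else fwd_rule+=(-s "${srcaddress}"); fi
    fi
    [[ -n ${dstinterface} && ${dstinterface} != "-" ]] && fwd_rule+=(-o "${dstinterface}")

    ${VER_IPTABLES} "${nat_rule[@]}"
    ${VER_IPTABLES} "${fwd_rule[@]}" -j ACCEPT
  done < "${conf}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}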
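# enable_services (ipv4|ipv6)
# Open inbound services listed in ${FWCONFIGDIR}/ipv${IPVER}/services.conf by
# adding ACCEPT rules to the InFilter chain.
#
# File format, one rule per line: "<service> <protocol> <interface> <address> <srcaddress>"
#   service  - destination port or service name; a comma separated list uses
#              "-m multiport --dports"
#   protocol - mandatory (-p)
#   interface  "-" or -i; address "-" or -d (local address); srcaddress "-" or -s
#   With connection tracking on for the family the rule carries
#   "${M_STATE} ${C_STATE} NEW".
# Lines starting with '#' and blank lines are skipped; a bad line is reported
# and skipped so the remaining rules still load.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals:   IP_VERSION, VER_IPTABLES, IPVER (written, left set for callers)
#            FWCONFIGDIR, InFilter, M_STATE, C_STATE,
#            Enablev4ConnectionTracking, Enablev6ConnectionTracking (read)
# Outputs:   per-line errors via ${display}, progress via ${debug}
# Returns:   status of the last command run
function enable_services {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  local conf="${FWCONFIGDIR}/ipv${IPVER}/services.conf"
  if [[ ! -e "${conf}" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} ${conf} not present, no services opened"
    return 0
  fi
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"

  # With conntrack on, only NEW packets need these rules; the rest of the
  # flow is handled by the conntrack rules in the pre-chains.
  local -a state_match=()
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
     || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
    state_match=(${M_STATE} ${C_STATE} NEW)
  fi

  local service protocol interface address srcaddress line
  local -a rule
  while read -r service protocol interface address srcaddress _ || [[ -n "${service}" ]]; do
    [[ ${service} == "#"* ]] && continue
    [[ -z ${service} ]] && continue
    line="${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
    if [[ ${service} == "-" ]]; then
      ${display} RED "services.conf: Error - must begin with service name or port number: ${line}"
      continue
    fi
    if [[ -z ${protocol} || ${protocol} == "-" ]]; then
      ${display} RED "services.conf: Error - protocol can not be empty: ${line}"
      continue
    fi
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Read: ${line}"

    # Build the rule as an argument array so no value is re-split by the shell.
    rule=(-A "${InFilter}" -p "${protocol}")
    if [[ ${service} == *,* ]]; then
      rule+=(-m multiport --dports "${service}")
    else
      rule+=(--dport "${service}")
    fi
    [[ -n ${interface} && ${interface} != "-" ]] && rule+=(-i "${interface}")
    # 4th field is the local (destination) address; it used to be written
    # into srcaddress by mistake and then passed to iptables as a bare token.
    [[ -n ${address} && ${address} != "-" ]] && rule+=(-d "${address}")
    [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
    ${VER_IPTABLES} "${rule[@]}" "${state_match[@]}" -j ACCEPT
  done < "${conf}"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}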
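# Append the stateful rule set to the pre-rules chains, optionally restricted
# to one interface: accept ESTABLISHED,RELATED and drop INVALID, both ways.
# Arguments: $1 - interface name, or empty for every interface
# Globals:   VER_IPTABLES, InPreRules, OutPreRules, M_STATE, C_STATE (read)
# Returns:   status of the last ${VER_IPTABLES} call
_fw_conntrack_rules() {
  local -a out_if=() in_if=()
  if [[ -n $1 ]]; then
    out_if=(-o "$1")
    in_if=(-i "$1")
  fi
  ${VER_IPTABLES} -A ${OutPreRules} "${out_if[@]}" ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  ${VER_IPTABLES} -A ${InPreRules} "${in_if[@]}" ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  ${VER_IPTABLES} -A ${OutPreRules} "${out_if[@]}" ${M_STATE} ${C_STATE} INVALID -j DROP
  ${VER_IPTABLES} -A ${InPreRules} "${in_if[@]}" ${M_STATE} ${C_STATE} INVALID -j DROP
}

# enable_conntrack_int (ipv4|ipv6) (all|"iface ...")
# Enable connection tracking in the In/OutPreRules chains, either on every
# interface ("all") or on each interface of a whitespace separated list.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
#            $2 - "all" or a whitespace separated list of interface names
# Globals:   IP_VERSION, VER_IPTABLES, IPVER, conntrack_int (written, left set)
#            InPreRules, OutPreRules, M_STATE, C_STATE (read)
# Outputs:   progress via ${debug}
# Returns:   status of the last command run
function enable_conntrack_int {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  conntrack_int="$2"

  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} loading"

  if [[ ${conntrack_int} == "all" ]]; then
    ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
    _fw_conntrack_rules ""
  else
    local iface
    # conntrack_int is a whitespace separated list; word splitting is intended.
    # shellcheck disable=SC2086
    for iface in ${conntrack_int}; do
      ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${iface}"
      _fw_conntrack_rules "${iface}"
    done
  fi
  # (A stray "fi" after this point used to make the file unparseable.)
  ${debug} "${DebugColor}${FUNCNAME}:${DEFAULT_COLOR} done"
}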