master
parent
cfec384825
commit
75472cf87f
|
@ -28,11 +28,12 @@ FWLIBDIR="${FWPREFIX}/lib/srfirewall"
|
||||||
FWBINDIR="${FWPREFIX}/bin"
|
FWBINDIR="${FWPREFIX}/bin"
|
||||||
|
|
||||||
# Begin sourcing critical files, because we need things like path right away
|
# Begin sourcing critical files, because we need things like path right away
|
||||||
source "${FWCONFIGDIR}/main.conf"
|
|
||||||
source "${FWLIBDIR}/binaries.inc"
|
source "${FWLIBDIR}/binaries.inc"
|
||||||
source "${FWLIBDIR}/iptables.inc"
|
source "${FWLIBDIR}/iptables.inc"
|
||||||
source "${FWLIBDIR}/display.inc"
|
source "${FWLIBDIR}/display.inc"
|
||||||
|
|
||||||
|
source "${FWCONFIGDIR}/main.conf"
|
||||||
|
|
||||||
source "${FWCONFIGDIR}/chains.conf"
|
source "${FWCONFIGDIR}/chains.conf"
|
||||||
source "${FWCONFIGDIR}/ipv4.conf"
|
source "${FWCONFIGDIR}/ipv4.conf"
|
||||||
source "${FWCONFIGDIR}/ipv6.conf"
|
source "${FWCONFIGDIR}/ipv6.conf"
|
||||||
|
@ -54,6 +55,56 @@ else
|
||||||
display="true"
|
display="true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Swap out display_c command for dummy command if they don't want
|
||||||
|
# debug output when command is run.
|
||||||
|
if [[ "${DisplayDebugInfo}" == "yes" ]]; then
|
||||||
|
debug="display_c"
|
||||||
|
else
|
||||||
|
debug="true"
|
||||||
|
fi
|
||||||
|
|
||||||
|
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
|
# ${display} RED "You must be root to run this script."
|
||||||
|
# exit 2
|
||||||
|
#fi
|
||||||
|
|
||||||
|
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
|
${display} RED "iptables command not found. Please make sure you have the iptables"
|
||||||
|
${display} RED "installed (package or source) and you have the IPTABLES option properly"
|
||||||
|
${display} RED "defined in the 'main.conf' file if needed."
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
|
${display} RED "ip6tables command not found. Please make sure you have the iptables"
|
||||||
|
${display} RED "installed (package or source) and you have the IP6TABLES option properly"
|
||||||
|
${display} RED "defined in the 'main.conf' file if needed."
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
|
${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
|
||||||
|
if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then
|
||||||
|
${display} RED "Module ${IP4TablesMod} failed to load."
|
||||||
|
${display} RED "Will continue with IPv4 disabled."
|
||||||
|
EnableIPv4="no"
|
||||||
|
else
|
||||||
|
${display} GREEN "Module successfully loaded."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
|
${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
|
||||||
|
if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then
|
||||||
|
${display} RED "Module ${IP6TablesMod} failed to load."
|
||||||
|
${display} RED "Will continue with IPv6 disabled."
|
||||||
|
EnableIPv6="no"
|
||||||
|
else
|
||||||
|
${display} GREEN "Module successfully loaded."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ "${EnableIPv4}" == "yes" ]]; then
|
if [[ "${EnableIPv4}" == "yes" ]]; then
|
||||||
# First flush all rules
|
# First flush all rules
|
||||||
iptables_rules_flush ipv4
|
iptables_rules_flush ipv4
|
||||||
|
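Review bot: The new module-load checks at the `if ! \`${MODPROBE} ${IP4TablesMod} &>/dev/null\`` line and its IPv6 twin never see modprobe's exit status: the backticks run modprobe inside a command substitution, its output is redirected away, and the empty result becomes the (null) command under test, so the `else` branch's "Module successfully loaded." is not reliably reached and the script may fall through to disabling the protocol regardless of what modprobe did. A second defect compounds it: this hunk reads `${IP4TablesMod}`, while the binaries.inc hunk in this same commit defines the variable as `IPTablesMod="ip_tables"`, so the IPv4 modprobe is invoked with an empty module name. Drop the backticks, quote the expansions and use the name binaries.inc defines: `if ! "${MODPROBE}" "${IPTablesMod}" &>/dev/null; then` for IPv4 and `if ! "${MODPROBE}" "${IP6TablesMod}" &>/dev/null; then` for IPv6. Since the commented-out root check above these blocks is now dead code, it is worth either restoring it or recording in a comment why a privilege check is not wanted here.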
@ -71,3 +122,4 @@ if [[ "${EnableIPv6}" == "yes" ]]; then
|
||||||
# customized by users in their custom rules
|
# customized by users in their custom rules
|
||||||
setup_iptables_chains ipv6
|
setup_iptables_chains ipv6
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
# This file is sourced by the main srfirewall program to inject
|
|
||||||
# custom commands/rules during specific moments of the firewall
|
|
||||||
# setup.
|
|
||||||
#
|
|
||||||
# In particular this file injects/commands rules:
|
|
||||||
# Before the main chains are setup.
|
|
|
@ -8,4 +8,18 @@ EnableIPv4="yes"
|
||||||
EnableIPv6="yes"
|
EnableIPv6="yes"
|
||||||
|
|
||||||
# Display detailed output while running script?
|
# Display detailed output while running script?
|
||||||
DisplayDetailedOutput="yes"
|
DisplayDetailedOutput="yes"
|
||||||
|
|
||||||
|
# Display alot of extra debugging info?
|
||||||
|
DisplayDebugInfo="yes"
|
||||||
|
|
||||||
|
# Debug Override?
|
||||||
|
# I use this command to disable checks while debugging scripts
|
||||||
|
# where I don't want certain sanity checks to run. Normally,
|
||||||
|
# keep this off in production
|
||||||
|
DebugOverride="no"
|
||||||
|
|
||||||
|
# Manually override location of iptables/ip6tables if needed
|
||||||
|
# otherwise detect automatically with 'which'
|
||||||
|
#IPTABLES="/sbin/iptables"
|
||||||
|
#IP6TABLES="/sbin/ip6tables"
|
||||||
|
|
|
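Review bot: The `DebugOverride` comment says it disables "certain sanity checks" without naming them, and calls the setting a "command"; from the srfirewall hunk in this commit the skipped checks are the executable checks on `IPTABLES`/`IP6TABLES` and the `/proc/net/ip_tables_names` / `ip6_tables_names` module checks, so the comment should state that, e.g. `# When "yes", srfirewall skips the iptables/ip6tables binary checks and the netfilter module checks. Keep "no" in production.`. The `DisplayDebugInfo` comment could likewise note what it controls: when "yes" the per-chain "Setting up …" lines in iptables.inc are printed via display_c, otherwise they are suppressed. The "alot" in that comment is a typo for "a lot".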
@ -22,3 +22,6 @@
|
||||||
MODPROBE=`which modprobe`
|
MODPROBE=`which modprobe`
|
||||||
IPTABLES=`which iptables`
|
IPTABLES=`which iptables`
|
||||||
IP6TABLES=`which ip6tables`
|
IP6TABLES=`which ip6tables`
|
||||||
|
|
||||||
|
IPTablesMod="ip_tables"
|
||||||
|
IP6TablesMod="ip6_tables"
|
|
@ -84,34 +84,34 @@ function setup_iptables_chains {
|
||||||
# Set up rules - the order matters - we do it separately here
|
# Set up rules - the order matters - we do it separately here
|
||||||
# for easy viewing of order
|
# for easy viewing of order
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
|
||||||
${display} GREEN "Setting up InPreRules"
|
${debug} PURPLE "Setting up InPreRules"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InPreRules}
|
${VER_IPTABLES} -A INPUT -j ${InPreRules}
|
||||||
${display} GREEN "Setting up OutPreRules"
|
${debug} PURPLE "Setting up OutPreRules"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
|
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
|
||||||
${display} GREEN "Setting up Trusted"
|
${debug} PURPLE "Setting up Trusted"
|
||||||
${VER_IPTABLES} -A INPUT -j ${Trusted}
|
${VER_IPTABLES} -A INPUT -j ${Trusted}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
|
||||||
${display} GREEN "Setting up InEasyBlock"
|
${debug} PURPLE "Setting up InEasyBlock"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
|
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
|
||||||
${display} GREEN "Setting up OutEasyBlock"
|
${debug} PURPLE "Setting up OutEasyBlock"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
|
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
|
||||||
${display} GREEN "Setting up InFilter"
|
${debug} PURPLE "Setting up InFilter"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InFilter}
|
${VER_IPTABLES} -A INPUT -j ${InFilter}
|
||||||
${display} GREEN "Setting up OutFilter"
|
${debug} PURPLE "Setting up OutFilter"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
|
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
|
||||||
${display} GREEN "Setting up FwdFilter"
|
${debug} PURPLE "Setting up FwdFilter"
|
||||||
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
|
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
|
||||||
${display} GREEN "Setting up NAT"
|
${debug} PURPLE "Setting up NAT"
|
||||||
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
|
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
|
||||||
${display} GREEN "Setting up PortForward"
|
${debug} PURPLE "Setting up PortForward"
|
||||||
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
|
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
|
||||||
${display} GREEN "Setting up InPostRules"
|
${debug} PURPLE "Setting up InPostRules"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InPostRules}
|
${VER_IPTABLES} -A INPUT -j ${InPostRules}
|
||||||
${display} GREEN "Setting up OutPostRules"
|
${debug} PURPLE "Setting up OutPostRules"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
|
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
|
||||||
}
|
}
|
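Review bot: The rewritten `${debug} PURPLE "Setting up …"` lines depend on a `debug` global that this file never defines; it is only set in the main srfirewall script (in this commit), so if `setup_iptables_chains` is sourced and called from anywhere else — or before that assignment — each line expands to `PURPLE "Setting up …"` and fails with "command not found", and under `set -e` that aborts mid-way through chain setup with the firewall half-built. The same pre-existing dependency applied to `display`, so this is likely intentional, but it should be made explicit at the top of the function with `: "${debug:?debug display command not set}"` or a safe default such as `debug="${debug:-true}"`. The function's opening line is outside this hunk; only its closing brace is visible here.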