bbruns@gmail.com 2014-03-30 15:46:26 +00:00
parent cfec384825
commit 75472cf87f
5 changed files with 83 additions and 20 deletions

View File

@ -28,11 +28,12 @@ FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin" FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away # Begin sourcing critical files, because we need things like path right away
source "${FWCONFIGDIR}/main.conf"
source "${FWLIBDIR}/binaries.inc" source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc" source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc" source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/main.conf"
source "${FWCONFIGDIR}/chains.conf" source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf" source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf" source "${FWCONFIGDIR}/ipv6.conf"
@ -54,6 +55,56 @@ else
display="true" display="true"
fi fi
# Swap out display_c command for dummy command if they don't want
# debug output when command is run.
if [[ "${DisplayDebugInfo}" == "yes" ]]; then
debug="display_c"
else
debug="true"
fi
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
# ${display} RED "You must be root to run this script."
# exit 2
#fi
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "iptables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IPTABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "ip6tables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IP6TABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then
${display} RED "Module ${IP4TablesMod} failed to load."
${display} RED "Will continue with IPv4 disabled."
EnableIPv4="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then
${display} RED "Module ${IP6TablesMod} failed to load."
${display} RED "Will continue with IPv6 disabled."
EnableIPv6="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
if [[ "${EnableIPv4}" == "yes" ]]; then if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules # First flush all rules
iptables_rules_flush ipv4 iptables_rules_flush ipv4
@ -71,3 +122,4 @@ if [[ "${EnableIPv6}" == "yes" ]]; then
# customized by users in their custom rules # customized by users in their custom rules
setup_iptables_chains ipv6 setup_iptables_chains ipv6
fi fi

View File

@ -1,6 +0,0 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main chains are setup.

View File

@ -8,4 +8,18 @@ EnableIPv4="yes"
EnableIPv6="yes" EnableIPv6="yes"
# Display detailed output while running script? # Display detailed output while running script?
DisplayDetailedOutput="yes" DisplayDetailedOutput="yes"
# Display alot of extra debugging info?
DisplayDebugInfo="yes"
# Debug Override?
# I use this command to disable checks while debugging scripts
# where I don't want certain sanity checks to run. Normally,
# keep this off in production
DebugOverride="no"
# Manually override location of iptables/ip6tables if needed
# otherwise detect automatically with 'which'
#IPTABLES="/sbin/iptables"
#IP6TABLES="/sbin/ip6tables"

View File

@ -22,3 +22,6 @@
MODPROBE=`which modprobe` MODPROBE=`which modprobe`
IPTABLES=`which iptables` IPTABLES=`which iptables`
IP6TABLES=`which ip6tables` IP6TABLES=`which ip6tables`
IPTablesMod="ip_tables"
IP6TablesMod="ip6_tables"

View File

@ -84,34 +84,34 @@ function setup_iptables_chains {
# Set up rules - the order matters - we do it separately here # Set up rules - the order matters - we do it separately here
# for easy viewing of order # for easy viewing of order
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
${display} GREEN "Setting up InPreRules" ${debug} PURPLE "Setting up InPreRules"
${VER_IPTABLES} -A INPUT -j ${InPreRules} ${VER_IPTABLES} -A INPUT -j ${InPreRules}
${display} GREEN "Setting up OutPreRules" ${debug} PURPLE "Setting up OutPreRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
${display} GREEN "Setting up Trusted" ${debug} PURPLE "Setting up Trusted"
${VER_IPTABLES} -A INPUT -j ${Trusted} ${VER_IPTABLES} -A INPUT -j ${Trusted}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
${display} GREEN "Setting up InEasyBlock" ${debug} PURPLE "Setting up InEasyBlock"
${VER_IPTABLES} -A INPUT -j ${InEasyBlock} ${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${display} GREEN "Setting up OutEasyBlock" ${debug} PURPLE "Setting up OutEasyBlock"
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
${display} GREEN "Setting up InFilter" ${debug} PURPLE "Setting up InFilter"
${VER_IPTABLES} -A INPUT -j ${InFilter} ${VER_IPTABLES} -A INPUT -j ${InFilter}
${display} GREEN "Setting up OutFilter" ${debug} PURPLE "Setting up OutFilter"
${VER_IPTABLES} -A OUTPUT -j ${OutFilter} ${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${display} GREEN "Setting up FwdFilter" ${debug} PURPLE "Setting up FwdFilter"
${VER_IPTABLES} -A FORWARD -j ${FwdFilter} ${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
${display} GREEN "Setting up NAT" ${debug} PURPLE "Setting up NAT"
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT} ${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
${display} GREEN "Setting up PortForward" ${debug} PURPLE "Setting up PortForward"
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward} ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
${display} GREEN "Setting up InPostRules" ${debug} PURPLE "Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules} ${VER_IPTABLES} -A INPUT -j ${InPostRules}
${display} GREEN "Setting up OutPostRules" ${debug} PURPLE "Setting up OutPostRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
} }