master
parent
75472cf87f
commit
ac31e43197
|
@ -49,16 +49,24 @@ fi
|
||||||
|
|
||||||
# Swap out display_c command for dummy command if they don't want
|
# Swap out display_c command for dummy command if they don't want
|
||||||
# output when command is run.
|
# output when command is run.
|
||||||
if [[ "${DisplayDetailedOutput}" == "yes" ]]; then
|
if [ "${DisplayDetailedOutput}" == "yes" ]; then
|
||||||
display="display_c"
|
if [ "${ColorizeOut}" == "yes" ]; then
|
||||||
else
|
display="display_c"
|
||||||
|
else
|
||||||
|
display="display_m"
|
||||||
|
fi
|
||||||
|
else
|
||||||
display="true"
|
display="true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Swap out display_c command for dummy command if they don't want
|
# Swap out display_c command for dummy command if they don't want
|
||||||
# debug output when command is run.
|
# debug output when command is run.
|
||||||
if [[ "${DisplayDebugInfo}" == "yes" ]]; then
|
if [ "${DisplayDebugInfo}" == "yes" ]; then
|
||||||
debug="display_c"
|
if [ "${ColorizeOut}" == "yes" ]; then
|
||||||
|
debug="display_c"
|
||||||
|
else
|
||||||
|
debug="display_m"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
debug="true"
|
debug="true"
|
||||||
fi
|
fi
|
||||||
|
@ -68,6 +76,8 @@ fi
|
||||||
# exit 2
|
# exit 2
|
||||||
#fi
|
#fi
|
||||||
|
|
||||||
|
|
||||||
|
# Basic sanity tests for ip{6}tables binaries and modules
|
||||||
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
|
||||||
${display} RED "iptables command not found. Please make sure you have the iptables"
|
${display} RED "iptables command not found. Please make sure you have the iptables"
|
||||||
${display} RED "installed (package or source) and you have the IPTABLES option properly"
|
${display} RED "installed (package or source) and you have the IPTABLES option properly"
|
||||||
|
@ -105,21 +115,44 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "${EnableIPv4}" == "yes" ]]; then
|
# Set up proper state matching variables, since there is old and new style.
|
||||||
|
if [ "$StateMatching" ]; then
|
||||||
|
case $StateMatching in
|
||||||
|
conntrack|CONNTRACK|*)
|
||||||
|
M_STATE="-m conntrack"
|
||||||
|
C_STATE="--ctstate"
|
||||||
|
;;
|
||||||
|
state|STATE)
|
||||||
|
M_STATE="-m state"
|
||||||
|
C_STATE="--state"
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
M_STATE="-m conntrack"
|
||||||
|
C_STATE="--ctstate"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Do IPv4 IPTables Rules
|
||||||
|
if [ "${EnableIPv4}" == "yes" ]; then
|
||||||
# First flush all rules
|
# First flush all rules
|
||||||
iptables_rules_flush ipv4
|
iptables_rules_flush ipv4
|
||||||
|
|
||||||
# Create the chain sets we'll need and the ones that can be
|
# Create the chain sets we'll need and the ones that can be
|
||||||
# customized by users in their custom rules
|
# customized by users in their custom rules
|
||||||
setup_iptables_chains ipv4
|
setup_iptables_chains ipv4
|
||||||
|
|
||||||
|
if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "${EnableIPv6}" == "yes" ]]; then
|
# Do IPv4 IPTables Rules
|
||||||
|
if [ "${EnableIPv6}" == "yes" ]; then
|
||||||
# First flush all rules
|
# First flush all rules
|
||||||
iptables_rules_flush ipv6
|
iptables_rules_flush ipv6
|
||||||
|
|
||||||
# Create the chain sets we'll need and the ones that can be
|
# Create the chain sets we'll need and the ones that can be
|
||||||
# customized by users in their custom rules
|
# customized by users in their custom rules
|
||||||
setup_iptables_chains ipv6
|
setup_iptables_chains ipv6
|
||||||
|
|
||||||
|
if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
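Review bot: The `case $StateMatching in` block added in the third hunk can never reach its `state|STATE)` arm, because the first arm is `conntrack|CONNTRACK|*)` and `*` matches every value, so `StateMatching="state"` still yields `-m conntrack --ctstate`. Put the wildcard arm last: `state|STATE) M_STATE="-m state"; C_STATE="--state" ;;` followed by `conntrack|CONNTRACK|*) M_STATE="-m conntrack"; C_STATE="--ctstate" ;;`. With the wildcard last, the surrounding `if [ "$StateMatching" ]` / `else` branch that repeats the conntrack defaults becomes redundant, since an empty value also falls through to `*`. The comment `# Do IPv4 IPTables Rules` above the `EnableIPv6` block is a copy-paste leftover and should read `# Do IPv6 IPTables Rules`. In the first hunk, `[[ … == … ]]` was rewritten as `[ … == … ]`; `==` inside `[` is still a bash extension, so the change gains no POSIX portability while giving up `[[`'s safer parsing.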
@ -1,2 +1,7 @@
|
||||||
# IPv4 Specific Configuration File
|
# IPv4 Specific Configuration File
|
||||||
#
|
#
|
||||||
|
|
||||||
|
# Allow everything over loopback (lo/127.0.0.0/8)
|
||||||
|
# Good idea to keep this turned on, but if you so wish to,
|
||||||
|
# you can disable it here.
|
||||||
|
AllowAllv4Loopback="yes"
|
|
@ -1,2 +1,7 @@
|
||||||
# IPv4 Specific Configuration File
|
# IPv4 Specific Configuration File
|
||||||
#
|
#
|
||||||
|
|
||||||
|
# Allow everything over loopback (lo ::1/28)
|
||||||
|
# Good idea to keep this turned on, but if you so wish to,
|
||||||
|
# you can disable it here.
|
||||||
|
AllowAllv6Loopback="yes"
|
|
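Review bot: The added comment `# Allow everything over loopback (lo ::1/28)` gives the wrong prefix; the IPv6 loopback address is `::1/128`. The `allow_all_loopback` function this option enables matches on the `lo` interface (`-i lo` / `-o lo`) rather than on an address, so the comment is clearer as `# Allow everything over the loopback interface (lo, ::1/128)`. The pre-existing header `# IPv4 Specific Configuration File` is also wrong for this IPv6 file and could be fixed in the same edit.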
@ -4,22 +4,38 @@
|
||||||
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
|
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
|
||||||
|
|
||||||
# Enable / Disable IPv4 and IPv6 support (yes/no)
|
# Enable / Disable IPv4 and IPv6 support (yes/no)
|
||||||
|
# Values: no | yes (both default)
|
||||||
EnableIPv4="yes"
|
EnableIPv4="yes"
|
||||||
EnableIPv6="yes"
|
EnableIPv6="yes"
|
||||||
|
|
||||||
# Display detailed output while running script?
|
# Display detailed output while running script?
|
||||||
|
# Values: no | yes (default)
|
||||||
DisplayDetailedOutput="yes"
|
DisplayDetailedOutput="yes"
|
||||||
|
|
||||||
# Display alot of extra debugging info?
|
# Display alot of extra debugging info?
|
||||||
|
# Values: no (default) | yes
|
||||||
DisplayDebugInfo="yes"
|
DisplayDebugInfo="yes"
|
||||||
|
|
||||||
# Debug Override?
|
# Debug Override?
|
||||||
# I use this command to disable checks while debugging scripts
|
# I use this command to disable checks while debugging scripts
|
||||||
# where I don't want certain sanity checks to run. Normally,
|
# where I don't want certain sanity checks to run. Normally,
|
||||||
# keep this off in production
|
# keep this off in production
|
||||||
|
# Values: no (default) | yes
|
||||||
DebugOverride="no"
|
DebugOverride="no"
|
||||||
|
|
||||||
|
# Colorize output?
|
||||||
|
# Values: no | yes (default)
|
||||||
|
ColorizeOut="yes"
|
||||||
|
|
||||||
|
# Color of debug output?
|
||||||
|
DebugColor="PURPLE"
|
||||||
|
|
||||||
# Manually override location of iptables/ip6tables if needed
|
# Manually override location of iptables/ip6tables if needed
|
||||||
# otherwise detect automatically with 'which'
|
# otherwise detect automatically with 'which'
|
||||||
#IPTABLES="/sbin/iptables"
|
#IPTABLES="/sbin/iptables"
|
||||||
#IP6TABLES="/sbin/ip6tables"
|
#IP6TABLES="/sbin/ip6tables"
|
||||||
|
|
||||||
|
# There are two types of state matches available, old style
|
||||||
|
# state matching using '--state' and new style '--ctstate'
|
||||||
|
# Values: state | conntrack (default)
|
||||||
|
StateMatching="conntrack"
|
|
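Review bot: The new `# Values: no (default) | yes` line above `DisplayDebugInfo="yes"` documents a default that the shipped value contradicts; either set `DisplayDebugInfo="no"` to match, or change the comment to `# Values: no | yes (default)`. `DebugColor="PURPLE"` is the only new option without a `# Values:` line, so a reader cannot tell which names are accepted; the accepted names live in `pick_color`, which is outside this diff, but a `# Values: one of the color names known to pick_color` hint would help. The `StateMatching` comment should also say that an empty value falls back to conntrack, since the main script treats an unset value that way.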
@ -45,6 +45,16 @@ function display_c {
|
||||||
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
|
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Monochrome version of above
|
||||||
|
function display_m {
|
||||||
|
unset TEXT NEWLINE
|
||||||
|
TEXT="$2"
|
||||||
|
if [ "$3" == "N" ]; then
|
||||||
|
NEWLINE="-n"
|
||||||
|
fi
|
||||||
|
echo -e $NEWLINE "$TEXT"
|
||||||
|
}
|
||||||
|
|
||||||
# pick_color $COLOR
|
# pick_color $COLOR
|
||||||
# returns appropriate color codes for use in display_c and such
|
# returns appropriate color codes for use in display_c and such
|
||||||
function pick_color {
|
function pick_color {
|
||||||
|
|
|
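Review bot: `display_m` silently discards its first argument (the color name) so that it can be substituted for `display_c` unchanged, but that contract is not written down; add above the function `# display_m COLOR TEXT [N]: same arguments as display_c; COLOR is ignored, N suppresses the trailing newline`. Like `display_c` it writes through the global `TEXT` and `NEWLINE` rather than `local` variables, and `echo -e` interprets backslash escapes in the message. If no caller relies on escape interpretation, `local fmt='%s\n'; [ "$3" == "N" ] && fmt='%s'; printf "$fmt" "$2"` prints the message literally without touching globals; `echo -e $NEWLINE` in the same function is unquoted on purpose so an empty value adds no argument, which deserves a one-line comment if the echo form is kept.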
@ -29,7 +29,7 @@ function iptables_rules_flush {
|
||||||
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
||||||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
||||||
esac
|
esac
|
||||||
${display} RED "Flushing ${IP_VERSION} rules..."
|
${display} GREEN "Flushing ${IP_VERSION} rules..."
|
||||||
${VER_IPTABLES} --flush &>/dev/null
|
${VER_IPTABLES} --flush &>/dev/null
|
||||||
${VER_IPTABLES} -F OUTPUT &>/dev/null
|
${VER_IPTABLES} -F OUTPUT &>/dev/null
|
||||||
${VER_IPTABLES} -F PREROUTING &>/dev/null
|
${VER_IPTABLES} -F PREROUTING &>/dev/null
|
||||||
|
@ -84,34 +84,47 @@ function setup_iptables_chains {
|
||||||
# Set up rules - the order matters - we do it separately here
|
# Set up rules - the order matters - we do it separately here
|
||||||
# for easy viewing of order
|
# for easy viewing of order
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
|
||||||
${debug} PURPLE "Setting up InPreRules"
|
${debug} ${DebugColor} "Setting up InPreRules"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InPreRules}
|
${VER_IPTABLES} -A INPUT -j ${InPreRules}
|
||||||
${debug} PURPLE "Setting up OutPreRules"
|
${debug} ${DebugColor} "Setting up OutPreRules"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
|
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
|
||||||
${debug} PURPLE "Setting up Trusted"
|
${debug} ${DebugColor} "Setting up Trusted"
|
||||||
${VER_IPTABLES} -A INPUT -j ${Trusted}
|
${VER_IPTABLES} -A INPUT -j ${Trusted}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
|
||||||
${debug} PURPLE "Setting up InEasyBlock"
|
${debug} ${DebugColor} "Setting up InEasyBlock"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
|
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
|
||||||
${debug} PURPLE "Setting up OutEasyBlock"
|
${debug} ${DebugColor} "Setting up OutEasyBlock"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
|
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
|
||||||
${debug} PURPLE "Setting up InFilter"
|
${debug} ${DebugColor} "Setting up InFilter"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InFilter}
|
${VER_IPTABLES} -A INPUT -j ${InFilter}
|
||||||
${debug} PURPLE "Setting up OutFilter"
|
${debug} ${DebugColor} "Setting up OutFilter"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
|
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
|
||||||
${debug} PURPLE "Setting up FwdFilter"
|
${debug} ${DebugColor} "Setting up FwdFilter"
|
||||||
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
|
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
|
||||||
${debug} PURPLE "Setting up NAT"
|
${debug} ${DebugColor} "Setting up NAT"
|
||||||
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
|
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
|
||||||
${debug} PURPLE "Setting up PortForward"
|
${debug} ${DebugColor} "Setting up PortForward"
|
||||||
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
|
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
|
||||||
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
|
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
|
||||||
${debug} PURPLE "Setting up InPostRules"
|
${debug} ${DebugColor} "Setting up InPostRules"
|
||||||
${VER_IPTABLES} -A INPUT -j ${InPostRules}
|
${VER_IPTABLES} -A INPUT -j ${InPostRules}
|
||||||
${debug} PURPLE "Setting up OutPostRules"
|
${debug} ${DebugColor} "Setting up OutPostRules"
|
||||||
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
|
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
|
||||||
|
}
|
||||||
|
|
||||||
|
function allow_all_loopback {
|
||||||
|
IP_VERSION=$1
|
||||||
|
case $IP_VERSION in
|
||||||
|
ipv6) VER_IPTABLES=${IP6TABLES};
|
||||||
|
IPVER="6" ;;
|
||||||
|
ipv4|*) VER_IPTABLES=${IPTABLES}
|
||||||
|
IPVER="4" ;;
|
||||||
|
esac
|
||||||
|
${debug} ${DebugColor} "allow_all_loopback: loaded"
|
||||||
|
${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
|
||||||
|
${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
|
||||||
}
|
}
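Review bot: `${debug} ${DebugColor} "Setting up InPreRules"` and every other `${DebugColor}` line in this hunk, including the one in `allow_all_loopback`, pass the color unquoted and with no fallback; if `DebugColor` is unset or empty in the config, the message string itself becomes the first argument and is taken as the color name, so the debug line is lost or garbled. Use `"${DebugColor:-PURPLE}"` to keep the previous hard-coded color as the fallback. In `allow_all_loopback`, `IP_VERSION`, `VER_IPTABLES` and `IPVER` are assigned as globals, matching the sibling functions but leaking into the caller, and `IPVER` is set in both `case` arms yet never read in the function; `local` on the first two and dropping `IPVER` would tidy it. The `-i lo -j ACCEPT` / `-o lo -j ACCEPT` rules trust the interface rather than an address, which is the right choice, though on their own they do not reject loopback-sourced packets arriving on other interfaces; that is normally covered by the kernel's martian filtering and could be noted in the comment above the function.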
|