2014-03-30 16:16:22 +00:00 · 2014-03-30 16:16:22 +00:00 · ac31e43197
commit ac31e43197
parent 75472cf87f
6 changed files with 104 additions and 22 deletions
--- a/bin/srfirewall
+++ b/bin/srfirewall
@ -49,16 +49,24 @@ fi

 # Swap out display_c command for dummy command if they don't want
 # output when command is run.
-if [[ "${DisplayDetailedOutput}" == "yes" ]]; then
-	display="display_c"
-else
+if [ "${DisplayDetailedOutput}" == "yes" ]; then
+	if [ "${ColorizeOut}" == "yes" ]; then
+		display="display_c"
+	else
+		display="display_m"
+	fi
+	else
 	display="true"
 fi

 # Swap out display_c command for dummy command if they don't want
 # debug output when command is run.
-if [[ "${DisplayDebugInfo}" == "yes" ]]; then
-	debug="display_c"
+if [ "${DisplayDebugInfo}" == "yes" ]; then
+	if [ "${ColorizeOut}" == "yes" ]; then
+		debug="display_c"
+	else
+		debug="display_m"
+	fi
 else
 	debug="true"
 fi
@ -68,6 +76,8 @@ fi
 #	exit 2
 #fi

+
+# Basic sanity tests for ip{6}tables binaries and modules
 if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
 	${display} RED "iptables command not found.  Please make sure you have the iptables"
 	${display} RED "installed (package or source) and you have the IPTABLES option properly"
@ -105,21 +115,44 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
 	fi
 fi

-if [[ "${EnableIPv4}" == "yes" ]]; then
+# Set up proper state matching variables, since there is old and new style.
+if [ "$StateMatching" ]; then
+	case $StateMatching in
+		conntrack|CONNTRACK|*)
+			M_STATE="-m conntrack"
+			C_STATE="--ctstate"
+			;;
+		state|STATE)
+			M_STATE="-m state"
+			C_STATE="--state"
+	esac
+else
+	M_STATE="-m conntrack"
+	C_STATE="--ctstate"
+fi
+
+
+# Do IPv4 IPTables Rules
+if [ "${EnableIPv4}" == "yes" ]; then
 	# First flush all rules
 	iptables_rules_flush ipv4
 	
 	# Create the chain sets we'll need and the ones that can be
 	# customized by users in their custom rules
 	setup_iptables_chains ipv4
+	
+	if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi
 fi

-if [[ "${EnableIPv6}" == "yes" ]]; then
+# Do IPv4 IPTables Rules
+if [ "${EnableIPv6}" == "yes" ]; then
 	# First flush all rules
 	iptables_rules_flush ipv6
 	
 	# Create the chain sets we'll need and the ones that can be
 	# customized by users in their custom rules
 	setup_iptables_chains ipv6
+	
+	if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi
 fi

--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@ -1,2 +1,7 @@
 # IPv4 Specific Configuration File
-#
+#
+
+# Allow everything over loopback (lo/127.0.0.0/8)
+# Good idea to keep this turned on, but if you so wish to,
+# you can disable it here.
+AllowAllv4Loopback="yes"
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@ -1,2 +1,7 @@
 # IPv4 Specific Configuration File
-#
+#
+
+# Allow everything over loopback (lo ::1/28)
+# Good idea to keep this turned on, but if you so wish to,
+# you can disable it here.
+AllowAllv6Loopback="yes"
--- a/etc/main.conf
+++ b/etc/main.conf
@ -4,22 +4,38 @@
 PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"

 # Enable / Disable IPv4 and IPv6 support (yes/no)
+# Values: no | yes (both default)
 EnableIPv4="yes"
 EnableIPv6="yes"

 # Display detailed output while running script?
+# Values: no | yes (default)
 DisplayDetailedOutput="yes"

 # Display alot of extra debugging info?
+# Values: no (default) | yes
 DisplayDebugInfo="yes"

 # Debug Override?
 # I use this command to disable checks while debugging scripts
 # where I don't want certain sanity checks to run.  Normally,
 # keep this off in production
+# Values: no (default) | yes
 DebugOverride="no"

+# Colorize output?
+# Values: no | yes (default)
+ColorizeOut="yes"
+
+# Color of debug output?
+DebugColor="PURPLE"
+
 # Manually override location of iptables/ip6tables if needed
 # otherwise detect automatically with 'which'
 #IPTABLES="/sbin/iptables"
 #IP6TABLES="/sbin/ip6tables"
+
+# There are two types of state matches available, old style
+# state matching using '--state' and new style '--ctstate'
+# Values: state | conntrack (default)
+StateMatching="conntrack"
--- a/lib/display.inc
+++ b/lib/display.inc
@ -45,6 +45,16 @@ function display_c {
 	echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
 }

+# Monochrome version of above
+function display_m {
+	unset TEXT NEWLINE
+	TEXT="$2"
+	if [ "$3" == "N" ]; then
+		NEWLINE="-n"
+	fi
+	echo -e $NEWLINE "$TEXT"
+}
+
 # pick_color $COLOR
 # returns appropriate color codes for use in display_c and such
 function pick_color {
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@ -29,7 +29,7 @@ function iptables_rules_flush {
 		ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
 		ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
 	esac
-	${display} RED "Flushing ${IP_VERSION} rules..."
+	${display} GREEN "Flushing ${IP_VERSION} rules..."
 	${VER_IPTABLES} --flush &>/dev/null
 	${VER_IPTABLES} -F OUTPUT &>/dev/null
 	${VER_IPTABLES} -F PREROUTING &>/dev/null
@ -84,34 +84,47 @@ function setup_iptables_chains {
 	# Set up rules - the order matters - we do it separately here
 	# for easy viewing of order
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
-	${debug} PURPLE "Setting up InPreRules"
+	${debug} ${DebugColor} "Setting up InPreRules"
 	${VER_IPTABLES} -A INPUT -j ${InPreRules}
-	${debug} PURPLE "Setting up OutPreRules"
+	${debug} ${DebugColor} "Setting up OutPreRules"
 	${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
-	${debug} PURPLE "Setting up Trusted"
+	${debug} ${DebugColor} "Setting up Trusted"
 	${VER_IPTABLES} -A INPUT -j ${Trusted}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
-	${debug} PURPLE "Setting up InEasyBlock"
+	${debug} ${DebugColor} "Setting up InEasyBlock"
 	${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
-	${debug} PURPLE "Setting up OutEasyBlock"
+	${debug} ${DebugColor} "Setting up OutEasyBlock"
 	${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
-	${debug} PURPLE "Setting up InFilter"
+	${debug} ${DebugColor} "Setting up InFilter"
 	${VER_IPTABLES} -A INPUT -j ${InFilter}
-	${debug} PURPLE "Setting up OutFilter"
+	${debug} ${DebugColor} "Setting up OutFilter"
 	${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
-	${debug} PURPLE "Setting up FwdFilter"
+	${debug} ${DebugColor} "Setting up FwdFilter"
 	${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
-	${debug} PURPLE "Setting up NAT"
+	${debug} ${DebugColor} "Setting up NAT"
 	${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
-	${debug} PURPLE "Setting up PortForward"
+	${debug} ${DebugColor} "Setting up PortForward"
 	${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
-	${debug} PURPLE "Setting up InPostRules"
+	${debug} ${DebugColor} "Setting up InPostRules"
 	${VER_IPTABLES} -A INPUT -j ${InPostRules}
-	${debug} PURPLE "Setting up OutPostRules"
+	${debug} ${DebugColor} "Setting up OutPostRules"
 	${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
+}
+
+function allow_all_loopback {
+	IP_VERSION=$1
+	case $IP_VERSION in
+		ipv6) VER_IPTABLES=${IP6TABLES};
+				IPVER="6" ;;
+		ipv4|*) VER_IPTABLES=${IPTABLES}
+				IPVER="4" ;;
+	esac
+	${debug} ${DebugColor} "allow_all_loopback: loaded"
+	${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
+	${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
 }