master
parent
6161f8d978
commit
c94af28d78
|
@ -23,8 +23,8 @@ FW_VERSION="2.0"
|
||||||
|
|
||||||
# Important directory locations
|
# Important directory locations
|
||||||
FWPREFIX="/usr/local"
|
FWPREFIX="/usr/local"
|
||||||
FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg"
|
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
|
||||||
FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg"
|
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
|
||||||
FWBINDIR="${FWPREFIX}/bin"
|
FWBINDIR="${FWPREFIX}/bin"
|
||||||
|
|
||||||
# Begin sourcing critical files, because we need things like path right away
|
# Begin sourcing critical files, because we need things like path right away
|
||||||
|
@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
|
||||||
source "${FWLIBDIR}/iptables.inc"
|
source "${FWLIBDIR}/iptables.inc"
|
||||||
source "${FWLIBDIR}/display.inc"
|
source "${FWLIBDIR}/display.inc"
|
||||||
|
|
||||||
|
source "${FWCONFIGDIR}/chains.conf"
|
||||||
|
source "${FWCONFIGDIR}/ipv4.conf"
|
||||||
|
source "${FWCONFIGDIR}/ipv6.conf"
|
||||||
|
|
||||||
# We require at least bash v3 or later at this point given some of the more complex
|
# We require at least bash v3 or later at this point given some of the more complex
|
||||||
# operations we do to make the firewall script work.
|
# operations we do to make the firewall script work.
|
||||||
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
||||||
|
@ -41,3 +45,27 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
||||||
echo "writing, 4.x"
|
echo "writing, 4.x"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Swap out display_c command for dummy command if they don't want
|
||||||
|
# output when command is run.
|
||||||
|
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
|
||||||
|
display="display_c"
|
||||||
|
else
|
||||||
|
display="true"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "${EnableIPv4}" == "yes" ]]; then
|
||||||
|
# First flush all rules
|
||||||
|
iptables_rules_flush ipv4
|
||||||
|
|
||||||
|
# Create the chain sets we'll need and the ones that can be
|
||||||
|
# customized by users in their custom rules
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "${EnableIPv6}" == "yes" ]]; then
|
||||||
|
# First flush all rules
|
||||||
|
iptables_rules_flush ipv6
|
||||||
|
fi
|
|
@ -0,0 +1,42 @@
|
||||||
|
# Chain name mapping
|
||||||
|
# Don't change these unless you know what your doing
|
||||||
|
|
||||||
|
InCustomPreRules="In-CustomPreRules"
|
||||||
|
|
||||||
|
InPreRules="In-PreRules"
|
||||||
|
|
||||||
|
OutCustomPreRules="Out-CustomPreRules"
|
||||||
|
|
||||||
|
OutPreRules="Out-PreRules"
|
||||||
|
|
||||||
|
Trusted="In-Trusted"
|
||||||
|
|
||||||
|
InEasyBlock="In-EasyBlock"
|
||||||
|
|
||||||
|
OutEasyBlock="Out-EasyBlock"
|
||||||
|
|
||||||
|
InCustomFilter="In-CustomFilter"
|
||||||
|
|
||||||
|
OutCustomFilter="Out-CustomFilter"
|
||||||
|
|
||||||
|
FwdCustomFilter="Fwd-CustomFilter"
|
||||||
|
|
||||||
|
InFilter="In-Filter"
|
||||||
|
|
||||||
|
OutFilter="Out-Filter"
|
||||||
|
|
||||||
|
CustomNAT="CustomNAT"
|
||||||
|
|
||||||
|
NAT="NAT"
|
||||||
|
|
||||||
|
CustomPortForward="Custom-PortFW"
|
||||||
|
|
||||||
|
PortForward="PortForward"
|
||||||
|
|
||||||
|
InCustomPostRules="In-CustomPostRules"
|
||||||
|
|
||||||
|
InPostRules="In-PostRules"
|
||||||
|
|
||||||
|
OutCustomOstRules="Out-CustomPostRules"
|
||||||
|
|
||||||
|
OutPostRules="Out-PostRules"
|
|
@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
|
||||||
EnableIPv4=yes
|
EnableIPv4=yes
|
||||||
EnableIPv6=yes
|
EnableIPv6=yes
|
||||||
|
|
||||||
|
# Display detailed output while running script?
|
||||||
|
EnableDetailedOutput=yes
|
|
@ -28,7 +28,7 @@ function iptables_rules_flush {
|
||||||
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
||||||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
||||||
esac
|
esac
|
||||||
display_c RED "Flushing ${IP_VERSION} rules..."
|
${display_c} RED "Flushing ${IP_VERSION} rules..."
|
||||||
${VER_IPTABLES} --flush &>/dev/null
|
${VER_IPTABLES} --flush &>/dev/null
|
||||||
${VER_IPTABLES} -F OUTPUT &>/dev/null
|
${VER_IPTABLES} -F OUTPUT &>/dev/null
|
||||||
${VER_IPTABLES} -F PREROUTING &>/dev/null
|
${VER_IPTABLES} -F PREROUTING &>/dev/null
|
||||||
|
@ -49,8 +49,40 @@ function iptables_policy_reset {
|
||||||
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
||||||
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
||||||
esac
|
esac
|
||||||
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
||||||
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
|
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
|
||||||
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
|
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
|
||||||
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
|
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# setup_iptables_chains (ipv4|ipv6)
|
||||||
|
# Creates the default chains when called
|
||||||
|
function setup_uptables_chains {
|
||||||
|
IP_VERSION=$1
|
||||||
|
case $IP_VERSION in
|
||||||
|
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
||||||
|
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
||||||
|
esac
|
||||||
|
${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
|
||||||
|
${VER_IPTABLES} -N ${InCustomPreRules}
|
||||||
|
${VER_IPTABLES} -N ${InPreRules}
|
||||||
|
${VER_IPTABLES} -N ${OutCustomPreRules}
|
||||||
|
${VER_IPTABLES} -N ${OutPreRules}
|
||||||
|
${VER_IPTABLES} -N ${Trusted}
|
||||||
|
${VER_IPTABLES} -N ${InEasyBlock}
|
||||||
|
${VER_IPTABLES} -N ${OutEasyBlock}
|
||||||
|
${VER_IPTABLES} -N ${InCustomFilter}
|
||||||
|
${VER_IPTABLES} -N ${InFilter}
|
||||||
|
${VER_IPTABLES} -N ${OutCustomFilter}
|
||||||
|
${VER_IPTABLES} -N ${OutFilter}
|
||||||
|
${VER_IPTABLES} -N ${FwdCustomFilter}
|
||||||
|
${VER_IPTABLES} -N ${FwdFilter}
|
||||||
|
${VER_IPTABLES} -N ${CustomNAT}
|
||||||
|
${VER_IPTABLES} -N ${NAT}
|
||||||
|
${VER_IPTABLES} -N ${CustomPortForward}
|
||||||
|
${VER_IPTABLES} -N ${PortForward}
|
||||||
|
${VER_IPTABLES} -N ${InCustomPostRules}
|
||||||
|
${VER_IPTABLES} -N ${InPostRules}
|
||||||
|
${VER_IPTABLES} -N ${OutCustomPostRules}
|
||||||
|
${VER_IPTABLES} -N ${InPostRules}
|
||||||
|
}
|
Loading…
Reference in New Issue