bbruns@gmail.com 2014-03-01 18:23:05 +00:00
parent 6161f8d978
commit c94af28d78
4 changed files with 108 additions and 4 deletions


@ -23,8 +23,8 @@ FW_VERSION="2.0"
# Important directory locations # Important directory locations
FWPREFIX="/usr/local" FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg" FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg" FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin" FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away # Begin sourcing critical files, because we need things like path right away
@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc" source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc" source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# We require at least bash v3 or later at this point given some of the more complex # We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work. # operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then if (( ${BASH_VERSINFO[0]} <= "2" )); then
@ -41,3 +45,27 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "writing, 4.x" echo "writing, 4.x"
exit 1 exit 1
fi fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
display="display_c"
else
display="true"
fi
if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
fi
if [[ "${EnableIPv6}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv6
fi
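Review bot: The new display test is missing its closing brace, `"${DisplayDetailedOutput" == "yes"`, which bash reports as a bad substitution and aborts the script at startup; it should read `if [[ "${DisplayDetailedOutput}" == "yes" ]]; then`. The name also differs from the setting this commit adds to the config file, `EnableDetailedOutput=yes`, so even with the brace fixed the check never sees the user's choice; pick one name and use it in both files. Likewise the branch assigns `display=...`, while the new lines in iptables.inc invoke `${display_c} RED ...`, so with `display_c` unset bash will try to run `RED`/`GREEN` as commands; either assign `display_c="display_c"` / `display_c="true"` here or change the callers to `${display}`. The `EnableIPv4` block carries a comment about creating the chain sets but no call to the new setup function, which I assume is intended for a follow-up.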

etc/chains.conf Normal file

@ -0,0 +1,42 @@
# Chain name mapping
# Don't change these unless you know what your doing
InCustomPreRules="In-CustomPreRules"
InPreRules="In-PreRules"
OutCustomPreRules="Out-CustomPreRules"
OutPreRules="Out-PreRules"
Trusted="In-Trusted"
InEasyBlock="In-EasyBlock"
OutEasyBlock="Out-EasyBlock"
InCustomFilter="In-CustomFilter"
OutCustomFilter="Out-CustomFilter"
FwdCustomFilter="Fwd-CustomFilter"
InFilter="In-Filter"
OutFilter="Out-Filter"
CustomNAT="CustomNAT"
NAT="NAT"
CustomPortForward="Custom-PortFW"
PortForward="PortForward"
InCustomPostRules="In-CustomPostRules"
InPostRules="In-PostRules"
OutCustomOstRules="Out-CustomPostRules"
OutPostRules="Out-PostRules"
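Review bot: `OutCustomOstRules="Out-CustomPostRules"` looks like a typo for `OutCustomPostRules`; the new setup function in iptables.inc reads `${OutCustomPostRules}`, which with this file expands to nothing and turns that line into a bare `-N` call. The key should be `OutCustomPostRules="Out-CustomPostRules"`. The same function also references `${FwdFilter}`, which has no entry here; adding a `FwdFilter=` line (value to be chosen by the author) would keep the two files consistent. Since this file is sourced by the main script and therefore executed as shell, the header comment could say so, e.g. `# This file is sourced by the firewall script; only variable assignments belong here`.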


@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
EnableIPv4=yes EnableIPv4=yes
EnableIPv6=yes EnableIPv6=yes
# Display detailed output while running script?
EnableDetailedOutput=yes


@ -28,7 +28,7 @@ function iptables_rules_flush {
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac esac
display_c RED "Flushing ${IP_VERSION} rules..." ${display_c} RED "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null ${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null ${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null ${VER_IPTABLES} -F PREROUTING &>/dev/null
@ -49,8 +49,40 @@ function iptables_policy_reset {
ipv6) VER_IPTABLES=${IP6TABLES} ;; ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;; ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac esac
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY} ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY} ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
} }
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_uptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InCustomPreRules}
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutCustomPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InCustomFilter}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutCustomFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdCustomFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${CustomNAT}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${CustomPortForward}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
}
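Review bot: The function is declared as `setup_uptables_chains` while its header comment documents `setup_iptables_chains`; callers will use the documented name, so the definition line should be `function setup_iptables_chains {`. Inside it the last `-N` repeats `${InPostRules}`, which will fail because that chain was created a few lines earlier, while the Out-PostRules chain is never created; it should be `${VER_IPTABLES} -N ${OutPostRules}`. `${FwdFilter}` has no definition in the chains.conf added by this commit, and `${OutCustomPostRules}` does not match the key spelled `OutCustomOstRules` there, so both expand to empty and yield a bare `-N` call. Each `-N` also runs unchecked; if iptables_rules_flush leaves user-defined chains in place (only `--flush`/`-F` are visible in its hunk, so I can't tell), a second run would fail on every chain, so consider reporting failures rather than discarding them. The first hunk of this file starts inside iptables_rules_flush and the second inside iptables_policy_reset, whose bodies are partly outside the view.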