bbruns@gmail.com 2014-03-01 18:23:05 +00:00
parent 6161f8d978
commit c94af28d78
4 changed files with 108 additions and 4 deletions


@ -23,8 +23,8 @@ FW_VERSION="2.0"
# Important directory locations # Important directory locations
FWPREFIX="/usr/local" FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg" FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg" FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin" FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away # Begin sourcing critical files, because we need things like path right away
@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc" source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc" source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# We require at least bash v3 or later at this point given some of the more complex # We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work. # operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then if (( ${BASH_VERSINFO[0]} <= "2" )); then
@ -40,4 +44,28 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "of bash to something more recent, preferably the latest which is, as of this" echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x" echo "writing, 4.x"
exit 1 exit 1
fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
display="display_c"
else
display="true"
fi
if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
fi
if [[ "${EnableIPv6}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv6
fi fi
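Review bot: The new output toggle `if [[ "${DisplayDetailedOutput" == "yes" ]]; then` is missing the closing brace of the parameter expansion, so bash aborts with a bad-substitution error before any rule is touched. Even with the brace restored the names do not line up: the config hunk adds `EnableDetailedOutput=yes`, this script tests `DisplayDetailedOutput` and assigns `display`, while the iptables.inc hunks invoke `${display_c}` — with `display_c` unset those library lines collapse to running `RED`/`GREEN` as commands. Settle on one name on both sides, e.g. `if [[ "${EnableDetailedOutput}" == "yes" ]]; then display_c="display_c"; else display_c="true"; fi`, and make the library call `"${display_c}"`. The comment in the IPv4 branch promises the chain sets are created, but nothing calls the new chain-setup function in iptables.inc, so presumably any rules loaded later target chains that do not yet exist. Since `chains.conf`, `ipv4.conf` and `ipv6.conf` are now executed via `source` with the caller's privileges, an ownership/writability check before sourcing (refuse a file that is not root-owned or is group/world-writable) would be prudent.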

etc/chains.conf Normal file

@ -0,0 +1,42 @@
# Chain name mapping
# Don't change these unless you know what your doing
InCustomPreRules="In-CustomPreRules"
InPreRules="In-PreRules"
OutCustomPreRules="Out-CustomPreRules"
OutPreRules="Out-PreRules"
Trusted="In-Trusted"
InEasyBlock="In-EasyBlock"
OutEasyBlock="Out-EasyBlock"
InCustomFilter="In-CustomFilter"
OutCustomFilter="Out-CustomFilter"
FwdCustomFilter="Fwd-CustomFilter"
InFilter="In-Filter"
OutFilter="Out-Filter"
CustomNAT="CustomNAT"
NAT="NAT"
CustomPortForward="Custom-PortFW"
PortForward="PortForward"
InCustomPostRules="In-CustomPostRules"
InPostRules="In-PostRules"
OutCustomOstRules="Out-CustomPostRules"
OutPostRules="Out-PostRules"
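Review bot: `OutCustomOstRules="Out-CustomPostRules"` misspells the variable the library reads as `${OutCustomPostRules}`, so that chain name expands to nothing and the corresponding `-N` call in iptables.inc runs with a missing argument; rename it `OutCustomPostRules="Out-CustomPostRules"`. `FwdFilter` is likewise referenced by the chain-setup function but has no entry here; add one following the existing pattern, e.g. `FwdFilter="Fwd-Filter"` (constructed value) next to `FwdCustomFilter`. Given the header says these must not be changed, declaring them `readonly` would make an accidental override in one of the other sourced config files fail loudly instead of silently renaming a chain.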


@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
EnableIPv4=yes EnableIPv4=yes
EnableIPv6=yes EnableIPv6=yes
# Display detailed output while running script?
EnableDetailedOutput=yes


@ -28,7 +28,7 @@ function iptables_rules_flush {
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac esac
display_c RED "Flushing ${IP_VERSION} rules..." ${display_c} RED "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null ${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null ${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null ${VER_IPTABLES} -F PREROUTING &>/dev/null
@ -49,8 +49,40 @@ function iptables_policy_reset {
ipv6) VER_IPTABLES=${IP6TABLES} ;; ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;; ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac esac
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY} ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY} ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
}
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_uptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InCustomPreRules}
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutCustomPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InCustomFilter}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutCustomFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdCustomFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${CustomNAT}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${CustomPortForward}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
} }
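Review bot: The last `-N` line of the new chain-setup function repeats `${InPostRules}` instead of `${OutPostRules}`, so the Out-PostRules chain is never created and the duplicate `-N` fails with a chain-already-exists error. The function is named `setup_uptables_chains` while its own header comment calls it `setup_iptables_chains`; nothing in view calls it yet, so renaming now is cheap. Every `-N` argument is unquoted and unguarded, so a mapping that is empty or misspelled in chains.conf (`OutCustomOstRules`, and `FwdFilter` which chains.conf never defines) degrades into `iptables -N` with no name rather than a clear failure. Rewriting the body as a loop with an empty-name check keeps one copy of the list and quotes every expansion; the enclosing `iptables_policy_reset` in the same hunk starts outside it.
```shell
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_iptables_chains {
  IP_VERSION=$1
  # … unchanged: VER_IPTABLES selection by IP_VERSION …
  ${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
  local chain
  for chain in "${InCustomPreRules}" "${InPreRules}" "${OutCustomPreRules}" "${OutPreRules}" \
      "${Trusted}" "${InEasyBlock}" "${OutEasyBlock}" \
      "${InCustomFilter}" "${InFilter}" "${OutCustomFilter}" "${OutFilter}" \
      "${FwdCustomFilter}" "${FwdFilter}" "${CustomNAT}" "${NAT}" \
      "${CustomPortForward}" "${PortForward}" \
      "${InCustomPostRules}" "${InPostRules}" "${OutCustomPostRules}" "${OutPostRules}"; do
    # An empty name means chains.conf is missing or misspelled an entry; stop instead of creating a nameless chain.
    if [[ -z "${chain}" ]]; then
      echo "setup_iptables_chains: empty chain name for ${IP_VERSION}, check chains.conf" >&2
      return 1
    fi
    "${VER_IPTABLES}" -N "${chain}"
  done
}
```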