master
parent
6161f8d978
commit
c94af28d78
|
@ -23,8 +23,8 @@ FW_VERSION="2.0"
|
|||
|
||||
# Important directory locations
|
||||
FWPREFIX="/usr/local"
|
||||
FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg"
|
||||
FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg"
|
||||
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
|
||||
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
|
||||
FWBINDIR="${FWPREFIX}/bin"
|
||||
|
||||
# Begin sourcing critical files, because we need things like path right away
|
||||
|
@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
|
|||
source "${FWLIBDIR}/iptables.inc"
|
||||
source "${FWLIBDIR}/display.inc"
|
||||
|
||||
source "${FWCONFIGDIR}/chains.conf"
|
||||
source "${FWCONFIGDIR}/ipv4.conf"
|
||||
source "${FWCONFIGDIR}/ipv6.conf"
|
||||
|
||||
# We require at least bash v3 or later at this point given some of the more complex
|
||||
# operations we do to make the firewall script work.
|
||||
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
||||
|
@ -40,4 +44,28 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
|||
echo "of bash to something more recent, preferably the latest which is, as of this"
|
||||
echo "writing, 4.x"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Swap out display_c command for dummy command if they don't want
|
||||
# output when command is run.
|
||||
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
|
||||
display="display_c"
|
||||
else
|
||||
display="true"
|
||||
fi
|
||||
|
||||
if [[ "${EnableIPv4}" == "yes" ]]; then
|
||||
# First flush all rules
|
||||
iptables_rules_flush ipv4
|
||||
|
||||
# Create the chain sets we'll need and the ones that can be
|
||||
# customized by users in their custom rules
|
||||
|
||||
|
||||
|
||||
fi
|
||||
|
||||
if [[ "${EnableIPv6}" == "yes" ]]; then
|
||||
# First flush all rules
|
||||
iptables_rules_flush ipv6
|
||||
fi
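Review bot: The new conditional at `if [[ "${DisplayDetailedOutput" == "yes" ]]; then` is missing the closing brace of the parameter expansion, so bash aborts with a bad-substitution error before any rule is touched, and the variable it tests is never set anyway: the config hunk in this commit defines `EnableDetailedOutput=yes`. The assignments that follow set `display`, while both hunks of iptables.inc in this commit expand `${display_c}`, so with the typo fixed the output toggle would still have no effect and `RED`/`GREEN` would be executed as a command. I would change the three lines to `if [[ "${EnableDetailedOutput}" == "yes" ]]; then`, `display_c="display_c"` and `display_c="true"`, or rename the expansions in iptables.inc to match. The IPv4 branch flushes rules and then has only a comment about chain creation; if `setup_uptables_chains ipv4` was meant to be called here, that call is absent.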
|
|
@ -0,0 +1,42 @@
|
|||
# Chain name mapping
|
||||
# Don't change these unless you know what your doing
|
||||
|
||||
InCustomPreRules="In-CustomPreRules"
|
||||
|
||||
InPreRules="In-PreRules"
|
||||
|
||||
OutCustomPreRules="Out-CustomPreRules"
|
||||
|
||||
OutPreRules="Out-PreRules"
|
||||
|
||||
Trusted="In-Trusted"
|
||||
|
||||
InEasyBlock="In-EasyBlock"
|
||||
|
||||
OutEasyBlock="Out-EasyBlock"
|
||||
|
||||
InCustomFilter="In-CustomFilter"
|
||||
|
||||
OutCustomFilter="Out-CustomFilter"
|
||||
|
||||
FwdCustomFilter="Fwd-CustomFilter"
|
||||
|
||||
InFilter="In-Filter"
|
||||
|
||||
OutFilter="Out-Filter"
|
||||
|
||||
CustomNAT="CustomNAT"
|
||||
|
||||
NAT="NAT"
|
||||
|
||||
CustomPortForward="Custom-PortFW"
|
||||
|
||||
PortForward="PortForward"
|
||||
|
||||
InCustomPostRules="In-CustomPostRules"
|
||||
|
||||
InPostRules="In-PostRules"
|
||||
|
||||
OutCustomOstRules="Out-CustomPostRules"
|
||||
|
||||
OutPostRules="Out-PostRules"
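Review bot: `OutCustomOstRules="Out-CustomPostRules"` is a typo for `OutCustomPostRules`, which is the name iptables.inc expands in the new chain-setup function, so that expansion is empty and `iptables -N` is invoked without a chain name. The same function also creates `${FwdFilter}`, for which this file defines no mapping; the missing entry would presumably be `FwdFilter="Fwd-Filter"`. Since the header says these values are not meant to be changed, declaring them `readonly` would turn an accidental reassignment elsewhere into an immediate error rather than a silently wrong chain name.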
|
|
@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
|
|||
EnableIPv4=yes
|
||||
EnableIPv6=yes
|
||||
|
||||
# Display detailed output while running script?
|
||||
EnableDetailedOutput=yes
|
|
@ -28,7 +28,7 @@ function iptables_rules_flush {
|
|||
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
|
||||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
||||
esac
|
||||
display_c RED "Flushing ${IP_VERSION} rules..."
|
||||
${display_c} RED "Flushing ${IP_VERSION} rules..."
|
||||
${VER_IPTABLES} --flush &>/dev/null
|
||||
${VER_IPTABLES} -F OUTPUT &>/dev/null
|
||||
${VER_IPTABLES} -F PREROUTING &>/dev/null
|
||||
|
@ -49,8 +49,40 @@ function iptables_policy_reset {
|
|||
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
||||
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
||||
esac
|
||||
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
||||
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
||||
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
|
||||
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
|
||||
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
|
||||
}
|
||||
|
||||
# setup_iptables_chains (ipv4|ipv6)
|
||||
# Creates the default chains when called
|
||||
function setup_uptables_chains {
|
||||
IP_VERSION=$1
|
||||
case $IP_VERSION in
|
||||
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
||||
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
||||
esac
|
||||
${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
|
||||
${VER_IPTABLES} -N ${InCustomPreRules}
|
||||
${VER_IPTABLES} -N ${InPreRules}
|
||||
${VER_IPTABLES} -N ${OutCustomPreRules}
|
||||
${VER_IPTABLES} -N ${OutPreRules}
|
||||
${VER_IPTABLES} -N ${Trusted}
|
||||
${VER_IPTABLES} -N ${InEasyBlock}
|
||||
${VER_IPTABLES} -N ${OutEasyBlock}
|
||||
${VER_IPTABLES} -N ${InCustomFilter}
|
||||
${VER_IPTABLES} -N ${InFilter}
|
||||
${VER_IPTABLES} -N ${OutCustomFilter}
|
||||
${VER_IPTABLES} -N ${OutFilter}
|
||||
${VER_IPTABLES} -N ${FwdCustomFilter}
|
||||
${VER_IPTABLES} -N ${FwdFilter}
|
||||
${VER_IPTABLES} -N ${CustomNAT}
|
||||
${VER_IPTABLES} -N ${NAT}
|
||||
${VER_IPTABLES} -N ${CustomPortForward}
|
||||
${VER_IPTABLES} -N ${PortForward}
|
||||
${VER_IPTABLES} -N ${InCustomPostRules}
|
||||
${VER_IPTABLES} -N ${InPostRules}
|
||||
${VER_IPTABLES} -N ${OutCustomPostRules}
|
||||
${VER_IPTABLES} -N ${InPostRules}
|
||||
}
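Review bot: The new function is declared as `function setup_uptables_chains {` although its header comment documents `setup_iptables_chains`, so any caller using the documented name gets "command not found"; I would rename the definition. The last `-N` line repeats `${VER_IPTABLES} -N ${InPostRules}` where `${VER_IPTABLES} -N ${OutPostRules}` is evidently intended, leaving the Out-PostRules chain uncreated and producing a chain-exists error for In-PostRules. `${display_c}` (here and in the flush hunk above) is not assigned by the main script in this commit, which sets `display`, so the colour argument is executed as a command; the two names need to agree. Since `-N` fails on a chain that already exists and the flush hunk shows only `--flush`/`-F` calls, a second run of the script will log an error per chain unless chains are also deleted with `-X` before this function runs — the rest of iptables_rules_flush is outside the hunk, so that may already happen.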
|