Default policy support, which I believe makes this release Alpha 1 quality

master
bbruns 2014-04-10 02:21:41 +00:00
parent 6dfe77b118
commit d71e8794c6
4 changed files with 40 additions and 10 deletions


@ -175,6 +175,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4 [[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4 [[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4 [[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \ ([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}" && enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
@ -200,6 +204,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6 [[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6 [[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6 [[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \ ([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}" && enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
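Review bot: The three policy arguments on the `default_policy_set ipv4 ${Defaultv4InPolicy} …` line are expanded unquoted, so a policy variable set to the empty string in the config (which `${Defaultv4InPolicy=ACCEPT}` does not default, since `=` only fires when the variable is unset) vanishes and shifts the remaining arguments left, silently applying the OUTPUT policy to INPUT. Quote them and use `:-` so empty and unset are both defaulted: `Defaultv4InPolicy=${Defaultv4InPolicy:-ACCEPT}` (likewise for Out and Fwd) and `default_policy_set ipv4 "${Defaultv4InPolicy}" "${Defaultv4OutPolicy}" "${Defaultv4FwdPolicy}"`. The ipv6 hunk below has the same issue on its `default_policy_set ipv6 …` line. Nothing here checks that the values are ACCEPT or DROP before they reach `iptables -P`; that is best validated inside default_policy_set. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block begins and ends outside the hunk.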


@ -96,3 +96,13 @@ Enablev4NAT="yes"
# Config file: ipv4/portfw.conf # Config file: ipv4/portfw.conf
# Values: no | yes (default) # Values: no | yes (default)
Enablev4PortForwarding="yes" Enablev4PortForwarding="yes"
# Default policy for filtering rules
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
# Please note if you do not specify policies, they will default to
# ACCEPT, which may not be what you want.
Defaultv4InPolicy="ACCEPT"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="ACCEPT"
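Review bot: The comment block above `Defaultv4InPolicy="ACCEPT"` lists the valid values but not the operational consequence of choosing DROP: with `Defaultv4InPolicy="DROP"` every inbound packet not matched by an explicit accept rule is discarded, including replies to connections the host itself opened unless a connection-tracking accept rule is in place, so a remote administrator can lose access to the box. Add a line such as `# Setting the INPUT policy to DROP requires rules that accept established connections (see Enablev4ConnectionTracking), or remote sessions will be cut off.` The same comment block is duplicated in the ipv6 config section below and should carry the same note.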


@ -96,3 +96,13 @@ Enablev6NAT="yes"
# Config file: ipv6/portfw.conf # Config file: ipv6/portfw.conf
# Values: no | yes (default) # Values: no | yes (default)
Enablev6PortForwarding="yes" Enablev6PortForwarding="yes"
# Default policy for filtering rules
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
# Please note if you do not specify policies, they will default to
# ACCEPT, which may not be what you want.
Defaultv6InPolicy="ACCEPT"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="ACCEPT"


@ -30,6 +30,9 @@ function iptables_rules_flush {
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac esac
${display} GREEN "Flushing ${IP_VERSION} rules..." ${display} GREEN "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
${VER_IPTABLES} -F &>/dev/null ${VER_IPTABLES} -F &>/dev/null
${VER_IPTABLES} -X &>/dev/null ${VER_IPTABLES} -X &>/dev/null
${VER_IPTABLES} -F INPUT &>/dev/null ${VER_IPTABLES} -F INPUT &>/dev/null
@ -39,9 +42,6 @@ function iptables_rules_flush {
${VER_IPTABLES} -t nat -X &>/dev/null ${VER_IPTABLES} -t nat -X &>/dev/null
${VER_IPTABLES} -t mangle -F &>/dev/null ${VER_IPTABLES} -t mangle -F &>/dev/null
${VER_IPTABLES} -t mangle -X &>/dev/null ${VER_IPTABLES} -t mangle -X &>/dev/null
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
#for i in `cat $TABLE_NAMES`; do #for i in `cat $TABLE_NAMES`; do
# ${VER_IPTABLES} -F -t $i &>/dev/null # ${VER_IPTABLES} -F -t $i &>/dev/null
#done #done
@ -51,17 +51,19 @@ function iptables_rules_flush {
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT # If no policy given, assume ACCEPT
function iptables_policy_reset { function default_policy_set {
IP_VERSION=$1 IP_VERSION=$1
SET_POLICY=${2=ACCEPT} INPOLICY=${2=ACCEPT}
OUTPOLICY=${3=ACCEPT}
FWDPOLICY=${4=ACCEPT}
case $IP_VERSION in case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;; ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;; ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac esac
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY} ${VER_IPTABLES} --policy INPUT ${INPOLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} ${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY} ${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}
} }
# setup_iptables_chains (ipv4|ipv6) # setup_iptables_chains (ipv4|ipv6)
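Review bot: The status message `${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."` still references SET_POLICY, which the renamed default_policy_set no longer assigns (it now sets INPOLICY, OUTPOLICY and FWDPOLICY), so the log line reports an empty or stale value; it should read `${display_c} RED "Setting ${IP_VERSION} policies: INPUT ${INPOLICY}, OUTPUT ${OUTPOLICY}, FORWARD ${FWDPOLICY}..."`. The header comment `# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)` is likewise stale and should name default_policy_set with its three policy arguments. The `${2=ACCEPT}` defaults only apply when the parameter is unset, and nothing rejects a value other than ACCEPT or DROP before it reaches `--policy`; the version below uses `:-` and refuses anything that is not a built-in policy, since a typo would otherwise surface only as an iptables error after some chains have already been changed. The first two hunks of this section, which move the `-P … ACCEPT` resets ahead of the flush, look intentional and are not re-raised here.
```shell
function default_policy_set {
  IP_VERSION=$1
  INPOLICY=${2:-ACCEPT}
  OUTPOLICY=${3:-ACCEPT}
  FWDPOLICY=${4:-ACCEPT}
  # Only the built-in targets are valid for --policy; refuse anything else
  # instead of handing an arbitrary token to iptables.
  for pol in "${INPOLICY}" "${OUTPOLICY}" "${FWDPOLICY}"; do
    case $pol in
      ACCEPT|DROP) ;;
      *) ${display_c} RED "Invalid policy '${pol}' for ${IP_VERSION}; expected ACCEPT or DROP" ; return 1 ;;
    esac
  done
  # … unchanged: VER_IPTABLES selection by IP_VERSION …
  ${display_c} RED "Setting ${IP_VERSION} policies: INPUT ${INPOLICY}, OUTPUT ${OUTPOLICY}, FORWARD ${FWDPOLICY}..."
  # … unchanged: --policy INPUT/OUTPUT/FORWARD calls …
```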