#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

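# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
#
# Flushes and deletes the chains of the filter, nat and mangle tables, then
# sets the INPUT/OUTPUT/FORWARD policies to ACCEPT. The raw and security
# tables are not touched. Once this returns the host accepts all traffic until
# the next rule set has been loaded, so call the set-up functions right after.
# Globals:   IPTABLES, IP6TABLES, display (read)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
# Returns:   1 if no iptables binary is configured for the chosen version,
#            otherwise the status of the final policy call (errors from the
#            individual iptables calls are silenced, as before)
iptables_rules_flush() {
  local ip_version=$1
  local ipt
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES} ;;
    ipv4|*) ipt=${IPTABLES} ;;
  esac
  # An empty binary variable would make "-F" the command name and every call
  # below fail silently; refuse instead.
  if [[ -z "${ipt}" ]]; then
    ${display} RED "iptables_rules_flush: no iptables binary configured for ${ip_version}"
    return 1
  fi
  ${display} GREEN "Flushing ${ip_version} rules..."
  # ${ipt} is left unquoted, as the original did, so a value that includes
  # options still splits into command and arguments.
  local table chain
  # -F empties every chain of the table, -X then removes the (now empty)
  # user-defined chains.
  for table in filter nat mangle; do
    ${ipt} -t "${table}" -F &>/dev/null
    ${ipt} -t "${table}" -X &>/dev/null
  done
  for chain in INPUT OUTPUT FORWARD; do
    ${ipt} -P "${chain}" ACCEPT &>/dev/null
  done
}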
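# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
#
# Globals:   IPTABLES, IP6TABLES, display_c (read; note the other functions in
#            this file use ${display} - left as-is here)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
#            $2 - chain policy, ACCEPT (default) or DROP
# Returns:   1 on an unknown policy or a missing iptables binary, otherwise
#            non-zero if any --policy call failed, 0 if all succeeded
iptables_policy_reset() {
  local ip_version=$1
  # ${2:-ACCEPT} supplies the default. The original used ${2=ACCEPT}, which
  # tries to assign to a positional parameter; bash rejects that ("cannot
  # assign in this way"), so the documented ACCEPT default never applied.
  local set_policy=${2:-ACCEPT}
  local ipt
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES} ;;
    ipv4|*) ipt=${IPTABLES} ;;
  esac
  if [[ -z "${ipt}" ]]; then
    ${display_c} RED "iptables_policy_reset: no iptables binary configured for ${ip_version}"
    return 1
  fi
  # Only the built-in targets are valid as a chain policy.
  case "${set_policy}" in
    ACCEPT|DROP) ;;
    *)
      ${display_c} RED "iptables_policy_reset: invalid policy '${set_policy}' (expected ACCEPT or DROP)"
      return 1
      ;;
  esac
  ${display_c} RED "Setting ${ip_version} policies to ${set_policy}..."
  # ${ipt} is left unquoted, as the original did, so a value that includes
  # options still splits into command and arguments.
  local chain rv=0
  for chain in INPUT OUTPUT FORWARD; do
    ${ipt} --policy "${chain}" "${set_policy}" || rv=$?
  done
  return "${rv}"
}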
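# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
#
# Creates the user chains named by InPreRules, OutPreRules, InEasyBlock,
# OutEasyBlock, InFilter, OutFilter, FwdFilter, NAT, PortForward, InPostRules
# and OutPostRules, then appends a jump to each from the built-in chain it
# belongs to. The jumps are appended in the order written below, which is the
# order packets walk them, so do not reorder them casually. Before each group
# the matching hook under ${FWCONFIGDIR}/ipv<N>/custom/ (prerun.sh,
# easyblock.sh, filter.sh, nat.sh, portfw.sh, postrun.sh) is sourced if it is
# executable. Hooks run in this shell, with its privileges and with this
# function's "$1", and can redefine anything, so that directory is part of
# the trusted configuration.
# Globals:   IPTABLES, IP6TABLES, FWCONFIGDIR, the chain-name variables above,
#            display, debug, DebugColor (read); IP_VERSION, VER_IPTABLES,
#            IPVER (written, see below)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
# Returns:   status of the last iptables call
setup_iptables_chains() {
  # IP_VERSION, VER_IPTABLES and IPVER are deliberately left global, as in the
  # original: the custom hooks sourced below run in this shell and may read
  # them.
  IP_VERSION=$1
  case "${IP_VERSION}" in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local custom="${FWCONFIGDIR}/ipv${IPVER}/custom"

  # Create the actual chains. ${VER_IPTABLES} is left unquoted, as the
  # original did, so a value that includes options still splits.
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  local chain
  for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" \
      "${OutEasyBlock}" "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
    ${VER_IPTABLES} -N "${chain}"
  done
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Set up rules - the order matters - we do it separately here
  # for easy viewing of order. Hooks are sourced inline rather than through a
  # helper so they keep seeing this function's positional parameters.
  [[ -x "${custom}/prerun.sh" ]] && . "${custom}/prerun.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  [[ -x "${custom}/easyblock.sh" ]] && . "${custom}/easyblock.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  [[ -x "${custom}/filter.sh" ]] && . "${custom}/filter.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  [[ -x "${custom}/nat.sh" ]] && . "${custom}/nat.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up NAT"
  ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"

  [[ -x "${custom}/portfw.sh" ]] && . "${custom}/portfw.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up PortForward"
  ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"

  [[ -x "${custom}/postrun.sh" ]] && . "${custom}/postrun.sh"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}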
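# allow_all_loopback (ipv4|ipv6)
# Accept all traffic on the loopback interface in both directions, from the
# pre-rules chains (which setup_iptables_chains attaches to INPUT/OUTPUT
# first), so later filter chains are not consulted for it.
# Globals:   IPTABLES, IP6TABLES, InPreRules, OutPreRules, debug, DebugColor
#            (read)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
# Returns:   status of the last iptables call
allow_all_loopback() {
  local ip_version=$1
  local ipt
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES} ;;
    ipv4|*) ipt=${IPTABLES} ;;
  esac
  ${debug} ${DebugColor} "allow_all_loopback: loaded"
  # ${ipt} is left unquoted, as the original did, so a value that includes
  # options still splits into command and arguments.
  ${ipt} -A "${InPreRules}" -i lo -j ACCEPT
  ${ipt} -A "${OutPreRules}" -o lo -j ACCEPT
}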
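# allow_trusted_hosts (ipv4|ipv6)
# Accept everything to and from each host listed in
# ${FWCONFIGDIR}/ipv<N>/trusted.conf, from the pre-rules chains, so these
# hosts bypass every later filter in both directions. Entries are whitespace
# separated; any line containing '#' anywhere is skipped entirely (as the
# original's grep -v did, so an inline comment disables the whole line).
# A missing file is reported but is not fatal.
# Globals:   IPTABLES, IP6TABLES, FWCONFIGDIR, InPreRules, OutPreRules,
#            display, debug, DebugColor (read)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
# Returns:   status of the last command run
allow_trusted_hosts() {
  local ip_version=$1
  local ipt ipver
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES}; ipver=6 ;;
    ipv4|*) ipt=${IPTABLES}; ipver=4 ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${ipver}/trusted.conf"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: loading"
  if [[ ! -e "${conf}" ]]; then
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} ${DebugColor} "${FUNCNAME[0]}: failed"
    return
  fi
  local line host
  local -a hosts
  # Read line by line instead of word-splitting a backtick substitution; the
  # "|| [[ -n ]]" keeps a final line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "${line}" ]]; do
    [[ "${line}" == *"#"* ]] && continue
    read -r -a hosts <<<"${line}"
    # ${ipt} is left unquoted, as the original did, so a value that includes
    # options still splits into command and arguments.
    for host in "${hosts[@]}"; do
      ${ipt} -A "${InPreRules}" -s "${host}" -j ACCEPT
      ${ipt} -A "${OutPreRules}" -d "${host}" -j ACCEPT
    done
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: done"
}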
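# enable_mss_clamp (ipv4|ipv6)
# Add TCP MSS clamping rules from ${FWCONFIGDIR}/ipv<N>/mss-clamp.conf.
# Each line is "<interface> <mss> <type>": mss is a tcpmss match range, or
# "-" (or missing) for 1400:1536; type is "out", "-" or missing for the
# OutFilter chain, "fwd" for the FwdFilter chain, and any other value is used
# verbatim as a chain name. Lines starting with '#' and blank lines are
# skipped. A missing file is reported but is not fatal.
# Globals:   IPTABLES, IP6TABLES, FWCONFIGDIR, OutFilter, FwdFilter, display,
#            debug, DebugColor (read)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
# Returns:   status of the last command run
enable_mss_clamp() {
  local ip_version=$1
  local ipt ipver
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES}; ipver=6 ;;
    ipv4|*) ipt=${IPTABLES}; ipver=4 ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${ipver}/mss-clamp.conf"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: loading"
  if [[ ! -e "${conf}" ]]; then
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load mss clamp file."
    ${debug} ${DebugColor} "${FUNCNAME[0]}: failed"
    return
  fi
  ${debug} ${DebugColor} "${FUNCNAME[0]}: read ${conf} successful"
  local interface mss type
  while read -r interface mss type; do
    # Blank lines used to reach iptables with empty arguments; skip them
    # along with comment lines.
    [[ -z "${interface}" || "${interface}" == \#* ]] && continue
    case "${mss}" in
      ""|-) mss="1400:1536" ;;
    esac
    case "${type}" in
      ""|-|out) type=${OutFilter} ;;
      fwd) type=${FwdFilter} ;;
    esac
    ${debug} ${DebugColor} "${FUNCNAME[0]}: Read: ${interface} ${mss} ${type}"
    # ${ipt} is left unquoted, as the original did, so a value that includes
    # options still splits into command and arguments.
    ${ipt} -A "${type}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
      --clamp-mss-to-pmtu -o "${interface}" -m tcpmss --mss "${mss}"
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: done"
}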
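# allow_resolvconf_servers (ipv4|ipv6)
# Allow DNS (udp and tcp port 53) between this host and each "nameserver"
# entry of the resolv.conf-style file named by ResolvConfv4File or
# ResolvConfv6File, from the pre-rules chains. Entries of the other address
# family are skipped: anything containing ':' is taken as IPv6, everything
# else as IPv4. Only the first word after "nameserver" is used.
# Globals:   IPTABLES, IP6TABLES, ResolvConfv4File, ResolvConfv6File,
#            InPreRules, OutPreRules, display, debug, DebugColor (read);
#            ResolvConfFile (written, kept global as before in case other
#            code reads it)
# Arguments: $1 - "ipv4" or "ipv6"
# Returns:   1 if $1 is neither; otherwise the status of the last command run
#            (an unreadable file is reported but is not fatal)
allow_resolvconf_servers() {
  local ip_version=$1
  local ipt
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES}; ResolvConfFile=${ResolvConfv6File} ;;
    ipv4) ipt=${IPTABLES}; ResolvConfFile=${ResolvConfv4File} ;;
    *)
      # The original fell through to iptables here but never chose a file,
      # so the read below failed; report it instead.
      ${display} RED "${FUNCNAME[0]}: unknown IP version '${ip_version}'"
      return 1
      ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME[0]}: loading"
  if [[ ! -r "${ResolvConfFile}" ]]; then
    ${display} RED "File Missing: ${ResolvConfFile}"
    ${display} RED "Error: can not load resolv.conf file."
    ${debug} ${DebugColor} "${FUNCNAME[0]}: failed"
    return
  fi
  ${debug} ${DebugColor} "${FUNCNAME[0]}: Using ${ResolvConfFile} as resolv.conf"
  local type server _rest proto
  while read -r type server _rest; do
    [[ "${type}" != "nameserver" ]] && continue
    # If we see a : in the server variable, we are most likely dealing with an
    # ipv6 address; the other family's tool would reject the address anyway.
    if [[ "${server}" == *:* ]]; then
      [[ "${ip_version}" == "ipv4" ]] && continue
    else
      [[ "${ip_version}" == "ipv6" ]] && continue
    fi
    ${debug} ${DebugColor} "${FUNCNAME[0]}: Added ${server} to DNS client trusted list"
    # Queries leave from a high port to the server's port 53 (OUTPUT matches
    # the server as destination); replies come back from port 53 (INPUT
    # matches the server as source). The original used -s on OUTPUT and -d on
    # INPUT, which only matched when the resolver was a local address.
    # ${ipt} is left unquoted, as the original did, so a value that includes
    # options still splits into command and arguments.
    for proto in udp tcp; do
      ${ipt} -A "${OutPreRules}" -p "${proto}" -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${ipt} -A "${InPreRules}" -p "${proto}" -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
    done
  done < "${ResolvConfFile}"
  ${debug} ${DebugColor} "${FUNCNAME[0]}: done"
}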
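# allow_dnsclient_manual (ipv4|ipv6) "<server> [<server> ...]"
# Allow DNS (udp and tcp port 53) between this host and each server in the
# whitespace-separated list given as $2, from the pre-rules chains. The caller
# is responsible for passing addresses of the right family for $1.
# Globals:   IPTABLES, IP6TABLES, InPreRules, OutPreRules, debug, DebugColor
#            (read)
# Arguments: $1 - "ipv6" or "ipv4"; anything else is treated as ipv4
#            $2 - server addresses separated by whitespace; empty adds nothing
# Returns:   status of the last command run
allow_dnsclient_manual() {
  local ip_version=$1
  local dns_servers=$2
  local ipt
  case "${ip_version}" in
    ipv6) ipt=${IP6TABLES} ;;
    ipv4|*) ipt=${IPTABLES} ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME[0]}: loading"
  # Split the list on whitespace without pathname expansion.
  local -a servers
  read -r -a servers <<<"${dns_servers}"
  local server proto
  for server in "${servers[@]}"; do
    ${debug} ${DebugColor} "${FUNCNAME[0]}: Added ${server} to DNS client trusted list"
    # Queries leave from a high port to the server's port 53 (OUTPUT matches
    # the server as destination); replies come back from port 53 (INPUT
    # matches the server as source). The original used -s on OUTPUT and -d on
    # INPUT, which only matched when the resolver was a local address.
    # ${ipt} is left unquoted, as the original did, so a value that includes
    # options still splits into command and arguments.
    for proto in udp tcp; do
      ${ipt} -A "${OutPreRules}" -p "${proto}" -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${ipt} -A "${InPreRules}" -p "${proto}" -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
    done
  done
  ${debug} ${DebugColor} "${FUNCNAME[0]}: done"
}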