254 lines
		
	
	
		
			9.6 KiB
		
	
	
	
		
			Plaintext
		
	
	
		
			Executable File
		
	
	
	
	
			
		
		
	
	
			254 lines
		
	
	
		
			9.6 KiB
		
	
	
	
		
			Plaintext
		
	
	
		
			Executable File
		
	
	
	
	
| #/bin/bash
 | |
| # By Brielle Bruns <bruns@2mbit.com>
 | |
| # URL: http://www.sosdg.org/freestuff/firewall
 | |
| # License: GPLv3
 | |
| #
 | |
| #    Copyright (C) 2009 - 2014  Brielle Bruns
 | |
| #    Copyright (C) 2009 - 2014  The Summit Open Source Development Group
 | |
| #
 | |
| #    This program is free software: you can redistribute it and/or modify
 | |
| #    it under the terms of the GNU General Public License as published by
 | |
| #    the Free Software Foundation, either version 3 of the License, or
 | |
| #    (at your option) any later version.
 | |
| #
 | |
| #    This program is distributed in the hope that it will be useful,
 | |
| #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| #    GNU General Public License for more details.
 | |
| #    You should have received a copy of the GNU General Public License
 | |
| #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| # Static config options, normally do not need to change
 | |
| FW_VERSION="2.2"
 | |
| 
 | |
| # Important directory locations
 | |
| FWPREFIX="/usr/local"
 | |
| FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
 | |
| FWLIBDIR="${FWPREFIX}/lib/srfirewall"
 | |
| FWBINDIR="${FWPREFIX}/bin"
 | |
| 
 | |
| # Begin sourcing critical files, because we need things like path right away
 | |
| source "${FWLIBDIR}/binaries.inc"
 | |
| source "${FWLIBDIR}/iptables.inc"
 | |
| source "${FWLIBDIR}/display.inc"
 | |
| source "${FWLIBDIR}/kernel.inc"
 | |
| 
 | |
| source "${FWCONFIGDIR}/main.conf"
 | |
| 
 | |
| source "${FWCONFIGDIR}/chains.conf"
 | |
| source "${FWCONFIGDIR}/ipv4.conf"
 | |
| source "${FWCONFIGDIR}/ipv6.conf"
 | |
| 
 | |
| # The local.conf file can be used to override any of the above files without having to worry
 | |
| # about changes being overwritten when upgrading.  Mostly useful for people who use a package
 | |
| # manager.
 | |
| [[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"
 | |
| [[ -e "${FWCONFIGDIR}/ipv4/local.conf" ]] && source "${FWCONFIGDIR}/ipv4/local.conf"
 | |
| [[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"
 | |
| 
 | |
| 
 | |
| # We require at least bash v2 or later at this point given some of the more complex
 | |
| # operations we do to make the firewall script work.
 | |
| if (( ${BASH_VERSINFO[0]} <= "2" )); then
 | |
| 	echo "Error: We can only run with bash 2.0 or higher.  Please upgrade your version"
 | |
| 	echo "of bash to something more recent, preferably the latest which is, as of this"
 | |
| 	echo "writing, 4.x"
 | |
| 	exit 1
 | |
| fi
 | |
| 
 | |
| 
 | |
| 
 | |
| # Swap out display_c command for dummy command if they don't want
 | |
| # output when command is run.
 | |
| if [ "${DisplayDetailedOutput}" == "yes" ]; then
 | |
| 	if [ "${ColorizeOut}" == "yes" ]; then
 | |
| 		display="display_c"
 | |
| 	else
 | |
| 		display="display_m"
 | |
| 	fi
 | |
| 	else
 | |
| 	display="true"
 | |
| fi
 | |
| 
 | |
| # Swap out debug command for dummy command if they don't want
 | |
| # debug output when command is run.
 | |
| if [ "${DisplayDebugInfo}" == "yes" ]; then
 | |
| 	if [ "${ColorizeOut}" == "yes" ]; then
 | |
| 		debug="display_c"
 | |
| 	else
 | |
| 		debug="display_m"
 | |
| 	fi
 | |
| else
 | |
| 	debug="true"
 | |
| fi
 | |
| 
 | |
| # Parse command line args
 | |
| while getopts "hfgv" opt; do
 | |
|   case $opt in
 | |
|     h)
 | |
|       show_help
 | |
| 	  exit 0
 | |
|       ;;
 | |
| 	v)
 | |
| 	  show_version
 | |
| 	  exit 0
 | |
| 	  ;;
 | |
| 	f)
 | |
| 	  [[ ${EnableIPv4} == "yes" ]] && iptables_rules_flush ipv4
 | |
| 	  [[ ${EnableIPv6} == "yes" ]] && iptables_rules_flush ipv6
 | |
| 	  [[ ${EnableIPv6} == "yes" ]] && default_policy_set ipv6 ACCEPT ACCEPT ACCEPT
 | |
| 	  [[ ${EnableIPv4} == "yes" ]] && default_policy_set ipv4 ACCEPT ACCEPT ACCEPT
 | |
| 	  exit 0
 | |
| 	  ;;
 | |
|     \?)
 | |
|       echo "Invalid option: -$OPTARG" >&2
 | |
|       ;;
 | |
|   esac
 | |
| done
 | |
| 
 | |
| #if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
 | |
| #	${display} RED "You must be root to run this script."
 | |
| #	exit 2
 | |
| #fi
 | |
| 
 | |
| # We can't function without certain cli binaries being available
 | |
| if [ ! -x "${GREP}" ]; then
 | |
| 	${display} RED "Error: grep command not found.  Please define GREP variable in main.conf manually."
 | |
| 	exit 3
 | |
| fi
 | |
| 
 | |
| # Basic sanity tests for ip{6}tables binaries and modules
 | |
| if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
 | |
| 	${display} RED "iptables command not found.  Please make sure you have the iptables"
 | |
| 	${display} RED "installed (package or source) and you have the IPTABLES option properly"
 | |
| 	${display} RED "defined in the 'main.conf' file if needed."
 | |
| 	exit 3
 | |
| fi
 | |
| 
 | |
| 
 | |
| if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
 | |
| 	${display} RED "ip6tables command not found.  Please make sure you have the iptables"
 | |
| 	${display} RED "installed (package or source) and you have the IP6TABLES option properly"
 | |
| 	${display} RED "defined in the 'main.conf' file if needed."
 | |
| 	exit 3
 | |
| fi
 | |
| 
 | |
| if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
 | |
| 	${display} RED "IPv4 Netfilter modules do not appear to be loaded.  Attempting to load now..."
 | |
| 	if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then
 | |
| 		${display} RED "Module ${IP4TablesMod} failed to load."
 | |
| 		${display} RED "Will continue with IPv4 disabled."
 | |
| 		EnableIPv4="no"
 | |
| 	else
 | |
| 		${display} GREEN "Module successfully loaded."
 | |
| 	fi
 | |
| fi
 | |
| 
 | |
| if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
 | |
| 	${display} RED "IPv6 Netfilter modules do not appear to be loaded.  Attempting to load now..."
 | |
| 	if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then
 | |
| 		${display} RED "Module ${IP6TablesMod} failed to load."
 | |
| 		${display} RED "Will continue with IPv6 disabled."
 | |
| 		EnableIPv6="no"
 | |
| 	else
 | |
| 		${display} GREEN "Module successfully loaded."
 | |
| 	fi
 | |
| fi
 | |
| 
 | |
| # Set up proper state matching variables, since there is old and new style.
 | |
| if [ "$StateMatching" ]; then
 | |
| 	case $StateMatching in
 | |
| 		conntrack|CONNTRACK|*)
 | |
| 			M_STATE="-m conntrack"
 | |
| 			C_STATE="--ctstate"
 | |
| 			;;
 | |
| 		state|STATE)
 | |
| 			M_STATE="-m state"
 | |
| 			C_STATE="--state"
 | |
| 	esac
 | |
| else
 | |
| 	M_STATE="-m conntrack"
 | |
| 	C_STATE="--ctstate"
 | |
| fi
 | |
| 
 | |
| 
 | |
| # Do IPv4 IPTables Rules
 | |
| if [ "${EnableIPv4}" == "yes" ]; then
 | |
| 
 | |
| 	# Commands to run before everything else
 | |
| 	if [ -x ${FWCONFIGDIR}/ipv4/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runbefore.sh; fi
 | |
| 	
 | |
| 	# First flush all rules
 | |
| 	iptables_rules_flush ipv4
 | |
| 	
 | |
| 	# Create the chain sets we'll need and the ones that can be
 | |
| 	# customized by users in their custom rules
 | |
| 	setup_iptables_chains ipv4
 | |
| 	
 | |
| 	[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
 | |
| 	[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
 | |
| 	Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
 | |
| 	Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
 | |
| 	Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
 | |
| 	default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
 | |
| 	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
 | |
| 		&& load_kernel_modules "${Loadv4NetfilterModules}"
 | |
| 	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \
 | |
| 		&& [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
 | |
| 	[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
 | |
| 	([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
 | |
| 			&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
 | |
| 	[[ ${DNSClientUsev4ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv4
 | |
| 	[[ ${DNSClientManualv4Servers} ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
 | |
| 	[[ ${Enablev4EasyBlock} == "yes" ]] && enable_easyblock ipv4
 | |
| 	[[ ${Enablev4Filtering} == "yes" ]] && enable_filtering ipv4
 | |
| 	[[ ${Enablev4Services} == "yes" ]] && enable_services ipv4
 | |
| 	[[ ${Enablev4Forwarding} == "yes" ]] && enable_forwarding ipv4
 | |
| 	[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
 | |
| 	[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4
 | |
| 	
 | |
| 	# Commands to run after everything else
 | |
| 	if [ -x ${FWCONFIGDIR}/ipv4/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runafter.sh; fi
 | |
| 	
 | |
| fi
 | |
| 
 | |
| # Do IPv6 IPTables Rules
 | |
| if [ "${EnableIPv6}" == "yes" ]; then
 | |
| 	# Commands to run before everything else
 | |
| 	if [ -x ${FWCONFIGDIR}/ipv6/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runbefore.sh; fi
 | |
| 	
 | |
| 	# First flush all rules
 | |
| 	iptables_rules_flush ipv6
 | |
| 	
 | |
| 	# Create the chain sets we'll need and the ones that can be
 | |
| 	# customized by users in their custom rules
 | |
| 	setup_iptables_chains ipv6
 | |
| 	
 | |
| 	[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
 | |
| 	[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
 | |
| 	enable_v6_critical_icmp
 | |
| 	Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
 | |
| 	Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
 | |
| 	Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
 | |
| 	default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
 | |
| 	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
 | |
| 		&& load_kernel_modules "${Loadv6NetfilterModules}"
 | |
| 	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \
 | |
| 		&& [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
 | |
| 	[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
 | |
| 	([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
 | |
| 			&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
 | |
| 	[[ ${DNSClientUsev6ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv6
 | |
| 	[[ ${DNSClientManualv6Servers} ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
 | |
| 	[[ ${Enablev6EasyBlock} == "yes" ]] && enable_easyblock ipv6
 | |
| 	[[ ${Enablev6Filtering} == "yes" ]] && enable_filtering ipv6
 | |
| 	[[ ${Enablev6Services} == "yes" ]] && enable_services ipv6
 | |
| 	[[ ${Enablev6Forwarding} == "yes" ]] && enable_forwarding ipv6
 | |
| 	[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
 | |
| 	[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
 | |
| 	[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
 | |
| 	# Commands to run after everything else
 | |
| 	if [ -x ${FWCONFIGDIR}/ipv6/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runafter.sh; fi
 | |
| fi
 | |
| 
 |