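#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
#    Copyright (C) 2009 - 2014  Brielle Bruns
#    Copyright (C) 2009 - 2014  The Summit Open Source Development Group
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Main entry script for srfirewall: loads the helper libraries and the user
# configuration, sanity-checks the environment, then builds the IPv4 and
# IPv6 rule sets.  (The shebang previously lacked the '!' and so was only a
# comment; the script relies on bash-only syntax such as (( )) and &>.)

# Static config options, normally do not need to change
FW_VERSION="2.0 PreAlpha 1"

# Important directory locations.  This script sources and executes code
# from these paths, so they must not become overridable from the
# environment or the command line.
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"

# Begin sourcing critical files, because we need things like path right away.
# 'source' on a missing or unreadable file only prints a warning and carries
# on, which would leave helper functions and settings undefined and fail
# much later in a confusing way -- so every file is checked before loading.
# Order matters: the .inc libraries come first, then main.conf, then the
# per-family configuration.
for fw_file in \
	"${FWLIBDIR}/binaries.inc" \
	"${FWLIBDIR}/iptables.inc" \
	"${FWLIBDIR}/display.inc" \
	"${FWCONFIGDIR}/main.conf" \
	"${FWCONFIGDIR}/chains.conf" \
	"${FWCONFIGDIR}/ipv4.conf" \
	"${FWCONFIGDIR}/ipv6.conf"; do
	if [ ! -r "${fw_file}" ]; then
		echo "Error: required file '${fw_file}' is missing or unreadable." >&2
		exit 1
	fi
	source "${fw_file}"
done
unset fw_file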
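# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
# BASH_VERSINFO[0] is the major version.  The diagnostic goes to stderr so it
# is not lost when stdout is redirected or disabled.
if (( BASH_VERSINFO[0] < 3 )); then
	echo "Error: We can only run with bash 3.0 or higher.  Please upgrade your version" >&2
	echo "of bash to something more recent, preferably the latest which is, as of this" >&2
	echo "writing, 4.x" >&2
	exit 1
fi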
# Swap out display_c command for dummy command if they don't want
# output when command is run.
# ${display} is later invoked as a command ("${display} RED message"):
#   display_c - when DisplayDetailedOutput=yes and ColorizeOut=yes
#   display_m - when DisplayDetailedOutput=yes and ColorizeOut is anything else
#   true      - output disabled (any other DisplayDetailedOutput value)
display="true"
if [ "${DisplayDetailedOutput}" == "yes" ]; then
	display="display_m"
	[ "${ColorizeOut}" == "yes" ] && display="display_c"
fi

# Swap out debug command for dummy command if they don't want
# debug output when command is run.  Same three choices as ${display},
# but keyed on DisplayDebugInfo.
debug="true"
if [ "${DisplayDebugInfo}" == "yes" ]; then
	debug="display_m"
	[ "${ColorizeOut}" == "yes" ] && debug="display_c"
fi
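# Parse command line args.
# The leading ':' puts getopts in silent mode, so an unknown flag leaves the
# offending character in OPTARG for our own message (without it bash prints
# its own error and unsets OPTARG, and the message below printed just "-").
# -f and -g are accepted by the option string but no handler exists in this
# script.
while getopts ":hfgv" opt; do
	case "${opt}" in
		h)
			show_help
			exit 0
			;;
		v)
			show_version
			exit 0
			;;
		f|g)
			# Accepted, but nothing in this script acts on them yet.
			;;
		\?)
			# An unrecognized flag must not fall through to rewriting the
			# firewall rules; stop here instead of silently continuing.
			echo "Invalid option: -${OPTARG}" >&2
			exit 1
			;;
	esac
done

# NOTE(review): the root check below is disabled.  Without it a non-root
# run only fails later, when the first ip{6}tables call is refused, unless
# DebugOverride is set.
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
#	${display} RED "You must be root to run this script."
#	exit 2
#fi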
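# We can't function without certain cli binaries being available.
# GREP is expected to come from main.conf / binaries.inc; an unset or
# non-executable value fails the -x test and stops the script.
if [ ! -x "${GREP}" ]; then
	${display} RED "Error: grep command not found.  Please define GREP variable in main.conf manually."
	exit 3
fi

# Basic sanity tests for ip{6}tables binaries and modules.
# DebugOverride=yes bypasses every check in this section; keep it unset on
# hosts where the rules are actually meant to be applied.
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
	${display} RED "iptables command not found.  Please make sure you have the iptables"
	${display} RED "installed (package or source) and you have the IPTABLES option properly"
	${display} RED "defined in the 'main.conf' file if needed."
	exit 3
fi

if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
	${display} RED "ip6tables command not found.  Please make sure you have the iptables"
	${display} RED "installed (package or source) and you have the IP6TABLES option properly"
	${display} RED "defined in the 'main.conf' file if needed."
	exit 3
fi

# The /proc/net/ip*_tables_names files are used as the "netfilter modules
# are loaded" test.  If loading fails, that address family is switched off
# rather than aborting, so the other family still gets its rules.
# modprobe is run directly and its exit status tested; an unset or
# non-executable MODPROBE counts as a failed load (running it through
# command substitution, as before, reported success for an empty MODPROBE).
# ${IP4TablesMod}/${IP6TablesMod} are left unquoted in case main.conf lists
# more than one module name -- confirm against main.conf.
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
	${display} RED "IPv4 Netfilter modules do not appear to be loaded.  Attempting to load now..."
	# shellcheck disable=SC2086
	if [ -x "${MODPROBE}" ] && ${MODPROBE} ${IP4TablesMod} &>/dev/null; then
		${display} GREEN "Module successfully loaded."
	else
		${display} RED "Module ${IP4TablesMod} failed to load."
		${display} RED "Will continue with IPv4 disabled."
		EnableIPv4="no"
	fi
fi

if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
	${display} RED "IPv6 Netfilter modules do not appear to be loaded.  Attempting to load now..."
	# shellcheck disable=SC2086
	if [ -x "${MODPROBE}" ] && ${MODPROBE} ${IP6TablesMod} &>/dev/null; then
		${display} GREEN "Module successfully loaded."
	else
		${display} RED "Module ${IP6TablesMod} failed to load."
		${display} RED "Will continue with IPv6 disabled."
		EnableIPv6="no"
	fi
fi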
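# Set up proper state matching variables, since there is old and new style.
# StateMatching=state (or STATE) selects the old "-m state --state" match;
# anything else, including unset, selects "-m conntrack --ctstate".
# The "state" arm must come before the catch-all: in the previous layout
# "conntrack|CONNTRACK|*" was listed first, so the "state" arm was
# unreachable and that setting was silently ignored.
case "${StateMatching}" in
	state|STATE)
		M_STATE="-m state"
		C_STATE="--state"
		;;
	*)
		M_STATE="-m conntrack"
		C_STATE="--ctstate"
		;;
esac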
# Do IPv4 IPTables Rules
# Every helper below comes from the sourced library files and takes the
# address family as its first argument; each optional step is gated on a
# configuration setting.
if [ "${EnableIPv4}" == "yes" ]; then
	# First flush all rules, then create the chain sets we'll need and the
	# ones that can be customized by users in their custom rules
	iptables_rules_flush ipv4
	setup_iptables_chains ipv4

	if [ "${AllowAllv4Loopback}" == "yes" ]; then
		allow_all_loopback ipv4
	fi
	if [ "${EnableTrustedv4Hosts}" == "yes" ]; then
		allow_trusted_hosts ipv4
	fi
	if [ "${Enablev4MSSClamp}" == "yes" ]; then
		enable_mss_clamp ipv4
	fi
	if [ "${DNSClientUsev4ResolvConf}" == "yes" ]; then
		allow_resolvconf_servers ipv4
	fi
	# Non-empty value means a manual server list was configured
	if [ -n "${DNSClientManualv4Servers}" ]; then
		allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
	fi
	if [ "${Enablev4EasyBlock}" == "yes" ]; then
		enable_easyblock ipv4
	fi
	if [ "${Enablev4Filtering}" == "yes" ]; then
		enable_filtering ipv4
	fi
fi
# Do IPv6 IPTables Rules
# Mirror of the IPv4 section above, driven by the v6 settings.
if [ "${EnableIPv6}" == "yes" ]; then
	# First flush all rules, then create the chain sets we'll need and the
	# ones that can be customized by users in their custom rules
	iptables_rules_flush ipv6
	setup_iptables_chains ipv6

	if [ "${AllowAllv6Loopback}" == "yes" ]; then
		allow_all_loopback ipv6
	fi
	if [ "${EnableTrustedv6Hosts}" == "yes" ]; then
		allow_trusted_hosts ipv6
	fi
	if [ "${Enablev6MSSClamp}" == "yes" ]; then
		enable_mss_clamp ipv6
	fi
	if [ "${DNSClientUsev6ResolvConf}" == "yes" ]; then
		allow_resolvconf_servers ipv6
	fi
	# Non-empty value means a manual server list was configured
	if [ -n "${DNSClientManualv6Servers}" ]; then
		allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
	fi
	if [ "${Enablev6EasyBlock}" == "yes" ]; then
		enable_easyblock ipv6
	fi
	if [ "${Enablev6Filtering}" == "yes" ]; then
		enable_filtering ipv6
	fi
fi