Mercurial > mbse-firewall / annotate

sbin/mbse-firewall@6b45cf9df8cf (annotated)

sbin/mbse-firewall

Thu, 06 Nov 2014 14:10:08 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Thu, 06 Nov 2014 14:10:08 +0100
changeset 3
6b45cf9df8cf
parent 2
7c794ae9f4de
child 4
92045b0e8e17
permissions
-rwxr-xr-x

Upgrades to version 0.0.14 and 0.0.15

0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
1 #!/bin/bash
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
2
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
3 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
4 # Copyright (C) 2013-2014 by Michiel Broek.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
5 # Homepage http://www.mbse.eu
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
6 # Email mbse At mbse dOt eu
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
7 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
8 # This file is part of mbse-firewall.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
9 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
10 # This program is free software; you can redistribute it and/or modify it
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
11 # under the terms of the GNU General Public License as published by the
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
12 # Free Software Foundation; either version 2, or (at your option) any
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
13 # later version.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
14 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
15 # This program is distributed in the hope that it will be useful, but
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
16 # WITHOUT ANY WARRANTY; without even the implied warranty of
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
18 # General Public License for more details.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
19 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
20 # You should have received a copy of the GNU General Public License
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
21 # along with this program; see the file COPYING. If not, write to the Free
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
23 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
24
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
25 MBSEFW_VERSION="0.0.15"
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
26
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
27 # Sanity checks
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
28 if [ "$(id -u)" != "0" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
29 echo "** You must be root to run this program"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
30 exit 1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
31 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
32
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
33 # If possible, log events in /var/log/messages:
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
34 if [ -f /var/run/syslogd.pid -a -x /usr/bin/logger ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
35 LOGGER=/usr/bin/logger
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
36 else # output to stdout/stderr:
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
37 LOGGER=/bin/cat
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
38 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
39
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
40
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
41 # IPv6 enabled?
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
42 USE_IPV6="0"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
43 if [ -f /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" == "0" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
44 USE_IPV6="1"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
45 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
46
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
47 # Find programs
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
48 IPTABLES=$(which iptables 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
49 IPTABLES_SAVE=$(which iptables-save 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
50 IPTABLES_RESTORE=$(which iptables-restore 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
51 LSMOD=$(which lsmod 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
52 AWK=$(which awk 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
53 GREP=$(which grep 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
54 IPSET=$(which ipset 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
55 SYSCTL=$(which sysctl 2>/dev/null)
2
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
56 NFACCT=$(which nfacct 2>/dev/null)
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
57
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
58 if [ "$USE_IPV6" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
59 IP6TABLES=$(which ip6tables 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
60 IP6TABLES_SAVE=$(which ip6tables-save 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
61 IP6TABLES_RESTORE=$(which ip6tables-restore 2>/dev/null)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
62 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
63
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
64
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
65 # Load configuration
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
66 if [ ! -f /etc/mbse-firewall/firewall.conf ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
67 echo "** /etc/mbse-firewall/firewall.conf not found, abort"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
68 exit 1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
69 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
70 . /etc/mbse-firewall/firewall.conf
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
71
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
72 # Some defaults, they are replaced when configured in
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
73 # /etc/mbse-firewall/firewall.conf
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
74
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
75 IF_EXT_AUTO_TO=${IF_EXT_AUTO_TO:=3600}
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
76 IF_EXT_AUTO_LIMIT=${IF_EXT_AUTO_LIMIT:=5/hour}
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
77 IF_EXT_AUTO_BURST=${IF_EXT_AUTO_BURST:=10}
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
78
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
79 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
80 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
81 # Functions
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
82 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
83 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
84
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
85
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
86 # Reset iptables back to Slackware default.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
87 reset_iptables() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
88
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
89 if [ -f /proc/net/ip_tables_names ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
90 cat /proc/net/ip_tables_names | while read table; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
91 $IPTABLES -t $table -L -n | while read c chain rest; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
92 if test "X$c" = "XChain" ; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
93 $IPTABLES -t $table -F $chain
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
94 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
95 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
96 $IPTABLES -t $table -X
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
97 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
98
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
99 $IPTABLES -P INPUT $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
100 $IPTABLES -P OUTPUT $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
101 $IPTABLES -P FORWARD $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
102 echo "Reset iptables default policy $1" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
103 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
104
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
105 if [ "$USE_IPV6" == "1" ] && [ -f /proc/net/ip6_tables_names ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
106 cat /proc/net/ip6_tables_names | while read table; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
107 $IP6TABLES -t $table -L -n | while read c chain rest; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
108 if test "X$c" = "XChain" ; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
109 $IP6TABLES -t $table -F $chain
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
110 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
111 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
112 $IP6TABLES -t $table -X
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
113 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
114 $IP6TABLES -P OUTPUT $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
115 $IP6TABLES -P INPUT $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
116 $IP6TABLES -P FORWARD $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
117 echo "Reset ip6tables default policy $1" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
118 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
119
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
120 # Remove any ipset tables.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
121 $IPSET flush
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
122 $IPSET destroy
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
123 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
124
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
125
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
126
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
127 is_external_if4() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
128 [ "x${IF_EXT}" == "x$1" ] && return 1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
129
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
130 return 0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
131 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
132
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
133
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
134
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
135 is_external_if6() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
136 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
137 [ "x${IF_EXT6}" == "x$1" ] && return 1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
138 [ "x${IF_EXT}" == "x$1" -a -z "${IF_EXT6}" ] && return 1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
139 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
140
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
141 return 0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
142 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
143
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
144
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
145
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
146 reload_blocklist4() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
147
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
148 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
149 if [ -f $BLOCKLIST ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
150 echo "Reload $BLOCKLIST" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
151 $IPSET create new-mbsefw-blk4ip hash:ip counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
152 $IPSET create new-mbsefw-blk4net hash:net counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
153 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
154 set $L
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
155 if echo $1 | $GREP -q "/" ; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
156 $IPSET add new-mbsefw-blk4net $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
157 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
158 $IPSET add new-mbsefw-blk4ip $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
159 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
160 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
161 $IPSET swap mbsefw-blk4net new-mbsefw-blk4net
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
162 $IPSET flush new-mbsefw-blk4net
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
163 $IPSET destroy new-mbsefw-blk4net
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
164 $IPSET swap mbsefw-blk4ip new-mbsefw-blk4ip
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
165 $IPSET flush new-mbsefw-blk4ip
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
166 $IPSET destroy new-mbsefw-blk4ip
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
167 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
168 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
169
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
170
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
171
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
172 reload_blocklist6() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
173
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
174 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
175 if [ -f $BLOCKLIST ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
176 echo "Reload $BLOCKLIST" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
177 $IPSET create new-mbsefw-blk6 hash:net family inet6 counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
178 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
179 set $L ; $IPSET add new-mbsefw-blk6 $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
180 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
181 $IPSET swap mbsefw-blk6 new-mbsefw-blk6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
182 $IPSET flush new-mbsefw-blk6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
183 $IPSET destroy new-mbsefw-blk6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
184 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
185 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
186
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
187
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
188
2
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
189 fw_init_nfacct() {
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
190 NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf"
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
191 if [ -f $NFACCTCONF ]; then
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
192 echo "Init netfilter accounting" | $LOGGER
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
193 $GREP -Ev '^#|^;|^\s*$' $NFACCTCONF | while read L ; do
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
194 set $L
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
195 if [ -z "$($NFACCT list | $GREP $1)" ]; then
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
196 $NFACCT add $1
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
197 fi
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
198 done
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
199 fi
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
200 }
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
201
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
202
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
203
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
204 fw_init_sysctl() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
205 # If we have bridges and don't want iptables to work between
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
206 # the physical interfaces, turn it off.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
207 if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
208 $SYSCTL -e -q -w net.bridge.bridge-nf-call-arptables=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
209 $SYSCTL -e -q -w net.bridge.bridge-nf-call-ip6tables=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
210 $SYSCTL -e -q -w net.bridge.bridge-nf-call-iptables=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
211 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
212
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
213 # No arp about internal interfaces across the border.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
214 if [ "$IF_EXT_IS_BORDER_GW" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
215 $SYSCTL -q -w net.ipv4.conf.${IF_EXT}.arp_ignore=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
216 $SYSCTL -q -w net.ipv4.conf.${IF_EXT}.arp_announce=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
217 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
218 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
219
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
220
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
221
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
222 fw_start_init() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
223
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
224 echo "Init new firewall" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
225
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
228 echo " Install $BLOCKLIST" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
229 $IPSET create mbsefw-blk4ip hash:ip counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
230 $IPSET create mbsefw-blk4net hash:net counters -exist
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
231 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
232 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
233 if [ "$FW_FORWARD" = "1" ]; then
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
234 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
235 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
236 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
238 set $L
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
239 if echo $1 | $GREP -q "/" ; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
240 $IPSET add mbsefw-blk4net $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
241 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
242 $IPSET add mbsefw-blk4ip $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
243 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
244 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
245 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
246 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
247
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
248 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
249 if [ -f $BLOCKLIST ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
250 echo " Install $BLOCKLIST" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
251 $IPSET create mbsefw-blk6 hash:net family inet6 counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
252 if [ -n "$IF_EXT6" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
253 IF6=$IF_EXT6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
254 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
255 IF6=$IF_EXT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
256 fi
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
257 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
258 if [ "$FW_FORWARD" = "1" ]; then
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
259 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
260 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
262 set $L
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
263 $IPSET add mbsefw-blk6 $1 -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
264 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
265 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
266 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
267
2
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
268 fw_init_nfacct
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
269 echo -n "."
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
270
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
271 # accept established and related connections
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
272 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
273 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
274 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
275 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
276 $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
277 $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
278 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
279 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
280
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
281 # drop packets that do not match any valid state. This also blocks invalid
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
282 # flag combinations that are used by portscans.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
283 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
284 $IPTABLES -A INPUT -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
285 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
286 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
287 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
288 $IP6TABLES -A INPUT -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
289 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
290 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
291
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
292 # Allow everything on the loopback interface
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
293 $IPTABLES -A INPUT -i lo -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
294 $IPTABLES -A OUTPUT -o lo -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
295 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
296 $IP6TABLES -A INPUT -i lo -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
297 $IP6TABLES -A OUTPUT -o lo -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
298 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
299
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
300 # Anti spoofing on the external interface. Methods since the 3.3 kernel!
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
301 if [ -n "$IF_EXT" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
302 for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
303 echo 1 > $f
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
304 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
305 $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
306 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
307 if [ -n "$IF_EXT6" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
308 $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
309 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
310 $IP6TABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
311 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
312 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
313 # Manual anti spoofing on the interfaces is configured using the
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
314 # interfaces configuration and only if the system is a router.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
315 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
316
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
317 # IPv4 ssh backdoor
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
318 if [ -n "$IPV4_BACKDOOR_SSH" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
319 $IPTABLES -A INPUT -p tcp -m tcp -s $IPV4_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
320 $IPTABLES -A OUTPUT -p tcp -m tcp -d $IPV4_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
321 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
322 # IPv6 ssh backdoor
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
323 if [ "$USE_IPV6" == "1" ] && [ -n "$IPV6_BACKDOOR_SSH" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
324 $IP6TABLES -A INPUT -p tcp -m tcp -s $IPV6_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
325 $IP6TABLES -A OUTPUT -p tcp -m tcp -d $IPV6_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
326 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
327
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
328 # Usefull ICMPv4
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
329 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
330 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
331 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
332 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
333 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
334 $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
335 $IPTABLES -A INPUT -p icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
336 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
337 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
338 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
339 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
340 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
341 $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
342 $IPTABLES -A OUTPUT -p icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
343 if [ "$FW_FORWARD" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
344 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
345 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
346 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
347 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
348 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
349 $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
350 $IPTABLES -A FORWARD -p icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
351 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
352
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
353 # If this system has enabled IPv6 ...
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
354 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
355 # ICMPv6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
356 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
357 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
358 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
359 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
360 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
361 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
362 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
363 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
364 if [ "$FW_FORWARD" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
365 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
366 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
367 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
368 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
369 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
370
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
371 # Rate limited icmpv6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
372 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
373 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
374 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
375 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
376 if [ "$FW_FORWARD" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
377 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
378 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
379 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
380
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
381 # rules to permit IPv6 Neighbor discovery
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
382 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
383 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
384 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
385 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
386 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
387 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
388 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
389 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
390
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
391 # MLD messages. DROP on external interface, but ACCEPT on others.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
392 if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
393 $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
394 elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
395 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
396 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
397 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
398
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
399 # Drop unmatched icmpv6 but log them so we can debug
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
400 $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
401 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
402 $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
403 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
404 [ "$FW_FORWARD" = "1" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
405 $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
406 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
407 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
408 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
409
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
410 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
411 # ================ Table 'mangle', automatic rules
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
412 [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
413 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
414 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
415 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
416 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
417
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
418 # Filter all packets that have RH0 header
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
419 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
420 # Filter all packets that have RH0 header
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
421 $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
422 $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
423 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
424
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
425 # Allow Link-Local sddresses
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
426 $IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
427 $IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
428
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
429 # Allow Multicast
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
430 $IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
431 $IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
432 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
433
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
434 # Traceroute
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
435 if [ "$FW_TRACEROUTE" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
436 $IPTABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
437 $IPTABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
438 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
439 if [ "$USE_IPV6" == "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
440 $IP6TABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
441 $IP6TABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
442 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
443 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
444 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
445
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
446 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
447 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
448
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
449
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
450
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
451 fw_start_interface_chain()
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
452 {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
453 local multi iodir IFS=\;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
454
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
455 INTF=$1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
456 FCHAIN=$2
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
457 NCHAIN=$3
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
458 SCHAIN=$4
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
459 CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
460 is_external_if4 $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
461 EXTERN4=$?
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
462 is_external_if6 $1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
463 EXTERN6=$?
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
464
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
465 # TODO: use subchains, but we need to do 2 passes on the config
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
466 # files to make it work.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
467
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
468 # Are there rules for this chain?
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
469 if [ -f $CONFFILE ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
470 echo " Start chain ${NCHAIN} on interface ${INTF} is external ipv4: ${EXTERN4} ipv6: ${EXTERN6}" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
471
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
472 # Install auto blacklisting if set for this interface and this is the
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
473 # INPUT or FORWARD chain. In /etc/mbse-firewall/firewall.conf set then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
474 # IF_EXT_AUTO_TO value for the block timeout. Default is 3600 seconds.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
475 # See the end of this function for the actual test.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
476 if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
477 if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
478 if [ "$EXTERN4" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
479 echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
480 $IPSET create mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
481 $IPTABLES -I $NCHAIN -m set --match-set mbsefw-auto4 src -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
482 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
483 if [ "$EXTERN6" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
484 echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
485 $IPSET create mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
486 $IP6TABLES -I $NCHAIN -m set --match-set mbsefw-auto6 src -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
487 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
488 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
489 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
490
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
491 # Adjust for the direction of the chain
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
492 if [ "$NCHAIN" = "OUTPUT" -o "$NCHAIN" = "POSTROUTING" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
493 iodir="-o"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
494 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
495 iodir="-i"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
496 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
497
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
498 # Read the configuration
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
499 $GREP -Ev '^#|^\s*$' $CONFFILE | while read L ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
500 set $L
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
501 # Build command
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
502 if [ "$1" = "6" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
503 CMD=$IP6TABLES
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
504 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
505 CMD=$IPTABLES
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
506 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
507
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
508 if [ -n "$2" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
509 args=("-t" "$2" "-A" "$NCHAIN" "$iodir" "${INTF}")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
510 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
511 args=("-A" "$NCHAIN" "$iodir" "${INTF}")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
512 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
513
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
514 # Protocol
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
515 [ -n "$3" ] && args+=("-p" "$3" "-m" "$3")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
516
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
517 # Test for multiport
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
518 multi=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
519 [ -n "$5$7" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
520 [[ $5$7 == *","* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
521 [[ $5$7 == *":"* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
522 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
523 [ "$multi" = "1" ] && args+=("-m" "multiport")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
524
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
525 # Source address
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
526 [ -n "$4" ] && args+=("-s" "$4")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
527
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
528 # Source port(s)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
529 [ -n "$5" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
530 multi=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
531 [[ $5 == *","* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
532 [[ $5 == *":"* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
533 if [ "$multi" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
534 args+=("--sports" "$5")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
535 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
536 args+=("--sport" "$5")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
537 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
538 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
539
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
540 # Destination address
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
541 [ -n "$6" ] && args+=("-d" "$6")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
542
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
543 # Destination port(s)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
544 [ -n "$7" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
545 multi=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
546 [[ $7 == *","* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
547 [[ $7 == *":"* ]] && multi=1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
548 if [ "$multi" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
549 args+=("--dports" "$7")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
550 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
551 args+=("--dport" "$7")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
552 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
553 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
554
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
555 # Rule options
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
556 [ -n "$9" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
557 IFS=' '
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
558 for arg in $9; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
559 args+=("$arg")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
560 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
561 IFS=\;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
562 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
563
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
564 # Rule action
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
565 [ -n "$8" ] && {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
566 IFS=' '
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
567 args+=("-j")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
568 for arg in $8; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
569 args+=("$arg")
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
570 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
571 IFS=\;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
572 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
573
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
574 $CMD "${args[@]}"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
575 rc=$?
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
576 echo " " $CMD "${args[@]}" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
577 if [ $rc -ne 0 ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
578 echo "Error in $CONFFILE" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
579 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
580 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
581
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
582 # In PREROUTING or POSTROUTING chains we are done here.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
583 if [ "$NCHAIN" = "PREROUTING" -o "$NCHAIN" = "POSTROUTING" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
584 return
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
585 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
586
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
587 # Ignore timing problems with old connections
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
588 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
589 [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
590
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
591 # Install the final autoblock rule if this is the INPUT or FORWARD chain.
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
592 # We allow upto 5 probes per minute or a burst of 10 probes. This should be
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
593 # a good balance to catch the real bad guys. Note that until the IP is
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
594 # blocked these systems are logged using the rule below this one.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
595 if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
596 if [ "${EXTERN4}" = "1" ]; then
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
597 # First, ignore these. Can happen after a temporary network problem.
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
598 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
599 # Now the real rule.
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
600 $IPTABLES -A $NCHAIN $iodir ${INTF} \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
601 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
602 -j SET --add-set mbsefw-auto4 src
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
603 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
604 if [ "${EXTERN6}" = "1" ]; then
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
605 # First, ignore these. Can happen after a temporary network problem.
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
606 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
607 # Now the real rule.
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
608 $IP6TABLES -A $NCHAIN $iodir ${INTF} \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
609 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
610 -j SET --add-set mbsefw-auto6 src
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
611 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
612 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
613 # deny and log the rest
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
614 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
615 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
616 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
617 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
618 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
619 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
620 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
621
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
622
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
623
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
624 fw_start_interface()
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
625 {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
626 fw_start_interface_chain $1 "prerouting" "PREROUTING" "pre"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
627 fw_start_interface_chain $1 "input" "INPUT" "in"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
628 fw_start_interface_chain $1 "output" "OUTPUT" "out"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
629 fw_start_interface_chain $1 "forward" "FORWARD" "fwd"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
630 fw_start_interface_chain $1 "postrouting" "POSTROUTING" "post"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
631 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
632
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
633
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
634
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
635 fw_start_main() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
636 i=0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
637
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
638 [ -n "$IF_EXT" ] && fw_start_interface "$IF_EXT"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
639 [ -n "$IF_EXT6" ] && fw_start_interface "$IF_EXT6"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
640
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
641 while [ $i -lt 50 ];
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
642 do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
643 [ -z "${IF_TRUNK[$i]}" ] && break
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
644 fw_start_interface "${IF_TRUNK[$i]}"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
645 i=$(($i+1))
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
646 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
647 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
648
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
649
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
650
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
651 fw_start_final() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
652 # Deny and log everything else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
653 $IPTABLES -N FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
654 $IPTABLES -A OUTPUT -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
655 $IPTABLES -A INPUT -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
656 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
657 $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
658 $IPTABLES -A FINAL_RULE -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
659 if [ "$USE_IPV6" = "1" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
660 $IP6TABLES -N FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
661 $IP6TABLES -A OUTPUT -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
662 $IP6TABLES -A INPUT -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
663 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
664 $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
665 $IP6TABLES -A FINAL_RULE -j DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
666 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
667 echo "Firewall installed" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
668 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
669
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
670
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
671
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
672 fw_install() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
673 echo -n "Installing $(basename $0) $MBSEFW_VERSION: "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
674 reset_iptables DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
675 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
676 fw_init_sysctl
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
677 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
678 fw_start_init
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
679 fw_start_main
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
680 fw_start_final
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
681 echo " done."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
682 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
683
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
684
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
685
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
686 fw_start() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
687 if [ -f /etc/mbse-firewall/data/firewall-ipv4.data -a \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
688 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
689 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
690 # Do a full restore of all saved data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
691 echo -n "Starting $(basename $0) $MBSEFW_VERSION: "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
692 echo "Start new firewall" | $LOGGER
2
7c794ae9f4de Added support for nfacct objects. Version 0.0.13
Michiel Broek <mbroek@mbse.eu>
parents: 0
diff changeset
693 fw_init_nfacct
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
694 reset_iptables DROP
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
695 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
696 fw_init_sysctl
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
697 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
698 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
699 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
700 $IPTABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv4.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
701 echo " Restored /etc/mbse-firewall/data/firewall-ipv4.data" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
702 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
703 $IP6TABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv6.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
704 echo " Restored /etc/mbse-firewall/data/firewall-ipv6.data" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
705 echo " done."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
706 echo -n "New firewall active" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
707 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
708 # If there is no saved firewall, install a new one and save it.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
709 fw_install
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
710 fw_save
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
711 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
712 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
713
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
714
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
715
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
716 fw_stop() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
717 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
718 # Slackware defaults to ACCEPT when no firewall is active.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
719 reset_iptables ACCEPT
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
720 echo "done."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
721 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
722
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
723
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
724
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
725 # If there are blocklist tables, reload them.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
726 fw_reload() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
727 echo -n "Reload $(basename $0) $MBSEFW_VERSION: "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
728 reload_blocklist4
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
729 reload_blocklist6
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
730 echo done.
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
731 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
732
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
733
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
734
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
735 fw_save() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
736 echo -n "Saving $(basename $0) $MBSEFW_VERSION: "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
737 echo "Saving firewall" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
738 mkdir -p /etc/mbse-firewall/data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
739 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
740 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
741 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
742 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
743
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
744 rm -f /etc/mbse-firewall/data/firewall-ipset.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
745 touch /etc/mbse-firewall/data/firewall-ipset.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
746 SETS="$($IPSET list -n)"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
747 for set in $SETS ; do
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
748 if [ "$set" = "mbsefw-auto4" -o "$set" = "mbsefw-auto6" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
749 # Only save structure for auto blocklists
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
750 $IPSET save $set -t >> /etc/mbse-firewall/data/firewall-ipset.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
751 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
752 $IPSET save $set >> /etc/mbse-firewall/data/firewall-ipset.data
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
753 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
754 echo -n "."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
755 done
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
756 echo " done."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
757 echo "Save firewall done in /etc/mbse-firewall/data" | $LOGGER
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
758 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
759
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
760
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
761
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
762 fw_status() {
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
763
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
764 echo -n "$(basename $0) $MBSEFW_VERSION"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
765
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
766 IP_MODULES=$($LSMOD | $AWK '{print $1}' | $GREP '^ip')
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
767 if [ "${IP_MODULES}x" = "x" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
768 echo " - You do not have any iptables loaded."
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
769 return
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
770 else
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
771 echo " - You have the following ip modules loaded:"
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
772 echo -n " "
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
773 echo ${IP_MODULES}
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
774 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
775
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
776 if [ ! -z "$( echo $IP_MODULES | $GREP iptable_filter )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
777 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
778 echo ' FILTER TABLE IPv4'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
779 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
780 $IPTABLES -t filter -L -n -v --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
781 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
782
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
783 if [ ! -z "$( echo $IP_MODULES | $GREP ip6table_filter )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
784 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
785 echo ' FILTER TABLE IPv6'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
786 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
787 $IP6TABLES -t filter -L -n -v --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
788 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
789
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
790 if [ ! -z "$( echo $IP_MODULES | $GREP iptable_nat )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
791 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
792 echo ' NAT TABLE IPv4'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
793 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
794 $IPTABLES -t nat -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
795 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
796
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
797 if [ ! -z "$( echo $IP_MODULES | $GREP ip6table_nat )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
798 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
799 echo ' NAT TABLE IPv6'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
800 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
801 $IP6TABLES -t nat -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
802 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
803
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
804 if [ ! -z "$( echo $IP_MODULES | $GREP iptable_raw )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
805 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
806 echo ' RAW TABLE IPv4'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
807 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
808 $IPTABLES -t raw -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
809 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
810
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
811 if [ ! -z "$( echo $IP_MODULES | $GREP ip6table_raw )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
812 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
813 echo ' RAW TABLE IPv6'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
814 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
815 $IP6TABLES -t raw -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
816 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
817
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
818 if [ ! -z "$( echo $IP_MODULES | $GREP iptable_mangle )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
819 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
820 echo ' MANGLE TABLE IPv4'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
821 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
822 $IPTABLES -t mangle -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
823 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
824
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
825 if [ ! -z "$( echo $IP_MODULES | $GREP ip6table_mangle )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
826 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
827 echo ' MANGLE TABLE IPv6'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
828 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
829 $IP6TABLES -t mangle -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
830 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
831
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
832 if [ ! -z "$( echo $IP_MODULES | $GREP iptable_security )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
833 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
834 echo ' SECURITY TABLE IPv4'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
835 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
836 $IPTABLES -t security -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
837 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
838
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
839 if [ ! -z "$( echo $IP_MODULES | $GREP ip6table_security )" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
840 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
841 echo ' SECURITY TABLE IPv6'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
842 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
843 $IP6TABLES -t security -L -v -n --line-numbers
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
844 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
845
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
846 if [ -n "$IPSET" ] && [ ! -z "$($IPSET list)" ]; then
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
847 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
848 echo ' IPSET listing'
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
849 echo
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
850 $IPSET list
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
851 fi
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
852 }
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
853
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
854
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
855
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
856 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
857 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
858 # MAIN program part
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
859 #
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
860 # ---------------------------------------------------------------------------
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
861
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
862
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
863 # See how we were called
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
864 cmd=$1
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
865
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
866 case "$cmd" in
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
867 start)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
868 fw_start
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
869 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
870
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
871 stop)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
872 fw_stop
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
873 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
874
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
875 restart)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
876 fw_stop
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
877 fw_start
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
878 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
879
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
880 save)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
881 fw_save
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
882 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
883 install)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
884 fw_install
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
885 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
886 reload)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
887 fw_reload
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
888 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
889 status)
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
890 fw_status
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
891 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
892
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
893 *)
3
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
894 echo "Usage $0 [start|stop|restart|save|install|reload|status]"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
895 echo
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
896 echo "start start a saved firewall"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
897 echo "stop stop firewall and set default ACCEPT state"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
898 echo "restart stop and start the firewall"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
899 echo "save save current installed firewall rules"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
900 echo "install install new firewall from configuration"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
901 echo "reload reload the blocklists"
6b45cf9df8cf Upgrades to version 0.0.14 and 0.0.15
Michiel Broek <mbroek@mbse.eu>
parents: 2
diff changeset
902 echo "status show the firewall rules and counters"
0
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
903 ;;
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
904 esac
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
905
d4d23e51be4f Initial import
Michiel Broek <mbroek@mbse.eu>
parents:
diff changeset
906

Mercurial Repository: mbse-firewall

mercurial