Thu, 06 Nov 2014 14:10:08 +0100
Upgrades to version 0.0.14 and 0.0.15
0 | 1 | #!/bin/bash |
2 | ||
3 | # --------------------------------------------------------------------------- | |
4 | # Copyright (C) 2013-2014 by Michiel Broek. | |
5 | # Homepage http://www.mbse.eu | |
6 | # Email mbse At mbse dOt eu | |
7 | # | |
8 | # This file is part of mbse-firewall. | |
9 | # | |
10 | # This program is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
15 | # This program is distributed in the hope that it will be useful, but | |
16 | # WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with this program; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | # --------------------------------------------------------------------------- | |
24 | ||
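MBSEFW_VERSION="0.0.15"

# Sanity checks: the packet filter can only be changed by root.
if [ "$(id -u)" != "0" ]; then
  echo "** You must be root to run this program" >&2
  exit 1
fi

# If possible, log events in /var/log/messages, otherwise write them to
# stdout. Every "... | $LOGGER" further down relies on this variable.
if [ -f /var/run/syslogd.pid ] && [ -x /usr/bin/logger ]; then
  LOGGER=/usr/bin/logger
else
  LOGGER=/bin/cat
fi

# IPv6 enabled? A "0" in disable_ipv6 means the kernel has IPv6 switched on.
USE_IPV6="0"
if [ -f /proc/sys/net/ipv6/conf/all/disable_ipv6 ] \
   && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" = "0" ]; then
  USE_IPV6="1"
fi

# Find programs. Optional tools (ipset, nfacct, ...) may end up empty and
# the functions using them have to cope with that. iptables is mandatory:
# without it not a single rule would be installed while the script still
# reports "done", leaving the host unfiltered.
IPTABLES=$(command -v iptables 2>/dev/null)
if [ -z "$IPTABLES" ]; then
  echo "** iptables not found in PATH, abort" >&2
  exit 1
fi
IPTABLES_SAVE=$(command -v iptables-save 2>/dev/null)
IPTABLES_RESTORE=$(command -v iptables-restore 2>/dev/null)
LSMOD=$(command -v lsmod 2>/dev/null)
AWK=$(command -v awk 2>/dev/null)
GREP=$(command -v grep 2>/dev/null)
IPSET=$(command -v ipset 2>/dev/null)
SYSCTL=$(command -v sysctl 2>/dev/null)
NFACCT=$(command -v nfacct 2>/dev/null)

if [ "$USE_IPV6" = "1" ]; then
  IP6TABLES=$(command -v ip6tables 2>/dev/null)
  if [ -z "$IP6TABLES" ]; then
    # Without ip6tables nothing can be filtered on IPv6 anyway; say so
    # clearly instead of failing on every single ip6tables rule below.
    echo "** IPv6 is enabled but ip6tables was not found: IPv6 traffic is NOT filtered" >&2
    USE_IPV6="0"
  else
    IP6TABLES_SAVE=$(command -v ip6tables-save 2>/dev/null)
    IP6TABLES_RESTORE=$(command -v ip6tables-restore 2>/dev/null)
  fi
fi

# Load configuration. The file is sourced, i.e. executed as root, so it
# must be owned by and writable for root only.
if [ ! -f /etc/mbse-firewall/firewall.conf ]; then
  echo "** /etc/mbse-firewall/firewall.conf not found, abort" >&2
  exit 1
fi
. /etc/mbse-firewall/firewall.conf

# Some defaults, they are replaced when configured in
# /etc/mbse-firewall/firewall.conf
: "${IF_EXT_AUTO_TO:=3600}"        # auto block timeout (ipset timeout, seconds)
: "${IF_EXT_AUTO_LIMIT:=5/hour}"   # hashlimit rate above which a source is auto blocked
: "${IF_EXT_AUTO_BURST:=10}"       # hashlimit burst for the same rule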
79 | # --------------------------------------------------------------------------- | |
80 | # | |
81 | # Functions | |
82 | # | |
83 | # --------------------------------------------------------------------------- | |
84 | ||
85 | ||
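# Reset iptables back to Slackware default.
# Flushes and deletes every chain of every loaded table, sets the policy of
# the built-in filter chains to $1 and removes all ipsets.
# Arguments: $1 - policy for INPUT/OUTPUT/FORWARD, ACCEPT or DROP
# Globals:   IPTABLES, IP6TABLES, IPSET, USE_IPV6, LOGGER (read)
# Returns:   1 without touching anything when $1 is not a valid policy
reset_iptables() {
  local policy=$1 table c chain rest

  # Validate first: flushing with a bad policy would leave every chain
  # empty with whatever policy it had before, usually wide open.
  case "$policy" in
    ACCEPT|DROP) ;;
    *)
      echo "reset_iptables: invalid policy '$policy'" | $LOGGER
      return 1
      ;;
  esac

  if [ -f /proc/net/ip_tables_names ]; then
    while read -r table; do
      # Flush every chain listed for this table, then delete the user chains.
      $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
        if [ "$c" = "Chain" ]; then
          $IPTABLES -t "$table" -F "$chain"
        fi
      done
      $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names

    $IPTABLES -P INPUT "$policy"
    $IPTABLES -P OUTPUT "$policy"
    $IPTABLES -P FORWARD "$policy"
    echo "Reset iptables default policy $policy" | $LOGGER
  fi

  if [ "$USE_IPV6" = "1" ] && [ -f /proc/net/ip6_tables_names ]; then
    while read -r table; do
      $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
        if [ "$c" = "Chain" ]; then
          $IP6TABLES -t "$table" -F "$chain"
        fi
      done
      $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
    $IP6TABLES -P OUTPUT "$policy"
    $IP6TABLES -P INPUT "$policy"
    $IP6TABLES -P FORWARD "$policy"
    echo "Reset ip6tables default policy $policy" | $LOGGER
  fi

  # Remove any ipset tables; ipset is optional and may not have been found.
  if [ -n "$IPSET" ]; then
    $IPSET flush
    $IPSET destroy
  fi
}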
124 | ||
125 | ||
126 | ||
# Is interface $1 the external IPv4 interface (IF_EXT)?
# Note the inverted convention: returns 1 when $1 IS external and 0
# otherwise; callers read $? as a flag (EXTERN4=$?).
is_external_if4() {
  if [[ "$1" == "$IF_EXT" ]]; then
    return 1
  fi
  return 0
}
132 | ||
133 | ||
134 | ||
# Is interface $1 the external IPv6 interface? That is IF_EXT6 when one is
# configured, otherwise IF_EXT. Always "no" when IPv6 is disabled.
# Inverted convention as in is_external_if4: returns 1 when $1 IS external.
is_external_if6() {
  local ifname=$1

  [[ "$USE_IPV6" == "1" ]] || return 0
  [[ "$ifname" == "$IF_EXT6" ]] && return 1
  if [[ -z "$IF_EXT6" && "$ifname" == "$IF_EXT" ]]; then
    return 1
  fi

  return 0
}
143 | ||
144 | ||
145 | ||
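# Reload the IPv4 blocklist into the live ipsets. The entries are loaded
# into temporary "new-" sets that are then swapped with the active ones, so
# the running firewall never sees a half filled set.
# File format: one IPv4 address or CIDR network per line (first field only),
# lines starting with '#' or ';' and blank lines are ignored.
# Arguments: $1 - optional path of the blocklist, default
#                 /etc/mbse-firewall/conf.d/blocklist4.conf
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST (written, left global as
#            before)
reload_blocklist4() {
  local entry

  BLOCKLIST=${1:-/etc/mbse-firewall/conf.d/blocklist4.conf}
  [ -f "$BLOCKLIST" ] || return 0

  echo "Reload $BLOCKLIST" | $LOGGER
  $IPSET create new-mbsefw-blk4ip hash:ip counters -exist
  $IPSET create new-mbsefw-blk4net hash:net counters -exist
  # read into a variable instead of 'set $L': a field starting with '-'
  # or containing a glob character must never reach the shell unquoted.
  $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
    # A '/' marks a network (hash:net), anything else is a single host.
    if [[ "$entry" == */* ]]; then
      $IPSET add new-mbsefw-blk4net "$entry" -exist
    else
      $IPSET add new-mbsefw-blk4ip "$entry" -exist
    fi
  done
  # Swap the freshly filled sets into place, then drop the old contents.
  $IPSET swap mbsefw-blk4net new-mbsefw-blk4net
  $IPSET flush new-mbsefw-blk4net
  $IPSET destroy new-mbsefw-blk4net
  $IPSET swap mbsefw-blk4ip new-mbsefw-blk4ip
  $IPSET flush new-mbsefw-blk4ip
  $IPSET destroy new-mbsefw-blk4ip
}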
169 | ||
170 | ||
171 | ||
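# Reload the IPv6 blocklist into the live ipset, via a temporary "new-" set
# that is swapped with the active one (see reload_blocklist4).
# File format: one IPv6 address or network per line (first field only),
# lines starting with '#' or ';' and blank lines are ignored.
# Arguments: $1 - optional path of the blocklist, default
#                 /etc/mbse-firewall/conf.d/blocklist6.conf
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST (written, left global as
#            before)
reload_blocklist6() {
  local entry

  BLOCKLIST=${1:-/etc/mbse-firewall/conf.d/blocklist6.conf}
  [ -f "$BLOCKLIST" ] || return 0

  echo "Reload $BLOCKLIST" | $LOGGER
  $IPSET create new-mbsefw-blk6 hash:net family inet6 counters -exist
  # read into a variable instead of 'set $L' so that an entry is never
  # interpreted as a shell option or glob.
  $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
    $IPSET add new-mbsefw-blk6 "$entry" -exist
  done
  $IPSET swap mbsefw-blk6 new-mbsefw-blk6
  $IPSET flush new-mbsefw-blk6
  $IPSET destroy new-mbsefw-blk6
}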
186 | ||
187 | ||
188 | ||
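# Create the netfilter accounting (nfacct) objects listed in nfacct.conf,
# one object name per line (first field only; '#', ';' and blank lines are
# ignored). Objects that already exist are left alone, presumably so their
# counters survive a restart.
# Arguments: $1 - optional path of the config file, default
#                 /etc/mbse-firewall/conf.d/nfacct.conf
# Globals:   NFACCT, GREP, LOGGER (read); NFACCTCONF (written, left global
#            as before)
fw_init_nfacct() {
  local name

  NFACCTCONF=${1:-/etc/mbse-firewall/conf.d/nfacct.conf}
  [ -f "$NFACCTCONF" ] || return 0

  echo "Init netfilter accounting" | $LOGGER
  $GREP -Ev '^#|^;|^\s*$' "$NFACCTCONF" | while read -r name _; do
    # -F -w: match the whole name, not a substring, so an existing
    # "foobar" does not hide a missing "foo".
    if ! $NFACCT list | $GREP -Fwq -- "$name"; then
      $NFACCT add "$name"
    fi
  done
}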
201 | |
202 | |
203 | |
# Kernel tunables that belong to the firewall.
# Globals: SYSCTL, FW_NO_BRIDGE_NF_CALL, IF_EXT_IS_BORDER_GW, IF_EXT (read)
fw_init_sysctl() {
  local family

  # If we have bridges and don't want iptables to work between the
  # physical interfaces, turn it off. -e: tolerate an absent key.
  if [[ "$FW_NO_BRIDGE_NF_CALL" == "1" ]]; then
    for family in arptables ip6tables iptables; do
      $SYSCTL -e -q -w "net.bridge.bridge-nf-call-${family}=0"
    done
  fi

  # No arp about internal interfaces across the border.
  # NOTE(review): an IF_EXT containing a dot (VLAN sub-interface) makes this
  # key ambiguous for sysctl -- confirm on such a setup.
  if [[ "$IF_EXT_IS_BORDER_GW" == "1" ]]; then
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_ignore=1"
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_announce=1"
  fi
}
219 | ||
220 | ||
221 | ||
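# Install the interface independent part of the rule set: static blocklists,
# nfacct objects, connection tracking state rules, loopback, anti spoofing,
# the ssh management access, ICMP, MSS clamping, IPv6 header filtering and
# traceroute. Rules are appended in this order; the per interface chains
# (fw_start_main) and the final deny rule (fw_start_final) come after them.
# Globals: IPTABLES, IP6TABLES, IPSET, GREP, LOGGER, USE_IPV6, IF_EXT,
#          IF_EXT6, FW_FORWARD, IPV4_BACKDOOR_SSH, IPV6_BACKDOOR_SSH,
#          IF_EXT_IS_BORDER_GW, CLAMP_MSS_TO_PMTU, FW_TRACEROUTE (read);
#          BLOCKLIST, IF6 (written)
# Outputs: progress dots on stdout, messages via $LOGGER
fw_start_init() {
  local entry f

  echo "Init new firewall" | $LOGGER

  # Static IPv4 blocklist: new connections arriving on the external
  # interface from a listed source are dropped.
  BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf"
  if [ -f "$BLOCKLIST" ] && [ -n "$IF_EXT" ]; then
    echo " Install $BLOCKLIST" | $LOGGER
    $IPSET create mbsefw-blk4ip hash:ip counters -exist
    $IPSET create mbsefw-blk4net hash:net counters -exist
    $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP
    $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP
    if [ "$FW_FORWARD" = "1" ]; then
      $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP
      $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP
    fi
    # One address or network per line, first field only; '/' marks a
    # network. Read into a variable rather than 'set $L' so an entry is
    # never interpreted as a shell option or glob.
    $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
      if [[ "$entry" == */* ]]; then
        $IPSET add mbsefw-blk4net "$entry" -exist
      else
        $IPSET add mbsefw-blk4ip "$entry" -exist
      fi
    done
    echo -n "."
  fi

  # Static IPv6 blocklist, on the dedicated IPv6 external interface when
  # there is one, else on IF_EXT. IP6TABLES is only looked up when USE_IPV6
  # is 1, so the whole block must be skipped otherwise.
  BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf"
  IF6=${IF_EXT6:-$IF_EXT}
  if [ "$USE_IPV6" = "1" ] && [ -n "$IF6" ] && [ -f "$BLOCKLIST" ]; then
    echo " Install $BLOCKLIST" | $LOGGER
    $IPSET create mbsefw-blk6 hash:net family inet6 counters -exist
    $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP
    if [ "$FW_FORWARD" = "1" ]; then
      $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP
    fi
    $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
      $IPSET add mbsefw-blk6 "$entry" -exist
    done
    echo -n "."
  fi

  fw_init_nfacct
  echo -n "."

  # accept established and related connections
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  if [ "$USE_IPV6" == "1" ]; then
    $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  fi

  # drop packets that do not match any valid state. This also blocks invalid
  # flag combinations that are used by portscans.
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  if [ "$USE_IPV6" == "1" ]; then
    $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
    $IP6TABLES -A INPUT -m state --state INVALID -j DROP
    [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
  fi

  # Allow everything on the loopback interface
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  if [ "$USE_IPV6" == "1" ]; then
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
  fi

  # Anti spoofing on the external interface. Methods since the 3.3 kernel!
  if [ -n "$IF_EXT" ]; then
    # Strict reverse path filtering on every interface (glob, not ls).
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      [ -e "$f" ] || continue
      echo 1 > "$f"
    done
    $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
    if [ "$USE_IPV6" == "1" ]; then
      if [ -n "$IF_EXT6" ]; then
        $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP
      else
        $IP6TABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
      fi
    fi
    # Manual anti spoofing on the interfaces is configured using the
    # interfaces configuration and only if the system is a router.
  fi

  # ssh management access ("backdoor"): tcp/22 from one configured address
  # is accepted here, ahead of the per interface chains, so a mistake in
  # those files cannot lock the administrator out. Keep it to a single
  # trusted address; it is not rate limited.
  # IPv4 ssh backdoor
  if [ -n "$IPV4_BACKDOOR_SSH" ]; then
    $IPTABLES -A INPUT -p tcp -m tcp -s $IPV4_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -m tcp -d $IPV4_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
  fi
  # IPv6 ssh backdoor
  if [ "$USE_IPV6" == "1" ] && [ -n "$IPV6_BACKDOOR_SSH" ]; then
    $IP6TABLES -A INPUT -p tcp -m tcp -s $IPV6_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IP6TABLES -A OUTPUT -p tcp -m tcp -d $IPV6_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
  fi

  # Useful ICMPv4, rate limited per source; everything else is logged
  # (limited) and dropped.
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT "
  $IPTABLES -A INPUT -p icmp -j DROP
  $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
  $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT "
  $IPTABLES -A OUTPUT -p icmp -j DROP
  if [ "$FW_FORWARD" = "1" ]; then
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
    $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD "
    $IPTABLES -A FORWARD -p icmp -j DROP
  fi

  # If this system has enabled IPv6 ...
  if [ "$USE_IPV6" == "1" ]; then
    # ICMPv6 error messages, required for a working IPv6 stack (PMTU!)
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
    if [ "$FW_FORWARD" = "1" ]; then
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT
    fi

    # Rate limited icmpv6
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
    if [ "$FW_FORWARD" = "1" ]; then
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT
      $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
    fi

    # rules to permit IPv6 Neighbor discovery; the hop limit must be 255,
    # which proves the packet came from the local link.
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT

    # MLD messages. DROP on external interface, but ACCEPT on others.
    if [ -n "$IF_EXT6" ] && [ "$IF_EXT_IS_BORDER_GW" = "1" ]; then
      $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP
    elif [ -n "$IF_EXT" ] && [ "$IF_EXT_IS_BORDER_GW" = "1" ]; then
      $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP
    fi
    $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT

    # Drop unmatched icmpv6 but log them so we can debug
    $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT "
    $IP6TABLES -A INPUT -p ipv6-icmp -j DROP
    $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT "
    $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP
    if [ "$FW_FORWARD" = "1" ]; then
      $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD "
      $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP
    fi
  fi

  if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then
    # ================ Table 'mangle', automatic rules
    [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    if [ "$USE_IPV6" == "1" ]; then
      [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    fi
  fi

  if [ "$USE_IPV6" == "1" ]; then
    # Filter all packets that have RH0 header
    $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP
    $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
    [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP

    # Allow Link-Local addresses
    $IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
    $IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

    # Allow Multicast
    $IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
    $IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT
  fi

  # Traceroute
  if [ "$FW_TRACEROUTE" = "1" ]; then
    $IPTABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
    [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
    if [ "$USE_IPV6" == "1" ]; then
      $IP6TABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
      $IP6TABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
      [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT
    fi
  fi

  echo -n "."
}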
448 | ||
449 | ||
450 | ||
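# Install the rules of one chain on one interface from the per interface
# configuration file /etc/mbse-firewall/conf.d/<interface>-<chain>.conf.
# Each non-comment line holds ';' separated fields:
#   1 ip version ("6" selects ip6tables, anything else iptables)
#   2 table (optional, -t)          3 protocol (optional, -p/-m)
#   4 source address (optional)     5 source port(s) (optional)
#   6 destination address (opt.)    7 destination port(s) (optional)
#   8 target (-j, may carry target options, space separated)
#   9 extra match options (space separated)
# A ',' or ':' in a port field selects the multiport match.
# After the configured rules the chain gets a stale ACK,PSH drop, the auto
# blacklisting rules (INPUT/FORWARD on the external interface only) and a
# logged drop of everything else; PREROUTING/POSTROUTING get only the
# configured rules. Without a configuration file the chain is left alone.
# Arguments: $1 interface, $2 chain name as used in the file name,
#            $3 iptables chain name, $4 short chain name (unused here,
#            presumably reserved for the sub chain TODO below)
# Globals:   IPTABLES, IP6TABLES, IPSET, GREP, LOGGER, USE_IPV6,
#            IF_EXT_AUTO_BLOCK, IF_EXT_AUTO_TO, IF_EXT_AUTO_LIMIT,
#            IF_EXT_AUTO_BURST (read); INTF, FCHAIN, NCHAIN, SCHAIN,
#            CONFFILE, EXTERN4, EXTERN6, CMD, args, rc, L (written, as before)
fw_start_interface_chain()
{
  local multi iodir arg IFS=\;

  INTF=$1
  FCHAIN=$2
  NCHAIN=$3
  SCHAIN=$4
  CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf"
  # is_external_if[46] return 1 when the interface IS external, so
  # EXTERN4/EXTERN6 hold "1" for the external interface.
  is_external_if4 "$1"
  EXTERN4=$?
  is_external_if6 "$1"
  EXTERN6=$?

  # TODO: use subchains, but we need to do 2 passes on the config
  # files to make it work.

  # Are there rules for this chain?
  [ -f "$CONFFILE" ] || return 0

  echo " Start chain ${NCHAIN} on interface ${INTF} is external ipv4: ${EXTERN4} ipv6: ${EXTERN6}" | $LOGGER

  # Install auto blacklisting if set for this interface and this is the
  # INPUT or FORWARD chain. In /etc/mbse-firewall/firewall.conf set then
  # IF_EXT_AUTO_TO value for the block timeout. Default is 3600 seconds.
  # See the end of this function for the actual test.
  if [ "$NCHAIN" = "INPUT" ] || [ "$NCHAIN" = "FORWARD" ]; then
    if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then
      if [ "$EXTERN4" = "1" ]; then
        echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER
        $IPSET create mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist
        # -I: inserted at the head of the chain, ahead of every rule
        # installed so far, so a blacklisted source is dropped first.
        $IPTABLES -I $NCHAIN -m set --match-set mbsefw-auto4 src -j DROP
      fi
      if [ "$EXTERN6" = "1" ]; then
        echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER
        $IPSET create mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist
        $IP6TABLES -I $NCHAIN -m set --match-set mbsefw-auto6 src -j DROP
      fi
    fi
  fi

  # Adjust for the direction of the chain
  if [ "$NCHAIN" = "OUTPUT" ] || [ "$NCHAIN" = "POSTROUTING" ]; then
    iodir="-o"
  else
    iodir="-i"
  fi

  # Read the configuration. IFS is ';' so 'set --' puts the fields of a
  # line in $1..$9; '--' keeps a field starting with '-' from being taken
  # as a shell option. The rule is built as an array and never eval'ed.
  $GREP -Ev '^#|^\s*$' "$CONFFILE" | while read -r L ; do
    set -- $L
    # Build command
    if [ "$1" = "6" ]; then
      if [ "$USE_IPV6" != "1" ]; then
        # IP6TABLES is not set when IPv6 is off; the rule could only fail.
        echo " Skip IPv6 rule in $CONFFILE, IPv6 is disabled: $L" | $LOGGER
        continue
      fi
      CMD=$IP6TABLES
    else
      CMD=$IPTABLES
    fi

    if [ -n "$2" ]; then
      args=("-t" "$2" "-A" "$NCHAIN" "$iodir" "${INTF}")
    else
      args=("-A" "$NCHAIN" "$iodir" "${INTF}")
    fi

    # Protocol
    [ -n "$3" ] && args+=("-p" "$3" "-m" "$3")

    # Test for multiport: a list (',') or range (':') in either port field
    multi=0
    [ -n "$5$7" ] && {
      [[ $5$7 == *","* ]] && multi=1
      [[ $5$7 == *":"* ]] && multi=1
    }
    [ "$multi" = "1" ] && args+=("-m" "multiport")

    # Source address
    [ -n "$4" ] && args+=("-s" "$4")

    # Source port(s)
    [ -n "$5" ] && {
      multi=0
      [[ $5 == *","* ]] && multi=1
      [[ $5 == *":"* ]] && multi=1
      if [ "$multi" = "1" ]; then
        args+=("--sports" "$5")
      else
        args+=("--sport" "$5")
      fi
    }

    # Destination address
    [ -n "$6" ] && args+=("-d" "$6")

    # Destination port(s)
    [ -n "$7" ] && {
      multi=0
      [[ $7 == *","* ]] && multi=1
      [[ $7 == *":"* ]] && multi=1
      if [ "$multi" = "1" ]; then
        args+=("--dports" "$7")
      else
        args+=("--dport" "$7")
      fi
    }

    # Rule options: space separated, so split on ' ' for this field only
    [ -n "$9" ] && {
      IFS=' '
      for arg in $9; do
        args+=("$arg")
      done
      IFS=\;
    }

    # Rule action, same splitting
    [ -n "$8" ] && {
      IFS=' '
      args+=("-j")
      for arg in $8; do
        args+=("$arg")
      done
      IFS=\;
    }

    $CMD "${args[@]}"
    rc=$?
    echo " " $CMD "${args[@]}" | $LOGGER
    if [ $rc -ne 0 ]; then
      echo "Error in $CONFFILE" | $LOGGER
    fi
  done

  # In PREROUTING or POSTROUTING chains we are done here.
  if [ "$NCHAIN" = "PREROUTING" ] || [ "$NCHAIN" = "POSTROUTING" ]; then
    return
  fi

  # Ignore timing problems with old connections
  $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tc-flags ACK,PSH ACK,PSH -j DROP
  [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP

  # Install the final autoblock rule if this is the INPUT or FORWARD chain.
  # A source sending more than IF_EXT_AUTO_LIMIT new packets (default 5/hour,
  # burst IF_EXT_AUTO_BURST, default 10) is added to the auto set and from
  # then on dropped by the rule inserted at the top of the chain, for
  # IF_EXT_AUTO_TO seconds. Until then these systems are logged by the deny
  # rule below this one.
  if [ "$IF_EXT_AUTO_BLOCK" = "1" ] && [ "$NCHAIN" != "OUTPUT" ]; then
    if [ "${EXTERN4}" = "1" ]; then
      # First, ignore these. Can happen after a temporary network problem.
      $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP
      # Now the real rule.
      $IPTABLES -A $NCHAIN $iodir ${INTF} \
        -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \
        -j SET --add-set mbsefw-auto4 src
    fi
    if [ "${EXTERN6}" = "1" ]; then
      # First, ignore these. Can happen after a temporary network problem.
      $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP
      # Now the real rule.
      $IP6TABLES -A $NCHAIN $iodir ${INTF} \
        -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \
        -j SET --add-set mbsefw-auto6 src
    fi
  fi
  # deny and log the rest
  $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
  [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
  $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP
  [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP
  echo -n "."
}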
621 | ||
622 | ||
623 | ||
# Install the prerouting, input, output, forward and postrouting chains
# for interface $1 (see fw_start_interface_chain for the arguments).
fw_start_interface()
{
  local ifname=$1

  fw_start_interface_chain "$ifname" "prerouting" "PREROUTING" "pre"
  fw_start_interface_chain "$ifname" "input" "INPUT" "in"
  fw_start_interface_chain "$ifname" "output" "OUTPUT" "out"
  fw_start_interface_chain "$ifname" "forward" "FORWARD" "fwd"
  fw_start_interface_chain "$ifname" "postrouting" "POSTROUTING" "post"
}
632 | ||
633 | ||
634 | ||
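fw_start_main() {
  # Start the per-interface rule chains: the external IPv4 and IPv6
  # interfaces first, then every configured trunk interface.
  # Globals read: IF_EXT, IF_EXT6, IF_TRUNK (array; the first empty slot
  #               ends the list)
  local i
  [ -n "$IF_EXT" ] && fw_start_interface "$IF_EXT"
  [ -n "$IF_EXT6" ] && fw_start_interface "$IF_EXT6"
  # At most 50 trunk interfaces are looked at; stop at the first unset slot.
  for ((i = 0; i < 50; i++)); do
    [ -n "${IF_TRUNK[$i]}" ] || break
    fw_start_interface "${IF_TRUNK[$i]}"
  done
}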
648 | ||
649 | ||
650 | ||
fw_start_final() {
  # Append the catch-all chain FINAL_RULE: whatever reaches the end of
  # OUTPUT, INPUT (and FORWARD when FW_FORWARD is "1") is logged with a
  # 10/minute limit under prefix "DENY=999 " and then dropped. IPv4 is
  # always done; IPv6 only when USE_IPV6 is "1".
  # Globals read: IPTABLES, IP6TABLES, FW_FORWARD, USE_IPV6, LOGGER
  local tool
  local -a tools=("$IPTABLES")
  [ "$USE_IPV6" = "1" ] && tools+=("$IP6TABLES")
  for tool in "${tools[@]}"; do
    # $tool is expanded unquoted on purpose, like $IPTABLES elsewhere in
    # this file, so a value that carries options keeps working.
    $tool -N FINAL_RULE
    $tool -A OUTPUT -j FINAL_RULE
    $tool -A INPUT -j FINAL_RULE
    [ "$FW_FORWARD" = "1" ] && $tool -A FORWARD -j FINAL_RULE
    $tool -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
    $tool -A FINAL_RULE -j DROP
  done
  echo "Firewall installed" | $LOGGER
}
669 | ||
670 | ||
671 | ||
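fw_install() {
  # Build a fresh firewall from the configuration: reset the tables with
  # policy DROP, apply the sysctl settings, then the init, per-interface
  # and final rule sets.
  # Globals read: MBSEFW_VERSION
  # Outputs: progress line on stdout
  echo -n "Installing $(basename "$0") $MBSEFW_VERSION: "
  # Reset to DROP first (presumably the default policy set by reset_iptables),
  # so the host stays closed while the rules are being built.
  reset_iptables DROP
  echo -n "."
  fw_init_sysctl
  echo -n "."
  fw_start_init
  fw_start_main
  fw_start_final
  echo " done."
}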
683 | ||
684 | ||
685 | ||
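fw_start() {
  # Bring the firewall up. When a complete saved state exists (ipset, IPv4
  # and IPv6 dumps under /etc/mbse-firewall/data) it is restored; otherwise
  # a new firewall is installed from the configuration and saved.
  # Globals read: MBSEFW_VERSION, LOGGER, IPSET, IPTABLES_RESTORE,
  #               IP6TABLES_RESTORE
  # Returns: 0 on success, 1 when one of the restores failed
  local -r datadir=/etc/mbse-firewall/data
  local prog rc=0
  prog=$(basename "$0")
  if [ -f "$datadir/firewall-ipv4.data" ] && \
     [ -f "$datadir/firewall-ipv6.data" ] && \
     [ -f "$datadir/firewall-ipset.data" ]; then
    # Do a full restore of all saved data
    echo -n "Starting $prog $MBSEFW_VERSION: "
    echo "Start new firewall" | $LOGGER
    fw_init_nfacct
    # The tables are reset with policy DROP before the restore, so a restore
    # that fails below leaves the host closed rather than open.
    reset_iptables DROP
    echo -n "."
    fw_init_sysctl
    # Sets first: the rule dumps reference them (see fw_start_interface_chain).
    if [ -n "$IPSET" ]; then
      _fw_restore_file "$datadir/firewall-ipset.data" $IPSET restore || rc=1
    fi
    echo -n "."
    _fw_restore_file "$datadir/firewall-ipv4.data" $IPTABLES_RESTORE || rc=1
    echo -n "."
    _fw_restore_file "$datadir/firewall-ipv6.data" $IP6TABLES_RESTORE || rc=1
    if [ "$rc" -eq 0 ]; then
      echo " done."
      echo -n "New firewall active" | $LOGGER
    else
      # Do not claim success: the rule set is incomplete and the policy is DROP.
      echo " FAILED."
      echo "Firewall restore FAILED, default policy is DROP" | $LOGGER
    fi
  else
    # If there is no saved firewall, install a new one and save it.
    fw_install
    fw_save
  fi
  return "$rc"
}

# Feed one saved file into its restore command and log the outcome.
# Arguments: $1 - file to restore; $2... - restore command and its arguments
#            (an empty command only opens the file, as the original did)
# Globals read: LOGGER
# Returns: the restore command's exit status
_fw_restore_file() {
  local file=$1 rc
  shift
  "$@" < "$file"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo " Restored $file" | $LOGGER
  else
    echo " Restore of $file FAILED (exit $rc)" | $LOGGER
  fi
  return "$rc"
}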
713 | ||
714 | ||
715 | ||
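fw_stop() {
  # Take the firewall down: reset all tables to policy ACCEPT.
  # Globals read: MBSEFW_VERSION
  # Outputs: progress line on stdout
  echo -n "Stopping $(basename "$0") $MBSEFW_VERSION: "
  # Slackware defaults to ACCEPT when no firewall is active.
  reset_iptables ACCEPT
  echo "done."
}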
722 | ||
723 | ||
724 | ||
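# If there are blocklist tables, reload them.
fw_reload() {
  # Reload the IPv4 and IPv6 blocklists without touching the other rules.
  # Globals read: MBSEFW_VERSION
  # Outputs: progress line on stdout
  echo -n "Reload $(basename "$0") $MBSEFW_VERSION: "
  reload_blocklist4
  reload_blocklist6
  echo done.
}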
732 | ||
733 | ||
734 | ||
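fw_save() {
  # Persist the running firewall so the next "start" can restore it instead
  # of rebuilding: the IPv4 and IPv6 rule dumps plus the ipset definitions.
  # For the automatic blocklists (mbsefw-auto4/6) only the set structure is
  # saved (-t), not their addresses.
  # Every dump is written to a temporary file and renamed into place only
  # when it succeeded, so a failed dump never leaves a truncated file that
  # fw_start would restore. The temporary files are created by mktemp
  # (mode 0600); the dumps are only read back by root at start.
  # Globals read: MBSEFW_VERSION, LOGGER, IPTABLES_SAVE, IP6TABLES_SAVE, IPSET
  # Returns: 0 when every dump was written, 1 otherwise
  local -r datadir=/etc/mbse-firewall/data
  local set sets tmp rc=0 setrc=0
  echo -n "Saving $(basename "$0") $MBSEFW_VERSION: "
  echo "Saving firewall" | $LOGGER
  mkdir -p "$datadir"
  if [ -n "$IPTABLES_SAVE" ]; then
    _fw_save_dump "$datadir/firewall-ipv4.data" $IPTABLES_SAVE || rc=1
  fi
  echo -n "."
  if [ -n "$IP6TABLES_SAVE" ]; then
    _fw_save_dump "$datadir/firewall-ipv6.data" $IP6TABLES_SAVE || rc=1
  fi
  echo -n "."

  tmp=$(mktemp "$datadir/firewall-ipset.data.XXXXXX") || return 1
  sets=""
  # Without ipset an empty file is still written, as before.
  [ -n "$IPSET" ] && sets=$($IPSET list -n)
  for set in $sets; do
    if [ "$set" = "mbsefw-auto4" ] || [ "$set" = "mbsefw-auto6" ]; then
      # Only save structure for auto blocklists
      $IPSET save "$set" -t >> "$tmp" || setrc=1
    else
      $IPSET save "$set" >> "$tmp" || setrc=1
    fi
    echo -n "."
  done
  if [ "$setrc" -eq 0 ]; then
    mv -f -- "$tmp" "$datadir/firewall-ipset.data" || rc=1
  else
    # Keep the previous complete dump rather than an incomplete one.
    rm -f -- "$tmp"
    echo "Saving $datadir/firewall-ipset.data FAILED" | $LOGGER
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo " done."
    echo "Save firewall done in $datadir" | $LOGGER
  else
    echo " FAILED."
    echo "Save firewall FAILED, previous data in $datadir kept" | $LOGGER
  fi
  return "$rc"
}

# Run a dump command into a temporary file next to the target and rename it
# over the target only when the command succeeded.
# Arguments: $1 - target file; $2... - dump command and its arguments
# Globals read: LOGGER
# Returns: the dump command's exit status (1 when mktemp or mv failed)
_fw_save_dump() {
  local target=$1 tmp rc
  shift
  tmp=$(mktemp "${target}.XXXXXX") || return 1
  "$@" > "$tmp"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    mv -f -- "$tmp" "$target" || rc=1
  else
    rm -f -- "$tmp"
    echo "Saving $target FAILED (exit $rc)" | $LOGGER
  fi
  return "$rc"
}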
759 | ||
760 | ||
761 | ||
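fw_status() {
  # Report the firewall state: which ip* kernel modules are loaded, a dump of
  # every table (filter, nat, raw, mangle, security) whose module is present,
  # for IPv4 and IPv6, and finally the ipset listing.
  # Globals read: LSMOD, AWK, GREP, IPTABLES, IP6TABLES, IPSET, MBSEFW_VERSION
  # Globals written: IP_MODULES (module names, one per line)
  # Outputs: the report on stdout
  local table
  echo -n "$(basename "$0") $MBSEFW_VERSION"

  # First lsmod column is the module name; keep the ones starting with "ip"
  # (ip_tables, iptable_*, ip6table_*, ...).
  # NOTE(review): with an nft-backed iptables the table modules are nf_tables
  # based and may not match here — confirm on the target system.
  IP_MODULES=$($LSMOD | $AWK '{print $1}' | $GREP '^ip')
  if [ -z "$IP_MODULES" ]; then
    echo " - You do not have any iptables loaded."
    return
  fi
  echo " - You have the following ip modules loaded:"
  echo -n " "
  # Unquoted on purpose: joins the module names on one line.
  # shellcheck disable=SC2086
  echo ${IP_MODULES}

  for table in filter nat raw mangle security; do
    _fw_status_table 4 "$table"
    _fw_status_table 6 "$table"
  done

  if [ -n "$IPSET" ] && [ -n "$($IPSET list)" ]; then
    echo
    echo ' IPSET listing'
    echo
    $IPSET list
  fi
}

# Dump one table, verbose with line numbers, if its kernel module is loaded.
# Arguments: $1 - IP family, "4" or "6"; $2 - table name (filter, nat, ...)
# Globals read: IP_MODULES (set by fw_status), IPTABLES, IP6TABLES
# Outputs: a titled table listing on stdout, nothing when the module is absent
_fw_status_table() {
  local family=$1 table=$2
  local module tool label title
  if [ "$family" = "6" ]; then
    module="ip6table_${table}"
    tool=$IP6TABLES
    label="IPv6"
  else
    module="iptable_${table}"
    tool=$IPTABLES
    label="IPv4"
  fi
  # Whole-word match against the newline separated module list.
  case " ${IP_MODULES//$'\n'/ } " in
    *" ${module} "*) ;;
    *) return 0 ;;
  esac
  title=$(printf '%s' "$table" | tr '[:lower:]' '[:upper:]')
  echo
  echo " ${title} TABLE ${label}"
  echo
  # $tool unquoted on purpose, like $IPTABLES elsewhere in this file.
  $tool -t "$table" -L -v -n --line-numbers
}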
853 | ||
854 | ||
855 | ||
856 | # --------------------------------------------------------------------------- | |
857 | # | |
858 | # MAIN program part | |
859 | # | |
860 | # --------------------------------------------------------------------------- | |
861 | ||
862 | ||
863 | # See how we were called | |
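# See how we were called
cmd=$1

case "$cmd" in
  start)
    fw_start
    ;;

  stop)
    fw_stop
    ;;

  restart)
    fw_stop
    fw_start
    ;;

  save)
    fw_save
    ;;
  install)
    fw_install
    ;;
  reload)
    fw_reload
    ;;
  status)
    fw_status
    ;;

  *)
    # Unknown or missing command: print the usage on stderr and exit
    # non-zero, so an rc/init caller can tell this apart from a successful run.
    {
      echo "Usage $0 [start|stop|restart|save|install|reload|status]"
      echo
      echo "start start a saved firewall"
      echo "stop stop firewall and set default ACCEPT state"
      echo "restart stop and start the firewall"
      echo "save save current installed firewall rules"
      echo "install install new firewall from configuration"
      echo "reload reload the blocklists"
      echo "status show the firewall rules and counters"
    } >&2
    exit 2
    ;;
esac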
905 | ||
906 |