Sun, 19 Apr 2015 11:13:22 +0200
Hosts blocked by the ipset global tables are now stateless blocked. Version 0.0.19.
0 | 1 | #!/bin/bash |
2 | ||
3 | # --------------------------------------------------------------------------- | |
4 | # Copyright (C) 2013-2015 by Michiel Broek. |
0 | 5 | # Homepage http://www.mbse.eu |
6 | # Email mbse At mbse dOt eu | |
7 | # | |
8 | # This file is part of mbse-firewall. | |
9 | # | |
10 | # This program is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
15 | # This program is distributed in the hope that it will be useful, but | |
16 | # WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with this program; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | # --------------------------------------------------------------------------- | |
24 | ||
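MBSEFW_VERSION="0.0.19"

# Sanity checks
if [ "$(id -u)" != "0" ]; then
  echo "** You must be root to run this program"
  exit 1
fi

# If possible, log events in /var/log/messages:
if [ -f /var/run/syslogd.pid ] && [ -x /usr/bin/logger ]; then
  LOGGER=/usr/bin/logger
else # output to stdout/stderr:
  LOGGER=/bin/cat
fi


# IPv6 enabled?
USE_IPV6="0"
if [ -f /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" = "0" ]; then
  USE_IPV6="1"
fi

# Find programs.  A missing tool leaves its variable empty, which is checked
# below: otherwise a later "$IPTABLES ..." expands to a bogus command, the
# rules it should have installed are skipped with only a "command not found"
# on stderr, and the host is left with a half-built ruleset.
IPTABLES=$(command -v iptables)
IPTABLES_SAVE=$(command -v iptables-save)
IPTABLES_RESTORE=$(command -v iptables-restore)
LSMOD=$(command -v lsmod)
AWK=$(command -v awk)
GREP=$(command -v grep)
IPSET=$(command -v ipset)
SYSCTL=$(command -v sysctl)
NFACCT=$(command -v nfacct)

# iptables, ipset and grep are used unconditionally by the functions below;
# the other tools only when the matching feature is configured.
if [ -z "$IPTABLES" ] || [ -z "$IPSET" ] || [ -z "$GREP" ]; then
  echo "** iptables, ipset and grep are required but not all were found in PATH, abort"
  exit 1
fi

if [ "$USE_IPV6" = "1" ]; then
  IP6TABLES=$(command -v ip6tables)
  IP6TABLES_SAVE=$(command -v ip6tables-save)
  IP6TABLES_RESTORE=$(command -v ip6tables-restore)
  if [ -z "$IP6TABLES" ]; then
    # The kernel has IPv6 enabled, so every ip6tables call below would fail
    # and IPv6 traffic would get none of the configured rules; refuse to run
    # half a firewall.
    echo "** IPv6 is enabled but ip6tables was not found in PATH, abort"
    exit 1
  fi
fi


# Load configuration.  The file is sourced, i.e. executed as root, so it has
# to be owned by root and must not be writable by anyone else.
if [ ! -f /etc/mbse-firewall/firewall.conf ]; then
  echo "** /etc/mbse-firewall/firewall.conf not found, abort"
  exit 1
fi
. /etc/mbse-firewall/firewall.conf

# Some defaults, they are replaced when configured in
# /etc/mbse-firewall/firewall.conf

IF_EXT_AUTO_TO=${IF_EXT_AUTO_TO:=3600}
IF_EXT_AUTO_LIMIT=${IF_EXT_AUTO_LIMIT:=5/hour}
IF_EXT_AUTO_BURST=${IF_EXT_AUTO_BURST:=10}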
78 | ||
79 | # --------------------------------------------------------------------------- | |
80 | # | |
81 | # Functions | |
82 | # | |
83 | # --------------------------------------------------------------------------- | |
84 | ||
85 | ||
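#######################################
# Reset iptables back to Slackware default.
#
# Flushes every chain in every loaded table (IPv4, and IPv6 when USE_IPV6 is
# "1"), deletes the user-defined chains, installs the given policy on the
# filter table's INPUT/OUTPUT/FORWARD chains and finally destroys this host's
# ipset tables.
# Globals:   IPTABLES, IP6TABLES, USE_IPV6, IPSET, LOGGER (read); HOST (set)
# Arguments: $1 - default policy for the filter chains, e.g. ACCEPT or DROP
# Outputs:   progress messages through $LOGGER
#######################################
reset_iptables() {
  local policy=$1
  local table myset

  if [ -f /proc/net/ip_tables_names ]; then
    # "-F" and "-X" without a chain name act on every chain of the table,
    # so the "iptables -L" output does not have to be parsed.
    while read -r table; do
      $IPTABLES -t "$table" -F
      $IPTABLES -t "$table" -X
    done < /proc/net/ip_tables_names

    $IPTABLES -P INPUT "$policy"
    $IPTABLES -P OUTPUT "$policy"
    $IPTABLES -P FORWARD "$policy"
    echo "Reset iptables default policy $policy" | $LOGGER
  fi

  if [ "$USE_IPV6" = "1" ] && [ -f /proc/net/ip6_tables_names ]; then
    while read -r table; do
      $IP6TABLES -t "$table" -F
      $IP6TABLES -t "$table" -X
    done < /proc/net/ip6_tables_names
    $IP6TABLES -P OUTPUT "$policy"
    $IP6TABLES -P INPUT "$policy"
    $IP6TABLES -P FORWARD "$policy"
    echo "Reset ip6tables default policy $policy" | $LOGGER
  fi

  # Remove this host's ipset tables.  Host and LXC containers share one ipset
  # namespace and every per-host set is named "<hostname>-...", so match on
  # that literal prefix only.  The old unanchored "grep $HOST" also matched
  # the sets of another host whose name merely contains this hostname, and
  # the shared global-blk* sets when the hostname was a substring of them.
  # All rules referencing the sets were flushed above, so destroy cannot
  # fail on a set that is still in use.
  HOST="$(hostname)"
  ${IPSET} list -n | while read -r myset; do
    case "$myset" in
      "${HOST}-"*)
        $IPSET flush "$myset"
        $IPSET destroy "$myset"
        echo "Destroyed IPSET table ${myset}" | $LOGGER
        ;;
    esac
  done
}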
129 | ||
130 | ||
131 | ||
#######################################
# Tell whether an interface is the IPv4 external interface.
# Globals:   IF_EXT (read)
# Arguments: $1 - interface name
# Returns:   1 when $1 equals IF_EXT, 0 otherwise (note the inverted sense)
#######################################
is_external_if4() {
  if [ "${IF_EXT}" = "$1" ]; then
    return 1
  fi
  return 0
}
137 | ||
138 | ||
139 | ||
#######################################
# Tell whether an interface is the IPv6 external interface.
# Without a dedicated IF_EXT6 the IPv4 external interface IF_EXT is the
# IPv6 one as well.  With IPv6 disabled no interface is external.
# Globals:   USE_IPV6, IF_EXT6, IF_EXT (read)
# Arguments: $1 - interface name
# Returns:   1 when $1 is the external IPv6 interface, 0 otherwise
#            (note the inverted sense)
#######################################
is_external_if6() {
  if [ "$USE_IPV6" = "1" ]; then
    if [ "${IF_EXT6}" = "$1" ]; then
      return 1
    fi
    if [ -z "${IF_EXT6}" ] && [ "${IF_EXT}" = "$1" ]; then
      return 1
    fi
  fi
  return 0
}
148 | ||
149 | ||
150 | ||
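#######################################
# Reload the IPv4 blocklist into the running firewall.
#
# Builds fresh "<hostname>-new-mbsefw-blk4ip" (single addresses) and
# "<hostname>-new-mbsefw-blk4net" (entries containing a "/") sets from
# /etc/mbse-firewall/conf.d/blocklist4.conf, swaps each with the live set in
# one ipset operation and destroys the staging sets.  Does nothing when the
# blocklist file is absent.
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST, HOST (set)
# Arguments: none
# Outputs:   progress messages through $LOGGER
#######################################
reload_blocklist4() {
  local entry

  BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf"
  HOST="$(hostname)"

  if [ -f "$BLOCKLIST" ]; then
    echo "Reload $BLOCKLIST" | $LOGGER
    $IPSET create "${HOST}-new-mbsefw-blk4ip" hash:ip counters -exist
    $IPSET create "${HOST}-new-mbsefw-blk4net" hash:net counters -exist
    # Comment and blank lines are skipped; the first field of a line is the
    # entry, the rest is ignored.  Reading the fields directly instead of
    # "set $L" keeps an entry starting with "-" from being parsed as shell
    # options, and "read -r" keeps backslashes literal.
    $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
      case "$entry" in
        */*) $IPSET add "${HOST}-new-mbsefw-blk4net" "$entry" -exist ;;
        *)   $IPSET add "${HOST}-new-mbsefw-blk4ip" "$entry" -exist ;;
      esac
    done
    # Swap the staging sets into place: the live sets keep their names, so
    # the iptables rules referencing them stay valid.  Then drop the staging
    # sets, which now hold the old contents.
    $IPSET swap "${HOST}-mbsefw-blk4net" "${HOST}-new-mbsefw-blk4net"
    $IPSET flush "${HOST}-new-mbsefw-blk4net"
    $IPSET destroy "${HOST}-new-mbsefw-blk4net"
    $IPSET swap "${HOST}-mbsefw-blk4ip" "${HOST}-new-mbsefw-blk4ip"
    $IPSET flush "${HOST}-new-mbsefw-blk4ip"
    $IPSET destroy "${HOST}-new-mbsefw-blk4ip"
  fi
}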
176 | ||
177 | ||
178 | ||
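#######################################
# Reload the IPv6 blocklist into the running firewall.
#
# Builds a fresh "<hostname>-new-mbsefw-blk6" set from
# /etc/mbse-firewall/conf.d/blocklist6.conf, swaps it with the live set in
# one ipset operation and destroys the staging set.  Does nothing when the
# blocklist file is absent.
# Globals:   IPSET, GREP, LOGGER (read); BLOCKLIST, HOST (set)
# Arguments: none
# Outputs:   progress messages through $LOGGER
#######################################
reload_blocklist6() {
  local entry

  BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf"
  HOST="$(hostname)"

  if [ -f "$BLOCKLIST" ]; then
    echo "Reload $BLOCKLIST" | $LOGGER
    $IPSET create "${HOST}-new-mbsefw-blk6" hash:net family inet6 counters -exist
    # Comment and blank lines are skipped; the first field of a line is the
    # entry, the rest is ignored.  Reading the fields directly instead of
    # "set $L" keeps an entry starting with "-" from being parsed as shell
    # options, and "read -r" keeps backslashes literal.
    $GREP -Ev '^#|^;|^\s*$' "$BLOCKLIST" | while read -r entry _; do
      $IPSET add "${HOST}-new-mbsefw-blk6" "$entry" -exist
    done
    # Swap the staging set into place (the live set keeps its name, so the
    # ip6tables rule referencing it stays valid), then drop the staging set.
    $IPSET swap "${HOST}-mbsefw-blk6" "${HOST}-new-mbsefw-blk6"
    $IPSET flush "${HOST}-new-mbsefw-blk6"
    $IPSET destroy "${HOST}-new-mbsefw-blk6"
  fi
}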
195 | ||
196 | ||
197 | ||
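#######################################
# Create the netfilter accounting (nfacct) objects listed in
# /etc/mbse-firewall/conf.d/nfacct.conf, one object name per line (comment
# and blank lines are skipped).  Objects that already exist are not added
# again.  Does nothing when the file is absent.
# Globals:   NFACCT, GREP, LOGGER (read); NFACCTCONF (set)
# Arguments: none
# Outputs:   progress message through $LOGGER
#######################################
fw_init_nfacct() {
  local name

  NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf"
  if [ -f "$NFACCTCONF" ]; then
    echo "Init netfilter accounting" | $LOGGER
    $GREP -Ev '^#|^;|^\s*$' "$NFACCTCONF" | while read -r name _; do
      # Exact lookup of the object.  The former unanchored grep over
      # "nfacct list" reported e.g. "web" as present whenever an object
      # named "website" existed, so "web" was never created.
      if ! $NFACCT get "$name" >/dev/null 2>&1; then
        $NFACCT add "$name"
      fi
    done
  fi
}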
210 | |
211 | |
212 | |
#######################################
# Apply the kernel settings the firewall depends on.
# Globals:   SYSCTL, FW_NO_BRIDGE_NF_CALL, IF_EXT_IS_BORDER_GW, IF_EXT (read)
# Arguments: none
#######################################
fw_init_sysctl() {
  local proto

  # Bridged traffic: when configured, keep netfilter off the bridge so the
  # physical ports pass traffic without iptables in between.
  if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then
    for proto in arptables ip6tables iptables; do
      $SYSCTL -e -q -w "net.bridge.bridge-nf-call-${proto}=0"
    done
  fi

  # Border gateway: do not answer or announce ARP for the internal
  # interfaces on the external one.
  if [ "$IF_EXT_IS_BORDER_GW" = "1" ]; then
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_ignore=1"
    $SYSCTL -q -w "net.ipv4.conf.${IF_EXT}.arp_announce=1"
  fi
}
228 | ||
229 | ||
230 | ||
231 | fw_start_init() { | |
232 | ||
233 | echo "Init new firewall" | $LOGGER | |
234 | ||
235 | BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" | |
236 | HOST="$(hostname)" |
237 | |
0 | 238 | if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
239 | echo " Install $BLOCKLIST" | $LOGGER | |
240 | $IPSET create ${HOST}-mbsefw-blk4ip hash:ip counters -exist |
241 | $IPSET create ${HOST}-mbsefw-blk4net hash:net counters -exist |
242 | $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
243 | $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
0 | 244 | if [ "$FW_FORWARD" = "1" ]; then |
245 | $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
246 | $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
0 | 247 | fi |
248 | $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | |
249 | set $L | |
250 | if echo $1 | $GREP -q "/" ; then | |
251 | $IPSET add ${HOST}-mbsefw-blk4net $1 -exist |
0 | 252 | else |
253 | $IPSET add ${HOST}-mbsefw-blk4ip $1 -exist |
0 | 254 | fi |
255 | done | |
256 | echo -n "." | |
257 | fi | |
258 | ||
259 | BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" | |
260 | if [ -f $BLOCKLIST ]; then | |
261 | echo " Install $BLOCKLIST" | $LOGGER | |
262 | $IPSET create ${HOST}-mbsefw-blk6 hash:net family inet6 counters -exist |
0 | 263 | if [ -n "$IF_EXT6" ]; then |
264 | IF6=$IF_EXT6 | |
265 | else | |
266 | IF6=$IF_EXT | |
267 | fi | |
268 | $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
0 | 269 | if [ "$FW_FORWARD" = "1" ]; then |
270 | $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
0 | 271 | fi |
272 | $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | |
273 | set $L | |
274 | $IPSET add ${HOST}-mbsefw-blk6 $1 -exist |
0 | 275 | done |
276 | echo -n "." | |
277 | fi | |
278 | ||
279 | # If we use the global blocktables. |
280 | if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then |
281 | $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
282 | if [ "$FW_FORWARD" = "1" ]; then |
283 | $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
284 | fi |
285 | if [ "$USE_IPV6" == "1" ]; then |
286 | if [ -n "$IF_EXT6" ]; then |
287 | IF6=$IF_EXT6 |
288 | else |
289 | IF6=$IF_EXT |
290 | fi |
291 | $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP |
292 | if [ "$FW_FORWARD" = "1" ]; then |
293 | $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP |
294 | fi |
295 | fi |
296 | echo -n "." |
297 | fi |
298 | |
299 | fw_init_nfacct |
300 | echo -n "." |
301 | |
0 | 302 | # accept established and related connections |
303 | $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
304 | $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
305 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
306 | if [ "$USE_IPV6" == "1" ]; then | |
307 | $IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
308 | $IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
309 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
310 | fi | |
311 | ||
312 | # drop packets that do not match any valid state. This also blocks invalid | |
313 | # flag combinations that are used by portscans. | |
314 | $IPTABLES -A OUTPUT -m state --state INVALID -j DROP | |
315 | $IPTABLES -A INPUT -m state --state INVALID -j DROP | |
316 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP | |
317 | if [ "$USE_IPV6" == "1" ]; then | |
318 | $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP | |
319 | $IP6TABLES -A INPUT -m state --state INVALID -j DROP | |
320 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state INVALID -j DROP | |
321 | fi | |
322 | ||
323 | # Allow everything on the loopback interface | |
324 | $IPTABLES -A INPUT -i lo -j ACCEPT | |
325 | $IPTABLES -A OUTPUT -o lo -j ACCEPT | |
326 | if [ "$USE_IPV6" == "1" ]; then | |
327 | $IP6TABLES -A INPUT -i lo -j ACCEPT | |
328 | $IP6TABLES -A OUTPUT -o lo -j ACCEPT | |
329 | fi | |
330 | ||
331 | # Anti spoofing on the external interface. Methods since the 3.3 kernel! | |
332 | if [ -n "$IF_EXT" ]; then | |
333 | for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do | |
334 | echo 1 > $f | |
335 | done | |
336 | $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP | |
337 | if [ "$USE_IPV6" == "1" ]; then | |
338 | if [ -n "$IF_EXT6" ]; then | |
339 | $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP | |
340 | else | |
341 | $IP6TABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP | |
342 | fi | |
343 | fi | |
344 | # Manual anti spoofing on the interfaces is configured using the | |
345 | # interfaces configuration and only if the system is a router. | |
346 | fi | |
347 | ||
348 | # IPv4 ssh backdoor | |
349 | if [ -n "$IPV4_BACKDOOR_SSH" ]; then | |
350 | $IPTABLES -A INPUT -p tcp -m tcp -s $IPV4_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
351 | $IPTABLES -A OUTPUT -p tcp -m tcp -d $IPV4_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
352 | fi | |
353 | # IPv6 ssh backdoor | |
354 | if [ "$USE_IPV6" == "1" ] && [ -n "$IPV6_BACKDOOR_SSH" ]; then | |
355 | $IP6TABLES -A INPUT -p tcp -m tcp -s $IPV6_BACKDOOR_SSH --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
356 | $IP6TABLES -A OUTPUT -p tcp -m tcp -d $IPV6_BACKDOOR_SSH --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
357 | fi | |
358 | ||
359 | # Usefull ICMPv4 | |
360 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
361 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
362 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
363 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
364 | $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
365 | $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT " | |
366 | $IPTABLES -A INPUT -p icmp -j DROP | |
367 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |
368 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT | |
369 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT | |
370 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT | |
371 | $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT | |
372 | $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT " | |
373 | $IPTABLES -A OUTPUT -p icmp -j DROP | |
374 | if [ "$FW_FORWARD" = "1" ]; then | |
375 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
376 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
377 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
378 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
379 | $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | |
380 | $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD " | |
381 | $IPTABLES -A FORWARD -p icmp -j DROP | |
382 | fi | |
383 | ||
384 | # If this system has enabled IPv6 ... | |
385 | if [ "$USE_IPV6" == "1" ]; then | |
386 | # ICMPv6 | |
387 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
388 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
389 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
390 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
391 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
392 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
393 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
394 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
395 | if [ "$FW_FORWARD" = "1" ]; then | |
396 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT | |
397 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT | |
398 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT | |
399 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT | |
400 | fi | |
401 | ||
402 | # Rate limited icmpv6 | |
403 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT | |
404 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | |
405 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT | |
406 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT | |
407 | if [ "$FW_FORWARD" = "1" ]; then | |
408 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT | |
409 | $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | |
410 | fi | |
411 | ||
412 | # rules to permit IPv6 Neighbor discovery | |
413 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | |
414 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
0 | 415 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
416 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | |
417 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
0 | 418 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
419 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | |
420 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | |
421 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | |
422 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | |
423 | # Allow inverse neighbour discovery solicitation (141) / advertisement (142) |
424 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT |
425 | $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT |
426 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT |
427 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT |
0 | 428 | |
429 | # MLD messages. DROP on external interface, but ACCEPT on others. | |
430 | if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
431 | $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP | |
432 | elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
433 | $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP | |
434 | fi | |
435 | $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT | |
436 | ||
437 | # Drop unmatched icmpv6 but log them so we can debug | |
438 | $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT " | |
439 | $IP6TABLES -A INPUT -p ipv6-icmp -j DROP | |
440 | $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT " | |
441 | $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP | |
442 | [ "$FW_FORWARD" = "1" ] && { | |
443 | $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD " | |
444 | $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP | |
445 | } | |
446 | fi | |
447 | ||
448 | if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then | |
449 | # ================ Table 'mangle', automatic rules | |
450 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
451 | if [ "$USE_IPV6" == "1" ]; then | |
452 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
453 | fi | |
454 | fi | |
455 | ||
456 | # Filter all packets that have RH0 header | |
457 | if [ "$USE_IPV6" == "1" ]; then | |
458 | # Filter all packets that have RH0 header | |
459 | $IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP | |
460 | $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP | |
461 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP | |
462 | ||
463 | # Allow Link-Local sddresses | |
464 | $IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT | |
465 | $IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT | |
466 | ||
467 | # Allow Multicast | |
468 | $IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT | |
469 | $IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT | |
470 | fi | |
471 | ||
472 | # Traceroute | |
473 | if [ "$FW_TRACEROUTE" = "1" ]; then | |
474 | $IPTABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
475 | $IPTABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
476 | [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
477 | if [ "$USE_IPV6" == "1" ]; then | |
478 | $IP6TABLES -A OUTPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
479 | $IP6TABLES -A INPUT -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
480 | [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -p udp -m udp --dport 33434:33524 -m state --state NEW -j ACCEPT | |
481 | fi | |
482 | fi | |
483 | ||
484 | echo -n "." | |
485 | } | |
486 | ||
487 | ||
488 | ||
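#######################################
# Install the rules of one netfilter chain for one interface.
#
# Reads /etc/mbse-firewall/conf.d/<interface>-<fchain>.conf and appends one
# rule per line that is neither a comment ('#') nor blank. Fields are
# separated by ';':
#   1  ip version: "6" selects $IP6TABLES, anything else $IPTABLES
#   2  table (-t), optional
#   3  protocol (-p <proto> -m <proto>), optional
#   4  source address (-s), optional
#   5  source port(s): --sport, or --sports with '-m multiport' when the
#      value contains ',' or ':', optional
#   6  destination address (-d), optional
#   7  destination port(s): --dport / --dports, same rule as field 5
#   8  action: target and its options, space separated (-j ...)
#   9  extra match options, space separated, placed before the action
#
# For the INPUT and FORWARD chains of an external interface, when
# IF_EXT_AUTO_BLOCK is "1", a per-host auto blacklist ipset is created and
# a DROP rule matching it is inserted at the head of the chain before the
# configured rules. After the configured rules (except for PREROUTING and
# POSTROUTING) a hashlimit rule adds sources exceeding IF_EXT_AUTO_LIMIT /
# IF_EXT_AUTO_BURST to that set, and everything left is logged (rate
# limited) and dropped.
#
# Globals written: INTF FCHAIN NCHAIN SCHAIN CONFFILE EXTERN4 EXTERN6 HOST
#                  (left global as in the original; other parts of the
#                  script may read them)
# Globals read:    IPTABLES IP6TABLES IPSET GREP LOGGER USE_IPV6
#                  IF_EXT_AUTO_BLOCK IF_EXT_AUTO_TO IF_EXT_AUTO_LIMIT
#                  IF_EXT_AUTO_BURST
# Arguments:
#   $1 interface name
#   $2 config file chain suffix, e.g. "input"
#   $3 netfilter chain name, e.g. "INPUT"
#   $4 short chain name (currently unused)
# Outputs:  one "." on stdout when rules were installed, messages via $LOGGER
# Returns:  0; a failing iptables call is logged ("Error in <conffile>"),
#           not propagated
#######################################
fw_start_interface_chain()
{
    # IFS is ';' for the whole function: config lines are split on ';' only,
    # so field values containing spaces survive word splitting. The rule
    # action and option fields switch to ' ' temporarily where noted.
    local multi iodir args arg rc CMD L
    local IFS=';'

    INTF=$1
    FCHAIN=$2
    NCHAIN=$3
    SCHAIN=$4
    CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf"
    # The helpers' exit status is kept as a flag: "1" means external.
    is_external_if4 "$1"
    EXTERN4=$?
    is_external_if6 "$1"
    EXTERN6=$?

    HOST="$(hostname)"

    # TODO: use subchains, but we need to do 2 passes on the config
    # files to make it work.

    # Are there rules for this chain?
    if [ -f "$CONFFILE" ]; then
        echo " Start chain ${NCHAIN} on interface ${INTF} is external ipv4: ${EXTERN4} ipv6: ${EXTERN6}" | $LOGGER

        # Install auto blacklisting if set for this interface and this is the
        # INPUT or FORWARD chain. In /etc/mbse-firewall/firewall.conf set the
        # IF_EXT_AUTO_TO value for the block timeout. Default is 3600 seconds.
        # The DROP rule is inserted (-I) at the head of the chain so a blocked
        # source never reaches the configured rules. The rule that fills the
        # set is installed at the end of this function.
        if [ "$NCHAIN" = "INPUT" ] || [ "$NCHAIN" = "FORWARD" ]; then
            if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then
                if [ "$EXTERN4" = "1" ]; then
                    echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER
                    $IPSET create "${HOST}-mbsefw-auto4" hash:ip timeout "$IF_EXT_AUTO_TO" counters -exist
                    $IPTABLES -I "$NCHAIN" -m set --match-set "${HOST}-mbsefw-auto4" src -j DROP
                fi
                if [ "$EXTERN6" = "1" ]; then
                    echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER
                    $IPSET create "${HOST}-mbsefw-auto6" hash:ip family inet6 timeout "$IF_EXT_AUTO_TO" counters -exist
                    $IP6TABLES -I "$NCHAIN" -m set --match-set "${HOST}-mbsefw-auto6" src -j DROP
                fi
            fi
        fi

        # Adjust for the direction of the chain
        if [ "$NCHAIN" = "OUTPUT" ] || [ "$NCHAIN" = "POSTROUTING" ]; then
            iodir="-o"
        else
            iodir="-i"
        fi

        # Read the configuration. The loop body runs in a pipeline subshell,
        # so nothing assigned in it is visible after 'done'.
        $GREP -Ev '^#|^\s*$' "$CONFFILE" | while read -r L ; do
            # Split the line into positional parameters on ';'. The '--'
            # keeps a first field starting with '-' from being parsed as an
            # option of 'set' itself.
            # shellcheck disable=SC2086 -- word splitting is the point here
            set -- $L
            # Build command
            if [ "$1" = "6" ]; then
                CMD=$IP6TABLES
            else
                CMD=$IPTABLES
            fi

            if [ -n "$2" ]; then
                args=("-t" "$2" "-A" "$NCHAIN" "$iodir" "${INTF}")
            else
                args=("-A" "$NCHAIN" "$iodir" "${INTF}")
            fi

            # Protocol
            [ -n "$3" ] && args+=("-p" "$3" "-m" "$3")

            # Test for multiport: a port list (',') or range (':') in either
            # port field needs the multiport match loaded.
            multi=0
            [ -n "$5$7" ] && {
                [[ $5$7 == *","* ]] && multi=1
                [[ $5$7 == *":"* ]] && multi=1
            }
            [ "$multi" = "1" ] && args+=("-m" "multiport")

            # Source address
            [ -n "$4" ] && args+=("-s" "$4")

            # Source port(s)
            [ -n "$5" ] && {
                multi=0
                [[ $5 == *","* ]] && multi=1
                [[ $5 == *":"* ]] && multi=1
                if [ "$multi" = "1" ]; then
                    args+=("--sports" "$5")
                else
                    args+=("--sport" "$5")
                fi
            }

            # Destination address
            [ -n "$6" ] && args+=("-d" "$6")

            # Destination port(s)
            [ -n "$7" ] && {
                multi=0
                [[ $7 == *","* ]] && multi=1
                [[ $7 == *":"* ]] && multi=1
                if [ "$multi" = "1" ]; then
                    args+=("--dports" "$7")
                else
                    args+=("--dport" "$7")
                fi
            }

            # Rule options: space separated inside the field, so split on ' '
            # for this loop only and restore the ';' separator afterwards.
            [ -n "$9" ] && {
                IFS=' '
                for arg in $9; do
                    args+=("$arg")
                done
                IFS=';'
            }

            # Rule action: target name followed by its options, same split.
            [ -n "$8" ] && {
                IFS=' '
                args+=("-j")
                for arg in $8; do
                    args+=("$arg")
                done
                IFS=';'
            }

            $CMD "${args[@]}"
            rc=$?
            echo " " "$CMD" "${args[@]}" | $LOGGER
            if [ "$rc" -ne 0 ]; then
                echo "Error in $CONFFILE" | $LOGGER
            fi
        done

        # In PREROUTING or POSTROUTING chains we are done here.
        if [ "$NCHAIN" = "PREROUTING" ] || [ "$NCHAIN" = "POSTROUTING" ]; then
            return
        fi

        # Ignore timing problems with old connections
        $IPTABLES -A "$NCHAIN" "$iodir" "${INTF}" -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP
        [ "$USE_IPV6" = "1" ] && $IP6TABLES -A "$NCHAIN" "$iodir" "${INTF}" -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP

        # Install the final autoblock rule if this is the INPUT or FORWARD chain.
        # The rate and burst come from IF_EXT_AUTO_LIMIT and IF_EXT_AUTO_BURST
        # (the original comment describes 5 probes per minute or a burst of 10
        # as a good balance to catch the real bad guys). Note that until the IP
        # is blocked these systems are logged using the rule below this one.
        if [ "$IF_EXT_AUTO_BLOCK" = "1" ] && [ "$NCHAIN" != "OUTPUT" ]; then
            if [ "${EXTERN4}" = "1" ]; then
                # First, ignore these. Can happen after a temporary network problem.
                $IPTABLES -A "$NCHAIN" "$iodir" "${INTF}" -p tcp -m tcp --tcp-flags ALL ACK -j DROP
                # Now the real rule.
                $IPTABLES -A "$NCHAIN" "$iodir" "${INTF}" \
                    -m hashlimit --hashlimit-above "${IF_EXT_AUTO_LIMIT}" --hashlimit-burst "${IF_EXT_AUTO_BURST}" --hashlimit-mode srcip --hashlimit-name hash-auto4 \
                    -j SET --add-set "${HOST}-mbsefw-auto4" src
            fi
            if [ "${EXTERN6}" = "1" ]; then
                # First, ignore these. Can happen after a temporary network problem.
                $IP6TABLES -A "$NCHAIN" "$iodir" "${INTF}" -p tcp -m tcp --tcp-flags ALL ACK -j DROP
                # Now the real rule.
                $IP6TABLES -A "$NCHAIN" "$iodir" "${INTF}" \
                    -m hashlimit --hashlimit-above "${IF_EXT_AUTO_LIMIT}" --hashlimit-burst "${IF_EXT_AUTO_BURST}" --hashlimit-mode srcip --hashlimit-name hash-auto6 \
                    -j SET --add-set "${HOST}-mbsefw-auto6" src
            fi
        fi
        # deny and log the rest
        $IPTABLES -A "$NCHAIN" "$iodir" "${INTF}" -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
        [ "$USE_IPV6" = "1" ] && $IP6TABLES -A "$NCHAIN" "$iodir" "${INTF}" -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
        $IPTABLES -A "$NCHAIN" "$iodir" "${INTF}" -j DROP
        [ "$USE_IPV6" = "1" ] && $IP6TABLES -A "$NCHAIN" "$iodir" "${INTF}" -j DROP
        echo -n "."
    fi
}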
661 | ||
662 | ||
663 | ||
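#######################################
# Install all five chains (PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING)
# for one interface by calling fw_start_interface_chain once per chain.
# The interface name is passed quoted: unquoted, an empty name would vanish
# and shift the chain names into the wrong parameters of the callee.
# Arguments: $1 - interface name
#######################################
fw_start_interface()
{
    local intf=$1
    fw_start_interface_chain "$intf" "prerouting" "PREROUTING" "pre"
    fw_start_interface_chain "$intf" "input" "INPUT" "in"
    fw_start_interface_chain "$intf" "output" "OUTPUT" "out"
    fw_start_interface_chain "$intf" "forward" "FORWARD" "fwd"
    fw_start_interface_chain "$intf" "postrouting" "POSTROUTING" "post"
}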
672 | ||
673 | ||
674 | ||
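#######################################
# Install the interface chains for every configured interface: the external
# IPv4 and IPv6 interfaces first (when set), then the IF_TRUNK array, at
# most 50 entries, stopping at the first empty entry.
# Globals read: IF_EXT IF_EXT6 IF_TRUNK
# Returns: 0
#######################################
fw_start_main() {
    local i

    [ -n "$IF_EXT" ] && fw_start_interface "$IF_EXT"
    # NOTE(review): if IF_EXT6 names the same interface as IF_EXT the chains
    # are installed twice; elsewhere in the script an empty IF_EXT6 falls
    # back to IF_EXT, which suggests that is the intended configuration.
    [ -n "$IF_EXT6" ] && fw_start_interface "$IF_EXT6"

    for (( i = 0; i < 50; i++ )); do
        # The trunk list ends at the first empty slot.
        [ -z "${IF_TRUNK[$i]}" ] && break
        fw_start_interface "${IF_TRUNK[$i]}"
    done
}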
688 | ||
689 | ||
690 | ||
#######################################
# Create the FINAL_RULE chain with one iptables-style tool and jump to it
# from OUTPUT, INPUT and (when FW_FORWARD is "1") FORWARD. The chain logs at
# most 10 packets a minute with prefix "DENY=999 " and drops everything.
# Globals read: FW_FORWARD
# Arguments: $1 - the iptables or ip6tables command
#######################################
_fw_final_rule_chain() {
    local tool=$1
    $tool -N FINAL_RULE
    $tool -A OUTPUT -j FINAL_RULE
    $tool -A INPUT -j FINAL_RULE
    if [ "$FW_FORWARD" = "1" ]; then
        $tool -A FORWARD -j FINAL_RULE
    fi
    $tool -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
    $tool -A FINAL_RULE -j DROP
}

#######################################
# Append the catch-all deny-and-log chain for IPv4 and, when USE_IPV6 is
# "1", for IPv6, then report via $LOGGER.
# Globals read: IPTABLES IP6TABLES USE_IPV6 FW_FORWARD LOGGER
#######################################
fw_start_final() {
    _fw_final_rule_chain "$IPTABLES"
    if [ "$USE_IPV6" = "1" ]; then
        _fw_final_rule_chain "$IP6TABLES"
    fi
    echo "Firewall installed" | $LOGGER
}
709 | ||
710 | ||
711 | ||
#######################################
# Build a fresh firewall from scratch: reset to a DROP policy, apply sysctl
# settings, then install the init, per-interface and final rule sets.
# Progress is shown as dots on stdout.
# Globals read: MBSEFW_VERSION
#######################################
fw_install() {
    local name=${0##*/}
    echo -n "Installing $name $MBSEFW_VERSION: "
    reset_iptables DROP
    echo -n "."
    fw_init_sysctl
    echo -n "."
    fw_start_init
    fw_start_main
    fw_start_final
    echo " done."
}
723 | ||
724 | ||
725 | ||
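#######################################
# Start the firewall.
# When all three saved data files exist under /etc/mbse-firewall/data the
# saved state is restored: the ipsets first (the saved rules reference them
# with '-m set'), then the IPv4 and IPv6 rules. Otherwise a new firewall is
# built with fw_install and saved with fw_save. A failed restore step is
# logged and reflected in the return status instead of being reported as
# "New firewall active".
# Globals read: IPSET IPTABLES_RESTORE IP6TABLES_RESTORE LOGGER MBSEFW_VERSION
# Outputs:      progress on stdout, messages via $LOGGER
# Returns:      0 on success, 1 if any restore step failed; otherwise the
#               status of fw_save
#######################################
fw_start() {
    local datadir=/etc/mbse-firewall/data
    local ipv4data="$datadir/firewall-ipv4.data"
    local ipv6data="$datadir/firewall-ipv6.data"
    local ipsetdata="$datadir/firewall-ipset.data"
    local rc=0

    if [ -f "$ipv4data" ] && [ -f "$ipv6data" ] && [ -f "$ipsetdata" ]; then
        # Do a full restore of all saved data
        echo -n "Starting ${0##*/} $MBSEFW_VERSION: "
        echo "Start new firewall" | $LOGGER
        fw_init_nfacct
        # reset_iptables DROP runs before the restore, so a restore that
        # fails part-way is expected to leave the host closed rather than
        # open (verify in reset_iptables).
        reset_iptables DROP
        echo -n "."
        fw_init_sysctl
        if $IPSET restore < "$ipsetdata"; then
            echo " Restored $ipsetdata" | $LOGGER
        else
            echo " FAILED to restore $ipsetdata" | $LOGGER
            rc=1
        fi
        echo -n "."
        if $IPTABLES_RESTORE < "$ipv4data"; then
            echo " Restored $ipv4data" | $LOGGER
        else
            echo " FAILED to restore $ipv4data" | $LOGGER
            rc=1
        fi
        echo -n "."
        if $IP6TABLES_RESTORE < "$ipv6data"; then
            echo " Restored $ipv6data" | $LOGGER
        else
            echo " FAILED to restore $ipv6data" | $LOGGER
            rc=1
        fi
        echo " done."
        if [ "$rc" -eq 0 ]; then
            echo -n "New firewall active" | $LOGGER
        else
            echo "Firewall restore incomplete, check the messages above" | $LOGGER
        fi
    else
        # If there is no saved firewall, install a new one and save it.
        fw_install
        fw_save
        rc=$?
    fi
    return "$rc"
}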
753 | ||
754 | ||
755 | ||
#######################################
# Stop the firewall by resetting all tables with an ACCEPT policy.
# Globals read: MBSEFW_VERSION
#######################################
fw_stop() {
    local name=${0##*/}
    echo -n "Stopping $name $MBSEFW_VERSION: "
    # Slackware defaults to ACCEPT when no firewall is active.
    reset_iptables ACCEPT
    echo "done."
}
762 | ||
763 | ||
764 | ||
#######################################
# Reload the IPv4 and IPv6 blocklist tables, if there are any.
# Globals read: MBSEFW_VERSION
#######################################
fw_reload() {
    local name=${0##*/}
    echo -n "Reload $name $MBSEFW_VERSION: "
    reload_blocklist4
    reload_blocklist6
    echo "done."
}
772 | ||
773 | ||
774 | ||
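#######################################
# Save the running firewall to /etc/mbse-firewall/data so fw_start can
# restore it: the iptables-save / ip6tables-save output (when those tools
# are configured) and every ipset whose name contains this host's name.
# The auto blacklist sets are saved structure-only (-t) so their temporary
# entries are not brought back on the next start.
# Globals read:    IPTABLES_SAVE IP6TABLES_SAVE IPSET GREP LOGGER MBSEFW_VERSION
# Globals written: HOST (kept global as in the original)
# Outputs:         progress dots on stdout, messages via $LOGGER
#######################################
fw_save() {
    local datadir=/etc/mbse-firewall/data
    local ipsetdata="$datadir/firewall-ipset.data"
    local sets s

    echo -n "Saving ${0##*/} $MBSEFW_VERSION: "
    echo "Saving firewall" | $LOGGER
    mkdir -p "$datadir"
    [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > "$datadir/firewall-ipv4.data"
    echo -n "."
    [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > "$datadir/firewall-ipv6.data"
    echo -n "."

    # Start from an empty ipset dump; the sets are appended one by one.
    rm -f "$ipsetdata"
    touch "$ipsetdata"
    HOST="$(hostname)"
    # Match the hostname as a fixed string with the script's configured
    # grep: as a regex, a dotted hostname would also match unrelated set
    # names. An empty hostname would match every set, so skip in that case.
    if [ -n "$HOST" ]; then
        sets="$($IPSET list -n | $GREP -F -- "$HOST")"
    else
        echo " hostname is empty, no ipset tables saved" | $LOGGER
        sets=""
    fi
    # shellcheck disable=SC2086 -- one set name per word, names have no spaces
    for s in $sets ; do
        if [ "$s" = "${HOST}-mbsefw-auto4" ] || [ "$s" = "${HOST}-mbsefw-auto6" ]; then
            # Only save structure for auto blocklists
            $IPSET save "$s" -t >> "$ipsetdata"
        else
            $IPSET save "$s" >> "$ipsetdata"
        fi
        echo -n "."
    done
    echo " done."
    echo "Save firewall done in $datadir" | $LOGGER
}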
800 | ||
801 | ||
802 | ||
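#######################################
# Print one netfilter table when its kernel module is loaded.
# Globals:   IP_MODULES (read) - module names as set by fw_status
# Arguments: $1 - module name to look for (substring match, as before)
#            $2 - iptables or ip6tables command to run
#            $3 - table name (filter, nat, raw, mangle, security)
#            $4 - heading printed above the listing
# Outputs:   heading and the table with counters and rule numbers on stdout
#######################################
fw_status_table() {
  local module=$1 tool=$2 table=$3 title=$4
  case " ${IP_MODULES} " in
    *"${module}"*)
      echo
      echo "$title"
      echo
      $tool -t "$table" -L -v -n --line-numbers
      ;;
  esac
}

#######################################
# Show which netfilter modules are loaded, dump every loaded table for
# IPv4 and IPv6, and list the ipset tables that belong to this host.
# Globals:   MBSEFW_VERSION, LSMOD, AWK, GREP, IPTABLES, IP6TABLES,
#            IPSET (read); IP_MODULES, HOST (written)
# Arguments: none
# Outputs:   status report on stdout
# Returns:   0; returns early when no ip* module is loaded
#######################################
fw_status() {
  local sets myset

  echo -n "$(basename "$0") $MBSEFW_VERSION"

  IP_MODULES=$($LSMOD | $AWK '{print $1}' | $GREP '^ip')
  if [ -z "${IP_MODULES}" ]; then
    echo " - You do not have any iptables loaded."
    return
  fi
  echo " - You have the following ip modules loaded:"
  echo -n " "
  # Unquoted on purpose: word splitting joins the one-per-line module
  # list onto a single line.
  # shellcheck disable=SC2086
  echo ${IP_MODULES}

  # Same order as the original report: per table, IPv4 then IPv6.
  fw_status_table iptable_filter    "$IPTABLES"  filter   ' FILTER TABLE IPv4'
  fw_status_table ip6table_filter   "$IP6TABLES" filter   ' FILTER TABLE IPv6'
  fw_status_table iptable_nat       "$IPTABLES"  nat      ' NAT TABLE IPv4'
  fw_status_table ip6table_nat      "$IP6TABLES" nat      ' NAT TABLE IPv6'
  fw_status_table iptable_raw       "$IPTABLES"  raw      ' RAW TABLE IPv4'
  fw_status_table ip6table_raw      "$IP6TABLES" raw      ' RAW TABLE IPv6'
  fw_status_table iptable_mangle    "$IPTABLES"  mangle   ' MANGLE TABLE IPv4'
  fw_status_table ip6table_mangle   "$IP6TABLES" mangle   ' MANGLE TABLE IPv6'
  fw_status_table iptable_security  "$IPTABLES"  security ' SECURITY TABLE IPv4'
  fw_status_table ip6table_security "$IP6TABLES" security ' SECURITY TABLE IPv6'

  # Sets are named after this host; match the name literally (-F), not as
  # a regex, and query ipset only once for the list.
  if [ -n "$IPSET" ]; then
    HOST="$(hostname)"
    sets="$($IPSET list -n | grep -F -- "$HOST")"
    if [ -n "$sets" ]; then
      echo
      echo ' IPSET listing'
      for myset in $sets; do
        echo
        $IPSET list "$myset"
      done
    fi
  fi
}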
898 | ||
899 | ||
900 | ||
901 | # --------------------------------------------------------------------------- | |
902 | # | |
903 | # MAIN program part | |
904 | # | |
905 | # --------------------------------------------------------------------------- | |
906 | ||
907 | ||
908 | # See how we were called | |
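# Dispatch on the first argument, init-script style.
cmd=$1

case "$cmd" in
  start)
    fw_start
    ;;

  stop)
    fw_stop
    ;;

  restart)
    fw_stop
    fw_start
    ;;

  save)
    fw_save
    ;;
  install)
    fw_install
    ;;
  reload)
    fw_reload
    ;;
  status)
    fw_status
    ;;

  *)
    # Unknown or missing command: print the usage on stderr and exit
    # non-zero so an rc script or operator notices the mistake instead of
    # seeing a silent success.
    {
      echo "Usage $0 [start|stop|restart|save|install|reload|status]"
      echo
      echo "start start a saved firewall"
      echo "stop stop firewall and set default ACCEPT state"
      echo "restart stop and start the firewall"
      echo "save save current installed firewall rules"
      echo "install install new firewall from configuration"
      echo "reload reload the blocklists"
      echo "status show the firewall rules and counters"
    } >&2
    exit 1
    ;;
esac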
950 | ||
951 |