20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.19" |
25 MBSEFW_VERSION="0.0.20" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
360 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
360 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
361 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
361 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
362 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
362 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
363 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
363 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
364 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
364 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
365 $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT " |
365 $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT " |
366 $IPTABLES -A INPUT -p icmp -j DROP |
366 $IPTABLES -A INPUT -p icmp -j DROP |
367 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT |
367 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT |
368 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT |
368 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT |
369 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT |
369 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT |
370 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT |
370 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT |
371 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT |
371 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT |
372 $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT " |
372 $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_OUTPUT " |
373 $IPTABLES -A OUTPUT -p icmp -j DROP |
373 $IPTABLES -A OUTPUT -p icmp -j DROP |
374 if [ "$FW_FORWARD" = "1" ]; then |
374 if [ "$FW_FORWARD" = "1" ]; then |
375 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
375 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
376 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
376 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
377 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
377 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
378 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
378 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
379 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
379 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
380 $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD " |
380 $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_FORWARD " |
381 $IPTABLES -A FORWARD -p icmp -j DROP |
381 $IPTABLES -A FORWARD -p icmp -j DROP |
382 fi |
382 fi |
383 |
383 |
384 # If this system has enabled IPv6 ... |
384 # If this system has enabled IPv6 ... |
385 if [ "$USE_IPV6" == "1" ]; then |
385 if [ "$USE_IPV6" == "1" ]; then |
433 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP |
433 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP |
434 fi |
434 fi |
435 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT |
435 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT |
436 |
436 |
437 # Drop unmatched icmpv6 but log them so we can debug |
437 # Drop unmatched icmpv6 but log them so we can debug |
438 $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT " |
438 $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_INPUT " |
439 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP |
439 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP |
440 $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT " |
440 $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_OUTPUT " |
441 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP |
441 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP |
442 [ "$FW_FORWARD" = "1" ] && { |
442 [ "$FW_FORWARD" = "1" ] && { |
443 $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD " |
443 $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_FORWARD " |
444 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
444 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
445 } |
445 } |
446 fi |
446 fi |
447 |
447 |
448 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
448 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
649 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
649 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
650 -j SET --add-set ${HOST}-mbsefw-auto6 src |
650 -j SET --add-set ${HOST}-mbsefw-auto6 src |
651 fi |
651 fi |
652 fi |
652 fi |
653 # deny and log the rest |
653 # deny and log the rest |
654 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
654 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
655 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
655 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
656 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP |
656 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP |
657 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP |
657 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP |
658 echo -n "." |
658 echo -n "." |
659 fi |
659 fi |
660 } |
660 } |
692 # Deny and log everything else |
692 # Deny and log everything else |
693 $IPTABLES -N FINAL_RULE |
693 $IPTABLES -N FINAL_RULE |
694 $IPTABLES -A OUTPUT -j FINAL_RULE |
694 $IPTABLES -A OUTPUT -j FINAL_RULE |
695 $IPTABLES -A INPUT -j FINAL_RULE |
695 $IPTABLES -A INPUT -j FINAL_RULE |
696 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE |
696 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE |
697 $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 " |
697 $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 " |
698 $IPTABLES -A FINAL_RULE -j DROP |
698 $IPTABLES -A FINAL_RULE -j DROP |
699 if [ "$USE_IPV6" = "1" ]; then |
699 if [ "$USE_IPV6" = "1" ]; then |
700 $IP6TABLES -N FINAL_RULE |
700 $IP6TABLES -N FINAL_RULE |
701 $IP6TABLES -A OUTPUT -j FINAL_RULE |
701 $IP6TABLES -A OUTPUT -j FINAL_RULE |
702 $IP6TABLES -A INPUT -j FINAL_RULE |
702 $IP6TABLES -A INPUT -j FINAL_RULE |
703 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE |
703 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE |
704 $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 " |
704 $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 " |
705 $IP6TABLES -A FINAL_RULE -j DROP |
705 $IP6TABLES -A FINAL_RULE -j DROP |
706 fi |
706 fi |
707 echo "Firewall installed" | $LOGGER |
707 echo "Firewall installed" | $LOGGER |
708 } |
708 } |
709 |
709 |
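Review bot: The new `-j "${FW_LOGDEST[@]}" "DENY=..."` form (gutter lines 365, 372, 380, 438, 440, 443, 654, 655, 697 and 704) only yields a valid rule if the array's last element is the prefix option, because the quoted string follows it as a bare argument; the array's definition is not in the visible hunks, so this is unverified here. If FW_LOGDEST is unset or empty, the expansion disappears and iptables is handed `"DENY=999 "` as the jump target, so the log rule fails to load while the following `-j DROP` still installs, and denied traffic is dropped with no audit trail. I would add a guard before the first rule is built, e.g. `[ "${#FW_LOGDEST[@]}" -ge 2 ] || { echo "** FW_LOGDEST is not configured" >&2; exit 1; }`, and a comment at the definition stating that the array must end in `--log-prefix` or `--nflog-prefix`. Arrays also require bash, so the shebang (outside this view) should not be `/bin/sh`.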