Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 9
- 2e298d35241f
- parent 8
- c8e957eb1b36
- child 10
- 798ac120a09e
equal
deleted
inserted
replaced
| 8:c8e957eb1b36 | 9:2e298d35241f |
|---|---|
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.19" | 25 MBSEFW_VERSION="0.0.20" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 360 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 360 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 361 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 361 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 362 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 362 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 363 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 363 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 364 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 364 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 365 $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT " | 365 $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT " |
| 366 $IPTABLES -A INPUT -p icmp -j DROP | 366 $IPTABLES -A INPUT -p icmp -j DROP |
| 367 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | 367 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT |
| 368 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT | 368 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT |
| 369 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT | 369 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT |
| 370 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT | 370 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT |
| 371 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT | 371 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT |
| 372 $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT " | 372 $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_OUTPUT " |
| 373 $IPTABLES -A OUTPUT -p icmp -j DROP | 373 $IPTABLES -A OUTPUT -p icmp -j DROP |
| 374 if [ "$FW_FORWARD" = "1" ]; then | 374 if [ "$FW_FORWARD" = "1" ]; then |
| 375 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 375 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 376 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 376 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 0/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 377 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 377 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 378 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 378 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 379 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT | 379 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT |
| 380 $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD " | 380 $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_FORWARD " |
| 381 $IPTABLES -A FORWARD -p icmp -j DROP | 381 $IPTABLES -A FORWARD -p icmp -j DROP |
| 382 fi | 382 fi |
| 383 | 383 |
| 384 # If this system has enabled IPv6 ... | 384 # If this system has enabled IPv6 ... |
| 385 if [ "$USE_IPV6" == "1" ]; then | 385 if [ "$USE_IPV6" == "1" ]; then |
| 433 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP | 433 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j DROP |
| 434 fi | 434 fi |
| 435 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT | 435 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT |
| 436 | 436 |
| 437 # Drop unmatched icmpv6 but log them so we can debug | 437 # Drop unmatched icmpv6 but log them so we can debug |
| 438 $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT " | 438 $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_INPUT " |
| 439 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP | 439 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP |
| 440 $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT " | 440 $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_OUTPUT " |
| 441 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP | 441 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP |
| 442 [ "$FW_FORWARD" = "1" ] && { | 442 [ "$FW_FORWARD" = "1" ] && { |
| 443 $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD " | 443 $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_FORWARD " |
| 444 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP | 444 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
| 445 } | 445 } |
| 446 fi | 446 fi |
| 447 | 447 |
| 448 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then | 448 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
| 649 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ | 649 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
| 650 -j SET --add-set ${HOST}-mbsefw-auto6 src | 650 -j SET --add-set ${HOST}-mbsefw-auto6 src |
| 651 fi | 651 fi |
| 652 fi | 652 fi |
| 653 # deny and log the rest | 653 # deny and log the rest |
| 654 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " | 654 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
| 655 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " | 655 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN " |
| 656 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP | 656 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP |
| 657 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP | 657 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP |
| 658 echo -n "." | 658 echo -n "." |
| 659 fi | 659 fi |
| 660 } | 660 } |
| 692 # Deny and log everything else | 692 # Deny and log everything else |
| 693 $IPTABLES -N FINAL_RULE | 693 $IPTABLES -N FINAL_RULE |
| 694 $IPTABLES -A OUTPUT -j FINAL_RULE | 694 $IPTABLES -A OUTPUT -j FINAL_RULE |
| 695 $IPTABLES -A INPUT -j FINAL_RULE | 695 $IPTABLES -A INPUT -j FINAL_RULE |
| 696 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE | 696 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE |
| 697 $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 " | 697 $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 " |
| 698 $IPTABLES -A FINAL_RULE -j DROP | 698 $IPTABLES -A FINAL_RULE -j DROP |
| 699 if [ "$USE_IPV6" = "1" ]; then | 699 if [ "$USE_IPV6" = "1" ]; then |
| 700 $IP6TABLES -N FINAL_RULE | 700 $IP6TABLES -N FINAL_RULE |
| 701 $IP6TABLES -A OUTPUT -j FINAL_RULE | 701 $IP6TABLES -A OUTPUT -j FINAL_RULE |
| 702 $IP6TABLES -A INPUT -j FINAL_RULE | 702 $IP6TABLES -A INPUT -j FINAL_RULE |
| 703 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE | 703 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE |
| 704 $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 " | 704 $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 " |
| 705 $IP6TABLES -A FINAL_RULE -j DROP | 705 $IP6TABLES -A FINAL_RULE -j DROP |
| 706 fi | 706 fi |
| 707 echo "Firewall installed" | $LOGGER | 707 echo "Firewall installed" | $LOGGER |
| 708 } | 708 } |
| 709 | 709 |
| 908 # See how we were called | 908 # See how we were called |
| 909 cmd=$1 | 909 cmd=$1 |
| 910 | 910 |
| 911 case "$cmd" in | 911 case "$cmd" in |
| 912 start) | 912 start) |
| 913 [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd start | |
| 913 fw_start | 914 fw_start |
| 914 ;; | 915 ;; |
| 915 | 916 |
| 916 stop) | 917 stop) |
| 917 fw_stop | 918 fw_stop |
| 919 [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd stop | |
| 918 ;; | 920 ;; |
| 919 | 921 |
| 920 restart) | 922 restart) |
| 921 fw_stop | 923 fw_stop |
| 924 [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd restart | |
| 922 fw_start | 925 fw_start |
| 923 ;; | 926 ;; |
| 924 | 927 |
| 925 save) | 928 save) |
| 926 fw_save | 929 fw_save |
