Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 3
- 6b45cf9df8cf
- parent 2
- 7c794ae9f4de
- child 4
- 92045b0e8e17
equal
deleted
inserted
replaced
| 2:7c794ae9f4de | 3:6b45cf9df8cf |
|---|---|
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.13" | 25 MBSEFW_VERSION="0.0.15" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" | 226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
| 227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then | 227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
| 228 echo " Install $BLOCKLIST" | $LOGGER | 228 echo " Install $BLOCKLIST" | $LOGGER |
| 229 $IPSET create mbsefw-blk4ip hash:ip counters -exist | 229 $IPSET create mbsefw-blk4ip hash:ip counters -exist |
| 230 $IPSET create mbsefw-blk4net hash:net counters -exist | 230 $IPSET create mbsefw-blk4net hash:net counters -exist |
| 231 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set mbsefw-blk4ip src -j DROP | 231 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
| 232 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set mbsefw-blk4net src -j DROP | 232 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
| 233 if [ "$FW_FORWARD" = "1" ]; then | 233 if [ "$FW_FORWARD" = "1" ]; then |
| 234 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set mbsefw-blk4ip src -j DROP | 234 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
| 235 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set mbsefw-blk4net src -j DROP | 235 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
| 236 fi | 236 fi |
| 237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 238 set $L | 238 set $L |
| 239 if echo $1 | $GREP -q "/" ; then | 239 if echo $1 | $GREP -q "/" ; then |
| 240 $IPSET add mbsefw-blk4net $1 -exist | 240 $IPSET add mbsefw-blk4net $1 -exist |
| 252 if [ -n "$IF_EXT6" ]; then | 252 if [ -n "$IF_EXT6" ]; then |
| 253 IF6=$IF_EXT6 | 253 IF6=$IF_EXT6 |
| 254 else | 254 else |
| 255 IF6=$IF_EXT | 255 IF6=$IF_EXT |
| 256 fi | 256 fi |
| 257 $IP6TABLES -A INPUT -i $IF6 -m set --match-set mbsefw-blk6 src -j DROP | 257 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
| 258 if [ "$FW_FORWARD" = "1" ]; then | 258 if [ "$FW_FORWARD" = "1" ]; then |
| 259 $IP6TABLES -A FORWARD -i $IF6 -m set --match-set mbsefw-blk6 src -j DROP | 259 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
| 260 fi | 260 fi |
| 261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 262 set $L | 262 set $L |
| 263 $IPSET add mbsefw-blk6 $1 -exist | 263 $IPSET add mbsefw-blk6 $1 -exist |
| 264 done | 264 done |
| 587 # Ignore timing problems with old connections | 587 # Ignore timing problems with old connections |
| 588 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP | 588 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
| 589 [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP | 589 [ "$USE_IPV6" = "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ACK,PSH ACK,PSH -j DROP |
| 590 | 590 |
| 591 # Install the final autoblock rule if this is the INPUT or FORWARD chain. | 591 # Install the final autoblock rule if this is the INPUT or FORWARD chain. |
| 592 # We allow upto 1 probe per minute or a burst of 3 probes. This should be | 592 # We allow upto 5 probes per minute or a burst of 10 probes. This should be |
| 593 # a good balance to catch the real bad guys. Note that until the IP is | 593 # a good balance to catch the real bad guys. Note that until the IP is |
| 594 # blocked these systems are logged using the rule below this one. | 594 # blocked these systems are logged using the rule below this one. |
| 595 if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then | 595 if [ "$IF_EXT_AUTO_BLOCK" = "1" -a "$NCHAIN" != "OUTPUT" ]; then |
| 596 if [ "${EXTERN4}" = "1" ]; then | 596 if [ "${EXTERN4}" = "1" ]; then |
| 597 # First, ignore these. Can happen after a temporary network problem. | |
| 598 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP | |
| 599 # Now the real rule. | |
| 597 $IPTABLES -A $NCHAIN $iodir ${INTF} \ | 600 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
| 598 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ | 601 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
| 599 -j SET --add-set mbsefw-auto4 src | 602 -j SET --add-set mbsefw-auto4 src |
| 600 fi | 603 fi |
| 601 if [ "${EXTERN6}" = "1" ]; then | 604 if [ "${EXTERN6}" = "1" ]; then |
| 605 # First, ignore these. Can happen after a temporary network problem. | |
| 606 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP | |
| 607 # Now the real rule. | |
| 602 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ | 608 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
| 603 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ | 609 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
| 604 -j SET --add-set mbsefw-auto6 src | 610 -j SET --add-set mbsefw-auto6 src |
| 605 fi | 611 fi |
| 606 fi | 612 fi |
| 883 status) | 889 status) |
| 884 fw_status | 890 fw_status |
| 885 ;; | 891 ;; |
| 886 | 892 |
| 887 *) | 893 *) |
| 888 echo "Usage $0 [start|stop|restart|status]" | 894 echo "Usage $0 [start|stop|restart|save|install|reload|status]" |
| 895 echo | |
| 896 echo "start start a saved firewall" | |
| 897 echo "stop stop firewall and set default ACCEPT state" | |
| 898 echo "restart stop and start the firewall" | |
| 899 echo "save save current installed firewall rules" | |
| 900 echo "install install new firewall from configuration" | |
| 901 echo "reload reload the blocklists" | |
| 902 echo "status show the firewall rules and counters" | |
| 889 ;; | 903 ;; |
| 890 esac | 904 esac |
| 891 | 905 |
| 892 | 906 |
