Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 2
- 7c794ae9f4de
- parent 0
- d4d23e51be4f
- child 3
- 6b45cf9df8cf
equal
deleted
inserted
replaced
| 1:96a14c72b423 | 2:7c794ae9f4de |
|---|---|
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.12" | 25 MBSEFW_VERSION="0.0.13" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 51 LSMOD=$(which lsmod 2>/dev/null) | 51 LSMOD=$(which lsmod 2>/dev/null) |
| 52 AWK=$(which awk 2>/dev/null) | 52 AWK=$(which awk 2>/dev/null) |
| 53 GREP=$(which grep 2>/dev/null) | 53 GREP=$(which grep 2>/dev/null) |
| 54 IPSET=$(which ipset 2>/dev/null) | 54 IPSET=$(which ipset 2>/dev/null) |
| 55 SYSCTL=$(which sysctl 2>/dev/null) | 55 SYSCTL=$(which sysctl 2>/dev/null) |
| 56 NFACCT=$(which nfacct 2>/dev/null) | |
| 56 | 57 |
| 57 if [ "$USE_IPV6" = "1" ]; then | 58 if [ "$USE_IPV6" = "1" ]; then |
| 58 IP6TABLES=$(which ip6tables 2>/dev/null) | 59 IP6TABLES=$(which ip6tables 2>/dev/null) |
| 59 IP6TABLES_SAVE=$(which ip6tables-save 2>/dev/null) | 60 IP6TABLES_SAVE=$(which ip6tables-save 2>/dev/null) |
| 60 IP6TABLES_RESTORE=$(which ip6tables-restore 2>/dev/null) | 61 IP6TABLES_RESTORE=$(which ip6tables-restore 2>/dev/null) |
| 183 fi | 184 fi |
| 184 } | 185 } |
| 185 | 186 |
| 186 | 187 |
| 187 | 188 |
| 189 fw_init_nfacct() { | |
| 190 NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf" | |
| 191 if [ -f $NFACCTCONF ]; then | |
| 192 echo "Init netfilter accounting" | $LOGGER | |
| 193 $GREP -Ev '^#|^;|^\s*$' $NFACCTCONF | while read L ; do | |
| 194 set $L | |
| 195 if [ -z "$($NFACCT list | $GREP $1)" ]; then | |
| 196 $NFACCT add $1 | |
| 197 fi | |
| 198 done | |
| 199 fi | |
| 200 } | |
| 201 | |
| 202 | |
| 203 | |
| 188 fw_init_sysctl() { | 204 fw_init_sysctl() { |
| 189 # If we have bridges and don't want iptables to work between | 205 # If we have bridges and don't want iptables to work between |
| 190 # the physical interfaces, turn it off. | 206 # the physical interfaces, turn it off. |
| 191 if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then | 207 if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then |
| 192 $SYSCTL -e -q -w net.bridge.bridge-nf-call-arptables=0 | 208 $SYSCTL -e -q -w net.bridge.bridge-nf-call-arptables=0 |
| 246 set $L | 262 set $L |
| 247 $IPSET add mbsefw-blk6 $1 -exist | 263 $IPSET add mbsefw-blk6 $1 -exist |
| 248 done | 264 done |
| 249 echo -n "." | 265 echo -n "." |
| 250 fi | 266 fi |
| 267 | |
| 268 fw_init_nfacct | |
| 269 echo -n "." | |
| 251 | 270 |
| 252 # accept established and related connections | 271 # accept established and related connections |
| 253 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | 272 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 254 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | 273 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 255 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | 274 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 663 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ | 682 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
| 664 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then | 683 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
| 665 # Do a full restore of all saved data | 684 # Do a full restore of all saved data |
| 666 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " | 685 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
| 667 echo "Start new firewall" | $LOGGER | 686 echo "Start new firewall" | $LOGGER |
| 687 fw_init_nfacct | |
| 668 reset_iptables DROP | 688 reset_iptables DROP |
| 669 echo -n "." | 689 echo -n "." |
| 670 fw_init_sysctl | 690 fw_init_sysctl |
| 671 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data | 691 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data |
| 672 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER | 692 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER |
