20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.12" |
25 MBSEFW_VERSION="0.0.13" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
51 LSMOD=$(which lsmod 2>/dev/null) |
51 LSMOD=$(which lsmod 2>/dev/null) |
52 AWK=$(which awk 2>/dev/null) |
52 AWK=$(which awk 2>/dev/null) |
53 GREP=$(which grep 2>/dev/null) |
53 GREP=$(which grep 2>/dev/null) |
54 IPSET=$(which ipset 2>/dev/null) |
54 IPSET=$(which ipset 2>/dev/null) |
55 SYSCTL=$(which sysctl 2>/dev/null) |
55 SYSCTL=$(which sysctl 2>/dev/null) |
|
56 NFACCT=$(which nfacct 2>/dev/null) |
56 |
57 |
57 if [ "$USE_IPV6" = "1" ]; then |
58 if [ "$USE_IPV6" = "1" ]; then |
58 IP6TABLES=$(which ip6tables 2>/dev/null) |
59 IP6TABLES=$(which ip6tables 2>/dev/null) |
59 IP6TABLES_SAVE=$(which ip6tables-save 2>/dev/null) |
60 IP6TABLES_SAVE=$(which ip6tables-save 2>/dev/null) |
60 IP6TABLES_RESTORE=$(which ip6tables-restore 2>/dev/null) |
61 IP6TABLES_RESTORE=$(which ip6tables-restore 2>/dev/null) |
183 fi |
184 fi |
184 } |
185 } |
185 |
186 |
186 |
187 |
187 |
188 |
|
189 fw_init_nfacct() { |
|
190 NFACCTCONF="/etc/mbse-firewall/conf.d/nfacct.conf" |
|
191 if [ -f $NFACCTCONF ]; then |
|
192 echo "Init netfilter accounting" | $LOGGER |
|
193 $GREP -Ev '^#|^;|^\s*$' $NFACCTCONF | while read L ; do |
|
194 set $L |
|
195 if [ -z "$($NFACCT list | $GREP $1)" ]; then |
|
196 $NFACCT add $1 |
|
197 fi |
|
198 done |
|
199 fi |
|
200 } |
|
201 |
|
202 |
|
203 |
188 fw_init_sysctl() { |
204 fw_init_sysctl() { |
189 # If we have bridges and don't want iptables to work between |
205 # If we have bridges and don't want iptables to work between |
190 # the physical interfaces, turn it off. |
206 # the physical interfaces, turn it off. |
191 if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then |
207 if [ "$FW_NO_BRIDGE_NF_CALL" = "1" ]; then |
192 $SYSCTL -e -q -w net.bridge.bridge-nf-call-arptables=0 |
208 $SYSCTL -e -q -w net.bridge.bridge-nf-call-arptables=0 |
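Review bot: In `fw_init_nfacct` the presence check `$($NFACCT list | $GREP $1)` feeds the object name from nfacct.conf to grep as an unquoted, unanchored pattern, so a name that is a substring of an existing object (or that contains regex metacharacters) makes the `add` silently skipped, and `set $L` on a line beginning with `-` is parsed as shell options rather than as data. Consider `while read -r L ; do`, `set -- $L`, and `$NFACCT get "$1" >/dev/null 2>&1 || $NFACCT add "$1"` so the lookup is exact and each config line is treated as data. Because `NFACCT=$(which nfacct 2>/dev/null)` in the earlier hunk leaves the variable empty when the tool is absent, the function would then execute a bare `add`; guard with `[ -n "$NFACCT" ]` unless the sanity-check block outside this view already requires nfacct. The `NFACCTCONF` path is also expanded unquoted in `[ -f $NFACCTCONF ]` and the grep call; quoting it costs nothing.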
246 set $L |
262 set $L |
247 $IPSET add mbsefw-blk6 $1 -exist |
263 $IPSET add mbsefw-blk6 $1 -exist |
248 done |
264 done |
249 echo -n "." |
265 echo -n "." |
250 fi |
266 fi |
|
267 |
|
268 fw_init_nfacct |
|
269 echo -n "." |
251 |
270 |
252 # accept established and related connections |
271 # accept established and related connections |
253 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
272 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
254 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
273 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
255 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
274 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
663 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
682 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
664 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
683 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
665 # Do a full restore of all saved data |
684 # Do a full restore of all saved data |
666 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
685 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
667 echo "Start new firewall" | $LOGGER |
686 echo "Start new firewall" | $LOGGER |
|
687 fw_init_nfacct |
668 reset_iptables DROP |
688 reset_iptables DROP |
669 echo -n "." |
689 echo -n "." |
670 fw_init_sysctl |
690 fw_init_sysctl |
671 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data |
691 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data |
672 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER |
692 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER |