20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.15" |
25 MBSEFW_VERSION="0.0.16" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
144 |
149 |
145 |
150 |
146 reload_blocklist4() { |
151 reload_blocklist4() { |
147 |
152 |
148 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
153 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
|
154 HOST="$(hostname)" |
|
155 |
149 if [ -f $BLOCKLIST ]; then |
156 if [ -f $BLOCKLIST ]; then |
150 echo "Reload $BLOCKLIST" | $LOGGER |
157 echo "Reload $BLOCKLIST" | $LOGGER |
151 $IPSET create new-mbsefw-blk4ip hash:ip counters -exist |
158 $IPSET create ${HOST}-new-mbsefw-blk4ip hash:ip counters -exist |
152 $IPSET create new-mbsefw-blk4net hash:net counters -exist |
159 $IPSET create ${HOST}new-mbsefw-blk4net hash:net counters -exist |
153 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
160 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
154 set $L |
161 set $L |
155 if echo $1 | $GREP -q "/" ; then |
162 if echo $1 | $GREP -q "/" ; then |
156 $IPSET add new-mbsefw-blk4net $1 -exist |
163 $IPSET add ${HOST}-new-mbsefw-blk4net $1 -exist |
157 else |
164 else |
158 $IPSET add new-mbsefw-blk4ip $1 -exist |
165 $IPSET add ${HOST}-new-mbsefw-blk4ip $1 -exist |
159 fi |
166 fi |
160 done |
167 done |
161 $IPSET swap mbsefw-blk4net new-mbsefw-blk4net |
168 $IPSET swap ${HOST}-mbsefw-blk4net ${HOST}-new-mbsefw-blk4net |
162 $IPSET flush new-mbsefw-blk4net |
169 $IPSET flush ${HOST}-new-mbsefw-blk4net |
163 $IPSET destroy new-mbsefw-blk4net |
170 $IPSET destroy ${HOST}-new-mbsefw-blk4net |
164 $IPSET swap mbsefw-blk4ip new-mbsefw-blk4ip |
171 $IPSET swap ${HOST}-mbsefw-blk4ip ${HOST}-new-mbsefw-blk4ip |
165 $IPSET flush new-mbsefw-blk4ip |
172 $IPSET flush ${HOST}-new-mbsefw-blk4ip |
166 $IPSET destroy new-mbsefw-blk4ip |
173 $IPSET destroy ${HOST}-new-mbsefw-blk4ip |
167 fi |
174 fi |
168 } |
175 } |
169 |
176 |
170 |
177 |
171 |
178 |
172 reload_blocklist6() { |
179 reload_blocklist6() { |
173 |
180 |
174 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
181 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
|
182 HOST="$(hostname)" |
|
183 |
175 if [ -f $BLOCKLIST ]; then |
184 if [ -f $BLOCKLIST ]; then |
176 echo "Reload $BLOCKLIST" | $LOGGER |
185 echo "Reload $BLOCKLIST" | $LOGGER |
177 $IPSET create new-mbsefw-blk6 hash:net family inet6 counters -exist |
186 $IPSET create ${HOST}-new-mbsefw-blk6 hash:net family inet6 counters -exist |
178 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
187 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
179 set $L ; $IPSET add new-mbsefw-blk6 $1 -exist |
188 set $L ; $IPSET add ${HOST}-new-mbsefw-blk6 $1 -exist |
180 done |
189 done |
181 $IPSET swap mbsefw-blk6 new-mbsefw-blk6 |
190 $IPSET swap ${HOST}-mbsefw-blk6 ${HOST}-new-mbsefw-blk6 |
182 $IPSET flush new-mbsefw-blk6 |
191 $IPSET flush ${HOST}-new-mbsefw-blk6 |
183 $IPSET destroy new-mbsefw-blk6 |
192 $IPSET destroy ${HOST}-new-mbsefw-blk6 |
184 fi |
193 fi |
185 } |
194 } |
186 |
195 |
187 |
196 |
188 |
197 |
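Review bot: The create call for the IPv4 net set on the new side of reload_blocklist4 is missing the hyphen after the hostname — `$IPSET create ${HOST}new-mbsefw-blk4net hash:net counters -exist` — while the add, swap, flush and destroy lines in the same function all use `${HOST}-new-mbsefw-blk4net`, so after this change the net entries are added to a set that was never created and the swap with `${HOST}-mbsefw-blk4net` fails, leaving the previous blocklist active; the line should read `$IPSET create ${HOST}-new-mbsefw-blk4net hash:net counters -exist`. Separately, ipset set names are limited to 31 characters, and prefixing `${HOST}-` onto names such as `new-mbsefw-blk4net` leaves room for only about a dozen hostname characters, so a longer or fully-qualified hostname will make every `ipset create` in this hunk and in fw_start_init fail at firewall start; using `hostname -s` or checking the prefix length up front and logging a clear error would avoid a silently missing blocklist. In the ipset save hunk, `SETS="$($IPSET list -n | grep ${HOST})"` is unquoted and matches the hostname anywhere in a set name, so `grep -- "^${HOST}-"` would limit the saved sets to the ones this script creates; that hunk's enclosing function continues past the end of the page.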
222 fw_start_init() { |
231 fw_start_init() { |
223 |
232 |
224 echo "Init new firewall" | $LOGGER |
233 echo "Init new firewall" | $LOGGER |
225 |
234 |
226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
235 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
|
236 HOST="$(hostname)" |
|
237 |
227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
238 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
228 echo " Install $BLOCKLIST" | $LOGGER |
239 echo " Install $BLOCKLIST" | $LOGGER |
229 $IPSET create mbsefw-blk4ip hash:ip counters -exist |
240 $IPSET create ${HOST}-mbsefw-blk4ip hash:ip counters -exist |
230 $IPSET create mbsefw-blk4net hash:net counters -exist |
241 $IPSET create ${HOST}-mbsefw-blk4net hash:net counters -exist |
231 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
242 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
232 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
243 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
233 if [ "$FW_FORWARD" = "1" ]; then |
244 if [ "$FW_FORWARD" = "1" ]; then |
234 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP |
245 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
235 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP |
246 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
236 fi |
247 fi |
237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
248 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
238 set $L |
249 set $L |
239 if echo $1 | $GREP -q "/" ; then |
250 if echo $1 | $GREP -q "/" ; then |
240 $IPSET add mbsefw-blk4net $1 -exist |
251 $IPSET add ${HOST}-mbsefw-blk4net $1 -exist |
241 else |
252 else |
242 $IPSET add mbsefw-blk4ip $1 -exist |
253 $IPSET add ${HOST}-mbsefw-blk4ip $1 -exist |
243 fi |
254 fi |
244 done |
255 done |
245 echo -n "." |
256 echo -n "." |
246 fi |
257 fi |
247 |
258 |
248 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
259 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
249 if [ -f $BLOCKLIST ]; then |
260 if [ -f $BLOCKLIST ]; then |
250 echo " Install $BLOCKLIST" | $LOGGER |
261 echo " Install $BLOCKLIST" | $LOGGER |
251 $IPSET create mbsefw-blk6 hash:net family inet6 counters -exist |
262 $IPSET create ${HOST}-mbsefw-blk6 hash:net family inet6 counters -exist |
252 if [ -n "$IF_EXT6" ]; then |
263 if [ -n "$IF_EXT6" ]; then |
253 IF6=$IF_EXT6 |
264 IF6=$IF_EXT6 |
254 else |
265 else |
255 IF6=$IF_EXT |
266 IF6=$IF_EXT |
256 fi |
267 fi |
257 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
268 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
258 if [ "$FW_FORWARD" = "1" ]; then |
269 if [ "$FW_FORWARD" = "1" ]; then |
259 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP |
270 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
260 fi |
271 fi |
261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
272 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
262 set $L |
273 set $L |
263 $IPSET add mbsefw-blk6 $1 -exist |
274 $IPSET add ${HOST}-mbsefw-blk6 $1 -exist |
264 done |
275 done |
265 echo -n "." |
276 echo -n "." |
266 fi |
277 fi |
267 |
278 |
268 fw_init_nfacct |
279 fw_init_nfacct |
378 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
389 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
379 fi |
390 fi |
380 |
391 |
381 # rules to permit IPv6 Neighbor discovery |
392 # rules to permit IPv6 Neighbor discovery |
382 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
393 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
|
394 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
383 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
395 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
384 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
396 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
|
397 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
385 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
398 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
386 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
399 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
387 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
400 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
388 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
401 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
389 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
402 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
475 # See the end of this function for the actual test. |
490 # See the end of this function for the actual test. |
476 if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then |
491 if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then |
477 if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then |
492 if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then |
478 if [ "$EXTERN4" = "1" ]; then |
493 if [ "$EXTERN4" = "1" ]; then |
479 echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER |
494 echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER |
480 $IPSET create mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist |
495 $IPSET create ${HOST}-mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist |
481 $IPTABLES -I $NCHAIN -m set --match-set mbsefw-auto4 src -j DROP |
496 $IPTABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto4 src -j DROP |
482 fi |
497 fi |
483 if [ "$EXTERN6" = "1" ]; then |
498 if [ "$EXTERN6" = "1" ]; then |
484 echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER |
499 echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER |
485 $IPSET create mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist |
500 $IPSET create ${HOST}-mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist |
486 $IP6TABLES -I $NCHAIN -m set --match-set mbsefw-auto6 src -j DROP |
501 $IP6TABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto6 src -j DROP |
487 fi |
502 fi |
488 fi |
503 fi |
489 fi |
504 fi |
490 |
505 |
491 # Adjust for the direction of the chain |
506 # Adjust for the direction of the chain |
597 # First, ignore these. Can happen after a temporary network problem. |
612 # First, ignore these. Can happen after a temporary network problem. |
598 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
613 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
599 # Now the real rule. |
614 # Now the real rule. |
600 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
615 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
601 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
616 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
602 -j SET --add-set mbsefw-auto4 src |
617 -j SET --add-set ${HOST}-mbsefw-auto4 src |
603 fi |
618 fi |
604 if [ "${EXTERN6}" = "1" ]; then |
619 if [ "${EXTERN6}" = "1" ]; then |
605 # First, ignore these. Can happen after a temporary network problem. |
620 # First, ignore these. Can happen after a temporary network problem. |
606 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
621 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
607 # Now the real rule. |
622 # Now the real rule. |
608 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
623 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
609 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
624 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
610 -j SET --add-set mbsefw-auto6 src |
625 -j SET --add-set ${HOST}-mbsefw-auto6 src |
611 fi |
626 fi |
612 fi |
627 fi |
613 # deny and log the rest |
628 # deny and log the rest |
614 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
629 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
615 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
630 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
741 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
756 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
742 echo -n "." |
757 echo -n "." |
743 |
758 |
744 rm -f /etc/mbse-firewall/data/firewall-ipset.data |
759 rm -f /etc/mbse-firewall/data/firewall-ipset.data |
745 touch /etc/mbse-firewall/data/firewall-ipset.data |
760 touch /etc/mbse-firewall/data/firewall-ipset.data |
746 SETS="$($IPSET list -n)" |
761 HOST="$(hostname)" |
|
762 SETS="$($IPSET list -n | grep ${HOST})" |
747 for set in $SETS ; do |
763 for set in $SETS ; do |
748 if [ "$set" = "mbsefw-auto4" -o "$set" = "mbsefw-auto6" ]; then |
764 if [ "$set" = "${HOST}-mbsefw-auto4" -o "$set" = "${HOST}-mbsefw-auto6" ]; then |
749 # Only save structure for auto blocklists |
765 # Only save structure for auto blocklists |
750 $IPSET save $set -t >> /etc/mbse-firewall/data/firewall-ipset.data |
766 $IPSET save $set -t >> /etc/mbse-firewall/data/firewall-ipset.data |
751 else |
767 else |
752 $IPSET save $set >> /etc/mbse-firewall/data/firewall-ipset.data |
768 $IPSET save $set >> /etc/mbse-firewall/data/firewall-ipset.data |
753 fi |
769 fi |