20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.25" |
25 MBSEFW_VERSION="0.0.26" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
311 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
311 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
312 fi |
312 fi |
313 |
313 |
314 # drop packets that do not match any valid state. This also blocks invalid |
314 # drop packets that do not match any valid state. This also blocks invalid |
315 # flag combinations that are used by portscans. |
315 # flag combinations that are used by portscans. |
316 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
316 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
317 $IPTABLES -A INPUT -m state --state INVALID -j DROP |
317 $IPTABLES -A INPUT -m state --state INVALID -j DROP |
318 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP |
318 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP |
319 if [ "$USE_IPV6" == "1" ]; then |
319 if [ "$USE_IPV6" == "1" ]; then |
320 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP |
320 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP |
321 $IP6TABLES -A INPUT -m state --state INVALID -j DROP |
321 $IP6TABLES -A INPUT -m state --state INVALID -j DROP |
458 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
458 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
459 } |
459 } |
460 fi |
460 fi |
461 |
461 |
462 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
462 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
463 # ================ Table 'mangle', automatic rules |
463 # ================ Tables 'filter' and 'mangle', automatic rules |
464 [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
464 [ "$FW_FORWARD" = "1" ] && { |
465 if [ "$USE_IPV6" == "1" ]; then |
465 $IPTABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
466 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
466 $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
467 fi |
467 if [ "$USE_IPV6" == "1" ]; then |
|
468 $IP6TABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
|
469 $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
|
470 fi |
|
471 } |
468 fi |
472 fi |
469 |
473 |
470 # Filter all packets that have RH0 header |
474 # Filter all packets that have RH0 header |
471 if [ "$USE_IPV6" == "1" ]; then |
475 if [ "$USE_IPV6" == "1" ]; then |
472 # Filter all packets that have RH0 header |
476 # Filter all packets that have RH0 header |
741 if [ -f /etc/mbse-firewall/data/firewall-ipv4.data -a \ |
746 if [ -f /etc/mbse-firewall/data/firewall-ipv4.data -a \ |
742 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
747 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
743 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
748 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
744 # Do a full restore of all saved data |
749 # Do a full restore of all saved data |
745 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
750 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
|
751 echo "Starting $(basename $0) $MBSEFW_VERSION" | $LOGGER |
746 echo "Start new firewall" | $LOGGER |
752 echo "Start new firewall" | $LOGGER |
747 fw_init_nfacct |
753 fw_init_nfacct |
748 reset_iptables DROP |
754 reset_iptables DROP |
749 echo -n "." |
755 echo -n "." |
750 fw_init_sysctl |
756 fw_init_sysctl |
766 } |
772 } |
767 |
773 |
768 |
774 |
769 |
775 |
770 fw_stop() { |
776 fw_stop() { |
|
777 echo "Stopping $(basename $0) $MBSEFW_VERSION" | $LOGGER |
771 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: " |
778 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: " |
772 # Slackware defaults to ACCEPT when no firewall is active. |
779 # Slackware defaults to ACCEPT when no firewall is active. |
773 reset_iptables ACCEPT |
780 reset_iptables ACCEPT |
774 echo "done." |
781 echo "done." |
775 } |
782 } |
776 |
783 |
777 |
784 |
778 |
785 |
779 # If there are blocklist tables, reload them. |
786 # If there are blocklist tables, reload them. |
780 fw_reload() { |
787 fw_reload() { |
|
788 echo "Reload $(basename $0) $MBSEFW_VERSION" | $LOGGER |
781 echo -n "Reload $(basename $0) $MBSEFW_VERSION: " |
789 echo -n "Reload $(basename $0) $MBSEFW_VERSION: " |
782 reload_blocklist4 |
790 reload_blocklist4 |
783 reload_blocklist6 |
791 reload_blocklist6 |
784 echo done. |
792 echo done. |
785 } |
793 } |
786 |
794 |
787 |
795 |
788 |
796 |
789 fw_save() { |
797 fw_save() { |
|
798 echo "Saving $(basename $0) $MBSEFW_VERSION" | $LOGGER |
790 echo -n "Saving $(basename $0) $MBSEFW_VERSION: " |
799 echo -n "Saving $(basename $0) $MBSEFW_VERSION: " |
791 echo "Saving firewall" | $LOGGER |
|
792 mkdir -p /etc/mbse-firewall/data |
800 mkdir -p /etc/mbse-firewall/data |
793 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data |
801 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data |
794 echo -n "." |
802 echo -n "." |
795 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
803 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
796 echo -n "." |
804 echo -n "." |