Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 13
- 06b03eeae540
- parent 12
- 8aaa305805df
- child 14
- 654773d80b70
equal
deleted
inserted
replaced
| 12:8aaa305805df | 13:06b03eeae540 |
|---|---|
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.25" | 25 MBSEFW_VERSION="0.0.26" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 311 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | 311 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 312 fi | 312 fi |
| 313 | 313 |
| 314 # drop packets that do not match any valid state. This also blocks invalid | 314 # drop packets that do not match any valid state. This also blocks invalid |
| 315 # flag combinations that are used by portscans. | 315 # flag combinations that are used by portscans. |
| 316 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP | 316 $IPTABLES -A OUTPUT -m state --state INVALID -j DROP |
| 317 $IPTABLES -A INPUT -m state --state INVALID -j DROP | 317 $IPTABLES -A INPUT -m state --state INVALID -j DROP |
| 318 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP | 318 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -m state --state INVALID -j DROP |
| 319 if [ "$USE_IPV6" == "1" ]; then | 319 if [ "$USE_IPV6" == "1" ]; then |
| 320 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP | 320 $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP |
| 321 $IP6TABLES -A INPUT -m state --state INVALID -j DROP | 321 $IP6TABLES -A INPUT -m state --state INVALID -j DROP |
| 458 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP | 458 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP |
| 459 } | 459 } |
| 460 fi | 460 fi |
| 461 | 461 |
| 462 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then | 462 if [ "$CLAMP_MSS_TO_PMTU" = "1" ]; then |
| 463 # ================ Table 'mangle', automatic rules | 463 # ================ Tables 'filter' and 'mangle', automatic rules |
| 464 [ "$FW_FORWARD" = "1" ] && $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | 464 [ "$FW_FORWARD" = "1" ] && { |
| 465 if [ "$USE_IPV6" == "1" ]; then | 465 $IPTABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
| 466 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | 466 $IPTABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
| 467 fi | 467 if [ "$USE_IPV6" == "1" ]; then |
| 468 $IP6TABLES -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
| 469 $IP6TABLES -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
| 470 fi | |
| 471 } | |
| 468 fi | 472 fi |
| 469 | 473 |
| 470 # Filter all packets that have RH0 header | 474 # Filter all packets that have RH0 header |
| 471 if [ "$USE_IPV6" == "1" ]; then | 475 if [ "$USE_IPV6" == "1" ]; then |
| 472 # Filter all packets that have RH0 header | 476 # Filter all packets that have RH0 header |
| 722 } | 726 } |
| 723 | 727 |
| 724 | 728 |
| 725 | 729 |
| 726 fw_install() { | 730 fw_install() { |
| 731 echo "Installing $(basename $0) $MBSEFW_VERSION" | $LOGGER | |
| 727 echo -n "Installing $(basename $0) $MBSEFW_VERSION: " | 732 echo -n "Installing $(basename $0) $MBSEFW_VERSION: " |
| 728 reset_iptables DROP | 733 reset_iptables DROP |
| 729 echo -n "." | 734 echo -n "." |
| 730 fw_init_sysctl | 735 fw_init_sysctl |
| 731 echo -n "." | 736 echo -n "." |
| 741 if [ -f /etc/mbse-firewall/data/firewall-ipv4.data -a \ | 746 if [ -f /etc/mbse-firewall/data/firewall-ipv4.data -a \ |
| 742 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ | 747 -f /etc/mbse-firewall/data/firewall-ipv6.data -a \ |
| 743 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then | 748 -f /etc/mbse-firewall/data/firewall-ipset.data ]; then |
| 744 # Do a full restore of all saved data | 749 # Do a full restore of all saved data |
| 745 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " | 750 echo -n "Starting $(basename $0) $MBSEFW_VERSION: " |
| 751 echo "Starting $(basename $0) $MBSEFW_VERSION" | $LOGGER | |
| 746 echo "Start new firewall" | $LOGGER | 752 echo "Start new firewall" | $LOGGER |
| 747 fw_init_nfacct | 753 fw_init_nfacct |
| 748 reset_iptables DROP | 754 reset_iptables DROP |
| 749 echo -n "." | 755 echo -n "." |
| 750 fw_init_sysctl | 756 fw_init_sysctl |
| 766 } | 772 } |
| 767 | 773 |
| 768 | 774 |
| 769 | 775 |
| 770 fw_stop() { | 776 fw_stop() { |
| 777 echo "Stopping $(basename $0) $MBSEFW_VERSION" | $LOGGER | |
| 771 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: " | 778 echo -n "Stopping $(basename $0) $MBSEFW_VERSION: " |
| 772 # Slackware defaults to ACCEPT when no firewall is active. | 779 # Slackware defaults to ACCEPT when no firewall is active. |
| 773 reset_iptables ACCEPT | 780 reset_iptables ACCEPT |
| 774 echo "done." | 781 echo "done." |
| 775 } | 782 } |
| 776 | 783 |
| 777 | 784 |
| 778 | 785 |
| 779 # If there are blocklist tables, reload them. | 786 # If there are blocklist tables, reload them. |
| 780 fw_reload() { | 787 fw_reload() { |
| 788 echo "Reload $(basename $0) $MBSEFW_VERSION" | $LOGGER | |
| 781 echo -n "Reload $(basename $0) $MBSEFW_VERSION: " | 789 echo -n "Reload $(basename $0) $MBSEFW_VERSION: " |
| 782 reload_blocklist4 | 790 reload_blocklist4 |
| 783 reload_blocklist6 | 791 reload_blocklist6 |
| 784 echo done. | 792 echo done. |
| 785 } | 793 } |
| 786 | 794 |
| 787 | 795 |
| 788 | 796 |
| 789 fw_save() { | 797 fw_save() { |
| 798 echo "Saving $(basename $0) $MBSEFW_VERSION" | $LOGGER | |
| 790 echo -n "Saving $(basename $0) $MBSEFW_VERSION: " | 799 echo -n "Saving $(basename $0) $MBSEFW_VERSION: " |
| 791 echo "Saving firewall" | $LOGGER | |
| 792 mkdir -p /etc/mbse-firewall/data | 800 mkdir -p /etc/mbse-firewall/data |
| 793 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data | 801 [ -n "$IPTABLES_SAVE" ] && $IPTABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv4.data |
| 794 echo -n "." | 802 echo -n "." |
| 795 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data | 803 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
| 796 echo -n "." | 804 echo -n "." |
