1 #!/bin/bash |
1 #!/bin/bash |
2 |
2 |
3 # --------------------------------------------------------------------------- |
3 # --------------------------------------------------------------------------- |
4 # Copyright (C) 2013-2017 by Michiel Broek. |
4 # Copyright (C) 2013-2023 by Michiel Broek. |
5 # Homepage http://www.mbse.eu |
5 # Homepage http://www.mbse.eu |
6 # Email mbse At mbse dOt eu |
6 # Email mbse At mbse dOt eu |
7 # |
7 # |
8 # This file is part of mbse-firewall. |
8 # This file is part of mbse-firewall. |
9 # |
9 # |
20 # You should have received a copy of the GNU General Public License |
20 # You should have received a copy of the GNU General Public License |
21 # along with this program; see the file COPYING. If not, write to the Free |
21 # along with this program; see the file COPYING. If not, write to the Free |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
23 # --------------------------------------------------------------------------- |
23 # --------------------------------------------------------------------------- |
24 |
24 |
25 MBSEFW_VERSION="0.0.23" |
25 MBSEFW_VERSION="0.0.25" |
26 |
26 |
27 # Sanity checks |
27 # Sanity checks |
28 if [ "$(id -u)" != "0" ]; then |
28 if [ "$(id -u)" != "0" ]; then |
29 echo "** You must be root to run this program" |
29 echo "** You must be root to run this program" |
30 exit 1 |
30 exit 1 |
276 echo -n "." |
276 echo -n "." |
277 fi |
277 fi |
278 |
278 |
279 # If we use the global blocktables. |
279 # If we use the global blocktables. |
280 if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then |
280 if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then |
|
281 $IPSET create global-blk4 hash:ip counters -exist |
281 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
282 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
282 if [ "$FW_FORWARD" = "1" ]; then |
283 if [ "$FW_FORWARD" = "1" ]; then |
283 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
284 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP |
284 fi |
285 fi |
285 if [ "$USE_IPV6" == "1" ]; then |
286 if [ "$USE_IPV6" == "1" ]; then |
286 if [ -n "$IF_EXT6" ]; then |
287 if [ -n "$IF_EXT6" ]; then |
287 IF6=$IF_EXT6 |
288 IF6=$IF_EXT6 |
288 else |
289 else |
289 IF6=$IF_EXT |
290 IF6=$IF_EXT |
290 fi |
291 fi |
|
292 $IPSET create global-blk6 hash:net family inet6 counters -exist |
291 $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP |
293 $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP |
292 if [ "$FW_FORWARD" = "1" ]; then |
294 if [ "$FW_FORWARD" = "1" ]; then |
293 $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP |
295 $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP |
294 fi |
296 fi |
295 fi |
297 fi |
328 $IP6TABLES -A OUTPUT -o lo -j ACCEPT |
330 $IP6TABLES -A OUTPUT -o lo -j ACCEPT |
329 fi |
331 fi |
330 |
332 |
331 # Anti spoofing on the external interface. Methods since the 3.3 kernel! |
333 # Anti spoofing on the external interface. Methods since the 3.3 kernel! |
332 if [ -n "$IF_EXT" ]; then |
334 if [ -n "$IF_EXT" ]; then |
|
335 # was 1, now 2 for IPTV. |
333 for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do |
336 for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do |
334 echo 1 > $f |
337 echo 2 > $f |
335 done |
338 done |
336 $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP |
339 $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP |
337 if [ "$USE_IPV6" == "1" ]; then |
340 if [ "$USE_IPV6" == "1" ]; then |
338 if [ -n "$IF_EXT6" ]; then |
341 if [ -n "$IF_EXT6" ]; then |
339 $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP |
342 $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP |
743 echo "Start new firewall" | $LOGGER |
746 echo "Start new firewall" | $LOGGER |
744 fw_init_nfacct |
747 fw_init_nfacct |
745 reset_iptables DROP |
748 reset_iptables DROP |
746 echo -n "." |
749 echo -n "." |
747 fw_init_sysctl |
750 fw_init_sysctl |
748 $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data |
751 $IPSET restore -exist < /etc/mbse-firewall/data/firewall-ipset.data |
749 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER |
752 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER |
750 echo -n "." |
753 echo -n "." |
751 $IPTABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv4.data |
754 $IPTABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv4.data |
752 echo " Restored /etc/mbse-firewall/data/firewall-ipv4.data" | $LOGGER |
755 echo " Restored /etc/mbse-firewall/data/firewall-ipv4.data" | $LOGGER |
753 echo -n "." |
756 echo -n "." |
792 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
795 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
793 echo -n "." |
796 echo -n "." |
794 |
797 |
795 rm -f /etc/mbse-firewall/data/firewall-ipset.data |
798 rm -f /etc/mbse-firewall/data/firewall-ipset.data |
796 touch /etc/mbse-firewall/data/firewall-ipset.data |
799 touch /etc/mbse-firewall/data/firewall-ipset.data |
|
800 if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then |
|
801 $IPSET save global-blk4 -t >> /etc/mbse-firewall/data/firewall-ipset.data |
|
802 if [ "$USE_IPV6" == "1" ]; then |
|
803 $IPSET save global-blk6 -t >> /etc/mbse-firewall/data/firewall-ipset.data |
|
804 fi |
|
805 fi |
797 HOST="$(hostname)" |
806 HOST="$(hostname)" |
798 SETS="$($IPSET list -n | grep ${HOST})" |
807 SETS="$($IPSET list -n | grep ${HOST})" |
799 for set in $SETS ; do |
808 for set in $SETS ; do |
800 if [ "$set" = "${HOST}-mbsefw-auto4" -o "$set" = "${HOST}-mbsefw-auto6" ]; then |
809 if [ "$set" = "${HOST}-mbsefw-auto4" -o "$set" = "${HOST}-mbsefw-auto6" ]; then |
801 # Only save structure for auto blocklists |
810 # Only save structure for auto blocklists |