sbin/mbse-firewall

changeset 12
8aaa305805df
parent 11
c5697bee6884
child 13
06b03eeae540
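--- a/sbin/mbse-firewall
+++ b/sbin/mbse-firewall
@@ -1,9 +1,9 @@
 #!/bin/bash
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2017 by Michiel Broek.
+# Copyright (C) 2013-2023 by Michiel Broek.
 # Homepage http://www.mbse.eu
 # Email mbse At mbse dOt eu
 #
 # This file is part of mbse-firewall.
 #
@@ -20,11 +20,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; see the file COPYING. If not, write to the Free
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.23"
+MBSEFW_VERSION="0.0.25"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
 echo "** You must be root to run this program"
 exit 1
@@ -276,20 +276,22 @@
 echo -n "."
 fi
 
 # If we use the global blocktables.
 if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then
+$IPSET create global-blk4 hash:ip counters -exist
 $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP
 if [ "$FW_FORWARD" = "1" ]; then
 $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP
 fi
 if [ "$USE_IPV6" == "1" ]; then
 if [ -n "$IF_EXT6" ]; then
 IF6=$IF_EXT6
 else
 IF6=$IF_EXT
 fi
+$IPSET create global-blk6 hash:net family inet6 counters -exist
 $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP
 if [ "$FW_FORWARD" = "1" ]; then
 $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP
 fi
 fi
@@ -328,12 +330,13 @@
 $IP6TABLES -A OUTPUT -o lo -j ACCEPT
 fi
 
 # Anti spoofing on the external interface. Methods since the 3.3 kernel!
 if [ -n "$IF_EXT" ]; then
+# was 1, now 2 for IPTV.
 for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do
-echo 1 > $f
+echo 2 > $f
 done
 $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
 if [ "$USE_IPV6" == "1" ]; then
 if [ -n "$IF_EXT6" ]; then
 $IP6TABLES -A PREROUTING -t raw -i $IF_EXT6 -m rpfilter --invert -j DROP
@@ -743,11 +746,11 @@
 echo "Start new firewall" | $LOGGER
 fw_init_nfacct
 reset_iptables DROP
 echo -n "."
 fw_init_sysctl
-$IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data
+$IPSET restore -exist < /etc/mbse-firewall/data/firewall-ipset.data
 echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER
 echo -n "."
 $IPTABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv4.data
 echo " Restored /etc/mbse-firewall/data/firewall-ipv4.data" | $LOGGER
 echo -n "."
@@ -792,10 +795,16 @@
 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data
 echo -n "."
 
 rm -f /etc/mbse-firewall/data/firewall-ipset.data
 touch /etc/mbse-firewall/data/firewall-ipset.data
+if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then
+$IPSET save global-blk4 -t >> /etc/mbse-firewall/data/firewall-ipset.data
+if [ "$USE_IPV6" == "1" ]; then
+$IPSET save global-blk6 -t >> /etc/mbse-firewall/data/firewall-ipset.data
+fi
+fi
 HOST="$(hostname)"
 SETS="$($IPSET list -n | grep ${HOST})"
 for set in $SETS ; do
 if [ "$set" = "${HOST}-mbsefw-auto4" -o "$set" = "${HOST}-mbsefw-auto6" ]; then
 # Only save structure for auto blocklists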
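Review bot: Writing 2 into every rp_filter entry under /proc/sys/net/ipv4/conf/ — `all`, `default` and the external interface included — switches kernel source validation to loose mode on every interface, which is a broader relaxation than the `# was 1, now 2 for IPTV.` comment describes and weakens the anti-spoofing this section's heading promises on the internal side. The raw-table `-m rpfilter --invert -j DROP` rule on $IF_EXT still performs a strict check by default (no `--loose` is given), so the external interface keeps its protection, but any other interface now accepts packets whose source is merely reachable via some route. Per the kernel's ip-sysctl documentation the effective mode is the maximum of conf/all and conf/<iface>, so loose mode can be confined to the IPTV-facing interface by keeping `all`, `default` and `$IF_EXT` at 1 and writing 2 only to that interface's rp_filter, e.g. `echo 2 > /proc/sys/net/ipv4/conf/$IF_IPTV/rp_filter` guarded by `[ -n "$IF_IPTV" ]`; whether such a config variable already exists is not visible from this hunk. The loop also parses `ls` output; `for f in /proc/sys/net/ipv4/conf/*/rp_filter; do` does the same job without the subshell. The enclosing `if [ -n "$IF_EXT" ]` block continues past the end of the hunk.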
