diff --git a/include/bogon-bn-agg.txt b/include/bogon-bn-agg.txt
deleted file mode 100644
index 7ba4659..0000000
--- a/include/bogon-bn-agg.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-0.0.0.0/7
-5.0.0.0/8
-14.0.0.0/8
-23.0.0.0/8
-27.0.0.0/8
-31.0.0.0/8
-36.0.0.0/7
-39.0.0.0/8
-42.0.0.0/8
-49.0.0.0/8
-50.0.0.0/8
-100.0.0.0/6
-104.0.0.0/6
-127.0.0.0/8
-169.254.0.0/16
-176.0.0.0/7
-179.0.0.0/8
-181.0.0.0/8
-185.0.0.0/8
-192.0.2.0/24
-198.18.0.0/15
-223.0.0.0/8
-224.0.0.0/3
diff --git a/include/ipv4_custom_allowedports b/include/ipv4_custom_allowedports
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_blockincoming b/include/ipv4_custom_blockincoming
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_blockports b/include/ipv4_custom_blockports
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_conntrack b/include/ipv4_custom_conntrack
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_mssclamp b/include/ipv4_custom_mssclamp
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_nat b/include/ipv4_custom_nat
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_notrack b/include/ipv4_custom_notrack
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_portforward b/include/ipv4_custom_portforward
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_proto b/include/ipv4_custom_proto
new file mode 100644
index 0000000..e69de29
diff --git a/include/ipv4_custom_routing b/include/ipv4_custom_routing
new file mode 100644
index 0000000..e69de29
diff --git a/include/update-bogons b/include/update-bogons
deleted file mode 100755
index 547a3ec..0000000
--- a/include/update-bogons
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-# Script to auto update bogons file for use with firewall script
-
-VERSION="0.1"
-WGET=/usr/bin/wget
-PREFIX=`pwd`
-BOGONSFILE=$PREFIX/bogon-bn-agg.txt
-BOGONSURL="http://www.cymru.com/Documents/bogon-bn-agg.txt"
-REMOVECIDR="(192.168.0.0|10.0.0.0|172.16.0.0)"
-
-
-if [ ! -x $WGET ]; then
-echo "wget command not found or executable. Please"
-echo "edit the update-bogons script."
-exit 1
-fi
-
-
-echo "Bogons update script - Version $VERSION"
-echo -e "Part of Firewall/SOSDG - http://www.sosdg.org \n"
-echo "Uses The Team Cymru Bogon List located at:"
-echo -e "http://www.cymru.com/Documents/bogon-list.html\n"
-
-if `wget -q -O $BOGONSFILE.new $BOGONSURL`; then
-echo "Downloaded new bogons file..."
-mv $BOGONSFILE $BOGONSFILE.old &>/dev/null
-echo "Backed up $BOGONSFILE to .old..."
-if [ $REMOVECIDR ]; then
-grep -vE -e "$REMOVECIDR" $BOGONSFILE.new > $BOGONSFILE
-echo "Removed blocks listed in REMOVECIDR..."
-rm -f $BOGONSFILE.new
-else
-mv $BOGONSFILE.new $BOGONSFILE
-echo "Replaced old bogons file with new one."
-fi
-else
-echo "Error downloading bogons file. Please try again later."
-rm -f $BOGONSFILE.new
-exit 1
-fi
-exit 0
diff --git a/rc.firewall b/rc.firewall
index 0e3044f..3abf071 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -61,6 +61,12 @@ if [ "$STRIPECN" ]; then
 echo -ne "\n"
 fi
 
+if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
+ echo -e "\E[33mLoading custom MSS Clamp rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_mssclamp"
+ echo -ne "\n"
+fi
+
 if [ "$CLAMPMSS" ]; then
 echo -e "\E[33mClamping MSS to PMTU...\E[37m"
 for i in $CLAMPMSS; do
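Review bot: The new `if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then … . "$BASEDIR/include/ipv4_custom_mssclamp"` block executes the include as shell code inside the firewall script's own process, gated only on the file being non-empty, so any account that can write to `$BASEDIR/include/` (or an unset `BASEDIR`, which turns the path into `/include/...`) gets command execution with whatever privileges rc.firewall runs under; the conntrack, blockports, allowedports, proto, notrack, routing, portforward, nat and blockincoming hunks in this commit have the same shape. I would add `: "${BASEDIR:?BASEDIR must be set}"` before the first include and, once, a check that the include directory and each `ipv4_custom_*` file are owned by the invoking user and are not group- or world-writable, refusing to source them otherwise. A header comment in rc.firewall should also state that these includes are sourced rather than parsed as a rule list, so a stray `exit` or a reassignment of `IPTABLES` inside one alters the rest of the run. The `if [ "$CLAMPMSS" ]` block that follows continues outside the hunk.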
@@ -84,6 +90,12 @@ fi
 $IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
 "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
 
+if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
+ echo -e "\E[33mLoading custom conntrack rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_conntrack"
+ echo -ne "\n"
+fi
+
 if [ $CONNTRACK ]; then
 $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -96,6 +108,12 @@ if [ $CONNTRACK ]; then
 $IPTABLES -A FORWARD -m state --state INVALID -j DROP
 fi
 
+if [ -s "$BASEDIR/include/ipv4_custom_blockports" ]; then
+ echo -e "\E[33mLoading custom blocked port rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_blockports"
+ echo -ne "\n"
+fi
+
 if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
 echo -en "\E[33mBlocking outbound port:\E[37m "
 
@@ -124,6 +142,12 @@ if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
 echo -en "\n"
 fi
 
+if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
+ echo -e "\E[33mLoading custom allowed port rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_allowedports"
+ echo -ne "\n"
+fi
+
 if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
 echo -en "\E[33mAdding allowed port:\E[37m "
 
@@ -147,6 +171,12 @@ fi
 
 
 
+if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
+ echo -e "\E[33mLoading custom protocol rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_proto"
+ echo -ne "\n"
+fi
+
 if [ "$ALLOWEDPROTO" ]; then
 echo -en "\E[33mAdding allowed protocols:\E[37m "
 for i in $ALLOWEDPROTO; do
@@ -157,6 +187,13 @@ if [ "$ALLOWEDPROTO" ]; then
 echo -en "\n\E[37m"
 fi
 
+
+if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
+ echo -e "\E[33mLoading custom NOTRACK rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_notrack"
+ echo -ne "\n"
+fi
+
 if [ $CONNTRACK ]; then
 for i in $DONTTRACK; do
 $IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
@@ -167,6 +204,12 @@ if [ $CONNTRACK ]; then
 fi
 
 
+if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
+ echo -e "\E[33mLoading custom routing rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_routing"
+ echo -ne "\n"
+fi
+
 if [ $ROUTING ]; then
 echo -en "\E[33mAdding route:\E[37m "
 for i in `grep -v "\#" $ROUTING`; do
@@ -196,6 +239,12 @@ echo -ne "\n"
 fi
 
 
+if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
+ echo -e "\E[33mLoading custom port forwarding rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_portforward"
+ echo -ne "\n"
+fi
+
 if [ $PORTFW ] && [ $NAT ]; then
 echo -en "\E[33mAdding port forward for:\E[37m "
 for i in `grep -v "\#" $PORTFW`; do
@@ -215,8 +264,11 @@ if [ $LANDHCPSERVER ]; then
 fi
 
 
-
-
+if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
+ echo -e "\E[33mLoading custom nat rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_nat"
+ echo -ne "\n"
+fi
 
 if [ $NAT ]; then
 for i in $NATRANGE; do
@@ -233,6 +285,13 @@ $IPTABLES --policy INPUT ACCEPT
 $IPTABLES --policy OUTPUT ACCEPT
 $IPTABLES --policy FORWARD DROP
 
+
+if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
+ echo -e "\E[33mLoading custom incoming blocked rules...\E[37m"
+ . "$BASEDIR/include/ipv4_custom_blockincoming"
+ echo -ne "\n"
+fi
+
 if [ $BLOCKINCOMING ]; then
 $IPTABLES -A INPUT -p tcp --syn -j DROP
 $IPTABLES -A INPUT -p udp -j DROP