
More changes for 0.9.6, moving rc.firewall to bin/firewall-sosdg and replacing it with symlinks

bbruns@gmail.com 8 years ago
parent
commit
bb2661459e
2 changed files with 1 additions and 571 deletions
  1. 0
    571
      rc.firewall
  2. 1
    0
      rc.firewall

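--- a/rc.firewall
+++ b/rc.firewall
@@ -1,571 +0,0 @@
-#/bin/bash
-# By Brielle Bruns <bruns@2mbit.com>
-# URL: http://www.sosdg.org/freestuff/firewall
-# License: GPLv3
-#
-#    Copyright (C) 2009 - 2010  Brielle Bruns
-#    Copyright (C) 2009 - 2010  The Summit Open Source Development Group
-#
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-FW_VERSION="0.9.6"
-
-# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
-# that would otherwise require remaking their options file.  I leave this on by default,
-# but if you want to make sure you have a current options file, define this to 0.
-COMPAT_CONFIG=1
-
-BASEDIR=/etc/firewall-sosdg
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-#BASEDIR=`pwd`
-
-TWEAKS=$BASEDIR/tweaks
-
-if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
-	echo "Error: Missing either include/static or include/functions. These are critical to operation"
-	echo "of this script.  Please make sure they are readable and exist!"
-	exit 1
-fi
-
-. $BASEDIR/include/static
-
-
-if [ -r $BASEDIR/options ]; then
-	. $BASEDIR/options
-else
-	echo -e "${RED}Error: Can not load options file.  Did you forget to rename options.default?"
-	exit 1
-fi
-
-. $BASEDIR/include/functions
-
-while [ $# -gt 0 ]; do
-	case "$1" in
-	-f|--flush)
-		iptables_policy_reset ipv4 ACCEPT
-		iptables_policy_reset ipv6 ACCEPT
-		iptables_rules_flush ipv4
-		iptables_rules_flush ipv6
-		exit 0
-		;;
-	-h|--help)
-		show_help
-		exit 0
-		;;	
-	esac
-	shift
-done
-
-if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then
-	display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option.  Please make sure"
-	display_c RED "it exists, or comment out the PORTFW line in options."
-	exit 1
-fi
-
-echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- Firewall/SOSDG ${FW_VERSION}
- Brielle Bruns <bruns@2mbit.com>
- http://www.sosdg.org/freestuff/firewall
- This program comes with ABSOLUTELY NO WARRANTY.
- This is free software, and you are welcome to 
- redistribute it under certain conditions.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
-
-if [ $UID != "0" ]; then
-	display_c RED "You must be root to run this script."
-	exit 2
-fi
-
-if [ ! -x $IPTABLES ]; then
-	display_c RED "iptables command not found.  Please make sure you have the iptables"
-	display_c RED "installed (package or source) and you have the IPTABLES option properly"
-	display_c RED "defined in the 'options' file."
-	exit 3
-fi
-
-
-if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then
-	display_c RED "ip6tables command not found.  Please make sure you have the iptables"
-	display_c RED "installed (package or source) and you have the IP6TABLES option properly"
-	display_c RED "defined in the 'options' file."
-	exit 3
-fi
-
-iptables_rules_flush ipv4
-
-if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
-	display_c YELLOW "Loading custom flush rules..."
-	. "$BASEDIR/include/ipv4_custom_flush"
-fi
-
-if [ -x $PRERUN ]; then
-	$PRERUN
-fi
-
-$IPTABLES -A INPUT -i lo -j ACCEPT
-$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
-	display_c YELLOW "Loading custom trust rules..."
-	. "$BASEDIR/include/ipv4_custom_trust"
-fi
-
-if [ "$TRUSTEDIP" ]; then
-	display_c YELLOW "Adding trusted IP: " N
-	for i in $TRUSTEDIP; do
-		echo -n "$i "
-		$IPTABLES -A INPUT -s $i -j ACCEPT
-		$IPTABLES -A OUTPUT -d $i -j ACCEPT
-	done
-	echo -ne "\n"
-fi
-
-if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
-	display_c YELLOW "Loading custom ip block rules..."
-	. "$BASEDIR/include/ipv6_custom_blockip"
-fi
-
-if [ $BLOCKEDIP ]; then
-	display_c YELLOW "Adding blocked IPs: " N
-	for i in `grep -v "\#" $BLOCKEDIP`; do
-		echo -n "$i "
-		$IPTABLES -A INPUT -s $i -j DROP
-		$IPTABLES -A OUTPUT -d $i -j DROP
-	done
-echo -ne "\n"
-fi
-
-if [ "$STRIPECN" ]; then
-	display_c YELLOW "Stripping ECN off of TCP packets to " N
-	for i in $STRIPECN; do
-		echo -en "$i "
-		$IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
-			--ecn-tcp-remove
-	done
-echo -ne "\n"
-fi
-
-if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
-	display_c YELLOW "Loading custom MSS Clamp rules..."
-	. "$BASEDIR/include/ipv4_custom_mssclamp"
-fi
-
-if [ "$CLAMPMSS" ]; then
-	display_c YELLOW "Clamping MSS to PMTU..."
-	for i in $CLAMPMSS; do
-		$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-		# This is necessary to make sure that PMTU works
-		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-			-o $i -j ACCEPT
-		$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-			-i $i -j ACCEPT
-		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-			-o $i -j ACCEPT
-		$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-			-i $i -j ACCEPT
-	done
-echo -en "\n"
-fi
-
-
-if [ $HACK_IPV4 ]; then
-	apply_ipv4_hack $HACK_IPV4
-fi
-
-if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
-	display_c YELLOW "Loading custom conntrack rules..."
-	. "$BASEDIR/include/ipv4_custom_conntrack"
-fi
-
-if [ $CONNTRACK ]; then
-	$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
-	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-	$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
-	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-	$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
-	$IPTABLES -A INPUT -m state --state INVALID -j DROP
-	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
-	$IPTABLES -A FORWARD -m state --state INVALID -j DROP
-fi
-
-if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
-	display_c YELLOW "Loading custom blocked outbound port rules..."
-	. "$BASEDIR/include/ipv4_custom_blockoutports"
-fi
-
-if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
-	display_c YELLOW "Blocking outbound port: " N
-
-	if  [ "$BLOCKTCPPORTS" ]; then
-		for i in $BLOCKTCPPORTS; do
-			echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
-			$IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
-			if [ "$NATRANGE" ]; then
-				for src in $NATRANGE; do
-					$IPTABLES -A FORWARD -p tcp -s $src --dport $i --syn -j DROP
-				done
-			fi
-		done
-	fi
-	if  [ "$BLOCKUDPPORTS" ]; then
-		for i in $BLOCKUDPPORTS; do
-			echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
-			$IPTABLES -A OUTPUT -p udp --dport $i -j DROP
-			if [ "$NATRANGE" ]; then
-				for src in $NATRANGE; do
-					$IPTABLES -A FORWARD -p udp -s $src --dport $i -j DROP
-				done
-			fi
-		done
-	fi
-	reset_color
-fi
-
-if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
-	display_c YELLOW "Loading custom allowed port rules..."
-	. "$BASEDIR/include/ipv4_custom_allowedports"
-fi
-
-if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
-	display_c YELLOW "Adding allowed port: " N
-
-	if [ "$TCPPORTS" ]; then
-		for i in $TCPPORTS; do
-			echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
-			$IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
-		done
-	fi
-	if [ "$UDPPORTS" ]; then
-		for i in $UDPPORTS; do
-			echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
-			#$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT
-			$IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
-        		$IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
-			$IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
-		done
-	fi
-	reset_color
-fi
-
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
-	display_c YELLOW "Loading custom protocol rules..."
-	. "$BASEDIR/include/ipv4_custom_proto"
-fi
-
-if [ "$ALLOWEDPROTO" ]; then
-	display_c YELLOW "Adding allowed protocols: " N
-	for i in $ALLOWEDPROTO; do
-		echo -n "$i "
-		$IPTABLES -A INPUT -p $i -j ACCEPT
-		$IPTABLES -A OUTPUT -p $i -j ACCEPT
-	done
-	reset_color
-fi
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
-	display_c YELLOW "Loading custom NOTRACK rules..."
-	. "$BASEDIR/include/ipv4_custom_notrack"
-fi
-
-if [ $CONNTRACK ]; then
-	for i in $DONTTRACK; do
-		$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
-		$IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK
-		$IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK
-		$IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK
-	done
-fi
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
-	display_c YELLOW "Loading custom routing rules..."
-	. "$BASEDIR/include/ipv4_custom_routing"
-fi
-
-if [ $ROUTING ]; then
-	display_c YELLOW "Adding route: "
-	for i in `grep -v "\#" $ROUTING`; do
-		ROUTE=( ${i//:/ } )
-		FWINT1=${ROUTE[0]}
-		FWINT2=${ROUTE[2]}
-		FWIP1=${ROUTE[1]}
-		FWIP2=${ROUTE[3]}
-
-		if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then
-			echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding
-		fi
-		if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then
-			echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding
-		fi
-		$IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \
-			-s $FWIP1 -d $FWIP2 -j ACCEPT
-		if [ ${ROUTE[4]} == "1" ]; then
-			display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2"
- 			$IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \
-				-d $FWIP1 -s $FWIP2 -j ACCEPT
-		else
-			display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2"
-	fi
-	done
-echo -ne "\n"
-fi
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
-	display_c YELLOW "Loading custom port forwarding rules..."
-	. "$BASEDIR/include/ipv4_custom_portforward"
-fi
-
-if [ $PORTFW ] && [ $NAT ]; then
-	display_c YELLOW "Adding port forward for:"
-	for i in `grep -v "\#" $PORTFW`; do
-		PORTADD=( ${i//:/ } )
-		$IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
-			--dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
-			${PORTADD[5]}:${PORTADD[6]}
-		$IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \
-			--dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
-		display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
-	done
-reset_color
-fi
-
-if [ $LANDHCPSERVER ]; then
-	#$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
-	$IPTABLES  -I INPUT -i $INTIF -p udp --dport 67:68 --sport \
-     67:68 -j ACCEPT
-
-fi
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
-	display_c YELLOW "Loading custom nat rules..."
-	. "$BASEDIR/include/ipv4_custom_nat"
-fi
-
-if [ $NAT ]; then
-	if [ "$NAT_RANGE" ]; then
-		display_c YELLOW "Adding NAT rule:"
-		for i in $NAT_RANGE; do
-			NAT_RULE=( ${i//:/ } )
-			case ${NAT_RULE[0]} in
-			SNAT)
-				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
-					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
-				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
-				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
-					;;
-			MASQ)
-				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
-				display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
-				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
-					;;
-				*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
-			esac
-		done
-		reset_color
-	fi
-	#=================
-    # This section is going away in 1.0
-	if [ "$NATRANGE" ]; then
-		echo -e "${RED} **** WARNING ****"
-		echo -e "${RED} NATRANGE option detected.  Please switch to using"
-		echo -e "${RED} NAT_RANGE which uses the newer style NAT mappings."
-		echo -e "${RED} NATRANGE will be removed in v1.0"
-		for i in $NATRANGE; do
-			$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
-		done
-	 	#This is necessary to make sure that PMTU works
-		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
-				-j ACCEPT
-		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-				-o $NATEXTIF -j ACCEPT
-	#=================
-	fi
-fi
-
-$IPTABLES --policy INPUT ACCEPT
-$IPTABLES --policy OUTPUT ACCEPT
-$IPTABLES --policy FORWARD DROP
-
-
-if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
-	display_c YELLOW "Loading custom incoming blocked rules..."
-	. "$BASEDIR/include/ipv4_custom_blockincoming"
-fi
-
-if [ $BLOCKINCOMING ]; then
-		$IPTABLES -A INPUT -p tcp --syn -j DROP
-		$IPTABLES -A INPUT -p udp -j DROP
-fi
-
-
-#================[IPv6]================
-if [ $IPV6 ]; then
-	iptables_rules_flush ipv6
-	if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
-		display_c YELLOW "Loading custom IPv6 flush rules..."
-		. "$BASEDIR/include/ipv6_custom_flush"
-	fi
-
-	display_c YELLOW "Adding trusted IPv6: " N
-
-	$IP6TABLES -A INPUT -i lo -j ACCEPT
-	$IP6TABLES -A OUTPUT -o lo -j ACCEPT
-
-	if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
-		display_c YELLOW "Loading custom IPv6 trust rules..."
-		. "$BASEDIR/include/ipv6_custom_trust"
-	fi
-	for i in $IPV6TRUSTED; do
-		echo -n "$i "
-		$IP6TABLES -A INPUT -s $i -j ACCEPT
-		$IP6TABLES -A OUTPUT -d $i -j ACCEPT
-	done
-	reset_color
-
-	if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
-		display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
-		. "$BASEDIR/include/ipv6_custom_mssclamp"
-	fi
-
-	if [ "$CLAMPMSSIPV6" ]; then
-		display_c YELLOW "Clamping IPV6 MSS to PMTU..."
-		for i in $CLAMPMSSIPV6; do
-			$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-			-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
-			--mss 1280:1536
-			$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
-			-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
-			--mss 1280:1536
-			# This is necessary to make sure that PMTU works
-			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
-			-o $i -j ACCEPT
-			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
-			-i $i -j ACCEPT
-			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
-			-o $i -j ACCEPT
-			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
-			-i $i -j ACCEPT
-		done
-	fi
-
-	if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
-		display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
-		. "$BASEDIR/include/ipv6_custom_blockoutports"
-	fi
-	if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
-		display_c YELLOW "Blocking outbound port: " N
-		if [ "$BLOCKIPV6TCPPORTS" ]; then
-			for i in $BLOCKIPV6TCPPORTS; do
-				echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
-				$IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
-			done
-		fi
-		if [ "$BLOCKIPV6UDPPORTS" ]; then
-			for i in $BLOCKIPV6UDPPORTS; do
-				echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
-				$IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
-			done
-		fi
-		reset_color
-	fi
-
-	if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
-		display_c YELLOW "Loading custom IPv6 allowed port rules..."
-		. "$BASEDIR/include/ipv6_custom_allowedports"
-	fi
-	if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
-		display_c YELLOW "Adding allowed IPv6 port: " N
-
-		if [ "$IPV6TCP" ]; then
-			for i in $IPV6TCP; do
-				echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
-				$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
-			done
-		fi
-
-		if [ "$IPV6UDP" ]; then
-			for i in $IPV6UDP; do
-				echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
-				$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
-	        		$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
-        			$IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
-			done
-		fi
-		reset_color
-	fi
-	fi
-
-	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
-		display_c YELLOW "Loading custom IPv6 conntrack rules..."
-		. "$BASEDIR/include/ipv6_custom_conntrack"
-	fi
-
-	if [ $IPV6ROUTEDCLIENTBLOCK ]; then
-		$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
-		$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-		$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-		$IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
-		$IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-		$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
-		$IP6TABLES -A INPUT -m state --state INVALID -j DROP
-		$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
-		$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
-		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
-		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p udp ! --dport 32768:65535 -j DROP
-	fi
-	
-
-
-	if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
-		display_c YELLOW "Loading custom IPv6 routing rules..."
-		. "$BASEDIR/include/ipv6_custom_routing"
-	fi
-	if [ "$IPV6FORWARDRANGE" ]; then
-		for i in $IPV6FORWARDRANGE; do
-			$IP6TABLES -A FORWARD -s $i -j ACCEPT
-			$IP6TABLES -A FORWARD -d $i -j ACCEPT
-		done
-	fi
-	
-	if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
-		display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
-		. "$BASEDIR/include/ipv6_custom_blockincoming"
-	fi
-	if [ $IPV6BLOCKINCOMING ]; then
-		$IP6TABLES -A INPUT -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -p udp -j DROP
-	fi
-
-if [ $TWEAKS ]; then
-	for i in `grep -v "\#" $TWEAKS`; do
-		PROCOPT=( ${i//=/ } )
-		echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]} &>/dev/null
-	done
-fi
-
-if [ -x $POSTRUN ]; then
-	$POSTRUN
-fi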
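--- a/rc.firewall
+++ b/rc.firewall
@@ -0,0 +1 @@
+bin/firewall-sosdg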
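Review bot: The new rc.firewall is a symlink to the relative path `bin/firewall-sosdg`, but that target is not one of the two files listed in this commit's diffstat (both entries are rc.firewall), so at this revision the link appears to dangle unless the target was committed separately. A relative target is resolved against the directory holding the link, so whatever installs rc.firewall elsewhere (e.g. into an init or /etc location) needs to either copy the target alongside it or rewrite the link to an absolute path; otherwise the firewall script fails to start with "No such file or directory" and the host is left without the rules the old script applied. It would help to state the intended install layout in the commit description or a README line, and to have the installer verify the target resolves before replacing the old script.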
