|
@@ -1,571 +0,0 @@
|
1
|
|
-#/bin/bash
|
2
|
|
-# By Brielle Bruns <bruns@2mbit.com>
|
3
|
|
-# URL: http://www.sosdg.org/freestuff/firewall
|
4
|
|
-# License: GPLv3
|
5
|
|
-#
|
6
|
|
-# Copyright (C) 2009 - 2010 Brielle Bruns
|
7
|
|
-# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
|
8
|
|
-#
|
9
|
|
-# This program is free software: you can redistribute it and/or modify
|
10
|
|
-# it under the terms of the GNU General Public License as published by
|
11
|
|
-# the Free Software Foundation, either version 3 of the License, or
|
12
|
|
-# (at your option) any later version.
|
13
|
|
-#
|
14
|
|
-# This program is distributed in the hope that it will be useful,
|
15
|
|
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
16
|
|
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
17
|
|
-# GNU General Public License for more details.
|
18
|
|
-# You should have received a copy of the GNU General Public License
|
19
|
|
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
20
|
|
-
|
21
|
|
-FW_VERSION="0.9.6"
|
22
|
|
-
|
23
|
|
-# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
|
24
|
|
-# that would otherwise require remaking their options file. I leave this on by default,
|
25
|
|
-# but if you want to make sure you have a current options file, define this to 0.
|
26
|
|
-COMPAT_CONFIG=1
|
27
|
|
-
|
28
|
|
-BASEDIR=/etc/firewall-sosdg
|
29
|
|
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
|
30
|
|
-#BASEDIR=`pwd`
|
31
|
|
-
|
32
|
|
-TWEAKS=$BASEDIR/tweaks
|
33
|
|
-
|
34
|
|
-if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
|
35
|
|
- echo "Error: Missing either include/static or include/functions. These are critical to operation"
|
36
|
|
- echo "of this script. Please make sure they are readable and exist!"
|
37
|
|
- exit 1
|
38
|
|
-fi
|
39
|
|
-
|
40
|
|
-. $BASEDIR/include/static
|
41
|
|
-
|
42
|
|
-
|
43
|
|
-if [ -r $BASEDIR/options ]; then
|
44
|
|
- . $BASEDIR/options
|
45
|
|
-else
|
46
|
|
- echo -e "${RED}Error: Can not load options file. Did you forget to rename options.default?"
|
47
|
|
- exit 1
|
48
|
|
-fi
|
49
|
|
-
|
50
|
|
-. $BASEDIR/include/functions
|
51
|
|
-
|
52
|
|
-while [ $# -gt 0 ]; do
|
53
|
|
- case "$1" in
|
54
|
|
- -f|--flush)
|
55
|
|
- iptables_policy_reset ipv4 ACCEPT
|
56
|
|
- iptables_policy_reset ipv6 ACCEPT
|
57
|
|
- iptables_rules_flush ipv4
|
58
|
|
- iptables_rules_flush ipv6
|
59
|
|
- exit 0
|
60
|
|
- ;;
|
61
|
|
- -h|--help)
|
62
|
|
- show_help
|
63
|
|
- exit 0
|
64
|
|
- ;;
|
65
|
|
- esac
|
66
|
|
- shift
|
67
|
|
-done
|
68
|
|
-
|
69
|
|
-if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then
|
70
|
|
- display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option. Please make sure"
|
71
|
|
- display_c RED "it exists, or comment out the PORTFW line in options."
|
72
|
|
- exit 1
|
73
|
|
-fi
|
74
|
|
-
|
75
|
|
-echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
76
|
|
- Firewall/SOSDG ${FW_VERSION}
|
77
|
|
- Brielle Bruns <bruns@2mbit.com>
|
78
|
|
- http://www.sosdg.org/freestuff/firewall
|
79
|
|
- This program comes with ABSOLUTELY NO WARRANTY.
|
80
|
|
- This is free software, and you are welcome to
|
81
|
|
- redistribute it under certain conditions.
|
82
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
|
83
|
|
-
|
84
|
|
-if [ $UID != "0" ]; then
|
85
|
|
- display_c RED "You must be root to run this script."
|
86
|
|
- exit 2
|
87
|
|
-fi
|
88
|
|
-
|
89
|
|
-if [ ! -x $IPTABLES ]; then
|
90
|
|
- display_c RED "iptables command not found. Please make sure you have the iptables"
|
91
|
|
- display_c RED "installed (package or source) and you have the IPTABLES option properly"
|
92
|
|
- display_c RED "defined in the 'options' file."
|
93
|
|
- exit 3
|
94
|
|
-fi
|
95
|
|
-
|
96
|
|
-
|
97
|
|
-if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then
|
98
|
|
- display_c RED "ip6tables command not found. Please make sure you have the iptables"
|
99
|
|
- display_c RED "installed (package or source) and you have the IP6TABLES option properly"
|
100
|
|
- display_c RED "defined in the 'options' file."
|
101
|
|
- exit 3
|
102
|
|
-fi
|
103
|
|
-
|
104
|
|
-iptables_rules_flush ipv4
|
105
|
|
-
|
106
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
|
107
|
|
- display_c YELLOW "Loading custom flush rules..."
|
108
|
|
- . "$BASEDIR/include/ipv4_custom_flush"
|
109
|
|
-fi
|
110
|
|
-
|
111
|
|
-if [ -x $PRERUN ]; then
|
112
|
|
- $PRERUN
|
113
|
|
-fi
|
114
|
|
-
|
115
|
|
-$IPTABLES -A INPUT -i lo -j ACCEPT
|
116
|
|
-$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
117
|
|
-
|
118
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
|
119
|
|
- display_c YELLOW "Loading custom trust rules..."
|
120
|
|
- . "$BASEDIR/include/ipv4_custom_trust"
|
121
|
|
-fi
|
122
|
|
-
|
123
|
|
-if [ "$TRUSTEDIP" ]; then
|
124
|
|
- display_c YELLOW "Adding trusted IP: " N
|
125
|
|
- for i in $TRUSTEDIP; do
|
126
|
|
- echo -n "$i "
|
127
|
|
- $IPTABLES -A INPUT -s $i -j ACCEPT
|
128
|
|
- $IPTABLES -A OUTPUT -d $i -j ACCEPT
|
129
|
|
- done
|
130
|
|
- echo -ne "\n"
|
131
|
|
-fi
|
132
|
|
-
|
133
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
|
134
|
|
- display_c YELLOW "Loading custom ip block rules..."
|
135
|
|
- . "$BASEDIR/include/ipv6_custom_blockip"
|
136
|
|
-fi
|
137
|
|
-
|
138
|
|
-if [ $BLOCKEDIP ]; then
|
139
|
|
- display_c YELLOW "Adding blocked IPs: " N
|
140
|
|
- for i in `grep -v "\#" $BLOCKEDIP`; do
|
141
|
|
- echo -n "$i "
|
142
|
|
- $IPTABLES -A INPUT -s $i -j DROP
|
143
|
|
- $IPTABLES -A OUTPUT -d $i -j DROP
|
144
|
|
- done
|
145
|
|
-echo -ne "\n"
|
146
|
|
-fi
|
147
|
|
-
|
148
|
|
-if [ "$STRIPECN" ]; then
|
149
|
|
- display_c YELLOW "Stripping ECN off of TCP packets to " N
|
150
|
|
- for i in $STRIPECN; do
|
151
|
|
- echo -en "$i "
|
152
|
|
- $IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
|
153
|
|
- --ecn-tcp-remove
|
154
|
|
- done
|
155
|
|
-echo -ne "\n"
|
156
|
|
-fi
|
157
|
|
-
|
158
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
|
159
|
|
- display_c YELLOW "Loading custom MSS Clamp rules..."
|
160
|
|
- . "$BASEDIR/include/ipv4_custom_mssclamp"
|
161
|
|
-fi
|
162
|
|
-
|
163
|
|
-if [ "$CLAMPMSS" ]; then
|
164
|
|
- display_c YELLOW "Clamping MSS to PMTU..."
|
165
|
|
- for i in $CLAMPMSS; do
|
166
|
|
- $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
167
|
|
- --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
168
|
|
- $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
169
|
|
- --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
170
|
|
- # This is necessary to make sure that PMTU works
|
171
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
|
172
|
|
- -o $i -j ACCEPT
|
173
|
|
- $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
|
174
|
|
- -i $i -j ACCEPT
|
175
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
176
|
|
- -o $i -j ACCEPT
|
177
|
|
- $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
|
178
|
|
- -i $i -j ACCEPT
|
179
|
|
- done
|
180
|
|
-echo -en "\n"
|
181
|
|
-fi
|
182
|
|
-
|
183
|
|
-
|
184
|
|
-if [ $HACK_IPV4 ]; then
|
185
|
|
- apply_ipv4_hack $HACK_IPV4
|
186
|
|
-fi
|
187
|
|
-
|
188
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
|
189
|
|
- display_c YELLOW "Loading custom conntrack rules..."
|
190
|
|
- . "$BASEDIR/include/ipv4_custom_conntrack"
|
191
|
|
-fi
|
192
|
|
-
|
193
|
|
-if [ $CONNTRACK ]; then
|
194
|
|
- $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
|
195
|
|
- $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
196
|
|
- $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
197
|
|
- $IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
|
198
|
|
- $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
199
|
|
- $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
|
200
|
|
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
|
201
|
|
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
|
202
|
|
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
203
|
|
-fi
|
204
|
|
-
|
205
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
|
206
|
|
- display_c YELLOW "Loading custom blocked outbound port rules..."
|
207
|
|
- . "$BASEDIR/include/ipv4_custom_blockoutports"
|
208
|
|
-fi
|
209
|
|
-
|
210
|
|
-if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
|
211
|
|
- display_c YELLOW "Blocking outbound port: " N
|
212
|
|
-
|
213
|
|
- if [ "$BLOCKTCPPORTS" ]; then
|
214
|
|
- for i in $BLOCKTCPPORTS; do
|
215
|
|
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
216
|
|
- $IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
|
217
|
|
- if [ "$NATRANGE" ]; then
|
218
|
|
- for src in $NATRANGE; do
|
219
|
|
- $IPTABLES -A FORWARD -p tcp -s $src --dport $i --syn -j DROP
|
220
|
|
- done
|
221
|
|
- fi
|
222
|
|
- done
|
223
|
|
- fi
|
224
|
|
- if [ "$BLOCKUDPPORTS" ]; then
|
225
|
|
- for i in $BLOCKUDPPORTS; do
|
226
|
|
- echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
227
|
|
- $IPTABLES -A OUTPUT -p udp --dport $i -j DROP
|
228
|
|
- if [ "$NATRANGE" ]; then
|
229
|
|
- for src in $NATRANGE; do
|
230
|
|
- $IPTABLES -A FORWARD -p udp -s $src --dport $i -j DROP
|
231
|
|
- done
|
232
|
|
- fi
|
233
|
|
- done
|
234
|
|
- fi
|
235
|
|
- reset_color
|
236
|
|
-fi
|
237
|
|
-
|
238
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
|
239
|
|
- display_c YELLOW "Loading custom allowed port rules..."
|
240
|
|
- . "$BASEDIR/include/ipv4_custom_allowedports"
|
241
|
|
-fi
|
242
|
|
-
|
243
|
|
-if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
|
244
|
|
- display_c YELLOW "Adding allowed port: " N
|
245
|
|
-
|
246
|
|
- if [ "$TCPPORTS" ]; then
|
247
|
|
- for i in $TCPPORTS; do
|
248
|
|
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
249
|
|
- $IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
|
250
|
|
- done
|
251
|
|
- fi
|
252
|
|
- if [ "$UDPPORTS" ]; then
|
253
|
|
- for i in $UDPPORTS; do
|
254
|
|
- echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
255
|
|
- #$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT
|
256
|
|
- $IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
|
257
|
|
- $IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
|
258
|
|
- $IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
|
259
|
|
- done
|
260
|
|
- fi
|
261
|
|
- reset_color
|
262
|
|
-fi
|
263
|
|
-
|
264
|
|
-
|
265
|
|
-
|
266
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
|
267
|
|
- display_c YELLOW "Loading custom protocol rules..."
|
268
|
|
- . "$BASEDIR/include/ipv4_custom_proto"
|
269
|
|
-fi
|
270
|
|
-
|
271
|
|
-if [ "$ALLOWEDPROTO" ]; then
|
272
|
|
- display_c YELLOW "Adding allowed protocols: " N
|
273
|
|
- for i in $ALLOWEDPROTO; do
|
274
|
|
- echo -n "$i "
|
275
|
|
- $IPTABLES -A INPUT -p $i -j ACCEPT
|
276
|
|
- $IPTABLES -A OUTPUT -p $i -j ACCEPT
|
277
|
|
- done
|
278
|
|
- reset_color
|
279
|
|
-fi
|
280
|
|
-
|
281
|
|
-
|
282
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
|
283
|
|
- display_c YELLOW "Loading custom NOTRACK rules..."
|
284
|
|
- . "$BASEDIR/include/ipv4_custom_notrack"
|
285
|
|
-fi
|
286
|
|
-
|
287
|
|
-if [ $CONNTRACK ]; then
|
288
|
|
- for i in $DONTTRACK; do
|
289
|
|
- $IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
|
290
|
|
- $IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK
|
291
|
|
- $IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK
|
292
|
|
- $IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK
|
293
|
|
- done
|
294
|
|
-fi
|
295
|
|
-
|
296
|
|
-
|
297
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
|
298
|
|
- display_c YELLOW "Loading custom routing rules..."
|
299
|
|
- . "$BASEDIR/include/ipv4_custom_routing"
|
300
|
|
-fi
|
301
|
|
-
|
302
|
|
-if [ $ROUTING ]; then
|
303
|
|
- display_c YELLOW "Adding route: "
|
304
|
|
- for i in `grep -v "\#" $ROUTING`; do
|
305
|
|
- ROUTE=( ${i//:/ } )
|
306
|
|
- FWINT1=${ROUTE[0]}
|
307
|
|
- FWINT2=${ROUTE[2]}
|
308
|
|
- FWIP1=${ROUTE[1]}
|
309
|
|
- FWIP2=${ROUTE[3]}
|
310
|
|
-
|
311
|
|
- if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then
|
312
|
|
- echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding
|
313
|
|
- fi
|
314
|
|
- if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then
|
315
|
|
- echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding
|
316
|
|
- fi
|
317
|
|
- $IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \
|
318
|
|
- -s $FWIP1 -d $FWIP2 -j ACCEPT
|
319
|
|
- if [ ${ROUTE[4]} == "1" ]; then
|
320
|
|
- display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2"
|
321
|
|
- $IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \
|
322
|
|
- -d $FWIP1 -s $FWIP2 -j ACCEPT
|
323
|
|
- else
|
324
|
|
- display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2"
|
325
|
|
- fi
|
326
|
|
- done
|
327
|
|
-echo -ne "\n"
|
328
|
|
-fi
|
329
|
|
-
|
330
|
|
-
|
331
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
|
332
|
|
- display_c YELLOW "Loading custom port forwarding rules..."
|
333
|
|
- . "$BASEDIR/include/ipv4_custom_portforward"
|
334
|
|
-fi
|
335
|
|
-
|
336
|
|
-if [ $PORTFW ] && [ $NAT ]; then
|
337
|
|
- display_c YELLOW "Adding port forward for:"
|
338
|
|
- for i in `grep -v "\#" $PORTFW`; do
|
339
|
|
- PORTADD=( ${i//:/ } )
|
340
|
|
- $IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
|
341
|
|
- --dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
|
342
|
|
- ${PORTADD[5]}:${PORTADD[6]}
|
343
|
|
- $IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \
|
344
|
|
- --dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
|
345
|
|
- display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
|
346
|
|
- done
|
347
|
|
-reset_color
|
348
|
|
-fi
|
349
|
|
-
|
350
|
|
-if [ $LANDHCPSERVER ]; then
|
351
|
|
- #$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
|
352
|
|
- $IPTABLES -I INPUT -i $INTIF -p udp --dport 67:68 --sport \
|
353
|
|
- 67:68 -j ACCEPT
|
354
|
|
-
|
355
|
|
-fi
|
356
|
|
-
|
357
|
|
-
|
358
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
|
359
|
|
- display_c YELLOW "Loading custom nat rules..."
|
360
|
|
- . "$BASEDIR/include/ipv4_custom_nat"
|
361
|
|
-fi
|
362
|
|
-
|
363
|
|
-if [ $NAT ]; then
|
364
|
|
- if [ "$NAT_RANGE" ]; then
|
365
|
|
- display_c YELLOW "Adding NAT rule:"
|
366
|
|
- for i in $NAT_RANGE; do
|
367
|
|
- NAT_RULE=( ${i//:/ } )
|
368
|
|
- case ${NAT_RULE[0]} in
|
369
|
|
- SNAT)
|
370
|
|
- $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
|
371
|
|
- -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
|
372
|
|
- display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
|
373
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
|
374
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
|
375
|
|
- ;;
|
376
|
|
- MASQ)
|
377
|
|
- $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
|
378
|
|
- display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
|
379
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
|
380
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
|
381
|
|
- ;;
|
382
|
|
- *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
|
383
|
|
- esac
|
384
|
|
- done
|
385
|
|
- reset_color
|
386
|
|
- fi
|
387
|
|
- #=================
|
388
|
|
- # This section is going away in 1.0
|
389
|
|
- if [ "$NATRANGE" ]; then
|
390
|
|
- echo -e "${RED} **** WARNING ****"
|
391
|
|
- echo -e "${RED} NATRANGE option detected. Please switch to using"
|
392
|
|
- echo -e "${RED} NAT_RANGE which uses the newer style NAT mappings."
|
393
|
|
- echo -e "${RED} NATRANGE will be removed in v1.0"
|
394
|
|
- for i in $NATRANGE; do
|
395
|
|
- $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
396
|
|
- done
|
397
|
|
- #This is necessary to make sure that PMTU works
|
398
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
|
399
|
|
- -j ACCEPT
|
400
|
|
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
401
|
|
- -o $NATEXTIF -j ACCEPT
|
402
|
|
- #=================
|
403
|
|
- fi
|
404
|
|
-fi
|
405
|
|
-
|
406
|
|
-$IPTABLES --policy INPUT ACCEPT
|
407
|
|
-$IPTABLES --policy OUTPUT ACCEPT
|
408
|
|
-$IPTABLES --policy FORWARD DROP
|
409
|
|
-
|
410
|
|
-
|
411
|
|
-if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
|
412
|
|
- display_c YELLOW "Loading custom incoming blocked rules..."
|
413
|
|
- . "$BASEDIR/include/ipv4_custom_blockincoming"
|
414
|
|
-fi
|
415
|
|
-
|
416
|
|
-if [ $BLOCKINCOMING ]; then
|
417
|
|
- $IPTABLES -A INPUT -p tcp --syn -j DROP
|
418
|
|
- $IPTABLES -A INPUT -p udp -j DROP
|
419
|
|
-fi
|
420
|
|
-
|
421
|
|
-
|
422
|
|
-#================[IPv6]================
|
423
|
|
-if [ $IPV6 ]; then
|
424
|
|
- iptables_rules_flush ipv6
|
425
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
|
426
|
|
- display_c YELLOW "Loading custom IPv6 flush rules..."
|
427
|
|
- . "$BASEDIR/include/ipv6_custom_flush"
|
428
|
|
- fi
|
429
|
|
-
|
430
|
|
- display_c YELLOW "Adding trusted IPv6: " N
|
431
|
|
-
|
432
|
|
- $IP6TABLES -A INPUT -i lo -j ACCEPT
|
433
|
|
- $IP6TABLES -A OUTPUT -o lo -j ACCEPT
|
434
|
|
-
|
435
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
|
436
|
|
- display_c YELLOW "Loading custom IPv6 trust rules..."
|
437
|
|
- . "$BASEDIR/include/ipv6_custom_trust"
|
438
|
|
- fi
|
439
|
|
- for i in $IPV6TRUSTED; do
|
440
|
|
- echo -n "$i "
|
441
|
|
- $IP6TABLES -A INPUT -s $i -j ACCEPT
|
442
|
|
- $IP6TABLES -A OUTPUT -d $i -j ACCEPT
|
443
|
|
- done
|
444
|
|
- reset_color
|
445
|
|
-
|
446
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
|
447
|
|
- display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
|
448
|
|
- . "$BASEDIR/include/ipv6_custom_mssclamp"
|
449
|
|
- fi
|
450
|
|
-
|
451
|
|
- if [ "$CLAMPMSSIPV6" ]; then
|
452
|
|
- display_c YELLOW "Clamping IPV6 MSS to PMTU..."
|
453
|
|
- for i in $CLAMPMSSIPV6; do
|
454
|
|
- $IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
|
455
|
|
- -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
456
|
|
- --mss 1280:1536
|
457
|
|
- $IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
|
458
|
|
- -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
459
|
|
- --mss 1280:1536
|
460
|
|
- # This is necessary to make sure that PMTU works
|
461
|
|
- $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
|
462
|
|
- -o $i -j ACCEPT
|
463
|
|
- $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
|
464
|
|
- -i $i -j ACCEPT
|
465
|
|
- $IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
|
466
|
|
- -o $i -j ACCEPT
|
467
|
|
- $IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
|
468
|
|
- -i $i -j ACCEPT
|
469
|
|
- done
|
470
|
|
- fi
|
471
|
|
-
|
472
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
|
473
|
|
- display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
|
474
|
|
- . "$BASEDIR/include/ipv6_custom_blockoutports"
|
475
|
|
- fi
|
476
|
|
- if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
|
477
|
|
- display_c YELLOW "Blocking outbound port: " N
|
478
|
|
- if [ "$BLOCKIPV6TCPPORTS" ]; then
|
479
|
|
- for i in $BLOCKIPV6TCPPORTS; do
|
480
|
|
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
481
|
|
- $IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
|
482
|
|
- done
|
483
|
|
- fi
|
484
|
|
- if [ "$BLOCKIPV6UDPPORTS" ]; then
|
485
|
|
- for i in $BLOCKIPV6UDPPORTS; do
|
486
|
|
- echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
487
|
|
- $IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
|
488
|
|
- done
|
489
|
|
- fi
|
490
|
|
- reset_color
|
491
|
|
- fi
|
492
|
|
-
|
493
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
|
494
|
|
- display_c YELLOW "Loading custom IPv6 allowed port rules..."
|
495
|
|
- . "$BASEDIR/include/ipv6_custom_allowedports"
|
496
|
|
- fi
|
497
|
|
- if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
|
498
|
|
- display_c YELLOW "Adding allowed IPv6 port: " N
|
499
|
|
-
|
500
|
|
- if [ "$IPV6TCP" ]; then
|
501
|
|
- for i in $IPV6TCP; do
|
502
|
|
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
503
|
|
- $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
|
504
|
|
- done
|
505
|
|
- fi
|
506
|
|
-
|
507
|
|
- if [ "$IPV6UDP" ]; then
|
508
|
|
- for i in $IPV6UDP; do
|
509
|
|
- echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
510
|
|
- $IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
|
511
|
|
- $IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
|
512
|
|
- $IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
|
513
|
|
- done
|
514
|
|
- fi
|
515
|
|
- reset_color
|
516
|
|
- fi
|
517
|
|
- fi
|
518
|
|
-
|
519
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
520
|
|
- display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
521
|
|
- . "$BASEDIR/include/ipv6_custom_conntrack"
|
522
|
|
- fi
|
523
|
|
-
|
524
|
|
- if [ $IPV6ROUTEDCLIENTBLOCK ]; then
|
525
|
|
- $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
|
526
|
|
- $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
527
|
|
- $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
528
|
|
- $IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
|
529
|
|
- $IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
530
|
|
- $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
|
531
|
|
- $IP6TABLES -A INPUT -m state --state INVALID -j DROP
|
532
|
|
- $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
|
533
|
|
- $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
|
534
|
|
- $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
|
535
|
|
- $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
|
536
|
|
- $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
|
537
|
|
- $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p udp ! --dport 32768:65535 -j DROP
|
538
|
|
- fi
|
539
|
|
-
|
540
|
|
-
|
541
|
|
-
|
542
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
|
543
|
|
- display_c YELLOW "Loading custom IPv6 routing rules..."
|
544
|
|
- . "$BASEDIR/include/ipv6_custom_routing"
|
545
|
|
- fi
|
546
|
|
- if [ "$IPV6FORWARDRANGE" ]; then
|
547
|
|
- for i in $IPV6FORWARDRANGE; do
|
548
|
|
- $IP6TABLES -A FORWARD -s $i -j ACCEPT
|
549
|
|
- $IP6TABLES -A FORWARD -d $i -j ACCEPT
|
550
|
|
- done
|
551
|
|
- fi
|
552
|
|
-
|
553
|
|
- if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
|
554
|
|
- display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
|
555
|
|
- . "$BASEDIR/include/ipv6_custom_blockincoming"
|
556
|
|
- fi
|
557
|
|
- if [ $IPV6BLOCKINCOMING ]; then
|
558
|
|
- $IP6TABLES -A INPUT -p tcp --syn -j DROP
|
559
|
|
- $IP6TABLES -A INPUT -p udp -j DROP
|
560
|
|
- fi
|
561
|
|
-
|
562
|
|
-if [ $TWEAKS ]; then
|
563
|
|
- for i in `grep -v "\#" $TWEAKS`; do
|
564
|
|
- PROCOPT=( ${i//=/ } )
|
565
|
|
- echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]} &>/dev/null
|
566
|
|
- done
|
567
|
|
-fi
|
568
|
|
-
|
569
|
|
-if [ -x $POSTRUN ]; then
|
570
|
|
- $POSTRUN
|
571
|
|
-fi
|