
More changes for 0.9.6, moving rc.firewall to bin/firewall-sosdg and replacing it with symlinks

bbruns 8 years ago
parent
commit
cda0ab23ef
6 changed files with 616 additions and 40 deletions
  1. 3
    0
      ChangeLog
  2. 571
    0
      bin/firewall-sosdg
  3. 1
    1
      doc/firewall-sosdg.init
  4. 38
    0
      old/stop-firewall
  5. 1
    1
      start-firewall
  6. 2
    38
      stop-firewall

+ 3
- 0
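--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+0.9.6 - Brielle Bruns <bruns@2mbit.com>
+	- Minor changes to procedures in planning of 1.0
+
 0.9.5 - Brielle Bruns <bruns@2mbit.com>
 	- Makefile to automate building tarball and for future use
 	- More changes to port-forwards file to support source IP and external IP (existing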

+ 571
- 0
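--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -0,0 +1,571 @@
+#/bin/bash
+# By Brielle Bruns <bruns@2mbit.com>
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+#    Copyright (C) 2009 - 2010  Brielle Bruns
+#    Copyright (C) 2009 - 2010  The Summit Open Source Development Group
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+FW_VERSION="0.9.6"
+
+# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
+# that would otherwise require remaking their options file.  I leave this on by default,
+# but if you want to make sure you have a current options file, define this to 0.
+COMPAT_CONFIG=1
+
+BASEDIR=/etc/firewall-sosdg
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+#BASEDIR=`pwd`
+
+TWEAKS=$BASEDIR/tweaks
+
+if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
+	echo "Error: Missing either include/static or include/functions. These are critical to operation"
+	echo "of this script.  Please make sure they are readable and exist!"
+	exit 1
+fi
+
+. $BASEDIR/include/static
+
+
+if [ -r $BASEDIR/options ]; then
+	. $BASEDIR/options
+else
+	echo -e "${RED}Error: Can not load options file.  Did you forget to rename options.default?"
+	exit 1
+fi
+
+. $BASEDIR/include/functions
+
+while [ $# -gt 0 ]; do
+	case "$1" in
+	-f|--flush)
+		iptables_policy_reset ipv4 ACCEPT
+		iptables_policy_reset ipv6 ACCEPT
+		iptables_rules_flush ipv4
+		iptables_rules_flush ipv6
+		exit 0
+		;;
+	-h|--help)
+		show_help
+		exit 0
+		;;	
+	esac
+	shift
+done
+
+if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then
+	display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option.  Please make sure"
+	display_c RED "it exists, or comment out the PORTFW line in options."
+	exit 1
+fi
+
+echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ Firewall/SOSDG ${FW_VERSION}
+ Brielle Bruns <bruns@2mbit.com>
+ http://www.sosdg.org/freestuff/firewall
+ This program comes with ABSOLUTELY NO WARRANTY.
+ This is free software, and you are welcome to 
+ redistribute it under certain conditions.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
+
+if [ $UID != "0" ]; then
+	display_c RED "You must be root to run this script."
+	exit 2
+fi
+
+if [ ! -x $IPTABLES ]; then
+	display_c RED "iptables command not found.  Please make sure you have the iptables"
+	display_c RED "installed (package or source) and you have the IPTABLES option properly"
+	display_c RED "defined in the 'options' file."
+	exit 3
+fi
+
+
+if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then
+	display_c RED "ip6tables command not found.  Please make sure you have the iptables"
+	display_c RED "installed (package or source) and you have the IP6TABLES option properly"
+	display_c RED "defined in the 'options' file."
+	exit 3
+fi
+
+iptables_rules_flush ipv4
+
+if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
+	display_c YELLOW "Loading custom flush rules..."
+	. "$BASEDIR/include/ipv4_custom_flush"
+fi
+
+if [ -x $PRERUN ]; then
+	$PRERUN
+fi
+
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
+	display_c YELLOW "Loading custom trust rules..."
+	. "$BASEDIR/include/ipv4_custom_trust"
+fi
+
+if [ "$TRUSTEDIP" ]; then
+	display_c YELLOW "Adding trusted IP: " N
+	for i in $TRUSTEDIP; do
+		echo -n "$i "
+		$IPTABLES -A INPUT -s $i -j ACCEPT
+		$IPTABLES -A OUTPUT -d $i -j ACCEPT
+	done
+	echo -ne "\n"
+fi
+
+if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
+	display_c YELLOW "Loading custom ip block rules..."
+	. "$BASEDIR/include/ipv6_custom_blockip"
+fi
+
+if [ $BLOCKEDIP ]; then
+	display_c YELLOW "Adding blocked IPs: " N
+	for i in `grep -v "\#" $BLOCKEDIP`; do
+		echo -n "$i "
+		$IPTABLES -A INPUT -s $i -j DROP
+		$IPTABLES -A OUTPUT -d $i -j DROP
+	done
+echo -ne "\n"
+fi
+
+if [ "$STRIPECN" ]; then
+	display_c YELLOW "Stripping ECN off of TCP packets to " N
+	for i in $STRIPECN; do
+		echo -en "$i "
+		$IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
+			--ecn-tcp-remove
+	done
+echo -ne "\n"
+fi
+
+if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
+	display_c YELLOW "Loading custom MSS Clamp rules..."
+	. "$BASEDIR/include/ipv4_custom_mssclamp"
+fi
+
+if [ "$CLAMPMSS" ]; then
+	display_c YELLOW "Clamping MSS to PMTU..."
+	for i in $CLAMPMSS; do
+		$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+		# This is necessary to make sure that PMTU works
+		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+			-i $i -j ACCEPT
+		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+			-i $i -j ACCEPT
+	done
+echo -en "\n"
+fi
+
+
+if [ $HACK_IPV4 ]; then
+	apply_ipv4_hack $HACK_IPV4
+fi
+
+if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
+	display_c YELLOW "Loading custom conntrack rules..."
+	. "$BASEDIR/include/ipv4_custom_conntrack"
+fi
+
+if [ $CONNTRACK ]; then
+	$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
+	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+	$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
+	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+	$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
+	$IPTABLES -A INPUT -m state --state INVALID -j DROP
+	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+	$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+fi
+
+if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
+	display_c YELLOW "Loading custom blocked outbound port rules..."
+	. "$BASEDIR/include/ipv4_custom_blockoutports"
+fi
+
+if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
+	display_c YELLOW "Blocking outbound port: " N
+
+	if  [ "$BLOCKTCPPORTS" ]; then
+		for i in $BLOCKTCPPORTS; do
+			echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+			$IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
+			if [ "$NATRANGE" ]; then
+				for src in $NATRANGE; do
+					$IPTABLES -A FORWARD -p tcp -s $src --dport $i --syn -j DROP
+				done
+			fi
+		done
+	fi
+	if  [ "$BLOCKUDPPORTS" ]; then
+		for i in $BLOCKUDPPORTS; do
+			echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
+			$IPTABLES -A OUTPUT -p udp --dport $i -j DROP
+			if [ "$NATRANGE" ]; then
+				for src in $NATRANGE; do
+					$IPTABLES -A FORWARD -p udp -s $src --dport $i -j DROP
+				done
+			fi
+		done
+	fi
+	reset_color
+fi
+
+if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
+	display_c YELLOW "Loading custom allowed port rules..."
+	. "$BASEDIR/include/ipv4_custom_allowedports"
+fi
+
+if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
+	display_c YELLOW "Adding allowed port: " N
+
+	if [ "$TCPPORTS" ]; then
+		for i in $TCPPORTS; do
+			echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+			$IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
+		done
+	fi
+	if [ "$UDPPORTS" ]; then
+		for i in $UDPPORTS; do
+			echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
+			#$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT
+			$IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
+        		$IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
+			$IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
+		done
+	fi
+	reset_color
+fi
+
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
+	display_c YELLOW "Loading custom protocol rules..."
+	. "$BASEDIR/include/ipv4_custom_proto"
+fi
+
+if [ "$ALLOWEDPROTO" ]; then
+	display_c YELLOW "Adding allowed protocols: " N
+	for i in $ALLOWEDPROTO; do
+		echo -n "$i "
+		$IPTABLES -A INPUT -p $i -j ACCEPT
+		$IPTABLES -A OUTPUT -p $i -j ACCEPT
+	done
+	reset_color
+fi
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
+	display_c YELLOW "Loading custom NOTRACK rules..."
+	. "$BASEDIR/include/ipv4_custom_notrack"
+fi
+
+if [ $CONNTRACK ]; then
+	for i in $DONTTRACK; do
+		$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
+		$IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK
+		$IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK
+		$IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK
+	done
+fi
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
+	display_c YELLOW "Loading custom routing rules..."
+	. "$BASEDIR/include/ipv4_custom_routing"
+fi
+
+if [ $ROUTING ]; then
+	display_c YELLOW "Adding route: "
+	for i in `grep -v "\#" $ROUTING`; do
+		ROUTE=( ${i//:/ } )
+		FWINT1=${ROUTE[0]}
+		FWINT2=${ROUTE[2]}
+		FWIP1=${ROUTE[1]}
+		FWIP2=${ROUTE[3]}
+
+		if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then
+			echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding
+		fi
+		if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then
+			echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding
+		fi
+		$IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \
+			-s $FWIP1 -d $FWIP2 -j ACCEPT
+		if [ ${ROUTE[4]} == "1" ]; then
+			display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2"
+ 			$IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \
+				-d $FWIP1 -s $FWIP2 -j ACCEPT
+		else
+			display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2"
+	fi
+	done
+echo -ne "\n"
+fi
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
+	display_c YELLOW "Loading custom port forwarding rules..."
+	. "$BASEDIR/include/ipv4_custom_portforward"
+fi
+
+if [ $PORTFW ] && [ $NAT ]; then
+	display_c YELLOW "Adding port forward for:"
+	for i in `grep -v "\#" $PORTFW`; do
+		PORTADD=( ${i//:/ } )
+		$IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
+			--dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
+			${PORTADD[5]}:${PORTADD[6]}
+		$IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \
+			--dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
+		display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
+	done
+reset_color
+fi
+
+if [ $LANDHCPSERVER ]; then
+	#$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
+	$IPTABLES  -I INPUT -i $INTIF -p udp --dport 67:68 --sport \
+     67:68 -j ACCEPT
+
+fi
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
+	display_c YELLOW "Loading custom nat rules..."
+	. "$BASEDIR/include/ipv4_custom_nat"
+fi
+
+if [ $NAT ]; then
+	if [ "$NAT_RANGE" ]; then
+		display_c YELLOW "Adding NAT rule:"
+		for i in $NAT_RANGE; do
+			NAT_RULE=( ${i//:/ } )
+			case ${NAT_RULE[0]} in
+			SNAT)
+				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
+					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
+				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
+				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+					;;
+			MASQ)
+				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
+				display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
+				$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+					;;
+				*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
+			esac
+		done
+		reset_color
+	fi
+	#=================
+    # This section is going away in 1.0
+	if [ "$NATRANGE" ]; then
+		echo -e "${RED} **** WARNING ****"
+		echo -e "${RED} NATRANGE option detected.  Please switch to using"
+		echo -e "${RED} NAT_RANGE which uses the newer style NAT mappings."
+		echo -e "${RED} NATRANGE will be removed in v1.0"
+		for i in $NATRANGE; do
+			$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
+		done
+	 	#This is necessary to make sure that PMTU works
+		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
+				-j ACCEPT
+		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+				-o $NATEXTIF -j ACCEPT
+	#=================
+	fi
+fi
+
+$IPTABLES --policy INPUT ACCEPT
+$IPTABLES --policy OUTPUT ACCEPT
+$IPTABLES --policy FORWARD DROP
+
+
+if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
+	display_c YELLOW "Loading custom incoming blocked rules..."
+	. "$BASEDIR/include/ipv4_custom_blockincoming"
+fi
+
+if [ $BLOCKINCOMING ]; then
+		$IPTABLES -A INPUT -p tcp --syn -j DROP
+		$IPTABLES -A INPUT -p udp -j DROP
+fi
+
+
+#================[IPv6]================
+if [ $IPV6 ]; then
+	iptables_rules_flush ipv6
+	if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
+		display_c YELLOW "Loading custom IPv6 flush rules..."
+		. "$BASEDIR/include/ipv6_custom_flush"
+	fi
+
+	display_c YELLOW "Adding trusted IPv6: " N
+
+	$IP6TABLES -A INPUT -i lo -j ACCEPT
+	$IP6TABLES -A OUTPUT -o lo -j ACCEPT
+
+	if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
+		display_c YELLOW "Loading custom IPv6 trust rules..."
+		. "$BASEDIR/include/ipv6_custom_trust"
+	fi
+	for i in $IPV6TRUSTED; do
+		echo -n "$i "
+		$IP6TABLES -A INPUT -s $i -j ACCEPT
+		$IP6TABLES -A OUTPUT -d $i -j ACCEPT
+	done
+	reset_color
+
+	if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
+		display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
+		. "$BASEDIR/include/ipv6_custom_mssclamp"
+	fi
+
+	if [ "$CLAMPMSSIPV6" ]; then
+		display_c YELLOW "Clamping IPV6 MSS to PMTU..."
+		for i in $CLAMPMSSIPV6; do
+			$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+			-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
+			--mss 1280:1536
+			$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
+			-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
+			--mss 1280:1536
+			# This is necessary to make sure that PMTU works
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
+			-o $i -j ACCEPT
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
+			-i $i -j ACCEPT
+			$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
+			-o $i -j ACCEPT
+			$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
+			-i $i -j ACCEPT
+		done
+	fi
+
+	if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
+		display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
+		. "$BASEDIR/include/ipv6_custom_blockoutports"
+	fi
+	if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
+		display_c YELLOW "Blocking outbound port: " N
+		if [ "$BLOCKIPV6TCPPORTS" ]; then
+			for i in $BLOCKIPV6TCPPORTS; do
+				echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+				$IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
+			done
+		fi
+		if [ "$BLOCKIPV6UDPPORTS" ]; then
+			for i in $BLOCKIPV6UDPPORTS; do
+				echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
+				$IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
+			done
+		fi
+		reset_color
+	fi
+
+	if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
+		display_c YELLOW "Loading custom IPv6 allowed port rules..."
+		. "$BASEDIR/include/ipv6_custom_allowedports"
+	fi
+	if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
+		display_c YELLOW "Adding allowed IPv6 port: " N
+
+		if [ "$IPV6TCP" ]; then
+			for i in $IPV6TCP; do
+				echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+				$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
+			done
+		fi
+
+		if [ "$IPV6UDP" ]; then
+			for i in $IPV6UDP; do
+				echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
+				$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
+	        		$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
+        			$IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
+			done
+		fi
+		reset_color
+	fi
+	fi
+
+	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
+		display_c YELLOW "Loading custom IPv6 conntrack rules..."
+		. "$BASEDIR/include/ipv6_custom_conntrack"
+	fi
+
+	if [ $IPV6ROUTEDCLIENTBLOCK ]; then
+		$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
+		$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+		$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+		$IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
+		$IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+		$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
+		$IP6TABLES -A INPUT -m state --state INVALID -j DROP
+		$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
+		$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
+		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
+		$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
+		$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
+		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p udp ! --dport 32768:65535 -j DROP
+	fi
+	
+
+
+	if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
+		display_c YELLOW "Loading custom IPv6 routing rules..."
+		. "$BASEDIR/include/ipv6_custom_routing"
+	fi
+	if [ "$IPV6FORWARDRANGE" ]; then
+		for i in $IPV6FORWARDRANGE; do
+			$IP6TABLES -A FORWARD -s $i -j ACCEPT
+			$IP6TABLES -A FORWARD -d $i -j ACCEPT
+		done
+	fi
+	
+	if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
+		display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
+		. "$BASEDIR/include/ipv6_custom_blockincoming"
+	fi
+	if [ $IPV6BLOCKINCOMING ]; then
+		$IP6TABLES -A INPUT -p tcp --syn -j DROP
+		$IP6TABLES -A INPUT -p udp -j DROP
+	fi
+
+if [ $TWEAKS ]; then
+	for i in `grep -v "\#" $TWEAKS`; do
+		PROCOPT=( ${i//=/ } )
+		echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]} &>/dev/null
+	done
+fi
+
+if [ -x $POSTRUN ]; then
+	$POSTRUN
+fi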
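Review bot: The first line of the new file reads `#/bin/bash` — the `!` is missing, so it is an ordinary comment and the kernel cannot exec the file through an interpreter of its own; which shell actually runs it then depends on the caller (the start-firewall symlink, the init script, or a `/bin/sh` wrapper), while the script relies on bash-only constructs such as `ROUTE=( ${i//:/ } )`, `==` inside `[ ]` and `&>/dev/null`, which break under dash. Change it to `#!/bin/bash`. Two further points in the same hunk: the block at hunk lines 133–135 tests for `ipv4_custom_blockip` but then sources `ipv6_custom_blockip`, so the IPv4 include is never loaded; and the `fi` at hunk line 517 closes `if [ $IPV6 ]`, so the IPv6 conntrack, routed-client-block, routing and block-incoming sections at hunk lines 519–560 execute even when IPV6 is unset, sourcing every `ipv6_custom_*` include unconditionally. Moving that `fi` to after hunk line 560 restores the nesting the indentation implies; the `[ $IPV6 ]` test at hunk line 423 is also non-empty rather than `== "1"` as at hunk line 97, so `IPV6=0` enables the section — worth confirming against the documented option.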

+ 1
- 1
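--- a/doc/firewall-sosdg.init
+++ b/doc/firewall-sosdg.init
@@ -12,7 +12,7 @@
 ### END INIT INFO
 
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
-FIREWALL_START=/etc/firewall-sosdg/rc.firewall
+FIREWALL_START=/etc/firewall-sosdg/bin/firewall-sosdg
 FIREWALL_STOP=/etc/firewall-sosdg/stop-firewall
 . /lib/lsb/init-functions
 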

+ 38
- 0
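--- a/old/stop-firewall
+++ b/old/stop-firewall
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+BASEDIR=/etc/firewall-sosdg
+#BASEDIR=`pwd`
+
+. $BASEDIR/options
+
+$IPTABLES --policy INPUT ACCEPT
+$IPTABLES --policy OUTPUT ACCEPT
+$IPTABLES --policy FORWARD ACCEPT
+
+$IPTABLES --flush &>/dev/null
+$IPTABLES -F OUTPUT &>/dev/null
+$IPTABLES -F PREROUTING &>/dev/null
+$IPTABLES -F POSTROUTING &>/dev/null
+$IPTABLES -F -t mangle &>/dev/null
+if [ $NAT ]; then
+        $IPTABLES -F -t nat &>/dev/null
+fi
+$IPTABLES -F -t raw &>/dev/null
+if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
+        . "$BASEDIR/include/ipv4_custom_flush"
+fi
+
+if [ $IPV6 ]; then
+	$IP6TABLES --policy INPUT ACCEPT
+	$IP6TABLES --policy OUTPUT ACCEPT
+	$IP6TABLES --policy FORWARD ACCEPT
+        $IP6TABLES --flush &>/dev/null
+        $IP6TABLES -F OUTPUT &>/dev/null
+        $IP6TABLES -F PREROUTING &>/dev/null
+        $IP6TABLES -F POSTROUTING &>/dev/null
+        if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
+                . "$BASEDIR/include/ipv6_custom_flush"
+        fi
+fi
+
+exit 0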

+ 1
- 1
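--- a/start-firewall
+++ b/start-firewall
@@ -1 +1 @@
-rc.firewall
+bin/firewall-sosdg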

+ 2
- 38
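--- a/stop-firewall
+++ b/stop-firewall
@@ -1,38 +1,2 @@
-#!/bin/sh
-
-BASEDIR=/etc/firewall-sosdg
-#BASEDIR=`pwd`
-
-. $BASEDIR/options
-
-$IPTABLES --policy INPUT ACCEPT
-$IPTABLES --policy OUTPUT ACCEPT
-$IPTABLES --policy FORWARD ACCEPT
-
-$IPTABLES --flush &>/dev/null
-$IPTABLES -F OUTPUT &>/dev/null
-$IPTABLES -F PREROUTING &>/dev/null
-$IPTABLES -F POSTROUTING &>/dev/null
-$IPTABLES -F -t mangle &>/dev/null
-if [ $NAT ]; then
-        $IPTABLES -F -t nat &>/dev/null
-fi
-$IPTABLES -F -t raw &>/dev/null
-if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
-        . "$BASEDIR/include/ipv4_custom_flush"
-fi
-
-if [ $IPV6 ]; then
-	$IP6TABLES --policy INPUT ACCEPT
-	$IP6TABLES --policy OUTPUT ACCEPT
-	$IP6TABLES --policy FORWARD ACCEPT
-        $IP6TABLES --flush &>/dev/null
-        $IP6TABLES -F OUTPUT &>/dev/null
-        $IP6TABLES -F PREROUTING &>/dev/null
-        $IP6TABLES -F POSTROUTING &>/dev/null
-        if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
-                . "$BASEDIR/include/ipv6_custom_flush"
-        fi
-fi
-
-exit 0
+#!/bin/bash
+bin/firewall-sosdg --flush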
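Review bot: The replacement script's last line runs `bin/firewall-sosdg --flush` with a path relative to the caller's current directory rather than to the script's own location; the init script in this same commit invokes `/etc/firewall-sosdg/stop-firewall` from whatever cwd the service manager has, so the stop action fails with "No such file or directory" anywhere but inside /etc/firewall-sosdg, and since it runs as root it would execute whichever `bin/firewall-sosdg` happens to exist under the caller's cwd. Resolve the path from the script itself and pass the exit status through: `exec "$(dirname "$0")/bin/firewall-sosdg" --flush`. The old script also set every chain policy to ACCEPT before flushing, including the nat and raw tables; the `--flush` branch of the new firewall-sosdg calls `iptables_policy_reset ... ACCEPT` and `iptables_rules_flush`, whose bodies live in include/functions outside this commit, so whether the same tables are covered cannot be confirmed from here.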
