SRFirewall/bin/srfirewall

214 lines
7.4 KiB
Plaintext
Raw Normal View History

#/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Static config options, normally do not need to change
2014-03-31 19:40:35 -06:00
FW_VERSION="2.0 PreAlpha 1"
# Important directory locations
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away
source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc"
2014-03-30 09:46:26 -06:00
source "${FWCONFIGDIR}/main.conf"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
2014-04-06 10:22:42 -06:00
# The local.conf file can be used to override any of the above files without having to worry
# about changes being overwritten when upgrading. Mostly useful for people who use a package
# manager.
[[ -e "{FWCONFIGDIR}/local.conf" ]] && source "{FWCONFIGDIR}/local.conf"
2014-04-06 10:43:04 -06:00
[[ -e "{FWCONFIGDIR}/ipv4/local.conf" ]] && source "{FWCONFIGDIR}/ipv4/local.conf"
[[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf"
2014-04-06 10:22:42 -06:00
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
2014-03-31 19:40:35 -06:00
# Swap out display_c command for dummy command if they don't want
# output when command is run.
2014-03-30 10:16:22 -06:00
if [ "${DisplayDetailedOutput}" == "yes" ]; then
if [ "${ColorizeOut}" == "yes" ]; then
display="display_c"
else
display="display_m"
fi
else
display="true"
fi
2014-03-31 19:40:35 -06:00
# Swap out debug command for dummy command if they don't want
2014-03-30 09:46:26 -06:00
# debug output when command is run.
2014-03-30 10:16:22 -06:00
if [ "${DisplayDebugInfo}" == "yes" ]; then
if [ "${ColorizeOut}" == "yes" ]; then
debug="display_c"
else
debug="display_m"
fi
2014-03-30 09:46:26 -06:00
else
debug="true"
fi
2014-03-31 19:40:35 -06:00
# Parse command line args
while getopts "hfgv" opt; do
case $opt in
h)
show_help
exit 0
;;
v)
show_version
exit 0
;;
\?)
echo "Invalid option: -$OPTARG" >&2
;;
esac
done
2014-03-30 09:46:26 -06:00
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
# ${display} RED "You must be root to run this script."
# exit 2
#fi
# We can't function without certain cli binaries being available
if [ ! -x "${GREP}" ]; then
${display} RED "Error: grep command not found. Please define GREP variable in main.conf manually."
exit 3
fi
2014-03-30 10:16:22 -06:00
# Basic sanity tests for ip{6}tables binaries and modules
2014-03-30 09:46:26 -06:00
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "iptables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IPTABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "ip6tables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IP6TABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then
${display} RED "Module ${IP4TablesMod} failed to load."
${display} RED "Will continue with IPv4 disabled."
EnableIPv4="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then
${display} RED "Module ${IP6TablesMod} failed to load."
${display} RED "Will continue with IPv6 disabled."
EnableIPv6="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
2014-03-30 10:16:22 -06:00
# Set up proper state matching variables, since there is old and new style.
if [ "$StateMatching" ]; then
case $StateMatching in
conntrack|CONNTRACK|*)
M_STATE="-m conntrack"
C_STATE="--ctstate"
;;
state|STATE)
M_STATE="-m state"
C_STATE="--state"
esac
else
M_STATE="-m conntrack"
C_STATE="--ctstate"
fi
# Do IPv4 IPTables Rules
if [ "${EnableIPv4}" == "yes" ]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
setup_iptables_chains ipv4
2014-03-30 10:16:22 -06:00
2014-04-06 11:52:53 -06:00
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
[[ ${EnableTrustedv4Hosts} == "yes" ] && allow_trusted_hosts ipv4
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
[[ ${DNSClientUsev4ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv4
[[ ${DNSClientManualv4Servers} ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
[[ ${Enablev4EasyBlock} == "yes" ]] && enable_easyblock ipv4
[[ ${Enablev4Filtering} == "yes" ]] && enable_filtering ipv4
[[ ${Enablev4Services} == "yes" ]] && enable_services ipv4
[[ ${Enablev4Forwarding} == "yes" ]] && enable_forwarding ipv4
[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
2014-03-31 17:37:38 -06:00
fi
# Do IPv6 IPTables Rules
2014-03-30 10:16:22 -06:00
if [ "${EnableIPv6}" == "yes" ]; then
# First flush all rules
iptables_rules_flush ipv6
2014-03-29 11:55:38 -06:00
# Create the chain sets we'll need and the ones that can be
2014-03-30 13:36:55 -06:00
# customized by users in their custom rules
2014-03-29 11:55:38 -06:00
setup_iptables_chains ipv6
2014-03-30 10:16:22 -06:00
2014-04-06 11:52:53 -06:00
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
[[ ${DNSClientUsev6ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv6
[[ ${DNSClientManualv6Servers} ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
[[ ${Enablev6EasyBlock} == "yes" ]] && enable_easyblock ipv6
[[ ${Enablev6Filtering} == "yes" ]] && enable_filtering ipv6
[[ ${Enablev6Services} == "yes" ]] && enable_services ipv6
[[ ${Enablev6Forwarding} == "yes" ]] && enable_forwarding ipv6
2014-04-05 14:53:01 -06:00
[ "${Enablev6NAT}" == "yes" ] && enable_nat ipv6
2014-03-29 11:06:08 -06:00
fi
2014-03-30 09:46:26 -06:00