  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Flush every rule and user-defined chain in the filter, nat and mangle tables
# of the selected stack and reset the built-in filter policies to ACCEPT.
# Calling this while a DROP policy is in place can cut the host off the
# network, so call iptables_policy_reset first. iptables errors are silenced.
# Globals: IPTABLES / IP6TABLES, display (read);
#          IP_VERSION / VER_IPTABLES / TABLE_NAMES (written)
function iptables_rules_flush {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
  esac
  ${display} GREEN "Flushing ${IP_VERSION} rules..."
  # Whole filter table first, then each built-in chain explicitly.
  ${VER_IPTABLES} -F &>/dev/null
  ${VER_IPTABLES} -X &>/dev/null
  for builtin_chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -F "${builtin_chain}" &>/dev/null
  done
  # nat and mangle: flush the rules, then remove user-defined chains.
  for extra_table in nat mangle; do
    ${VER_IPTABLES} -t "${extra_table}" -F &>/dev/null
    ${VER_IPTABLES} -t "${extra_table}" -X &>/dev/null
  done
  # Open the built-in policies so nothing is blocked once the rules are gone.
  for builtin_chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -P "${builtin_chain}" ACCEPT &>/dev/null
  done
  # TABLE_NAMES (/proc/net/ip*_tables_names) is only referenced by the
  # disabled per-table loop below; nothing in this function reads it.
  #for i in `cat $TABLE_NAMES`; do
  # ${VER_IPTABLES} -F -t $i &>/dev/null
  #done
  #${VER_IPTABLES} -X
}
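# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Set the policy of the built-in INPUT, OUTPUT and FORWARD chains of the
# selected stack to ACCEPT or DROP. If no policy is given, ACCEPT is used.
# Globals: IPTABLES / IP6TABLES, display_c (read);
#          IP_VERSION / VER_IPTABLES / SET_POLICY (written)
function iptables_policy_reset {
  IP_VERSION=$1
  # ${2:-ACCEPT} supplies the default. The previous ${2=ACCEPT} tried to
  # assign to a positional parameter, which bash rejects, so the default
  # never took effect when the policy argument was omitted.
  SET_POLICY=${2:-ACCEPT}
  local builtin_chain
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
  for builtin_chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} --policy "${builtin_chain}" "${SET_POLICY}"
  done
}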
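# setup_iptables_chains (ipv4|ipv6)
# Create the user-defined chains for the selected stack and hook them into the
# built-in chains in the order the rest of the script relies on:
# PreRules -> EasyBlock -> Filter -> nat (POSTROUTING/PREROUTING) -> PostRules.
# Between stages an optional hook script under ${FWCONFIGDIR}/ipv<N>/custom/
# is sourced if it is executable. Those hooks run inside this shell with its
# privileges, so the custom/ directory must only be writable by the
# administrator.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, display, debug, the chain-name
#          variables (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function setup_iptables_chains {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local custom_dir="${FWCONFIGDIR}/ipv${IPVER}/custom"
  local chain

  # Create the actual chains (filter table first, then the two nat chains).
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" "${OutEasyBlock}" \
               "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
    ${VER_IPTABLES} -N "${chain}"
  done
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Set up rules - the order matters - we do it separately here
  # for easy viewing of order. Paths are quoted so a FWCONFIGDIR with
  # spaces cannot split the test or the source command.
  if [[ -x "${custom_dir}/prerun.sh" ]]; then . "${custom_dir}/prerun.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  if [[ -x "${custom_dir}/easyblock.sh" ]]; then . "${custom_dir}/easyblock.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  if [[ -x "${custom_dir}/filter.sh" ]]; then . "${custom_dir}/filter.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  if [[ -x "${custom_dir}/nat.sh" ]]; then . "${custom_dir}/nat.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
  ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"

  if [[ -x "${custom_dir}/portfw.sh" ]]; then . "${custom_dir}/portfw.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
  ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"

  if [[ -x "${custom_dir}/postrun.sh" ]]; then . "${custom_dir}/postrun.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}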
# allow_all_loopback (ipv4|ipv6)
# Accept everything on the loopback interface in both directions by adding
# one rule to InPreRules (-i lo) and one to OutPreRules (-o lo) for the
# selected stack.
# Globals: IPTABLES / IP6TABLES, debug, InPreRules / OutPreRules (read);
#          IP_VERSION / VER_IPTABLES / IPVER (written)
function allow_all_loopback {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == "ipv6" ]]; then
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
  else
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
  ${VER_IPTABLES} -A "${InPreRules}" -i lo -j ACCEPT
  ${VER_IPTABLES} -A "${OutPreRules}" -o lo -j ACCEPT
}
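# allow_trusted_hosts (ipv4|ipv6)
# Accept all traffic to and from every address listed in
# ${FWCONFIGDIR}/ipv<N>/trusted.conf. Each whitespace-separated token on a
# line is one address or network; any line containing '#' is skipped
# entirely (same effect as the previous `grep -v "\#"`). The rules go into
# InPreRules (-s) and OutPreRules (-d), ahead of every filter, so an entry
# here bypasses all other filtering.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, display, debug,
#          InPreRules / OutPreRules (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function allow_trusted_hosts {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local trusted_file="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  local line host
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${trusted_file}" ]]; then
    # Read the file directly instead of word-splitting a backtick grep.
    # `|| [[ -n ${line} ]]` still processes a final line without a newline.
    while IFS= read -r line || [[ -n "${line}" ]]; do
      [[ ${line} == *\#* ]] && continue
      # Deliberately unquoted: one rule pair per whitespace-separated token.
      for host in ${line}; do
        ${VER_IPTABLES} -A "${InPreRules}" -s "${host}" -j ACCEPT
        ${VER_IPTABLES} -A "${OutPreRules}" -d "${host}" -j ACCEPT
      done
    done < "${trusted_file}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${trusted_file}"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}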
# enable_mss_clamp (ipv4|ipv6)
# Add a TCPMSS clamp-to-PMTU rule for each entry of
# ${FWCONFIGDIR}/ipv<N>/mss-clamp.conf. Line format:
#   <out-interface> <mss-range|-> <out|fwd|-|chain-name>
# '-' for the range means 1400:1536; '-' or 'out' for the chain means
# OutFilter, 'fwd' means FwdFilter, anything else is used as a chain name.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, display, debug,
#          OutFilter / FwdFilter (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_mss_clamp {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  mss_conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ ! -e "${mss_conf}" ]; then
    ${display} RED "File Missing: ${mss_conf}"
    ${display} RED "Error: can not load mss clamp file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
    return
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${mss_conf} successful"
  while read -r interface mss type; do
    # Skip comment and blank lines.
    case ${interface} in
      \#*|"") continue ;;
    esac
    [[ ${mss} == "-" ]] && mss="1400:1536"
    case ${type} in
      -|out) type="${OutFilter}" ;;
      fwd) type="${FwdFilter}" ;;
    esac
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type}"
    ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
      --clamp-mss-to-pmtu -o ${interface} -m tcpmss --mss ${mss}
  done < "${mss_conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
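# allow_resolvconf_servers (ipv4|ipv6)
# Read the "nameserver" entries of the stack's resolv.conf (ResolvConfv4File
# or ResolvConfv6File) and allow UDP/53 to and from each of them. Servers of
# the other address family are skipped (a ':' in the address marks IPv6).
# With connection tracking enabled for the stack the rules use a state
# match; otherwise two stateless port-based rules are added instead.
# Globals: IPTABLES / IP6TABLES, ResolvConfv4File / ResolvConfv6File,
#          Enablev4ConnectionTracking / Enablev6ConnectionTracking,
#          M_STATE / C_STATE, InPreRules / OutPreRules, display, debug (read);
#          IP_VERSION / VER_IPTABLES / IPVER / ResolvConfFile (written)
function allow_resolvconf_servers {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local use_conntrack="no"
  local type server
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  # Derive file and conntrack switch from IPVER so the default (ipv4)
  # branch of the case above is handled too, not only the literal "ipv4".
  if [[ ${IPVER} == "6" ]]; then
    ResolvConfFile="${ResolvConfv6File}"
    [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  else
    ResolvConfFile="${ResolvConfv4File}"
    [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
  if [[ -e "${ResolvConfFile}" ]]; then
    # Extra fields after the address are ignored (read into _).
    while read -r type server _; do
      [[ ${type} != "nameserver" ]] && continue
      [[ -z ${server} ]] && continue
      # Skip servers of the other family.
      [[ ${IPVER} == "4" && ${server} == *:* ]] && continue
      [[ ${IPVER} == "6" && ${server} != *:* ]] && continue
      if [[ ${use_conntrack} == "yes" ]]; then
        ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
        ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
        ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
      else
        # Stateless variant: queries leave for the server (-d on OUTPUT) and
        # replies arrive from it (-s on INPUT). The previous code had the
        # two address matches swapped, so these rules never matched a
        # remote resolver.
        ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
        ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
        ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
      fi
    done < "${ResolvConfFile}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${ResolvConfFile}"
    ${display} RED "Error: can not load resolv.conf nameservers."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}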
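# allow_dnsclient_manual (ipv4|ipv6) "server [server ...]"
# Like allow_resolvconf_servers, but for an explicit whitespace-separated list
# of nameserver addresses passed as the second argument. With connection
# tracking enabled for the stack the rules use a state match; otherwise two
# stateless port-based rules are added per server.
# Globals: IPTABLES / IP6TABLES, Enablev4ConnectionTracking /
#          Enablev6ConnectionTracking, M_STATE / C_STATE,
#          InPreRules / OutPreRules, debug (read);
#          IP_VERSION / VER_IPTABLES / IPVER / DNS_SERVERS (written)
function allow_dnsclient_manual {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  DNS_SERVERS="$2"
  local use_conntrack="no"
  local server
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ ${IPVER} == "6" ]]; then
    [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  else
    [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  fi
  # Deliberately unquoted: DNS_SERVERS is a whitespace-separated list.
  for server in ${DNS_SERVERS}; do
    if [[ ${use_conntrack} == "yes" ]]; then
      # The old message printed ${server} from another function's scope.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
      ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
      ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    else
      # Stateless variant: -d on OUTPUT for the query, -s on INPUT for the
      # reply. The previous code had the two swapped.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
    fi
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}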
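# enable_easyblock (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/easyblock.conf and add one DROP rule per line to
# InEasyBlock (IN) or OutEasyBlock (OUT). Line format:
#   IN|OUT <interface|-> <address|-> <port|-> <protocol|->
# '-' (or an absent field) omits that match. A port only works together with
# a protocol, otherwise iptables rejects the rule.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, display, debug,
#          InEasyBlock / OutEasyBlock (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_easyblock {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local block_conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
  local direction interface address port protocol chain
  local -a rule_args
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${block_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${block_conf} successful"
    while read -r direction interface address port protocol; do
      [[ -z ${direction} || ${direction} == "#"* ]] && continue
      if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
        # Report and skip. The old `display ... && continue` only skipped
        # the line when the display helper itself returned success.
        ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
        continue
      fi
      # Build the match list as an array: omitted fields add nothing and
      # each value stays a single argument.
      rule_args=()
      if [[ ${direction} == "IN" ]]; then
        chain="${InEasyBlock}"
        [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-i "${interface}")
        [[ -n ${address} && ${address} != "-" ]] && rule_args+=(-s "${address}")
      else
        chain="${OutEasyBlock}"
        [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-o "${interface}")
        [[ -n ${address} && ${address} != "-" ]] && rule_args+=(-d "${address}")
      fi
      [[ -n ${protocol} && ${protocol} != "-" ]] && rule_args+=(-p "${protocol}")
      [[ -n ${port} && ${port} != "-" ]] && rule_args+=(--dport "${port}")
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${rule_args[*]}"
      ${VER_IPTABLES} -A "${chain}" "${rule_args[@]}" -j DROP
    done < "${block_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}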
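# enable_filtering (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/acl.conf into InFilter (IN) / OutFilter (OUT).
# Line format:
#   IN|OUT ACCEPT|DROP|REJECT <interface|-> <srcaddr|-> <srcport|-> <dstaddr|-> <dstport|-> <protocol|->
# '-' (or an absent field) omits that match; ports need a protocol. REJECT
# uses --reject-with tcp-reset for tcp and the iptables default otherwise.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, display, debug,
#          InFilter / OutFilter (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_filtering {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local acl_conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
  local direction action interface srcaddress srcport dstaddress dstport protocol chain
  local -a rule_args target
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${acl_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${acl_conf} successful"
    while read -r direction action interface srcaddress srcport dstaddress dstport protocol; do
      [[ -z ${direction} || ${direction} == "#"* ]] && continue
      if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
        ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
        continue
      fi
      if [[ ${action} != "ACCEPT" && ${action} != "DROP" && ${action} != "REJECT" ]]; then
        ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
        continue
      fi
      rule_args=()
      if [[ ${direction} == "IN" ]]; then
        chain="${InFilter}"
        [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-i "${interface}")
      else
        chain="${OutFilter}"
        [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-o "${interface}")
      fi
      # Protocol must precede the port matches.
      [[ -n ${protocol} && ${protocol} != "-" ]] && rule_args+=(-p "${protocol}")
      [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && rule_args+=(-s "${srcaddress}")
      [[ -n ${srcport} && ${srcport} != "-" ]] && rule_args+=(--sport "${srcport}")
      [[ -n ${dstaddress} && ${dstaddress} != "-" ]] && rule_args+=(-d "${dstaddress}")
      [[ -n ${dstport} && ${dstport} != "-" ]] && rule_args+=(--dport "${dstport}")
      target=("${action}")
      # --reject-with tcp-reset is only valid for tcp. The old code added it
      # to every REJECT, so iptables refused REJECT rules for other protocols.
      [[ ${action} == "REJECT" && ${protocol} == "tcp" ]] && target=(REJECT --reject-with tcp-reset)
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${chain} ${rule_args[*]} -j ${target[*]}"
      ${VER_IPTABLES} -A "${chain}" "${rule_args[@]}" -j "${target[@]}"
    done < "${acl_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}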
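# enable_forwarding (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/forward.conf into FwdFilter. Line format:
#   ACCEPT|DROP <src-interface|-> <src-address|-> <dst-interface|-> <dst-address|-> <yes|no|->
# '-' (or an absent field) omits that match; a trailing 'yes' also adds the
# mirrored rule for the reverse direction. With connection tracking enabled
# for the stack, ACCEPT rules carry a state match; DROP rules never do.
# NOTE(review): that state match is ESTABLISHED,RELATED only, so NEW
# forwarded connections are not accepted by these rules — confirm intended.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, Enablev4ConnectionTracking /
#          Enablev6ConnectionTracking, M_STATE / C_STATE, FwdFilter, display,
#          debug (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_forwarding {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local fwd_conf="${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
  local base_state="" state
  local action srcinterface srcaddress dstinterface dstaddress bidirectional
  local -a fwd_args rev_args
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${fwd_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${fwd_conf} successful"
    if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
       || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      base_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
    fi
    while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional; do
      [[ -z ${action} || ${action} == "#"* ]] && continue
      if [[ ${action} != "ACCEPT" && ${action} != "DROP" ]]; then
        # The old message named acl.conf and printed srcaddress twice.
        ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
        continue
      fi
      # Rebuilt for every line: the old code let the rev* values leak from
      # the previous entry and, after the first DROP line, left the state
      # match cleared for every later ACCEPT.
      fwd_args=(); rev_args=()
      if [[ -n ${srcinterface} && ${srcinterface} != "-" ]]; then
        fwd_args+=(-i "${srcinterface}"); rev_args+=(-o "${srcinterface}")
      fi
      if [[ -n ${srcaddress} && ${srcaddress} != "-" ]]; then
        fwd_args+=(-s "${srcaddress}"); rev_args+=(-d "${srcaddress}")
      fi
      if [[ -n ${dstinterface} && ${dstinterface} != "-" ]]; then
        fwd_args+=(-o "${dstinterface}"); rev_args+=(-i "${dstinterface}")
      fi
      if [[ -n ${dstaddress} && ${dstaddress} != "-" ]]; then
        fwd_args+=(-d "${dstaddress}"); rev_args+=(-s "${dstaddress}")
      fi
      state="${base_state}"
      [[ ${action} == "DROP" ]] && state=""
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${action} ${fwd_args[*]} bidirectional=${bidirectional}"
      # ${state} is intentionally unquoted: empty adds nothing, otherwise it
      # splits into "-m state --state ...".
      ${VER_IPTABLES} -A "${FwdFilter}" "${fwd_args[@]}" ${state} -j "${action}"
      if [[ ${bidirectional} == "yes" ]]; then
        ${VER_IPTABLES} -A "${FwdFilter}" "${rev_args[@]}" ${state} -j "${action}"
      fi
    done < "${fwd_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}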
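# enable_nat (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/nat.conf into the NAT chain of the nat table and
# add a matching RELATED,ESTABLISHED accept to FwdFilter for each entry.
# Requires connection tracking for the stack; returns 1 otherwise. Line format:
#   SNAT|MASQ|NETMAP <src-interface|-> <src-address|-> <dst-interface|-> <dst-address|->
# MASQ needs a destination interface, SNAT a destination (--to-source)
# address, NETMAP both a source (matched with -d) and a destination (--to)
# address.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, Enablev4ConnectionTracking /
#          Enablev6ConnectionTracking, M_STATE / C_STATE, NAT / FwdFilter,
#          display, debug (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_nat {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local nat_conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
  local type srcinterface srcaddress dstinterface dstaddress
  local -a addr_args target in_args out_args to_args
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} != "yes" ]]; then
    ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no"
    return 1
  fi
  if [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} != "yes" ]]; then
    ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no"
    return 1
  fi
  if [[ -e "${nat_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${nat_conf} successful"
    while read -r type srcinterface srcaddress dstinterface dstaddress; do
      [[ -z ${type} || ${type} == "#"* ]] && continue
      # Reset per line so a rejected or partial entry cannot leak its target
      # or addresses into the next one (the old code reused a stale action).
      addr_args=(); target=(); in_args=(); out_args=(); to_args=()
      case ${type} in
        MASQ)
          if [[ -z ${dstinterface} || ${dstinterface} == "-" ]]; then
            ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
            continue
          fi
          target=(-j MASQUERADE)
          [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && addr_args=(-s "${srcaddress}")
          ;;
        SNAT)
          if [[ -z ${dstaddress} || ${dstaddress} == "-" ]]; then
            ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
            continue
          fi
          target=(-j SNAT)
          to_args=(--to-source "${dstaddress}")
          [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && addr_args=(-s "${srcaddress}")
          ;;
        NETMAP)
          if [[ -z ${srcaddress} || ${srcaddress} == "-" || -z ${dstaddress} || ${dstaddress} == "-" ]]; then
            ${display} RED "nat.conf: Error - NETMAP rule needs both a source and a destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
            continue
          fi
          target=(-j NETMAP)
          addr_args=(-d "${srcaddress}")
          to_args=(--to "${dstaddress}")
          ;;
        *)
          ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
          continue
          ;;
      esac
      [[ -n ${srcinterface} && ${srcinterface} != "-" ]] && in_args=(-i "${srcinterface}")
      [[ -n ${dstinterface} && ${dstinterface} != "-" ]] && out_args=(-o "${dstinterface}")
      # The old debug line printed variables from enable_filtering's scope.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${type} ${in_args[*]} ${addr_args[*]} ${out_args[*]} ${to_args[*]}"
      ${VER_IPTABLES} -A "${NAT}" -t nat "${addr_args[@]}" "${target[@]}" "${out_args[@]}" "${to_args[@]}"
      # NOTE(review): for NETMAP this forward accept inherits the -d match
      # from addr_args, exactly as the previous code did — confirm intended.
      ${VER_IPTABLES} -A "${FwdFilter}" ${M_STATE} ${C_STATE} RELATED,ESTABLISHED "${in_args[@]}" "${addr_args[@]}" "${out_args[@]}" -j ACCEPT
    done < "${nat_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}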
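# enable_services (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/services.conf into InFilter, one ACCEPT per line.
# Line format:
#   <port|name|port,port,...> <protocol> <interface|-> <local-address|-> <source-address|->
# A comma-separated port list uses the multiport match. '-' (or an absent
# field) omits that match. With connection tracking enabled for the stack the
# rule only matches NEW connections.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, Enablev4ConnectionTracking /
#          Enablev6ConnectionTracking, M_STATE / C_STATE, InFilter, display,
#          debug (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_services {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local services_conf="${FWCONFIGDIR}/ipv${IPVER}/services.conf"
  # Local and initialised: the old global was left stale by earlier functions.
  local conntrack_state=""
  local service protocol interface address srcaddress
  local -a rule_args
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${services_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${services_conf} successful"
    if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
       || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      conntrack_state="${M_STATE} ${C_STATE} NEW"
    fi
    while read -r service protocol interface address srcaddress; do
      [[ -z ${service} || ${service} == "#"* ]] && continue
      if [[ ${service} == "-" ]]; then
        ${display} RED "services.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ -z ${protocol} || ${protocol} == "-" ]]; then
        ${display} RED "services.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      rule_args=(-p "${protocol}")
      # A comma-separated list needs the multiport match.
      if [[ ${service} == *,* ]]; then
        rule_args+=(-m multiport --dports "${service}")
      else
        rule_args+=(--dport "${service}")
      fi
      [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-i "${interface}")
      # The local address the service listens on. The old code stored this
      # in srcaddress by mistake and produced an unloadable rule.
      [[ -n ${address} && ${address} != "-" ]] && rule_args+=(-d "${address}")
      [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && rule_args+=(-s "${srcaddress}")
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${rule_args[*]}"
      # ${conntrack_state} is intentionally unquoted (empty adds nothing).
      ${VER_IPTABLES} -A "${InFilter}" "${rule_args[@]}" ${conntrack_state} -j ACCEPT
    done < "${services_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}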
# enable_conntrack_int (ipv4|ipv6) (all|"iface [iface ...]")
# Add the connection-tracking rules to InPreRules/OutPreRules: accept
# ESTABLISHED,RELATED and drop INVALID, either for every interface ("all") or
# restricted with -i/-o to each interface in the given list.
# Globals: IPTABLES / IP6TABLES, M_STATE / C_STATE, InPreRules / OutPreRules,
#          debug (read); IP_VERSION / VER_IPTABLES / IPVER / conntrack_int (written)
function enable_conntrack_int {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  conntrack_int="$2"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  # "all" is handled as a single pass with no interface match; otherwise
  # the (deliberately unquoted) list yields one pass per interface.
  if [[ ${conntrack_int} == "all" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
    iface_list=("")
  else
    iface_list=(${conntrack_int})
  fi
  for iface in "${iface_list[@]}"; do
    out_if=(); in_if=()
    if [[ -n ${iface} ]]; then
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${iface}"
      out_if=(-o "${iface}"); in_if=(-i "${iface}")
    fi
    ${VER_IPTABLES} -A ${OutPreRules} "${out_if[@]}" ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} "${in_if[@]}" ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${OutPreRules} "${out_if[@]}" ${M_STATE} ${C_STATE} INVALID -j DROP
    ${VER_IPTABLES} -A ${InPreRules} "${in_if[@]}" ${M_STATE} ${C_STATE} INVALID -j DROP
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
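# enable_portfw (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv<N>/portfw.conf: for each line add a DNAT rule to the
# PortForward chain (nat table) and an ACCEPT for the same match to InFilter.
# Line format:
#   <ext-port> <protocol> <internal-ip> <internal-port|-> <interface|-> <ext-address|-> <source-address|->
# '-' (or an absent field) omits that match; an internal port of '-' keeps
# the original destination port.
# NOTE(review): the InFilter accept is on the INPUT chain and matches the
# pre-DNAT external port/address; traffic forwarded to another host passes
# through FORWARD instead — confirm the intended coverage.
# NOTE(review): ip6tables expects "[addr]:port" for an IPv6 target with a
# port; that form is not produced here.
# Globals: IPTABLES / IP6TABLES, FWCONFIGDIR, Enablev4ConnectionTracking /
#          Enablev6ConnectionTracking, M_STATE / C_STATE, PortForward /
#          InFilter, display, debug (read); IP_VERSION / VER_IPTABLES / IPVER (written)
function enable_portfw {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local portfw_conf="${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
  # Local and initialised: the old global was left stale by earlier functions.
  local conntrack_state=""
  local service protocol intip intport interface address srcaddress intdest
  local -a rule_args
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${portfw_conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${portfw_conf} successful"
    if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] \
       || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      conntrack_state="${M_STATE} ${C_STATE} NEW"
    fi
    while read -r service protocol intip intport interface address srcaddress; do
      [[ -z ${service} || ${service} == "#"* ]] && continue
      # The old messages named service.conf; this file is portfw.conf.
      if [[ ${service} == "-" ]]; then
        ${display} RED "portfw.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ -z ${protocol} || ${protocol} == "-" ]]; then
        ${display} RED "portfw.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ -z ${intip} || ${intip} == "-" ]]; then
        # DNAT needs a target; the old code silently reused the previous
        # line's --to-destination here.
        ${display} RED "portfw.conf: Error - internal address can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      intdest="${intip}"
      [[ -n ${intport} && ${intport} != "-" ]] && intdest="${intip}:${intport}"
      rule_args=(-p "${protocol}" --dport "${service}")
      [[ -n ${interface} && ${interface} != "-" ]] && rule_args+=(-i "${interface}")
      [[ -n ${address} && ${address} != "-" ]] && rule_args+=(-d "${address}")
      [[ -n ${srcaddress} && ${srcaddress} != "-" ]] && rule_args+=(-s "${srcaddress}")
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${rule_args[*]} -> ${intdest}"
      ${VER_IPTABLES} -A "${PortForward}" -t nat "${rule_args[@]}" -j DNAT --to-destination "${intdest}"
      # ${conntrack_state} is intentionally unquoted (empty adds nothing).
      ${VER_IPTABLES} -A "${InFilter}" "${rule_args[@]}" ${conntrack_state} -j ACCEPT
    done < "${portfw_conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}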