@@ -1,4 +1,8 @@ | |||
2.00 Alpha 1 | |||
2.00 Alpha 2 - 04/11/2014 | |||
- Slightly better documentation | |||
- Module loading for netfilter helpers | |||
2.00 Alpha 1 - 04/10/2014 | |||
- Complete code rewrite and restructure to solve some long standing issues with v1 | |||
- Separate out functions into support files for easier grouping of what they do | |||
- Make more compatible with multiple disto file layouts | |||
@@ -31,6 +31,7 @@ FWBINDIR="${FWPREFIX}/bin" | |||
source "${FWLIBDIR}/binaries.inc" | |||
source "${FWLIBDIR}/iptables.inc" | |||
source "${FWLIBDIR}/display.inc" | |||
source "${FWLIBDIR}/kernel.inc" | |||
source "${FWCONFIGDIR}/main.conf" | |||
@@ -46,10 +47,10 @@ source "${FWCONFIGDIR}/ipv6.conf" | |||
[[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf" | |||
# We require at least bash v3 or later at this point given some of the more complex | |||
# We require at least bash v2 or later at this point given some of the more complex | |||
# operations we do to make the firewall script work. | |||
if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" | |||
echo "Error: We can only run with bash 2.0 or higher. Please upgrade your version" | |||
echo "of bash to something more recent, preferably the latest which is, as of this" | |||
echo "writing, 4.x" | |||
exit 1 | |||
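Review bot: The comment and error text in this hunk disagree with the check they describe on at least one side of the change: `(( ${BASH_VERSINFO[0]} <= "2" ))` exits for every bash 2.x, so only the "bash v3" / "3.0 or higher" wording is accurate, and if this rendered page prints removed lines before added ones the commit is replacing the correct wording with `We can only run with bash 2.0 or higher`; keep `# We require at least bash v3 or later at this point given some of the more complex` and `echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"`. The context line at the top of the hunk also carries a quoting slip the commit leaves in place: `[[ -e "{FWCONFIGDIR}/ipv6/local.conf" ]] && source "{FWCONFIGDIR}/ipv6/local.conf"` is missing the `$` on both `{FWCONFIGDIR}` references, so it tests and sources a literal relative path and the local ipv6 overrides are presumably never read; it should be `[[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"`. The `if` block and the other `source` lines continue outside the hunk.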
@@ -178,7 +179,11 @@ if [ "${EnableIPv4}" == "yes" ]; then | |||
Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT} | |||
Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT} | |||
Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT} | |||
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy} | |||
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy} | |||
([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \ | |||
&& load_kernel_modules "${Loadv4NetfilterModules}" | |||
([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \ | |||
&& [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}" | |||
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4 | |||
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \ | |||
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}" | |||
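Review bot: `load_kernel_modules "${Loadv4NetfilterModules}"` on the added lines passes the module list as the first argument, but `load_kernel_modules` in the new kernel.inc reads it from the second (`LOAD_MODULES="${2}"`), so `LOAD_MODULES` is empty and no helper module is ever loaded; the ipv6 hunk has the same mismatch for `${Loadv6NetfilterModules}` and `${Loadv6NetfilterModulesNAT}`, and the kernel.inc hunk is the other half of it. The sibling calls here pass the IP version first (`enable_mss_clamp ipv4`, `enable_conntrack_int ipv4 "..."`), so the likely intended fix is `load_kernel_modules ipv4 "${Loadv4NetfilterModules}"` and `load_kernel_modules ipv4 "${Loadv4NetfilterModulesNAT}"` (alternatively read `${1}` in kernel.inc, but not both). The `( [[ … ]] && [[ … ]] )` grouping also forks a subshell just to combine two tests; `[[ ${Enablev4NetfilterModules} == "yes" && ${Enablev4ConnectionTracking} == "yes" ]] && load_kernel_modules …` is equivalent without the fork. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block starts and ends outside the hunk.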
@@ -208,6 +213,10 @@ if [ "${EnableIPv6}" == "yes" ]; then | |||
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT} | |||
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT} | |||
default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy} | |||
([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \ | |||
&& load_kernel_modules "${Loadv6NetfilterModules}" | |||
([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \ | |||
&& [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}" | |||
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6 | |||
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \ | |||
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}" | |||
@@ -29,7 +29,8 @@ Enablev4MSSClamp="yes" | |||
# packets it allows and refuses. On highly loaded systems or | |||
# ones with low memory, this may be desirable. Everyone else | |||
# should probably leave this on. | |||
# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces | |||
# Depended on by: Enablev4NAT Enablev4ConnTrackInterfaces Enablev4NetfilterModules | |||
# Loadv4NetfilterModules | |||
# Values: no | yes (default) | |||
Enablev4ConnectionTracking="yes" | |||
@@ -97,6 +98,26 @@ Enablev4NAT="yes" | |||
# Values: no | yes (default) | |||
Enablev4PortForwarding="yes" | |||
# Enable loading of helper modules | |||
# Load kernel modules for various helpers/ALGs that netfilter | |||
# has available. You may need to modify the Loadv4NetfilterModules | |||
# option as sometimes kernel modules may not exist or be renamed on | |||
# a particular system. | |||
# Values: no | yes (default) | |||
Enablev4NetfilterModules="yes" | |||
# List of kernel netfilter modules to Load | |||
# Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc | |||
# nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre | |||
# nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip | |||
# nf_conntrack_broadcast | |||
Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast" | |||
# These are loaded as well if you have Enablev4NAT set to yes | |||
# Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp | |||
# nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip | |||
Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip" | |||
# Default policy for filtering rules | |||
# netfilter/iptables has a default policy that can be set, such as | |||
# DROP all unless it is explicitly allowed via rules. | |||
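Review bot: The default on the new `Loadv4NetfilterModules` line, together with `Enablev4NetfilterModules="yes"` and the `yes` default of `Enablev4ConnectionTracking`, loads every conntrack ALG helper (ftp, h323, irc, pptp, sip, …) on every install, and each of those helpers parses untrusted packet payloads inside the kernel, so a host that carries none of those protocols gains attack surface for no benefit. The new comment only warns that module names may differ per system; it should also tell the administrator to trim the list, e.g. `# Only list the helpers you actually need: each one inspects untrusted traffic in the kernel.`, or the option could default to `no` as the ipv6 file already does. As far as I know newer kernels also stop attaching helpers to connections automatically once the module is loaded, so the comment should not imply that loading alone enables the ALG; worth a hedged sentence there.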
@@ -97,6 +97,25 @@ Enablev6NAT="yes" | |||
# Values: no | yes (default) | |||
Enablev6PortForwarding="yes" | |||
# Enable loading of helper modules | |||
# Load kernel modules for various helpers/ALGs that netfilter | |||
# has available. You may need to modify the Loadv4NetfilterModules | |||
# option as sometimes kernel modules may not exist or be renamed on | |||
# a particular system. | |||
# This is set to no by default on ipv6 because on my test system, I do not | |||
# see any usable helper modules for ipv6 use. Obviously this may change | |||
# in the future. | |||
# Values: no (default) | yes | |||
Enablev6NetfilterModules="no" | |||
# List of kernel netfilter modules to Load | |||
# Default: none | |||
Loadv6NetfilterModules="" | |||
# These are loaded as well if you have Enablev4NAT set to yes | |||
# Default: none | |||
Loadv6NetfilterModulesNAT="" | |||
# Default policy for filtering rules | |||
# netfilter/iptables has a default policy that can be set, such as | |||
# DROP all unless it is explicitly allowed via rules. | |||
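Review bot: Two of the new comment lines in this ipv6 hunk still name the ipv4 options: `# has available. You may need to modify the Loadv4NetfilterModules` should read `Loadv6NetfilterModules`, and `# These are loaded as well if you have Enablev4NAT set to yes` should read `Enablev6NAT`, since the settings below them are `Loadv6NetfilterModules` and `Loadv6NetfilterModulesNAT` and the main script gates the NAT list on `${Enablev6NAT}`. The rest of the comment block reads fine as documentation.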
@@ -60,7 +60,7 @@ function default_policy_set { | |||
ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
esac | |||
${display} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..." | |||
${VER_IPTABLES} --policy INPUT ${INPOLICY} | |||
${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY} | |||
${VER_IPTABLES} --policy FORWARD ${FWDPOLICY} | |||
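Review bot: The new display line announces that INPUT, OUTPUT and FORWARD are being set to `${INPOLICY}`, `${OUTPOLICY}` and `${FWDPOLICY}` before the three `--policy` calls that follow, but none of those calls is checked, so a value iptables rejects (a built-in chain policy must be ACCEPT or DROP, and the values arrive unquoted from config defaults such as `Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}`) prints a success-looking message while the previous policy stays in effect. Quoting the values and propagating the status on each of the three lines, e.g. `${VER_IPTABLES} --policy INPUT "${INPOLICY}" || return 1`, keeps the message honest. `default_policy_set` starts before the hunk and its body may continue after it.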
@@ -0,0 +1,28 @@ | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
function load_kernel_modules { | |||
LOAD_MODULES="${2}" | |||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" | |||
for i in $LOAD_MODULES; do | |||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Loading kernel module ${i}..." | |||
${MODPROBE} ${i} | |||
done | |||
} |
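Review bot: `load_kernel_modules` ignores the exit status of `${MODPROBE} ${i}`, even though the config comments added in this commit say modules "may not exist or be renamed on a particular system", so a missing helper is logged as "Loading" and then silently skipped with nothing in the output to say it was not loaded. `LOAD_MODULES` and the loop variable `i` are also left global in a function that is sourced into the main script, and `${i}` is passed to modprobe unquoted. The rewrite below localises both variables, quotes the module name and reports a failed modprobe through `${display}`, which the other include files already use for messages.
```shell
function load_kernel_modules {
  local LOAD_MODULES="${2}"
  local i
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  # Word-splitting is intended here: the config value is a space-separated list.
  for i in ${LOAD_MODULES}; do
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Loading kernel module ${i}..."
    "${MODPROBE}" "${i}" || ${display} RED "${FUNCNAME}: failed to load kernel module ${i}"
  done
}
```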