More framework

bbruns@gmail.com 2014-03-29 16:39:06 +00:00
parent a1852a5e66
commit 8533148fa3
18 changed files with 124 additions and 49 deletions


@ -1,42 +1,14 @@
# Chain name mapping
# Don't change these unless you know what your doing
InCustomPreRules="In-CustomPreRules"
InPreRules="In-PreRules"
OutCustomPreRules="Out-CustomPreRules"
OutPreRules="Out-PreRules"
Trusted="In-Trusted"
InEasyBlock="In-EasyBlock"
OutEasyBlock="Out-EasyBlock"
InCustomFilter="In-CustomFilter"
OutCustomFilter="Out-CustomFilter"
FwdCustomFilter="Fwd-CustomFilter"
InFilter="In-Filter"
OutFilter="Out-Filter"
CustomPostRouting="CustomPostRouting"
NAT="NAT"
CustomPreRouting="Custom-PreRouting"
PortForward="PortForward"
InCustomPostRules="In-CustomPostRules"
InPostRules="In-PostRules"
OutCustomOstRules="Out-CustomPostRules"
OutPostRules="Out-PostRules"
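Review bot: `OutCustomOstRules="Out-CustomPostRules"` misnames the variable — setup_iptables_chains creates and jumps to `${OutCustomPostRules}`, which therefore expands empty, so the `-N` and `-A OUTPUT -j` calls for that chain become malformed iptables commands and the OUTPUT post-rules custom hook point is never wired; rename it `OutCustomPostRules="Out-CustomPostRules"`. The mapping as rendered also has no `FwdFilter` entry although the script runs `-N ${FwdFilter}` and `-A FORWARD -j ${FwdFilter}`; if that line is not among the 14 new lines, add one such as `FwdFilter="Fwd-Filter"` (chain name to be confirmed). Because every chain name is taken from these variables, an unset one degrades into an iptables error the loader may not stop on, leaving a partially built ruleset; running the loader with `set -u`, or guarding with `: "${OutCustomPostRules:?}"`, would turn such typos into a hard failure. The file name of this section is not shown and which visible lines are removed versus added cannot be told from the rendering, so the `FwdFilter` point is inferred.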

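--- a/etc/ipv4/custom.conf
+++ b/etc/ipv4/custom.conf
@@ -0,0 +1,14 @@
+# These are the custom files that can be used to inject rules during loading. Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
+$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
+$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
+$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
+$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
+$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
+$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
+$v4_Custom_Post="$V4CUSTPREFIX/postrun.sh"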
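Review bot: `$V4CUSTPREFIX="${FWPREFIX}/ipv4/"` and the seven lines below it are not shell assignments — the leading `$` makes the shell expand the (still empty) variable and then try to execute `="…"` as a command, so when this file is sourced nothing is set and every `v4_Custom_*` hook path stays empty; drop the `$` on the left-hand side, e.g. `V4CUSTPREFIX="${FWPREFIX}/ipv4"` and `v4_Custom_Pre="${V4CUSTPREFIX}/prerun.sh"`. The prefix also resolves to `…/ipv4/` while the hook files added in this commit live under `etc/ipv4/custom/`; if FWPREFIX is the etc directory these paths will never match, so either add `custom/` to the prefix or move the files. Since these values name files that the loader will `source` with its own privileges, the header comment should state that hooks execute as the firewall user (root, presumably) and must remain owned by that user and not writable by anyone else.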


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the easyblock in/out rules are setup


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main filter rules are set up

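--- a/etc/ipv4/custom/nat.sh
+++ b/etc/ipv4/custom/nat.sh
@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main nat rules are set up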


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main port forwardings are set up


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the final post rules are set up


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main chains are setup.


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the trusted chains are set up

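--- a/etc/ipv6/custom.conf
+++ b/etc/ipv6/custom.conf
@@ -0,0 +1,14 @@
+# These are the custom files that can be used to inject rules during loading. Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
+$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
+$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
+$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
+$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
+$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
+$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
+$v6_Custom_Post="$V6CUSTPREFIX/postrun.sh"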
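Review bot: `$V6CUSTPREFIX="${FWPREFIX}/ipv6/"` and the lines below it carry a `$` on the left-hand side, so they are command lines rather than assignments — the shell expands the empty variable and tries to run `="…"`, leaving every `v6_Custom_*` hook path unset when this file is sourced; write them as `V6CUSTPREFIX="${FWPREFIX}/ipv6"` and `v6_Custom_Pre="${V6CUSTPREFIX}/prerun.sh"`. The prefix also omits the `custom/` directory under which the ipv6 hook files are added in this commit, so if FWPREFIX is the etc directory none of the hooks will be found. Because the loader sources whatever these paths name with its own privileges, the header should note that the hooks run as the firewall user and must stay owned by it and not writable by others.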


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the easyblock in/out rules are setup


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main filter rules are set up

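--- a/etc/ipv6/custom/nat.sh
+++ b/etc/ipv6/custom/nat.sh
@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before the main nat rules are set up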


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main port forwardings are set up


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the final post rules are set up


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the main chains are setup.


@ -0,0 +1,6 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before the trusted chains are set up


@ -60,54 +60,45 @@ function iptables_policy_reset {
function setup_iptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
# Create the actual chains
${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InCustomPreRules}
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutCustomPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InCustomFilter}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutCustomFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdCustomFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${CustomPostRouting}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${CustomPreRouting}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutCustomPostRules}
${VER_IPTABLES} -N ${OutPostRules}
# Set up rules - the order matters - we do it separately here
# for easy viewing of order
${VER_IPTABLES} -A INPUT -j ${InCustomPreRules}
if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
${VER_IPTABLES} -A INPUT -j ${InPreRules}
${VER_IPTABLES} -A OUTPUT -j ${OutCustomPreRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
${VER_IPTABLES} -A INPUT -j ${Trusted}
if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
${VER_IPTABLES} -A INPUT -j ${InCustomFilter}
if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
${VER_IPTABLES} -A INPUT -j ${InFilter}
${VER_IPTABLES} -A OUTPUT -j ${OutCustomFilter}
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${VER_IPTABLES} -A FORWARD -j ${FwdCustomFilter}
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
${VER_IPTABLES} -A POSTROUTING -j ${CustomPostRouting}
if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
${VER_IPTABLES} -A POSTROUTING -j ${NAT}
${VER_IPTABLES} -A PREROUTING -j ${CustomPreRouting}
if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
${VER_IPTABLES} -A PREROUTING -j ${PortForward}
${VER_IPTABLES} -A INPUT -j ${InCustomPostRules}
if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${VER_IPTABLES} -A OUTPUT -j ${OutCustomPostRules}
${VER_IPTABLES} -A OUTPUT -j${OutPostRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
}
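Review bot: `${v${IPVER}_Custom_Pre}` and the six sibling lines are not valid bash — a parameter name cannot be built by nesting an expansion, so each of these lines aborts with "bad substitution" and no hook is ever sourced; the name has to be assembled first and dereferenced with `${!var}`, as in the helper below. The unquoted test `[ -x ${…} ]` is a second problem: with an empty value it collapses to `[ -x ]`, which is true, and the following bare `.` then fails with "filename argument required". Since `.` runs the hook with the loader's privileges (root, presumably), `-x` alone is not a trust check — the helper additionally refuses files not owned by the invoking user, and a check that the file is not group/world-writable would be worth adding. Only `${display_c} GREEN` is visible in this hunk, so the helper reports the refusal on stderr rather than assuming a RED variant exists. Separately, the `-N ${NAT}`, `-A POSTROUTING` and `-A PREROUTING` calls run without `-t nat` and so target the filter table, which has no PREROUTING/POSTROUTING chains; that looks pre-existing rather than introduced here, but it is worth fixing while this function is being reworked.

```shell
# Placed above setup_iptables_chains. Sources the optional hook whose path is held in
# the variable v${IPVER}_<name> (e.g. v4_Custom_Pre). Hooks execute with this script's
# privileges, so only executable files owned by the running user are accepted; anything
# else is skipped, with a notice when the ownership check is what failed.
run_custom_hook() {
    local var="v${IPVER}_$1" hook
    hook="${!var}"
    [ -n "${hook}" ] || return 0
    [ -x "${hook}" ] || return 0    # hook not present or not enabled
    if [ ! -O "${hook}" ]; then
        echo "srfirewall: refusing to source ${hook}: not owned by the running user" >&2
        return 0
    fi
    . "${hook}"
}

function setup_iptables_chains {
# … unchanged: IP_VERSION case and chain creation …
${VER_IPTABLES} -A INPUT -j ${InCustomPreRules}
run_custom_hook Custom_Pre
# … unchanged: remaining chain wiring; each `if [ -x ${v${IPVER}_Custom_X} ] …` line becomes `run_custom_hook Custom_X` …
}
```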