bbruns@gmail.com 2014-03-30 16:16:22 +00:00
parent 75472cf87f
commit ac31e43197
6 changed files with 104 additions and 22 deletions


@ -49,16 +49,24 @@ fi
# Swap out display_c command for dummy command if they don't want # Swap out display_c command for dummy command if they don't want
# output when command is run. # output when command is run.
if [[ "${DisplayDetailedOutput}" == "yes" ]]; then if [ "${DisplayDetailedOutput}" == "yes" ]; then
display="display_c" if [ "${ColorizeOut}" == "yes" ]; then
else display="display_c"
else
display="display_m"
fi
else
display="true" display="true"
fi fi
# Swap out display_c command for dummy command if they don't want # Swap out display_c command for dummy command if they don't want
# debug output when command is run. # debug output when command is run.
if [[ "${DisplayDebugInfo}" == "yes" ]]; then if [ "${DisplayDebugInfo}" == "yes" ]; then
debug="display_c" if [ "${ColorizeOut}" == "yes" ]; then
debug="display_c"
else
debug="display_m"
fi
else else
debug="true" debug="true"
fi fi
@ -68,6 +76,8 @@ fi
# exit 2 # exit 2
#fi #fi
# Basic sanity tests for ip{6}tables binaries and modules
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "iptables command not found. Please make sure you have the iptables" ${display} RED "iptables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IPTABLES option properly" ${display} RED "installed (package or source) and you have the IPTABLES option properly"
@ -105,21 +115,44 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
fi fi
fi fi
if [[ "${EnableIPv4}" == "yes" ]]; then # Set up proper state matching variables, since there is old and new style.
if [ "$StateMatching" ]; then
case $StateMatching in
conntrack|CONNTRACK|*)
M_STATE="-m conntrack"
C_STATE="--ctstate"
;;
state|STATE)
M_STATE="-m state"
C_STATE="--state"
esac
else
M_STATE="-m conntrack"
C_STATE="--ctstate"
fi
# Do IPv4 IPTables Rules
if [ "${EnableIPv4}" == "yes" ]; then
# First flush all rules # First flush all rules
iptables_rules_flush ipv4 iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be # Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules # customized by users in their custom rules
setup_iptables_chains ipv4 setup_iptables_chains ipv4
if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi
fi fi
if [[ "${EnableIPv6}" == "yes" ]]; then # Do IPv4 IPTables Rules
if [ "${EnableIPv6}" == "yes" ]; then
# First flush all rules # First flush all rules
iptables_rules_flush ipv6 iptables_rules_flush ipv6
# Create the chain sets we'll need and the ones that can be # Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules # customized by users in their custom rules
setup_iptables_chains ipv6 setup_iptables_chains ipv6
if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi
fi fi
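Review bot: The new `case $StateMatching in` block makes its `state|STATE)` arm unreachable, because the first pattern `conntrack|CONNTRACK|*)` contains `*` and so matches every value; setting `StateMatching="state"` silently produces `-m conntrack --ctstate`. Put the specific arm first and let the wildcard close the case: `state|STATE) M_STATE="-m state"; C_STATE="--state" ;;` followed by `*) M_STATE="-m conntrack"; C_STATE="--ctstate" ;;`, which also lets the outer `if [ "$StateMatching" ]`/`else` duplicate of the conntrack default be dropped. Unrelated but in the same hunk: the comment introducing the IPv6 block reads `# Do IPv4 IPTables Rules` and should say IPv6.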


@ -1,2 +1,7 @@
# IPv4 Specific Configuration File # IPv4 Specific Configuration File
# #
# Allow everything over loopback (lo/127.0.0.0/8)
# Good idea to keep this turned on, but if you so wish to,
# you can disable it here.
AllowAllv4Loopback="yes"


@ -1,2 +1,7 @@
# IPv4 Specific Configuration File # IPv4 Specific Configuration File
# #
# Allow everything over loopback (lo ::1/28)
# Good idea to keep this turned on, but if you so wish to,
# you can disable it here.
AllowAllv6Loopback="yes"
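Review bot: The comments added to the IPv6 config carry copy-paste errors: the header line still says `# IPv4 Specific Configuration File`, and the loopback address is written as `::1/28`, which is not the IPv6 loopback (that is `::1/128`). Suggest `# IPv6 Specific Configuration File` and `# Allow everything over loopback (lo / ::1/128)`. A wrong prefix is only a comment today, but it is exactly what gets pasted into a rule the first time someone writes an address-based loopback match from this file.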


@ -4,22 +4,38 @@
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
# Enable / Disable IPv4 and IPv6 support (yes/no) # Enable / Disable IPv4 and IPv6 support (yes/no)
# Values: no | yes (both default)
EnableIPv4="yes" EnableIPv4="yes"
EnableIPv6="yes" EnableIPv6="yes"
# Display detailed output while running script? # Display detailed output while running script?
# Values: no | yes (default)
DisplayDetailedOutput="yes" DisplayDetailedOutput="yes"
# Display alot of extra debugging info? # Display alot of extra debugging info?
# Values: no (default) | yes
DisplayDebugInfo="yes" DisplayDebugInfo="yes"
# Debug Override? # Debug Override?
# I use this command to disable checks while debugging scripts # I use this command to disable checks while debugging scripts
# where I don't want certain sanity checks to run. Normally, # where I don't want certain sanity checks to run. Normally,
# keep this off in production # keep this off in production
# Values: no (default) | yes
DebugOverride="no" DebugOverride="no"
# Colorize output?
# Values: no | yes (default)
ColorizeOut="yes"
# Color of debug output?
DebugColor="PURPLE"
# Manually override location of iptables/ip6tables if needed # Manually override location of iptables/ip6tables if needed
# otherwise detect automatically with 'which' # otherwise detect automatically with 'which'
#IPTABLES="/sbin/iptables" #IPTABLES="/sbin/iptables"
#IP6TABLES="/sbin/ip6tables" #IP6TABLES="/sbin/ip6tables"
# There are two types of state matches available, old style
# state matching using '--state' and new style '--ctstate'
# Values: state | conntrack (default)
StateMatching="conntrack"
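Review bot: The new `# Values: no (default) | yes` comment for `DisplayDebugInfo` contradicts the shipped value on the next line, `DisplayDebugInfo="yes"`; one of the two should change. Given the neighbouring `DebugOverride` comment's own "keep this off in production" guidance, shipping `DisplayDebugInfo="no"` and letting users opt in looks like the safer default; otherwise correct the comment to `# Values: no | yes (default)`. Since these options are evidently consumed as shell variables (how the file is loaded is not visible in this hunk), a one-line reminder that the config must be writable only by root would be a cheap addition to the header.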


@ -45,6 +45,16 @@ function display_c {
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}" echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
} }
# Monochrome version of above
function display_m {
unset TEXT NEWLINE
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e $NEWLINE "$TEXT"
}
# pick_color $COLOR # pick_color $COLOR
# returns appropriate color codes for use in display_c and such # returns appropriate color codes for use in display_c and such
function pick_color { function pick_color {
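Review bot: `display_m` writes `TEXT` and `NEWLINE` as globals (`unset` then assign) instead of function-local variables, so every call clobbers any caller variable of the same name; `local TEXT="$2" NEWLINE=""` followed by `[ "$3" == "N" ] && NEWLINE="-n"` yields the same output without the leak. `display_c` above appears to use the same globals (only its `echo` line is visible here), so if the pattern is deliberate for consistency a one-line comment saying so would help the next reader. `echo -e` also interprets backslash escapes inside the message; callers pass fixed strings today, but `printf '%s\n' "$TEXT"` (or `printf '%s' "$TEXT"` for the no-newline case) would make the helper safe for arbitrary text.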


@ -29,7 +29,7 @@ function iptables_rules_flush {
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac esac
${display} RED "Flushing ${IP_VERSION} rules..." ${display} GREEN "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null ${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null ${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null ${VER_IPTABLES} -F PREROUTING &>/dev/null
@ -84,34 +84,47 @@ function setup_iptables_chains {
# Set up rules - the order matters - we do it separately here # Set up rules - the order matters - we do it separately here
# for easy viewing of order # for easy viewing of order
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
${debug} PURPLE "Setting up InPreRules" ${debug} ${DebugColor} "Setting up InPreRules"
${VER_IPTABLES} -A INPUT -j ${InPreRules} ${VER_IPTABLES} -A INPUT -j ${InPreRules}
${debug} PURPLE "Setting up OutPreRules" ${debug} ${DebugColor} "Setting up OutPreRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/trusted.sh; fi
${debug} PURPLE "Setting up Trusted" ${debug} ${DebugColor} "Setting up Trusted"
${VER_IPTABLES} -A INPUT -j ${Trusted} ${VER_IPTABLES} -A INPUT -j ${Trusted}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
${debug} PURPLE "Setting up InEasyBlock" ${debug} ${DebugColor} "Setting up InEasyBlock"
${VER_IPTABLES} -A INPUT -j ${InEasyBlock} ${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${debug} PURPLE "Setting up OutEasyBlock" ${debug} ${DebugColor} "Setting up OutEasyBlock"
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
${debug} PURPLE "Setting up InFilter" ${debug} ${DebugColor} "Setting up InFilter"
${VER_IPTABLES} -A INPUT -j ${InFilter} ${VER_IPTABLES} -A INPUT -j ${InFilter}
${debug} PURPLE "Setting up OutFilter" ${debug} ${DebugColor} "Setting up OutFilter"
${VER_IPTABLES} -A OUTPUT -j ${OutFilter} ${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${debug} PURPLE "Setting up FwdFilter" ${debug} ${DebugColor} "Setting up FwdFilter"
${VER_IPTABLES} -A FORWARD -j ${FwdFilter} ${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
${debug} PURPLE "Setting up NAT" ${debug} ${DebugColor} "Setting up NAT"
${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT} ${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
${debug} PURPLE "Setting up PortForward" ${debug} ${DebugColor} "Setting up PortForward"
${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward} ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
${debug} PURPLE "Setting up InPostRules" ${debug} ${DebugColor} "Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules} ${VER_IPTABLES} -A INPUT -j ${InPostRules}
${debug} PURPLE "Setting up OutPostRules" ${debug} ${DebugColor} "Setting up OutPostRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
}
function allow_all_loopback {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "allow_all_loopback: loaded"
${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
} }
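Review bot: `allow_all_loopback` accepts everything arriving on `lo` but adds no companion rule against packets that claim a loopback source on any other interface; consider inserting, before the two ACCEPTs, `${VER_IPTABLES} -A ${InPreRules} ! -i lo -s 127.0.0.0/8 -j DROP` when `IPVER` is 4 and `${VER_IPTABLES} -A ${InPreRules} ! -i lo -s ::1/128 -j DROP` when it is 6, which would also give the otherwise unused `IPVER` assignment a purpose. The kernel normally discards such packets as martians, so this is defence in depth rather than a hole, and it is moot if the check already lives in one of the sourced custom scripts (not visible here). Minor: the rules are appended with `-A`, and since the caller invokes this after `setup_iptables_chains` has already sourced `custom/prerun.sh`, the loopback accept lands after any user pre-rules; if it is meant to take precedence, use `-I` or document the ordering in a comment above the function.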