@@ -1,71 +1,71 @@ | |||
#/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# Static config options, normally do not need to change | |||
FW_VERSION="2.0" | |||
# Important directory locations | |||
FWPREFIX="/usr/local" | |||
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall" | |||
FWLIBDIR="${FWPREFIX}/lib/srfirewall" | |||
FWBINDIR="${FWPREFIX}/bin" | |||
# Begin sourcing critical files, because we need things like path right away | |||
source "${FWCONFIGDIR}/main.conf" | |||
source "${FWLIBDIR}/binaries.inc" | |||
source "${FWLIBDIR}/iptables.inc" | |||
source "${FWLIBDIR}/display.inc" | |||
source "${FWCONFIGDIR}/chains.conf" | |||
source "${FWCONFIGDIR}/ipv4.conf" | |||
source "${FWCONFIGDIR}/ipv6.conf" | |||
# We require at least bash v3 or later at this point given some of the more complex | |||
# operations we do to make the firewall script work. | |||
if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" | |||
echo "of bash to something more recent, preferably the latest which is, as of this" | |||
echo "writing, 4.x" | |||
exit 1 | |||
fi | |||
# Swap out display_c command for dummy command if they don't want | |||
# output when command is run. | |||
if [[ "${DisplayDetailedOutput" == "yes" ]]; then | |||
display="display_c" | |||
else | |||
display="true" | |||
fi | |||
if [[ "${EnableIPv4}" == "yes" ]]; then | |||
# First flush all rules | |||
iptables_rules_flush ipv4 | |||
# Create the chain sets we'll need and the ones that can be | |||
# customized by users in their custom rules | |||
setup_iptables_chains ipv4 | |||
fi | |||
if [[ "${EnableIPv6}" == "yes" ]]; then | |||
# First flush all rules | |||
iptables_rules_flush ipv6 | |||
#/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# Static config options, normally do not need to change | |||
FW_VERSION="2.0" | |||
# Important directory locations | |||
FWPREFIX="/usr/local" | |||
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall" | |||
FWLIBDIR="${FWPREFIX}/lib/srfirewall" | |||
FWBINDIR="${FWPREFIX}/bin" | |||
# Begin sourcing critical files, because we need things like path right away | |||
source "${FWCONFIGDIR}/main.conf" | |||
source "${FWLIBDIR}/binaries.inc" | |||
source "${FWLIBDIR}/iptables.inc" | |||
source "${FWLIBDIR}/display.inc" | |||
source "${FWCONFIGDIR}/chains.conf" | |||
source "${FWCONFIGDIR}/ipv4.conf" | |||
source "${FWCONFIGDIR}/ipv6.conf" | |||
# We require at least bash v3 or later at this point given some of the more complex | |||
# operations we do to make the firewall script work. | |||
if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" | |||
echo "of bash to something more recent, preferably the latest which is, as of this" | |||
echo "writing, 4.x" | |||
exit 1 | |||
fi | |||
# Swap out display_c command for dummy command if they don't want | |||
# output when command is run. | |||
if [[ "${DisplayDetailedOutput" == "yes" ]]; then | |||
display="display_c" | |||
else | |||
display="true" | |||
fi | |||
if [[ "${EnableIPv4}" == "yes" ]]; then | |||
# First flush all rules | |||
iptables_rules_flush ipv4 | |||
# Create the chain sets we'll need and the ones that can be | |||
# customized by users in their custom rules | |||
setup_iptables_chains ipv4 | |||
fi | |||
if [[ "${EnableIPv6}" == "yes" ]]; then | |||
# First flush all rules | |||
iptables_rules_flush ipv6 | |||
fi |
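Review bot: The first line of the new side (L61) reads `#/bin/bash` without the `!`, so when the script is executed directly the kernel does not hand it to bash and the `[[ … ]]`, `(( … ))` and `BASH_VERSINFO` constructs below are not guaranteed to work; it should be `#!/bin/bash` like the other files in this commit. Further down, `[[ "${DisplayDetailedOutput" == "yes" ]]` (L105) is missing its closing brace, which bash rejects before a single rule is loaded; the same test also reads a variable that main.conf never sets (that file defines `EnableDetailedOutput`) and stores the result in `display`, while iptables.inc invokes `${display_c}`, so the output toggle is ineffective under any of the three names — pick one name for the config key and one for the dispatcher, e.g. `if [[ "${EnableDetailedOutput}" == "yes" ]]; then display_c_cmd="display_c"; else display_c_cmd="true"; fi`. Both branches call `iptables_rules_flush` without first calling `iptables_policy_reset`, although iptables.inc's own header says to reset policies first so a partially loaded ruleset does not lock the host out or leave it open; the IPv6 branch also flushes without a matching `setup_iptables_chains ipv6` within this hunk, which may be handled past line 71 if the file continues. Old and new sides print identically here, so these issues appear to be carried over rather than introduced by the commit.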
@@ -1,14 +1,14 @@ | |||
# Chain name mapping | |||
# Don't change these unless you know what your doing | |||
InPreRules="In-PreRules" | |||
OutPreRules="Out-PreRules" | |||
Trusted="In-Trusted" | |||
InEasyBlock="In-EasyBlock" | |||
OutEasyBlock="Out-EasyBlock" | |||
InFilter="In-Filter" | |||
OutFilter="Out-Filter" | |||
NAT="NAT" | |||
PortForward="PortForward" | |||
InPostRules="In-PostRules" | |||
# Chain name mapping | |||
# Don't change these unless you know what your doing | |||
InPreRules="In-PreRules" | |||
OutPreRules="Out-PreRules" | |||
Trusted="In-Trusted" | |||
InEasyBlock="In-EasyBlock" | |||
OutEasyBlock="Out-EasyBlock" | |||
InFilter="In-Filter" | |||
OutFilter="Out-Filter" | |||
NAT="NAT" | |||
PortForward="PortForward" | |||
InPostRules="In-PostRules" | |||
OutPostRules="Out-PostRules" |
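Review bot: `FwdFilter` has no definition in this chain map, yet `setup_iptables_chains` in iptables.inc runs `${VER_IPTABLES} -N ${FwdFilter}` and `-A FORWARD -j ${FwdFilter}`; with the variable unset those expand to `iptables -N` and `iptables -A FORWARD -j`, which error out, so forwarded traffic never reaches a user-customisable chain. Adding `FwdFilter="Fwd-Filter"` next to `InFilter`/`OutFilter` closes the gap and keeps the naming scheme. The comment on L135 should read `# Don't change these unless you know what you're doing`.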
@@ -1,14 +1,14 @@ | |||
# These are the custom files that can be used to inject rules during loading. Please don't change them | |||
# unless you have a good reason. | |||
# To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
# these files are sourced into the main file during setup of the order of chains. | |||
$V4CUSTPREFIX="${FWPREFIX}/ipv4/" | |||
$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh" | |||
$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh" | |||
$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh" | |||
$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh" | |||
$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh" | |||
$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh" | |||
# These are the custom files that can be used to inject rules during loading. Please don't change them | |||
# unless you have a good reason. | |||
# To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
# these files are sourced into the main file during setup of the order of chains. | |||
$V4CUSTPREFIX="${FWPREFIX}/ipv4/" | |||
$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh" | |||
$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh" | |||
$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh" | |||
$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh" | |||
$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh" | |||
$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh" | |||
$v4_Custom_Post="$V4CUSTPREFIX/postrun.sh" |
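Review bot: Every assignment in this file carries a leading `$` on the left-hand side (`$V4CUSTPREFIX="${FWPREFIX}/ipv4/"`, L163–L170); with the variable unset the line expands to the word `="/usr/local/ipv4/"`, which bash tries to run as a command, so none of the `v4_Custom_*` hook paths are ever set. The same defect is in ipv6.conf (L187–L194). Drop the `$` on the assignment side, `V4CUSTPREFIX="${FWPREFIX}/ipv4/"` and `v4_Custom_Pre="${V4CUSTPREFIX}prerun.sh"`, noting that the prefix already ends in a slash so `$V4CUSTPREFIX/prerun.sh` would otherwise yield a double slash. Since `setup_iptables_chains` sources whichever of these files is executable while running as root, the hook directory must be root-owned and not group- or world-writable; `${FWPREFIX}/ipv4/` sits outside `FWCONFIGDIR`, and if `${FWCONFIGDIR}/ipv4/` was intended the comment should say where the hooks live.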
@@ -1,14 +1,14 @@ | |||
# These are the custom files that can be used to inject rules during loading. Please don't change them | |||
# unless you have a good reason. | |||
# To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
# these files are sourced into the main file during setup of the order of chains. | |||
$V6CUSTPREFIX="${FWPREFIX}/ipv6/" | |||
$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh" | |||
$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh" | |||
$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh" | |||
$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh" | |||
$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh" | |||
$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh" | |||
# These are the custom files that can be used to inject rules during loading. Please don't change them | |||
# unless you have a good reason. | |||
# To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
# these files are sourced into the main file during setup of the order of chains. | |||
$V6CUSTPREFIX="${FWPREFIX}/ipv6/" | |||
$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh" | |||
$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh" | |||
$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh" | |||
$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh" | |||
$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh" | |||
$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh" | |||
$v6_Custom_Post="$V6CUSTPREFIX/postrun.sh" |
@@ -1,11 +1,11 @@ | |||
# Main Configuration File | |||
# Define a prefix for important locations of binaries | |||
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" | |||
# Enable / Disable IPv4 and IPv6 support (yes/no) | |||
EnableIPv4=yes | |||
EnableIPv6=yes | |||
# Display detailed output while running script? | |||
# Main Configuration File | |||
# Define a prefix for important locations of binaries | |||
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" | |||
# Enable / Disable IPv4 and IPv6 support (yes/no) | |||
EnableIPv4=yes | |||
EnableIPv6=yes | |||
# Display detailed output while running script? | |||
EnableDetailedOutput=yes |
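Review bot: `EnableDetailedOutput=yes` (L210) is read by nobody — the main script tests `DisplayDetailedOutput` — so this toggle has no effect until the two names agree; the comment above it should name the exact key the script reads. `PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"` (L205) is also unused: binaries.inc locates tools with `which`, which searches `PATH`, not `PREFIX`. If the intent is to pin which `iptables` a root-run script executes, set `PATH="/bin:/sbin:/usr/bin:/usr/sbin:${PATH}"` with the system directories first, and add a comment stating that this is why it is here.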
@@ -1,24 +1,24 @@ | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# Try and set some sane defaults for common binaries we need. Can always override them later. | |||
MODPROBE=`which modprobe` | |||
IPTABLES=`which iptables` | |||
IP6TABLES=`which ip6tables` | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# Try and set some sane defaults for common binaries we need. Can always override them later. | |||
MODPROBE=`which modprobe` | |||
IPTABLES=`which iptables` | |||
IP6TABLES=`which ip6tables` |
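Review bot: `MODPROBE=`which modprobe`` and the two lines after it (L255–L257) silently yield an empty variable when the tool is absent; `${VER_IPTABLES} --flush &>/dev/null` in iptables.inc then runs a bare `--flush` whose failure is hidden by the redirect, so a flush or policy change can appear to succeed while doing nothing. Resolve with the builtin and fail fast instead, `IPTABLES=$(command -v iptables) || { echo "Error: iptables not found in PATH" >&2; exit 1; }`, and likewise for `ip6tables` and `modprobe` (`exit` from a sourced file terminates the calling script, which is the desired outcome here). Because lookup goes through `PATH`, the binary a root-run script executes depends on the caller's environment; main.conf's `PREFIX` does not influence it, so either set `PATH` there or use absolute paths in this file.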
@@ -1,82 +1,82 @@ | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# ANSI color sequences | |||
BLUE="\E[34m" | |||
GREEN="\E[32m" | |||
RED="\E[31m" | |||
YELLOW="\E[33m" | |||
PURPLE="\E[35m" | |||
AQUA="\E[36m" | |||
WHITE="\E[1m" | |||
GREY="\E[37m" | |||
DEFAULT_COLOR="\E[39m" | |||
# display_c $COLOR $TEXT BOOL(YN) | |||
# $COLOR being bash colors | |||
# $TEXT being what to output (make sure to put " " around text) | |||
# BOOL being (Y or N) to do newline at end or not | |||
function display_c { | |||
unset COLOR_CODE TEXT NEWLINE | |||
DEFAULT_COLOR="\E[39m" | |||
COLOR_CODE=`pick_color $1` | |||
TEXT="$2" | |||
if [ "$3" == "N" ]; then | |||
NEWLINE="-n" | |||
fi | |||
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}" | |||
} | |||
# pick_color $COLOR | |||
# returns appropriate color codes for use in display_c and such | |||
function pick_color { | |||
case $1 in | |||
BLUE) COLOR="\E[34m" ;; | |||
GREEN) COLOR="\E[32m" ;; | |||
RED) COLOR="\E[31m" ;; | |||
YELLOW) COLOR="\E[33m" ;; | |||
PURPLE) COLOR="\E[35m" ;; | |||
AQUA) COLOR="\E[36m" ;; | |||
WHITE) COLOR="\E[1m" ;; | |||
GREY) COLOR="\E[37m" ;; | |||
*) COLOR="\E[37m" ;; | |||
esac | |||
echo "${COLOR}" | |||
} | |||
# reset_color | |||
function reset_color { | |||
unset NEWLINE | |||
DEFAULT_COLOR="\E[39m" | |||
if [ "$1" == "N" ]; then | |||
NEWLINE="-n" | |||
fi | |||
echo ${NEWLINE} -e "${DEFAULT_COLOR}" | |||
} | |||
# show_help | |||
# Show command line options help | |||
function show_help { | |||
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>" | |||
echo -e "\t--help\t\tShows this info" | |||
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT" | |||
echo -e "\t--generate-cache\tGenerate cached rule file" | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# ANSI color sequences | |||
BLUE="\E[34m" | |||
GREEN="\E[32m" | |||
RED="\E[31m" | |||
YELLOW="\E[33m" | |||
PURPLE="\E[35m" | |||
AQUA="\E[36m" | |||
WHITE="\E[1m" | |||
GREY="\E[37m" | |||
DEFAULT_COLOR="\E[39m" | |||
# display_c $COLOR $TEXT BOOL(YN) | |||
# $COLOR being bash colors | |||
# $TEXT being what to output (make sure to put " " around text) | |||
# BOOL being (Y or N) to do newline at end or not | |||
function display_c { | |||
unset COLOR_CODE TEXT NEWLINE | |||
DEFAULT_COLOR="\E[39m" | |||
COLOR_CODE=`pick_color $1` | |||
TEXT="$2" | |||
if [ "$3" == "N" ]; then | |||
NEWLINE="-n" | |||
fi | |||
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}" | |||
} | |||
# pick_color $COLOR | |||
# returns appropriate color codes for use in display_c and such | |||
function pick_color { | |||
case $1 in | |||
BLUE) COLOR="\E[34m" ;; | |||
GREEN) COLOR="\E[32m" ;; | |||
RED) COLOR="\E[31m" ;; | |||
YELLOW) COLOR="\E[33m" ;; | |||
PURPLE) COLOR="\E[35m" ;; | |||
AQUA) COLOR="\E[36m" ;; | |||
WHITE) COLOR="\E[1m" ;; | |||
GREY) COLOR="\E[37m" ;; | |||
*) COLOR="\E[37m" ;; | |||
esac | |||
echo "${COLOR}" | |||
} | |||
# reset_color | |||
function reset_color { | |||
unset NEWLINE | |||
DEFAULT_COLOR="\E[39m" | |||
if [ "$1" == "N" ]; then | |||
NEWLINE="-n" | |||
fi | |||
echo ${NEWLINE} -e "${DEFAULT_COLOR}" | |||
} | |||
# show_help | |||
# Show command line options help | |||
function show_help { | |||
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>" | |||
echo -e "\t--help\t\tShows this info" | |||
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT" | |||
echo -e "\t--generate-cache\tGenerate cached rule file" | |||
} |
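Review bot: `display_c` (L367–L376), `pick_color` and `reset_color` write `COLOR_CODE`, `TEXT`, `NEWLINE` and `COLOR` as globals and `unset` them on entry, so any caller that uses those names is clobbered; every one of them should be `local`. `pick_color` also repeats the colour table already defined at L354–L362 instead of referencing it, so the two can drift apart. `echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}…"` interprets backslash sequences in the message text as well as in the colour codes; the rewrite below uses `printf` with `%b` only for the codes and `%s` for the text, which is a deliberate change for callers who relied on escapes inside `$TEXT`. The unquoted `pick_color $1` and backticks are replaced by `$(…)` with quoting at the same time.
```shell
function display_c {
  local color_code text
  color_code=$(pick_color "$1")
  text="$2"
  # Third argument "N" suppresses the trailing newline, as before.
  if [ "$3" == "N" ]; then
    printf '%b%s%b' "${color_code}" "${text}" "${DEFAULT_COLOR}"
  else
    printf '%b%s%b\n' "${color_code}" "${text}" "${DEFAULT_COLOR}"
  fi
}
# … unchanged: pick_color, reset_color, show_help …
```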
@@ -1,104 +1,104 @@ | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# iptables_rules_flush (ipv6|ipv4) | |||
# Clear all rules from iptables - be very careful in how this is called as it | |||
# could easily lock out the user from the network. Best way to be safe, is to | |||
# call iptables_policy_reset first then this function. | |||
function iptables_rules_flush { | |||
IP_VERSION=$1 | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; | |||
esac | |||
${display_c} RED "Flushing ${IP_VERSION} rules..." | |||
${VER_IPTABLES} --flush &>/dev/null | |||
${VER_IPTABLES} -F OUTPUT &>/dev/null | |||
${VER_IPTABLES} -F PREROUTING &>/dev/null | |||
${VER_IPTABLES} -F POSTROUTING &>/dev/null | |||
for i in `cat $TABLE_NAMES`; do | |||
${VER_IPTABLES} -F -t $i &>/dev/null | |||
done | |||
${VER_IPTABLES} -X | |||
} | |||
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) | |||
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 | |||
# If no policy given, assume ACCEPT | |||
function iptables_policy_reset { | |||
IP_VERSION=$1 | |||
SET_POLICY=${2=ACCEPT} | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
esac | |||
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
${VER_IPTABLES} --policy INPUT ${SET_POLICY} | |||
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} | |||
${VER_IPTABLES} --policy FORWARD ${SET_POLICY} | |||
} | |||
# setup_iptables_chains (ipv4|ipv6) | |||
# Creates the default chains when called | |||
function setup_iptables_chains { | |||
IP_VERSION=$1 | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES}; | |||
IPVER="6" ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} | |||
IPVER="4" ;; | |||
esac | |||
# Create the actual chains | |||
${display_c} GREEN "Setting up chains for ${IP_VERSION}..." | |||
${VER_IPTABLES} -N ${InPreRules} | |||
${VER_IPTABLES} -N ${OutPreRules} | |||
${VER_IPTABLES} -N ${Trusted} | |||
${VER_IPTABLES} -N ${InEasyBlock} | |||
${VER_IPTABLES} -N ${OutEasyBlock} | |||
${VER_IPTABLES} -N ${InFilter} | |||
${VER_IPTABLES} -N ${OutFilter} | |||
${VER_IPTABLES} -N ${FwdFilter} | |||
${VER_IPTABLES} -N ${NAT} | |||
${VER_IPTABLES} -N ${PortForward} | |||
${VER_IPTABLES} -N ${InPostRules} | |||
${VER_IPTABLES} -N ${OutPostRules} | |||
# Set up rules - the order matters - we do it separately here | |||
# for easy viewing of order | |||
if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InPreRules} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} | |||
if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi | |||
${VER_IPTABLES} -A INPUT -j ${Trusted} | |||
if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InEasyBlock} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} | |||
if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InFilter} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutFilter} | |||
${VER_IPTABLES} -A FORWARD -j ${FwdFilter} | |||
if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi | |||
${VER_IPTABLES} -A POSTROUTING -j ${NAT} | |||
if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi | |||
${VER_IPTABLES} -A PREROUTING -j ${PortForward} | |||
if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InPostRules} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} | |||
#!/bin/bash | |||
# By Brielle Bruns <bruns@2mbit.com> | |||
# URL: http://www.sosdg.org/freestuff/firewall | |||
# License: GPLv3 | |||
# | |||
# Copyright (C) 2009 - 2014 Brielle Bruns | |||
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
# | |||
# This program is free software: you can redistribute it and/or modify | |||
# it under the terms of the GNU General Public License as published by | |||
# the Free Software Foundation, either version 3 of the License, or | |||
# (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
# iptables_rules_flush (ipv6|ipv4) | |||
# Clear all rules from iptables - be very careful in how this is called as it | |||
# could easily lock out the user from the network. Best way to be safe, is to | |||
# call iptables_policy_reset first then this function. | |||
function iptables_rules_flush { | |||
IP_VERSION=$1 | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; | |||
esac | |||
${display_c} RED "Flushing ${IP_VERSION} rules..." | |||
${VER_IPTABLES} --flush &>/dev/null | |||
${VER_IPTABLES} -F OUTPUT &>/dev/null | |||
${VER_IPTABLES} -F PREROUTING &>/dev/null | |||
${VER_IPTABLES} -F POSTROUTING &>/dev/null | |||
for i in `cat $TABLE_NAMES`; do | |||
${VER_IPTABLES} -F -t $i &>/dev/null | |||
done | |||
${VER_IPTABLES} -X | |||
} | |||
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) | |||
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 | |||
# If no policy given, assume ACCEPT | |||
function iptables_policy_reset { | |||
IP_VERSION=$1 | |||
SET_POLICY=${2=ACCEPT} | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
esac | |||
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
${VER_IPTABLES} --policy INPUT ${SET_POLICY} | |||
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} | |||
${VER_IPTABLES} --policy FORWARD ${SET_POLICY} | |||
} | |||
# setup_iptables_chains (ipv4|ipv6) | |||
# Creates the default chains when called | |||
function setup_iptables_chains { | |||
IP_VERSION=$1 | |||
case $IP_VERSION in | |||
ipv6) VER_IPTABLES=${IP6TABLES}; | |||
IPVER="6" ;; | |||
ipv4|*) VER_IPTABLES=${IPTABLES} | |||
IPVER="4" ;; | |||
esac | |||
# Create the actual chains | |||
${display_c} GREEN "Setting up chains for ${IP_VERSION}..." | |||
${VER_IPTABLES} -N ${InPreRules} | |||
${VER_IPTABLES} -N ${OutPreRules} | |||
${VER_IPTABLES} -N ${Trusted} | |||
${VER_IPTABLES} -N ${InEasyBlock} | |||
${VER_IPTABLES} -N ${OutEasyBlock} | |||
${VER_IPTABLES} -N ${InFilter} | |||
${VER_IPTABLES} -N ${OutFilter} | |||
${VER_IPTABLES} -N ${FwdFilter} | |||
${VER_IPTABLES} -N ${NAT} | |||
${VER_IPTABLES} -N ${PortForward} | |||
${VER_IPTABLES} -N ${InPostRules} | |||
${VER_IPTABLES} -N ${OutPostRules} | |||
# Set up rules - the order matters - we do it separately here | |||
# for easy viewing of order | |||
if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InPreRules} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} | |||
if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi | |||
${VER_IPTABLES} -A INPUT -j ${Trusted} | |||
if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InEasyBlock} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} | |||
if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InFilter} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutFilter} | |||
${VER_IPTABLES} -A FORWARD -j ${FwdFilter} | |||
if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi | |||
${VER_IPTABLES} -A POSTROUTING -j ${NAT} | |||
if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi | |||
${VER_IPTABLES} -A PREROUTING -j ${PortForward} | |||
if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi | |||
${VER_IPTABLES} -A INPUT -j ${InPostRules} | |||
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} | |||
} |
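Review bot: `${v${IPVER}_Custom_Pre}` on L590, and the six sibling hook lines through L606, is not valid bash — a `${…}` nested inside a parameter name is a "bad substitution", and a non-interactive bash treats that as fatal and stops the script there. Because `setup_iptables_chains` runs after `iptables_rules_flush` has emptied every table, the abort lands after the user chains are created but before any jump rule is appended, leaving the host with empty chains under whatever built-in policies were in effect; if those are ACCEPT the firewall fails open. The fix is to compose the variable name first and read it through indirect expansion, which the helper below does once for all seven stages. Two smaller defects in the same file: `SET_POLICY=${2=ACCEPT}` on L554 attempts to assign to `$2` and errors (`${2:-ACCEPT}` is the intended default), and the three `${display_c}` calls expand a variable the main script never sets — it assigns `display`. The header comment on L549 names `iptables_policy_set` while the function is `iptables_policy_reset`.
```shell
# source_custom_hook STAGE
# Sources the per-IP-version hook file for STAGE (Pre, Trust, EasyBlock,
# Filter, NAT, PortFw, Post) when it is set and executable. Reads IPVER.
function source_custom_hook {
  local hook_var="v${IPVER}_Custom_${1}"
  local hook_file="${!hook_var}"
  if [ -n "${hook_file}" ] && [ -x "${hook_file}" ]; then
    . "${hook_file}"
  fi
}
# … unchanged: iptables_rules_flush, iptables_policy_reset, chain creation in setup_iptables_chains …
  source_custom_hook Pre
  ${VER_IPTABLES} -A INPUT -j ${InPreRules}
  ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
  source_custom_hook Trust
  # … unchanged: remaining -A jumps, each preceded by source_custom_hook <Stage> …
```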