bbruns@gmail.com
6 years ago
8 changed files with 327 additions and 327 deletions
Split View
Diff Options
-
+70 -70bin/srfirewall
-
+13 -13etc/chains.conf
-
+13 -13etc/ipv4/custom.conf
-
+13 -13etc/ipv6/custom.conf
-
+10 -10etc/main.conf
-
+24 -24lib/binaries.inc
-
+81 -81lib/display.inc
-
+103 -103lib/iptables.inc
+ 70
- 70
bin/srfirewall
View File
| @@ -1,71 +1,71 @@ | |||
| #/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # Static config options, normally do not need to change | |||
| FW_VERSION="2.0" | |||
| # Important directory locations | |||
| FWPREFIX="/usr/local" | |||
| FWCONFIGDIR="${FWPREFIX}/etc/srfirewall" | |||
| FWLIBDIR="${FWPREFIX}/lib/srfirewall" | |||
| FWBINDIR="${FWPREFIX}/bin" | |||
| # Begin sourcing critical files, because we need things like path right away | |||
| source "${FWCONFIGDIR}/main.conf" | |||
| source "${FWLIBDIR}/binaries.inc" | |||
| source "${FWLIBDIR}/iptables.inc" | |||
| source "${FWLIBDIR}/display.inc" | |||
| source "${FWCONFIGDIR}/chains.conf" | |||
| source "${FWCONFIGDIR}/ipv4.conf" | |||
| source "${FWCONFIGDIR}/ipv6.conf" | |||
| # We require at least bash v3 or later at this point given some of the more complex | |||
| # operations we do to make the firewall script work. | |||
| if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
| echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" | |||
| echo "of bash to something more recent, preferably the latest which is, as of this" | |||
| echo "writing, 4.x" | |||
| exit 1 | |||
| fi | |||
| # Swap out display_c command for dummy command if they don't want | |||
| # output when command is run. | |||
| if [[ "${DisplayDetailedOutput" == "yes" ]]; then | |||
| display="display_c" | |||
| else | |||
| display="true" | |||
| fi | |||
| if [[ "${EnableIPv4}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv4 | |||
| # Create the chain sets we'll need and the ones that can be | |||
| # customized by users in their custom rules | |||
| setup_iptables_chains ipv4 | |||
| fi | |||
| if [[ "${EnableIPv6}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv6 | |||
| #/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # Static config options, normally do not need to change | |||
| FW_VERSION="2.0" | |||
| # Important directory locations | |||
| FWPREFIX="/usr/local" | |||
| FWCONFIGDIR="${FWPREFIX}/etc/srfirewall" | |||
| FWLIBDIR="${FWPREFIX}/lib/srfirewall" | |||
| FWBINDIR="${FWPREFIX}/bin" | |||
| # Begin sourcing critical files, because we need things like path right away | |||
| source "${FWCONFIGDIR}/main.conf" | |||
| source "${FWLIBDIR}/binaries.inc" | |||
| source "${FWLIBDIR}/iptables.inc" | |||
| source "${FWLIBDIR}/display.inc" | |||
| source "${FWCONFIGDIR}/chains.conf" | |||
| source "${FWCONFIGDIR}/ipv4.conf" | |||
| source "${FWCONFIGDIR}/ipv6.conf" | |||
| # We require at least bash v3 or later at this point given some of the more complex | |||
| # operations we do to make the firewall script work. | |||
| if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
| echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" | |||
| echo "of bash to something more recent, preferably the latest which is, as of this" | |||
| echo "writing, 4.x" | |||
| exit 1 | |||
| fi | |||
| # Swap out display_c command for dummy command if they don't want | |||
| # output when command is run. | |||
| if [[ "${DisplayDetailedOutput" == "yes" ]]; then | |||
| display="display_c" | |||
| else | |||
| display="true" | |||
| fi | |||
| if [[ "${EnableIPv4}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv4 | |||
| # Create the chain sets we'll need and the ones that can be | |||
| # customized by users in their custom rules | |||
| setup_iptables_chains ipv4 | |||
| fi | |||
| if [[ "${EnableIPv6}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv6 | |||
| fi | |||
+ 13
- 13
etc/chains.conf
View File
| @@ -1,14 +1,14 @@ | |||
| # Chain name mapping | |||
| # Don't change these unless you know what your doing | |||
| InPreRules="In-PreRules" | |||
| OutPreRules="Out-PreRules" | |||
| Trusted="In-Trusted" | |||
| InEasyBlock="In-EasyBlock" | |||
| OutEasyBlock="Out-EasyBlock" | |||
| InFilter="In-Filter" | |||
| OutFilter="Out-Filter" | |||
| NAT="NAT" | |||
| PortForward="PortForward" | |||
| InPostRules="In-PostRules" | |||
| # Chain name mapping | |||
| # Don't change these unless you know what your doing | |||
| InPreRules="In-PreRules" | |||
| OutPreRules="Out-PreRules" | |||
| Trusted="In-Trusted" | |||
| InEasyBlock="In-EasyBlock" | |||
| OutEasyBlock="Out-EasyBlock" | |||
| InFilter="In-Filter" | |||
| OutFilter="Out-Filter" | |||
| NAT="NAT" | |||
| PortForward="PortForward" | |||
| InPostRules="In-PostRules" | |||
| OutPostRules="Out-PostRules" | |||
+ 13
- 13
etc/ipv4/custom.conf
View File
| @@ -1,14 +1,14 @@ | |||
| # These are the custom files that can be used to inject rules during loading. Please don't change them | |||
| # unless you have a good reason. | |||
| # To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
| # these files are sourced into the main file during setup of the order of chains. | |||
| $V4CUSTPREFIX="${FWPREFIX}/ipv4/" | |||
| $v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh" | |||
| $v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh" | |||
| $v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh" | |||
| $v4_Custom_Filter="$V4CUSTPREFIX/filter.sh" | |||
| $v4_Custom_NAT="$V4CUSTPREFIX/nat.sh" | |||
| $v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh" | |||
| # These are the custom files that can be used to inject rules during loading. Please don't change them | |||
| # unless you have a good reason. | |||
| # To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
| # these files are sourced into the main file during setup of the order of chains. | |||
| $V4CUSTPREFIX="${FWPREFIX}/ipv4/" | |||
| $v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh" | |||
| $v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh" | |||
| $v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh" | |||
| $v4_Custom_Filter="$V4CUSTPREFIX/filter.sh" | |||
| $v4_Custom_NAT="$V4CUSTPREFIX/nat.sh" | |||
| $v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh" | |||
| $v4_Custom_Post="$V4CUSTPREFIX/postrun.sh" | |||
+ 13
- 13
etc/ipv6/custom.conf
View File
| @@ -1,14 +1,14 @@ | |||
| # These are the custom files that can be used to inject rules during loading. Please don't change them | |||
| # unless you have a good reason. | |||
| # To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
| # these files are sourced into the main file during setup of the order of chains. | |||
| $V6CUSTPREFIX="${FWPREFIX}/ipv6/" | |||
| $v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh" | |||
| $v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh" | |||
| $v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh" | |||
| $v6_Custom_Filter="$V6CUSTPREFIX/filter.sh" | |||
| $v6_Custom_NAT="$V6CUSTPREFIX/nat.sh" | |||
| $v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh" | |||
| # These are the custom files that can be used to inject rules during loading. Please don't change them | |||
| # unless you have a good reason. | |||
| # To allow variable propagation/change and some creative changes of rules that I haven't tought of, | |||
| # these files are sourced into the main file during setup of the order of chains. | |||
| $V6CUSTPREFIX="${FWPREFIX}/ipv6/" | |||
| $v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh" | |||
| $v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh" | |||
| $v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh" | |||
| $v6_Custom_Filter="$V6CUSTPREFIX/filter.sh" | |||
| $v6_Custom_NAT="$V6CUSTPREFIX/nat.sh" | |||
| $v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh" | |||
| $v6_Custom_Post="$V6CUSTPREFIX/postrun.sh" | |||
+ 10
- 10
etc/main.conf
View File
| @@ -1,11 +1,11 @@ | |||
| # Main Configuration File | |||
| # Define a prefix for important locations of binaries | |||
| PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" | |||
| # Enable / Disable IPv4 and IPv6 support (yes/no) | |||
| EnableIPv4=yes | |||
| EnableIPv6=yes | |||
| # Display detailed output while running script? | |||
| # Main Configuration File | |||
| # Define a prefix for important locations of binaries | |||
| PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" | |||
| # Enable / Disable IPv4 and IPv6 support (yes/no) | |||
| EnableIPv4=yes | |||
| EnableIPv6=yes | |||
| # Display detailed output while running script? | |||
| EnableDetailedOutput=yes | |||
+ 24
- 24
lib/binaries.inc
View File
| @@ -1,24 +1,24 @@ | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # Try and set some sane defaults for common binaries we need. Can always override them later. | |||
| MODPROBE=`which modprobe` | |||
| IPTABLES=`which iptables` | |||
| IP6TABLES=`which ip6tables` | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # Try and set some sane defaults for common binaries we need. Can always override them later. | |||
| MODPROBE=`which modprobe` | |||
| IPTABLES=`which iptables` | |||
| IP6TABLES=`which ip6tables` | |||
+ 81
- 81
lib/display.inc
View File
| @@ -1,82 +1,82 @@ | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # ANSI color sequences | |||
| BLUE="\E[34m" | |||
| GREEN="\E[32m" | |||
| RED="\E[31m" | |||
| YELLOW="\E[33m" | |||
| PURPLE="\E[35m" | |||
| AQUA="\E[36m" | |||
| WHITE="\E[1m" | |||
| GREY="\E[37m" | |||
| DEFAULT_COLOR="\E[39m" | |||
| # display_c $COLOR $TEXT BOOL(YN) | |||
| # $COLOR being bash colors | |||
| # $TEXT being what to output (make sure to put " " around text) | |||
| # BOOL being (Y or N) to do newline at end or not | |||
| function display_c { | |||
| unset COLOR_CODE TEXT NEWLINE | |||
| DEFAULT_COLOR="\E[39m" | |||
| COLOR_CODE=`pick_color $1` | |||
| TEXT="$2" | |||
| if [ "$3" == "N" ]; then | |||
| NEWLINE="-n" | |||
| fi | |||
| echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}" | |||
| } | |||
| # pick_color $COLOR | |||
| # returns appropriate color codes for use in display_c and such | |||
| function pick_color { | |||
| case $1 in | |||
| BLUE) COLOR="\E[34m" ;; | |||
| GREEN) COLOR="\E[32m" ;; | |||
| RED) COLOR="\E[31m" ;; | |||
| YELLOW) COLOR="\E[33m" ;; | |||
| PURPLE) COLOR="\E[35m" ;; | |||
| AQUA) COLOR="\E[36m" ;; | |||
| WHITE) COLOR="\E[1m" ;; | |||
| GREY) COLOR="\E[37m" ;; | |||
| *) COLOR="\E[37m" ;; | |||
| esac | |||
| echo "${COLOR}" | |||
| } | |||
| # reset_color | |||
| function reset_color { | |||
| unset NEWLINE | |||
| DEFAULT_COLOR="\E[39m" | |||
| if [ "$1" == "N" ]; then | |||
| NEWLINE="-n" | |||
| fi | |||
| echo ${NEWLINE} -e "${DEFAULT_COLOR}" | |||
| } | |||
| # show_help | |||
| # Show command line options help | |||
| function show_help { | |||
| echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>" | |||
| echo -e "\t--help\t\tShows this info" | |||
| echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT" | |||
| echo -e "\t--generate-cache\tGenerate cached rule file" | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # ANSI color sequences | |||
| BLUE="\E[34m" | |||
| GREEN="\E[32m" | |||
| RED="\E[31m" | |||
| YELLOW="\E[33m" | |||
| PURPLE="\E[35m" | |||
| AQUA="\E[36m" | |||
| WHITE="\E[1m" | |||
| GREY="\E[37m" | |||
| DEFAULT_COLOR="\E[39m" | |||
| # display_c $COLOR $TEXT BOOL(YN) | |||
| # $COLOR being bash colors | |||
| # $TEXT being what to output (make sure to put " " around text) | |||
| # BOOL being (Y or N) to do newline at end or not | |||
| function display_c { | |||
| unset COLOR_CODE TEXT NEWLINE | |||
| DEFAULT_COLOR="\E[39m" | |||
| COLOR_CODE=`pick_color $1` | |||
| TEXT="$2" | |||
| if [ "$3" == "N" ]; then | |||
| NEWLINE="-n" | |||
| fi | |||
| echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}" | |||
| } | |||
| # pick_color $COLOR | |||
| # returns appropriate color codes for use in display_c and such | |||
| function pick_color { | |||
| case $1 in | |||
| BLUE) COLOR="\E[34m" ;; | |||
| GREEN) COLOR="\E[32m" ;; | |||
| RED) COLOR="\E[31m" ;; | |||
| YELLOW) COLOR="\E[33m" ;; | |||
| PURPLE) COLOR="\E[35m" ;; | |||
| AQUA) COLOR="\E[36m" ;; | |||
| WHITE) COLOR="\E[1m" ;; | |||
| GREY) COLOR="\E[37m" ;; | |||
| *) COLOR="\E[37m" ;; | |||
| esac | |||
| echo "${COLOR}" | |||
| } | |||
| # reset_color | |||
| function reset_color { | |||
| unset NEWLINE | |||
| DEFAULT_COLOR="\E[39m" | |||
| if [ "$1" == "N" ]; then | |||
| NEWLINE="-n" | |||
| fi | |||
| echo ${NEWLINE} -e "${DEFAULT_COLOR}" | |||
| } | |||
| # show_help | |||
| # Show command line options help | |||
| function show_help { | |||
| echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>" | |||
| echo -e "\t--help\t\tShows this info" | |||
| echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT" | |||
| echo -e "\t--generate-cache\tGenerate cached rule file" | |||
| } | |||
+ 103
- 103
lib/iptables.inc
View File
| @@ -1,104 +1,104 @@ | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # iptables_rules_flush (ipv6|ipv4) | |||
| # Clear all rules from iptables - be very careful in how this is called as it | |||
| # could easily lock out the user from the network. Best way to be safe, is to | |||
| # call iptables_policy_reset first then this function. | |||
| function iptables_rules_flush { | |||
| IP_VERSION=$1 | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; | |||
| esac | |||
| ${display_c} RED "Flushing ${IP_VERSION} rules..." | |||
| ${VER_IPTABLES} --flush &>/dev/null | |||
| ${VER_IPTABLES} -F OUTPUT &>/dev/null | |||
| ${VER_IPTABLES} -F PREROUTING &>/dev/null | |||
| ${VER_IPTABLES} -F POSTROUTING &>/dev/null | |||
| for i in `cat $TABLE_NAMES`; do | |||
| ${VER_IPTABLES} -F -t $i &>/dev/null | |||
| done | |||
| ${VER_IPTABLES} -X | |||
| } | |||
| # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) | |||
| # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 | |||
| # If no policy given, assume ACCEPT | |||
| function iptables_policy_reset { | |||
| IP_VERSION=$1 | |||
| SET_POLICY=${2=ACCEPT} | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
| esac | |||
| ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
| ${VER_IPTABLES} --policy INPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy FORWARD ${SET_POLICY} | |||
| } | |||
| # setup_iptables_chains (ipv4|ipv6) | |||
| # Creates the default chains when called | |||
| function setup_iptables_chains { | |||
| IP_VERSION=$1 | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES}; | |||
| IPVER="6" ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} | |||
| IPVER="4" ;; | |||
| esac | |||
| # Create the actual chains | |||
| ${display_c} GREEN "Setting up chains for ${IP_VERSION}..." | |||
| ${VER_IPTABLES} -N ${InPreRules} | |||
| ${VER_IPTABLES} -N ${OutPreRules} | |||
| ${VER_IPTABLES} -N ${Trusted} | |||
| ${VER_IPTABLES} -N ${InEasyBlock} | |||
| ${VER_IPTABLES} -N ${OutEasyBlock} | |||
| ${VER_IPTABLES} -N ${InFilter} | |||
| ${VER_IPTABLES} -N ${OutFilter} | |||
| ${VER_IPTABLES} -N ${FwdFilter} | |||
| ${VER_IPTABLES} -N ${NAT} | |||
| ${VER_IPTABLES} -N ${PortForward} | |||
| ${VER_IPTABLES} -N ${InPostRules} | |||
| ${VER_IPTABLES} -N ${OutPostRules} | |||
| # Set up rules - the order matters - we do it separately here | |||
| # for easy viewing of order | |||
| if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InPreRules} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} | |||
| if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${Trusted} | |||
| if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InEasyBlock} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} | |||
| if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InFilter} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutFilter} | |||
| ${VER_IPTABLES} -A FORWARD -j ${FwdFilter} | |||
| if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi | |||
| ${VER_IPTABLES} -A POSTROUTING -j ${NAT} | |||
| if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi | |||
| ${VER_IPTABLES} -A PREROUTING -j ${PortForward} | |||
| if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InPostRules} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} | |||
| #!/bin/bash | |||
| # By Brielle Bruns <bruns@2mbit.com> | |||
| # URL: http://www.sosdg.org/freestuff/firewall | |||
| # License: GPLv3 | |||
| # | |||
| # Copyright (C) 2009 - 2014 Brielle Bruns | |||
| # Copyright (C) 2009 - 2014 The Summit Open Source Development Group | |||
| # | |||
| # This program is free software: you can redistribute it and/or modify | |||
| # it under the terms of the GNU General Public License as published by | |||
| # the Free Software Foundation, either version 3 of the License, or | |||
| # (at your option) any later version. | |||
| # | |||
| # This program is distributed in the hope that it will be useful, | |||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| # GNU General Public License for more details. | |||
| # You should have received a copy of the GNU General Public License | |||
| # along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| # iptables_rules_flush (ipv6|ipv4) | |||
| # Clear all rules from iptables - be very careful in how this is called as it | |||
| # could easily lock out the user from the network. Best way to be safe, is to | |||
| # call iptables_policy_reset first then this function. | |||
| function iptables_rules_flush { | |||
| IP_VERSION=$1 | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; | |||
| esac | |||
| ${display_c} RED "Flushing ${IP_VERSION} rules..." | |||
| ${VER_IPTABLES} --flush &>/dev/null | |||
| ${VER_IPTABLES} -F OUTPUT &>/dev/null | |||
| ${VER_IPTABLES} -F PREROUTING &>/dev/null | |||
| ${VER_IPTABLES} -F POSTROUTING &>/dev/null | |||
| for i in `cat $TABLE_NAMES`; do | |||
| ${VER_IPTABLES} -F -t $i &>/dev/null | |||
| done | |||
| ${VER_IPTABLES} -X | |||
| } | |||
| # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP) | |||
| # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6 | |||
| # If no policy given, assume ACCEPT | |||
| function iptables_policy_reset { | |||
| IP_VERSION=$1 | |||
| SET_POLICY=${2=ACCEPT} | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
| esac | |||
| ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
| ${VER_IPTABLES} --policy INPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy FORWARD ${SET_POLICY} | |||
| } | |||
| # setup_iptables_chains (ipv4|ipv6) | |||
| # Creates the default chains when called | |||
| function setup_iptables_chains { | |||
| IP_VERSION=$1 | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES}; | |||
| IPVER="6" ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} | |||
| IPVER="4" ;; | |||
| esac | |||
| # Create the actual chains | |||
| ${display_c} GREEN "Setting up chains for ${IP_VERSION}..." | |||
| ${VER_IPTABLES} -N ${InPreRules} | |||
| ${VER_IPTABLES} -N ${OutPreRules} | |||
| ${VER_IPTABLES} -N ${Trusted} | |||
| ${VER_IPTABLES} -N ${InEasyBlock} | |||
| ${VER_IPTABLES} -N ${OutEasyBlock} | |||
| ${VER_IPTABLES} -N ${InFilter} | |||
| ${VER_IPTABLES} -N ${OutFilter} | |||
| ${VER_IPTABLES} -N ${FwdFilter} | |||
| ${VER_IPTABLES} -N ${NAT} | |||
| ${VER_IPTABLES} -N ${PortForward} | |||
| ${VER_IPTABLES} -N ${InPostRules} | |||
| ${VER_IPTABLES} -N ${OutPostRules} | |||
| # Set up rules - the order matters - we do it separately here | |||
| # for easy viewing of order | |||
| if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InPreRules} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} | |||
| if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${Trusted} | |||
| if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InEasyBlock} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} | |||
| if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InFilter} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutFilter} | |||
| ${VER_IPTABLES} -A FORWARD -j ${FwdFilter} | |||
| if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi | |||
| ${VER_IPTABLES} -A POSTROUTING -j ${NAT} | |||
| if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi | |||
| ${VER_IPTABLES} -A PREROUTING -j ${PortForward} | |||
| if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi | |||
| ${VER_IPTABLES} -A INPUT -j ${InPostRules} | |||
| ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} | |||
| } | |||