
Gotta love it when you have dos/win line endings unintentionally

tags/v2.01a1
bbruns@gmail.com 7 years ago
parent
commit
b0ba377ca4
8 changed files with 327 additions and 327 deletions
  1. +70
    -70
      bin/srfirewall
  2. +13
    -13
      etc/chains.conf
  3. +13
    -13
      etc/ipv4/custom.conf
  4. +13
    -13
      etc/ipv6/custom.conf
  5. +10
    -10
      etc/main.conf
  6. +24
    -24
      lib/binaries.inc
  7. +81
    -81
      lib/display.inc
  8. +103
    -103
      lib/iptables.inc

+ 70
- 70
bin/srfirewall View File

@@ -1,71 +1,71 @@
#/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Static config options, normally do not need to change
FW_VERSION="2.0"
# Important directory locations
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away
source "${FWCONFIGDIR}/main.conf"
source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
display="display_c"
else
display="true"
fi
if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
setup_iptables_chains ipv4
fi
if [[ "${EnableIPv6}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv6
#/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Static config options, normally do not need to change
FW_VERSION="2.0"
# Important directory locations
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away
source "${FWCONFIGDIR}/main.conf"
source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
display="display_c"
else
display="true"
fi
if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
setup_iptables_chains ipv4
fi
if [[ "${EnableIPv6}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv6
fi
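Review bot: The new side still cannot run: the detailed-output test reads `"${DisplayDetailedOutput" == "yes"` with no closing `}` on the expansion, so bash aborts on that line, before the flush/setup blocks are reached. The name also differs from what etc/main.conf defines (`EnableDetailedOutput`), and the variable assigned here is `display` while lib/iptables.inc invokes `${display_c}`, so even after the brace fix every `${display_c} RED "..."` line there would expand to a bare `RED` command; `if [[ "${EnableDetailedOutput}" == "yes" ]]; then` together with `display_c="display_c"` / `display_c="true"` makes the three files agree. The first line is `#/bin/bash` without the `!`, so the bash-version check below only matters when the file is invoked through bash explicitly. Separately, `iptables_rules_flush` is called here without the `iptables_policy_reset` that lib/iptables.inc's own header asks to run first, which leaves the host with emptied chains and whatever policies the previous run left until `setup_iptables_chains` finishes; the rest of this script, if any, is outside the hunk.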

+ 13
- 13
etc/chains.conf View File

@@ -1,14 +1,14 @@
# Chain name mapping
# Don't change these unless you know what your doing
InPreRules="In-PreRules"
OutPreRules="Out-PreRules"
Trusted="In-Trusted"
InEasyBlock="In-EasyBlock"
OutEasyBlock="Out-EasyBlock"
InFilter="In-Filter"
OutFilter="Out-Filter"
NAT="NAT"
PortForward="PortForward"
InPostRules="In-PostRules"
# Chain name mapping
# Don't change these unless you know what your doing
InPreRules="In-PreRules"
OutPreRules="Out-PreRules"
Trusted="In-Trusted"
InEasyBlock="In-EasyBlock"
OutEasyBlock="Out-EasyBlock"
InFilter="In-Filter"
OutFilter="Out-Filter"
NAT="NAT"
PortForward="PortForward"
InPostRules="In-PostRules"
OutPostRules="Out-PostRules"
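Review bot: `FwdFilter` is still not defined in this mapping although lib/iptables.inc both creates it (`-N ${FwdFilter}`) and jumps to it (`-A FORWARD -j ${FwdFilter}`); with the variable unset those become `iptables -N` and `iptables -A FORWARD -j` with no chain name, both of which fail, so forwarded traffic never enters a filter chain. A line such as `FwdFilter="Fwd-Filter"` (constructed value, following the In-/Out- naming used above) closes the gap. The other names here match what iptables.inc references.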

+ 13
- 13
etc/ipv4/custom.conf View File

@@ -1,14 +1,14 @@
# These are the custom files that can be used to inject rules during loading. Please don't change them
# unless you have a good reason.
# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
# these files are sourced into the main file during setup of the order of chains.
$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
# These are the custom files that can be used to inject rules during loading. Please don't change them
# unless you have a good reason.
# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
# these files are sourced into the main file during setup of the order of chains.
$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
$v4_Custom_Post="$V4CUSTPREFIX/postrun.sh"
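Review bot: Every line in this file is written as `$V4CUSTPREFIX="..."` with a leading `$`, which bash treats as a command word rather than an assignment: the unset name expands to nothing, the shell tries to execute `=/usr/local/ipv4/` as a program, and none of the seven hook paths is ever set; the same applies to every line of etc/ipv6/custom.conf. Dropping the `$` on the left-hand side (`V4CUSTPREFIX="${FWPREFIX}/ipv4/"`, and likewise for the `v4_Custom_*` lines) is the fix. Note that these paths are later sourced into the running script with `.` from setup_iptables_chains, so the directory they resolve to — here `${FWPREFIX}/ipv4/`, i.e. under /usr/local rather than the config directory, which may be unintended and is worth confirming — should be root-owned and not group- or world-writable, since anything placed there runs with the firewall script's privileges.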

+ 13
- 13
etc/ipv6/custom.conf View File

@@ -1,14 +1,14 @@
# These are the custom files that can be used to inject rules during loading. Please don't change them
# unless you have a good reason.
# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
# these files are sourced into the main file during setup of the order of chains.
$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
# These are the custom files that can be used to inject rules during loading. Please don't change them
# unless you have a good reason.
# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
# these files are sourced into the main file during setup of the order of chains.
$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
$v6_Custom_Post="$V6CUSTPREFIX/postrun.sh"

+ 10
- 10
etc/main.conf View File

@@ -1,11 +1,11 @@
# Main Configuration File
# Define a prefix for important locations of binaries
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
# Enable / Disable IPv4 and IPv6 support (yes/no)
EnableIPv4=yes
EnableIPv6=yes
# Display detailed output while running script?
# Main Configuration File
# Define a prefix for important locations of binaries
PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
# Enable / Disable IPv4 and IPv6 support (yes/no)
EnableIPv4=yes
EnableIPv6=yes
# Display detailed output while running script?
EnableDetailedOutput=yes
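Review bot: `PREFIX` is built as a PATH-style list, but nothing in the visible files reads it — lib/binaries.inc locates tools through `which`, which consults `PATH` — so the comment's claim that it controls where binaries are found does not hold as far as this page shows. If it is meant to be exported as `PATH`, the trailing `:${PREFIX}` becomes an empty element whenever `PREFIX` was unset beforehand, and an empty element makes the shell search the current directory, which is undesirable for a script that execs `iptables` with elevated rights; `PATH="/bin:/sbin:/usr/bin:/usr/sbin${PATH:+:$PATH}"` avoids that. If `PREFIX` is genuinely unused, the comment should say what it is for or the line should go.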

+ 24
- 24
lib/binaries.inc View File

@@ -1,24 +1,24 @@
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Try and set some sane defaults for common binaries we need. Can always override them later.
MODPROBE=`which modprobe`
IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Try and set some sane defaults for common binaries we need. Can always override them later.
MODPROBE=`which modprobe`
IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`
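Review bot: The three `which` lookups are never checked, so on a host where `iptables` or `ip6tables` is not on `PATH` the variable is empty and every `${VER_IPTABLES} ...` line in lib/iptables.inc degrades to running `--flush`, `-N` or `-A` as a command; with the `&>/dev/null` redirections on most of those lines the script then finishes quietly while no rule has been installed. `command -v` is the portable builtin for this and its status can be asserted, e.g. `IPTABLES=$(command -v iptables) || { echo "iptables not found in PATH" >&2; exit 1; }`, with the same for `ip6tables` and `modprobe` (the ip6tables check could be skipped when `EnableIPv6` from main.conf is not `yes`). Backticks could become `$( )` at the same time.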

+ 81
- 81
lib/display.inc View File

@@ -1,82 +1,82 @@
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# ANSI color sequences
BLUE="\E[34m"
GREEN="\E[32m"
RED="\E[31m"
YELLOW="\E[33m"
PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
DEFAULT_COLOR="\E[39m"
# display_c $COLOR $TEXT BOOL(YN)
# $COLOR being bash colors
# $TEXT being what to output (make sure to put " " around text)
# BOOL being (Y or N) to do newline at end or not
function display_c {
unset COLOR_CODE TEXT NEWLINE
DEFAULT_COLOR="\E[39m"
COLOR_CODE=`pick_color $1`
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
}
# pick_color $COLOR
# returns appropriate color codes for use in display_c and such
function pick_color {
case $1 in
BLUE) COLOR="\E[34m" ;;
GREEN) COLOR="\E[32m" ;;
RED) COLOR="\E[31m" ;;
YELLOW) COLOR="\E[33m" ;;
PURPLE) COLOR="\E[35m" ;;
AQUA) COLOR="\E[36m" ;;
WHITE) COLOR="\E[1m" ;;
GREY) COLOR="\E[37m" ;;
*) COLOR="\E[37m" ;;
esac
echo "${COLOR}"
}
# reset_color
function reset_color {
unset NEWLINE
DEFAULT_COLOR="\E[39m"
if [ "$1" == "N" ]; then
NEWLINE="-n"
fi
echo ${NEWLINE} -e "${DEFAULT_COLOR}"
}
# show_help
# Show command line options help
function show_help {
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
echo -e "\t--help\t\tShows this info"
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
echo -e "\t--generate-cache\tGenerate cached rule file"
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# ANSI color sequences
BLUE="\E[34m"
GREEN="\E[32m"
RED="\E[31m"
YELLOW="\E[33m"
PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
DEFAULT_COLOR="\E[39m"
# display_c $COLOR $TEXT BOOL(YN)
# $COLOR being bash colors
# $TEXT being what to output (make sure to put " " around text)
# BOOL being (Y or N) to do newline at end or not
function display_c {
unset COLOR_CODE TEXT NEWLINE
DEFAULT_COLOR="\E[39m"
COLOR_CODE=`pick_color $1`
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
}
# pick_color $COLOR
# returns appropriate color codes for use in display_c and such
function pick_color {
case $1 in
BLUE) COLOR="\E[34m" ;;
GREEN) COLOR="\E[32m" ;;
RED) COLOR="\E[31m" ;;
YELLOW) COLOR="\E[33m" ;;
PURPLE) COLOR="\E[35m" ;;
AQUA) COLOR="\E[36m" ;;
WHITE) COLOR="\E[1m" ;;
GREY) COLOR="\E[37m" ;;
*) COLOR="\E[37m" ;;
esac
echo "${COLOR}"
}
# reset_color
function reset_color {
unset NEWLINE
DEFAULT_COLOR="\E[39m"
if [ "$1" == "N" ]; then
NEWLINE="-n"
fi
echo ${NEWLINE} -e "${DEFAULT_COLOR}"
}
# show_help
# Show command line options help
function show_help {
echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns <bruns@2mbit.com>"
echo -e "\t--help\t\tShows this info"
echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
echo -e "\t--generate-cache\tGenerate cached rule file"
}
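Review bot: `display_c` and `reset_color` leave `${NEWLINE}` unquoted and pass the caller's text through `echo -e`, so any backslash sequence inside `$2` is interpreted as an escape, and `COLOR_CODE`, `TEXT`, `NEWLINE` and `DEFAULT_COLOR` are written to the global scope on every call. A `printf` form keeps the color codes interpreted and the message literal: `printf '%b%s%b' "${COLOR_CODE}" "${TEXT}" "${DEFAULT_COLOR}"` followed by `[ "$3" == "N" ] || printf '\n'`, with `local` on the temporaries. `pick_color $1` is also unquoted; `pick_color "$1"` is enough. The `--flush` and `--generate-cache` options advertised by `show_help` have no handler in the visible part of bin/srfirewall, which may simply lie outside that hunk.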

+ 103
- 103
lib/iptables.inc View File

@@ -1,104 +1,104 @@
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
function iptables_rules_flush {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
${display_c} RED "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null
${VER_IPTABLES} -F POSTROUTING &>/dev/null
for i in `cat $TABLE_NAMES`; do
${VER_IPTABLES} -F -t $i &>/dev/null
done
${VER_IPTABLES} -X
}
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
function iptables_policy_reset {
IP_VERSION=$1
SET_POLICY=${2=ACCEPT}
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
}
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_iptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
# Create the actual chains
${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules}
# Set up rules - the order matters - we do it separately here
# for easy viewing of order
if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
${VER_IPTABLES} -A INPUT -j ${InPreRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
${VER_IPTABLES} -A INPUT -j ${Trusted}
if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
${VER_IPTABLES} -A INPUT -j ${InFilter}
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
${VER_IPTABLES} -A POSTROUTING -j ${NAT}
if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
${VER_IPTABLES} -A PREROUTING -j ${PortForward}
if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
function iptables_rules_flush {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
${display_c} RED "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null
${VER_IPTABLES} -F POSTROUTING &>/dev/null
for i in `cat $TABLE_NAMES`; do
${VER_IPTABLES} -F -t $i &>/dev/null
done
${VER_IPTABLES} -X
}
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
function iptables_policy_reset {
IP_VERSION=$1
SET_POLICY=${2=ACCEPT}
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
}
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_iptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
# Create the actual chains
${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules}
# Set up rules - the order matters - we do it separately here
# for easy viewing of order
if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
${VER_IPTABLES} -A INPUT -j ${InPreRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
${VER_IPTABLES} -A INPUT -j ${Trusted}
if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
${VER_IPTABLES} -A INPUT -j ${InFilter}
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
${VER_IPTABLES} -A POSTROUTING -j ${NAT}
if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
${VER_IPTABLES} -A PREROUTING -j ${PortForward}
if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
}
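Review bot: `${v${IPVER}_Custom_Pre}` and the six expansions like it in setup_iptables_chains are not valid bash — the shell reports a bad substitution and the function aborts at that line, after the chains were created but before a single jump was appended. Because bin/srfirewall runs `iptables_rules_flush` first, the host is then left with empty chains and whatever policies were already in place, which is fail-open when those are ACCEPT. In iptables_policy_reset, `SET_POLICY=${2=ACCEPT}` also fails whenever the advertised default is relied on, since bash cannot assign to a positional parameter; `SET_POLICY=${2:-ACCEPT}` is the intended form, and that function's header still calls it `iptables_policy_set`. The hook lookup needs indirect expansion, which the existing bash 3 requirement already permits; a small helper keeps the seven call sites readable:
```shell
# Source the per-family custom hook named by "$1" (Pre, Trust, EasyBlock, Filter,
# NAT, PortFw, Post) when it is an executable file. IPVER is set by the caller.
source_custom_hook() {
  local hook_var="v${IPVER}_Custom_$1"
  local hook_path="${!hook_var}"
  if [ -x "${hook_path}" ]; then . "${hook_path}"; fi
}

# … unchanged: chain creation (-N) lines in setup_iptables_chains …
source_custom_hook Pre
${VER_IPTABLES} -A INPUT -j ${InPreRules}
# … unchanged: remaining -A lines, with source_custom_hook Trust/EasyBlock/Filter/NAT/PortFw/Post replacing the seven if lines …
```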
