diff --git a/bin/srfirewall b/bin/srfirewall
index 70d5e41..e1371f7 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -1,71 +1,71 @@
-#/bin/bash
-# By Brielle Bruns
-# URL: http://www.sosdg.org/freestuff/firewall
-# License: GPLv3
-#
-# Copyright (C) 2009 - 2014 Brielle Bruns
-# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# Static config options, normally do not need to change
-FW_VERSION="2.0"
-
-# Important directory locations
-FWPREFIX="/usr/local"
-FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
-FWLIBDIR="${FWPREFIX}/lib/srfirewall"
-FWBINDIR="${FWPREFIX}/bin"
-
-# Begin sourcing critical files, because we need things like path right away
-source "${FWCONFIGDIR}/main.conf"
-source "${FWLIBDIR}/binaries.inc"
-source "${FWLIBDIR}/iptables.inc"
-source "${FWLIBDIR}/display.inc"
-
-source "${FWCONFIGDIR}/chains.conf"
-source "${FWCONFIGDIR}/ipv4.conf"
-source "${FWCONFIGDIR}/ipv6.conf"
-
-# We require at least bash v3 or later at this point given some of the more complex
-# operations we do to make the firewall script work.
-if (( ${BASH_VERSINFO[0]} <= "2" )); then
- echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
- echo "of bash to something more recent, preferably the latest which is, as of this"
- echo "writing, 4.x"
- exit 1
-fi
-
-# Swap out display_c command for dummy command if they don't want
-# output when command is run.
-if [[ "${DisplayDetailedOutput" == "yes" ]]; then
- display="display_c"
-else
- display="true"
-fi
-
-if [[ "${EnableIPv4}" == "yes" ]]; then
- # First flush all rules
- iptables_rules_flush ipv4
-
- # Create the chain sets we'll need and the ones that can be
- # customized by users in their custom rules
- setup_iptables_chains ipv4
-
-
-fi
-
-if [[ "${EnableIPv6}" == "yes" ]]; then
- # First flush all rules
- iptables_rules_flush ipv6
+#/bin/bash
+# By Brielle Bruns
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+# Copyright (C) 2009 - 2014 Brielle Bruns
+# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Static config options, normally do not need to change
+FW_VERSION="2.0"
+
+# Important directory locations
+FWPREFIX="/usr/local"
+FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
+FWLIBDIR="${FWPREFIX}/lib/srfirewall"
+FWBINDIR="${FWPREFIX}/bin"
+
+# Begin sourcing critical files, because we need things like path right away
+source "${FWCONFIGDIR}/main.conf"
+source "${FWLIBDIR}/binaries.inc"
+source "${FWLIBDIR}/iptables.inc"
+source "${FWLIBDIR}/display.inc"
+
+source "${FWCONFIGDIR}/chains.conf"
+source "${FWCONFIGDIR}/ipv4.conf"
+source "${FWCONFIGDIR}/ipv6.conf"
+
+# We require at least bash v3 or later at this point given some of the more complex
+# operations we do to make the firewall script work.
+if (( ${BASH_VERSINFO[0]} <= "2" )); then
+ echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
+ echo "of bash to something more recent, preferably the latest which is, as of this"
+ echo "writing, 4.x"
+ exit 1
+fi
+
+# Swap out display_c command for dummy command if they don't want
+# output when command is run.
+if [[ "${DisplayDetailedOutput" == "yes" ]]; then
+ display="display_c"
+else
+ display="true"
+fi
+
+if [[ "${EnableIPv4}" == "yes" ]]; then
+ # First flush all rules
+ iptables_rules_flush ipv4
+
+ # Create the chain sets we'll need and the ones that can be
+ # customized by users in their custom rules
+ setup_iptables_chains ipv4
+
+
+fi
+
+if [[ "${EnableIPv6}" == "yes" ]]; then
+ # First flush all rules
+ iptables_rules_flush ipv6
 fi
\ No newline at end of file
diff --git a/etc/chains.conf b/etc/chains.conf
index be20a11..1ef6404 100644
--- a/etc/chains.conf
+++ b/etc/chains.conf
@@ -1,14 +1,14 @@
-# Chain name mapping
-# Don't change these unless you know what your doing
-
-InPreRules="In-PreRules"
-OutPreRules="Out-PreRules"
-Trusted="In-Trusted"
-InEasyBlock="In-EasyBlock"
-OutEasyBlock="Out-EasyBlock"
-InFilter="In-Filter"
-OutFilter="Out-Filter"
-NAT="NAT"
-PortForward="PortForward"
-InPostRules="In-PostRules"
+# Chain name mapping
+# Don't change these unless you know what your doing
+
+InPreRules="In-PreRules"
+OutPreRules="Out-PreRules"
+Trusted="In-Trusted"
+InEasyBlock="In-EasyBlock"
+OutEasyBlock="Out-EasyBlock"
+InFilter="In-Filter"
+OutFilter="Out-Filter"
+NAT="NAT"
+PortForward="PortForward"
+InPostRules="In-PostRules"
 OutPostRules="Out-PostRules"
\ No newline at end of file
diff --git a/etc/ipv4/custom.conf b/etc/ipv4/custom.conf
index e26459a..6993b55 100644
--- a/etc/ipv4/custom.conf
+++ b/etc/ipv4/custom.conf
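Review bot: `if [[ "${DisplayDetailedOutput" == "yes" ]]; then` on the new side has an unterminated `${…}` expansion, so bash refuses to parse bin/srfirewall and no rule is ever loaded; main.conf also names this switch `EnableDetailedOutput`, and lib/iptables.inc dereferences `${display_c}` while this script assigns `display`. The three lines should read `if [[ "${EnableDetailedOutput}" == "yes" ]]; then`, `display_c="display_c"` and `display_c="true"`, and the first line needs `#!/bin/bash` (the `!` is missing, unlike the lib files). The script also calls `iptables_rules_flush` without first calling `iptables_policy_reset`, which the header of that function in lib/iptables.inc asks for so a flush cannot leave the host without a defined policy, and the IPv6 branch never calls `setup_iptables_chains ipv6`. This hunk looks like a whole-file line-ending normalization, so none of this is introduced here, but the commit carries the non-parsing script forward unchanged.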
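Review bot: `FwdFilter` is referenced by `setup_iptables_chains` in lib/iptables.inc (`-N ${FwdFilter}` and `-A FORWARD -j ${FwdFilter}`) but is not defined in this mapping, so those two calls run with an empty chain name and the FORWARD chain gets no filter hook. Add a line alongside the others, e.g. `FwdFilter="Fwd-Filter"` (name constructed to follow the existing In-/Out- pattern), or remove the two references. The second comment should read `unless you know what you're doing`.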
@@ -1,14 +1,14 @@
-# These are the custom files that can be used to inject rules during loading. Please don't change them
-# unless you have a good reason.
-# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
-# these files are sourced into the main file during setup of the order of chains.
-
-$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
-
-$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
-$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
-$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
-$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
-$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
-$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
+# These are the custom files that can be used to inject rules during loading. Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+
+$V4CUSTPREFIX="${FWPREFIX}/ipv4/"
+
+$v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"
+$v4_Custom_Trust="$V4CUSTPREFIX/trusted.sh"
+$v4_Custom_EasyBlock="$V4CUSTPREFIX/easyblock.sh"
+$v4_Custom_Filter="$V4CUSTPREFIX/filter.sh"
+$v4_Custom_NAT="$V4CUSTPREFIX/nat.sh"
+$v4_Custom_PortFw="$V4CUSTPREFIX/portfw.sh"
 $v4_Custom_Post="$V4CUSTPREFIX/postrun.sh"
\ No newline at end of file
diff --git a/etc/ipv6/custom.conf b/etc/ipv6/custom.conf
index 626dca6..209ab1f 100644
--- a/etc/ipv6/custom.conf
+++ b/etc/ipv6/custom.conf
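Review bot: Every assignment in this file starts with `$` (`$V4CUSTPREFIX="${FWPREFIX}/ipv4/"`, `$v4_Custom_Pre=…`), which bash expands to the empty variable and then tries to run `="/usr/local/ipv4/"` as a command, so none of the custom-rule paths is ever set; the etc/ipv6/custom.conf hunk (`$V6CUSTPREFIX`, `$v6_Custom_*`) has the same defect. Drop the leading `$` on every left-hand side, e.g. `V4CUSTPREFIX="${FWPREFIX}/ipv4/"` and `v4_Custom_Pre="$V4CUSTPREFIX/prerun.sh"`. The prefix also resolves to `/usr/local/ipv4/` rather than somewhere under `FWCONFIGDIR`, which looks unintended given how bin/srfirewall lays out its directories — worth confirming, because lib/iptables.inc sources these files with the firewall's privileges whenever they exist and are executable, so the directory's ownership and permissions are part of the trust boundary.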
@@ -1,14 +1,14 @@
-# These are the custom files that can be used to inject rules during loading. Please don't change them
-# unless you have a good reason.
-# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
-# these files are sourced into the main file during setup of the order of chains.
-
-$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
-
-$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
-$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
-$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
-$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
-$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
-$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
+# These are the custom files that can be used to inject rules during loading. Please don't change them
+# unless you have a good reason.
+# To allow variable propagation/change and some creative changes of rules that I haven't tought of,
+# these files are sourced into the main file during setup of the order of chains.
+
+$V6CUSTPREFIX="${FWPREFIX}/ipv6/"
+
+$v6_Custom_Pre="$V6CUSTPREFIX/prerun.sh"
+$v6_Custom_Trust="$V6CUSTPREFIX/trusted.sh"
+$v6_Custom_EasyBlock="$V6CUSTPREFIX/easyblock.sh"
+$v6_Custom_Filter="$V6CUSTPREFIX/filter.sh"
+$v6_Custom_NAT="$V6CUSTPREFIX/nat.sh"
+$v6_Custom_PortFw="$V6CUSTPREFIX/portfw.sh"
 $v6_Custom_Post="$V6CUSTPREFIX/postrun.sh"
\ No newline at end of file
diff --git a/etc/main.conf b/etc/main.conf
index dcbd297..d197027 100644
--- a/etc/main.conf
+++ b/etc/main.conf
@@ -1,11 +1,11 @@
-# Main Configuration File
-
-# Define a prefix for important locations of binaries
-PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
-
-# Enable / Disable IPv4 and IPv6 support (yes/no)
-EnableIPv4=yes
-EnableIPv6=yes
-
-# Display detailed output while running script?
+# Main Configuration File
+
+# Define a prefix for important locations of binaries
+PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
+
+# Enable / Disable IPv4 and IPv6 support (yes/no)
+EnableIPv4=yes
+EnableIPv6=yes
+
+# Display detailed output while running script?
 EnableDetailedOutput=yes
\ No newline at end of file
diff --git a/lib/binaries.inc b/lib/binaries.inc
index 230a285..f7fa886 100644
--- a/lib/binaries.inc
+++ b/lib/binaries.inc
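Review bot: `PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"` assigns a variable named PREFIX, not PATH, so it has no effect on where `which modprobe` and `which iptables` in lib/binaries.inc look; the comment in bin/srfirewall ("we need things like path right away") suggests PATH was intended. If so, write `PATH="/bin:/sbin:/usr/bin:/usr/sbin"` followed by `export PATH`, without appending the inherited value, so a firewall script run as root resolves its binaries from system directories only rather than from whatever PATH the caller had. `EnableDetailedOutput` here is the key bin/srfirewall should test; it currently tests `DisplayDetailedOutput`.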
@@ -1,24 +1,24 @@
-#!/bin/bash
-# By Brielle Bruns
-# URL: http://www.sosdg.org/freestuff/firewall
-# License: GPLv3
-#
-# Copyright (C) 2009 - 2014 Brielle Bruns
-# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# Try and set some sane defaults for common binaries we need. Can always override them later.
-MODPROBE=`which modprobe`
-IPTABLES=`which iptables`
-IP6TABLES=`which ip6tables`
+#!/bin/bash
+# By Brielle Bruns
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+# Copyright (C) 2009 - 2014 Brielle Bruns
+# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Try and set some sane defaults for common binaries we need. Can always override them later.
+MODPROBE=`which modprobe`
+IPTABLES=`which iptables`
+IP6TABLES=`which ip6tables`
diff --git a/lib/display.inc b/lib/display.inc
index 58c1afc..06ea295 100644
--- a/lib/display.inc
+++ b/lib/display.inc
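Review bot: `IPTABLES=\`which iptables\`` and its two sibling lines never check that the lookup succeeded; when a binary is missing the variable is empty and every `${VER_IPTABLES} …` call in lib/iptables.inc then runs the option itself (`--flush`, `-N`, …) as a bare command, mostly under `&>/dev/null`, so the failure is silent and no rules are applied. Use `command -v` and fail loudly, e.g. `IPTABLES=$(command -v iptables) || { echo "iptables not found" >&2; exit 1; }` for each of the three; this file is sourced, so the `exit` stops bin/srfirewall, which is the right outcome. Since main.conf does not actually set PATH, pinning these to fixed system paths (typically `/sbin/iptables`) instead of a PATH search is also the safer default for a script that runs as root.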
@@ -1,82 +1,82 @@
-#!/bin/bash
-# By Brielle Bruns
-# URL: http://www.sosdg.org/freestuff/firewall
-# License: GPLv3
-#
-# Copyright (C) 2009 - 2014 Brielle Bruns
-# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-
-# ANSI color sequences
-BLUE="\E[34m"
-GREEN="\E[32m"
-RED="\E[31m"
-YELLOW="\E[33m"
-PURPLE="\E[35m"
-AQUA="\E[36m"
-WHITE="\E[1m"
-GREY="\E[37m"
-DEFAULT_COLOR="\E[39m"
-
-# display_c $COLOR $TEXT BOOL(YN)
-# $COLOR being bash colors
-# $TEXT being what to output (make sure to put " " around text)
-# BOOL being (Y or N) to do newline at end or not
-function display_c {
- unset COLOR_CODE TEXT NEWLINE
- DEFAULT_COLOR="\E[39m"
- COLOR_CODE=`pick_color $1`
- TEXT="$2"
- if [ "$3" == "N" ]; then
- NEWLINE="-n"
- fi
- echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
-}
-
-# pick_color $COLOR
-# returns appropriate color codes for use in display_c and such
-function pick_color {
- case $1 in
- BLUE) COLOR="\E[34m" ;;
- GREEN) COLOR="\E[32m" ;;
- RED) COLOR="\E[31m" ;;
- YELLOW) COLOR="\E[33m" ;;
- PURPLE) COLOR="\E[35m" ;;
- AQUA) COLOR="\E[36m" ;;
- WHITE) COLOR="\E[1m" ;;
- GREY) COLOR="\E[37m" ;;
- *) COLOR="\E[37m" ;;
- esac
- echo "${COLOR}"
-}
-
-# reset_color
-function reset_color {
- unset NEWLINE
- DEFAULT_COLOR="\E[39m"
- if [ "$1" == "N" ]; then
- NEWLINE="-n"
- fi
- echo ${NEWLINE} -e "${DEFAULT_COLOR}"
-}
-
-# show_help
-# Show command line options help
-function show_help {
- echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns "
- echo -e "\t--help\t\tShows this info"
- echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
- echo -e "\t--generate-cache\tGenerate cached rule file"
+#!/bin/bash
+# By Brielle Bruns
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+# Copyright (C) 2009 - 2014 Brielle Bruns
+# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+# ANSI color sequences
+BLUE="\E[34m"
+GREEN="\E[32m"
+RED="\E[31m"
+YELLOW="\E[33m"
+PURPLE="\E[35m"
+AQUA="\E[36m"
+WHITE="\E[1m"
+GREY="\E[37m"
+DEFAULT_COLOR="\E[39m"
+
+# display_c $COLOR $TEXT BOOL(YN)
+# $COLOR being bash colors
+# $TEXT being what to output (make sure to put " " around text)
+# BOOL being (Y or N) to do newline at end or not
+function display_c {
+ unset COLOR_CODE TEXT NEWLINE
+ DEFAULT_COLOR="\E[39m"
+ COLOR_CODE=`pick_color $1`
+ TEXT="$2"
+ if [ "$3" == "N" ]; then
+ NEWLINE="-n"
+ fi
+ echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"
+}
+
+# pick_color $COLOR
+# returns appropriate color codes for use in display_c and such
+function pick_color {
+ case $1 in
+ BLUE) COLOR="\E[34m" ;;
+ GREEN) COLOR="\E[32m" ;;
+ RED) COLOR="\E[31m" ;;
+ YELLOW) COLOR="\E[33m" ;;
+ PURPLE) COLOR="\E[35m" ;;
+ AQUA) COLOR="\E[36m" ;;
+ WHITE) COLOR="\E[1m" ;;
+ GREY) COLOR="\E[37m" ;;
+ *) COLOR="\E[37m" ;;
+ esac
+ echo "${COLOR}"
+}
+
+# reset_color
+function reset_color {
+ unset NEWLINE
+ DEFAULT_COLOR="\E[39m"
+ if [ "$1" == "N" ]; then
+ NEWLINE="-n"
+ fi
+ echo ${NEWLINE} -e "${DEFAULT_COLOR}"
+}
+
+# show_help
+# Show command line options help
+function show_help {
+ echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns "
+ echo -e "\t--help\t\tShows this info"
+ echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
+ echo -e "\t--generate-cache\tGenerate cached rule file"
 }
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index d7eb8ae..a1bd018 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
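Review bot: `display_c`, `pick_color` and `reset_color` keep their scratch variables (`COLOR_CODE`, `TEXT`, `NEWLINE`, `COLOR`) as globals and then `unset` them by hand, which is the style point here: declaring them with `local` at the top of each function removes the `unset` lines and stops `display_c` from clobbering a caller's `TEXT`. `COLOR_CODE=\`pick_color $1\`` should be `COLOR_CODE=$(pick_color "$1")`, and `echo -e ${NEWLINE} "${COLOR_CODE}${TEXT}${DEFAULT_COLOR}"` interprets backslash escapes inside `$TEXT` as well as in the color codes, so text that originates from configuration or arguments is better printed with `printf`, using `%b` for the color codes and `%s` for the text. `show_help` advertises `--help`, `--flush` and `--generate-cache`, but nothing in this diff parses arguments, so the help text is ahead of the code (or the parser lives outside the diff).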
@@ -1,104 +1,104 @@
-#!/bin/bash
-# By Brielle Bruns
-# URL: http://www.sosdg.org/freestuff/firewall
-# License: GPLv3
-#
-# Copyright (C) 2009 - 2014 Brielle Bruns
-# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-# iptables_rules_flush (ipv6|ipv4)
-# Clear all rules from iptables - be very careful in how this is called as it
-# could easily lock out the user from the network. Best way to be safe, is to
-# call iptables_policy_reset first then this function.
-function iptables_rules_flush {
- IP_VERSION=$1
- case $IP_VERSION in
- ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
- ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
- esac
- ${display_c} RED "Flushing ${IP_VERSION} rules..."
- ${VER_IPTABLES} --flush &>/dev/null
- ${VER_IPTABLES} -F OUTPUT &>/dev/null
- ${VER_IPTABLES} -F PREROUTING &>/dev/null
- ${VER_IPTABLES} -F POSTROUTING &>/dev/null
- for i in `cat $TABLE_NAMES`; do
- ${VER_IPTABLES} -F -t $i &>/dev/null
- done
- ${VER_IPTABLES} -X
-}
-
-# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
-# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
-# If no policy given, assume ACCEPT
-function iptables_policy_reset {
- IP_VERSION=$1
- SET_POLICY=${2=ACCEPT}
- case $IP_VERSION in
- ipv6) VER_IPTABLES=${IP6TABLES} ;;
- ipv4|*) VER_IPTABLES=${IPTABLES} ;;
- esac
- ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
- ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
- ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
- ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
-}
-
-# setup_iptables_chains (ipv4|ipv6)
-# Creates the default chains when called
-function setup_iptables_chains {
- IP_VERSION=$1
- case $IP_VERSION in
- ipv6) VER_IPTABLES=${IP6TABLES};
- IPVER="6" ;;
- ipv4|*) VER_IPTABLES=${IPTABLES}
- IPVER="4" ;;
- esac
- # Create the actual chains
- ${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
- ${VER_IPTABLES} -N ${InPreRules}
- ${VER_IPTABLES} -N ${OutPreRules}
- ${VER_IPTABLES} -N ${Trusted}
- ${VER_IPTABLES} -N ${InEasyBlock}
- ${VER_IPTABLES} -N ${OutEasyBlock}
- ${VER_IPTABLES} -N ${InFilter}
- ${VER_IPTABLES} -N ${OutFilter}
- ${VER_IPTABLES} -N ${FwdFilter}
- ${VER_IPTABLES} -N ${NAT}
- ${VER_IPTABLES} -N ${PortForward}
- ${VER_IPTABLES} -N ${InPostRules}
- ${VER_IPTABLES} -N ${OutPostRules}
-
- # Set up rules - the order matters - we do it separately here
- # for easy viewing of order
- if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
- ${VER_IPTABLES} -A INPUT -j ${InPreRules}
- ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
- if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
- ${VER_IPTABLES} -A INPUT -j ${Trusted}
- if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
- ${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
- ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
- if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
- ${VER_IPTABLES} -A INPUT -j ${InFilter}
- ${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
- ${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
- if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
- ${VER_IPTABLES} -A POSTROUTING -j ${NAT}
- if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
- ${VER_IPTABLES} -A PREROUTING -j ${PortForward}
- if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
- ${VER_IPTABLES} -A INPUT -j ${InPostRules}
- ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
+#!/bin/bash
+# By Brielle Bruns
+# URL: http://www.sosdg.org/freestuff/firewall
+# License: GPLv3
+#
+# Copyright (C) 2009 - 2014 Brielle Bruns
+# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# iptables_rules_flush (ipv6|ipv4)
+# Clear all rules from iptables - be very careful in how this is called as it
+# could easily lock out the user from the network. Best way to be safe, is to
+# call iptables_policy_reset first then this function.
+function iptables_rules_flush {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
+ esac
+ ${display_c} RED "Flushing ${IP_VERSION} rules..."
+ ${VER_IPTABLES} --flush &>/dev/null
+ ${VER_IPTABLES} -F OUTPUT &>/dev/null
+ ${VER_IPTABLES} -F PREROUTING &>/dev/null
+ ${VER_IPTABLES} -F POSTROUTING &>/dev/null
+ for i in `cat $TABLE_NAMES`; do
+ ${VER_IPTABLES} -F -t $i &>/dev/null
+ done
+ ${VER_IPTABLES} -X
+}
+
+# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
+# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
+# If no policy given, assume ACCEPT
+function iptables_policy_reset {
+ IP_VERSION=$1
+ SET_POLICY=${2=ACCEPT}
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES} ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES} ;;
+ esac
+ ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
+ ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
+ ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
+ ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
+}
+
+# setup_iptables_chains (ipv4|ipv6)
+# Creates the default chains when called
+function setup_iptables_chains {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES};
+ IPVER="6" ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES}
+ IPVER="4" ;;
+ esac
+ # Create the actual chains
+ ${display_c} GREEN "Setting up chains for ${IP_VERSION}..."
+ ${VER_IPTABLES} -N ${InPreRules}
+ ${VER_IPTABLES} -N ${OutPreRules}
+ ${VER_IPTABLES} -N ${Trusted}
+ ${VER_IPTABLES} -N ${InEasyBlock}
+ ${VER_IPTABLES} -N ${OutEasyBlock}
+ ${VER_IPTABLES} -N ${InFilter}
+ ${VER_IPTABLES} -N ${OutFilter}
+ ${VER_IPTABLES} -N ${FwdFilter}
+ ${VER_IPTABLES} -N ${NAT}
+ ${VER_IPTABLES} -N ${PortForward}
+ ${VER_IPTABLES} -N ${InPostRules}
+ ${VER_IPTABLES} -N ${OutPostRules}
+
+ # Set up rules - the order matters - we do it separately here
+ # for easy viewing of order
+ if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi
+ ${VER_IPTABLES} -A INPUT -j ${InPreRules}
+ ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
+ if [ -x ${v${IPVER}_Custom_Trust} ]; then . ${v${IPVER}_Custom_Trust}; fi
+ ${VER_IPTABLES} -A INPUT -j ${Trusted}
+ if [ -x ${v${IPVER}_Custom_EasyBlock} ]; then . ${v${IPVER}_Custom_EasyBlock}; fi
+ ${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
+ ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
+ if [ -x ${v${IPVER}_Custom_Filter} ]; then . ${v${IPVER}_Custom_Filter}; fi
+ ${VER_IPTABLES} -A INPUT -j ${InFilter}
+ ${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
+ ${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
+ if [ -x ${v${IPVER}_Custom_NAT} ]; then . ${v${IPVER}_Custom_NAT}; fi
+ ${VER_IPTABLES} -A POSTROUTING -j ${NAT}
+ if [ -x ${v${IPVER}_Custom_PortFw} ]; then . ${v${IPVER}_Custom_PortFw}; fi
+ ${VER_IPTABLES} -A PREROUTING -j ${PortForward}
+ if [ -x ${v${IPVER}_Custom_Post} ]; then . ${v${IPVER}_Custom_Post}; fi
+ ${VER_IPTABLES} -A INPUT -j ${InPostRules}
+ ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
 }
\ No newline at end of file
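Review bot: `if [ -x ${v${IPVER}_Custom_Pre} ]; then . ${v${IPVER}_Custom_Pre}; fi` and the six sibling lines in `setup_iptables_chains` nest a `${…}` inside a parameter name, which bash rejects as a bad substitution, so no custom rule file is ever sourced; use indirect expansion instead, e.g. `custom_pre="v${IPVER}_Custom_Pre"; if [ -x "${!custom_pre}" ]; then . "${!custom_pre}"; fi`. Because these files run with the firewall's privileges whenever they exist and are executable, the guard should also require them to be owned by root and not group/world-writable before sourcing. `SET_POLICY=${2=ACCEPT}` in `iptables_policy_reset` attempts to assign to `$2`, which bash refuses; `${2:-ACCEPT}` is the intended default. In `iptables_rules_flush`, `-F PREROUTING`, `-F POSTROUTING` and the final `-X` all address the filter table, as do `-A POSTROUTING -j ${NAT}` and `-A PREROUTING -j ${PortForward}` here, which need `-t nat`, and `${FwdFilter}` has no definition in etc/chains.conf. The `&>/dev/null` on the flush lines hides every one of these failures, so the script could report a flush while leaving rules in place; at minimum log the exit status of the `-F`/`-X` calls instead of discarding it.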