bbruns@gmail.com
7 years ago
4 changed files with 108 additions and 4 deletions
Split View
Diff Options
-
+30 -2bin/srfirewall
-
+42 -0etc/chains.conf
-
+2 -0etc/main.conf
-
+34 -2lib/iptables.inc
+ 30
- 2
bin/srfirewall
View File
| @@ -23,8 +23,8 @@ FW_VERSION="2.0" | |||
| # Important directory locations | |||
| FWPREFIX="/usr/local" | |||
| FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg" | |||
| FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg" | |||
| FWCONFIGDIR="${FWPREFIX}/etc/srfirewall" | |||
| FWLIBDIR="${FWPREFIX}/lib/srfirewall" | |||
| FWBINDIR="${FWPREFIX}/bin" | |||
| # Begin sourcing critical files, because we need things like path right away | |||
| @@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc" | |||
| source "${FWLIBDIR}/iptables.inc" | |||
| source "${FWLIBDIR}/display.inc" | |||
| source "${FWCONFIGDIR}/chains.conf" | |||
| source "${FWCONFIGDIR}/ipv4.conf" | |||
| source "${FWCONFIGDIR}/ipv6.conf" | |||
| # We require at least bash v3 or later at this point given some of the more complex | |||
| # operations we do to make the firewall script work. | |||
| if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
| @@ -40,4 +44,28 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then | |||
| echo "of bash to something more recent, preferably the latest which is, as of this" | |||
| echo "writing, 4.x" | |||
| exit 1 | |||
| fi | |||
| # Swap out display_c command for dummy command if they don't want | |||
| # output when command is run. | |||
| if [[ "${DisplayDetailedOutput" == "yes" ]]; then | |||
| display="display_c" | |||
| else | |||
| display="true" | |||
| fi | |||
| if [[ "${EnableIPv4}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv4 | |||
| # Create the chain sets we'll need and the ones that can be | |||
| # customized by users in their custom rules | |||
| fi | |||
| if [[ "${EnableIPv6}" == "yes" ]]; then | |||
| # First flush all rules | |||
| iptables_rules_flush ipv6 | |||
| fi | |||
+ 42
- 0
etc/chains.conf
View File
| @@ -0,0 +1,42 @@ | |||
| # Chain name mapping | |||
| # Don't change these unless you know what your doing | |||
| InCustomPreRules="In-CustomPreRules" | |||
| InPreRules="In-PreRules" | |||
| OutCustomPreRules="Out-CustomPreRules" | |||
| OutPreRules="Out-PreRules" | |||
| Trusted="In-Trusted" | |||
| InEasyBlock="In-EasyBlock" | |||
| OutEasyBlock="Out-EasyBlock" | |||
| InCustomFilter="In-CustomFilter" | |||
| OutCustomFilter="Out-CustomFilter" | |||
| FwdCustomFilter="Fwd-CustomFilter" | |||
| InFilter="In-Filter" | |||
| OutFilter="Out-Filter" | |||
| CustomNAT="CustomNAT" | |||
| NAT="NAT" | |||
| CustomPortForward="Custom-PortFW" | |||
| PortForward="PortForward" | |||
| InCustomPostRules="In-CustomPostRules" | |||
| InPostRules="In-PostRules" | |||
| OutCustomOstRules="Out-CustomPostRules" | |||
| OutPostRules="Out-PostRules" | |||
+ 2
- 0
etc/main.conf
View File
| @@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}" | |||
| EnableIPv4=yes | |||
| EnableIPv6=yes | |||
| # Display detailed output while running script? | |||
| EnableDetailedOutput=yes | |||
+ 34
- 2
lib/iptables.inc
View File
| @@ -28,7 +28,7 @@ function iptables_rules_flush { | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;; | |||
| esac | |||
| display_c RED "Flushing ${IP_VERSION} rules..." | |||
| ${display_c} RED "Flushing ${IP_VERSION} rules..." | |||
| ${VER_IPTABLES} --flush &>/dev/null | |||
| ${VER_IPTABLES} -F OUTPUT &>/dev/null | |||
| ${VER_IPTABLES} -F PREROUTING &>/dev/null | |||
| @@ -49,8 +49,40 @@ function iptables_policy_reset { | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
| esac | |||
| display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
| ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..." | |||
| ${VER_IPTABLES} --policy INPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY} | |||
| ${VER_IPTABLES} --policy FORWARD ${SET_POLICY} | |||
| } | |||
| # setup_iptables_chains (ipv4|ipv6) | |||
| # Creates the default chains when called | |||
| function setup_uptables_chains { | |||
| IP_VERSION=$1 | |||
| case $IP_VERSION in | |||
| ipv6) VER_IPTABLES=${IP6TABLES} ;; | |||
| ipv4|*) VER_IPTABLES=${IPTABLES} ;; | |||
| esac | |||
| ${display_c} GREEN "Setting up default chains for ${IP_VERSION}..." | |||
| ${VER_IPTABLES} -N ${InCustomPreRules} | |||
| ${VER_IPTABLES} -N ${InPreRules} | |||
| ${VER_IPTABLES} -N ${OutCustomPreRules} | |||
| ${VER_IPTABLES} -N ${OutPreRules} | |||
| ${VER_IPTABLES} -N ${Trusted} | |||
| ${VER_IPTABLES} -N ${InEasyBlock} | |||
| ${VER_IPTABLES} -N ${OutEasyBlock} | |||
| ${VER_IPTABLES} -N ${InCustomFilter} | |||
| ${VER_IPTABLES} -N ${InFilter} | |||
| ${VER_IPTABLES} -N ${OutCustomFilter} | |||
| ${VER_IPTABLES} -N ${OutFilter} | |||
| ${VER_IPTABLES} -N ${FwdCustomFilter} | |||
| ${VER_IPTABLES} -N ${FwdFilter} | |||
| ${VER_IPTABLES} -N ${CustomNAT} | |||
| ${VER_IPTABLES} -N ${NAT} | |||
| ${VER_IPTABLES} -N ${CustomPortForward} | |||
| ${VER_IPTABLES} -N ${PortForward} | |||
| ${VER_IPTABLES} -N ${InCustomPostRules} | |||
| ${VER_IPTABLES} -N ${InPostRules} | |||
| ${VER_IPTABLES} -N ${OutCustomPostRules} | |||
| ${VER_IPTABLES} -N ${InPostRules} | |||
| } | |||