
tags/v2.01a1
bbruns@gmail.com 7 years ago
parent
commit
c94af28d78
4 changed files with 108 additions and 4 deletions
  1. +30
    -2
      bin/srfirewall
  2. +42
    -0
      etc/chains.conf
  3. +2
    -0
      etc/main.conf
  4. +34
    -2
      lib/iptables.inc

+ 30
- 2
bin/srfirewall

@@ -23,8 +23,8 @@ FW_VERSION="2.0"
# Important directory locations
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg"
FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away
@@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
@@ -40,4 +44,28 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [[ "${DisplayDetailedOutput" == "yes" ]]; then
display="display_c"
else
display="true"
fi
if [[ "${EnableIPv4}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
fi
if [[ "${EnableIPv6}" == "yes" ]]; then
# First flush all rules
iptables_rules_flush ipv6
fi
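Review bot: The new test `if [[ "${DisplayDetailedOutput" == "yes" ]]; then` is missing the closing brace of the expansion, so bash stops at that line with a bad-substitution or parse error; it should read `if [[ "${DisplayDetailedOutput}" == "yes" ]]; then`. The names also disagree across the commit: etc/main.conf adds `EnableDetailedOutput`, this block tests `DisplayDetailedOutput` and assigns `display`, while lib/iptables.inc now calls `${display_c}`, which is therefore empty and makes the shell try to run `RED` or `GREEN` as a command. Separately, both the IPv4 and IPv6 branches flush the rule set and then install nothing, so a run leaves the host with no filter rules and whatever chain policy was already in place, unless `iptables_rules_flush` sets one in the part of its body that is not visible here. Calling `iptables_policy_reset` with a DROP policy before the flush would keep the host closed while the rule set is being rebuilt; its argument order is outside the visible hunk.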

+ 42
- 0
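--- a/etc/chains.conf
+++ b/etc/chains.conf
@@ -0,0 +1,42 @@
+# Chain name mapping
+# Don't change these unless you know what your doing
+InCustomPreRules="In-CustomPreRules"
+InPreRules="In-PreRules"
+OutCustomPreRules="Out-CustomPreRules"
+OutPreRules="Out-PreRules"
+Trusted="In-Trusted"
+InEasyBlock="In-EasyBlock"
+OutEasyBlock="Out-EasyBlock"
+InCustomFilter="In-CustomFilter"
+OutCustomFilter="Out-CustomFilter"
+FwdCustomFilter="Fwd-CustomFilter"
+InFilter="In-Filter"
+OutFilter="Out-Filter"
+CustomNAT="CustomNAT"
+NAT="NAT"
+CustomPortForward="Custom-PortFW"
+PortForward="PortForward"
+InCustomPostRules="In-CustomPostRules"
+InPostRules="In-PostRules"
+OutCustomOstRules="Out-CustomPostRules"
+OutPostRules="Out-PostRules"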
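Review bot: The key `OutCustomOstRules` is misspelled, and lib/iptables.inc in this same commit reads `${OutCustomPostRules}`, which will expand to nothing and hand `-N` no chain name; the line should be `OutCustomPostRules="Out-CustomPostRules"`. The map also has no `FwdFilter` entry although the chain setup function creates `${FwdFilter}`; something like `FwdFilter="Fwd-Filter"` would close that gap (the value is assumed from the In-/Out- naming pattern). Since an empty chain name yields a rule set that is silently missing a chain, a check such as `: "${OutCustomPostRules:?}"` for each name after this file is sourced would turn the slip into a hard failure.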

+ 2
- 0
etc/main.conf

@@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
EnableIPv4=yes
EnableIPv6=yes
# Display detailed output while running script?
EnableDetailedOutput=yes

+ 34
- 2
lib/iptables.inc

@@ -28,7 +28,7 @@ function iptables_rules_flush {
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
display_c RED "Flushing ${IP_VERSION} rules..."
${display_c} RED "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} --flush &>/dev/null
${VER_IPTABLES} -F OUTPUT &>/dev/null
${VER_IPTABLES} -F PREROUTING &>/dev/null
@@ -49,8 +49,40 @@ function iptables_policy_reset {
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
}
# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
function setup_uptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InCustomPreRules}
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutCustomPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${Trusted}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InCustomFilter}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutCustomFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdCustomFilter}
${VER_IPTABLES} -N ${FwdFilter}
${VER_IPTABLES} -N ${CustomNAT}
${VER_IPTABLES} -N ${NAT}
${VER_IPTABLES} -N ${CustomPortForward}
${VER_IPTABLES} -N ${PortForward}
${VER_IPTABLES} -N ${InCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutCustomPostRules}
${VER_IPTABLES} -N ${InPostRules}
}
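Review bot: The last statement of the new function creates `${InPostRules}` a second time, so the Out-PostRules chain is never created and the repeated `-N` fails because the chain already exists; it should be `${VER_IPTABLES} -N ${OutPostRules}`. The function is also defined as `setup_uptables_chains` while its header comment documents `setup_iptables_chains`, so a caller using the documented name gets command-not-found; the definition should read `function setup_iptables_chains {`. None of the `-N` calls check their exit status and the chain variables are unquoted, so an unset name (as with the misspelled key in etc/chains.conf) leaves a partially built rule set without stopping the script. Quoting the names and returning non-zero on the first failed `-N` would make such a gap visible before any rules are attached.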
