From c94af28d78261bce8af9a5f9799bb6086db8974d Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sat, 1 Mar 2014 18:23:05 +0000
Subject: [PATCH]
---
 bin/srfirewall | 32 ++++++++++++++++++++++++++++++--
 etc/chains.conf | 42 ++++++++++++++++++++++++++++++++++++++++++
 etc/main.conf | 2 ++
 lib/iptables.inc | 36 ++++++++++++++++++++++++++++++++++--
 4 files changed, 108 insertions(+), 4 deletions(-)
 create mode 100644 etc/chains.conf
diff --git a/bin/srfirewall b/bin/srfirewall
index 799f2a5..aa91adf 100644
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -23,8 +23,8 @@ FW_VERSION="2.0"
 # Important directory locations
 FWPREFIX="/usr/local"
-FWCONFIGDIR="${FWPREFIX}/etc/firewall-sosdg"
-FWLIBDIR="${FWPREFIX}/lib/firewall-sosdg"
+FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
+FWLIBDIR="${FWPREFIX}/lib/srfirewall"
 FWBINDIR="${FWPREFIX}/bin"
 # Begin sourcing critical files, because we need things like path right away
@@ -33,6 +33,10 @@ source "${FWLIBDIR}/binaries.inc"
 source "${FWLIBDIR}/iptables.inc"
 source "${FWLIBDIR}/display.inc"
+source "${FWCONFIGDIR}/chains.conf"
+source "${FWCONFIGDIR}/ipv4.conf"
+source "${FWCONFIGDIR}/ipv6.conf"
+
 # We require at least bash v3 or later at this point given some of the more complex
 # operations we do to make the firewall script work.
 if (( ${BASH_VERSINFO[0]} <= "2" )); then
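Review bot: The three new `source` lines execute `${FWCONFIGDIR}/chains.conf`, `ipv4.conf` and `ipv6.conf` as shell code with whatever privileges the firewall script runs under, and nothing checks that the files exist or who can write to them; `ipv4.conf` and `ipv6.conf` are not created by this patch (the diffstat adds only `etc/chains.conf`), so on a fresh install each of those `source` calls fails with a not-found error and, unless the script runs under `set -e` (its header is outside this hunk), execution continues with the variables they were meant to define left unset. A per-file guard such as `[[ -r "${FWCONFIGDIR}/ipv4.conf" ]] || { echo "missing ${FWCONFIGDIR}/ipv4.conf" >&2; exit 1; }` makes the failure explicit. For a script that drives iptables it is also worth refusing config files that are group- or world-writable, since their contents are executed verbatim.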
@@ -40,4 +44,28 @@ if (( ${BASH_VERSINFO[0]} <= "2" )); then
 echo "of bash to something more recent, preferably the latest which is, as of this"
 echo "writing, 4.x"
 exit 1
+fi
+
+# Swap out display_c command for dummy command if they don't want
+# output when command is run.
+if [[ "${DisplayDetailedOutput" == "yes" ]]; then
+ display="display_c"
+else
+ display="true"
+fi
+
+if [[ "${EnableIPv4}" == "yes" ]]; then
+ # First flush all rules
+ iptables_rules_flush ipv4
+
+ # Create the chain sets we'll need and the ones that can be
+ # customized by users in their custom rules
+
+
+
+fi
+
+if [[ "${EnableIPv6}" == "yes" ]]; then
+ # First flush all rules
+ iptables_rules_flush ipv6
 fi
\ No newline at end of file
diff --git a/etc/chains.conf b/etc/chains.conf
new file mode 100644
index 0000000..17c0d1d
--- /dev/null
+++ b/etc/chains.conf
@@ -0,0 +1,42 @@
+# Chain name mapping
+# Don't change these unless you know what your doing
+
+InCustomPreRules="In-CustomPreRules"
+
+InPreRules="In-PreRules"
+
+OutCustomPreRules="Out-CustomPreRules"
+
+OutPreRules="Out-PreRules"
+
+Trusted="In-Trusted"
+
+InEasyBlock="In-EasyBlock"
+
+OutEasyBlock="Out-EasyBlock"
+
+InCustomFilter="In-CustomFilter"
+
+OutCustomFilter="Out-CustomFilter"
+
+FwdCustomFilter="Fwd-CustomFilter"
+
+InFilter="In-Filter"
+
+OutFilter="Out-Filter"
+
+CustomNAT="CustomNAT"
+
+NAT="NAT"
+
+CustomPortForward="Custom-PortFW"
+
+PortForward="PortForward"
+
+InCustomPostRules="In-CustomPostRules"
+
+InPostRules="In-PostRules"
+
+OutCustomOstRules="Out-CustomPostRules"
+
+OutPostRules="Out-PostRules"
\ No newline at end of file
diff --git a/etc/main.conf b/etc/main.conf
index 7a47fa8..dcbd297 100644
--- a/etc/main.conf
+++ b/etc/main.conf
@@ -7,3 +7,5 @@ PREFIX="/bin:/sbin:/usr/bin:/usr/sbin:${PREFIX}"
 EnableIPv4=yes
 EnableIPv6=yes
+# Display detailed output while running script?
+EnableDetailedOutput=yes
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 6529a74..9e87d45 100644
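Review bot: `[[ "${DisplayDetailedOutput" == "yes" ]]` is missing its closing brace, which bash rejects as a bad substitution, and the name matches nothing — this patch adds `EnableDetailedOutput` to `etc/main.conf`, while `lib/iptables.inc` expands `${display_c}` rather than the `display` assigned here; the line should read `if [[ "${EnableDetailedOutput}" == "yes" ]]; then` and the script and library need to agree on one variable name. More importantly for a firewall, the IPv4 branch calls `iptables_rules_flush ipv4` and then does nothing (the chain-creation section is three blank lines), so running this revision strips every rule and leaves the host on the built-in chain policies alone — fail-open wherever those are still the kernel default of ACCEPT. Until the rules are actually rebuilt, either leave the flush call out or precede it with a DROP policy (`iptables_policy_reset` in lib/iptables.inc reads `SET_POLICY`, but how it receives that value is outside this diff). That flush-to-rebuild window will exist even once the code is complete, so setting DROP policies before flushing is the safer order in general.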
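Review bot: `OutCustomOstRules="Out-CustomPostRules"` is misspelled — `lib/iptables.inc` in this same patch reads `${OutCustomPostRules}`, which stays empty, so the corresponding `-N` runs with no chain name; that file also expands `${FwdFilter}`, for which this config defines nothing. Rename the key to `OutCustomPostRules="Out-CustomPostRules"` and add a `FwdFilter` entry (`FwdFilter="Fwd-Filter"` would follow the In-/Out- pattern, but confirm the intended name). Since every value here is sourced as shell and then passed unquoted to iptables, the header comment should say so; "your doing" should also be "you're doing".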
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -28,7 +28,7 @@ function iptables_rules_flush {
 ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
 ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
 esac
- display_c RED "Flushing ${IP_VERSION} rules..."
+ ${display_c} RED "Flushing ${IP_VERSION} rules..."
 ${VER_IPTABLES} --flush &>/dev/null
 ${VER_IPTABLES} -F OUTPUT &>/dev/null
 ${VER_IPTABLES} -F PREROUTING &>/dev/null
@@ -49,8 +49,40 @@ function iptables_policy_reset {
 ipv6) VER_IPTABLES=${IP6TABLES} ;;
 ipv4|*) VER_IPTABLES=${IPTABLES} ;;
 esac
- display_c RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
+ ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
 ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
 ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
 ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
+}
+
+# setup_iptables_chains (ipv4|ipv6)
+# Creates the default chains when called
+function setup_uptables_chains {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES} ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES} ;;
+ esac
+ ${display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
+ ${VER_IPTABLES} -N ${InCustomPreRules}
+ ${VER_IPTABLES} -N ${InPreRules}
+ ${VER_IPTABLES} -N ${OutCustomPreRules}
+ ${VER_IPTABLES} -N ${OutPreRules}
+ ${VER_IPTABLES} -N ${Trusted}
+ ${VER_IPTABLES} -N ${InEasyBlock}
+ ${VER_IPTABLES} -N ${OutEasyBlock}
+ ${VER_IPTABLES} -N ${InCustomFilter}
+ ${VER_IPTABLES} -N ${InFilter}
+ ${VER_IPTABLES} -N ${OutCustomFilter}
+ ${VER_IPTABLES} -N ${OutFilter}
+ ${VER_IPTABLES} -N ${FwdCustomFilter}
+ ${VER_IPTABLES} -N ${FwdFilter}
+ ${VER_IPTABLES} -N ${CustomNAT}
+ ${VER_IPTABLES} -N ${NAT}
+ ${VER_IPTABLES} -N ${CustomPortForward}
+ ${VER_IPTABLES} -N ${PortForward}
+ ${VER_IPTABLES} -N ${InCustomPostRules}
+ ${VER_IPTABLES} -N ${InPostRules}
+ ${VER_IPTABLES} -N ${OutCustomPostRules}
+ ${VER_IPTABLES} -N ${InPostRules}
 }
\ No newline at end of file
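Review bot: `${display_c}` on the `+` line is never assigned anywhere in this patch — `bin/srfirewall` sets `display`, not `display_c` — so the line expands to `RED "Flushing ${IP_VERSION} rules..."` and bash tries to run a command named `RED` (or aborts under `set -u`). Use the variable the script actually sets, with the original command as the fallback so the library still works when called without it: `${display:-display_c} RED "Flushing ${IP_VERSION} rules..."`. iptables_rules_flush starts before this hunk and continues after it.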
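Review bot: The function is defined as `setup_uptables_chains` while its own header comment (and any caller) says `setup_iptables_chains`, and the final line repeats `-N ${InPostRules}` instead of `${OutPostRules}`, so `Out-PostRules` is never created and the duplicate `-N` fails with a chain-exists error. Two more names resolve to empty strings against the `etc/chains.conf` in this patch — `${FwdFilter}` is not defined there at all and `${OutCustomPostRules}` is misspelled `OutCustomOstRules` — so those `-N` calls run with no chain name, and because no `-N` exit code is checked the gaps only surface later when a `-j` into the missing chain is rejected. `${display_c}` has the same problem as in the flush hunk: `bin/srfirewall` assigns `display`. If `${CustomNAT}`, `${NAT}`, `${CustomPortForward}` and `${PortForward}` are meant for the nat table they also need `-t nat`; as written every chain lands in filter. A loop that refuses an empty name and stops on the first failed `-N` removes this whole class of copy-paste error:
```shell
function setup_iptables_chains {
  local IP_VERSION=$1 VER_IPTABLES chain
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  ${display:-display_c} GREEN "Setting up default chains for ${IP_VERSION}..."
  # TODO(review): confirm whether the NAT/PortForward chains belong in -t nat
  for chain in "${InCustomPreRules}" "${InPreRules}" "${OutCustomPreRules}" "${OutPreRules}" \
      "${Trusted}" "${InEasyBlock}" "${OutEasyBlock}" \
      "${InCustomFilter}" "${InFilter}" "${OutCustomFilter}" "${OutFilter}" \
      "${FwdCustomFilter}" "${FwdFilter}" "${CustomNAT}" "${NAT}" \
      "${CustomPortForward}" "${PortForward}" \
      "${InCustomPostRules}" "${InPostRules}" "${OutCustomPostRules}" "${OutPostRules}"; do
    if [[ -z "${chain}" ]]; then
      echo "setup_iptables_chains: empty chain name - check chains.conf" >&2
      return 1
    fi
    "${VER_IPTABLES}" -N "${chain}" || return 1
  done
}
```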