From d43e5ad04dcc1cc561cb1d40ef0431f353f3a683 Mon Sep 17 00:00:00 2001 From: "bbruns@gmail.com" Date: Sun, 30 Mar 2014 18:18:26 +0000 Subject: [PATCH] Some cleaner operations in functions, added some debugging info --- bin/srfirewall | 17 ++++++++++----- etc/ipv4.conf | 9 ++++++-- etc/ipv6.conf | 9 ++++++-- etc/main.conf | 4 ++++ lib/binaries.inc | 1 + lib/iptables.inc | 55 ++++++++++++++++++++++++++++++++++++------------ 6 files changed, 72 insertions(+), 23 deletions(-) diff --git a/bin/srfirewall b/bin/srfirewall index 3bcee55..1a5c6b0 100755 --- a/bin/srfirewall +++ b/bin/srfirewall @@ -76,6 +76,11 @@ fi # exit 2 #fi +# We can't function without certain cli binaries being available +if [ ! -x "${GREP}" ]; then + ${display} RED "Error: grep command not found. Please define GREP variable in main.conf manually." + exit 3 +fi # Basic sanity tests for ip{6}tables binaries and modules if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then @@ -141,11 +146,12 @@ if [ "${EnableIPv4}" == "yes" ]; then # customized by users in their custom rules setup_iptables_chains ipv4 - if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi - if [ "${EnableTrustedv4Hosts}" == "yes" ]; then allow_trusted_hosts ipv4; fi + [ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4 + [ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4 + [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4 fi -# Do IPv4 IPTables Rules +# Do IPv6 IPTables Rules if [ "${EnableIPv6}" == "yes" ]; then # First flush all rules iptables_rules_flush ipv6 @@ -154,7 +160,8 @@ if [ "${EnableIPv6}" == "yes" ]; then # customized by users in their custom rules setup_iptables_chains ipv6 - if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi - if [ "${EnableTrustedv6Hosts}" == "yes" ]; then allow_trusted_hosts ipv6; fi + [ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6 + [ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6 + [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6 fi diff --git a/etc/ipv4.conf b/etc/ipv4.conf index 7640139..499721e 100644 --- a/etc/ipv4.conf +++ b/etc/ipv4.conf @@ -14,6 +14,11 @@ AllowAllv4Loopback="yes" # IMPORTANT: Hosts put in the trusted file will have complete # and unfettered access to the host, ignoring all other rules. # -# Config file is located in ipv4/trusted.conf +# Config file: ipv4/trusted.conf # Values: no | yes (default) -EnableTrustedv4Hosts="yes" \ No newline at end of file +EnableTrustedv4Hosts="yes" + +# Enable MSS clamping to work around MTU size issues +# on network links such as PPPoE and wireless +# Config file: ipv4/mss-clamp.conf +Enablev4MSSClamp="yes" \ No newline at end of file diff --git a/etc/ipv6.conf b/etc/ipv6.conf index 9f54b6d..ff1ee40 100644 --- a/etc/ipv6.conf +++ b/etc/ipv6.conf @@ -14,6 +14,11 @@ AllowAllv6Loopback="yes" # IMPORTANT: Hosts put in the trusted file will have complete # and unfettered access to the host, ignoring all other rules. # -# Config file is located in ipv6/trusted.conf +# Config file: ipv6/trusted.conf # Values: no | yes (default) -EnableTrustedv6Hosts="yes" \ No newline at end of file +EnableTrustedv6Hosts="yes" + +# Enable MSS clamping to work around MTU size issues +# on network links such as PPPoE and wireless +# Config file: ipv6/mss-clamp.conf +Enablev6MSSClamp="yes" \ No newline at end of file diff --git a/etc/main.conf b/etc/main.conf index 742c55f..cfec4b5 100644 --- a/etc/main.conf +++ b/etc/main.conf @@ -35,6 +35,10 @@ DebugColor="PURPLE" #IPTABLES="/sbin/iptables" #IP6TABLES="/sbin/ip6tables" +# Manually override location of grep if needed +# otherwise detect automatically with 'which' +#GREP="/usr/bin/grep" + # There are two types of state matches available, old style # state matching using '--state' and new style '--ctstate' # Values: state | conntrack (default) diff --git a/lib/binaries.inc b/lib/binaries.inc index dbc1fdf..ceac2b7 100644 --- a/lib/binaries.inc +++ b/lib/binaries.inc @@ -22,6 +22,7 @@ MODPROBE=`which modprobe` IPTABLES=`which iptables` IP6TABLES=`which ip6tables` +GREP=`which grep` IP4TablesMod="ip_tables" IP6TablesMod="ip6_tables" \ No newline at end of file diff --git a/lib/iptables.inc b/lib/iptables.inc index 141d65d..68d82e3 100644 --- a/lib/iptables.inc +++ b/lib/iptables.inc @@ -91,32 +91,32 @@ function setup_iptables_chains { # Set up rules - the order matters - we do it separately here # for easy viewing of order if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi - ${debug} ${DebugColor} "Setting up InPreRules" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up InPreRules" ${VER_IPTABLES} -A INPUT -j ${InPreRules} - ${debug} ${DebugColor} "Setting up OutPreRules" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up OutPreRules" ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi - ${debug} ${DebugColor} "Setting up InEasyBlock" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up InEasyBlock" ${VER_IPTABLES} -A INPUT -j ${InEasyBlock} - ${debug} ${DebugColor} "Setting up OutEasyBlock" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up OutEasyBlock" ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi - ${debug} ${DebugColor} "Setting up InFilter" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up InFilter" ${VER_IPTABLES} -A INPUT -j ${InFilter} - ${debug} ${DebugColor} "Setting up OutFilter" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up OutFilter" ${VER_IPTABLES} -A OUTPUT -j ${OutFilter} - ${debug} ${DebugColor} "Setting up FwdFilter" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up FwdFilter" ${VER_IPTABLES} -A FORWARD -j ${FwdFilter} if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi - ${debug} ${DebugColor} "Setting up NAT" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up NAT" ${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT} if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi - ${debug} ${DebugColor} "Setting up PortForward" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up PortForward" ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward} if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi - ${debug} ${DebugColor} "Setting up InPostRules" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up InPostRules" ${VER_IPTABLES} -A INPUT -j ${InPostRules} - ${debug} ${DebugColor} "Setting up OutPostRules" + ${debug} ${DebugColor} "${FUNCNAME}: Setting up OutPostRules" ${VER_IPTABLES} -A OUTPUT -j ${OutPostRules} } @@ -141,16 +141,43 @@ function allow_trusted_hosts { ipv4|*) VER_IPTABLES=${IPTABLES} IPVER="4" ;; esac - ${debug} ${DebugColor} "allow_trusted_hosts: loading" + ${debug} ${DebugColor} "${FUNCNAME}: loading" if [ -e "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" ]; then for i in `grep -v "\#" "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"`; do ${VER_IPTABLES} -A ${InPreRules} -s $i -j ACCEPT ${VER_IPTABLES} -A ${OutPreRules} -d $i -j ACCEPT done - ${debug} ${DebugColor} "allow_trusted_hosts: done" + ${debug} ${DebugColor} "${FUNCNAME}: done" else ${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" ${display} RED "Error: can not load trusted hosts file." - ${debug} ${DebugColor} "allow_trusted_hosts: failed" + ${debug} ${DebugColor} "${FUNCNAME}: failed" + fi +} +function enable_mss_clamp { + IP_VERSION=$1 + case $IP_VERSION in + ipv6) VER_IPTABLES=${IP6TABLES}; + IPVER="6" ;; + ipv4|*) VER_IPTABLES=${IPTABLES} + IPVER="4" ;; + esac + ${debug} ${DebugColor} "${FUNCNAME}: loading" + if [ -e "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" ]; then + while read -r interface mss type; do + [[ ${interface} = \#* ]] && continue + [ ${mss} == "-" ] && mss="1400:1536" + [ ${type} == "-" ] && type="${OutFilter}" + [ ${type} == "out" ] && type="${OutFilter}" + [ ${type} == "fwd" ] && type="${FwdFilter}" + ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ + --clamp-mss-to-pmtu -o $i -m tcpmss --mss ${mss} + done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" + + ${debug} ${DebugColor} "${FUNCNAME}: done" + else + ${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" + ${display} RED "Error: can not load mss clamp file." + ${debug} ${DebugColor} "${FUNCNAME}: failed" fi } \ No newline at end of file