
Default policy support, which I believe makes this release Alpha 1 quality

tags/v2.01a1
bbruns 6 years ago
parent
commit
d71e8794c6
4 changed files with 40 additions and 10 deletions
  1. +8
    -0
      bin/srfirewall
  2. +11
    -1
      etc/ipv4.conf
  3. +11
    -1
      etc/ipv6.conf
  4. +10
    -8
      lib/iptables.inc

+ 8
- 0
bin/srfirewall

@@ -175,6 +175,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
@@ -200,6 +204,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
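Review bot: The new `Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}` lines only fill in a variable that is unset, and the `default_policy_set ipv4 ${Defaultv4InPolicy} ...` call passes the values unquoted, so a config with `Defaultv4InPolicy=""` drops the empty word and shifts the OUTPUT policy into the INPUT slot and the FORWARD policy into the OUTPUT slot (bash then refuses the callee's `${4=ACCEPT}` on the now-missing fourth parameter). Using `:-` makes empty and unset both fall back to ACCEPT, and quoting the arguments keeps each policy in its own slot; the Defaultv6 lines in the IPv6 branch need the same change. The return status of default_policy_set is also discarded here, so a rejected value leaves the chain at the ACCEPT that the flush set with nothing stopping the run (I cannot see from this hunk whether the script runs under `set -e`). Both enclosing `if` blocks start and end outside the hunks.
```shell
# ":-" so an empty value in the config falls back to ACCEPT as well as an unset one
Defaultv4InPolicy=${Defaultv4InPolicy:-ACCEPT}
Defaultv4OutPolicy=${Defaultv4OutPolicy:-ACCEPT}
Defaultv4FwdPolicy=${Defaultv4FwdPolicy:-ACCEPT}
# Quoted so an empty slot cannot shift the remaining policies left; stop rather than
# continue as if the policy had been applied (the flush has left every chain at ACCEPT)
default_policy_set ipv4 "${Defaultv4InPolicy}" "${Defaultv4OutPolicy}" "${Defaultv4FwdPolicy}" || exit 1
# … unchanged: MSS clamp and conntrack setup …
# … same change for the Defaultv6* lines in the IPv6 branch …
```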


+ 11
- 1
etc/ipv4.conf

@@ -95,4 +95,14 @@ Enablev4NAT="yes"
# external access to internal machines
# Config file: ipv4/portfw.conf
# Values: no | yes (default)
Enablev4PortForwarding="yes"
Enablev4PortForwarding="yes"

# Default policy for filtering rules
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
# Please note if you do not specify policies, they will default to
# ACCEPT, which may not be what you want.
Defaultv4InPolicy="ACCEPT"
Defaultv4OutPolicy="ACCEPT"
Defaultv4FwdPolicy="ACCEPT"
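Review bot: The new comment says unspecified policies default to ACCEPT, but it should also say that an empty value is not treated as unspecified: the `${Defaultv4InPolicy=ACCEPT}` fallback in bin/srfirewall only applies when the variable is unset, so `Defaultv4InPolicy=""` is handed on to `default_policy_set` as an empty word rather than replaced. I would add after the Values line: `# Keep each setting non-empty; an empty value is passed through as-is, not replaced by the default.` Since the sample ships all three at ACCEPT, it is also worth stating that this is allow-by-default and that a gateway will normally want `DROP` on INPUT and FORWARD together with explicit allow rules, so the sample is not mistaken for a recommended posture.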

+ 11
- 1
etc/ipv6.conf

@@ -95,4 +95,14 @@ Enablev6NAT="yes"
# external access to internal machines
# Config file: ipv6/portfw.conf
# Values: no | yes (default)
Enablev6PortForwarding="yes"
Enablev6PortForwarding="yes"

# Default policy for filtering rules
# netfilter/iptables has a default policy that can be set, such as
# DROP all unless it is explicitly allowed via rules.
# Values: ACCEPT (default) | DROP
# Please note if you do not specify policies, they will default to
# ACCEPT, which may not be what you want.
Defaultv6InPolicy="ACCEPT"
Defaultv6OutPolicy="ACCEPT"
Defaultv6FwdPolicy="ACCEPT"
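Review bot: The IPv6 comment block should warn that `DROP` on INPUT must leave ICMPv6 reachable: Neighbor Discovery (RFC 4861) and Path MTU Discovery run over ICMPv6, and an ip6tables INPUT policy of DROP with no ICMPv6 accept rule leaves the host unable to resolve neighbors or receive Packet Too Big messages, which breaks IPv6 entirely. I cannot see from this diff whether srfirewall adds such rules before the policy is applied, so the caveat belongs in the config either way. Suggested line after the Values line: `# With DROP on INPUT, ICMPv6 (neighbor discovery, packet-too-big) must still be accepted or IPv6 stops working; see RFC 4890 for which types to allow.`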

+ 10
- 8
lib/iptables.inc

@@ -30,6 +30,9 @@ function iptables_rules_flush {
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
${display} GREEN "Flushing ${IP_VERSION} rules..."
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
${VER_IPTABLES} -F &>/dev/null
${VER_IPTABLES} -X &>/dev/null
${VER_IPTABLES} -F INPUT &>/dev/null
@@ -39,9 +42,6 @@ function iptables_rules_flush {
${VER_IPTABLES} -t nat -X &>/dev/null
${VER_IPTABLES} -t mangle -F &>/dev/null
${VER_IPTABLES} -t mangle -X &>/dev/null
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
#for i in `cat $TABLE_NAMES`; do
# ${VER_IPTABLES} -F -t $i &>/dev/null
#done
@@ -51,17 +51,19 @@ function iptables_rules_flush {
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
function iptables_policy_reset {
function default_policy_set {
IP_VERSION=$1
SET_POLICY=${2=ACCEPT}
INPOLICY=${2=ACCEPT}
OUTPOLICY=${3=ACCEPT}
FWDPOLICY=${4=ACCEPT}
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
${VER_IPTABLES} --policy INPUT ${INPOLICY}
${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}
}

# setup_iptables_chains (ipv4|ipv6)
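Review bot: The kept line `${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."` still expands `SET_POLICY`, whose assignment this commit removes, so the message now prints an empty policy; it should show the three values, and the header comment above the function still documents `iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)` with a single policy argument. The new `${2=ACCEPT}`/`${3=ACCEPT}`/`${4=ACCEPT}` defaults also never take effect, because bash rejects `${N=word}` on a positional parameter ("cannot assign in this way"); `${2:-ACCEPT}` is the form that works. The three `--policy` calls neither validate the value nor check the exit status, and since iptables_rules_flush has just reset every chain to ACCEPT, a misspelled `DROP` leaves the chain open with only an iptables error on stderr. Restricting the values to ACCEPT/DROP and returning non-zero on failure makes the fail-open case visible to the caller, whose handling of the status lies outside this hunk.
```shell
# default_policy_set (ipv4|ipv6) [INPUT_POLICY] [OUTPUT_POLICY] [FORWARD_POLICY]
# Sets the INPUT/OUTPUT/FORWARD chain policies for ipv4 or ipv6.
# Each omitted policy defaults to ACCEPT; returns non-zero on a bad value
# or a failed iptables call so the caller can stop instead of running open.
function default_policy_set {
  IP_VERSION=$1
  # ${N=word} cannot assign to a positional parameter in bash; ${N:-word} is the working form
  INPOLICY=${2:-ACCEPT}
  OUTPOLICY=${3:-ACCEPT}
  FWDPOLICY=${4:-ACCEPT}
  for pol in "${INPOLICY}" "${OUTPOLICY}" "${FWDPOLICY}"; do
    case ${pol} in
      ACCEPT|DROP) ;;
      *) ${display_c} RED "Invalid default policy '${pol}' (expected ACCEPT or DROP)"; return 1 ;;
    esac
  done
  # … unchanged: VER_IPTABLES selection by IP_VERSION …
  ${display_c} RED "Setting ${IP_VERSION} policies to INPUT=${INPOLICY} OUTPUT=${OUTPOLICY} FORWARD=${FWDPOLICY}..."
  # The flush has just left every chain at ACCEPT, so a failed --policy call is fail-open: do not ignore it
  ${VER_IPTABLES} --policy INPUT "${INPOLICY}" || return 1
  ${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}" || return 1
  ${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}" || return 1
}
```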

