
  1. #/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. # Static config options, normally do not need to change
  21. FW_VERSION="2.1"
  22. # Important directory locations
  23. FWPREFIX="/usr/local"
  24. FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
  25. FWLIBDIR="${FWPREFIX}/lib/srfirewall"
  26. FWBINDIR="${FWPREFIX}/bin"
  27. # Begin sourcing critical files, because we need things like path right away
  28. source "${FWLIBDIR}/binaries.inc"
  29. source "${FWLIBDIR}/iptables.inc"
  30. source "${FWLIBDIR}/display.inc"
  31. source "${FWLIBDIR}/kernel.inc"
  32. source "${FWCONFIGDIR}/main.conf"
  33. source "${FWCONFIGDIR}/chains.conf"
  34. source "${FWCONFIGDIR}/ipv4.conf"
  35. source "${FWCONFIGDIR}/ipv6.conf"
  36. # The local.conf file can be used to override any of the above files without having to worry
  37. # about changes being overwritten when upgrading. Mostly useful for people who use a package
  38. # manager.
  39. [[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"
  40. [[ -e "${FWCONFIGDIR}/ipv4/local.conf" ]] && source "${FWCONFIGDIR}/ipv4/local.conf"
  41. [[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"
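# We require at least bash v2 or later at this point given some of the more complex
# operations we do to make the firewall script work.
# The original comparison was "<= 2", which rejected bash 2.x even though the
# comment and the message below both say 2.0 is the minimum; "< 2" matches the
# stated requirement. Diagnostics go to stderr so they are not mistaken for
# firewall output.
if (( ${BASH_VERSINFO[0]} < 2 )); then
  echo "Error: We can only run with bash 2.0 or higher. Please upgrade your version" >&2
  echo "of bash to something more recent, preferably the latest which is, as of this" >&2
  echo "writing, 4.x" >&2
  exit 1
fi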
# Swap out display_c command for dummy command if they don't want
# output when command is run.
# Choose the printer once (colorized or monochrome) and hand it to both the
# detailed-output and the debug-output switches; "true" is the no-op stand-in.
if [[ "${ColorizeOut}" == "yes" ]]; then
  fw_printer="display_c"
else
  fw_printer="display_m"
fi
display="true"
[[ "${DisplayDetailedOutput}" == "yes" ]] && display="${fw_printer}"
# Swap out debug command for dummy command if they don't want
# debug output when command is run.
debug="true"
[[ "${DisplayDebugInfo}" == "yes" ]] && debug="${fw_printer}"
unset fw_printer
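# Parse command line args
#   -h  show help and exit
#   -v  show version and exit
#   -f  flush the rules of every enabled protocol, open the default policies
#       (ACCEPT) and exit -- the host is unfiltered until the script is re-run
#   -g  present in the option string but not acted on
while getopts "hfgv" opt; do
  case "${opt}" in
    h)
      show_help
      exit 0
      ;;
    v)
      show_version
      exit 0
      ;;
    f)
      [[ "${EnableIPv4}" == "yes" ]] && iptables_rules_flush ipv4
      [[ "${EnableIPv6}" == "yes" ]] && iptables_rules_flush ipv6
      [[ "${EnableIPv6}" == "yes" ]] && default_policy_set ipv6 ACCEPT ACCEPT ACCEPT
      [[ "${EnableIPv4}" == "yes" ]] && default_policy_set ipv4 ACCEPT ACCEPT ACCEPT
      exit 0
      ;;
    g)
      # Reserved: accepted so getopts does not reject it, otherwise a no-op.
      ;;
    \?)
      # An unknown option used to be reported and then ignored, after which the
      # script went on to rewrite the live ruleset; treat it as a usage error.
      echo "Invalid option: -${OPTARG}" >&2
      exit 2
      ;;
  esac
done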
# Root check, left disabled as in the original. Without it a non-root run only
# fails later, at the first iptables call, with a less direct message.
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
# ${display} RED "You must be root to run this script."
# exit 2
#fi
# We can't function without certain cli binaries being available.
# GREP comes from main.conf (or binaries.inc); abort early when it is not an
# executable so later pipelines do not fail one by one.
[[ -x "${GREP}" ]] || {
  ${display} RED "Error: grep command not found. Please define GREP variable in main.conf manually."
  exit 3
}
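# Basic sanity tests for ip{6}tables binaries and modules.
# Each check is skipped when the protocol is disabled or DebugOverride=yes
# (so the script can be dry-run on a host without netfilter).
if [[ ! -x "${IPTABLES}" && "${EnableIPv4}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "iptables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IPTABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
if [[ ! -x "${IP6TABLES}" && "${EnableIPv6}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "ip6tables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IP6TABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
# The /proc/net/ip_tables_names (resp. ip6_tables_names) file is used as the
# "netfilter modules are loaded" signal; when it is missing we try modprobe once
# and, on failure, disable that protocol rather than abort.
# The original wrapped modprobe in backticks, i.e. it ran the command and then
# tried to execute its (discarded) output as a second command; the command is
# now tested directly. MODPROBE and IP*TablesMod stay unquoted as before so a
# multi-word value from main.conf is still split into separate arguments --
# TODO confirm against main.conf.
if [[ ! -e "/proc/net/ip_tables_names" && "${EnableIPv4}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
  if ! ${MODPROBE} ${IP4TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP4TablesMod} failed to load."
    ${display} RED "Will continue with IPv4 disabled."
    EnableIPv4="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi
if [[ ! -e "/proc/net/ip6_tables_names" && "${EnableIPv6}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
  if ! ${MODPROBE} ${IP6TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP6TablesMod} failed to load."
    ${display} RED "Will continue with IPv6 disabled."
    EnableIPv6="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi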
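# Set up proper state matching variables, since there is old and new style.
#######################################
# Select the iptables state-match syntax from $StateMatching.
# Globals:   StateMatching (read), M_STATE and C_STATE (written)
# Arguments: none
# Returns:   0
#
# "state"/"STATE" selects the legacy "-m state --state" form; every other
# value -- "conntrack", "CONNTRACK", unset, empty or unrecognized -- selects
# "-m conntrack --ctstate". The original case listed "*" inside the conntrack
# arm, which matched first for every value and made the state arm unreachable,
# so StateMatching=state was silently ignored.
#######################################
fw_select_state_matching() {
  case "${StateMatching}" in
    state|STATE)
      M_STATE="-m state"
      C_STATE="--state"
      ;;
    *)
      M_STATE="-m conntrack"
      C_STATE="--ctstate"
      ;;
  esac
}
fw_select_state_matching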
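# Do IPv4 IPTables Rules
if [[ "${EnableIPv4}" == "yes" ]]; then
  # Commands to run before everything else.
  # NOTE: the custom hooks are sourced into this shell, so whatever is in
  # ${FWCONFIGDIR}/ipv4/custom/ runs with the firewall's own privileges; keep
  # those files owned by root and not writable by other users.
  if [[ -x "${FWCONFIGDIR}/ipv4/custom/runbefore.sh" ]]; then . "${FWCONFIGDIR}/ipv4/custom/runbefore.sh"; fi
  # First flush all rules
  iptables_rules_flush ipv4
  # Create the chain sets we'll need and the ones that can be
  # customized by users in their custom rules
  setup_iptables_chains ipv4
  [[ "${AllowAllv4Loopback}" == "yes" ]] && allow_all_loopback ipv4
  [[ "${EnableTrustedv4Hosts}" == "yes" ]] && allow_trusted_hosts ipv4
  # Default chain policies. ":=" (instead of the original "=") also replaces an
  # explicitly empty value, so default_policy_set always receives its three
  # arguments in the right positions.
  : "${Defaultv4InPolicy:=ACCEPT}"
  : "${Defaultv4OutPolicy:=ACCEPT}"
  : "${Defaultv4FwdPolicy:=ACCEPT}"
  default_policy_set ipv4 "${Defaultv4InPolicy}" "${Defaultv4OutPolicy}" "${Defaultv4FwdPolicy}"
  # Kernel modules are only loaded when both module loading and connection
  # tracking are enabled; the NAT set additionally requires NAT itself.
  if [[ "${Enablev4NetfilterModules}" == "yes" && "${Enablev4ConnectionTracking}" == "yes" ]]; then
    load_kernel_modules "${Loadv4NetfilterModules}"
    [[ "${Enablev4NAT}" == "yes" ]] && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
  fi
  [[ "${Enablev4MSSClamp}" == "yes" ]] && enable_mss_clamp ipv4
  [[ "${Enablev4ConnTrackInterfaces}" != "none" && "${Enablev4ConnectionTracking}" == "yes" ]] \
    && enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
  [[ "${DNSClientUsev4ResolvConf}" == "yes" ]] && allow_resolvconf_servers ipv4
  [[ -n "${DNSClientManualv4Servers}" ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
  # Rule groups, kept in the original order.
  [[ "${Enablev4EasyBlock}" == "yes" ]] && enable_easyblock ipv4
  [[ "${Enablev4Filtering}" == "yes" ]] && enable_filtering ipv4
  [[ "${Enablev4Services}" == "yes" ]] && enable_services ipv4
  [[ "${Enablev4Forwarding}" == "yes" ]] && enable_forwarding ipv4
  [[ "${Enablev4NAT}" == "yes" ]] && enable_nat ipv4
  [[ "${Enablev4PortForwarding}" == "yes" ]] && enable_portfw ipv4
  # Commands to run after everything else (same hook caveat as runbefore.sh)
  if [[ -x "${FWCONFIGDIR}/ipv4/custom/runafter.sh" ]]; then . "${FWCONFIGDIR}/ipv4/custom/runafter.sh"; fi
fi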
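# Do IPv6 IPTables Rules
if [[ "${EnableIPv6}" == "yes" ]]; then
  # Commands to run before everything else.
  # NOTE: the custom hooks are sourced into this shell, so whatever is in
  # ${FWCONFIGDIR}/ipv6/custom/ runs with the firewall's own privileges; keep
  # those files owned by root and not writable by other users.
  if [[ -x "${FWCONFIGDIR}/ipv6/custom/runbefore.sh" ]]; then . "${FWCONFIGDIR}/ipv6/custom/runbefore.sh"; fi
  # First flush all rules
  iptables_rules_flush ipv6
  # Create the chain sets we'll need and the ones that can be
  # customized by users in their custom rules
  setup_iptables_chains ipv6
  [[ "${AllowAllv6Loopback}" == "yes" ]] && allow_all_loopback ipv6
  [[ "${EnableTrustedv6Hosts}" == "yes" ]] && allow_trusted_hosts ipv6
  # Always allowed, before the default policies are applied -- presumably
  # because basic IPv6 operation depends on ICMPv6 (see iptables.inc).
  enable_v6_critical_icmp
  # Default chain policies. ":=" (instead of the original "=") also replaces an
  # explicitly empty value, so default_policy_set always receives its three
  # arguments in the right positions.
  : "${Defaultv6InPolicy:=ACCEPT}"
  : "${Defaultv6OutPolicy:=ACCEPT}"
  : "${Defaultv6FwdPolicy:=ACCEPT}"
  default_policy_set ipv6 "${Defaultv6InPolicy}" "${Defaultv6OutPolicy}" "${Defaultv6FwdPolicy}"
  # Kernel modules are only loaded when both module loading and connection
  # tracking are enabled; the NAT set additionally requires NAT itself.
  if [[ "${Enablev6NetfilterModules}" == "yes" && "${Enablev6ConnectionTracking}" == "yes" ]]; then
    load_kernel_modules "${Loadv6NetfilterModules}"
    [[ "${Enablev6NAT}" == "yes" ]] && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
  fi
  [[ "${Enablev6MSSClamp}" == "yes" ]] && enable_mss_clamp ipv6
  [[ "${Enablev6ConnTrackInterfaces}" != "none" && "${Enablev6ConnectionTracking}" == "yes" ]] \
    && enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
  [[ "${DNSClientUsev6ResolvConf}" == "yes" ]] && allow_resolvconf_servers ipv6
  [[ -n "${DNSClientManualv6Servers}" ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
  # Rule groups, kept in the original order.
  [[ "${Enablev6EasyBlock}" == "yes" ]] && enable_easyblock ipv6
  [[ "${Enablev6Filtering}" == "yes" ]] && enable_filtering ipv6
  [[ "${Enablev6Services}" == "yes" ]] && enable_services ipv6
  [[ "${Enablev6Forwarding}" == "yes" ]] && enable_forwarding ipv6
  [[ "${Enablev6NAT}" == "yes" ]] && enable_nat ipv6
  [[ "${Enablev6PortForwarding}" == "yes" ]] && enable_portfw ipv6
  # sysctl tweaks are only applied from the IPv6 branch, as in the original.
  [[ "${EnableSysctlTweaks}" == "yes" ]] && sysctl_tweaks
  # Commands to run after everything else (same hook caveat as runbefore.sh)
  if [[ -x "${FWCONFIGDIR}/ipv6/custom/runafter.sh" ]]; then . "${FWCONFIGDIR}/ipv6/custom/runafter.sh"; fi
fi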