
  1. #/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. # Static config options, normally do not need to change
  21. FW_VERSION="2.0"
  22. # Important directory locations
  23. FWPREFIX="/usr/local"
  24. FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
  25. FWLIBDIR="${FWPREFIX}/lib/srfirewall"
  26. FWBINDIR="${FWPREFIX}/bin"
  27. # Begin sourcing critical files, because we need things like path right away
  28. source "${FWLIBDIR}/binaries.inc"
  29. source "${FWLIBDIR}/iptables.inc"
  30. source "${FWLIBDIR}/display.inc"
  31. source "${FWCONFIGDIR}/main.conf"
  32. source "${FWCONFIGDIR}/chains.conf"
  33. source "${FWCONFIGDIR}/ipv4.conf"
  34. source "${FWCONFIGDIR}/ipv6.conf"
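# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work (e.g. the (( )) arithmetic
# and the BASH_VERSINFO array used right here).
# The messages go to stderr so they are never mistaken for normal output.
if (( BASH_VERSINFO[0] < 3 )); then
  echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" >&2
  echo "of bash to something more recent, preferably the latest which is, as of this" >&2
  echo "writing, 4.x" >&2
  exit 1
fi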
# Choose the output helper used by every "${display} COLOR msg" call below:
# display_c (colour) or display_m (mono) when detailed output is wanted,
# otherwise the builtin no-op "true" so those calls print nothing.
display="true"
if [[ "${DisplayDetailedOutput}" == "yes" ]]; then
  case "${ColorizeOut}" in
    yes) display="display_c" ;;
    *)   display="display_m" ;;
  esac
fi
# Same selection for the debug helper: display_c / display_m when debug
# output is enabled, otherwise the no-op "true" so "${debug} ..." calls
# are silently discarded.
debug="true"
if [[ "${DisplayDebugInfo}" == "yes" ]]; then
  case "${ColorizeOut}" in
    yes) debug="display_c" ;;
    *)   debug="display_m" ;;
  esac
fi
  65. #if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
  66. # ${display} RED "You must be root to run this script."
  67. # exit 2
  68. #fi
# Basic sanity tests for ip{6}tables binaries and modules.
# Only checked for an enabled address family and skipped under
# DebugOverride. Note that when ${display} was set to the no-op "true"
# above, these failures exit 3 without printing anything.
if [[ "${EnableIPv4}" == "yes" && "${DebugOverride}" != "yes" && ! -x "${IPTABLES}" ]]; then
  ${display} RED "iptables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IPTABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
if [[ "${EnableIPv6}" == "yes" && "${DebugOverride}" != "yes" && ! -x "${IP6TABLES}" ]]; then
  ${display} RED "ip6tables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IP6TABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
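# Load the netfilter core modules when the tables are not registered yet
# (the /proc/net/ip_tables_names entry appears once the ip_tables module is
# present). On failure the address family is switched off for the rest of
# the run instead of aborting, so the other family still gets its rules.
#
# modprobe is invoked directly here. The previous form wrapped it in
# backticks, which ran it as a command substitution and then executed
# whatever it printed as a command; it only "worked" because stdout was
# redirected away. ${IP4TablesMod}/${IP6TablesMod} are left unquoted on
# purpose so a space-separated module list expands to separate arguments
# -- TODO confirm against main.conf.
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
  ${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
  if ! "${MODPROBE}" ${IP4TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP4TablesMod} failed to load."
    ${display} RED "Will continue with IPv4 disabled."
    EnableIPv4="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi
if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
  ${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
  if ! "${MODPROBE}" ${IP6TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP6TablesMod} failed to load."
    ${display} RED "Will continue with IPv6 disabled."
    EnableIPv6="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi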
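# Set up proper state matching variables, since there is old and new style.
# "state"/"STATE" selects the legacy "-m state --state" match; "conntrack",
# an unset StateMatching, or any unrecognised value selects the newer
# "-m conntrack --ctstate". The catch-all "*" lives on the conntrack arm
# only -- in the earlier version it was on the first arm, which made the
# "state" arm unreachable and silently ignored StateMatching=state.
case "${StateMatching}" in
  state|STATE)
    M_STATE="-m state"
    C_STATE="--state"
    ;;
  conntrack|CONNTRACK|*)
    M_STATE="-m conntrack"
    C_STATE="--ctstate"
    ;;
esac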
# Do IPv4 IPTables Rules.
# Order matters: flush first, then create the chain sets (including the
# user-customisable ones), and only then add the loopback / trusted-host
# allow rules into those chains.
if [[ "${EnableIPv4}" == "yes" ]]; then
  iptables_rules_flush ipv4
  setup_iptables_chains ipv4
  if [[ "${AllowAllv4Loopback}" == "yes" ]]; then
    allow_all_loopback ipv4
  fi
  if [[ "${EnableTrustedv4Hosts}" == "yes" ]]; then
    allow_trusted_hosts ipv4
  fi
fi
# Do IPv6 IPTables Rules (mirror of the IPv4 section above).
# Flush, create the chain sets the user rules can hook into, then add the
# loopback / trusted-host allow rules.
if [[ "${EnableIPv6}" == "yes" ]]; then
  iptables_rules_flush ipv6
  setup_iptables_chains ipv6
  if [[ "${AllowAllv6Loopback}" == "yes" ]]; then
    allow_all_loopback ipv6
  fi
  if [[ "${EnableTrustedv6Hosts}" == "yes" ]]; then
    allow_trusted_hosts ipv6
  fi
fi