 
 


  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
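# iptables_rules_flush (ipv6|ipv4)
# Flush every rule and delete every user-defined chain for the given IP
# version, then reset the built-in filter policies to ACCEPT.
#
# $1 - ipv4 or ipv6 (anything other than ipv6 selects ipv4)
#
# Globals read:    IPTABLES, IP6TABLES, display
# Globals written: IP_VERSION, VER_IPTABLES, TABLE_NAMES (left global on
#                  purpose - the other functions in this file share them)
#
# Security note: when this returns the host is completely unfiltered - every
# policy is ACCEPT and no rule is left - until a new ruleset is loaded.  Keep
# the window between this call and the reload as short as possible.  Flushing
# while a built-in policy is still DROP cuts off every session that is not
# covered by a remaining rule, so call iptables_policy_reset first when you
# need a known policy during the teardown.
#
# The filter, nat and mangle tables are always flushed.  The kernel lists the
# tables that are actually loaded in /proc/net/ip{,6}_tables_names; any other
# table found there (raw, security, ...) is flushed as well, so no stale rule
# survives in a table this function used to ignore.  Reading that file only
# works for root, which is the only user that can run this anyway.  iptables
# errors are deliberately silenced: a table or chain that does not exist is
# not a failure for a flush.
function iptables_rules_flush {
  IP_VERSION=$1
  case "$IP_VERSION" in
    ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
  esac
  ${display} GREEN "Flushing ${IP_VERSION} rules..."

  local table tables="filter nat mangle"
  if [ -r "$TABLE_NAMES" ]; then
    while IFS= read -r table || [ -n "$table" ]; do
      [ -n "$table" ] || continue
      case " $tables " in
        *" $table "*) ;;                      # already in the fixed list
        *) tables="$tables $table" ;;
      esac
    done < "$TABLE_NAMES"
  fi

  # -F empties every chain of the table; -X then removes the (now empty)
  # user-defined chains.  Built-in chains cannot be deleted, which is why
  # their policies are reset separately below.
  for table in $tables; do
    ${VER_IPTABLES} -t "$table" -F &>/dev/null
    ${VER_IPTABLES} -t "$table" -X &>/dev/null
  done
  ${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
  ${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
  ${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
}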
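# iptables_policy_reset (ipv6|ipv4) [ACCEPT|DROP]
# Set the policy of the built-in INPUT, OUTPUT and FORWARD chains of the
# filter table.  The policy is what applies to traffic no rule matched, so
# DROP is the fail-closed state a reload should start from and ACCEPT the
# fail-open one.
#
# $1 - ipv4 or ipv6 (anything other than ipv6 selects ipv4)
# $2 - policy target; defaults to ACCEPT when omitted or empty
#
# Globals read:    IPTABLES, IP6TABLES, display_c
# Globals written: IP_VERSION, VER_IPTABLES, SET_POLICY
#
# Bug fixed: the default used to be written as ${2=ACCEPT}.  bash refuses
# that form for positional parameters ("cannot assign in this way"), so a call
# without an explicit policy never set SET_POLICY and the --policy commands
# ran with an empty (or stale) target.  ${2:-ACCEPT} actually supplies the
# default the header comment promised.
function iptables_policy_reset {
  IP_VERSION=$1
  SET_POLICY=${2:-ACCEPT}
  case "$IP_VERSION" in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  # NOTE(review): this uses ${display_c} while the sibling functions use
  # ${display}; kept as-is because the helper is defined elsewhere - confirm
  # it is the intended variant and not a typo.
  ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
  # Not silenced on purpose: failing to set the policy is the one error the
  # caller must see, since everything after it relies on the chosen default.
  ${VER_IPTABLES} --policy INPUT "${SET_POLICY}"
  ${VER_IPTABLES} --policy OUTPUT "${SET_POLICY}"
  ${VER_IPTABLES} --policy FORWARD "${SET_POLICY}"
}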
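# setup_iptables_chains (ipv4|ipv6)
# Create this script's user-defined chains and wire them into the built-in
# chains in traversal order.  Custom hook scripts, when present and executable
# under ${FWCONFIGDIR}/ipv<4|6>/custom/, are sourced (run inside this shell,
# with this script's privileges) at fixed points in between, so a hook sees
# the chains created so far and the globals IP_VERSION, VER_IPTABLES, IPVER.
#
# $1 - ipv4 or ipv6 (anything other than ipv6 selects ipv4)
#
# Resulting order in the filter table:
#   INPUT   -> InPreRules, InEasyBlock, InFilter, InPostRules
#   OUTPUT  -> OutPreRules, OutEasyBlock, OutFilter, OutPostRules
#   FORWARD -> FwdFilter
# and in the nat table: POSTROUTING -> NAT, PREROUTING -> PortForward.
# Hooks, in order, each only if executable:
#   prerun.sh, easyblock.sh, filter.sh, nat.sh, portfw.sh, postrun.sh
#
# Security note: a hook is arbitrary shell executed as the user running this
# script (root, for iptables to work at all).  FWCONFIGDIR and everything
# below it must therefore be owned by root and not writable by anyone else;
# this function does not verify that.
#
# Globals read:    IPTABLES, IP6TABLES, FWCONFIGDIR, display, debug,
#                  DebugColor, and the chain-name variables InPreRules,
#                  OutPreRules, InEasyBlock, OutEasyBlock, InFilter,
#                  OutFilter, FwdFilter, NAT, PortForward, InPostRules,
#                  OutPostRules
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global on purpose -
#                  hooks and the other functions in this file rely on them)
#
# Bug fixed: the hook paths were tested and sourced unquoted, so a
# FWCONFIGDIR containing whitespace made every `[ -x ... ]` test fail and
# silently skipped all hooks.  All paths and chain names are now quoted.
function setup_iptables_chains {
  IP_VERSION=$1
  case "$IP_VERSION" in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  local hookdir="${FWCONFIGDIR}/ipv${IPVER}/custom"

  # Create the chains first so that every hook can append to any of them.
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  ${VER_IPTABLES} -N "${InPreRules}"
  ${VER_IPTABLES} -N "${OutPreRules}"
  ${VER_IPTABLES} -N "${InEasyBlock}"
  ${VER_IPTABLES} -N "${OutEasyBlock}"
  ${VER_IPTABLES} -N "${InFilter}"
  ${VER_IPTABLES} -N "${OutFilter}"
  ${VER_IPTABLES} -N "${FwdFilter}"
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Jump rules are appended in traversal order, one stage at a time, with the
  # matching hook sourced just before its stage is linked in.  The hooks are
  # sourced with no arguments so they inherit this function's positional
  # parameters, as they always did.
  if [ -x "${hookdir}/prerun.sh" ]; then . "${hookdir}/prerun.sh"; fi
  ${debug} ${DebugColor} "Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} ${DebugColor} "Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  if [ -x "${hookdir}/easyblock.sh" ]; then . "${hookdir}/easyblock.sh"; fi
  ${debug} ${DebugColor} "Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} ${DebugColor} "Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  if [ -x "${hookdir}/filter.sh" ]; then . "${hookdir}/filter.sh"; fi
  ${debug} ${DebugColor} "Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} ${DebugColor} "Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} ${DebugColor} "Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  if [ -x "${hookdir}/nat.sh" ]; then . "${hookdir}/nat.sh"; fi
  ${debug} ${DebugColor} "Setting up NAT"
  ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"

  if [ -x "${hookdir}/portfw.sh" ]; then . "${hookdir}/portfw.sh"; fi
  ${debug} ${DebugColor} "Setting up PortForward"
  ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"

  if [ -x "${hookdir}/postrun.sh" ]; then . "${hookdir}/postrun.sh"; fi
  ${debug} ${DebugColor} "Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} ${DebugColor} "Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}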
# allow_all_loopback (ipv4|ipv6)
# Accept all traffic on the loopback interface in both directions by
# appending to the InPreRules/OutPreRules chains, which setup_iptables_chains
# links first on INPUT/OUTPUT - so nothing that follows can block lo.
#
# $1 - ipv4 or ipv6 (anything other than ipv6 selects ipv4)
#
# Globals read:    IPTABLES, IP6TABLES, InPreRules, OutPreRules, debug,
#                  DebugColor
# Globals written: IP_VERSION, VER_IPTABLES, IPVER
function allow_all_loopback {
  IP_VERSION=$1
  if [ "$IP_VERSION" = "ipv6" ]; then
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
  else
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
  fi
  ${debug} ${DebugColor} "allow_all_loopback: loaded"
  ${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
  ${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
}
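# allow_trusted_hosts (ipv4|ipv6)
# Accept all traffic to and from every address listed in
# ${FWCONFIGDIR}/ipv<4|6>/trusted.conf by appending to InPreRules/OutPreRules.
# Those chains run before the EasyBlock and Filter chains, so a trusted entry
# bypasses every other rule of this firewall in both directions.
#
# File format: one or more addresses per line (anything iptables accepts for
# -s/-d, e.g. a host or a CIDR prefix), separated by whitespace.  Blank lines
# are ignored and any line containing '#' is skipped as a comment, exactly as
# before.
#
# Security note: an over-broad entry such as 0.0.0.0/0 or ::/0 switches the
# firewall off for that direction.  Review this file with the same care as
# the rules themselves, and keep it root-owned and not writable by others.
#
# $1 - ipv4 or ipv6 (anything other than ipv6 selects ipv4)
#
# Globals read:    IPTABLES, IP6TABLES, FWCONFIGDIR, InPreRules, OutPreRules,
#                  display, debug, DebugColor
# Globals written: IP_VERSION, VER_IPTABLES, IPVER
#
# Changes from the original: entries are read with `read -r` / `read -a`
# instead of an unquoted `for i in $(grep ...)`, so a stray glob character in
# the file (e.g. a lone '*') is no longer expanded against the current
# directory before being handed to iptables; the path is quoted; and `-f`
# replaces `-e` so a directory at that path is reported as missing instead of
# being passed to grep.
function allow_trusted_hosts {
  IP_VERSION=$1
  case "$IP_VERSION" in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  local line host hosts

  ${debug} ${DebugColor} "allow_trusted_hosts: loading"
  if [ -f "$conf" ]; then
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in *'#'*) continue ;; esac
      read -r -a hosts <<< "$line"           # whitespace split, no globbing
      [ "${#hosts[@]}" -gt 0 ] || continue   # blank / whitespace-only line
      for host in "${hosts[@]}"; do
        ${VER_IPTABLES} -A "${InPreRules}" -s "$host" -j ACCEPT
        ${VER_IPTABLES} -A "${OutPreRules}" -d "$host" -j ACCEPT
      done
    done < "$conf"
    ${debug} ${DebugColor} "allow_trusted_hosts: done"
  else
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} ${DebugColor} "allow_trusted_hosts: failed"
  fi
}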