brielle
/
SRFirewall
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 6 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20 Commits
1 Branch
227 KiB
 
 
Tree: 35504323b6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35504323b6'
${ noResults }
SRFirewall/lib/iptables.inc

156 lines
6.0 KiB
Raw Blame History 

  1. #!/bin/bash

  2. # By Brielle Bruns <bruns@2mbit.com>

  3. # URL: http://www.sosdg.org/freestuff/firewall

  4. # License: GPLv3

  5. #

  6. #    Copyright (C) 2009 - 2014  Brielle Bruns

  7. #    Copyright (C) 2009 - 2014  The Summit Open Source Development Group

  8. #

  9. #    This program is free software: you can redistribute it and/or modify

  10. #    it under the terms of the GNU General Public License as published by

  11. #    the Free Software Foundation, either version 3 of the License, or

  12. #    (at your option) any later version.

  13. #

  14. #    This program is distributed in the hope that it will be useful,

  15. #    but WITHOUT ANY WARRANTY; without even the implied warranty of

  16. #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  17. #    GNU General Public License for more details.

  18. #    You should have received a copy of the GNU General Public License

  19. #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

  20. 

  21. 

  22. # iptables_rules_flush (ipv6|ipv4)

  23. # Clear all rules from iptables - be very careful in how this is called as it

  24. # could easily lock out the user from the network.  Best way to be safe, is to

  25. # call iptables_policy_reset first then this function.

  26. function iptables_rules_flush {

  27. 	IP_VERSION=$1

  28. 	case $IP_VERSION in

  29. 		ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;

  30. 		ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;

  31. 	esac

  32. 	${display} GREEN "Flushing ${IP_VERSION} rules..."

  33. 	${VER_IPTABLES} -F &>/dev/null

  34. 	${VER_IPTABLES} -X &>/dev/null

  35. 	${VER_IPTABLES} -F INPUT &>/dev/null

  36. 	${VER_IPTABLES} -F OUTPUT &>/dev/null

  37. 	${VER_IPTABLES} -F FORWARD &>/dev/null

  38. 	${VER_IPTABLES} -t nat -F &>/dev/null

  39. 	${VER_IPTABLES} -t nat -X &>/dev/null

  40. 	${VER_IPTABLES} -t mangle -F &>/dev/null

  41. 	${VER_IPTABLES} -t mangle -X &>/dev/null

  42. 	${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null

  43. 	${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null

  44. 	${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null

  45. 	#for i in `cat $TABLE_NAMES`; do

  46. 	#	${VER_IPTABLES} -F -t $i &>/dev/null

  47. 	#done

  48. 	#${VER_IPTABLES} -X

  49. }

  50. 

  51. # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)

  52. # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6

  53. # If no policy given, assume ACCEPT

  54. function iptables_policy_reset {

  55. 	IP_VERSION=$1

  56. 	SET_POLICY=${2=ACCEPT}

  57. 	case $IP_VERSION in

  58. 		ipv6) VER_IPTABLES=${IP6TABLES} ;;

  59. 		ipv4|*) VER_IPTABLES=${IPTABLES} ;;

  60. 	esac

  61. 	${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."

  62. 	${VER_IPTABLES} --policy INPUT ${SET_POLICY}

  63. 	${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}

  64. 	${VER_IPTABLES} --policy FORWARD ${SET_POLICY}

  65. }

  66. 

  67. # setup_iptables_chains (ipv4|ipv6)

  68. # Creates the default chains when called

  69. function setup_iptables_chains {

  70. 	IP_VERSION=$1

  71. 	case $IP_VERSION in

  72. 		ipv6) VER_IPTABLES=${IP6TABLES};

  73. 				IPVER="6" ;;

  74. 		ipv4|*) VER_IPTABLES=${IPTABLES}

  75. 				IPVER="4" ;;

  76. 	esac

  77. 	# Create the actual chains

  78. 	${display} GREEN "Setting up chains for ${IP_VERSION}..."

  79. 	${VER_IPTABLES} -N ${InPreRules}

  80. 	${VER_IPTABLES} -N ${OutPreRules}

  81. 	${VER_IPTABLES} -N ${InEasyBlock}

  82. 	${VER_IPTABLES} -N ${OutEasyBlock}

  83. 	${VER_IPTABLES} -N ${InFilter}

  84. 	${VER_IPTABLES} -N ${OutFilter}

  85. 	${VER_IPTABLES} -N ${FwdFilter}

  86. 	${VER_IPTABLES} -N ${NAT} -t nat

  87. 	${VER_IPTABLES} -N ${PortForward} -t nat

  88. 	${VER_IPTABLES} -N ${InPostRules}

  89. 	${VER_IPTABLES} -N ${OutPostRules}

  90. 	

  91. 	# Set up rules - the order matters - we do it separately here

  92. 	# for easy viewing of order

  93. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi

  94. 	${debug} ${DebugColor} "Setting up InPreRules"

  95. 	${VER_IPTABLES} -A INPUT -j ${InPreRules}

  96. 	${debug} ${DebugColor} "Setting up OutPreRules"

  97. 	${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}

  98. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi

  99. 	${debug} ${DebugColor} "Setting up InEasyBlock"

  100. 	${VER_IPTABLES} -A INPUT -j ${InEasyBlock}

  101. 	${debug} ${DebugColor} "Setting up OutEasyBlock"

  102. 	${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}

  103. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi

  104. 	${debug} ${DebugColor} "Setting up InFilter"

  105. 	${VER_IPTABLES} -A INPUT -j ${InFilter}

  106. 	${debug} ${DebugColor} "Setting up OutFilter"

  107. 	${VER_IPTABLES} -A OUTPUT -j ${OutFilter}

  108. 	${debug} ${DebugColor} "Setting up FwdFilter"

  109. 	${VER_IPTABLES} -A FORWARD -j ${FwdFilter}

  110. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi

  111. 	${debug} ${DebugColor} "Setting up NAT"

  112. 	${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}

  113. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi

  114. 	${debug} ${DebugColor} "Setting up PortForward"

  115. 	${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}

  116. 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi

  117. 	${debug} ${DebugColor} "Setting up InPostRules"

  118. 	${VER_IPTABLES} -A INPUT -j ${InPostRules}

  119. 	${debug} ${DebugColor} "Setting up OutPostRules"

  120. 	${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}

  121. }

  122. 

  123. function allow_all_loopback {

  124. 	IP_VERSION=$1

  125. 	case $IP_VERSION in

  126. 		ipv6) VER_IPTABLES=${IP6TABLES};

  127. 				IPVER="6" ;;

  128. 		ipv4|*) VER_IPTABLES=${IPTABLES}

  129. 				IPVER="4" ;;

  130. 	esac

  131. 	${debug} ${DebugColor} "allow_all_loopback: loaded"

  132. 	${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT

  133. 	${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT

  134. }

  135. 

  136. function allow_trusted_hosts {

  137. 	IP_VERSION=$1

  138. 		case $IP_VERSION in

  139. 		ipv6) VER_IPTABLES=${IP6TABLES};

  140. 				IPVER="6" ;;

  141. 		ipv4|*) VER_IPTABLES=${IPTABLES}

  142. 				IPVER="4" ;;

  143. 	esac

  144. 	${debug} ${DebugColor} "allow_trusted_hosts: loading"

  145. 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" ]; then

  146. 		for i in `grep -v "\#" "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"`; do

  147. 			${VER_IPTABLES} -A ${InPreRules} -s $i -j ACCEPT

  148. 			${VER_IPTABLES} -A ${OutPreRules} -d $i -j ACCEPT

  149. 		done

  150. 		${debug} ${DebugColor} "allow_trusted_hosts: done"

  151. 	else

  152. 		${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"

  153. 		${display} RED "Error: can not load trusted hosts file."

  154. 		${debug} ${DebugColor} "allow_trusted_hosts: failed"

  155. 	fi

  156. }