  1. #/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. # Static config options, normally do not need to change
  21. FW_VERSION="2.0 Alpha 3"
  22. # Important directory locations
  23. FWPREFIX="/usr/local"
  24. FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
  25. FWLIBDIR="${FWPREFIX}/lib/srfirewall"
  26. FWBINDIR="${FWPREFIX}/bin"
  27. # Begin sourcing critical files, because we need things like path right away
  28. source "${FWLIBDIR}/binaries.inc"
  29. source "${FWLIBDIR}/iptables.inc"
  30. source "${FWLIBDIR}/display.inc"
  31. source "${FWLIBDIR}/kernel.inc"
  32. source "${FWCONFIGDIR}/main.conf"
  33. source "${FWCONFIGDIR}/chains.conf"
  34. source "${FWCONFIGDIR}/ipv4.conf"
  35. source "${FWCONFIGDIR}/ipv6.conf"
  36. # The local.conf file can be used to override any of the above files without having to worry
  37. # about changes being overwritten when upgrading. Mostly useful for people who use a package
  38. # manager.
  39. [[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"
  40. [[ -e "${FWCONFIGDIR}/ipv4/local.conf" ]] && source "${FWCONFIGDIR}/ipv4/local.conf"
  41. [[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"
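# We require at least bash v2 or later at this point given some of the more complex
# operations we do to make the firewall script work ([[ ]], (( )), BASH_VERSINFO).
#
# The check previously read "<= 2", which rejected every bash 2.x release while
# the comment above and the message below both state that 2.0 is sufficient.
# Reject only major versions below 2 so the test matches the stated requirement.
# An unset BASH_VERSINFO (not bash at all) is treated as version 0.
if (( ${BASH_VERSINFO[0]:-0} < 2 )); then
  echo "Error: We can only run with bash 2.0 or higher. Please upgrade your version" >&2
  echo "of bash to something more recent, preferably the latest which is, as of this" >&2
  echo "writing, 4.x" >&2
  exit 1
fi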
# Select the output helper used for normal messages. When detailed output is
# enabled, messages go through display_c (colourised) or display_m (plain)
# from display.inc; when it is disabled, "true" silently swallows every
# ${display} call so the rest of the script needs no conditionals.
display="true"
if [[ "${DisplayDetailedOutput}" == "yes" ]]; then
  display="display_m"
  [[ "${ColorizeOut}" == "yes" ]] && display="display_c"
fi
# Same selection for the debug channel, controlled by DisplayDebugInfo.
debug="true"
if [[ "${DisplayDebugInfo}" == "yes" ]]; then
  debug="display_m"
  [[ "${ColorizeOut}" == "yes" ]] && debug="display_c"
fi
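# Parse command line args.
#   -h  show help and exit (show_help is defined outside this file)
#   -v  show version and exit (show_version is defined outside this file)
#   -f, -g  accepted by the option string but have no handler in this file;
#           they are kept so existing invocations do not start failing.
# The leading ":" in the option string suppresses getopts' own diagnostics so
# only our message is printed for an unknown flag.
while getopts ":hfgv" opt; do
  case "${opt}" in
    h)
      show_help
      exit 0
      ;;
    v)
      show_version
      exit 0
      ;;
    f|g)
      # No handler here; the rest of the file is not in view, so leave as-is.
      ;;
    \?)
      # Previously only a warning was printed and the script went on to flush
      # and rewrite the packet filter. A mistyped flag must not do that.
      echo "Invalid option: -${OPTARG}" >&2
      exit 1
      ;;
  esac
done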
# NOTE(review): the root check below is commented out. With it disabled the
# script proceeds to flush and rewrite the iptables rule sets without first
# confirming it has the privileges to do so. The check already honours
# DebugOverride, so re-enabling it should be safe unless there is a reason
# not documented here.
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
# ${display} RED "You must be root to run this script."
# exit 2
#fi
# We can't function without certain cli binaries being available.
# GREP is expected to be set by one of the sourced files (binaries.inc by
# its name) or overridden in main.conf; abort with status 3 if it does not
# point at an executable.
[[ -x "${GREP}" ]] || {
  ${display} RED "Error: grep command not found. Please define GREP variable in main.conf manually."
  exit 3
}
# Basic sanity tests for ip{6}tables binaries and modules.
# Each family is only checked when it is enabled, and both checks are skipped
# entirely when DebugOverride=yes. A missing binary exits with status 3.
if [[ "${EnableIPv4}" == "yes" && "${DebugOverride}" != "yes" && ! -x "${IPTABLES}" ]]; then
  ${display} RED "iptables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IPTABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
if [[ "${EnableIPv6}" == "yes" && "${DebugOverride}" != "yes" && ! -x "${IP6TABLES}" ]]; then
  ${display} RED "ip6tables command not found. Please make sure you have the iptables"
  ${display} RED "installed (package or source) and you have the IP6TABLES option properly"
  ${display} RED "defined in the 'main.conf' file if needed."
  exit 3
fi
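# If the netfilter table modules do not appear to be loaded (the script uses
# the absence of /proc/net/ip_tables_names resp. ip6_tables_names as that
# signal), try to load them with modprobe.
#
# Bug fixed here: the modprobe call used to be wrapped in backticks, i.e.
# "if ! `modprobe ... &>/dev/null`". That executes modprobe's (redirected,
# empty) output as a command and tests *that*; it only coincidentally
# reflected modprobe's own exit status. Call modprobe directly instead.
#
# NOTE(review): on a load failure the family is switched off and the script
# carries on. For a firewall that is fail-open: the host is left with whatever
# netfilter state existed before, typically no filtering at all. Consider
# exiting non-zero here instead of continuing with the family disabled.
if [[ ! -e "/proc/net/ip_tables_names" && "${EnableIPv4}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
  # MODPROBE / IP4TablesMod are left unquoted as in the original so that
  # values holding several words (options, more than one module) keep
  # working; quote them once it is certain each holds a single word.
  # shellcheck disable=SC2086
  if ! ${MODPROBE} ${IP4TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP4TablesMod} failed to load."
    ${display} RED "Will continue with IPv4 disabled."
    EnableIPv4="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi
if [[ ! -e "/proc/net/ip6_tables_names" && "${EnableIPv6}" == "yes" && "${DebugOverride}" != "yes" ]]; then
  ${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
  # shellcheck disable=SC2086
  if ! ${MODPROBE} ${IP6TablesMod} &>/dev/null; then
    ${display} RED "Module ${IP6TablesMod} failed to load."
    ${display} RED "Will continue with IPv6 disabled."
    EnableIPv6="no"
  else
    ${display} GREEN "Module successfully loaded."
  fi
fi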
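# Set up proper state matching variables, since there is old and new style.
# StateMatching chooses between the legacy "-m state --state" match and the
# newer "-m conntrack --ctstate" one. Anything else, including unset or empty,
# means conntrack.
#
# Bug fixed here: the previous case statement listed "conntrack|CONNTRACK|*)"
# as its FIRST arm. Because "*" matches everything, the "state|STATE" arm was
# unreachable and StateMatching=state was silently ignored. The catch-all
# default is now the last arm, and the redundant outer "if" is gone.
#
# Arguments: $1 - requested style: "state"/"STATE", "conntrack"/"CONNTRACK",
#                 or anything else (treated as conntrack)
# Globals:   writes M_STATE and C_STATE
set_state_matching() {
  case "$1" in
    state|STATE)
      M_STATE="-m state"
      C_STATE="--state"
      ;;
    *)
      # conntrack, CONNTRACK, unset, empty, or an unrecognised value
      M_STATE="-m conntrack"
      C_STATE="--ctstate"
      ;;
  esac
}
set_state_matching "${StateMatching}"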
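# Do IPv4 IPTables Rules. Every helper called here comes from the sourced
# iptables.inc / kernel.inc libraries and takes the family name as its first
# argument; the order of the calls is kept exactly as before.
if [[ "${EnableIPv4}" == "yes" ]]; then
  # First flush all rules
  iptables_rules_flush ipv4
  # Create the chain sets we'll need and the ones that can be
  # customized by users in their custom rules
  setup_iptables_chains ipv4
  [[ "${AllowAllv4Loopback}" == "yes" ]] && allow_all_loopback ipv4
  [[ "${EnableTrustedv4Hosts}" == "yes" ]] && allow_trusted_hosts ipv4
  # Default chain policies. ":=" (instead of the previous "=") also applies
  # the fallback when a policy is set but *empty* in a config file: with the
  # old form an empty value survived and, being passed unquoted below,
  # vanished from the argument list so the remaining policies shifted into
  # the wrong positions. The arguments are quoted for the same reason.
  # NOTE(review): the fallback is ACCEPT on all three chains, i.e. a firewall
  # with no policy configured fails open. DROP would be the safer default.
  : "${Defaultv4InPolicy:=ACCEPT}"
  : "${Defaultv4OutPolicy:=ACCEPT}"
  : "${Defaultv4FwdPolicy:=ACCEPT}"
  default_policy_set ipv4 "${Defaultv4InPolicy}" "${Defaultv4OutPolicy}" "${Defaultv4FwdPolicy}"
  # Optional kernel modules: the NAT set is only loaded on top of the base set.
  [[ "${Enablev4NetfilterModules}" == "yes" && "${Enablev4ConnectionTracking}" == "yes" ]] \
    && load_kernel_modules "${Loadv4NetfilterModules}"
  [[ "${Enablev4NetfilterModules}" == "yes" && "${Enablev4ConnectionTracking}" == "yes" \
    && "${Enablev4NAT}" == "yes" ]] && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
  [[ "${Enablev4MSSClamp}" == "yes" ]] && enable_mss_clamp ipv4
  # NOTE(review): an unset Enablev4ConnTrackInterfaces also passes this test
  # (an empty string is not "none") -- confirm enable_conntrack_int copes
  # with an empty interface list.
  [[ "${Enablev4ConnTrackInterfaces}" != "none" && "${Enablev4ConnectionTracking}" == "yes" ]] \
    && enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
  [[ "${DNSClientUsev4ResolvConf}" == "yes" ]] && allow_resolvconf_servers ipv4
  [[ -n "${DNSClientManualv4Servers}" ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
  [[ "${Enablev4EasyBlock}" == "yes" ]] && enable_easyblock ipv4
  [[ "${Enablev4Filtering}" == "yes" ]] && enable_filtering ipv4
  [[ "${Enablev4Services}" == "yes" ]] && enable_services ipv4
  [[ "${Enablev4Forwarding}" == "yes" ]] && enable_forwarding ipv4
  [[ "${Enablev4NAT}" == "yes" ]] && enable_nat ipv4
  [[ "${Enablev4PortForwarding}" == "yes" ]] && enable_portfw ipv4
fi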
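# Do IPv6 IPTables Rules. Same sequence as the IPv4 section, with one extra
# unconditional step (enable_v6_critical_icmp). The helpers come from the
# sourced iptables.inc / kernel.inc libraries.
if [[ "${EnableIPv6}" == "yes" ]]; then
  # First flush all rules
  iptables_rules_flush ipv6
  # Create the chain sets we'll need and the ones that can be
  # customized by users in their custom rules
  setup_iptables_chains ipv6
  [[ "${AllowAllv6Loopback}" == "yes" ]] && allow_all_loopback ipv6
  [[ "${EnableTrustedv6Hosts}" == "yes" ]] && allow_trusted_hosts ipv6
  # Not gated on any config flag -- presumably because IPv6 does not function
  # without certain ICMPv6 types being allowed; keep it unconditional.
  enable_v6_critical_icmp
  # Default chain policies. ":=" (instead of the previous "=") also applies
  # the fallback when a policy is set but *empty* in a config file: with the
  # old form an empty value survived and, being passed unquoted below,
  # vanished from the argument list so the remaining policies shifted into
  # the wrong positions. The arguments are quoted for the same reason.
  # NOTE(review): the fallback is ACCEPT on all three chains, i.e. a firewall
  # with no policy configured fails open. DROP would be the safer default.
  : "${Defaultv6InPolicy:=ACCEPT}"
  : "${Defaultv6OutPolicy:=ACCEPT}"
  : "${Defaultv6FwdPolicy:=ACCEPT}"
  default_policy_set ipv6 "${Defaultv6InPolicy}" "${Defaultv6OutPolicy}" "${Defaultv6FwdPolicy}"
  # Optional kernel modules: the NAT set is only loaded on top of the base set.
  [[ "${Enablev6NetfilterModules}" == "yes" && "${Enablev6ConnectionTracking}" == "yes" ]] \
    && load_kernel_modules "${Loadv6NetfilterModules}"
  [[ "${Enablev6NetfilterModules}" == "yes" && "${Enablev6ConnectionTracking}" == "yes" \
    && "${Enablev6NAT}" == "yes" ]] && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
  [[ "${Enablev6MSSClamp}" == "yes" ]] && enable_mss_clamp ipv6
  # NOTE(review): an unset Enablev6ConnTrackInterfaces also passes this test
  # (an empty string is not "none") -- confirm enable_conntrack_int copes
  # with an empty interface list.
  [[ "${Enablev6ConnTrackInterfaces}" != "none" && "${Enablev6ConnectionTracking}" == "yes" ]] \
    && enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
  [[ "${DNSClientUsev6ResolvConf}" == "yes" ]] && allow_resolvconf_servers ipv6
  [[ -n "${DNSClientManualv6Servers}" ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
  [[ "${Enablev6EasyBlock}" == "yes" ]] && enable_easyblock ipv6
  [[ "${Enablev6Filtering}" == "yes" ]] && enable_filtering ipv6
  [[ "${Enablev6Services}" == "yes" ]] && enable_services ipv6
  [[ "${Enablev6Forwarding}" == "yes" ]] && enable_forwarding ipv6
  [[ "${Enablev6NAT}" == "yes" ]] && enable_nat ipv6
  [[ "${Enablev6PortForwarding}" == "yes" ]] && enable_portfw ipv6
fi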
  203. fi