brielle
/
SRFirewall
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 6 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
136 Commits
1 Branch
227 KiB
 
 
Tree: 7b50a75f09
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '7b50a75f09'
${ noResults }
SRFirewall/bin/srfirewall

234 regels
8.7 KiB
Ruw Blame Geschiedenis 

  1. #/bin/bash

  2. # By Brielle Bruns <bruns@2mbit.com>

  3. # URL: http://www.sosdg.org/freestuff/firewall

  4. # License: GPLv3

  5. #

  6. #    Copyright (C) 2009 - 2014  Brielle Bruns

  7. #    Copyright (C) 2009 - 2014  The Summit Open Source Development Group

  8. #

  9. #    This program is free software: you can redistribute it and/or modify

  10. #    it under the terms of the GNU General Public License as published by

  11. #    the Free Software Foundation, either version 3 of the License, or

  12. #    (at your option) any later version.

  13. #

  14. #    This program is distributed in the hope that it will be useful,

  15. #    but WITHOUT ANY WARRANTY; without even the implied warranty of

  16. #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  17. #    GNU General Public License for more details.

  18. #    You should have received a copy of the GNU General Public License

  19. #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

  20. 

  21. # Static config options, normally do not need to change

  22. FW_VERSION="2.0 Alpha 3"

  23. 

  24. # Important directory locations

  25. FWPREFIX="/usr/local"

  26. FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"

  27. FWLIBDIR="${FWPREFIX}/lib/srfirewall"

  28. FWBINDIR="${FWPREFIX}/bin"

  29. 

  30. # Begin sourcing critical files, because we need things like path right away

  31. source "${FWLIBDIR}/binaries.inc"

  32. source "${FWLIBDIR}/iptables.inc"

  33. source "${FWLIBDIR}/display.inc"

  34. source "${FWLIBDIR}/kernel.inc"

  35. 

  36. source "${FWCONFIGDIR}/main.conf"

  37. 

  38. source "${FWCONFIGDIR}/chains.conf"

  39. source "${FWCONFIGDIR}/ipv4.conf"

  40. source "${FWCONFIGDIR}/ipv6.conf"

  41. 

  42. # The local.conf file can be used to override any of the above files without having to worry

  43. # about changes being overwritten when upgrading.  Mostly useful for people who use a package

  44. # manager.

  45. [[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"

  46. [[ -e "${FWCONFIGDIR}/ipv4/local.conf" ]] && source "${FWCONFIGDIR}/ipv4/local.conf"

  47. [[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"

  48. 

  49. 

  50. # We require at least bash v2 or later at this point given some of the more complex

  51. # operations we do to make the firewall script work.

  52. if (( ${BASH_VERSINFO[0]} <= "2" )); then

  53. 	echo "Error: We can only run with bash 2.0 or higher.  Please upgrade your version"

  54. 	echo "of bash to something more recent, preferably the latest which is, as of this"

  55. 	echo "writing, 4.x"

  56. 	exit 1

  57. fi

  58. 

  59. 

  60. 

  61. # Swap out display_c command for dummy command if they don't want

  62. # output when command is run.

  63. if [ "${DisplayDetailedOutput}" == "yes" ]; then

  64. 	if [ "${ColorizeOut}" == "yes" ]; then

  65. 		display="display_c"

  66. 	else

  67. 		display="display_m"

  68. 	fi

  69. 	else

  70. 	display="true"

  71. fi

  72. 

  73. # Swap out debug command for dummy command if they don't want

  74. # debug output when command is run.

  75. if [ "${DisplayDebugInfo}" == "yes" ]; then

  76. 	if [ "${ColorizeOut}" == "yes" ]; then

  77. 		debug="display_c"

  78. 	else

  79. 		debug="display_m"

  80. 	fi

  81. else

  82. 	debug="true"

  83. fi

  84. 

  85. # Parse command line args

  86. while getopts "hfgv" opt; do

  87.   case $opt in

  88.     h)

  89.       show_help

  90. 	  exit 0

  91.       ;;

  92. 	v)

  93. 	  show_version

  94. 	  exit 0

  95. 	  ;;

  96.     \?)

  97.       echo "Invalid option: -$OPTARG" >&2

  98.       ;;

  99.   esac

  100. done

  101. 

  102. #if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then

  103. #	${display} RED "You must be root to run this script."

  104. #	exit 2

  105. #fi

  106. 

  107. # We can't function without certain cli binaries being available

  108. if [ ! -x "${GREP}" ]; then

  109. 	${display} RED "Error: grep command not found.  Please define GREP variable in main.conf manually."

  110. 	exit 3

  111. fi

  112. 

  113. # Basic sanity tests for ip{6}tables binaries and modules

  114. if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then

  115. 	${display} RED "iptables command not found.  Please make sure you have the iptables"

  116. 	${display} RED "installed (package or source) and you have the IPTABLES option properly"

  117. 	${display} RED "defined in the 'main.conf' file if needed."

  118. 	exit 3

  119. fi

  120. 

  121. 

  122. if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then

  123. 	${display} RED "ip6tables command not found.  Please make sure you have the iptables"

  124. 	${display} RED "installed (package or source) and you have the IP6TABLES option properly"

  125. 	${display} RED "defined in the 'main.conf' file if needed."

  126. 	exit 3

  127. fi

  128. 

  129. if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then

  130. 	${display} RED "IPv4 Netfilter modules do not appear to be loaded.  Attempting to load now..."

  131. 	if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then

  132. 		${display} RED "Module ${IP4TablesMod} failed to load."

  133. 		${display} RED "Will continue with IPv4 disabled."

  134. 		EnableIPv4="no"

  135. 	else

  136. 		${display} GREEN "Module successfully loaded."

  137. 	fi

  138. fi

  139. 

  140. if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then

  141. 	${display} RED "IPv6 Netfilter modules do not appear to be loaded.  Attempting to load now..."

  142. 	if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then

  143. 		${display} RED "Module ${IP6TablesMod} failed to load."

  144. 		${display} RED "Will continue with IPv6 disabled."

  145. 		EnableIPv6="no"

  146. 	else

  147. 		${display} GREEN "Module successfully loaded."

  148. 	fi

  149. fi

  150. 

  151. # Set up proper state matching variables, since there is old and new style.

  152. if [ "$StateMatching" ]; then

  153. 	case $StateMatching in

  154. 		conntrack|CONNTRACK|*)

  155. 			M_STATE="-m conntrack"

  156. 			C_STATE="--ctstate"

  157. 			;;

  158. 		state|STATE)

  159. 			M_STATE="-m state"

  160. 			C_STATE="--state"

  161. 	esac

  162. else

  163. 	M_STATE="-m conntrack"

  164. 	C_STATE="--ctstate"

  165. fi

  166. 

  167. 

  168. # Do IPv4 IPTables Rules

  169. if [ "${EnableIPv4}" == "yes" ]; then

  170. 	# First flush all rules

  171. 	iptables_rules_flush ipv4

  172. 	

  173. 	# Create the chain sets we'll need and the ones that can be

  174. 	# customized by users in their custom rules

  175. 	setup_iptables_chains ipv4

  176. 	

  177. 	[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4

  178. 	[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4

  179. 	Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}

  180. 	Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}

  181. 	Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}

  182. 	default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}

  183. 	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \

  184. 		&& load_kernel_modules "${Loadv4NetfilterModules}"

  185. 	([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \

  186. 		&& [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}"

  187. 	[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4

  188. 	([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \

  189. 			&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"

  190. 	[[ ${DNSClientUsev4ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv4

  191. 	[[ ${DNSClientManualv4Servers} ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"

  192. 	[[ ${Enablev4EasyBlock} == "yes" ]] && enable_easyblock ipv4

  193. 	[[ ${Enablev4Filtering} == "yes" ]] && enable_filtering ipv4

  194. 	[[ ${Enablev4Services} == "yes" ]] && enable_services ipv4

  195. 	[[ ${Enablev4Forwarding} == "yes" ]] && enable_forwarding ipv4

  196. 	[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4

  197. 	[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4

  198. 	

  199. fi

  200. 

  201. # Do IPv6 IPTables Rules

  202. if [ "${EnableIPv6}" == "yes" ]; then

  203. 	# First flush all rules

  204. 	iptables_rules_flush ipv6

  205. 	

  206. 	# Create the chain sets we'll need and the ones that can be

  207. 	# customized by users in their custom rules

  208. 	setup_iptables_chains ipv6

  209. 	

  210. 	[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6

  211. 	[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6

  212. 	enable_v6_critical_icmp

  213. 	Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}

  214. 	Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}

  215. 	Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}

  216. 	default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}

  217. 	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \

  218. 		&& load_kernel_modules "${Loadv6NetfilterModules}"

  219. 	([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \

  220. 		&& [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}"

  221. 	[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6

  222. 	([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \

  223. 			&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"

  224. 	[[ ${DNSClientUsev6ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv6

  225. 	[[ ${DNSClientManualv6Servers} ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"

  226. 	[[ ${Enablev6EasyBlock} == "yes" ]] && enable_easyblock ipv6

  227. 	[[ ${Enablev6Filtering} == "yes" ]] && enable_filtering ipv6

  228. 	[[ ${Enablev6Services} == "yes" ]] && enable_services ipv6

  229. 	[[ ${Enablev6Forwarding} == "yes" ]] && enable_forwarding ipv6

  230. 	[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6

  231. 	[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6

  232. fi