  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called, as it
# could easily lock the user out of the network. The safest approach is to
# call iptables_policy_reset first and then this function.
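function iptables_rules_flush {
  # Clear all rules from the ipv4 or ipv6 firewall.
  # Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
  # Globals:   IPTABLES / IP6TABLES (read), display (read);
  #            IP_VERSION, VER_IPTABLES, TABLE_NAMES (written; deliberately
  #            left global so existing callers that read them keep working)
  # Returns:   status of the final user-chain deletion
  IP_VERSION=$1
  case "$IP_VERSION" in
    ipv6)
      VER_IPTABLES=${IP6TABLES}
      TABLE_NAMES=/proc/net/ip6_tables_names
      ;;
    ipv4|*)
      VER_IPTABLES=${IPTABLES}
      TABLE_NAMES=/proc/net/ip_tables_names
      ;;
  esac
  ${display} RED "Flushing ${IP_VERSION} rules..."
  # VER_IPTABLES stays unquoted on purpose: it may carry the binary plus
  # options and must word-split.
  # Flush the built-in chains of the default (filter) table first. Errors are
  # silenced because PREROUTING/POSTROUTING do not exist in that table.
  ${VER_IPTABLES} --flush &>/dev/null
  ${VER_IPTABLES} -F OUTPUT &>/dev/null
  ${VER_IPTABLES} -F PREROUTING &>/dev/null
  ${VER_IPTABLES} -F POSTROUTING &>/dev/null
  # Flush every loaded table and drop its user-defined chains. The kernel
  # lists loaded tables one per line in TABLE_NAMES; the file is absent when
  # the matching netfilter module is not loaded, so it is skipped quietly
  # instead of letting `cat` complain on stderr.
  local table
  if [ -r "$TABLE_NAMES" ]; then
    while IFS= read -r table || [ -n "$table" ]; do
      [ -n "$table" ] || continue
      ${VER_IPTABLES} -F -t "$table" &>/dev/null
      ${VER_IPTABLES} -X -t "$table" &>/dev/null
    done < "$TABLE_NAMES"
  fi
  # Delete the filter table's user-defined chains; not silenced, so a chain
  # that cannot be removed (still referenced) is visible to the operator.
  ${VER_IPTABLES} -X
}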
# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
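function iptables_policy_reset {
  # Set the INPUT/OUTPUT/FORWARD policies of the filter table.
  # Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
  #            $2 - policy target; ACCEPT when omitted or empty
  # Globals:   IPTABLES / IP6TABLES (read), display_c (read);
  #            IP_VERSION, SET_POLICY, VER_IPTABLES (written; deliberately
  #            left global so existing callers that read them keep working)
  # Returns:   status of the last --policy command
  IP_VERSION=$1
  # The previous form, ${2=ACCEPT}, is rejected by bash ("$2: cannot assign
  # in this way" - positional parameters cannot be assigned), so SET_POLICY
  # stayed empty whenever the policy argument was omitted and the --policy
  # calls below ran without a target. ${2:-ACCEPT} is the default-value
  # expansion that was intended.
  SET_POLICY=${2:-ACCEPT}
  case "$IP_VERSION" in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
  # VER_IPTABLES stays unquoted on purpose: it may carry the binary plus
  # options and must word-split.
  ${VER_IPTABLES} --policy INPUT "${SET_POLICY}"
  ${VER_IPTABLES} --policy OUTPUT "${SET_POLICY}"
  ${VER_IPTABLES} --policy FORWARD "${SET_POLICY}"
}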
  55. # setup_iptables_chains (ipv4|ipv6)
  56. # Creates the default chains when called
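function setup_iptables_chains {
  # Create the firewall's user-defined chains and hook them into the built-in
  # chains, sourcing the optional per-version custom hook scripts in between.
  # Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
  # Globals:   IPTABLES / IP6TABLES, FWCONFIGDIR, display and the chain-name
  #            variables (InPreRules ... OutPostRules) are read;
  #            IP_VERSION, VER_IPTABLES, IPVER are written and deliberately
  #            left global so the sourced hooks and existing callers see them
  # Returns:   status of the last iptables command
  IP_VERSION=$1
  case "$IP_VERSION" in
    ipv6)
      VER_IPTABLES=${IP6TABLES}
      IPVER="6"
      ;;
    ipv4|*)
      VER_IPTABLES=${IPTABLES}
      IPVER="4"
      ;;
  esac
  # Directory of the optional hook scripts. Each hook is sourced, i.e. run
  # with the full privileges of this script, so the directory and the hook
  # files must be owned by root and not writable by anyone else. Quoted
  # everywhere below so a FWCONFIGDIR containing spaces cannot word-split
  # into a different path.
  local custom_dir="${FWCONFIGDIR}/ipv${IPVER}/custom"

  # Create the actual chains. VER_IPTABLES stays unquoted on purpose: it may
  # carry the binary plus options and must word-split.
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  ${VER_IPTABLES} -N "${InPreRules}"
  ${VER_IPTABLES} -N "${OutPreRules}"
  ${VER_IPTABLES} -N "${Trusted}"
  ${VER_IPTABLES} -N "${InEasyBlock}"
  ${VER_IPTABLES} -N "${OutEasyBlock}"
  ${VER_IPTABLES} -N "${InFilter}"
  ${VER_IPTABLES} -N "${OutFilter}"
  ${VER_IPTABLES} -N "${FwdFilter}"
  ${VER_IPTABLES} -N "${NAT}"
  ${VER_IPTABLES} -N "${PortForward}"
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Set up rules - the order matters - we do it separately here
  # for easy viewing of order. Each hook is sourced right before the jump it
  # relates to, so it can populate the chain created above before traffic
  # is steered into it.
  if [ -x "${custom_dir}/prerun.sh" ]; then . "${custom_dir}/prerun.sh"; fi
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"
  if [ -x "${custom_dir}/trusted.sh" ]; then . "${custom_dir}/trusted.sh"; fi
  ${VER_IPTABLES} -A INPUT -j "${Trusted}"
  if [ -x "${custom_dir}/easyblock.sh" ]; then . "${custom_dir}/easyblock.sh"; fi
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"
  if [ -x "${custom_dir}/filter.sh" ]; then . "${custom_dir}/filter.sh"; fi
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"
  # NOTE(review): the NAT and PortForward chains are created and appended
  # without "-t nat"; the filter table has no POSTROUTING/PREROUTING
  # built-ins, so these two appends presumably fail unless the nat.sh and
  # portfw.sh hooks handle it - confirm against the project's configuration.
  if [ -x "${custom_dir}/nat.sh" ]; then . "${custom_dir}/nat.sh"; fi
  ${VER_IPTABLES} -A POSTROUTING -j "${NAT}"
  if [ -x "${custom_dir}/portfw.sh" ]; then . "${custom_dir}/portfw.sh"; fi
  ${VER_IPTABLES} -A PREROUTING -j "${PortForward}"
  if [ -x "${custom_dir}/postrun.sh" ]; then . "${custom_dir}/postrun.sh"; fi
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}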