SRFirewall/bin/srfirewall

254 lines
9.6 KiB
Plaintext
Executable File

#/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Static config options, normally do not need to change
FW_VERSION="2.1p2"
# Important directory locations
FWPREFIX="/usr/local"
FWCONFIGDIR="${FWPREFIX}/etc/srfirewall"
FWLIBDIR="${FWPREFIX}/lib/srfirewall"
FWBINDIR="${FWPREFIX}/bin"
# Begin sourcing critical files, because we need things like path right away
source "${FWLIBDIR}/binaries.inc"
source "${FWLIBDIR}/iptables.inc"
source "${FWLIBDIR}/display.inc"
source "${FWLIBDIR}/kernel.inc"
source "${FWCONFIGDIR}/main.conf"
source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf"
# The local.conf file can be used to override any of the above files without having to worry
# about changes being overwritten when upgrading. Mostly useful for people who use a package
# manager.
[[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"
[[ -e "${FWCONFIGDIR}/ipv4/local.conf" ]] && source "${FWCONFIGDIR}/ipv4/local.conf"
[[ -e "${FWCONFIGDIR}/ipv6/local.conf" ]] && source "${FWCONFIGDIR}/ipv6/local.conf"
# We require at least bash v2 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 2.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
# Swap out display_c command for dummy command if they don't want
# output when command is run.
if [ "${DisplayDetailedOutput}" == "yes" ]; then
if [ "${ColorizeOut}" == "yes" ]; then
display="display_c"
else
display="display_m"
fi
else
display="true"
fi
# Swap out debug command for dummy command if they don't want
# debug output when command is run.
if [ "${DisplayDebugInfo}" == "yes" ]; then
if [ "${ColorizeOut}" == "yes" ]; then
debug="display_c"
else
debug="display_m"
fi
else
debug="true"
fi
# Parse command line args
while getopts "hfgv" opt; do
case $opt in
h)
show_help
exit 0
;;
v)
show_version
exit 0
;;
f)
[[ ${EnableIPv4} == "yes" ]] && iptables_rules_flush ipv4
[[ ${EnableIPv6} == "yes" ]] && iptables_rules_flush ipv6
[[ ${EnableIPv6} == "yes" ]] && default_policy_set ipv6 ACCEPT ACCEPT ACCEPT
[[ ${EnableIPv4} == "yes" ]] && default_policy_set ipv4 ACCEPT ACCEPT ACCEPT
exit 0
;;
\?)
echo "Invalid option: -$OPTARG" >&2
;;
esac
done
#if [ "$UID" != "0" ] && [ "${DebugOverride}" != "yes" ]; then
# ${display} RED "You must be root to run this script."
# exit 2
#fi
# We can't function without certain cli binaries being available
if [ ! -x "${GREP}" ]; then
${display} RED "Error: grep command not found. Please define GREP variable in main.conf manually."
exit 3
fi
# Basic sanity tests for ip{6}tables binaries and modules
if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "iptables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IPTABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -x "${IP6TABLES}" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "ip6tables command not found. Please make sure you have the iptables"
${display} RED "installed (package or source) and you have the IP6TABLES option properly"
${display} RED "defined in the 'main.conf' file if needed."
exit 3
fi
if [ ! -e "/proc/net/ip_tables_names" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv4 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP4TablesMod} &>/dev/null`; then
${display} RED "Module ${IP4TablesMod} failed to load."
${display} RED "Will continue with IPv4 disabled."
EnableIPv4="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
${display} RED "IPv6 Netfilter modules do not appear to be loaded. Attempting to load now..."
if ! `${MODPROBE} ${IP6TablesMod} &>/dev/null`; then
${display} RED "Module ${IP6TablesMod} failed to load."
${display} RED "Will continue with IPv6 disabled."
EnableIPv6="no"
else
${display} GREEN "Module successfully loaded."
fi
fi
# Set up proper state matching variables, since there is old and new style.
if [ "$StateMatching" ]; then
case $StateMatching in
conntrack|CONNTRACK|*)
M_STATE="-m conntrack"
C_STATE="--ctstate"
;;
state|STATE)
M_STATE="-m state"
C_STATE="--state"
esac
else
M_STATE="-m conntrack"
C_STATE="--ctstate"
fi
# Do IPv4 IPTables Rules
if [ "${EnableIPv4}" == "yes" ]; then
# Commands to run before everything else
if [ -x ${FWCONFIGDIR}/ipv4/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runbefore.sh; fi
# First flush all rules
iptables_rules_flush ipv4
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
setup_iptables_chains ipv4
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
&& load_kernel_modules "${Loadv4NetfilterModules}"
([[ ${Enablev4NetfilterModules} == "yes" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] \
&& [[ ${Enablev4NAT} == "yes" ]]) && load_kernel_modules "${Loadv4NetfilterModulesNAT}"
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
[[ ${DNSClientUsev4ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv4
[[ ${DNSClientManualv4Servers} ]] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
[[ ${Enablev4EasyBlock} == "yes" ]] && enable_easyblock ipv4
[[ ${Enablev4Filtering} == "yes" ]] && enable_filtering ipv4
[[ ${Enablev4Services} == "yes" ]] && enable_services ipv4
[[ ${Enablev4Forwarding} == "yes" ]] && enable_forwarding ipv4
[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4
# Commands to run after everything else
if [ -x ${FWCONFIGDIR}/ipv4/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runafter.sh; fi
fi
# Do IPv6 IPTables Rules
if [ "${EnableIPv6}" == "yes" ]; then
# Commands to run before everything else
if [ -x ${FWCONFIGDIR}/ipv6/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runbefore.sh; fi
# First flush all rules
iptables_rules_flush ipv6
# Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules
setup_iptables_chains ipv6
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
enable_v6_critical_icmp
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
&& load_kernel_modules "${Loadv6NetfilterModules}"
([[ ${Enablev6NetfilterModules} == "yes" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] \
&& [[ ${Enablev6NAT} == "yes" ]]) && load_kernel_modules "${Loadv6NetfilterModulesNAT}"
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
[[ ${DNSClientUsev6ResolvConf} == "yes" ]] && allow_resolvconf_servers ipv6
[[ ${DNSClientManualv6Servers} ]] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
[[ ${Enablev6EasyBlock} == "yes" ]] && enable_easyblock ipv6
[[ ${Enablev6Filtering} == "yes" ]] && enable_filtering ipv6
[[ ${Enablev6Services} == "yes" ]] && enable_services ipv6
[[ ${Enablev6Forwarding} == "yes" ]] && enable_forwarding ipv6
[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
# Commands to run after everything else
if [ -x ${FWCONFIGDIR}/ipv6/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runafter.sh; fi
fi