verzia 2.106, 2016/01/17 15:03:29 |
verzia 2.110, 2016/05/05 21:07:54 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.105 2015/10/19 14:00:33 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.109 2016/02/26 07:01:10 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
fi |
fi |
# }}} |
# }}} |
|
|
|
# Define function which can be used in config file |
|
# Usage: |
|
# load_subnets eth0_ACCEPT_INPUT_TCP Slovakia 22 |
|
load_subnets() |
|
{ # {{{ |
|
cfgvar=$1 |
|
cfgfile="$2.txt" |
|
port=$3 |
|
|
|
echo "LOAD_SUBNETS $*" |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
print_info "LOAD_SUBNETS: Config file '$cfgfile' not found" |
|
return 1 |
|
fi |
|
fi |
|
LOADED_CONFIG_FILES="$LOADED_CONFIG_FILES $cfgfound"; |
|
|
|
lines=0 |
|
print_info "LOAD_SUBNETS: Mapping $cfgfound map file to $cfgvar, port $port" |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
print_info "LOAD_SUBNETS: $cfgvar=\"\$$cfgvar $subnet:$port\"" |
|
eval "$cfgvar=\"\$$cfgvar $subnet:$port\"" |
|
lines=$(($lines + 1)) |
|
done < $cfgfound |
|
print_info "LOAD_SUBNETS: $cfgvar='${!cfgvar}'" |
|
print_info "LOAD_SUBNETS: $lines subnets loaded from '$cfgfile' into '$cfgvar'" |
|
|
|
} # }}} |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_FIREWALL_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
|
|
|
|
config=""; |
config=""; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG\" `"; |
fi |
fi |
if [ -r "$0" ]; then |
if [ -r "$0" ]; then |
config="$config ` cat \"$0\" `"; |
config="$config ` md5sum \"$0\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
fi |
fi |
|
for lc in $LOADED_CONFIG_FILES; do |
|
echo "CHECKSUM $lc"; |
|
config="$config ` md5sum \"$lc\" `"; |
|
done |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
Riadok 912 reject_input() |
|
Riadok 956 reject_input() |
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
print_info -e "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then |
print_info -en "Accepting ALL INPUT UDP connections on ports:" |
print_info -e "Accepting ALL INPUT UDP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
|
Riadok 1021 allow_input() |
|
fi |
fi |
|
|
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
print_info -e "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
for port in $REAL_ACCEPT_INPUT_TCP; do |
for port in $REAL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
Riadok 1045 allow_input() |
|
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
print_info -en "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
print_info -e "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
for port in $REAL_ACCEPT_INPUT_UDP; do |
for port in $REAL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1124 allow_input() |
|
Riadok 1180 allow_input() |
|
|
|
# ACCEPT {{{ |
# ACCEPT {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
print_info -e "$iface: Accepting INPUT TCP connections on ports:" |
counter=0; |
counter=0; |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
Riadok 1132 allow_input() |
|
Riadok 1188 allow_input() |
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
if [ $(( ++counter )) -ge 5 -o "x$port" = "x10050" ]; then counter=0; print_info ""; fi; |
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1236 allow_output() |
|
Riadok 1294 allow_output() |
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
# UDP *must* go before TCP |
|
# |
|
# Reason: we need to have working DNS resolving, which works over |
|
# port 53/UDP. Resolving is required for those rules, which use |
|
# hostname instead of IP address, for example cvs.platon.sk:2401. |
|
|
# TCP |
# UDP |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
for port in $ACCEPT_OUTPUT_TCP; do |
for port in $ACCEPT_OUTPUT_UDP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
Riadok 1255 allow_output() |
|
Riadok 1318 allow_output() |
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# UDP |
# TCP |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
for port in $ACCEPT_OUTPUT_UDP; do |
for port in $ACCEPT_OUTPUT_TCP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
Riadok 1285 allow_output() |
|
Riadok 1348 allow_output() |
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
|
|
done |
done |
} # }}} |
} # }}} |
|
|
map_subnet() |
|
{ # {{{ |
|
cfgvar=$1 |
|
cfgfile=$2 |
|
port=$3 |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
"Config file '$cfgfile' not found" |
|
exit 1 |
|
fi |
|
fi |
|
|
|
echo "Mapping $cfgfound map file to $cfgvar, port $port" |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
echo "$cfgvar=\"\$$cfgvar $subnet:$port\"" >> "$DEFAULT_FIREWALL_CONFIG_DIR/$cfgfile" |
|
done < $cfgfound |
|
|
|
} # }}} |
|
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
|
|
mangle_prerouting |
mangle_prerouting |
mangle_output |
mangle_output |
accept_related |
accept_related |
|
accept_loopback |
log_new_connections |
log_new_connections |
drop_output |
drop_output |
|
allow_output |
|
allow_icmp |
|
echo "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
drop_input |
drop_input |
reject_input |
reject_input |
allow_input |
allow_input |
allow_output |
|
allow_icmp |
|
accept_loopback |
|
masquerade |
masquerade |
forward_on |
forward_on |
log_input_drop |
log_input_drop |
|
|
remote) |
remote) |
remote; |
remote; |
;; |
;; |
map-subnet) |
|
shift; |
|
map_subnet $*; |
|
;; |
|
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |
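Review bot: The new load_subnets() (and map_subnet()) feed every line of the subnets file into `eval "$cfgvar=\"\$$cfgvar $subnet:$port\""` after skipping only empty and `#` lines, so a line containing shell metacharacters (`;`, `$(...)`, backquotes) would be executed with the firewall script's privileges instead of being added as an address. The subnet files presumably sit in a root-owned config directory, but the script also grows a `map-subnet` command that appends generated assignments under DEFAULT_FIREWALL_CONFIG_DIR, so it is worth restricting entries to address syntax before the eval, e.g. `case "$subnet" in *[!0-9A-Fa-f.:/]*) print_info "LOAD_SUBNETS: skipping malformed entry '$subnet'"; continue ;; esac` after the existing comment check, together with `while read -r subnet; do` so backslashes are not interpreted. Separately, map_subnet's not-found branch is missing `echo`: the bare `"Config file '$cfgfile' not found"` is run as a command (yielding "command not found") rather than printed, so it should read `echo "Config file '$cfgfile' not found" >&2`. The new `map-subnet)` arm should also call `map_subnet "$@"` rather than `map_subnet $*` so the arguments survive word splitting.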