verzia 2.110, 2016/05/05 21:07:54 |
verzia 2.115, 2018/06/28 22:46:00 |
|
|
# Provides: firewall |
# Provides: firewall |
# Required-Start: $network |
# Required-Start: $network |
# Required-Stop: $remote_fs |
# Required-Stop: $remote_fs |
# Default-Start: S |
# Default-Start: 2 3 4 5 |
# Default-Stop: 0 6 |
# Default-Stop: 0 6 |
# Short-Description: Starts firewall |
# Short-Description: Starts firewall |
# Description: Handle universal firewall script by Platon Group |
# Description: Handle universal firewall script by Platon Group |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# Author: Lubomir Host <rajo@platon.sk> |
# Author: Lubomir Host <rajo@platon.sk> |
# Copyright: (c) 2003-2011 Platon Group |
# Copyright: (c) 2003-2018 Platon Group |
### END INIT INFO |
### END INIT INFO |
|
|
# |
# |
|
|
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Copyright (c) 2003-2018 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.109 2016/02/26 07:01:10 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.114 2018/06/28 16:50:18 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
# 2011-07-20 - implemented XEN_MODE |
# 2011-07-20 - implemented XEN_MODE |
|
# 2018-03-01 - fixed Default-Start for SystemD on Stretch (nepto) |
# |
# |
|
|
|
|
|
|
|
|
# Define function which can be used in config file |
# Define function which can be used in config file |
# Usage: |
# Usage: |
# load_subnets eth0_ACCEPT_INPUT_TCP Slovakia 22 |
# load_subnets eth0_ACCEPT_INPUT_TCP Slovakia.txt 22 |
load_subnets() |
load_subnets() |
{ # {{{ |
{ # {{{ |
cfgvar=$1 |
cfgvar="$1"; |
cfgfile="$2.txt" |
cfgfile="$2"; |
port=$3 |
port="$3"; |
|
|
echo "LOAD_SUBNETS $*" |
print_info "LOAD_SUBNETS: $*"; |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
else |
else |
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
print_info "LOAD_SUBNETS: config file not found: $cfgfile"; |
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
return 1 |
else |
fi fi |
print_info "LOAD_SUBNETS: Config file '$cfgfile' not found" |
|
return 1 |
|
fi |
|
fi |
|
LOADED_CONFIG_FILES="$LOADED_CONFIG_FILES $cfgfound"; |
LOADED_CONFIG_FILES="$LOADED_CONFIG_FILES $cfgfound"; |
|
|
lines=0 |
print_info "LOAD_SUBNETS: found $cfgfile: $cfgfound"; |
print_info "LOAD_SUBNETS: Mapping $cfgfound map file to $cfgvar, port $port" |
print_info "LOAD_SUBNETS: mapping $cfgfile to $cfgvar, port $port" |
|
|
|
lines=0; |
while read subnet ; do |
while read subnet ; do |
case "$subnet" in |
case "$subnet" in |
""|\#*) |
""|\#*) |
continue |
continue |
;; |
;; |
esac |
esac |
print_info "LOAD_SUBNETS: $cfgvar=\"\$$cfgvar $subnet:$port\"" |
eval "$cfgvar=\"\$$cfgvar $subnet:$port\""; |
eval "$cfgvar=\"\$$cfgvar $subnet:$port\"" |
lines=$(($lines + 1)); |
lines=$(($lines + 1)) |
|
done < $cfgfound |
done < $cfgfound |
print_info "LOAD_SUBNETS: $cfgvar='${!cfgvar}'" |
print_info "LOAD_SUBNETS: $lines subnets loaded from $cfgfile" |
print_info "LOAD_SUBNETS: $lines subnets loaded from '$cfgfile' into '$cfgvar'" |
|
|
|
} # }}} |
} # }}} |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
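Review bot: The `eval` inside the rewritten loop still interpolates `$subnet` straight from the file and `$cfgvar` straight from the caller, so the new `case` that skips blank and `#` lines is the only filtering before a line becomes shell code; any other content is evaluated rather than appended as data. Since the file is read from the firewall config directory this is mostly a robustness concern, but a character-class check before the `eval` keeps it to address data: `case "$subnet" in *[!0-9A-Fa-f.:/]*) print_info "LOAD_SUBNETS: skipping malformed line: $subnet"; continue ;; esac`, and the same shape on `$cfgvar` at the top of the function (`*[!A-Za-z0-9_]*`) rejects a malformed variable name before it reaches `eval`. `done < $cfgfound` should also quote the path (`"$cfgfound"`), since both config-dir variables are interpolated into it. The nested `else if … fi fi` is valid sh but reads like a typo; `elif` expresses the same fallback in one level.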
Riadok 1069 allow_input() |
|
Riadok 1067 allow_input() |
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# We are using REAL_INTERFACES instead of INTERFACES here, because we want |
# We are using INTERFACES + lo instead of INTERFACES here, because we want |
# to do redirects for "lo" interface as well. However for "lo" it is done |
# to do redirects for "lo" interface as well. However for "lo" it is done |
# quite differently. See http://ix.sk/0WY2j for more information on this. |
# quite differently. See http://ix.sk/0WY2j for more information on this. |
# -- Nepto [2015-10-19] |
# -- Nepto [2015-10-19] |
for iface in $REAL_INTERFACES; do |
for iface in lo $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
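Review bot: `for iface in lo $INTERFACES; do` iterates `lo` twice if `$INTERFACES` already lists it, which would emit the loopback redirect rules a second time; whether that variable can contain `lo` is not visible from this hunk. If it can, a one-line dedupe before the loop preserves the intent: `case " $INTERFACES " in *" lo "*) ifaces="$INTERFACES" ;; *) ifaces="lo $INTERFACES" ;; esac` followed by `for iface in $ifaces; do`. The updated comment could also say this explicitly, e.g. `# "lo" is prepended here; INTERFACES is expected not to contain it.` The loop body continues outside the hunk.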
Riadok 1620 shaping_status() |
|
Riadok 1618 shaping_status() |
|
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' `" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%F %T'`" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
|
|
drop_output |
drop_output |
allow_output |
allow_output |
allow_icmp |
allow_icmp |
echo "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
print_info "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
drop_input |
drop_input |
reject_input |
reject_input |
allow_input |
allow_input |