verzia 2.101, 2013/09/28 18:51:30 |
verzia 2.116, 2018/06/28 23:13:42 |
|
|
# Provides: firewall |
# Provides: firewall |
# Required-Start: $network |
# Required-Start: $network |
# Required-Stop: $remote_fs |
# Required-Stop: $remote_fs |
# Default-Start: S |
# Default-Start: 2 3 4 5 |
# Default-Stop: 0 6 |
# Default-Stop: 0 6 |
# Short-Description: Starts firewall |
# Short-Description: Starts firewall |
# Description: Handle universal firewall script by Platon Group |
# Description: Handle universal firewall script by Platon Group |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# Author: Lubomir Host <rajo@platon.sk> |
# Author: Lubomir Host <rajo@platon.sk> |
# Copyright: (c) 2003-2011 Platon Group |
# Copyright: (c) 2003-2018 Platon Group |
### END INIT INFO |
### END INIT INFO |
|
|
# |
# |
|
|
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Copyright (c) 2003-2018 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.100 2013-09-28 10:07:18 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.115 2018/06/28 22:46:00 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
# 2011-07-20 - implemented XEN_MODE |
# 2011-07-20 - implemented XEN_MODE |
|
# 2018-03-01 - fixed Default-Start for SystemD on Stretch (nepto) |
# |
# |
|
|
|
|
Riadok 39 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
Riadok 40 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
|
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
|
|
# quiet output? {{{ |
# quiet output? {{{ |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
if [ "x$QUIET" = "xyes" ]; then |
print_info() |
print_info() |
{ |
{ |
echo -n "" |
echo -n "" |
|
|
fi |
fi |
# }}} |
# }}} |
|
|
|
# Define function which can be used in config file |
|
# Usage: |
|
# load_subnets eth0_ACCEPT_INPUT_TCP Slovakia.txt 22 |
|
load_subnets() |
|
{ # {{{ |
|
cfgvar="$1"; |
|
cfgfile="$2"; |
|
port="$3"; |
|
|
|
print_info "LOAD_SUBNETS: $*"; |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
print_info "LOAD_SUBNETS: config file not found: $cfgfile"; |
|
return 1 |
|
fi fi |
|
LOADED_CONFIG_FILES="$LOADED_CONFIG_FILES $cfgfound"; |
|
|
|
print_info "LOAD_SUBNETS: found $cfgfile: $cfgfound"; |
|
print_info "LOAD_SUBNETS: mapping $cfgfile to $cfgvar, port $port" |
|
|
|
lines=0; |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
eval "$cfgvar=\"\$$cfgvar $subnet:$port\""; |
|
lines=$(($lines + 1)); |
|
done < $cfgfound |
|
print_info "LOAD_SUBNETS: $lines subnets loaded from $cfgfile" |
|
} # }}} |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_FIREWALL_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
|
|
|
|
config=""; |
config=""; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG\" `"; |
fi |
fi |
if [ -r "$0" ]; then |
if [ -r "$0" ]; then |
config="$config ` cat \"$0\" `"; |
config="$config ` md5sum \"$0\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
fi |
fi |
|
for lc in $LOADED_CONFIG_FILES; do |
|
echo "CHECKSUM $lc"; |
|
config="$config ` md5sum \"$lc\" `"; |
|
done |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
|
|
print_info " done." |
print_info " done." |
fi |
fi |
done |
done |
|
} # }}} |
|
|
|
do_ban_single_ip() |
|
{ # {{{ |
|
if [ -z "$1" ]; then |
|
print_info "do_ban_single_ip(): empty banned_ip"; |
|
return; |
|
fi |
|
for banned_ip in $*; do |
|
$IPTABLES -A INPUT -s $banned_ip -j DROP; |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP; |
|
fi |
|
done |
} # }}} |
} # }}} |
|
|
bann_ip_adresses() |
bann_ip_adresses() |
Riadok 732 bann_ip_adresses() |
|
Riadok 791 bann_ip_adresses() |
|
if [ ! -z "$BANNED_IP" ]; then |
if [ ! -z "$BANNED_IP" ]; then |
print_info -en "Dropping ALL packets from IP:" |
print_info -en "Dropping ALL packets from IP:" |
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip"; |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
do_ban_single_ip "$banned_ip"; |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 910 reject_input() |
|
Riadok 963 reject_input() |
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
print_info -e "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then |
print_info -en "Accepting ALL INPUT UDP connections on ports:" |
print_info -e "Accepting ALL INPUT UDP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
Riadok 1006 allow_input() |
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
|
Riadok 1028 allow_input() |
|
fi |
fi |
|
|
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
print_info -e "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
for port in $REAL_ACCEPT_INPUT_TCP; do |
for port in $REAL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
Riadok 1052 allow_input() |
|
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
print_info -en "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
print_info -e "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
for port in $REAL_ACCEPT_INPUT_UDP; do |
for port in $REAL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1011 allow_input() |
|
Riadok 1076 allow_input() |
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
for iface in $INTERFACES; do |
# We are using INTERFACES + lo instead of INTERFACES here, because we want |
|
# to do redirects for "lo" interface as well. However for "lo" it is done |
|
# quite differently. See http://ix.sk/0WY2j for more information on this. |
|
# -- Nepto [2015-10-19] |
|
for iface in lo $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
Riadok 1039 allow_input() |
|
Riadok 1108 allow_input() |
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p TCP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1053 allow_input() |
|
Riadok 1126 allow_input() |
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p UDP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1110 allow_input() |
|
Riadok 1187 allow_input() |
|
|
|
# ACCEPT {{{ |
# ACCEPT {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
print_info -e "$iface: Accepting INPUT TCP connections on ports:" |
counter=0; |
counter=0; |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
Riadok 1118 allow_input() |
|
Riadok 1195 allow_input() |
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
|
if [ "$last_port" != "$port" -a -n "$src_ip" ]; then counter=0; print_info ""; fi |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
last_port="$port"; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1222 allow_output() |
|
Riadok 1301 allow_output() |
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
# UDP *must* go before TCP |
|
# |
|
# Reason: we need to have working DNS resolving, which works over |
|
# port 53/UDP. Resolving is required for those rules, which use |
|
# hostname instead of IP address, for example cvs.platon.sk:2401. |
|
|
# TCP |
# UDP |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
for port in $ACCEPT_OUTPUT_TCP; do |
for port in $ACCEPT_OUTPUT_UDP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
Riadok 1241 allow_output() |
|
Riadok 1325 allow_output() |
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# UDP |
# TCP |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
for port in $ACCEPT_OUTPUT_UDP; do |
for port in $ACCEPT_OUTPUT_TCP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
Riadok 1271 allow_output() |
|
Riadok 1355 allow_output() |
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
Riadok 1541 shaping_status() |
|
Riadok 1625 shaping_status() |
|
|
|
# }}} |
# }}} |
|
|
|
check_banned_ip() |
|
{ # {{{ |
|
output="`grep \"$1\" $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf`"; |
|
if [ "$?" -eq 0 -a -n "$output" ]; then |
|
return 0; |
|
fi |
|
return 1; |
|
} # }}} |
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' `" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%F %T'`" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
Riadok 1556 add_banned_ip() |
|
Riadok 1649 add_banned_ip() |
|
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
rm -f $TMPFILE |
rm -f $TMPFILE |
# start with new firewalling rules |
|
$0 start |
|
} # }}} |
} # }}} |
|
|
deploy_block() |
deploy_block() |
Riadok 1658 while (my $line = <STDIN>) { |
|
Riadok 1749 while (my $line = <STDIN>) { |
|
$iface = $1; |
$iface = $1; |
my $iface_hwaddr = $2; |
my $iface_hwaddr = $2; |
my $x_iface = $iface; |
my $x_iface = $iface; |
$iface =~ s/:/_/; # convert "eth0:0" --> "eth0_0" |
$iface =~ s/:$//g; |
|
$iface =~ s/:/_/g; # convert "eth0:0" --> "eth0_0" |
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
$ifname{$iface} = $x_iface; |
$ifname{$iface} = $x_iface; |
$ipcount{$iface}++; |
$ipcount{$iface}++; |
Riadok 1678 while (my $line = <STDIN>) { |
|
Riadok 1770 while (my $line = <STDIN>) { |
|
push @{$ip6{$iface}}, $fields[3]; |
push @{$ip6{$iface}}, $fields[3]; |
$scope6{$iface} = [ $fields[4] =~ m/Scope:(.*)$/i ]->[0]; |
$scope6{$iface} = [ $fields[4] =~ m/Scope:(.*)$/i ]->[0]; |
} |
} |
|
elsif ($line =~ m/^[ \t]+inet\s/) { # Linux IP address |
|
die unless defined $iface; |
|
my @fields = split(/[\s:]+/, $line); |
|
push @{$ip{$iface}}, $fields[2]; |
|
$bcast{$iface} = (defined($fields[5]) and $fields[5] eq "broadcast") ? $fields[6] : ""; |
|
$mask{$iface} = $fields[4]; |
|
} |
|
|
} |
} |
|
|
Riadok 1691 map { printf "IPcount_%s=\"%s\"; export |
|
Riadok 1790 map { printf "IPcount_%s=\"%s\"; export |
|
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", sort keys %ip); |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", sort keys %ip); |
'` |
'` |
eval "$parsed_interfaces"; |
|
#echo "$parsed_interfaces"; |
#echo "$parsed_interfaces"; |
|
eval "$parsed_interfaces"; |
|
|
parsed_routes=`$PERL -e ' |
parsed_routes=`$PERL -e ' |
$\ = "\n"; |
$\ = "\n"; |
Riadok 1741 printf "interfaces=\"%s\"; export inter |
|
Riadok 1840 printf "interfaces=\"%s\"; export inter |
|
|
|
} # }}} |
} # }}} |
'` |
'` |
|
#echo $parsed_routes |
eval "$parsed_routes"; |
eval "$parsed_routes"; |
|
|
# Now we have defined variables like this: |
# Now we have defined variables like this: |
|
|
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
retcode=0; |
case "$1" in |
case "$1" in |
start) |
start) |
print_info -n "Starting $DESC: " |
print_info -n "Starting $DESC: " |
|
|
mangle_prerouting |
mangle_prerouting |
mangle_output |
mangle_output |
accept_related |
accept_related |
|
accept_loopback |
log_new_connections |
log_new_connections |
drop_output |
drop_output |
|
allow_output |
|
allow_icmp |
|
print_info "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
drop_input |
drop_input |
reject_input |
reject_input |
allow_input |
allow_input |
allow_output |
|
allow_icmp |
|
accept_loopback |
|
masquerade |
masquerade |
forward_on |
forward_on |
log_input_drop |
log_input_drop |
|
|
purge) |
purge) |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
;; |
;; |
|
|
block) |
block) |
shift; |
shift; |
add_banned_ip $*; |
for banned_ip in $*; do |
# start the some script twice to refresh rules (new blocked IP's) |
check_banned_ip "$banned_ip"; |
QUIET=yes $0 start; |
if [ "$?" -eq 0 ]; then |
|
print_info "Already blocked IP address: $banned_ip"; |
|
retcode=1; |
|
else |
|
print_info "Blocking IP address: $banned_ip"; |
|
add_banned_ip "$banned_ip"; |
|
do_ban_single_ip "$banned_ip"; |
|
fi |
|
done |
;; |
;; |
update) |
update) |
update; |
update; |
|
|
;; |
;; |
esac |
esac |
|
|
exit 0 |
exit "$retcode"; |
|
|
# vim600: fdm=marker fdl=0 fdc=3 |
# vim600: fdm=marker fdl=0 fdc=3 |
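Review bot: check_banned_ip() (the new function just before add_banned_ip, in the Riadok 1541/1625 region) hands the IP to grep as an unanchored basic regex, so every dot matches any character and a substring hit counts: checking 10.0.0.1 against an existing entry such as 110.0.0.12 or 10.0.0.100 returns 0, the `block)` branch then prints "Already blocked IP address" and the new address is neither written to BANNED_IP.conf nor dropped. Match a fixed string on word boundaries instead, `output="$(grep -F -w -e "$1" "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf")";` (`-e` also keeps an argument that starts with `-` from being parsed as an option); whether a whole-line `-x` match is safe depends on the line format read_config_ips writes, which is outside this diff. The unquoted config path on the same line should be quoted for the same reason. Separately, the cache-key loop's `echo "CHECKSUM $lc"` bypasses print_info and so appears on stdout even under QUIET=yes; if it is a leftover debug line, drop it or route it through `print_info`.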
|
|