verzia 2.12, 2005/01/16 10:55:39 |
verzia 2.35, 2006/01/10 01:33:26 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.11 2005/01/13 13:31:54 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.30 2005/11/01 00:36:24 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
DESC="firewall" |
DESC="firewall" |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}" |
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
|
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
if [ -f "$DEFAULT_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
echo "Reading config file $DEFAULT_CONFIG" |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
fi |
fi |
|
|
# |
# |
|
|
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
# which modules to load |
# which modules to load |
MODULES="${MODULES:=}" |
MODULES="${MODULES:=}" |
|
MODULES_LOADING="${MODULES_LOADING:=yes}" |
|
MODULES_REMOVING="${MODULES_REMOVING:=no}" |
|
|
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}" |
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}" |
|
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
|
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
|
if [ "x$LOGGING" = "xoff" ]; then |
|
IPTABLES_LOG=": log turned off" |
|
else |
|
IPTABLES_LOG="${IPTABLES_LOG:=$DEBUG/sbin/iptables}" |
|
fi |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
Riadok 46 AWK="${AWK:=/usr/bin/awk}" |
|
Riadok 57 AWK="${AWK:=/usr/bin/awk}" |
|
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IP="IP_$LO_IFACE" |
|
|
|
# Which ports will be allowed on INPUT (TCP connections) |
# |
ALL_ACCEPT_INPUT_TCP="${ALL_ACCEPT_INPUT_TCP:=}" |
# CONSTANTS - Do not edit |
# interface eth0 |
# |
eth0_ACCEPT_INPUT_TCP="${eth0_ACCEPT_INPUT_TCP:=}" |
ANYWHERE="0.0.0.0/0" # Match any IP address |
# interface ppp0 |
BROADCAST_SRC="0.0.0.0" # Broadcast Source Address |
ppp0_ACCEPT_INPUT_TCP="${ppp0_ACCEPT_INPUT_TCP:=}" |
BROADCAST_DEST="255.255.255.255" # Broadcast Destination Address |
|
CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks |
# Which ports will be allowed on INPUT (UDP connections) |
CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks |
# interface eth0 |
CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks |
eth0_ACCEPT_INPUT_UDP="${eth0_ACCEPT_INPUT_UDP:=}" |
CLASS_D_MULTICAST="224.0.0.0/4" # Class-D Multicast Addresses |
# interface ppp0 |
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class-E Reserved Addresses |
ppp0_ACCEPT_INPUT_UDP="${ppp0_ACCEPT_INPUT_UDP:=}" |
PRIVPORTS="0:1023" # Well-Known, Privileged Port Range |
|
UNPRIVPORTS="1024:65535" # Unprivileged Port Range |
|
TRACEROUTE_SRC_PORTS="32769:65535" # Traceroute Source Ports |
|
TRACEROUTE_DEST_PORTS="33434:33523" # Traceroute Destination Ports |
|
|
|
|
# allow some ICMP packets - needed for ping etc. |
# allow some ICMP packets - needed for ping etc. |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
|
|
|
|
# load necessary modules from $MODULES variable |
# load necessary modules from $MODULES variable |
load_modules() |
load_modules() |
{ # {{{ |
{ # {{{ |
echo "# Loading modules" |
if [ "e$MODULES_LOADING" = "eyes" ]; then |
for mod in $MODULES; do |
echo "# Loading modules" |
echo " $MODPROBE $mod" |
for mod in $MODULES; do |
$MODPROBE $mod |
echo " $MODPROBE $mod" |
done |
$MODPROBE $mod |
|
done |
|
fi |
|
} # }}} |
|
|
|
load_cache() |
|
{ # {{{ |
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
|
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
fi |
|
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG`; |
|
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | awk '{ print $1; }'`; |
|
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
|
|
|
if [ -f "$CACHE_FILE" ]; then |
|
echo "Loading rules from cache file $CACHE_FILE" |
|
$IPTABLES_RESTORE -c < $CACHE_FILE; |
|
forward_on # this has nothing to do with IPtables rules, we need to run them explicitly |
|
exit 0; |
|
fi |
} # }}} |
} # }}} |
|
|
# unload necessary modules from $MODULES variable |
# unload necessary modules from $MODULES variable |
unload_modules() |
unload_modules() |
{ # {{{ |
{ # {{{ |
# reverse modules |
# reverse modules |
echo "# Removing modules" |
if [ "e$MODULES_REMOVING" = "eyes" ]; then |
R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '` |
echo "# Removing modules" |
for mod in $R_MODULES; do |
R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '` |
echo " $RMMOD $mod" |
for mod in $R_MODULES; do |
$RMMOD $mod |
echo " $RMMOD $mod" |
done |
$RMMOD $mod |
|
done |
|
fi |
} # }}} |
} # }}} |
|
|
# print status of detected interfaces |
# print status of detected interfaces |
print_iface_status() |
print_iface_status() |
{ # {{{ |
{ # {{{ |
# Print interfaces: |
# Print interfaces: |
echo "# iface | IP addr | broadcast | netmask | HW addr" |
echo "# iface | IP addr | Gateway | broadcast | netmask | HW addr" |
for iface in $interfaces; do |
for iface in $interfaces; do |
IP="IP_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; |
IP="IP_$iface"; Gateway="Gateway_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; |
echo "$iface | ${!IP} | ${!Bcast} | ${!Mask} | ${!HWaddr}" |
echo "$iface | ${!IP} | ${!Gateway} | ${!Bcast} | ${!Mask} | ${!HWaddr}" |
done |
done |
} # }}} |
} # }}} |
|
|
Riadok 113 antispoof_on() |
|
Riadok 153 antispoof_on() |
|
done |
done |
} # }}} |
} # }}} |
|
|
|
# Turn on IP packets forwarding |
|
forward_on() |
|
{ # {{{ |
|
# NAT requires turn on IP forwarding |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
|
forward_off() |
|
{ # {{{ |
|
echo -en "NAT: Disabling packet forwarding..." |
|
echo 0 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
# clear status of iptable chains |
# clear status of iptable chains |
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
Riadok 120 remove_chains() |
|
Riadok 178 remove_chains() |
|
for table in filter nat mangle; do |
for table in filter nat mangle; do |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES -t $table -X # remove all chains |
|
$IPTABLES -t $table -Z # zero counts |
done |
done |
|
|
} # }}} |
} # }}} |
|
|
# all packets on loopback are accpted |
|
set_loopback() |
|
{ # {{{ |
|
$IPTABLES -A INPUT -j ACCEPT -i $LO_IFACE |
|
$IPTABLES -A OUTPUT -j ACCEPT -o $LO_IFACE |
|
} # }}} |
|
|
|
# DROP packages from nmap(1) |
# DROP packages from nmap(1) |
nmap_scan_filter() |
nmap_scan_filter() |
{ # {{{ |
{ # {{{ |
Riadok 139 nmap_scan_filter() |
|
Riadok 191 nmap_scan_filter() |
|
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
echo -en "." |
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
done |
done |
Riadok 171 invalid_packet_filter() |
|
Riadok 223 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
Riadok 208 anti_spoof_filter() |
|
Riadok 260 anti_spoof_filter() |
|
$IPTABLES -N spoof |
$IPTABLES -N spoof |
|
|
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES_LOG -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES_LOG -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES_LOG -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
Riadok 276 mangle_output() |
|
Riadok 328 mangle_output() |
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
ip="IP_$NAT_SUBNET_IFACE"; |
|
|
|
|
# alow packets from private subnet |
# alow packets from private subnet |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
|
for client_ip in $NAT_CLIENT_DROP; do |
|
echo -en " !$client_ip"; |
|
$IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
|
done |
|
|
for redirect in $NAT_TCP_PORT_REDIRECT; do |
for redirect in $NAT_TCP_PORT_REDIRECT; do |
eval `echo $redirect | awk -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
eval `echo $redirect | awk -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
|
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
echo " done." |
echo " done." |
|
|
|
# Port forwarding to local machines |
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
|
echo -en "\tForwarding ports to local machines:" |
|
for redirect in $NAT_TCP_PORT_FORWARD; do |
|
eval `echo $redirect | awk -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
echo -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
# Keep state of connections from private subnets |
# Keep state of connections from private subnets |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
Riadok 350 log_new_connections() |
|
Riadok 422 log_new_connections() |
|
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
echo -en "Logging new connections:" |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
$IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
NAT_LOG_NEW_CONNECTIONS="TCP UDP" |
$IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
fi |
$IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
echo -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
|
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
|
$IPTABLES_LOG -A INPUT -m state --state NEW -p $proto -j LOG --log-prefix "IN connection: " |
|
$IPTABLES_LOG -A OUTPUT -m state --state NEW -p $proto -j LOG --log-prefix "OUT connection: " |
|
$IPTABLES_LOG -A FORWARD -m state --state NEW -p $proto -j LOG --log-prefix "FWD connection: " |
|
done |
echo " done." |
echo " done." |
fi |
fi |
fi |
fi |
|
|
|
|
} # }}} |
} # }}} |
|
|
allow_input() |
bann_ip_adresses() |
{ # {{{ |
{ # {{{ |
|
# |
|
# This feature has been developed for following reason: |
|
# UbiCrawler spam our website with many requests (they are duplicit requests of the same page!) |
|
# And this web robot doesn't accept HTTP META tags (http://www.robotstxt.org/wc/faq.html#extension) |
|
# |
|
# Bann them too! |
|
# |
|
#IP address is: 146.48.97.11 146.48.97.13 |
|
# User Agent: "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)" |
|
# |
|
if [ ! -z "$BANNED_IP" ]; then |
|
echo -en "Dropping ALL packets from IP:" |
|
for banned_ip in $BANNED_IP; do |
|
echo -en " $banned_ip" |
|
$IPTABLES -A INPUT -s $banned_ip -j DROP |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
done |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
|
allow_accept_all() |
|
{ # {{{ |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
echo -en "Accepting ALL packets on interfaces:" |
echo -en "Accepting ALL packets on interfaces:" |
for iface in $IFACE_ACCEPT_ALL; do |
for iface in $IFACE_ACCEPT_ALL; do |
|
|
done |
done |
echo " done." |
echo " done." |
fi |
fi |
|
} # }}} |
|
|
|
allow_input() |
|
{ # {{{ |
|
|
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
for client_ip in $NAT_CLIENT_DROP; do |
|
echo -en " !$client_ip"; |
|
$IPTABLES -A INPUT -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
|
done |
|
fi |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
|
|
fi |
fi |
done |
done |
|
|
|
# Enable outgoing TRACEROUTE requests (required e.g. by Skype, http://www.skype.com) |
|
if [ ! -z "$TRACEROUTE_IFACE" ]; then |
|
ip="IP_$ANTISPOOF_IFACE"; |
|
echo -en "Accepting traceroute:" |
|
|
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
|
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
|
-s ${!ip} -d $ANYWHERE -j ACCEPT |
|
|
|
for iface in $TRACEROUTE_IFACE; do |
|
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
|
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
# ACCEPT all packets from our IP address |
# ACCEPT all packets from our IP address |
|
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
#$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
log_input_drop() |
log_input_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="input drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Input drop is logged with prefix '$prefix'" |
prefix="input drop: " |
$IPTABLES -A INPUT $LOG_LIMIT "$prefix" |
echo "Input drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_output_drop() |
log_output_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="output drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Output drop is logged with prefix '$prefix'" |
prefix="output drop: " |
$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix" |
echo "Output drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_forward_drop() |
log_forward_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="forward drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Forward drop is logged with prefix '$prefix'" |
prefix="forward drop: " |
$IPTABLES -A FORWARD $LOG_LIMIT "$prefix" |
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix" |
|
fi |
|
|
|
} # }}} |
|
|
|
do_ip_accounting() |
|
{ # {{{ |
|
|
|
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
IPACCT_NAME="ZORBCOUNT" |
|
IPACCT_IN_NAME="ZORBCOUNTIN" |
|
IPACCT_OUT_NAME="ZORBCOUNTOUT" |
|
$IPTABLES -N $IPACCT_NAME # whole network |
|
$IPTABLES -N $IPACCT_IN_NAME # download: from server to client |
|
$IPTABLES -A $IPACCT_IN_NAME |
|
$IPTABLES -N $IPACCT_OUT_NAME # upload: from client to server |
|
$IPTABLES -A $IPACCT_OUT_NAME |
|
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
|
netmask="Mask_$NAT_SUBNET_IFACE" |
|
localnet="${!ip}/${!netmask}" |
|
|
|
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
|
$IPTABLES -A $IPACCT_NAME -s $client_ip |
|
$IPTABLES -A $IPACCT_NAME -d $client_ip |
|
done |
|
|
|
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
|
accountig_ports=`echo "$NAT_TCP_PORT_REDIRECT " | awk -v RS=' ' -v FS=: '{ print $2; }' | sort -u -r -g ` |
|
for port in $accountig_ports; do |
|
$IPTABLES -I INPUT -i $NAT_SUBNET_IFACE -p TCP --dport $port -j $IPACCT_NAME |
|
$IPTABLES -I INPUT -i $NAT_SUBNET_IFACE -p UDP --dport $port -j $IPACCT_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_SUBNET_IFACE -p TCP --sport $port -j $IPACCT_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_SUBNET_IFACE -p UDP --sport $port -j $IPACCT_NAME |
|
done |
|
fi |
|
|
|
$IPTABLES -A $IPACCT_NAME -s $localnet |
|
$IPTABLES -A $IPACCT_NAME -d $localnet |
|
|
|
fi |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
accept_related() |
accept_related() |
{ # {{{ |
{ # {{{ |
|
|
echo -en "Accepting ESTABLISHED, RELATED packets for IP:" |
echo -en "Accepting ESTABLISHED, RELATED packets for IP:" |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
echo -en " ${!ip}($iface)" |
echo -en " ${!ip}($iface)" |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
|
|
Riadok 542 accept_loopback() |
|
Riadok 721 accept_loopback() |
|
|
|
# Loopback není radno omezovat |
# Loopback není radno omezovat |
echo -en "Accepting loopback:" |
echo -en "Accepting loopback:" |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
Riadok 552 accept_loopback() |
|
Riadok 732 accept_loopback() |
|
parse_ifconfig() |
parse_ifconfig() |
{ # {{{ |
{ # {{{ |
# Parse output from ifconfig: |
# Parse output from ifconfig: |
eval `$IFCONFIG | \ |
parsed_interfaces=`$IFCONFIG | \ |
$AWK 'BEGIN { interfaces=""; } |
$AWK 'BEGIN { interfaces=""; } |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
iface=$1; |
iface=$1; |
Riadok 582 parse_ifconfig() |
|
Riadok 762 parse_ifconfig() |
|
} |
} |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
'` |
'` |
|
eval "$parsed_interfaces"; |
|
|
|
parsed_routes=`perl -e ' |
|
$\ = "\n"; |
|
open(FILE, "/proc/net/route") or die "Can not open /proc/net/route: $!"; |
|
my @columns = split(/\s+/, <FILE>); |
|
while (my $line = <FILE>) { |
|
my $iface; |
|
my @vals = split(/\s+/, $line); |
|
foreach my $key (@columns) { |
|
$iface->{$key} = shift @vals; |
|
} |
|
|
|
foreach my $key (qw( Gateway Destination )) { |
|
print "${key}_$iface->{Iface}=", |
|
qw("), hex2ip($iface->{$key}), qw("), |
|
"; export ${key}_$iface->{Iface};"; |
|
} |
|
foreach my $key (qw( Flags MTU Metric Window IRTT )) { |
|
print "${key}_$iface->{Iface}=", |
|
qw("), $iface->{$key}, qw("), |
|
"; export ${key}_$iface->{Iface};"; |
|
} |
|
} |
|
close(FILE); |
|
|
|
|
|
sub hex2ip |
|
{ # {{{ |
|
my ($str) = @_; |
|
my @block; |
|
|
|
my $hex = uc($str); |
|
|
|
while (length($hex)) { |
|
my $x = ord(substr($hex, 0, 1)); |
|
my $y = ord(substr($hex, 1, 1)); |
|
|
|
$x = $x > 64 ? $x - 55 : $x - 48; |
|
$y = $y > 64 ? $y - 55 : $y - 48; |
|
|
|
push @block, 16 * $x + $y; |
|
$hex = substr($hex, 2); |
|
} |
|
|
|
return join(".", reverse @block); |
|
|
|
} # }}} |
|
'` |
|
eval "$parsed_routes"; |
|
|
# Now we have defined variables like this: |
# Now we have defined variables like this: |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
Riadok 594 parse_ifconfig() |
|
Riadok 824 parse_ifconfig() |
|
parse_ifconfig |
parse_ifconfig |
print_iface_status |
print_iface_status |
|
|
# $interfaces - all interfaces |
# |
|
# Split interfaces into 2 groups: |
|
# |
|
# $INTERFACES_ACCEPT_ALL - interfaces withouth restrictions |
|
# |
# $INTERFACES - all interfaces withouth loopback |
# $INTERFACES - all interfaces withouth loopback |
|
# and devices without restrictions (e.g. tun0 tun1 tap0 ...) |
|
# |
|
# list of all interfaces is in $interfaces variable |
|
# |
INTERFACES="" |
INTERFACES="" |
|
INTERFACES_ACCEPT_ALL="" |
|
regexp='^\('`echo $IFACE_ACCEPT_ALL | sed 's/ /\\\|/g; s/+/.*/g;'`'\)$' |
for iface in $interfaces; do |
for iface in $interfaces; do |
if [ "o$iface" = "olo" ]; then continue; fi |
#if [ "o$iface" = "olo" ]; then continue; fi |
INTERFACES="$INTERFACES $iface"; |
echo $iface | grep -q -e "$regexp" |
|
if [ $? = 0 ] || [ "o$iface" = "olo" ]; then # lo interface is always here |
|
INTERFACES_ACCEPT_ALL="$INTERFACES_ACCEPT_ALL $iface"; |
|
else |
|
INTERFACES="$INTERFACES $iface"; |
|
fi |
done |
done |
|
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
|
case "$1" in |
case "$1" in |
start) |
start) |
echo -n "Starting $DESC: " |
echo -n "Starting $DESC: " |
# Inicialize modules |
# Inicialize modules |
$DEPMOD -a |
#$DEPMOD -a |
load_modules |
load_modules |
|
load_cache |
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
set_loopback |
bann_ip_adresses |
|
allow_accept_all |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
anti_spoof_filter |
anti_spoof_filter |
|
|
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
|
forward_on |
|
do_ip_accounting |
|
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
stop) |
stop) |
|
|
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
unload_modules |
unload_modules |
|
forward_off |
|
accept_related |
|
;; |
|
|
|
really-off) |
|
echo -n "Stopping $DESC: removing ALL rules, all packets are dropped !!" |
|
set_default_policy |
|
remove_chains |
|
unload_modules |
|
forward_off |
;; |
;; |
|
|
status) |
status) |
|
|
$IPTABLES -L -nv |
$IPTABLES -L -nv |
;; |
;; |
|
|
|
purge) |
|
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
|
;; |
|
|
*) |
*) |
echo "Usage: $0 {start|stop|stop}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |