=================================================================== RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v retrieving revision 2.52 retrieving revision 2.53 diff -u -p -r2.52 -r2.53 --- scripts/shell/firewall/fw-universal.sh 2008/01/16 23:45:08 2.52 +++ scripts/shell/firewall/fw-universal.sh 2008/01/17 21:44:30 2.53 @@ -9,7 +9,7 @@ # Licensed under terms of GNU General Public License. # All rights reserved. # -# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.51 2007-12-12 23:30:10 rajo Exp $ +# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.52 2008-01-16 23:45:08 rajo Exp $ # # Changelog: # 2003-10-24 - created @@ -24,8 +24,22 @@ DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" +# quiet output? {{{ +if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then + print_info() + { + echo -n "" + } +else + print_info() + { + echo $* + } +fi +# }}} + if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then - echo "Reading config file $DEFAULT_FIREWALL_CONFIG" + print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" . $DEFAULT_FIREWALL_CONFIG fi @@ -84,6 +98,7 @@ TRACEROUTE_DEST_PORTS="33434:33523" # Tr # allow some ICMP packets - needed for ping etc. ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" + print_first() { # {{{ echo $1 @@ -104,9 +119,9 @@ read_config_ips() load_modules() { # {{{ if [ "e$MODULES_LOADING" = "eyes" ]; then - echo "# Loading modules" + print_info "# Loading modules" for mod in $MODULES; do - echo " $MODPROBE $mod" + print_info " $MODPROBE $mod" $MODPROBE $mod done fi 
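Review bot: `echo $*` in the non-quiet `print_info` word-splits its arguments, so the leading and trailing spaces the converted call sites rely on (`print_info -en " $iface"`, `print_info " done."`, `print_info -en "Turning on nmap scan filter "`) are dropped and the items run together in the output; `echo "$@"` keeps them intact while still handing `-en`/`-n` to echo as its first argument. The quiet branch's `echo -n ""` can simply be `:`. This block also runs before `. $DEFAULT_FIREWALL_CONFIG` is sourced a few lines below, so `QUIET=yes` is only honoured when it comes from the environment, never from the config file — worth recording as `# QUIET must be set in the environment; the config file is read after this point`. The spacing defect applies to every `print_info -en` call introduced in the remaining hunks of this commit.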
@@ -126,7 +141,7 @@ load_cache() #echo "CACHE_FILE=$CACHE_FILE" if [ -f "$CACHE_FILE" ]; then - echo "Loading rules from cache file $CACHE_FILE" + print_info "Loading rules from cache file $CACHE_FILE" $IPTABLES_RESTORE -c < $CACHE_FILE; forward_on # this has nothing to do with IPtables rules, we need to run them explicitly exit 0; @@ -138,10 +153,10 @@ unload_modules() { # {{{ # reverse modules if [ "e$MODULES_REMOVING" = "eyes" ]; then - echo "# Removing modules" + print_info "# Removing modules" R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '` for mod in $R_MODULES; do - echo " $RMMOD $mod" + print_info " $RMMOD $mod" $RMMOD $mod done fi @@ -151,12 +166,12 @@ unload_modules() print_iface_status() { # {{{ # Print interfaces: - echo "# iface | IP addr | Gateway | broadcast | netmask | HW addr" + print_info "# iface | IP addr | Gateway | broadcast | netmask | HW addr" for iface in $interfaces; do IPS="IP_$iface"; for IP in ${!IPS}; do Gateway="Gateway_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; - echo "$iface | ${IP} | ${!Gateway} | ${!Bcast} | ${!Mask} | ${!HWaddr}" + print_info "$iface | ${IP} | ${!Gateway} | ${!Bcast} | ${!Mask} | ${!HWaddr}" done done } # }}} @@ -182,17 +197,17 @@ forward_on() { # {{{ # NAT requires turn on IP forwarding if [ ! -z "$NAT_LAN_IFACE" ]; then - echo -en "NAT: Enabling packet forwarding..." + print_info -en "NAT: Enabling packet forwarding..." echo 1 > /proc/sys/net/ipv4/ip_forward - echo " done." + print_info " done." fi } # }}} forward_off() { # {{{ - echo -en "NAT: Disabling packet forwarding..." + print_info -en "NAT: Disabling packet forwarding..." echo 0 > /proc/sys/net/ipv4/ip_forward - echo " done." + print_info " done." } # }}} # clear status of iptable chains 
@@ -211,33 +226,33 @@ remove_chains() nmap_scan_filter() { # {{{ - echo -en "Turning on nmap scan filter " + print_info -en "Turning on nmap scan filter " for chain in INPUT FORWARD; do # Nie je nastaveny ziaden bit $IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " - echo -en "." + print_info -en "." $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP - echo -en "." + print_info -en "." # dva odporujuuce si flagy su nastavene: for flags in SYN,FIN SYN,RST FIN,RST ; do $IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " - echo -en "." + print_info -en "." $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP - echo -en "." + print_info -en "." done # je nastavene len $flags bez predpokladaneho ACK for flags in FIN PSH URG ; do $IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " - echo -en "." + print_info -en "." $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP - echo -en "." + print_info -en "." done done - echo " done." + print_info " done." } # }}} @@ -245,15 +260,15 @@ nmap_scan_filter() invalid_packet_filter() { # {{{ - echo -en "Turning on INVALID packet filter " + print_info -en "Turning on INVALID packet filter " for chain in INPUT OUTPUT FORWARD; do $IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " - echo -en "." + print_info -en "." $IPTABLES -A $chain -m state --state INVALID -j DROP - echo -en "." + print_info -en "." done - echo " done." + print_info " done." } # }}} @@ -280,7 +295,7 @@ anti_spoof_filter() if [ ! -z "$ANTISPOOF_IFACE" ]; then - echo -en "Turning on antispoof filter for interfaces: " + print_info -en "Turning on antispoof filter for interfaces: " $IPTABLES -N spoof # Ochrana proti Spoogingu zo spatnej slucky 
@@ -299,44 +314,44 @@ anti_spoof_filter() $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA for iface in $ANTISPOOF_IFACE; do - echo -en " $iface" + print_info -en " $iface" $IPTABLES -A FORWARD -i $iface -j spoof $IPTABLES -A INPUT -i $iface -j spoof done - echo " done." + print_info " done." fi } # }}} mangle_prerouting() { # {{{ - echo -en "Optimizing PREROUTING TOS: " + print_info -en "Optimizing PREROUTING TOS: " # TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet # pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost $IPTABLES -t mangle -A PREROUTING -p TCP --sport ssh -j TOS --set-tos Minimize-Delay - echo -en "." + print_info -en "." $IPTABLES -t mangle -A PREROUTING -p TCP --dport ssh -j TOS --set-tos Minimize-Delay - echo -en "." + print_info -en "." $IPTABLES -t mangle -A PREROUTING -p TCP --sport ftp -j TOS --set-tos Minimize-Delay - echo -en "." + print_info -en "." $IPTABLES -t mangle -A PREROUTING -p TCP --dport ftp -j TOS --set-tos Minimize-Delay - echo -en "." + print_info -en "." $IPTABLES -t mangle -A PREROUTING -p TCP --dport telnet -j TOS --set-tos Minimize-Delay - echo -en "." + print_info -en "." $IPTABLES -t mangle -A PREROUTING -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput - echo -en "." - echo " done." + print_info -en "." + print_info " done." } # }}} mangle_output() { # {{{ - echo -en "Optimizing OUTPUT TOS:" + print_info -en "Optimizing OUTPUT TOS:" # TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet # pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost for iface in $INTERFACES; do - echo -en " $iface"; + print_info -en " $iface"; $IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ssh -j TOS --set-tos Minimize-Delay $IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport ssh -j TOS --set-tos Minimize-Delay $IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp -j TOS --set-tos Minimize-Delay 
@@ -344,7 +359,7 @@ mangle_output() $IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport telnet -j TOS --set-tos Minimize-Delay $IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput done - echo " done." + print_info " done." } # }}} @@ -352,10 +367,10 @@ mangle_output() masquerade() { # {{{ if [ ! -z "$NAT_LAN_IFACE" ]; then - echo -en "NAT: Enabling packet forwarding..." + print_info -en "NAT: Enabling packet forwarding..." echo 1 > /proc/sys/net/ipv4/ip_forward - echo " done." - echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" + print_info " done." + print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" ip="`get_first_ip_addr IP_$NAT_SUBNET_IFACE`" netmask="Mask_$NAT_SUBNET_IFACE" @@ -366,7 +381,7 @@ masquerade() # alow packets from private subnet $IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP for client_ip in $NAT_CLIENT_DROP; do - echo -en " !$client_ip"; + print_info -en " !$client_ip"; $IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP done @@ -376,7 +391,7 @@ masquerade() $AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ (NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` - echo -en " $remote_port>>$remote_ip:$local_port(udp)" + print_info -en " $remote_port>>$remote_ip:$local_port(udp)" $IPTABLES -t nat -A PREROUTING -p TCP \ -i ! $NAT_LAN_IFACE -d ! $lan_ip \ --dport $remote_port -j REDIRECT --to-port $local_port 
@@ -387,7 +402,7 @@ masquerade() $AWK -v FS=: ' (NF == 2) { dnat = "no" ; remote_ip = "X"; remote_port = $1; local_port = $2; } \ (NF == 3) { dnat = "yes" ; remote_ip = $2; remote_port = $1; local_port = $3; } \ END { printf "dnat=%s; remote_ip=%s; remote_port=%s; local_port=%s;", dnat, remote_ip, remote_port, local_port; }'` - echo -en " $remote_port>>$remote_ip:$local_port(udp)" + print_info -en " $remote_port>>$remote_ip:$local_port(udp)" if [ "x$dnat" = "xyes" ]; then $IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_SUBNET_IFACE -d ! $ip \ --dport $local_port -j DNAT --to $remote_ip:$remote_port @@ -402,7 +417,7 @@ masquerade() #$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE $IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE - echo " done." + print_info " done." # don't forward Miscrosoft protocols - NOT RFC compliant packets if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then 
@@ -417,53 +432,53 @@ masquerade() fi if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then - echo -en "\tAccepting FORWARD TCP ports:" + print_info -en "\tAccepting FORWARD TCP ports:" for port in $NAT_FORWARD_TCP_PORTS; do - echo -en " $port" + print_info -en " $port" $IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT done - echo " done." + print_info " done." fi if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then - echo -en "\tAccepting FORWARD UDP ports:" + print_info -en "\tAccepting FORWARD UDP ports:" for port in $NAT_FORWARD_UDP_PORTS; do - echo -en " $port" + print_info -en " $port" $IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT done - echo " done." + print_info " done." fi - echo -en "\tAccepting ICMP packets:" + print_info -en "\tAccepting ICMP packets:" for type in $ACCEPT_ICMP_PACKETS; do - echo -en " $type" + print_info -en " $type" $IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT done #$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " - echo " done." + print_info " done." # Port forwarding to local machines if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then - echo -en "\tForwarding TCP ports to local machines:" + print_info -en "\tForwarding TCP ports to local machines:" for redirect in $NAT_TCP_PORT_FORWARD; do eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` - echo -en " $src_port -> $local_machine:$dest_port" + print_info -en " $src_port -> $local_machine:$dest_port" $IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $lan_ip \ --dport $src_port -j DNAT --to $local_machine:$dest_port $IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT done - echo " done." + print_info " done." fi if [ ! 
-z "$NAT_UDP_PORT_FORWARD" ]; then - echo -en "\tForwarding UDP ports to local machines:" + print_info -en "\tForwarding UDP ports to local machines:" for redirect in $NAT_UDP_PORT_FORWARD; do eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` - echo -en " $src_port -> $local_machine:$dest_port" + print_info -en " $src_port -> $local_machine:$dest_port" $IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ --dport $src_port -j DNAT --to $local_machine:$dest_port $IPTABLES -A FORWARD -p UDP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT done - echo " done." + print_info " done." fi # Keep state of connections from private subnets @@ -474,7 +489,7 @@ masquerade() # hide NAT clients behind firewall: - set TTL # XXX: warning: this breaks traceroute !!! if [ ! "a$NAT_SET_TTL" = "ano" ]; then - echo "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" + print_info "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" $IPTABLES -t mangle -A POSTROUTING -o $NAT_LAN_IFACE -j TTL --ttl-set $NAT_SET_TTL fi @@ -489,13 +504,13 @@ log_new_connections() if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then NAT_LOG_NEW_CONNECTIONS="TCP UDP" fi - echo -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" + print_info -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" for proto in $NAT_LOG_NEW_CONNECTIONS; do $IPTABLES_LOG -A INPUT -m state --state NEW -p $proto -j LOG --log-prefix "IN connection: " $IPTABLES_LOG -A OUTPUT -m state --state NEW -p $proto -j LOG --log-prefix "OUT connection: " $IPTABLES_LOG -A FORWARD -m state --state NEW -p $proto -j LOG --log-prefix "FWD connection: " done - echo " done." + print_info " done." fi fi } # }}} 
@@ -510,23 +525,23 @@ drop_output() DROP_OUTPUT_UDP="${!drop_output_udp}" if [ ! -z "$DROP_OUTPUT_TCP" ]; then - echo -en "$iface: Dropping outgoing packets from ports:" + print_info -en "$iface: Dropping outgoing packets from ports:" for port in $DROP_OUTPUT_TCP; do - echo -en " $port" + print_info -en " $port" $IPTABLES -A FORWARD -p TCP --sport $port -o $iface -j DROP $IPTABLES -A OUTPUT -p TCP --sport $port -o $iface -j DROP done - echo " done." + print_info " done." fi if [ ! -z "$DROP_OUTPUT_UDP" ]; then - echo -en "$iface: Dropping outgoing packets from ports:" + print_info -en "$iface: Dropping outgoing packets from ports:" for port in $DROP_OUTPUT_UDP; do - echo -en " $port" + print_info -en " $port" $IPTABLES -A FORWARD -p UDP --sport $port -o $iface -j DROP $IPTABLES -A OUTPUT -p UDP --sport $port -o $iface -j DROP done - echo " done." + print_info " done." fi done @@ -549,27 +564,27 @@ bann_ip_adresses() BANNED_IP="$BANNED_IP `read_config_ips $cf`" fi if [ ! -z "$BANNED_IP" ]; then - echo -en "Dropping ALL packets from IP:" + print_info -en "Dropping ALL packets from IP:" for banned_ip in $BANNED_IP; do - echo -en " $banned_ip" + print_info -en " $banned_ip" $IPTABLES -A INPUT -s $banned_ip -j DROP $IPTABLES -A FORWARD -s $banned_ip -j DROP done - echo " done." + print_info " done." fi } # }}} allow_accept_all() { # {{{ if [ ! -z "$IFACE_ACCEPT_ALL" ]; then - echo -en "Accepting ALL packets on interfaces:" + print_info -en "Accepting ALL packets on interfaces:" for iface in $IFACE_ACCEPT_ALL; do - echo -en " $iface" + print_info -en " $iface" $IPTABLES -A INPUT -i $iface -j ACCEPT $IPTABLES -A FORWARD -i $iface -j ACCEPT $IPTABLES -A OUTPUT -o $iface -j ACCEPT done - echo " done." + print_info " done." fi } # }}} 
@@ -577,53 +592,53 @@ drop_input() { # {{{ if [ ! -z "$NAT_LAN_IFACE" ]; then for client_ip in $NAT_CLIENT_DROP; do - echo -en " !$client_ip"; + print_info -en " !$client_ip"; $IPTABLES -A INPUT -s $client_ip -i $NAT_SUBNET_IFACE -j DROP done fi if [ ! -z "$ALL_DROP_INPUT_TCP" ]; then - echo -en "Drop ALL INPUT TCP connections on ports:" + print_info -en "Drop ALL INPUT TCP connections on ports:" for port in $ALL_DROP_INPUT_TCP; do for iface in $INTERFACES; do - echo -en " $port($iface)" + print_info -en " $port($iface)" $IPTABLES -A INPUT -i $iface -p TCP --dport $port -j DROP done done - echo " done." + print_info " done." fi if [ ! -z "$ALL_DROP_INPUT_UDP" ]; then - echo -en "Drop ALL INPUT UDP connections on ports:" + print_info -en "Drop ALL INPUT UDP connections on ports:" for port in $ALL_DROP_INPUT_UDP; do for iface in $INTERFACES; do - echo -en " $port($iface)" + print_info -en " $port($iface)" $IPTABLES -A INPUT -i $iface -p UDP --dport $port -j DROP done done - echo " done." + print_info " done." fi } # }}} reject_input() { # {{{ if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then - echo -en "Reject ALL INPUT TCP connections on ports:" + print_info -en "Reject ALL INPUT TCP connections on ports:" for port in $ALL_REJECT_INPUT_TCP; do for iface in $INTERFACES; do - echo -en " $port($iface)" + print_info -en " $port($iface)" $IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable done done - echo " done." + print_info " done." fi if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then - echo -en "Reject ALL INPUT UDP connections on ports:" + print_info -en "Reject ALL INPUT UDP connections on ports:" for port in $ALL_REJECT_INPUT_UDP; do for iface in $INTERFACES; do - echo -en " $port($iface)" + print_info -en " $port($iface)" $IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable done done - echo " done." + print_info " done." fi } # }}} 
@@ -631,12 +646,12 @@ allow_input() { # {{{ if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then - echo -en "Accepting ALL INPUT TCP connections on ports:" + print_info -en "Accepting ALL INPUT TCP connections on ports:" for port in $ALL_ACCEPT_INPUT_TCP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` for iface in $INTERFACES; do - echo -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` IPS="IP_$iface"; for ip in ${!IPS}; do if [ -z "$src_ip" ]; then @@ -647,15 +662,15 @@ allow_input() done done done - echo " done." + print_info " done." fi if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then - echo -en "Accepting ALL INPUT UDP connections on ports:" + print_info -en "Accepting ALL INPUT UDP connections on ports:" for port in $ALL_ACCEPT_INPUT_UDP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` for iface in $INTERFACES; do - echo -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` IPS="IP_$iface"; for ip in ${!IPS}; do if [ -z "$src_ip" ]; then @@ -666,7 +681,7 @@ allow_input() done done done - echo " done." + print_info " done." fi for iface in $INTERFACES; do 
@@ -688,40 +703,40 @@ allow_input() ACCEPT_INPUT_UDP="${!accept_input_udp}" if [ ! -z "$REDIRECT_TCP" ]; then - echo -en "$iface: redirecting TCP connections:" + print_info -en "$iface: redirecting TCP connections:" ip="`get_first_ip_addr IP_$iface`"; for redirect in $REDIRECT_TCP; do eval `echo $redirect | \ $AWK -v FS=: ' (NF == 2) { remote_ip = "0.0.0.0/0"; from_port = $1; to_port = $2; } \ (NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` - echo -en " $remote_ip:$from_port->$to_port" + print_info -en " $remote_ip:$from_port->$to_port" $IPTABLES -t nat -A PREROUTING -p TCP -i $iface -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port done - echo " done." + print_info " done." fi if [ ! -z "$REDIRECT_UDP" ]; then - echo -en "$iface: redirecting UDP connections:" + print_info -en "$iface: redirecting UDP connections:" ip="`get_first_ip_addr IP_$iface`"; for redirect in $REDIRECT_UDP; do eval `echo $redirect | \ $AWK -v FS=: ' (NF == 2) { remote_ip = "0.0.0.0/0"; from_port = $1; to_port = $2; } \ (NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` - echo -en " $remote_ip:$from_port->$to_port" + print_info -en " $remote_ip:$from_port->$to_port" $IPTABLES -t nat -A PREROUTING -p UDP -i $iface -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port done - echo " done." + print_info " done." fi # REJECT {{{ if [ ! -z "$REJECT_INPUT_TCP" ]; then - echo -en "$iface: Rejecting INPUT TCP connections on ports:" + print_info -en "$iface: Rejecting INPUT TCP connections on ports:" for port in $REJECT_INPUT_TCP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` - echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port"`[ ! 
-z $src_ip ] && echo "[$src_ip]"` for ip in ${!IPS}; do if [ -z $src_ip ]; then $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable @@ -730,15 +745,15 @@ allow_input() fi done done - echo " done." + print_info " done." fi if [ ! -z "$REJECT_INPUT_UDP" ]; then - echo -en "$iface: Rejecting INPUT UDP connections on ports:" + print_info -en "$iface: Rejecting INPUT UDP connections on ports:" for port in $REJECT_INPUT_UDP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` - echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` for ip in ${!IPS}; do if [ -z $src_ip ]; then $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable @@ -747,17 +762,17 @@ allow_input() fi done done - echo " done." + print_info " done." fi # }}} # ACCEPT {{{ if [ ! -z "$ACCEPT_INPUT_TCP" ]; then - echo -en "$iface: Accepting INPUT TCP connections on ports:" + print_info -en "$iface: Accepting INPUT TCP connections on ports:" for port in $ACCEPT_INPUT_TCP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` - echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` for ip in ${!IPS}; do if [ -z $src_ip ]; then $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT 
@@ -766,15 +781,15 @@ allow_input() fi done done - echo " done." + print_info " done." fi if [ ! -z "$ACCEPT_INPUT_UDP" ]; then - echo -en "$iface: Accepting INPUT UDP connections on ports:" + print_info -en "$iface: Accepting INPUT UDP connections on ports:" for port in $ACCEPT_INPUT_UDP; do src_ip="" eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` - echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` + print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` #$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT #$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT for ip in ${!IPS}; do @@ -785,7 +800,7 @@ allow_input() fi done done - echo " done." + print_info " done." fi # }}} done @@ -793,7 +808,7 @@ allow_input() # Enable outgoing TRACEROUTE requests (required e.g. by Skype, http://www.skype.com) if [ ! -z "$TRACEROUTE_IFACE" ]; then ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; - echo -en "Accepting traceroute:" + print_info -en "Accepting traceroute:" $IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ @@ -803,7 +818,7 @@ allow_input() $IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ --dport $TRACEROUTE_DEST_PORTS -j ACCEPT done - echo " done." + print_info " done." fi } # }}} 
@@ -813,22 +828,22 @@ allow_output() { # {{{ # Povolíme odchozí pakety, které mají naše IP adresy - echo -en "Accepting OUTPUT packets from" + print_info -en "Accepting OUTPUT packets from" for iface in $INTERFACES; do IPS="IP_$iface"; for ip in ${!IPS}; do - echo -en " $ip($iface)" + print_info -en " $ip($iface)" $IPTABLES -A OUTPUT -o $iface -s $ip -j ACCEPT done done; - echo " done."; + print_info " done."; } # }}} allow_icmp() { # {{{ - echo -en "Accepting ICMP packets:" + print_info -en "Accepting ICMP packets:" # Službu AUTH není dobré filtrovat pomocí DROP, protože to může # vést k prodlevám při navazování některých spojení. Proto jej # sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu @@ -836,7 +851,7 @@ allow_icmp() # accept only allowed ICMP packets for type in $ACCEPT_ICMP_PACKETS; do - echo -en " $type" + print_info -en " $type" for iface in $INTERFACES; do IPS="IP_$iface"; for ip in ${!IPS}; do @@ -846,7 +861,7 @@ allow_icmp() done #$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " #$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " - echo " done." + print_info " done." } # }}} @@ -855,7 +870,7 @@ log_input_drop() if [ ! "x$LOGGING" = "xoff" ]; then prefix="input drop: " - echo "Input drop is logged with prefix '$prefix'" + print_info "Input drop is logged with prefix '$prefix'" $IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix" fi @@ -866,7 +881,7 @@ log_output_drop() if [ ! "x$LOGGING" = "xoff" ]; then prefix="output drop: " - echo "Output drop is logged with prefix '$prefix'" + print_info "Output drop is logged with prefix '$prefix'" $IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix" fi @@ -877,7 +892,7 @@ log_forward_drop() if [ ! "x$LOGGING" = "xoff" ]; then prefix="forward drop: " - echo "Forward drop is logged with prefix '$prefix'" + print_info "Forward drop is logged with prefix '$prefix'" $IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix" fi 
@@ -886,14 +901,14 @@ log_forward_drop() configure_special_rules() { # {{{ - echo -en "Loading special rules: " + print_info -en "Loading special rules: " ## ## for DSL from Slovanet (Slovak DSL provider) and DSL modem DLINK DSL-360T you must add following rule for proper ssh connect to your machine ## - # echo -en "slovanet " + # print_info -en "slovanet " # $IPTABLES -t mangle -A OUTPUT -s 0/0 -j DSCP --set-dscp 0 - echo " done."; + print_info " done."; } # }}} @@ -947,16 +962,16 @@ do_ip_accounting() accept_related() { # {{{ - echo -en "Accepting ESTABLISHED, RELATED packets for IP:" + print_info -en "Accepting ESTABLISHED, RELATED packets for IP:" for iface in $INTERFACES; do IPS="IP_$iface"; for ip in ${!IPS}; do - echo -en " $ip($iface)" + print_info -en " $ip($iface)" done $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT done - echo " done." + print_info " done." } # }}} @@ -964,10 +979,10 @@ accept_loopback() { # {{{ # Loopback není radno omezovat - echo -en "Accepting loopback:" + print_info -en "Accepting loopback:" $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT $IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT - echo " done." + print_info " done." } # }}} @@ -977,7 +992,7 @@ add_banned_ip() TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 if [ -z "$*" ]; then - echo "Reading banned IP's from STDIN:" + print_info "Reading banned IP's from STDIN:" cat >> $TMPFILE else for IP in $*; do 
@@ -994,13 +1009,12 @@ deploy_block() echo "Usage: $0 deploy-block IP1/netmask1 IP2/netmask2 ..." exit 1; fi - echo "Deploying to local rules ..." + print_info "Deploying to local rules ..." add_banned_ip $* # start the some script twice to refresh rules (new blocked IP's) $0 start TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 - echo TMPFILE=$TMPFILE for i in $*; do echo $i >> $TMPFILE; done @@ -1011,7 +1025,7 @@ deploy_block() continue ;; esac - echo "Deploying to $conn ..."; + print_info "Deploying to $conn ..."; cat $TMPFILE | ssh -i $keyfile $conn $0 block done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list rm -f $TMPFILE @@ -1152,7 +1166,7 @@ INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL case "$1" in start) - echo -n "Starting $DESC: " + print_info -n "Starting $DESC: " # Inicialize modules #$DEPMOD -a load_modules @@ -1190,7 +1204,7 @@ case "$1" in ;; stop) - echo -n "Stopping $DESC: " + print_info -n "Stopping $DESC: " set_default_policy remove_chains unload_modules @@ -1199,7 +1213,7 @@ case "$1" in ;; really-off) - echo -n "Stopping $DESC: removing ALL rules, all packets are dropped !!" + print_info -n "Stopping $DESC: removing ALL rules, all packets are dropped !!" set_default_policy remove_chains unload_modules
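Review bot: In the `really-off` branch, `print_info -n "Stopping $DESC: removing ALL rules, all packets are dropped !!"` turns an operator warning into a message that `QUIET=yes` silences, so the host can be switched to drop-everything without any visible notice. That line should stay unconditional and go to stderr, which the quiet switch does not touch: `echo -n "Stopping $DESC: removing ALL rules, all packets are dropped !!" >&2`. The `start` and `stop` banners in the two preceding hunks are less critical, but the same reasoning suggests keeping state-changing notices out of the suppressible path.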