verzia 2.85, 2011/12/03 19:28:30 |
verzia 2.89, 2012/02/11 19:06:20 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.84 2011-11-18 23:58:33 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.88 2012-02-11 18:59:55 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 76 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
Riadok 76 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
|
IPTABLES_TABLES="${IPTABLES_TABLES:=filter nat mangle}" |
|
|
|
|
if [ "x$LOGGING" = "xoff" ]; then |
if [ "x$LOGGING" = "xoff" ]; then |
IPTABLES_LOG=": log turned off" |
IPTABLES_LOG=": log turned off" |
else |
else |
Riadok 91 PERL="${PERL:=/usr/bin/perl}" |
|
Riadok 94 PERL="${PERL:=/usr/bin/perl}" |
|
# shaping |
# shaping |
TC="${TC:=/sbin/tc}" |
TC="${TC:=/sbin/tc}" |
|
|
|
# update script |
|
UPDATE_SCRIPT="${UPDATE_SCRIPT:=update_from_cvs}" |
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
# Hide NAT clients behind firewall |
# Hide NAT clients behind firewall |
Riadok 282 remove_chains() |
|
Riadok 288 remove_chains() |
|
$IPTABLES --flush spoof |
$IPTABLES --flush spoof |
# TODO!!! |
# TODO!!! |
else |
else |
for table in filter nat mangle; do |
for table in $IPTABLES_TABLES; do |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES -t $table -Z # zero counts |
$IPTABLES -t $table -Z # zero counts |
Riadok 831 reject_input() |
|
Riadok 837 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
for port in $ALL_REJECT_INPUT_TCP; do |
for port in $ALL_REJECT_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 841 reject_input() |
|
Riadok 854 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
for port in $ALL_REJECT_INPUT_UDP; do |
for port in $ALL_REJECT_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 851 reject_input() |
|
Riadok 871 reject_input() |
|
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
for port in $REAL_REJECT_INPUT_TCP; do |
for port in $REAL_REJECT_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
for port in $REAL_REJECT_INPUT_UDP; do |
for port in $REAL_REJECT_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 1072 allow_input() |
|
Riadok 1106 allow_input() |
|
# ACCEPT {{{ |
# ACCEPT {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
|
counter=0; |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
Riadok 1079 allow_input() |
|
Riadok 1114 allow_input() |
|
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1425 add_banned_ip() |
|
Riadok 1461 add_banned_ip() |
|
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
print_info "Reading banned IP's from STDIN:" |
#print_info "Reading banned IP's from STDIN:" |
cat >> $TMPFILE |
cat >> $TMPFILE |
else |
else |
for IP in $*; do |
for IP in $*; do |
Riadok 1444 deploy_block() |
|
Riadok 1480 deploy_block() |
|
fi |
fi |
print_info "Deploying to local rules ..." |
print_info "Deploying to local rules ..." |
add_banned_ip $* |
add_banned_ip $* |
# start the some script twice to refresh rules (new blocked IP's) |
# start the same script twice to refresh rules (new blocked IP's) |
QUIET=yes $0 start |
QUIET=yes $0 start |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
for i in $*; do |
for i in $*; do |
echo $i >> $TMPFILE; |
echo "block $i" >> $TMPFILE; |
done |
done |
while read conn keyfile |
while read conn keyfile |
do |
do |
Riadok 1459 deploy_block() |
|
Riadok 1495 deploy_block() |
|
;; |
;; |
esac |
esac |
print_info "Deploying to $conn ..."; |
print_info "Deploying to $conn ..."; |
cat $TMPFILE | ssh -i $keyfile $conn $0 block |
cat $TMPFILE | ssh -i $keyfile $conn $0 remote |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
rm -f $TMPFILE |
rm -f $TMPFILE |
} # }}} |
} # }}} |
|
|
|
update_from_cvs() |
|
{ # {{{ |
|
cd /etc/firewall && cvs up -d |
|
} # }}} |
|
|
|
update() |
|
{ # {{{ |
|
$UPDATE_SCRIPT |
|
} # }}} |
|
|
|
deploy_update() |
|
{ # {{{ |
|
print_info "Updating local firewall ..." |
|
$0 update |
|
|
|
# start the same script twice to refresh rules (updated scripts and configs) |
|
QUIET=yes $0 start |
|
while read conn keyfile |
|
do |
|
case "$conn" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
print_info "Updating $conn ..."; |
|
echo "update" | ssh -i $keyfile $conn $0 remote |
|
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
|
} # }}} |
|
|
|
remote() |
|
{ # {{{ |
|
while read comnd par |
|
do |
|
case "$comnd" in |
|
block) |
|
echo "Blocking '$par'..." |
|
add_banned_ip $par |
|
;; |
|
update) |
|
echo "Updating..." |
|
update |
|
;; |
|
""|\#*) |
|
echo "Line '$comnd $par' ignored" |
|
continue |
|
;; |
|
esac |
|
done |
|
} # }}} |
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
|
|
# start the some script twice to refresh rules (new blocked IP's) |
# start the some script twice to refresh rules (new blocked IP's) |
QUIET=yes $0 start; |
QUIET=yes $0 start; |
;; |
;; |
|
update) |
|
update; |
|
;; |
deploy-block) |
deploy-block) |
shift; |
shift; |
deploy_block $*; |
deploy_block $*; |
;; |
;; |
|
deploy-update) |
|
deploy_update; |
|
;; |
|
remote) |
|
remote; |
|
;; |
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |
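Review bot: The `block)` arm of the new remote() hands `$par` to add_banned_ip unquoted and without checking that it looks like an address, yet remote is the stdin-driven entry point that deploy_block and deploy_update reach over `ssh -i $keyfile $conn $0 remote`, so whatever the peer sends is word-split, glob-expanded and written into the ban list that later feeds iptables. A minimal guard before the call would be `case "$par" in ""|*[!0-9./]*) echo "Ignoring invalid address '$par'" >&2; continue ;; esac` followed by `add_banned_ip "$par"`. The case statement also has no `*)` arm, so an unrecognized command is dropped silently while blank and comment lines are reported; `*) echo "Unknown command '$comnd'" >&2 ;;` would make the two consistent. The same unvalidated words reach add_banned_ip locally from deploy_block's `echo "block $i"` loop, so the check belongs in add_banned_ip itself if it is not already there — its body is only partly visible in this diff.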