verzia 2.88, 2012/02/11 18:59:55 |
verzia 2.92, 2012/10/30 16:08:52 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.87 2012-02-10 23:01:58 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.91 2012-02-14 22:52:12 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 76 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
Riadok 76 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
|
IPTABLES_TABLES="${IPTABLES_TABLES:=filter nat mangle}" |
|
|
|
|
if [ "x$LOGGING" = "xoff" ]; then |
if [ "x$LOGGING" = "xoff" ]; then |
IPTABLES_LOG=": log turned off" |
IPTABLES_LOG=": log turned off" |
else |
else |
Riadok 285 remove_chains() |
|
Riadok 288 remove_chains() |
|
$IPTABLES --flush spoof |
$IPTABLES --flush spoof |
# TODO!!! |
# TODO!!! |
else |
else |
for table in filter nat mangle; do |
for table in $IPTABLES_TABLES; do |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -F # clear all chains |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES -t $table -Z # zero counts |
$IPTABLES -t $table -Z # zero counts |
Riadok 347 invalid_packet_filter() |
|
Riadok 350 invalid_packet_filter() |
|
print_info -ne " XEN_MODE "; |
print_info -ne " XEN_MODE "; |
continue; |
continue; |
fi |
fi |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m conntrack --ctstate INVALID $LOG_LIMIT "INVALID $chain: " |
print_info -en "." |
print_info -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m conntrack --ctstate INVALID -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
|
|
|
|
$IPTABLES -A INPUT -i $riface -p TCP --syn -j syn-flood |
$IPTABLES -A INPUT -i $riface -p TCP --syn -j syn-flood |
|
|
# packet is marked az NEW, but doesn't have SYN flag - drop it |
# packet is marked az NEW, but doesn't have SYN flag - drop it |
$IPTABLES -A INPUT -i $riface -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A INPUT -i $riface -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
done |
done |
|
|
|
|
|
|
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
-i $NAT_SUBNET_IFACE \ |
--dport $remote_port -j REDIRECT --to-port $local_port |
--dport $remote_port -j REDIRECT --to-port $local_port |
done |
done |
for redirect in $NAT_UDP_PORT_REDIRECT; do |
for redirect in $NAT_UDP_PORT_REDIRECT; do |
|
|
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A FORWARD -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
|
|
for port in 67 68 69 135 445 1434 6667; do |
for port in 67 68 69 135 445 1434 6667; do |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
|
|
print_info -en "\tAccepting FORWARD TCP ports:" |
print_info -en "\tAccepting FORWARD TCP ports:" |
for port in $NAT_FORWARD_TCP_PORTS; do |
for port in $NAT_FORWARD_TCP_PORTS; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting FORWARD UDP ports:" |
print_info -en "\tAccepting FORWARD UDP ports:" |
for port in $NAT_FORWARD_UDP_PORTS; do |
for port in $NAT_FORWARD_UDP_PORTS; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p UDP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting FORWARD TCP hosts:" |
print_info -en "\tAccepting FORWARD TCP hosts:" |
for host in $NAT_FORWARD_TCP_HOSTS; do |
for host in $NAT_FORWARD_TCP_HOSTS; do |
print_info -en " $host" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p TCP -d $host -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting FORWARD UDP hosts:" |
print_info -en "\tAccepting FORWARD UDP hosts:" |
for host in $NAT_FORWARD_UDP_HOSTS; do |
for host in $NAT_FORWARD_UDP_HOSTS; do |
print_info -en " $host" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p UDP -d $host -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p UDP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting FORWARD TCP clients:" |
print_info -en "\tAccepting FORWARD TCP clients:" |
for client in $NAT_FORWARD_TCP_CLIENTS; do |
for client in $NAT_FORWARD_TCP_CLIENTS; do |
print_info -en " $client" |
print_info -en " $client" |
$IPTABLES -A FORWARD -p TCP -s $client -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -s $client -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting FORWARD UDP clients:" |
print_info -en "\tAccepting FORWARD UDP clients:" |
for client in $NAT_FORWARD_UDP_CLIENTS; do |
for client in $NAT_FORWARD_UDP_CLIENTS; do |
print_info -en " $client" |
print_info -en " $client" |
$IPTABLES -A FORWARD -p UDP -s $client -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p UDP -s $client -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
fi |
fi |
|
|
# Keep state of connections from private subnets |
# Keep state of connections from private subnets |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
|
# hide NAT clients behind firewall: - set TTL |
# hide NAT clients behind firewall: - set TTL |
# XXX: warning: this breaks traceroute !!! |
# XXX: warning: this breaks traceroute !!! |
Riadok 654 log_new_connections() |
|
Riadok 657 log_new_connections() |
|
fi |
fi |
print_info -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
print_info -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
$IPTABLES_LOG -A INPUT -m state --state NEW -p $proto -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A INPUT -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -p $proto -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A OUTPUT -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A FORWARD -m state --state NEW -p $proto -j LOG --log-prefix "FWD connection: " |
$IPTABLES_LOG -A FORWARD -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "FWD connection: " |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1365 accept_related() |
|
Riadok 1368 accept_related() |
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Accepting ESTABLISHED, RELATED packets ..." |
print_info -en "Accepting ESTABLISHED, RELATED packets ..." |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
print_info " done." |
print_info " done." |
|
|
} # }}} |
} # }}} |
Riadok 1454 shaping_status() |
|
Riadok 1457 shaping_status() |
|
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' ` - ${SSH_CLIENT:=local}" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%Y-%m-%d %X' `" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
Riadok 1467 add_banned_ip() |
|
Riadok 1470 add_banned_ip() |
|
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
rm -f $TMPFILE |
rm -f $TMPFILE |
|
# start with new firewalling rules |
|
$0 start |
} # }}} |
} # }}} |
|
|
deploy_block() |
deploy_block() |
Riadok 1486 deploy_block() |
|
Riadok 1491 deploy_block() |
|
done |
done |
while read conn keyfile |
while read conn keyfile |
do |
do |
case "$conn" in |
case "$conn" in |
""|\#*) |
""|\#*) |
continue |
continue |
;; |
;; |
esac |
esac |
print_info "Deploying to $conn ..."; |
print_info "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" |
cat $TMPFILE | ssh -i $keyfile $conn $0 remote |
print_info "Deploying to $conn ..."; |
|
cat $TMPFILE | ssh -i $keyfile $conn $0 remote |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
rm -f $TMPFILE |
rm -f $TMPFILE |
} # }}} |
} # }}} |
Riadok 1521 deploy_update() |
|
Riadok 1527 deploy_update() |
|
continue |
continue |
;; |
;; |
esac |
esac |
print_info "Updating $conn ..."; |
|
echo "update" | ssh -i $keyfile $conn $0 remote |
print_info "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" |
|
print_info "Updating $conn ..."; |
|
echo "update" | ssh -i $keyfile $conn $0 remote |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
} # }}} |
} # }}} |
|
|
|
|
add_banned_ip $par |
add_banned_ip $par |
;; |
;; |
update) |
update) |
echo "Updating..." |
echo "Updating firewall scripts..." |
update |
update |
;; |
;; |
""|\#*) |
""|\#*) |