
File: [Platon] / scripts / shell / firewall / configure-fw-universal.sh (download)

Revision 1.2, Tue Nov 1 18:09:33 2005 UTC (18 years, 5 months ago) by rajo


Changes since 1.1: +146 -25 lines

Configure next variables.

#!/bin/sh

#
# configure-fw-universal.sh - IPtables rules configurator
#                             create configuration file for fw-universal
#
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk>
# Copyright (c) 2005 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# Changelog:
# 2005-11-01 - created
#

# $Platon: scripts/shell/firewall/configure-fw-universal.sh,v 1.1 2005/11/01 02:16:56 rajo Exp $

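DESC="firewall"
TITLE="Firewall configurator"
# Fixed, system-only search path: the tools called below (dialog, hostname,
# uname, tempfile/mktemp, ...) are resolved from these directories and not
# from whatever PATH the caller happened to have.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# The first argument is the configuration file to (re)write; the usage
# message is a diagnostic and therefore goes to stderr.
if [ $# -lt 1 ]; then
    echo "Usage: $0 <config_file_to_edit>" >&2
    exit 1
fi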

EDIT_CONFIG=$1

# Unless the caller points DEFAULT_FIREWALL_CONFIG elsewhere, the file being
# edited is also the one read back, so its current values pre-fill the
# prompts below.
: "${DEFAULT_FIREWALL_CONFIG:=$EDIT_CONFIG}"
: "${DEFAULT_CACHE_DIR:=/var/cache/firewall}"

# NOTE: the configuration file is plain shell and is sourced here, i.e. its
# content is executed in this shell with the caller's privileges (the
# generated header says fw-universal.sh reads it too, presumably the same
# way). Whoever can write that file can run code through it, so keep it
# owned by and writable only by the administrator.
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then
    echo "Reading config file $DEFAULT_FIREWALL_CONFIG"
    . "$DEFAULT_FIREWALL_CONFIG"
fi

#
# Default configuration values:
# # {{{

# Every setting below keeps a value already present (from the environment or
# the sourced config file) and only fills in the default when it is empty.
: "${DEFAULT_POLICY:=DROP}"

# kernel modules: which ones to load, and whether to load/remove them at all
: "${MODULES:=}"
: "${MODULES_LOADING:=yes}"
: "${MODULES_REMOVING:=no}"

# rate-limited LOG target used for logging rules
: "${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}"

# Paths to the tools; $DEBUG (e.g. "echo ") can be put in front of the
# iptables binaries to only print the rules.
#IPTABLES=":" # for testing only - does nothing
: "${IPTABLES:=$DEBUG/sbin/iptables}"
: "${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}"
: "${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}"

# LOGGING=off replaces the logging command by a no-op
case "$LOGGING" in
    off)
        IPTABLES_LOG=": log turned off"
        ;;
    *)
        : "${IPTABLES_LOG:=$DEBUG/sbin/iptables}"
        ;;
esac

: "${IFCONFIG:=/sbin/ifconfig}"
: "${DEPMOD:=/sbin/depmod}"
: "${MODPROBE:=/sbin/modprobe}"
: "${RMMOD:=/sbin/rmmod}"
: "${AWK:=/usr/bin/awk}"

# loopback interface and the name of the variable holding its address
: "${LO_IFACE:=lo}"
LO_IP="IP_$LO_IFACE"

#
# CONSTANTS - Do not edit
#
ANYWHERE="0.0.0.0/0"                # Match any IP address
BROADCAST_SRC="0.0.0.0"             # Broadcast Source Address
BROADCAST_DEST="255.255.255.255"    # Broadcast Destination Address
CLASS_A="10.0.0.0/8"                # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"             # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"            # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4"     # Class-D Multicast Addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"  # Class-E Reserved Addresses
PRIVPORTS="0:1023"                  # Well-Known, Privileged Port Range
UNPRIVPORTS="1024:65535"            # Unprivileged Port Range
TRACEROUTE_SRC_PORTS="32769:65535"  # Traceroute Source Ports
TRACEROUTE_DEST_PORTS="33434:33523" # Traceroute Destination Ports

# ICMP types accepted by default - needed for ping, path MTU etc.
: "${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}"

# }}}

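#
# save_config - write the complete fw-universal configuration to $EDIT_CONFIG
#
# Uses the prompted variables (DEFAULT_POLICY, ANTISPOOF_IFACE,
# TRACEROUTE_IFACE, BANNED_IP, IFACE_ACCEPT_ALL) and the path/default
# variables set at the top of this script.  The file is overwritten, not
# merged: everything in the MAIN section after the prompted values is a
# fixed template and is written out as-is on every run, so hand edits to
# those settings in an existing file are lost.  The result is a shell
# script that gets sourced (see the start of this script), so it should
# stay writable by the administrator only.
#
save_config()
{ # {{{
# header {{{
cat > "$EDIT_CONFIG" <<HEAD
#!/bin/sh

# $EDIT_CONFIG

# Configuration file for fw-universal.sh created by $0
# Hostname: `hostname --fqdn`
# Kernel:   `uname -a`
# Date:     `date -R`

HEAD
# }}}
# default values {{{
# IPTABLES is written as "\$DEBUG" followed by the bare binary path.  When
# the sourced config had DEBUG uncommented, $IPTABLES already starts with
# that prefix, so it is stripped first; otherwise the file would contain
# "$DEBUGecho /sbin/iptables" (assumes DEBUG holds no glob characters).
cat >> "$EDIT_CONFIG" <<DEFAULT
# uncomment next line for debugging
#DEBUG="echo "

DEFAULT_POLICY="$DEFAULT_POLICY"

# which modules to load
MODULES="$MODULES"

# Turn on and turn off logging via syslog
# Default: on
LOGGING="$LOGGING"
LOG_LIMIT="$LOG_LIMIT"

# Paths:
IPTABLES="\$DEBUG${IPTABLES#$DEBUG}"
#IPTABLES=":" # for testing only - does nothing
IFCONFIG="$IFCONFIG"
DEPMOD="$DEPMOD"
MODPROBE="$MODPROBE"
RMMOD="$RMMOD"
AWK="$AWK"

# loopback interface
LO_IFACE="\${LO_IFACE:=lo}"

DEFAULT
# }}}
# main section {{{
# IFACE_ACCEPT_ALL is taken from the prompt; the former literal
# "lo tun+ tap+" stays as the fallback when nothing was entered.
# $eth0_ACCEPT_INPUT_TCP in the port-forward comment is escaped so the
# variable *name* ends up in the file, not its (usually empty) value.
cat >> "$EDIT_CONFIG" <<MAIN
# Antispoof filter
ANTISPOOF_IFACE="$ANTISPOOF_IFACE"

# Allow traceroute from interfaces
TRACEROUTE_IFACE="$TRACEROUTE_IFACE"

# banned IP addresses - packets from this hosts are DROPPED
BANNED_IP="$BANNED_IP"

# accept all packetes on these interfaces
# DO NOT ADD eth0 device here !!!
IFACE_ACCEPT_ALL="${IFACE_ACCEPT_ALL:-lo tun+ tap+}"

# Which ports will be allowed on INPUT (TCP connections)
ALL_ACCEPT_INPUT_TCP="22"
ALL_ACCEPT_INPUT_UDP="68" # dhcpclient
# interface eth0
eth0_ACCEPT_INPUT_TCP="123 137 138 139 631 80 443 3128 2220"
# interface eth1
eth1_ACCEPT_INPUT_TCP="80 6000"
# interface ppp0
ppp0_ACCEPT_INPUT_TCP=""

# Which ports will be allowed on INPUT (UDP connections)
# interface eth0
eth0_ACCEPT_INPUT_UDP="123 137 138 139 513 631"
# interface ppp0
ppp0_ACCEPT_INPUT_UDP=""

# Package dropping
#eth0_DROP_OUTPUT_TCP="123 137 138 139 445 631"
#eth0_DROP_OUTPUT_UDP="123 137 138 139 445 631"
#eth1_DROP_OUTPUT_TCP=""
#eth1_DROP_OUTPUT_UDP=""

#
# NAT configuration
#

# eth0 connected to internet
#NAT_LAN_IFACE="eth0"
# eth1 connected to local subnet
#NAT_SUBNET_IFACE="eth1"

# logging must be turned on, see LOGGING="on"
NAT_LOG_NEW_CONNECTIONS="no"

#
# Forward configuration
#
# don't forward Miscrosoft protocols - NOT RFC compliant packets (packets in NEW state withouth SYN flag)
NAT_FORWARD_MICROSOFT="no"
# redirect all outgoing connections to SMTP port 25 to local server (simple virus/antispam protection)
# redirect all outgoing HTTP connection to transparent proxy server (squid)
NAT_TCP_PORT_REDIRECT="25:25 80:3128 8080:3128 1080:3128 3128:3128"

# forward port 2220 from your firewall/router to local machine port 22 (ssh)
# you must accept port 2220 in \$eth0_ACCEPT_INPUT_TCP
NAT_TCP_PORT_FORWARD="2220:192.168.0.100:22"

# NAT only "secure" ports
NAT_FORWARD_TCP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"
NAT_FORWARD_UDP_PORTS="20 21 22 23 53 113 123 143 194 220 873 992 993 994 995 1241 2401 3306 3690 5190 5432 6000"

#
# Deny NAT for clients with this IP
#
#NAT_CLIENT_DROP="192.168.0.120" # ugly bad boys in your LAN

#
# ICMP configuration
#
# (4) Source Quench            - Incoming & outgoing requests to slow down (flow control)
# (12) Parameter Problem    - Incoming & outgoing error messages
# (3) Destination Unreachable, Service Unavailable
#                             - Incoming & outgoing size negotiation, service or
#                              destination unavailability, final traceroute response
# (11) Time Exceeded        - Incoming & outgoing timeout conditions, also intermediate TTL response to traceroutes
# (0 | 8) Allow OUTPUT pings to anywhere

# default: echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed
ACCEPT_ICMP_PACKETS="echo-reply destination-unreachable echo-request time-exceeded fragmentation-needed"

MAIN
# }}}
# footer {{{
cat >> "$EDIT_CONFIG" <<FOOT

#
# END of config file
#

# vim600: fdm=marker fdl=0 fdc=3

FOOT
# }}}
} # }}}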

# handle user input {{{
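# Both strings are meant to be run with `eval $start_user_input` before and
# `eval $end_user_input` after a dialog(1) call that writes its answer to
# $tempfile (via 2> "$tempfile"); $varname must hold the name of the
# variable to set.  Because they are eval'ed unquoted, every statement ends
# with ";" and the strings contain no "#" comments.
#
# The temporary file is created once and reused by every prompt, so the one
# trap on EXIT/HUP/INT/TRAP/TERM removes it.  Creating a fresh file per
# prompt would replace that trap each time and leave the earlier files
# behind.  mktemp is tried first, then Debian's tempfile; the last-resort
# name under /tmp is predictable and is only reached when neither exists.
start_user_input='if [ -z "$tempfile" ]; then tempfile=`mktemp 2> /dev/null` || tempfile=`tempfile 2> /dev/null` || tempfile=/tmp/configure-fw-universal-$$; trap "rm -f $tempfile" 0 1 2 5 15; fi; '

# Run immediately after dialog: $? is dialog's exit status (0 = OK,
# 1 = Cancel, 255 = ESC).  On OK the answer is assigned through a variable
# reference ($choice) rather than by splicing the file content into the
# eval'ed text, so quotes, backticks or $(...) typed into the inputbox
# become part of the value instead of being executed.  ESC leaves the
# variable unchanged; Cancel ends the script.
end_user_input='
retval=$?;
choice=`cat "$tempfile"`;
case $retval in
    0)
    echo "\"$choice\" chosen for variable $varname.";
    eval "$varname=\"\$choice\"";
    ;;
    1)
    echo "Cancel pressed.";
    exit 1;
    ;;
    255)
    echo "ESC pressed.";
    ;;
esac; '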
# }}}

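# size of every dialog box (rows x columns)
dialog_width=50
dialog_height=15

# DEFAULT_POLICY {{{
varname=DEFAULT_POLICY
eval $start_user_input
conf_title="Default IPtables policy"
# preselect the radio item matching the current value; anything other than
# ACCEPT (including an unset variable) shows DROP as selected
if [ "x$DEFAULT_POLICY" = "xACCEPT" ]; then
    DEFAULT_POLICY_drop=off
    DEFAULT_POLICY_accept=on
else
    DEFAULT_POLICY_drop=on
    DEFAULT_POLICY_accept=off
fi

# radiolist with 2 visible items; the chosen tag is written to stderr,
# i.e. into the temporary file read by end_user_input
dialog --clear --title "$TITLE" --radiolist -- "$varname\n\n$conf_title" "$dialog_height" "$dialog_width" 2 \
    DROP "for secure firewall" "$DEFAULT_POLICY_drop" \
    ACCEPT "only IYKWYAD" "$DEFAULT_POLICY_accept" 2> "$tempfile"

eval $end_user_input
# }}}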

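#
# ask_input - edit one free-text variable with a dialog inputbox
#
# $1 - name of the variable to edit, $2 - help text shown under the name.
# Reads TITLE, dialog_height, dialog_width, start_user_input and
# end_user_input; sets varname, conf_title, tempfile and the variable named
# by $1.  Exits the script when Cancel is pressed (see end_user_input).
#
# The current value is fetched with a POSIX eval instead of bash's
# "${!varname}", which the #!/bin/sh shebang does not guarantee (dash
# rejects it as a bad substitution).  $varname is always a fixed identifier
# from this script, never user input.
#
ask_input()
{ # {{{
    varname="$1"
    conf_title="$2"
    eval $start_user_input
    eval "conf_current=\$$varname"

    dialog --clear --title "$TITLE" --inputbox -- "$varname\n\n$conf_title" \
        "$dialog_height" "$dialog_width" "$conf_current" 2> "$tempfile"

    eval $end_user_input
} # }}}

ask_input ANTISPOOF_IFACE "Interface protected to spoofing. Do NOT add LAN interface here. If you are directly connected to internet, type 'eth0'"

ask_input TRACEROUTE_IFACE "Usefull with NAT and for power users. Keep empty or type 'eth1'"

ask_input BANNED_IP "Banned IP addresses - packets from this hosts are DROPPED. Multiple items in form 146.48.97.0/24 are allowed"

ask_input IFACE_ACCEPT_ALL "ALL packets from these interfaces are accepted. Add only 'lo' interface here. If you know, what you are doing and do you have VPN interfaces, add 'tun+' and 'tap+' interfaces too."

#
# Now save config file
#
save_config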

# vim600: fdm=marker fdl=0 fdc=3

