version 2.108, 2016/02/26 03:11:01 |
version 2.119, 2019/02/14 07:41:47 |
|
|
# Provides: firewall |
# Provides: firewall |
# Required-Start: $network |
# Required-Start: $network |
# Required-Stop: $remote_fs |
# Required-Stop: $remote_fs |
# Default-Start: S |
# Default-Start: 2 3 4 5 |
# Default-Stop: 0 6 |
# Default-Stop: 0 6 |
# Short-Description: Starts firewall |
# Short-Description: Starts firewall |
# Description: Handle universal firewall script by Platon Group |
# Description: Handle universal firewall script by Platon Group |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
# Author: Lubomir Host <rajo@platon.sk> |
# Author: Lubomir Host <rajo@platon.sk> |
# Copyright: (c) 2003-2011 Platon Group |
# Copyright: (c) 2003-2018 Platon Group |
### END INIT INFO |
### END INIT INFO |
|
|
# |
# |
|
|
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Copyright (c) 2003-2018 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.107 2016/02/26 02:53:42 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.118 2018/12/10 11:46:12 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
# 2011-07-20 - implemented XEN_MODE |
# 2011-07-20 - implemented XEN_MODE |
|
# 2018-03-01 - fixed Default-Start for SystemD on Stretch (nepto) |
# |
# |
|
|
|
|
Line 42 DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:= |
|
Line 43 DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:= |
|
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
|
|
# quiet output? {{{ |
# quiet output? {{{ |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
if [ "x$QUIET" = "xyes" ]; then |
print_info() |
print_info() |
{ |
{ |
echo -n "" |
echo -n "" |
|
|
fi |
fi |
# }}} |
# }}} |
|
|
|
# Define function which can be used in config file |
|
# Usage: |
|
# load_subnets eth0_ACCEPT_INPUT_TCP Slovakia.txt 22 |
|
load_subnets() |
|
{ # {{{ |
|
cfgvar="$1"; |
|
cfgfile="$2"; |
|
port="$3"; |
|
|
|
print_info "LOAD_SUBNETS: $*"; |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
print_info "LOAD_SUBNETS: config file not found: $cfgfile"; |
|
return 1 |
|
fi fi |
|
LOADED_CONFIG_FILES="$LOADED_CONFIG_FILES $cfgfound"; |
|
|
|
print_info "LOAD_SUBNETS: found $cfgfile: $cfgfound"; |
|
print_info "LOAD_SUBNETS: mapping $cfgfile to $cfgvar, port $port" |
|
|
|
lines=0; |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
eval "$cfgvar=\"\$$cfgvar $subnet:$port\""; |
|
lines=$(($lines + 1)); |
|
done < $cfgfound |
|
print_info "LOAD_SUBNETS: $lines subnets loaded from $cfgfile" |
|
} # }}} |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
print_info "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_FIREWALL_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
|
|
|
|
config=""; |
config=""; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG\" `"; |
fi |
fi |
if [ -r "$0" ]; then |
if [ -r "$0" ]; then |
config="$config ` cat \"$0\" `"; |
config="$config ` md5sum \"$0\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
fi |
fi |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
config="$config ` md5sum \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
fi |
fi |
|
for lc in $LOADED_CONFIG_FILES; do |
|
echo "CHECKSUM $lc"; |
|
config="$config ` md5sum \"$lc\" `"; |
|
done |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
|
|
print_info " done." |
print_info " done." |
fi |
fi |
done |
done |
|
} # }}} |
|
|
|
do_ban_single_ip() |
|
{ # {{{ |
|
if [ -z "$1" ]; then |
|
print_info "do_ban_single_ip(): empty banned_ip"; |
|
return; |
|
fi |
|
for banned_ip in $*; do |
|
# This does immediate connection termination, but it must be inserted |
|
# and thus not appended into chain, otherwise connection will still |
|
# remain alive. Former forward chain rule was removed as unneccessary. |
|
# -- Nepto [2018-08-23] |
|
# -- Plantroon [2018-12-10] |
|
$IPTABLES -I INPUT -s $banned_ip -j DROP; |
|
done |
} # }}} |
} # }}} |
|
|
bann_ip_adresses() |
bann_ip_adresses() |
Line 734 bann_ip_adresses() |
|
Line 791 bann_ip_adresses() |
|
if [ ! -z "$BANNED_IP" ]; then |
if [ ! -z "$BANNED_IP" ]; then |
print_info -en "Dropping ALL packets from IP:" |
print_info -en "Dropping ALL packets from IP:" |
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip"; |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
do_ban_single_ip "$banned_ip"; |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Line 765 allow_accept_all() |
|
Line 816 allow_accept_all() |
|
fi |
fi |
} # }}} |
} # }}} |
|
|
|
allow_accept_vrrp() |
|
{ # {{{ |
|
if [ ! -z "$IFACE_ACCEPT_VRRP" ]; then |
|
print_info -en "Accepting VRRP packets on interfaces:" |
|
for iface in $IFACE_ACCEPT_VRRP; do |
|
print_info -en " $iface" |
|
$IPTABLES -A INPUT -i $iface -d 224.0.0.18/32 -p vrrp -j ACCEPT; |
|
$IPTABLES -A OUTPUT -i $iface -d 224.0.0.18/32 -p vrrp -j ACCEPT; |
|
done |
|
print_info " done." |
|
fi |
|
} # }}} |
|
|
drop_input() |
drop_input() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# We are using REAL_INTERFACES instead of INTERFACES here, because we want |
# We are using INTERFACES + lo instead of INTERFACES here, because we want |
# to do redirects for "lo" interface as well. However for "lo" it is done |
# to do redirects for "lo" interface as well. However for "lo" it is done |
# quite differently. See http://ix.sk/0WY2j for more information on this. |
# quite differently. See http://ix.sk/0WY2j for more information on this. |
# -- Nepto [2015-10-19] |
# -- Nepto [2015-10-19] |
for iface in $REAL_INTERFACES; do |
for iface in lo $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
|
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
# UDP *must* go before TCP |
|
# |
|
# Reason: we need to have working DNS resolving, which works over |
|
# port 53/UDP. Resolving is required for those rules, which use |
|
# hostname instead of IP address, for example cvs.platon.sk:2401. |
|
|
# TCP |
# UDP |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
for port in $ACCEPT_OUTPUT_TCP; do |
for port in $ACCEPT_OUTPUT_UDP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# UDP |
# TCP |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
for port in $ACCEPT_OUTPUT_UDP; do |
for port in $ACCEPT_OUTPUT_TCP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
Line 1569 shaping_status() |
|
Line 1638 shaping_status() |
|
|
|
# }}} |
# }}} |
|
|
|
check_banned_ip() |
|
{ # {{{ |
|
output="`grep \"$1\" $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf`"; |
|
if [ "$?" -eq 0 -a -n "$output" ]; then |
|
return 0; |
|
fi |
|
return 1; |
|
} # }}} |
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' `" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%F %T'`" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
Line 1584 add_banned_ip() |
|
Line 1662 add_banned_ip() |
|
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
rm -f $TMPFILE |
rm -f $TMPFILE |
# start with new firewalling rules |
|
$0 start |
|
} # }}} |
} # }}} |
|
|
deploy_block() |
deploy_block() |
|
|
done |
done |
} # }}} |
} # }}} |
|
|
map_subnet() |
|
{ # {{{ |
|
cfgvar=$1 |
|
cfgfile=$2 |
|
port=$3 |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
"Config file '$cfgfile' not found" |
|
exit 1 |
|
fi |
|
fi |
|
|
|
echo "Mapping $cfgfound map file to $cfgvar, port $port" |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
echo "$cfgvar=\"\$$cfgvar $subnet:$port\"" >> "$DEFAULT_FIREWALL_CONFIG_DIR/$cfgfile" |
|
done < $cfgfound |
|
|
|
} # }}} |
|
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
|
|
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
retcode=0; |
case "$1" in |
case "$1" in |
start) |
start) |
print_info -n "Starting $DESC: " |
print_info -n "Starting $DESC: " |
|
|
# |
# |
bann_ip_adresses |
bann_ip_adresses |
allow_accept_all |
allow_accept_all |
|
allow_accept_vrrp |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
anti_spoof_filter |
anti_spoof_filter |
|
|
drop_output |
drop_output |
allow_output |
allow_output |
allow_icmp |
allow_icmp |
echo "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
print_info "----[ INCOMMING TRAFFIC ]------------------------------------------------" |
drop_input |
drop_input |
reject_input |
reject_input |
allow_input |
allow_input |
|
|
purge) |
purge) |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
;; |
;; |
|
|
block) |
block) |
shift; |
shift; |
add_banned_ip $*; |
for banned_ip in $*; do |
# start the some script twice to refresh rules (new blocked IP's) |
check_banned_ip "$banned_ip"; |
QUIET=yes $0 start; |
if [ "$?" -eq 0 ]; then |
|
print_info "Already blocked IP address: $banned_ip"; |
|
retcode=1; |
|
else |
|
print_info "Blocking IP address: $banned_ip"; |
|
add_banned_ip "$banned_ip"; |
|
do_ban_single_ip "$banned_ip"; |
|
fi |
|
done |
;; |
;; |
update) |
update) |
update; |
update; |
|
|
remote) |
remote) |
remote; |
remote; |
;; |
;; |
map-subnet) |
|
shift; |
|
map_subnet $*; |
|
;; |
|
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |
|
|
exit 0 |
exit "$retcode"; |
|
|
# vim600: fdm=marker fdl=0 fdc=3 |
# vim600: fdm=marker fdl=0 fdc=3 |
|
|