version 2.18, 2005/03/01 21:47:20 |
version 2.30, 2005/11/01 00:36:24 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.17 2005/01/16 17:24:23 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.29 2005/11/01 00:12:49 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
DESC="firewall" |
DESC="firewall" |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}" |
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
|
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
if [ -f "$DEFAULT_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
echo "Reading config file $DEFAULT_CONFIG" |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
. $DEFAULT_CONFIG |
. $DEFAULT_FIREWALL_CONFIG |
fi |
fi |
|
|
# |
# |
|
|
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}" |
# which modules to load |
# which modules to load |
MODULES="${MODULES:=}" |
MODULES="${MODULES:=}" |
|
MODULES_LOADING="${MODULES_LOADING:=yes}" |
|
MODULES_REMOVING="${MODULES_REMOVING:=no}" |
|
|
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}" |
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}" |
|
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
|
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
|
if [ "x$LOGGING" = "xoff" ]; then |
|
IPTABLES_LOG=": log turned off" |
|
else |
|
IPTABLES_LOG="${IPTABLES_LOG:=$DEBUG/sbin/iptables}" |
|
fi |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
Line 46 AWK="${AWK:=/usr/bin/awk}" |
|
Line 57 AWK="${AWK:=/usr/bin/awk}" |
|
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IP="IP_$LO_IFACE" |
|
|
|
# |
# |
# CONSTANTS - Do not edit |
# CONSTANTS - Do not edit |
Line 72 ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKE |
|
Line 82 ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKE |
|
# load necessary modules from $MODULES variable |
# load necessary modules from $MODULES variable |
load_modules() |
load_modules() |
{ # {{{ |
{ # {{{ |
echo "# Loading modules" |
if [ "e$MODULES_LOADING" = "eyes" ]; then |
for mod in $MODULES; do |
echo "# Loading modules" |
echo " $MODPROBE $mod" |
for mod in $MODULES; do |
$MODPROBE $mod |
echo " $MODPROBE $mod" |
done |
$MODPROBE $mod |
|
done |
|
fi |
|
} # }}} |
|
|
|
load_cache() |
|
{ # {{{ |
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
|
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
fi |
|
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG`; |
|
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | awk '{ print $1; }'`; |
|
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
|
|
|
if [ -f "$CACHE_FILE" ]; then |
|
echo "Loading rules from cache file $CACHE_FILE" |
|
$IPTABLES_RESTORE -c < $CACHE_FILE; |
|
forward_on # this has nothing to do with IPtables rules, we need to run them explicitly |
|
exit 0; |
|
fi |
} # }}} |
} # }}} |
|
|
# unload necessary modules from $MODULES variable |
# unload necessary modules from $MODULES variable |
unload_modules() |
unload_modules() |
{ # {{{ |
{ # {{{ |
# reverse modules |
# reverse modules |
echo "# Removing modules" |
if [ "e$MODULES_REMOVING" = "eyes" ]; then |
R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '` |
echo "# Removing modules" |
for mod in $R_MODULES; do |
R_MODULES=`echo "$MODULES" | tr ' ' '\012' | tac | tr '\012' ' '` |
echo " $RMMOD $mod" |
for mod in $R_MODULES; do |
$RMMOD $mod |
echo " $RMMOD $mod" |
done |
$RMMOD $mod |
|
done |
|
fi |
} # }}} |
} # }}} |
|
|
# print status of detected interfaces |
# print status of detected interfaces |
print_iface_status() |
print_iface_status() |
{ # {{{ |
{ # {{{ |
# Print interfaces: |
# Print interfaces: |
echo "# iface | IP addr | broadcast | netmask | HW addr" |
echo "# iface | IP addr | Gateway | broadcast | netmask | HW addr" |
for iface in $interfaces; do |
for iface in $interfaces; do |
IP="IP_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; |
IP="IP_$iface"; Gateway="Gateway_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; |
echo "$iface | ${!IP} | ${!Bcast} | ${!Mask} | ${!HWaddr}" |
echo "$iface | ${!IP} | ${!Gateway} | ${!Bcast} | ${!Mask} | ${!HWaddr}" |
done |
done |
} # }}} |
} # }}} |
|
|
|
|
done |
done |
} # }}} |
} # }}} |
|
|
|
# Turn on IP packets forwarding |
|
forward_on() |
|
{ # {{{ |
|
# NAT requires turn on IP forwarding |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
|
forward_off() |
|
{ # {{{ |
|
echo -en "NAT: Disabling packet forwarding..." |
|
echo 0 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
} # }}} |
|
|
# clear status of iptable chains |
# clear status of iptable chains |
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
Line 138 nmap_scan_filter() |
|
Line 191 nmap_scan_filter() |
|
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
echo -en "." |
echo -en "." |
|
|
# dva odporujuuce si flagy su nastavene: |
# dva odporujuuce si flagy su nastavene: |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
# je nastavene len $flags bez predpokladaneho ACK |
# je nastavene len $flags bez predpokladaneho ACK |
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
echo -en "." |
echo -en "." |
done |
done |
done |
done |
Line 170 invalid_packet_filter() |
|
Line 223 invalid_packet_filter() |
|
|
|
echo -en "Turning on INVALID packet filter " |
echo -en "Turning on INVALID packet filter " |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
echo -en "." |
echo -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
echo -en "." |
echo -en "." |
done |
done |
|
|
Line 207 anti_spoof_filter() |
|
Line 260 anti_spoof_filter() |
|
$IPTABLES -N spoof |
$IPTABLES -N spoof |
|
|
# Ochrana proti Spoogingu zo spatnej slucky |
# Ochrana proti Spoogingu zo spatnej slucky |
$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src" |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -s 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES_LOG -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest" |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
$IPTABLES -A spoof -d 127.0.0.0/8 -j DROP |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
# Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete |
$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES_LOG -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src" |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES_LOG -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src" |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
|
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
ip="IP_$NAT_SUBNET_IFACE"; |
|
|
echo -en " $type" |
echo -en " $type" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
#$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
echo " done." |
echo " done." |
|
|
|
# Port forwarding to local machines |
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
|
echo -en "\tForwarding ports to local machines:" |
|
for redirect in $NAT_TCP_PORT_FORWARD; do |
|
eval `echo $redirect | awk -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
echo -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i eth0 -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
echo " done." |
|
fi |
|
|
# Keep state of connections from private subnets |
# Keep state of connections from private subnets |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
Line 354 log_new_connections() |
|
Line 423 log_new_connections() |
|
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
echo -en "Logging new connections:" |
echo -en "Logging new connections:" |
$IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
$IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
$IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
$IPTABLES_LOG -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
echo " done." |
echo " done." |
fi |
fi |
fi |
fi |
|
|
|
|
} # }}} |
} # }}} |
|
|
|
bann_ip_adresses() |
|
{ # {{{ |
|
# |
|
# This feature has been developed for following reason: |
|
# UbiCrawler spam our website with many requests (they are duplicit requests of the same page!) |
|
# And this web robot doesn't accept HTTP META tags (http://www.robotstxt.org/wc/faq.html#extension) |
|
# |
|
# Bann them too! |
|
# |
|
#IP address is: 146.48.97.11 146.48.97.13 |
|
# User Agent: "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)" |
|
# |
|
if [ ! -z "$BANNED_IP" ]; then |
|
echo -en "Dropping ALL packets from IP:" |
|
for banned_ip in $BANNED_IP; do |
|
echo -en " $banned_ip" |
|
$IPTABLES -A INPUT -s $banned_ip -j DROP |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
done |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
allow_accept_all() |
allow_accept_all() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
if [ ! -z "$IFACE_ACCEPT_ALL" ]; then |
Line 412 allow_accept_all() |
|
Line 504 allow_accept_all() |
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
|
|
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
for client_ip in $NAT_CLIENT_DROP; do |
|
echo -en " !$client_ip"; |
|
$IPTABLES -A INPUT -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
|
done |
|
fi |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
|
|
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
#$IPTABLES -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES_LOG -A INPUT -p ICMP -j LOG --log-prefix "IN ICMP: " |
#$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
#$IPTABLES_LOG -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: " |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
|
|
log_input_drop() |
log_input_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="input drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Input drop is logged with prefix '$prefix'" |
prefix="input drop: " |
$IPTABLES -A INPUT $LOG_LIMIT "$prefix" |
echo "Input drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A INPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_output_drop() |
log_output_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="output drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Output drop is logged with prefix '$prefix'" |
prefix="output drop: " |
$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix" |
echo "Output drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A OUTPUT $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
log_forward_drop() |
log_forward_drop() |
{ # {{{ |
{ # {{{ |
|
|
prefix="forward drop: " |
if [ ! "x$LOGGING" = "xoff" ]; then |
echo "Forward drop is logged with prefix '$prefix'" |
prefix="forward drop: " |
$IPTABLES -A FORWARD $LOG_LIMIT "$prefix" |
echo "Forward drop is logged with prefix '$prefix'" |
|
$IPTABLES_LOG -A FORWARD $LOG_LIMIT "$prefix" |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
Line 553 accept_related() |
|
Line 657 accept_related() |
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
echo -en " ${!ip}($iface)" |
echo -en " ${!ip}($iface)" |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
|
|
Line 564 accept_loopback() |
|
Line 669 accept_loopback() |
|
|
|
# Loopback není radno omezovat |
# Loopback není radno omezovat |
echo -en "Accepting loopback:" |
echo -en "Accepting loopback:" |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT |
echo " done." |
echo " done." |
|
|
} # }}} |
} # }}} |
Line 574 accept_loopback() |
|
Line 680 accept_loopback() |
|
parse_ifconfig() |
parse_ifconfig() |
{ # {{{ |
{ # {{{ |
# Parse output from ifconfig: |
# Parse output from ifconfig: |
eval `$IFCONFIG | \ |
parsed_interfaces=`$IFCONFIG | \ |
$AWK 'BEGIN { interfaces=""; } |
$AWK 'BEGIN { interfaces=""; } |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
iface=$1; |
iface=$1; |
Line 604 parse_ifconfig() |
|
Line 710 parse_ifconfig() |
|
} |
} |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
'` |
'` |
|
eval "$parsed_interfaces"; |
|
|
|
parsed_routes=`perl -e ' |
|
$\ = "\n"; |
|
open(FILE, "/proc/net/route") or die "Can not open /proc/net/route: $!"; |
|
my @columns = split(/\s+/, <FILE>); |
|
while (my $line = <FILE>) { |
|
my $iface; |
|
my @vals = split(/\s+/, $line); |
|
foreach my $key (@columns) { |
|
$iface->{$key} = shift @vals; |
|
} |
|
|
|
foreach my $key (qw( Gateway Destination )) { |
|
print "${key}_$iface->{Iface}=", |
|
qw("), hex2ip($iface->{$key}), qw("), |
|
"; export ${key}_$iface->{Iface};"; |
|
} |
|
foreach my $key (qw( Flags MTU Metric Window IRTT )) { |
|
print "${key}_$iface->{Iface}=", |
|
qw("), $iface->{$key}, qw("), |
|
"; export ${key}_$iface->{Iface};"; |
|
} |
|
} |
|
close(FILE); |
|
|
|
|
|
sub hex2ip |
|
{ # {{{ |
|
my ($str) = @_; |
|
my @block; |
|
|
|
my $hex = uc($str); |
|
|
|
while (length($hex)) { |
|
my $x = ord(substr($hex, 0, 1)); |
|
my $y = ord(substr($hex, 1, 1)); |
|
|
|
$x = $x > 64 ? $x - 55 : $x - 48; |
|
$y = $y > 64 ? $y - 55 : $y - 48; |
|
|
|
push @block, 16 * $x + $y; |
|
$hex = substr($hex, 2); |
|
} |
|
|
|
return join(".", reverse @block); |
|
|
|
} # }}} |
|
'` |
|
eval "$parsed_routes"; |
|
|
# Now we have defined variables like this: |
# Now we have defined variables like this: |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
Line 638 for iface in $interfaces; do |
|
Line 794 for iface in $interfaces; do |
|
INTERFACES="$INTERFACES $iface"; |
INTERFACES="$INTERFACES $iface"; |
fi |
fi |
done |
done |
|
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
|
case "$1" in |
case "$1" in |
start) |
start) |
echo -n "Starting $DESC: " |
echo -n "Starting $DESC: " |
# Inicialize modules |
# Inicialize modules |
$DEPMOD -a |
#$DEPMOD -a |
load_modules |
load_modules |
|
load_cache |
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
# |
# |
# (un)commnet next lines as needed |
# (un)commnet next lines as needed |
# |
# |
|
bann_ip_adresses |
allow_accept_all |
allow_accept_all |
nmap_scan_filter |
nmap_scan_filter |
invalid_packet_filter |
invalid_packet_filter |
|
|
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
|
forward_on |
|
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
stop) |
stop) |
|
|
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
unload_modules |
unload_modules |
|
forward_off |
|
accept_related |
|
;; |
|
|
|
really-off) |
|
echo -n "Stopping $DESC: removing ALL rules, all packets are dropped !!" |
|
set_default_policy |
|
remove_chains |
|
unload_modules |
|
forward_off |
;; |
;; |
|
|
status) |
status) |
|
|
$IPTABLES -L -nv |
$IPTABLES -L -nv |
;; |
;; |
|
|
|
purge) |
|
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
|
;; |
|
|
*) |
*) |
echo "Usage: $0 {start|stop|stop}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |