version 2.84, 2011/11/18 23:58:33 |
version 2.85, 2011/12/03 19:28:30 |
|
|
#!/bin/bash |
#!/bin/bash |
|
|
### BEGIN INIT INFO |
### BEGIN INIT INFO |
# Provides: firewall |
# Provides: firewall |
# Required-Start: networking |
# Required-Start: $network |
# Required-Stop: |
# Required-Stop: $remote_fs |
# Default-Start: S |
# Default-Start: S |
# Default-Stop: |
# Default-Stop: 0 6 |
# Short-Description: firewalling rules |
# Short-Description: Starts firewall |
|
# Description: Handle universal firewall script by Platon Group |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
|
# Author: Lubomir Host <rajo@platon.sk> |
|
# Copyright: (c) 2003-2011 Platon Group |
### END INIT INFO |
### END INIT INFO |
|
|
# |
# |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.83 2011-11-18 23:49:00 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.84 2011-11-18 23:58:33 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
# 2011-07-20 - implemented XEN_MODE |
# 2011-07-20 - implemented XEN_MODE |
# |
# |
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: $network $remote_fs |
|
# Required-Stop: $network $remote_fs |
|
# Default-Start: 2 3 4 5 |
|
# Default-Stop: 0 1 6 |
|
# Short-Description: Starts firewall |
|
# Description: Handle universal firewall script by Platon Group |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
|
# Author: Lubomir Host <rajo@platon.sk> |
|
# Copyright: (c) 2003-2011 Platon Group |
|
### END INIT INFO |
|
|
|
umask 077 # security |
umask 077 # security |
|
|
|
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
|
|
fi |
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
|
|
for port in $REAL_ACCEPT_INPUT_TCP; do |
for port in $REAL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
|
for port in $REAL_ACCEPT_INPUT_UDP; do |
for port in $REAL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
|
for port in $REJECT_INPUT_TCP; do |
for port in $REJECT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
|
port_rule="--dport $port" |
port_rule="--dport $port" |
fi |
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
|
|
for port in $REJECT_INPUT_UDP; do |
for port in $REJECT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
|
port_rule="--dport $port" |
port_rule="--dport $port" |
fi |
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
|
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
|
|
port_rule="--dport $port" |
port_rule="--dport $port" |
fi |
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
|
|
else |
else |
port_rule="--dport $port" |
port_rule="--dport $port" |
fi |
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
|
|
{ # {{{ |
{ # {{{ |
|
|
mark_idx=1 |
mark_idx=1 |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
for iface in $SHAPING_IFACE; do |
for iface in $SHAPING_IFACE; do |
echo "Shaping for interface $iface" |
echo "Shaping for interface $iface" |
shaping_classes="${iface}_SHAPING_CLASSES" |
shaping_classes="${iface}_SHAPING_CLASSES" |
|
|
burst="${iface}_SHAPING_BURST_${class}" |
burst="${iface}_SHAPING_BURST_${class}" |
netmask="${iface}_SHAPING_NETMASK_${class}" |
netmask="${iface}_SHAPING_NETMASK_${class}" |
echo -e "\tshaping \"$class\" traffic: rate=${!rate} burst=${!burst} netmask=${!netmask}" |
echo -e "\tshaping \"$class\" traffic: rate=${!rate} burst=${!burst} netmask=${!netmask}" |
if [ -z ${!netmask} ]; then |
if [ -z "${!netmask}" ]; then |
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x$mark_idx |
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x$mark_idx |
else |
else |
$IPTABLES -t mangle -A OUTPUT -d ${!netmask} -j MARK --set-mark 0x$mark_idx |
$IPTABLES -t mangle -A OUTPUT -d ${!netmask} -j MARK --set-mark 0x$mark_idx |
fi |
fi |
|
|
if [ -z ${!rate} ]; then |
if [ -z "${!rate}" ]; then |
# SFQ for local traffic |
# SFQ for local traffic |
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): sfq perturb 10 |
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): sfq perturb 10 |
else |
else |
|
|
|
|
shaping_off() |
shaping_off() |
{ # {{{ |
{ # {{{ |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
echo -en "Shaping turned off for interface" |
echo -en "Shaping turned off for interface" |
for iface in $SHAPING_IFACE; do |
for iface in $SHAPING_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
|
|
|
|
shaping_status() |
shaping_status() |
{ # {{{ |
{ # {{{ |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
echo "# Shaping status: " |
echo "# Shaping status: " |
$TC qdisc list |
$TC qdisc list |
else |
else |
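Review bot: The quoting fix to the `[ ! -z "$src_ip" ]` tests leaves the larger hazard on the line directly above them untouched: in each of the REAL_ACCEPT_INPUT_TCP, REAL_ACCEPT_INPUT_UDP, REJECT_INPUT_TCP and REJECT_INPUT_UDP loops the `host:port` split is done with `` eval `echo $port | awk ...` ``, so a list entry containing a quote, `;` or backtick is executed as shell code instead of being rejected as a bad port spec. These lists come from the firewall configuration, which is presumably root-owned, so this is hardening rather than an open hole, but the eval is unnecessary and the split can be done with parameter expansion, e.g. `case "$port" in *:*) src_ip="${port%%:*}"; port="${port#*:}"; port="${port%%:*}";; esac`, which keeps awk's behaviour of taking the first two colon-separated fields and assigns only when a colon is present. The function enclosing these loops starts and ends outside the hunks shown, so the same replacement would need to be applied at each of the four sites.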