
File: [Platon] / scripts / shell / firewall / fw-universal.sh (download)

Revision 2.16, Sun Jan 16 15:27:15 2005 UTC (19 years, 2 months ago) by rajo

Changes since 2.15: +35 -1 lines

Added traceroute support

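#!/bin/bash

#
# This will be universal firewalling script for Linux kernel (iptables) in near future
# Can be started by init or by hand.
#
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk>
# Copyright (c) 2003-2005 Platon SDG, http://platon.sk/
# Licensed under terms of GNU General Public License.
# All rights reserved.
#
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.15 2005/01/16 12:13:32 rajo Exp $
#
# Changelog:
# 2003-10-24 - created
#
# Interpreter: the shebang is bash, not POSIX sh. The script depends on the
# bash-only indirect expansion ${!name} (print_iface_status, masquerade,
# drop_output, allow_input, ...) and on "echo -en"; under a POSIX /bin/sh such
# as dash it aborts with "Bad substitution".
#

DESC="firewall"
# Fixed search path: the caller's PATH cannot redirect the tools used below.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Site configuration. The file is *sourced*, i.e. executed as shell code with
# the privileges of this script (root when run from init), so it must only be
# writable by root. Any variable below that uses ${VAR:=default} can be
# overridden from it (or from the environment).
DEFAULT_CONFIG="${DEFAULT_CONFIG:=/etc/default/firewall}"

if [ -f "$DEFAULT_CONFIG" ]; then
    echo "Reading config file $DEFAULT_CONFIG"
    . "$DEFAULT_CONFIG"
fi

#
# Default configuration values:
#

# Policy for the INPUT/OUTPUT/FORWARD chains of the filter table; also what is
# left in place after "stop" (see the dispatcher at the end of the file).
DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}"
# which modules to load (space separated, in load order)
MODULES="${MODULES:=}"

# Match+target fragment for rate-limited logging. Callers append the log
# prefix string as the final argument, e.g.:  $IPTABLES -A INPUT $LOG_LIMIT "prefix: "
# The limit (12/h, burst 10) is per rule and bounds the log volume.
LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}"

# Paths:
#IPTABLES=":" # for testing only - does nothing
# $DEBUG is an optional prefix (normally unset) so that a test run can point at
# a stub binary, e.g. DEBUG=/tmp/fake -> /tmp/fake/sbin/iptables. It affects
# only iptables, not the other tools.
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}"
IFCONFIG="${IFCONFIG:=/sbin/ifconfig}"
DEPMOD="${DEPMOD:=/sbin/depmod}"
MODPROBE="${MODPROBE:=/sbin/modprobe}"
RMMOD="${RMMOD:=/sbin/rmmod}"
AWK="${AWK:=/usr/bin/awk}"

# loopback interface
LO_IFACE="${LO_IFACE:=lo}"
# Name of the variable that parse_ifconfig will fill with the loopback address
# (i.e. the string "IP_lo"), not the address itself. Not dereferenced anywhere
# in this file.
LO_IP="IP_$LO_IFACE"

#
# CONSTANTS - Do not edit
#
ANYWHERE="0.0.0.0/0"                # Match any IP address
BROADCAST_SRC="0.0.0.0"                # Broadcast Source Address
BROADCAST_DEST="255.255.255.255"    # Broadcast Destination Address
CLASS_A="10.0.0.0/8"                # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"                # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"            # Class-C Private (RFC-1918) Networks
CLASS_D_MULTICAST="224.0.0.0/4"        # Class-D Multicast Addresses
# Class-E is 240.0.0.0 - 255.255.255.255, i.e. a /4. The original /5 stopped at
# 247.255.255.255 and left 248.0.0.0/5 uncovered.
CLASS_E_RESERVED_NET="240.0.0.0/4"    # Class-E Reserved Addresses
PRIVPORTS="0:1023"                    # Well-Known, Privileged Port Range
UNPRIVPORTS="1024:65535"            # Unprivileged Port Range
TRACEROUTE_SRC_PORTS="32769:65535"    # Traceroute Source Ports
TRACEROUTE_DEST_PORTS="33434:33523"    # Traceroute Destination Ports


# allow some ICMP packets - needed for ping etc.
# Note that echo-request is in the default, so the host answers pings on every
# interface (allow_icmp) and forwards them (masquerade), without a rate limit.
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}"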


# Load every kernel module named in $MODULES, in the order given, with
# $MODPROBE. Each command line is echoed before it runs; a failing modprobe
# is reported by modprobe itself and does not stop the loop.
load_modules()
{ # {{{
    echo "# Loading modules"
    set -- $MODULES
    while [ $# -gt 0 ]; do
        echo "    $MODPROBE $1"
        $MODPROBE $1
        shift
    done
} # }}}

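# Unload the modules from $MODULES with $RMMOD, in reverse order of $MODULES
# (so that, assuming the list is in load/dependency order, a module is removed
# before the ones it needs -- TODO confirm that is how MODULES is written).
# The reversed list is built with a plain shell loop. The original piped the
# list through tac(1), which exists only in GNU coreutils: where it is missing
# the pipeline yields an empty list and no module is ever unloaded (the
# failure shows only as "tac: command not found" on stderr).
# $R_MODULES is still set as a global, as before.
unload_modules()
{ # {{{
    local mod
    echo "# Removing modules"
    R_MODULES=""
    for mod in $MODULES; do
        R_MODULES="$mod $R_MODULES"
    done
    for mod in $R_MODULES; do
        echo "    $RMMOD $mod"
        $RMMOD $mod
    done
} # }}}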

# Print one table row per interface in $interfaces (as discovered by
# parse_ifconfig): name, IP address, broadcast, netmask and hardware address,
# read from the IP_<iface>, Bcast_<iface>, Mask_<iface> and HWaddr_<iface>
# variables via indirect expansion. Unset fields print as empty.
print_iface_status()
{ # {{{
    local dev addr bcast mask hw
    echo "# iface    | IP addr    | broadcast    | netmask    | HW addr"
    for dev in $interfaces; do
        addr="IP_$dev"; bcast="Bcast_$dev"; mask="Mask_$dev"; hw="HWaddr_$dev"
        printf '%s    | %s    | %s    | %s    | %s\n' \
            "$dev" "${!addr}" "${!bcast}" "${!mask}" "${!hw}"
    done
} # }}}

# Set $DEFAULT_POLICY on the three built-in chains of the filter table.
# Only the filter table is touched; the nat and mangle policies stay as they are.
# Called before the rules are (re)built and again on "stop", so with the
# default of DROP the host is closed whenever no rules are loaded.
set_default_policy()
{ # {{{
    $IPTABLES -P INPUT   $DEFAULT_POLICY
    $IPTABLES -P OUTPUT  $DEFAULT_POLICY
    $IPTABLES -P FORWARD $DEFAULT_POLICY
} # }}}

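# Enable kernel reverse-path filtering (rp_filter) on every entry under
# /proc/sys/net/ipv4/conf/ (the glob also picks up the "all"/"default"
# entries where the kernel provides them).
# Not called from the start/stop dispatcher at the end of the file; invoke it
# explicitly if the sysctl is wanted.
# Robustness fix: an entry that does not exist or is not writable -- notably
# the literal glob pattern left over when nothing matches, e.g. on a
# non-Linux system or without /proc -- is skipped instead of raising a
# shell redirection error.
antispoof_on()
{ # {{{
    local knob
    for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -w "$knob" ] || continue
        echo "1" > "$knob"
    done
} # }}}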

# Flush every rule and delete every user-defined chain in the filter, nat and
# mangle tables (-X only removes empty user chains, so -F must come first).
# Counters are not zeroed and policies are not changed here. On "start" this
# runs right after set_default_policy, so the host is closed while the rule
# set is rebuilt; on "stop" it leaves the DROP policy with no rules at all.
remove_chains()
{ # {{{
    local tbl
    for tbl in filter nat mangle; do
        $IPTABLES -t $tbl -F    # flush all rules of all chains in the table
        $IPTABLES -t $tbl -X    # delete the (now empty) user-defined chains
    done
} # }}}

# Log (rate-limited via $LOG_LIMIT) and DROP TCP packets with impossible flag
# combinations, as produced by nmap-style NULL/FIN/Xmas scans, on INPUT and
# FORWARD. Three groups of combinations are covered:
#   ALL:NONE          no flag set at all
#   X,Y:X,Y           two mutually exclusive flags both set (SYN+FIN, SYN+RST, FIN+RST)
#   ACK,F:F           FIN, PSH or URG set without the ACK that should accompany it
# The rules are appended after allow_accept_all, so interfaces in
# IFACE_ACCEPT_ALL are never examined here. Progress dots are printed as the
# rules are added (one per iptables call).
nmap_scan_filter()
{ # {{{
    local chain spec mask wanted label

    echo -en "Turning on nmap scan filter "

    for chain in INPUT FORWARD; do
        # spec is "mask:wanted": examine the flags in mask, require exactly wanted set
        for spec in ALL:NONE SYN,FIN:SYN,FIN SYN,RST:SYN,RST FIN,RST:FIN,RST \
                    ACK,FIN:FIN ACK,PSH:PSH ACK,URG:URG; do
            mask=${spec%%:*}
            wanted=${spec#*:}
            if [ "$mask" = "ALL" ]; then label="ALL NONE"; else label=$mask; fi

            $IPTABLES -A $chain -p TCP --tcp-flags $mask $wanted $LOG_LIMIT "nmap scan $chain $label: "
            echo -en "."
            $IPTABLES -A $chain -p TCP --tcp-flags $mask $wanted -j DROP
            echo -en "."
        done
    done

    echo " done."

} # }}}

# Log (rate-limited) and DROP packets that conntrack classifies as INVALID,
# in all three filter chains. Like nmap_scan_filter this runs after
# allow_accept_all, so fully trusted interfaces are not covered.
invalid_packet_filter()
{ # {{{
    local chain

    printf 'Turning on INVALID packet filter '
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: "
        printf '.'
        $IPTABLES -A $chain -m state --state INVALID -j DROP
        printf '.'
    done
    echo " done."

} # }}}

# Rate-limit incoming TCP SYNs through a dedicated "syn-flood" chain and drop
# NEW-state TCP packets that are not SYNs, on every interface in $INTERFACES.
#
# SECURITY NOTE: "-m limit" keeps ONE global token bucket, not one per source.
# With --limit 1/s --limit-burst 4 any party that sends a few SYNs per second
# to any interface exhausts the budget and every further SYN -- from
# everybody -- is dropped, so this rule can itself be used to deny new
# connections to the host. Per-source limiting (-m hashlimit or -m recent)
# is the usual replacement; this rewrite keeps the original behaviour.
syn_flood()
{ # {{{
    local dev

    # SYNs within budget RETURN to INPUT and continue down the chain,
    # everything beyond it is dropped
    $IPTABLES -N syn-flood
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A syn-flood -j DROP

    for dev in $INTERFACES; do
        $IPTABLES -A INPUT -i $dev -p TCP --syn -j syn-flood
        # conntrack says NEW but the SYN flag is missing: not a valid
        # connection start, drop it
        $IPTABLES -A INPUT -i $dev -p TCP ! --syn -m state --state NEW -j DROP
    done

} # }}}

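# Build the "spoof" chain and hook it into INPUT and FORWARD for every
# interface in $ANTISPOOF_IFACE (intended for the Internet-facing side).
# The chain logs (rate-limited) and drops packets whose source address can
# never legitimately arrive from outside -- loopback and the RFC 1918 private
# ranges -- and packets addressed to loopback.
#
# CHANGE vs. the 2005 original: the "96.0.0.0/4 -- IANA reserved" entry was
# removed. 96.0.0.0 - 111.255.255.255 has since been allocated to the RIRs
# and is in ordinary use, so the rule would now silently drop legitimate
# traffic. Any bogon list in a firewall goes stale; nothing here refreshes it.
#
# Note: dropping 10.0.0.0/8 as a source is only correct on the uplink. Do not
# list a LAN interface that carries 10/8 in ANTISPOOF_IFACE.
anti_spoof_filter()
{ # {{{
    local net dev

    #   http://www.iana.org/assignments/ipv4-address-space

    if [ ! -z "$ANTISPOOF_IFACE" ]; then

        echo -en "Turning on antispoof filter for interfaces: "
        $IPTABLES -N spoof

        # loopback addresses never belong on a real interface, in either direction
        $IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src"
        $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
        $IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest"
        $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP

        # RFC 1918 ranges as source: "internal" addresses arriving from outside
        # (same order as before: 192.168/16, 172.16/12, 10/8)
        for net in $CLASS_C $CLASS_B $CLASS_A; do
            $IPTABLES -A spoof -s $net $LOG_LIMIT "RESERVED:$net src"
            $IPTABLES -A spoof -s $net -j DROP
        done

        for dev in $ANTISPOOF_IFACE; do
            echo -en " $dev"
            $IPTABLES -A FORWARD -i $dev -j spoof
            $IPTABLES -A INPUT   -i $dev -j spoof
        done
        echo " done."
    fi
} # }}}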

# Set the IP TOS byte on incoming packets (mangle/PREROUTING): interactive
# protocols (ssh, ftp control, telnet) get Minimize-Delay, bulk ftp-data gets
# Maximize-Throughput. Service names are resolved by iptables. This only
# influences queueing/routing preferences, not what is accepted.
mangle_prerouting()
{ # {{{
    local spec dir svc tos

    echo -en "Optimizing PREROUTING TOS: "
    # spec is "direction:service:tos", applied in the original order
    for spec in sport:ssh:Minimize-Delay dport:ssh:Minimize-Delay \
                sport:ftp:Minimize-Delay dport:ftp:Minimize-Delay \
                dport:telnet:Minimize-Delay sport:ftp-data:Maximize-Throughput; do
        dir=${spec%%:*}
        tos=${spec##*:}
        svc=${spec#*:}; svc=${svc%:*}
        $IPTABLES -t mangle -A PREROUTING -p TCP --$dir $svc -j TOS --set-tos $tos
        echo -en "."
    done
    echo " done."

} # }}}

# Same TOS marking as mangle_prerouting, but for packets this host sends
# (mangle/OUTPUT), one rule set per interface in $INTERFACES.
mangle_output()
{ # {{{
    local dev spec dir svc tos

    echo -en "Optimizing OUTPUT TOS:"
    for dev in $INTERFACES; do
        echo -en " $dev"
        # spec is "direction:service:tos"
        for spec in sport:ssh:Minimize-Delay dport:ssh:Minimize-Delay \
                    sport:ftp:Minimize-Delay dport:ftp:Minimize-Delay \
                    dport:telnet:Minimize-Delay sport:ftp-data:Maximize-Throughput; do
            dir=${spec%%:*}
            tos=${spec##*:}
            svc=${spec#*:}; svc=${svc%:*}
            $IPTABLES -t mangle -A OUTPUT -o $dev -p TCP --$dir $svc -j TOS --set-tos $tos
        done
    done
    echo " done."

} # }}}

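# Masquerade local subnet.
#
#   NAT_SUBNET_IFACE   interface towards the private (masqueraded) subnet
#   NAT_LAN_IFACE      interface the subnet is masqueraded *out of*. Despite
#                      the name this is the uplink/outer side: it is used with
#                      "-o" in POSTROUTING and with "! -i" for the redirects.
#   NAT_TCP_PORT_REDIRECT  "remote:local" pairs: TCP to remote port that did
#                      not arrive on NAT_LAN_IFACE and is not addressed to
#                      NAT_LAN_IFACE's own IP is REDIRECTed to local port on
#                      this host (transparent-proxy style).
#   NAT_FORWARD_MICROSOFT=no   do not forward NEW TCP without SYN, and drop
#                      forwarded TCP/UDP to ports 69 135 445 1434 6667.
#   NAT_FORWARD_TCP_PORTS / NAT_FORWARD_UDP_PORTS  ports for which NEW
#                      forwarded connections are accepted.
#   ACCEPT_ICMP_PACKETS   ICMP types forwarded.
#
# Changes vs. the original:
#  * "--opt ! value" (intrapositioned negation) replaced by "! --opt value".
#    Newer iptables releases flag the old form as deprecated; the new form is
#    accepted by old and new releases alike.
#  * the "remote:local" split no longer goes through eval+awk; parameter
#    expansion gives the same result for well-formed pairs and there is no
#    reason to eval config-derived strings.
#
# Caveats (behaviour unchanged):
#  * POSTROUTING masquerades *everything* leaving NAT_LAN_IFACE, not only
#    $localnet (the restricted rule is kept commented out, as before).
#  * The NAT_FORWARD_*_PORTS rules carry no -i/-o, so NEW forwarded
#    connections to those ports are accepted in both directions, not only
#    from the subnet. Add "-i $NAT_SUBNET_IFACE" if only outbound was meant.
masquerade()
{ # {{{
    local ip netmask localnet lan_ip redirect remote_port local_port port icmp_type

    if [ ! -z "$NAT_LAN_IFACE" ]; then
        echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE"

        ip="IP_$NAT_SUBNET_IFACE";
        netmask="Mask_$NAT_SUBNET_IFACE"
        localnet="${!ip}/${!netmask}"       # e.g. 192.168.1.1/255.255.255.0 (address/mask as parsed)

        lan_ip="IP_$NAT_LAN_IFACE"

        # subnet-side anti-spoofing: what enters from the subnet interface
        # must carry a source address inside $localnet
        $IPTABLES -A FORWARD ! -s $localnet -i $NAT_SUBNET_IFACE -j DROP

        for redirect in $NAT_TCP_PORT_REDIRECT; do
            remote_port=${redirect%%:*}
            case $redirect in
                *:*) local_port=${redirect#*:}; local_port=${local_port%%:*} ;;
                *)   local_port="" ;;
            esac
            echo -en " $remote_port:$local_port"
            $IPTABLES -t nat -A PREROUTING -p TCP \
                ! -i $NAT_LAN_IFACE ! -d ${!lan_ip} \
                --dport $remote_port -j REDIRECT --to-port $local_port
        done

        # no "-s $localnet": everything routed out of NAT_LAN_IFACE is masqueraded
        #$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE
        $IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE

        echo " done."

        # Do not forward Microsoft protocols / non RFC-compliant packets.
        # Ports by well-known assignment: 69 tftp, 135 MS RPC, 445 SMB,
        # 1434 MS-SQL monitor, 6667 IRC. Dropped in both directions.
        if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then
            if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then
                $IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

                for port in 69 135 445 1434 6667; do
                    $IPTABLES -A FORWARD -p TCP --dport $port -j DROP
                    $IPTABLES -A FORWARD -p UDP --dport $port -j DROP
                done
            fi
        fi

        if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then
            echo -en "\tAccepting FORWARD TCP ports:"
            for port in $NAT_FORWARD_TCP_PORTS; do
                echo -en " $port"
                $IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT
            done
            echo " done."
        fi

        if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then
            echo -en "\tAccepting FORWARD UDP ports:"
            for port in $NAT_FORWARD_UDP_PORTS; do
                echo -en " $port"
                $IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT
            done
            echo " done."
        fi

        # forwarded ICMP, restricted to the listed types (no rate limit)
        echo -en "\tAccepting ICMP packets:"
        for icmp_type in $ACCEPT_ICMP_PACKETS; do
            echo -en " $icmp_type"
            $IPTABLES -A FORWARD -p ICMP --icmp-type $icmp_type -j ACCEPT
        done
        #$IPTABLES -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: "
        echo " done."

        # This host may open new connections out of the uplink; replies and
        # conntrack-related packets of already accepted forwarded connections
        # are let through (both directions)
        $IPTABLES -A OUTPUT  -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
        #$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    fi
} # }}}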

# When NAT_LOG_NEW_CONNECTIONS is exactly "yes", log every NEW-state packet
# in INPUT, OUTPUT and FORWARD (prefixes "IN  connection: ", "OUT connection: ",
# "FWD connection: "). Nothing is added for any other value.
# NOTE: unlike the other log rules these use a plain -j LOG with no -m limit,
# so every new connection -- including every probe of a port scan -- is one
# syslog line; on a busy or scanned host this floods the log. Consider the
# rate-limited $LOG_LIMIT form instead.
log_new_connections()
{ # {{{
    local chain tag

    [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ] || return 0

    echo -en "Logging new connections:"
    for chain in INPUT OUTPUT FORWARD; do
        case $chain in
            INPUT)   tag="IN  connection: " ;;
            OUTPUT)  tag="OUT connection: " ;;
            FORWARD) tag="FWD connection: " ;;
        esac
        $IPTABLES -A $chain -m state --state NEW -j LOG --log-prefix "$tag"
    done
    echo " done."
} # }}}

# Egress port blocking per interface. For each interface I in $INTERFACES the
# variables I_DROP_OUTPUT_TCP and I_DROP_OUTPUT_UDP list *source* ports whose
# packets must not leave through I, neither from this host (OUTPUT) nor
# forwarded (FORWARD). These DROP rules come before allow_output's blanket
# ACCEPT, which is what makes them effective.
drop_output()
{ # {{{
    local dev proto var ports port

    for dev in $INTERFACES; do
        for proto in TCP UDP; do
            var="${dev}_DROP_OUTPUT_${proto}"
            ports="${!var}"
            [ -z "$ports" ] && continue

            echo -en "$dev: Dropping outgoing packets from ports:"
            for port in $ports; do
                echo -en " $port"
                $IPTABLES -A FORWARD -p $proto --sport $port -o $dev -j DROP
                $IPTABLES -A OUTPUT  -p $proto --sport $port -o $dev -j DROP
            done
            echo " done."
        done
    done

} # }}}

# Unconditionally ACCEPT everything on the interfaces (or iptables "+"
# patterns such as "tun+") listed in $IFACE_ACCEPT_ALL: INPUT and FORWARD
# from them, OUTPUT to them. This is the first set of rules appended on
# "start", so none of the later filters (nmap/INVALID/spoof, syn_flood,
# port lists) ever sees traffic from these interfaces -- they are trusted
# completely, including forwarding from them to anywhere.
allow_accept_all()
{ # {{{
    local dev

    [ -z "$IFACE_ACCEPT_ALL" ] && return 0

    echo -en "Accepting ALL packets on interfaces:"
    for dev in $IFACE_ACCEPT_ALL; do
        echo -en " $dev"
        $IPTABLES -A INPUT   -i $dev -j ACCEPT
        $IPTABLES -A FORWARD -i $dev -j ACCEPT
        $IPTABLES -A OUTPUT  -o $dev -j ACCEPT
    done
    echo " done."
} # }}}

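# Open listening ports on the restricted interfaces ($INTERFACES).
#   ALL_ACCEPT_INPUT_TCP / ALL_ACCEPT_INPUT_UDP     ports opened on every interface
#   <iface>_ACCEPT_INPUT_TCP / <iface>_ACCEPT_INPUT_UDP   ports opened on one interface
#   TRACEROUTE_IFACE   interfaces from which forwarded UDP traceroute probes
#                      (sport $TRACEROUTE_SRC_PORTS, dport $TRACEROUTE_DEST_PORTS)
#                      are accepted; when set, this host's own outgoing probes
#                      are accepted as well (see below).
# TCP rules are bound to the interface's own address (-d ${IP_iface}); the UDP
# rules are not, so a UDP port opened here also accepts packets sent to
# broadcast or multicast addresses on that interface. No --syn/NEW match is
# applied to the TCP rules; the INPUT DROP policy plus the "NEW without SYN"
# drop added earlier by syn_flood cover that.
#
# Fix: the OUTPUT rule for this host's own traceroute probes used
# $ANTISPOOF_IFACE as a single word. With several antispoof interfaces that
# produced "-o eth0 eth1" and an IP_ lookup on a name containing a space;
# with antispoof disabled it produced a bare "-o" with no argument (and an
# empty -s). The rule is now added once per antispoof interface and skipped
# when there is none. The FORWARD part, driven by TRACEROUTE_IFACE, is
# unchanged.
allow_input()
{ # {{{
    local port dev ip var ports oif

    if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then
        echo -en "Accepting ALL INPUT TCP connections on ports:"
        for port in $ALL_ACCEPT_INPUT_TCP; do
            for dev in $INTERFACES; do
                ip="IP_$dev";
                echo -en " $port($dev)"
                $IPTABLES -A INPUT -i $dev -d ${!ip} -p TCP --dport $port -j ACCEPT
            done
        done
        echo " done."
    fi
    if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then
        echo -en "Accepting ALL INPUT UDP connections on ports:"
        for port in $ALL_ACCEPT_INPUT_UDP; do
            for dev in $INTERFACES; do
                echo -en " $port($dev)"
                # no -d: accepted whatever destination address the packet carries
                $IPTABLES -A INPUT -i $dev -p UDP --dport $port -j ACCEPT
            done
        done
        echo " done."
    fi

    for dev in $INTERFACES; do
        ip="IP_$dev";

        var="${dev}_ACCEPT_INPUT_TCP"
        ports="${!var}"
        if [ ! -z "$ports" ]; then
            echo -en "$dev: Accepting INPUT TCP connections on ports:"
            for port in $ports; do
                echo -en " $port"
                $IPTABLES -A INPUT -i $dev -d ${!ip} -p TCP --dport $port -j ACCEPT
            done
            echo " done."
        fi

        var="${dev}_ACCEPT_INPUT_UDP"
        ports="${!var}"
        if [ ! -z "$ports" ]; then
            echo -en "$dev: Accepting INPUT UDP connections on ports:"
            for port in $ports; do
                echo -en " $port"
                # no -d: accepted whatever destination address the packet carries
                $IPTABLES -A INPUT -i $dev -p UDP --dport $port -j ACCEPT
            done
            echo " done."
        fi
    done

    # Enable outgoing TRACEROUTE requests (required e.g. by Skype, http://www.skype.com)
    if [ ! -z "$TRACEROUTE_IFACE" ]; then
        echo -en "Accepting traceroute:"

        # this host's own probes, leaving through the antispoof (presum. uplink)
        # interface(s) from their own address
        for oif in $ANTISPOOF_IFACE; do
            ip="IP_$oif"
            $IPTABLES -A OUTPUT -o $oif -p UDP \
                --sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \
                -s ${!ip} -d $ANYWHERE -j ACCEPT
        done

        # probes forwarded from the listed (inner) interfaces
        for dev in $TRACEROUTE_IFACE; do
            $IPTABLES -A FORWARD -p UDP -i $dev --sport $TRACEROUTE_SRC_PORTS \
                --dport $TRACEROUTE_DEST_PORTS -j ACCEPT
        done
        echo " done."
    fi

} # }}}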

# Accept every packet this host sends out of a restricted interface from that
# interface's own address (packets with any other source address fall through
# to the OUTPUT policy). This is an unconditional outbound allow; the only
# outbound restrictions are the source-port drops appended earlier by
# drop_output, which therefore take precedence.
allow_output()
{ # {{{
    local dev addr

    echo -en "Accepting OUTPUT packets from"
    for dev in $INTERFACES; do
        addr="IP_$dev"
        echo -en " ${!addr}($dev)"
        $IPTABLES -A OUTPUT -o $dev -s ${!addr} -j ACCEPT
    done
    echo " done."

} # }}}

allow_icmp()
{ # {{{

    echo -en "Accepting ICMP packets:"
    # Službu AUTH není dobré filtrovat pomocí DROP, protože to může
    # vést k prodlevám při navazování některých spojení. Proto jej
    # sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu
    $IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server

    # accept only allowed ICMP packets
    for type in $ACCEPT_ICMP_PACKETS; do
        echo -en " $type"
        for iface in $INTERFACES; do
            ip="IP_$iface";
            $IPTABLES -A INPUT -i $iface -d ${!ip} -p ICMP --icmp-type $type -j ACCEPT
        done
    done
    #$IPTABLES -A INPUT  -p ICMP -j LOG --log-prefix "IN  ICMP: "
    #$IPTABLES -A OUTPUT -p ICMP -j LOG --log-prefix "OUT ICMP: "
    echo " done."

} # }}}

# Append the final INPUT rule: anything that reached this point is logged
# (rate-limited through $LOG_LIMIT) and then falls through to the chain
# policy. The prefix says "drop", which is only accurate while
# DEFAULT_POLICY is DROP. $prefix is left set as a global, as before.
log_input_drop()
{ # {{{
    prefix="input drop: "
    printf "Input drop is logged with prefix '%s'\n" "$prefix"
    $IPTABLES -A INPUT $LOG_LIMIT "$prefix"
} # }}}

# Append the final OUTPUT rule: log (rate-limited via $LOG_LIMIT) whatever
# was not accepted above, then let it fall through to the chain policy.
# "drop" in the prefix assumes DEFAULT_POLICY=DROP. Sets the global $prefix.
log_output_drop()
{ # {{{
    prefix="output drop: "
    printf "Output drop is logged with prefix '%s'\n" "$prefix"
    $IPTABLES -A OUTPUT $LOG_LIMIT "$prefix"
} # }}}

# Append the final FORWARD rule: log (rate-limited via $LOG_LIMIT) whatever
# was not accepted above, then let it fall through to the chain policy.
# "drop" in the prefix assumes DEFAULT_POLICY=DROP. Sets the global $prefix.
log_forward_drop()
{ # {{{
    prefix="forward drop: "
    printf "Forward drop is logged with prefix '%s'\n" "$prefix"
    $IPTABLES -A FORWARD $LOG_LIMIT "$prefix"
} # }}}

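# Accept INPUT packets belonging to connections conntrack already knows
# (ESTABLISHED) or considers related to one (RELATED), i.e. replies to what
# this host sent or accepted.
# The rule has no interface qualifier, so it is added exactly once. The
# original appended an identical copy inside the per-interface loop -- one
# duplicate per entry in $INTERFACES -- and added nothing at all when
# $INTERFACES was empty. The per-interface listing is kept for the status
# output only.
accept_related()
{ # {{{
    local dev addr

    echo -en "Accepting ESTABLISHED, RELATED packets for IP:"
    for dev in $INTERFACES; do
        addr="IP_$dev"
        echo -en " ${!addr}($dev)"
    done
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo " done."

} # }}}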

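# Loopback must not be restricted: accept everything on $LO_IFACE.
# Fix: the original only opened INPUT. The interface split below keeps "lo"
# out of $INTERFACES, so allow_output never adds an OUTPUT rule for it, and
# allow_accept_all only covers interfaces the admin listed in
# IFACE_ACCEPT_ALL. With the DROP default policy, packets the host sends to
# itself were therefore dropped (and logged as "output drop") unless "lo" was
# listed there. The OUTPUT direction is now accepted here as well.
accept_loopback()
{ # {{{

    echo -en "Accepting loopback:"
    $IPTABLES -A INPUT  -i $LO_IFACE -j ACCEPT
    $IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
    echo " done."

} # }}}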

# Discover interfaces and their addresses by parsing ifconfig(8) output with
# awk and eval'ing the generated shell assignments. For every interface NAME
# it defines and exports IFACE_NAME, IP_NAME, Bcast_NAME, Mask_NAME and
# HWaddr_NAME, and finally "interfaces" (space-separated list of all names).
# Tested on Linux and FreeBSD; two output layouts are recognised (see the
# awk rules): the classic Linux net-tools one ("eth0      Link encap:..." /
# "inet addr:A  Bcast:B  Mask:M") and the BSD one ("eth0: flags=..." /
# "inet A netmask M broadcast B" / "ether HW").
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh
#
# NOTE(review) -- limitations visible in the awk rules:
#  * The header patterns admit only [a-zA-Z0-9] in a name. An interface whose
#    name contains '.', '-' or '_' (e.g. a VLAN "eth0.100" or bridge "br-lan")
#    matches neither header rule, so "iface" keeps the previous interface's
#    name and that interface's IP_/Bcast_/Mask_ values are overwritten with
#    the unnamed interface's addresses.
#  * Linux layout: fields are taken by position after splitting on [ \t:]+.
#    An address line without "Bcast:" (lo prints only addr and Mask) shifts
#    the fields, so Bcast_ receives the netmask and Mask_ stays empty.
#    HWaddr_ is field 5 of the header line, which is the MAC only on
#    "Link encap:Ethernet  HWaddr xx" headers.
#  * BSD layout: the netmask is field 4 verbatim (FreeBSD prints it in hex).
#    masquerade() joins IP_/Mask_ into "ip/mask" for iptables, which needs a
#    dotted-quad or prefix length -- TODO confirm on the target system.
#    Recent Linux net-tools print this BSD-style layout too, so on such
#    systems the "FreeBSD" rules are the ones that fire.
#  * The generated text is executed with eval. Interface names come from the
#    kernel and creating one needs CAP_NET_ADMIN, so this is not attacker-
#    controlled input in practice, but an unexpected character in a name
#    turns into a shell syntax error (or code) here.
#  * If nothing usable is parsed the IP_ variables stay unset; the unquoted
#    "-d ${!ip}" / "-s ${!ip}" in later functions then expand to nothing and
#    iptables most likely rejects the malformed rule.
parse_ifconfig()
{ # {{{
    # Parse output from ifconfig:
    eval `$IFCONFIG | \
        $AWK 'BEGIN { interfaces=""; }
            /^[a-zA-Z0-9]+[ \t]+/ { # Linux
                iface=$1;
                interfaces = sprintf("%s %s", interfaces, iface);
                printf "\nIFACE_%s=\"%s\";    export IFACE_%s;\n", iface, iface, iface;
                printf "HWaddr_%s=\"%s\";    export HWaddr_%s;\n", iface, $5, iface;
            }
            /^[ \t]+inet addr:/ { # Linux
                split($0, fields, "[ \t:]+");
                printf "IP_%s=\"%s\";    export IP_%s;\n", iface, fields[4], iface;
                printf "Bcast_%s=\"%s\";    export Bcast_%s;\n", iface, fields[6], iface;
                printf "Mask_%s=\"%s\";    export Mask_%s;\n", iface, fields[8],  iface;
            }
            /^[a-zA-Z0-9]+:/ { # FreeBSD
                iface = $1;
                sub(":", "", iface);
                interfaces = sprintf("%s %s", interfaces, iface);
                printf "\nIFACE_%s=\"%s\";    export IFACE_%s;\n", iface, iface, iface;
            }
            /^[ \t]+inet [0-9]+/ { # FreeBSD
                printf "IP_%s=\"%s\";    export IP_%s;\n", iface, $2, iface;
                printf "Bcast_%s=\"%s\";    export Bcast_%s;\n", iface, $6, iface;
                printf "Mask_%s=\"%s\";    export Mask_%s;\n", iface, $4,  iface;
            }
            /^[ \t]+ether/ { # FreeBSD
                printf "HWaddr_%s=\"%s\";    export HWaddr_%s;\n", iface, $2, iface;
            }
            END { printf "\ninterfaces=\"%s\";     export interfaces;\n", interfaces; }
    '`

    # Now we have defined variables like this:
    # IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0
    # IFACE_lo   HWaddr_lo   IP_lo   Bcast_lo   Mask_lo
    # interfaces   (note: starts with a space, harmless for word splitting)

} # }}}


# Discover the interfaces (defines IP_*, Mask_* ... and $interfaces) and show them.
parse_ifconfig
print_iface_status

#
# Split the discovered interfaces into 2 groups:
#
# $INTERFACES_ACCEPT_ALL - interfaces without restrictions: every name that
#               matches a pattern in $IFACE_ACCEPT_ALL, plus "lo" always.
#               NOTE: this list is computed but not read anywhere else in
#               this file -- allow_accept_all works from the raw
#               $IFACE_ACCEPT_ALL patterns (iptables expands the "+" itself),
#               and "lo" is only opened by accept_loopback.
#
# $INTERFACES - all other interfaces; every per-interface rule function
#               (syn_flood, drop_output, allow_input, allow_output,
#               allow_icmp, accept_related, mangle_output) iterates over this.
#
# list of all interfaces is in $interfaces variable
#
INTERFACES=""
INTERFACES_ACCEPT_ALL=""
# Turn the space-separated patterns into one anchored alternation for grep:
# "tun+ tap+" -> ^\(tun.*\|tap.*\)$  (a trailing "+" becomes ".*"; a "." in a
# pattern is NOT escaped and so matches any character). With an empty
# $IFACE_ACCEPT_ALL the regexp is ^\(\)$ and matches no interface name.
regexp='^\('`echo $IFACE_ACCEPT_ALL | sed 's/ /\\\|/g; s/+/.*/g;'`'\)$'
for iface in $interfaces; do
    #if [ "o$iface" = "olo" ]; then continue; fi
    echo $iface | grep -q -e "$regexp"
    if [ $? = 0 ] || [ "o$iface" = "olo" ]; then # lo interface is always here
        INTERFACES_ACCEPT_ALL="$INTERFACES_ACCEPT_ALL $iface";
    else
        INTERFACES="$INTERFACES $iface";
    fi
done


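#
# Entry point. Needs root (iptables, depmod/modprobe).
#
#   start   Set the DROP default policy FIRST, flush everything, then build
#           the rule set in the order listed. Order matters because rules are
#           appended: what comes earlier wins (allow_accept_all before the
#           scan/INVALID/spoof filters, drop_output before allow_output, the
#           log_*_drop rules last). While the rules are rebuilt the host is
#           closed (fail-closed), so a "start" over an SSH session briefly
#           stalls that session.
#   stop    Set the default policy, flush all rules, unload the modules.
#           NOTE: with the default DEFAULT_POLICY=DROP this leaves the host
#           with an EMPTY rule set and DROP on INPUT/OUTPUT/FORWARD, loopback
#           included -- i.e. "stop" cuts off all traffic, including the
#           session it was started from. Set DEFAULT_POLICY=ACCEPT in the
#           config if "stop" is supposed to mean "no firewall".
#   status  Print the interface table and the filter table rules (nat and
#           mangle are not shown).
#
# Fix: the usage message listed "stop" twice and never mentioned "status".
#
case "$1" in
    start)
        echo -n "Starting $DESC: "
        # Inicialize modules
        $DEPMOD -a
        load_modules
        set_default_policy
        remove_chains
        #
        # (un)comment next lines as needed
        #
        allow_accept_all
        nmap_scan_filter
        invalid_packet_filter
        anti_spoof_filter
        syn_flood
        mangle_prerouting
        mangle_output
        log_new_connections
        drop_output
        allow_input
        allow_output
        allow_icmp
        accept_related
        accept_loopback
        masquerade
        log_input_drop
        log_output_drop
        log_forward_drop
        ;;

    stop)
        echo -n "Stopping $DESC: "
        set_default_policy
        remove_chains
        unload_modules
        ;;

    status)
        print_iface_status; echo
        $IPTABLES -L -nv
        ;;

    *)
        echo "Usage: $0 {start|stop|status}" >&2
        exit 1
        ;;
esac

exit 0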

# vim600: fdm=marker fdl=0 fdc=3

