[people/arne_f/ipfire-3.x.git] / firewall / src / functions.iptables

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2009  Michael Tremer & Christian Schmidt                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IPTABLES_FILE=$TMPDIR/iptables

function iptables() {
	local arg
	local args
	local table

	table=filter

	# Parsing arguments
	while [ $# -gt 0 ]; do
		arg=${1}
		shift
		case "${arg}" in
			-t)
				table=${1}
				shift
				;;
			-A)
				args="${args} -A $(uppercase ${1})"
				shift
				;;
			*)
				args="${args} ${arg}"
				;;
		esac
	done
	echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table}
}

function iptables_flush() {
	decho "Flushing iptables"
	iptables "* filter"
	chain_create INPUT ACCEPT
	chain_create OUTPUT ACCEPT
	chain_create FORWARD ACCEPT
}

function iptables_init() {
	iptables "* filter"
	chain_create -t filter INPUT       DROP
	chain_create -t filter OUTPUT      DROP
	chain_create -t filter FORWARD     DROP

	iptables -t mangle "* mangle"
	chain_create -t mangle PREROUTING  ACCEPT
	chain_create -t mangle INPUT       ACCEPT
	chain_create -t mangle OUTPUT      ACCEPT
	chain_create -t mangle FORWARD     ACCEPT
	chain_create -t mangle POSTROUTING ACCEPT

	iptables -t nat "* nat"
	chain_create -t nat    PREROUTING  ACCEPT
	chain_create -t nat    OUTPUT      ACCEPT
	chain_create -t nat    POSTROUTING ACCEPT
}

function iptables_commit() {
	local chain

	vecho "Committing firewall configuration."
	iptables -t filter "COMMIT"
	iptables -t mangle "COMMIT"
	iptables -t nat    "COMMIT"

	for table in filter mangle nat; do
		[ -e ${IPTABLES_FILE}-${table} ] || continue
		cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
	done

	decho "Dumping iptables output"
	if debug; then
		counter=1
		cat $IPTABLES_FILE | while read LINE; do
			printf "%4d | %s\n" "$counter" "$LINE"
			counter=$(( $counter + 1 ))
		done
	fi

	iptables-restore $(debug && echo "-v") < $IPTABLES_FILE
}

function chain_create() {
	local args
	if [ "${1}" = "-t" ]; then
		args="${1} ${2}"
		shift 2
	fi
	iptables ${args} ":$1 ${2--} [0:0]"
}

function iptables_LOG() {
	local prefix
	prefix=$1

	if [ "$LOG_FACILITY" = "syslog" ]; then
		echo -n "LOG"
		[ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
	else
		echo -n "NFLOG"
		[ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
		echo -n " --nflog-threshold 30"
	fi
	echo
}

function iptables_protocol() {
	local PROTO
	PROTO=$1
	for proto in tcp udp esp ah; do
		if [ "$PROTO" = "$proto" ]; then
			echo "-p $PROTO"
			break
		fi
	done
}

IPTABLES_PORT=0
IPTABLES_MULTIPORT=1
IPTABLES_PORTRANGE=2

function _iptables_port_range() {
	grep -q ":" <<< $@
}

function _iptables_port_multiport() {
	grep -q "," <<< $@
}

function _iptables_port() {
	if _iptables_port_range "$@"; then
		echo $IPTABLES_PORTRANGE
	elif _iptables_port_multiport "$@"; then
		echo $IPTABLES_MULTIPORT
	else
		echo $IPTABLES_PORT
	fi
}

function iptables_source_port() {
	[ -z "$@" ] && return
	local type
	type=$(_iptables_port $@)
	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
		echo "-m multiport --source-ports $@"
	else
		echo "--sport $@"
	fi
}

function iptables_destination_port() {
	[ -z "$@" ] && return
	local type
	type=$(_iptables_port $@)
	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
		echo "-m multiport --destination-ports $@"
	else
		echo "--dport $@"
	fi
}
Commit	Line	Data
8838c71a MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	IPTABLES_FILE=$TMPDIR/iptables
	23
	24	function iptables() {
dbfeda6c MT	25	local arg
	26	local args
	27	local table
	28
	29	table=filter
	30
	31	# Parsing arguments
	32	while [ $# -gt 0 ]; do
	33	arg=${1}
	34	shift
	35	case "${arg}" in
	36	-t)
	37	table=${1}
	38	shift
	39	;;
	40	-A)
	41	args="${args} -A $(uppercase ${1})"
	42	shift
	43	;;
	44	*)
	45	args="${args} ${arg}"
	46	;;
	47	esac
	48	done
	49	echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table}
8838c71a MT	50	}
	51
	52	function iptables_flush() {
2534973b	53	decho "Flushing iptables"
dbfeda6c MT	54	iptables "* filter"
	55	chain_create INPUT ACCEPT
	56	chain_create OUTPUT ACCEPT
	57	chain_create FORWARD ACCEPT
8838c71a MT	58	}
	59
	60	function iptables_init() {
8838c71a	61	iptables "* filter"
dbfeda6c MT	62	chain_create -t filter INPUT DROP
	63	chain_create -t filter OUTPUT DROP
	64	chain_create -t filter FORWARD DROP
	65
	66	iptables -t mangle "* mangle"
	67	chain_create -t mangle PREROUTING ACCEPT
	68	chain_create -t mangle INPUT ACCEPT
	69	chain_create -t mangle OUTPUT ACCEPT
	70	chain_create -t mangle FORWARD ACCEPT
	71	chain_create -t mangle POSTROUTING ACCEPT
	72
	73	iptables -t nat "* nat"
	74	chain_create -t nat PREROUTING ACCEPT
	75	chain_create -t nat OUTPUT ACCEPT
	76	chain_create -t nat POSTROUTING ACCEPT
8838c71a MT	77	}
	78
	79	function iptables_commit() {
dbfeda6c MT	80	local chain
dbfeda6c MT	81
8838c71a	82	vecho "Committing firewall configuration."
dbfeda6c MT	83	iptables -t filter "COMMIT"
	84	iptables -t mangle "COMMIT"
	85	iptables -t nat "COMMIT"
	86
	87	for table in filter mangle nat; do
	88	[ -e ${IPTABLES_FILE}-${table} ] \|\| continue
	89	cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
	90	done
	91
2534973b	92	decho "Dumping iptables output"
dbfeda6c MT	93	if debug; then
	94	counter=1
	95	cat $IPTABLES_FILE \| while read LINE; do
	96	printf "%4d \| %s\n" "$counter" "$LINE"
	97	counter=$(( $counter + 1 ))
	98	done
	99	fi
	100
	101	iptables-restore $(debug && echo "-v") < $IPTABLES_FILE
8838c71a MT	102	}
	103
	104	function chain_create() {
dbfeda6c MT	105	local args
	106	if [ "${1}" = "-t" ]; then
	107	args="${1} ${2}"
	108	shift 2
	109	fi
	110	iptables ${args} ":$1 ${2--} [0:0]"
8838c71a MT	111	}
	112
	113	function iptables_LOG() {
	114	local prefix
	115	prefix=$1
	116
c10ee854 MT	117	if [ "$LOG_FACILITY" = "syslog" ]; then
	118	echo -n "LOG"
	119	[ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
	120	else
8838c71a MT	121	echo -n "NFLOG"
	122	[ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
	123	echo -n " --nflog-threshold 30"
8838c71a MT	124	fi
	125	echo
	126	}
	127
	128	function iptables_protocol() {
	129	local PROTO
	130	PROTO=$1
	131	for proto in tcp udp esp ah; do
	132	if [ "$PROTO" = "$proto" ]; then
	133	echo "-p $PROTO"
	134	break
	135	fi
	136	done
	137	}
	138
	139	IPTABLES_PORT=0
	140	IPTABLES_MULTIPORT=1
	141	IPTABLES_PORTRANGE=2
	142
	143	function _iptables_port_range() {
	144	grep -q ":" <<< $@
	145	}
	146
	147	function _iptables_port_multiport() {
	148	grep -q "," <<< $@
	149	}
	150
	151	function _iptables_port() {
	152	if _iptables_port_range "$@"; then
	153	echo $IPTABLES_PORTRANGE
	154	elif _iptables_port_multiport "$@"; then
	155	echo $IPTABLES_MULTIPORT
	156	else
	157	echo $IPTABLES_PORT
	158	fi
	159	}
	160
	161	function iptables_source_port() {
	162	[ -z "$@" ] && return
	163	local type
	164	type=$(_iptables_port $@)
	165	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
	166	echo "-m multiport --source-ports $@"
	167	else
	168	echo "--sport $@"
	169	fi
	170	}
	171
	172	function iptables_destination_port() {
	173	[ -z "$@" ] && return
	174	local type
	175	type=$(_iptables_port $@)
	176	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
	177	echo "-m multiport --destination-ports $@"
	178	else
	179	echo "--dport $@"
	180	fi
	181	}