1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2009 Michael Tremer & Christian Schmidt # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
# Spool file for iptables-restore. Per-table fragments are written to
# "${IPTABLES_FILE}-<table>" by iptables() and concatenated into this path
# by iptables_commit().
# NOTE(review): relies on TMPDIR being set and private to this run; with
# TMPDIR unset this resolves to "/iptables" — confirm the caller exports it.
IPTABLES_FILE="${TMPDIR}/iptables"
23 | ||
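function iptables() {
	# Queue one rule line for iptables-restore instead of invoking the
	# iptables binary (this function deliberately shadows it).
	#   -t TABLE  selects the per-table spool file (default: filter)
	#   -A CHAIN  is re-emitted with CHAIN uppercased via the uppercase
	#             helper defined elsewhere in this file
	#   anything else is appended verbatim, in order
	# Returns 1 when -t or -A is the last argument, which would otherwise
	# silently spool into "${IPTABLES_FILE}-" or emit a bare "-A".
	local arg
	local -a args=()
	local table="filter"

	while [ $# -gt 0 ]; do
		arg="${1}"
		shift
		case "${arg}" in
			-t)
				if [ $# -eq 0 ]; then
					echo "iptables: -t requires a table name" >&2
					return 1
				fi
				table="${1}"
				shift
				;;
			-A)
				if [ $# -eq 0 ]; then
					echo "iptables: -A requires a chain name" >&2
					return 1
				fi
				args+=("-A" "$(uppercase "${1}")")
				shift
				;;
			*)
				args+=("${arg}")
				;;
		esac
	done

	# One rule per line, space-joined; quoting the target keeps a TMPDIR
	# containing whitespace from breaking the redirection.
	printf '%s\n' "${args[*]}" >> "${IPTABLES_FILE}-${table}"
}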
51 | ||
function iptables_flush() {
	# Spool a fresh filter-table header whose built-in chains all carry an
	# ACCEPT policy. Only the filter table is touched here.
	local chain

	decho "Flushing iptables"
	iptables "* filter"
	for chain in INPUT OUTPUT FORWARD; do
		chain_create "${chain}" ACCEPT
	done
}
59 | ||
function iptables_init() {
	# Spool the table headers and built-in chains for a new ruleset:
	# the filter chains default to DROP, the mangle and nat chains to
	# ACCEPT. Order matters — each "* table" header must precede its
	# chain declarations in the iptables-restore input.
	local chain

	iptables "* filter"
	for chain in INPUT OUTPUT FORWARD; do
		chain_create -t filter "${chain}" DROP
	done

	iptables -t mangle "* mangle"
	for chain in PREROUTING INPUT OUTPUT FORWARD POSTROUTING; do
		chain_create -t mangle "${chain}" ACCEPT
	done

	iptables -t nat "* nat"
	for chain in PREROUTING OUTPUT POSTROUTING; do
		chain_create -t nat "${chain}" ACCEPT
	done
}
78 | ||
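function iptables_commit() {
	# Terminate every per-table spool with COMMIT, concatenate the spools
	# in filter/mangle/nat order into ${IPTABLES_FILE}, optionally dump the
	# result with line numbers when debugging, then load it with
	# iptables-restore. The function's exit status is that of
	# iptables-restore; callers presumably check it — confirm.
	local table
	local counter
	local line

	vecho "Committing firewall configuration."
	for table in filter mangle nat; do
		iptables -t "${table}" "COMMIT"
	done

	# NOTE(review): the combined file is opened for append, so a leftover
	# ${IPTABLES_FILE} from an earlier run would be loaded again — this
	# assumes TMPDIR is fresh per run; confirm.
	for table in filter mangle nat; do
		[ -e "${IPTABLES_FILE}-${table}" ] || continue
		cat "${IPTABLES_FILE}-${table}" >> "${IPTABLES_FILE}"
	done

	decho "Dumping iptables output"
	if debug; then
		counter=1
		# read -r with an empty IFS prints each rule byte-for-byte instead of
		# collapsing whitespace and eating backslashes.
		while IFS= read -r line; do
			printf "%4d | %s\n" "${counter}" "${line}"
			counter=$(( counter + 1 ))
		done < "${IPTABLES_FILE}"
	fi

	# The substitution is intentionally unquoted: it must vanish entirely
	# (not become an empty argument) when debug is off.
	iptables-restore $(debug && echo "-v") < "${IPTABLES_FILE}"
}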
103 | ||
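function chain_create() {
	# Spool a chain declaration ":CHAIN POLICY [0:0]" for iptables-restore.
	# Usage: chain_create [-t TABLE] CHAIN [POLICY]
	# POLICY defaults to "-", the placeholder iptables-restore expects for
	# chains that carry no policy. Returns 1 when the chain name is missing,
	# which would otherwise spool a malformed ": - [0:0]" line.
	local -a args=()

	if [ "${1}" = "-t" ]; then
		if [ $# -lt 3 ]; then
			echo "chain_create: -t requires a table and a chain name" >&2
			return 1
		fi
		args=("-t" "${2}")
		shift 2
	fi
	if [ -z "${1}" ]; then
		echo "chain_create: missing chain name" >&2
		return 1
	fi

	iptables "${args[@]}" ":${1} ${2--} [0:0]"
}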
112 | ||
function iptables_LOG() {
	# Print the logging target for a rule: "LOG" when LOG_FACILITY is
	# "syslog", otherwise "NFLOG" with a fixed threshold of 30. An optional
	# first argument becomes the (double-quoted) log prefix.
	# NOTE(review): the prefix is embedded between literal double quotes,
	# so a prefix containing '"' would corrupt the spooled rule line —
	# presumably callers pass fixed labels; confirm.
	local prefix="${1}"
	local target

	if [ "${LOG_FACILITY}" = "syslog" ]; then
		target="LOG"
		if [ -n "${prefix}" ]; then
			target="${target} --log-prefix \"${prefix}\""
		fi
	else
		target="NFLOG"
		if [ -n "${prefix}" ]; then
			target="${target} --nflog-prefix \"${prefix}\""
		fi
		target="${target} --nflog-threshold 30"
	fi

	echo "${target}"
}
127 | ||
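function iptables_protocol() {
	# Print "-p PROTO" when the argument is one of the protocols a rule may
	# match on (tcp, udp, esp, ah); anything else, including no argument,
	# prints nothing. A case statement is used instead of a loop so no
	# helper variable is left behind in the global scope.
	local proto="${1}"

	case "${proto}" in
		tcp|udp|esp|ah)
			echo "-p ${proto}"
			;;
	esac
}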
138 | ||
# Port-spec classes reported by _iptables_port(); callers compare them as
# strings.
IPTABLES_PORT=0        # neither a list nor a range
IPTABLES_MULTIPORT=1   # comma-separated list
IPTABLES_PORTRANGE=2   # FIRST:LAST range
142 | ||
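function _iptables_port_range() {
	# Succeed (exit 0) when the port spec — all arguments joined — contains
	# a ":", i.e. a FIRST:LAST range. A bash pattern match avoids spawning
	# grep for every rule and does not depend on how an unquoted "$@"
	# is joined inside a here-string.
	[[ "$*" == *:* ]]
}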
146 | ||
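function _iptables_port_multiport() {
	# Succeed (exit 0) when the port spec — all arguments joined — contains
	# a ",", i.e. a comma-separated port list. A bash pattern match avoids
	# spawning grep for every rule and does not depend on how an unquoted
	# "$@" is joined inside a here-string.
	[[ "$*" == *,* ]]
}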
150 | ||
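function _iptables_port() {
	# Classify a port spec and print one of the IPTABLES_* class values:
	#   IPTABLES_MULTIPORT  comma-separated list
	#   IPTABLES_PORTRANGE  bare FIRST:LAST range
	#   IPTABLES_PORT       anything else
	# The list check runs before the range check: a list such as
	# "22,80:90" contains both separators, and only the multiport match
	# accepts ranges inside a list, whereas "--sport 22,80:90" is rejected
	# by iptables-restore.
	if _iptables_port_multiport "$@"; then
		echo "${IPTABLES_MULTIPORT}"
	elif _iptables_port_range "$@"; then
		echo "${IPTABLES_PORTRANGE}"
	else
		echo "${IPTABLES_PORT}"
	fi
}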
160 | ||
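function iptables_source_port() {
	# Print the source-port match for a rule: "-m multiport --source-ports"
	# when the spec is a comma-separated list, plain "--sport" otherwise
	# (single port or FIRST:LAST range). Prints nothing for an empty spec.
	# All arguments are joined with "$*": testing "$@" with [ -z ] raises
	# "too many arguments" as soon as more than one word is passed.
	local ports="$*"
	local type

	[ -n "${ports}" ] || return 0

	type=$(_iptables_port "${ports}")
	if [ "${type}" = "${IPTABLES_MULTIPORT}" ]; then
		echo "-m multiport --source-ports ${ports}"
	else
		echo "--sport ${ports}"
	fi
}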
171 | ||
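function iptables_destination_port() {
	# Print the destination-port match for a rule: "-m multiport
	# --destination-ports" when the spec is a comma-separated list, plain
	# "--dport" otherwise (single port or FIRST:LAST range). Prints nothing
	# for an empty spec.
	# All arguments are joined with "$*": testing "$@" with [ -z ] raises
	# "too many arguments" as soon as more than one word is passed.
	local ports="$*"
	local type

	[ -n "${ports}" ] || return 0

	type=$(_iptables_port "${ports}")
	if [ "${type}" = "${IPTABLES_MULTIPORT}" ]; then
		echo "-m multiport --destination-ports ${ports}"
	else
		echo "--dport ${ports}"
	fi
}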