[people/stevee/network.git] / functions.policy

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

function policy_add_zone() {
	local zone=${1}
	assert isset zone

	log DEBUG "Creating firewall policy for zone '${zone}'."

	local chain="ZONE_${zone}"
	chain=${chain^^}

	# Create filter chain.
	iptables_chain_create ${chain}
	iptables -A INPUT   -i ${zone} -j ${chain}
	iptables -A FORWARD -i ${zone} -j ${chain}
	iptables -A FORWARD -o ${zone} -j ${chain}
	iptables -A OUTPUT  -o ${zone} -j ${chain}

	# Leave some space for own rules right at the beginning
	# to make it possible to overwrite _everything_.
	iptables_chain_create ${chain}_CUSTOM
	iptables -A ${chain} -j ${chain}_CUSTOM

	# Intrusion Prevention System
	iptables_chain_create ${chain}_IPS
	iptables -A ${chain} -i ${zone} -j ${chain}_IPS

	# Rules for incoming packets.
	iptables_chain_create ${chain}_RULES_INC
	iptables -A ${chain} -i ${zone} -j ${chain}_RULES_INC

	# Rules for outgoing packets.
	iptables_chain_create ${chain}_RULES_OUT
	iptables -A ${chain} -o ${zone} -j ${chain}_RULES_OUT

	# Policy rules
	iptables_chain_create ${chain}_POLICY
	iptables -A ${chain} -j ${chain}_POLICY

	# Create mangle chain.
	iptables_chain_create -t mangle ${chain}
	iptables -t mangle -A PREROUTING  -i ${zone} -j ${chain}
	iptables -t mangle -A POSTROUTING -o ${zone} -j ${chain}

	# Quality of Service
	iptables_chain_create -t mangle ${chain}_QOS_INC
	iptables -t mangle -A ${chain} -i ${zone} -j ${chain}_QOS_INC
	iptables_chain_create -t mangle ${chain}_QOS_OUT
	iptables -t mangle -A ${chain} -o ${zone} -j ${chain}_QOS_OUT

	# Create NAT chain.
	iptables_chain_create -4 -t nat ${chain}
	iptables -4 -t nat -A PREROUTING  -i ${zone} -j ${chain}
	iptables -4 -t nat -A POSTROUTING -o ${zone} -j ${chain}

	# Network Address Translation
	iptables_chain_create -4 -t nat ${chain}_NAT
	iptables -4 -t nat -A ${chain} -i ${zone} -j ${chain}_NAT

	# Port forwarding
	iptables_chain_create -4 -t nat ${chain}_PORTFW
	iptables -4 -t nat -A ${chain} -i ${zone} -j ${chain}_PORTFW

	# UPNP
	iptables_chain_create -4 -t nat ${chain}_UPNP
	iptables -4 -t nat -A ${chain} -j ${chain}_UPNP

	# After the chains that are always available have been
	# created, we will add a custom policy to every single
	# zone.

	# Local zones are currently allowed to access everything.
	if zone_is_local ${zone}; then
		policy_allow_all ${zone} ${chain}

	# Uplink connections are not.
	else
		: # XXX TODO
	fi

	# Import all configured rules and those things.
	policy_import_all_rules ${zone} ${chain}
}

function policy_add_localhost() {
	log DEBUG "Creating firewall policy for localhost..."

	# Accept everything on lo
	iptables -A INPUT  -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT
}

function policy_allow_all() {
	local zone=${1}
	assert isset zone

	local chain=${2}
	assert isset chain

	# Just accept everything.
	iptables -A ${chain}_POLICY -j ACCEPT
}

function policy_drop_all() {
	# Nothing to do here, because that is the
	# default policy of the INPUT/OUTPUT/FORWARD chain.
	:
}

function policy_import_all_rules() {
	# This will populate all chains with the rules
	# for the given zone.

	local zone=${1}
	assert isset zone

	local chain=${2}
	assert isset chain

	# XXX TODO
}
Commit	Line	Data
98146c00 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	function policy_add_zone() {
	23	local zone=${1}
	24	assert isset zone
	25
	26	log DEBUG "Creating firewall policy for zone '${zone}'."
	27
	28	local chain="ZONE_${zone}"
	29	chain=${chain^^}
	30
	31	# Create filter chain.
	32	iptables_chain_create ${chain}
	33	iptables -A INPUT -i ${zone} -j ${chain}
	34	iptables -A FORWARD -i ${zone} -j ${chain}
	35	iptables -A FORWARD -o ${zone} -j ${chain}
	36	iptables -A OUTPUT -o ${zone} -j ${chain}
	37
	38	# Leave some space for own rules right at the beginning
	39	# to make it possible to overwrite _everything_.
	40	iptables_chain_create ${chain}_CUSTOM
	41	iptables -A ${chain} -j ${chain}_CUSTOM
	42
	43	# Intrusion Prevention System
	44	iptables_chain_create ${chain}_IPS
	45	iptables -A ${chain} -i ${zone} -j ${chain}_IPS
	46
afb7d704 MT	47	# Rules for incoming packets.
	48	iptables_chain_create ${chain}_RULES_INC
	49	iptables -A ${chain} -i ${zone} -j ${chain}_RULES_INC
98146c00	50
afb7d704 MT	51	# Rules for outgoing packets.
	52	iptables_chain_create ${chain}_RULES_OUT
	53	iptables -A ${chain} -o ${zone} -j ${chain}_RULES_OUT
98146c00 MT	54
	55	# Policy rules
	56	iptables_chain_create ${chain}_POLICY
	57	iptables -A ${chain} -j ${chain}_POLICY
	58
	59	# Create mangle chain.
	60	iptables_chain_create -t mangle ${chain}
	61	iptables -t mangle -A PREROUTING -i ${zone} -j ${chain}
	62	iptables -t mangle -A POSTROUTING -o ${zone} -j ${chain}
	63
	64	# Quality of Service
	65	iptables_chain_create -t mangle ${chain}_QOS_INC
	66	iptables -t mangle -A ${chain} -i ${zone} -j ${chain}_QOS_INC
	67	iptables_chain_create -t mangle ${chain}_QOS_OUT
	68	iptables -t mangle -A ${chain} -o ${zone} -j ${chain}_QOS_OUT
	69
	70	# Create NAT chain.
afb7d704 MT	71	iptables_chain_create -4 -t nat ${chain}
	72	iptables -4 -t nat -A PREROUTING -i ${zone} -j ${chain}
	73	iptables -4 -t nat -A POSTROUTING -o ${zone} -j ${chain}
98146c00 MT	74
98146c00 MT	75	# Network Address Translation
afb7d704 MT	76	iptables_chain_create -4 -t nat ${chain}_NAT
afb7d704 MT	77	iptables -4 -t nat -A ${chain} -i ${zone} -j ${chain}_NAT
98146c00	78
afb7d704 MT	79	# Port forwarding
	80	iptables_chain_create -4 -t nat ${chain}_PORTFW
	81	iptables -4 -t nat -A ${chain} -i ${zone} -j ${chain}_PORTFW
98146c00 MT	82
98146c00 MT	83	# UPNP
afb7d704 MT	84	iptables_chain_create -4 -t nat ${chain}_UPNP
afb7d704 MT	85	iptables -4 -t nat -A ${chain} -j ${chain}_UPNP
98146c00 MT	86
	87	# After the chains that are always available have been
	88	# created, we will add a custom policy to every single
	89	# zone.
	90
	91	# Local zones are currently allowed to access everything.
	92	if zone_is_local ${zone}; then
	93	policy_allow_all ${zone} ${chain}
	94
	95	# Uplink connections are not.
	96	else
	97	: # XXX TODO
	98	fi
afb7d704 MT	99
	100	# Import all configured rules and those things.
	101	policy_import_all_rules ${zone} ${chain}
98146c00 MT	102	}
	103
	104	function policy_add_localhost() {
	105	log DEBUG "Creating firewall policy for localhost..."
	106
	107	# Accept everything on lo
	108	iptables -A INPUT -i lo -j ACCEPT
	109	iptables -A OUTPUT -o lo -j ACCEPT
	110	}
	111
	112	function policy_allow_all() {
	113	local zone=${1}
	114	assert isset zone
	115
	116	local chain=${2}
	117	assert isset chain
	118
	119	# Just accept everything.
	120	iptables -A ${chain}_POLICY -j ACCEPT
	121	}
afb7d704 MT	122
	123	function policy_drop_all() {
	124	# Nothing to do here, because that is the
	125	# default policy of the INPUT/OUTPUT/FORWARD chain.
	126	:
	127	}
	128
	129	function policy_import_all_rules() {
	130	# This will populate all chains with the rules
	131	# for the given zone.
	132
	133	local zone=${1}
	134	assert isset zone
	135
	136	local chain=${2}
	137	assert isset chain
	138
	139	# XXX TODO
	140	}