1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
# Build a ruleset from the current firewall configuration and load it into
# the kernel.
#
# Arguments:
#   --test   build the ruleset but do not load it (the flag is forwarded to
#            iptables_load, see the log lines below). Any other argument is
#            silently ignored.
#
# The firewall lock is held for the whole build; the trap installed by
# firewall_lock_acquire releases it if anything in between aborts.
function firewall_start() {
  # Read by name through enabled(), so the variable must keep this name.
  local test="false"

  local arg
  for arg in "$@"; do
    case "${arg}" in
      --test)
        test="true"
        ;;
    esac
  done

  if enabled test; then
    log INFO "Test mode enabled."
    log INFO "The firewall ruleset will not be loaded."
  fi

  firewall_lock_acquire

  # Start from an empty ruleset with default policy DROP: whatever the rules
  # below do not explicitly allow is blocked.
  iptables_init DROP

  # Chains shared by all zones: bogus TCP flag combinations, connection
  # tracking, and MSS clamping for forwarded TCP.
  firewall_tcp_state_flags
  firewall_connection_tracking
  firewall_tcp_clamp_mss

  # Policies: localhost first, then one per configured zone.
  policy_add_localhost

  local zone
  for zone in $(zones_get_all); do
    policy_add_zone ${zone}
  done

  # "true" here means test mode: the ruleset is built but not activated.
  iptables_load ${test}

  firewall_lock_release
}
65
# Replace the loaded ruleset with an empty one whose default policy is ACCEPT.
#
# NOTE: once this returns nothing is filtered any more; "stop" means the
# packet filter is wide open, not that traffic is blocked.
function firewall_stop() {
  local policy="ACCEPT"

  firewall_lock_acquire

  # Empty ruleset, everything allowed, then activate it.
  iptables_init "${policy}"
  iptables_load

  firewall_lock_release
}
78
# Print the ruleset that is currently loaded in the kernel.
#
# Returns: EXIT_OK (the status of iptables_status itself is not propagated)
function firewall_show() {
  iptables_status

  return "${EXIT_OK}"
}
85
# Emergency mode: drop all traffic except to and from the given admin hosts.
#
# Arguments: $@ - zero or more admin host addresses. The arguments are joined
#                 and re-split on whitespace, so a single argument may also
#                 hold a space-separated list.
#
# Each admin host gets an unconditional, stateless ACCEPT in INPUT and OUTPUT.
# The values are handed to iptables as given (no validation here), so a bad
# address is only caught when iptables rejects it. None of the shared chains
# built by firewall_start (BADTCP, CONNTRACK) are installed in this mode.
function firewall_panic() {
  local hosts="$@"

  firewall_lock_acquire

  # Default policy DROP and no rules: nothing gets through ...
  iptables_init DROP

  # ... except the administrative hosts, in both directions.
  local host
  for host in ${hosts}; do
    iptables -A INPUT  -s ${host} -j ACCEPT
    iptables -A OUTPUT -d ${host} -j ACCEPT
  done

  iptables_load

  firewall_lock_release
}
107
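# Take the firewall lock and prepare a private scratch directory for the
# ruleset being built.
#
# Globals:  RUN_DIR (read), IPTABLES_TMPDIR (written)
# Returns:  EXIT_OK, or EXIT_ERROR when no scratch directory could be created
#           (the lock is released again in that case).
#
# Installs an EXIT/TERM trap that calls firewall_lock_release, replacing any
# EXIT trap the caller had set. SIGKILL cannot be trapped, so it is not listed.
function firewall_lock_acquire() {
  # TODO(review): the status of lock_acquire is not checked; what it returns
  # when the lock is already held is not visible here.
  lock_acquire "${RUN_DIR}/.firewall_lock"

  # Make sure the lock is released after the firewall script has crashed
  # or exited early.
  trap firewall_lock_release EXIT TERM

  # mktemp -d gives an unpredictable, owner-only directory, so temporary
  # rule files cannot be planted or read by other local users.
  IPTABLES_TMPDIR=$(mktemp -d)
  if [ -z "${IPTABLES_TMPDIR}" ] || [ ! -d "${IPTABLES_TMPDIR}" ]; then
    # Without a scratch directory any "${IPTABLES_TMPDIR}/..." path would
    # silently resolve to the filesystem root; bail out instead.
    firewall_lock_release
    return ${EXIT_ERROR}
  fi

  return ${EXIT_OK}
}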
119
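# Drop the scratch directory, restore default signal handling and give the
# firewall lock back. Safe to call more than once and from the EXIT trap.
#
# Globals:  RUN_DIR (read), IPTABLES_TMPDIR (read, then cleared)
function firewall_lock_release() {
  if isset IPTABLES_TMPDIR; then
    # "--" and quoting keep an odd path from being parsed as options or
    # split into several operands.
    rm -rf -- "${IPTABLES_TMPDIR}"

    # Reset the tempdir variable so a second call does nothing.
    IPTABLES_TMPDIR=
  fi

  # Restore the default handlers. The previous 'trap true EXIT TERM KILL'
  # left SIGTERM ignored for the rest of the process; SIGKILL cannot be
  # trapped at all.
  trap - EXIT TERM

  lock_release "${RUN_DIR}/.firewall_lock"
}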
134
# Create the BADTCP chains and hook them into INPUT, OUTPUT and FORWARD.
#
# BADTCP matches TCP flag combinations that never occur in a legitimate
# segment; matches are logged once (BADTCP_LOG) and dropped. Because
# firewall_start wires this chain in before CONNTRACK, these packets are
# rejected even when they would belong to an established connection.
function firewall_tcp_state_flags() {
  log INFO "Creating TCP State Flags chain..."

  # Log-then-drop target chain.
  iptables_chain_create BADTCP_LOG
  iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
  iptables -A BADTCP_LOG -j DROP

  # One "<mask> <compare>" pair per --tcp-flags rule, in the order the
  # rules are appended.
  local -a bad_flag_sets=(
    "ALL NONE"
    "SYN,FIN SYN,FIN"
    "SYN,RST SYN,RST"
    "FIN,RST FIN,RST"
    "ACK,FIN FIN"
    "ACK,PSH PSH"
    "ACK,URG URG"
  )

  iptables_chain_create BADTCP
  local flag_set
  for flag_set in "${bad_flag_sets[@]}"; do
    # Deliberately unquoted: each entry expands to the two --tcp-flags words.
    iptables -A BADTCP -p tcp --tcp-flags ${flag_set} -j BADTCP_LOG
  done

  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -A ${chain} -p tcp -j BADTCP
  done
}
154
# Clamp the TCP MSS of forwarded connections to the path MTU.
#
# Only the mangle/FORWARD chain is touched, so traffic to and from the
# firewall itself is not clamped. The rule matches the initial SYN of each
# flow (SYN set, RST clear) and lets the TCPMSS target rewrite the MSS
# option, which keeps forwarded connections working on links where ICMP
# "fragmentation needed" messages do not get through.
function firewall_tcp_clamp_mss() {
  log DEBUG "Adding rules to clamp MSS to path MTU..."

  local -a rule=(
    -t mangle -A FORWARD
    -p tcp --tcp-flags SYN,RST SYN
    -j TCPMSS --clamp-mss-to-pmtu
  )
  iptables "${rule[@]}"
}
160
# Create the CONNTRACK chain and hook it into INPUT, OUTPUT and FORWARD.
#
# Packets belonging to (or related to) a known connection are accepted;
# packets conntrack classifies as INVALID are logged and dropped. Anything
# else falls through to the per-zone policies added later by firewall_start.
function firewall_connection_tracking() {
  log INFO "Creating Connection Tracking chain..."

  iptables_chain_create CONNTRACK
  iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Log first, then drop, so INVALID packets leave a trace.
  iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
  iptables -A CONNTRACK -m state --state INVALID -j DROP

  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -A ${chain} -j CONNTRACK
  done
}
172
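# Import the user-defined rules for a zone from ${FIREWALL_CONFIG_RULES}.
#
# Arguments:
#   $1                  zone name (not used yet)
#   --table=<table>     iptables table to populate (default: filter)
#   --protocol=<proto>  ipv4 or ipv6 (default: ipv6)
#
# Globals:  FIREWALL_CONFIG_RULES (read)
#
# NOTE: still a stub (see the XXX TODO below): the rules file is read line by
# line but no iptables rules are emitted yet.
function firewall_import_rules() {
  local zone=${1}
  shift

  local protocol="ipv6"
  local table="filter"

  while [ $# -gt 0 ]; do
    case "${1}" in
      --table=*)
        table=$(cli_get_val ${1})
        ;;
      --protocol=*)
        protocol=$(cli_get_val ${1})
        ;;
    esac
    # Consume the option; without this shift the loop never terminated.
    shift
  done

  assert isoneof protocol ipv4 ipv6
  assert isoneof table $(iptables_table ${protocol})

  # XXX TODO

  # -r keeps backslashes in the rules file literal.
  local src dst proto
  while read -r src dst proto; do
    # Dispatch on the selected table. The original switched on an unset
    # ${chain}; the arms are table names, so this looks like the intended
    # variable -- TODO confirm when the arms are filled in.
    case "${table}" in
      filter)
        ;;
      nat)
        ;;
    esac
  done < "${FIREWALL_CONFIG_RULES}"
}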