1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
#
# Globals:  none read directly; everything goes through the helpers below.
# Returns:  status of the last helper call (firewall_lock_release).
function firewall_start() {
	firewall_lock_acquire

	# Start from an empty ruleset whose default policy drops everything.
	iptables_init DROP

	# Generic chains that do not depend on any zone.
	firewall_tcp_state_flags
	firewall_connection_tracking

	# Zone policies, localhost first.
	policy_add_localhost

	local all_zones z
	all_zones=$(zones_get_all)
	# Word-splitting of ${all_zones} is intended: one zone per word.
	for z in ${all_zones}; do
		policy_add_zone ${z}
	done

	# Load the assembled ruleset into the kernel.
	iptables_commit

	firewall_lock_release
}
47
# Replaces the active ruleset with an empty one whose default policy is
# ACCEPT, i.e. after this call the kernel no longer filters anything.
#
# Returns:  status of the last helper call (firewall_lock_release).
function firewall_stop() {
	firewall_lock_acquire

	# Empty ruleset, default policy ACCEPT, loaded into the kernel.
	iptables_init ACCEPT
	iptables_commit

	firewall_lock_release
}
60
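# Takes the global firewall lock and prepares a private temporary directory
# (published in IPTABLES_TMPDIR) for the ruleset that is being built.
#
# Globals:  RUN_DIR (read), IPTABLES_TMPDIR (written)
# Returns:  0 on success, 1 if no temporary directory could be created
function firewall_lock_acquire() {
	lock_acquire "${RUN_DIR}/.firewall_lock"

	# Make sure the lock is released after the firewall
	# script has crashed or exited early. KILL cannot be
	# caught by any process, so it is not listed.
	trap firewall_lock_release EXIT TERM

	# mktemp -d picks an unpredictable name and creates the directory
	# accessible to the owner only, so nobody else can plant or read
	# data there. If it fails we must not continue with an empty path.
	if ! IPTABLES_TMPDIR=$(mktemp -d) || [ ! -d "${IPTABLES_TMPDIR}" ]; then
		log ERROR "Could not create temporary directory for the firewall ruleset"
		return 1
	fi

	return 0
}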
72
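# Counterpart of firewall_lock_acquire: removes the temporary directory,
# disarms the exit trap and gives up the lock. Safe to call more than once.
#
# Globals:  RUN_DIR (read), IPTABLES_TMPDIR (read, then cleared)
function firewall_lock_release() {
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data. Quoted and with "--" so an unusual
		# path can neither be word-split nor be taken for an option.
		rm -rf -- "${IPTABLES_TMPDIR}"

		# Reset the tempdir variable so a second call skips the removal.
		IPTABLES_TMPDIR=
	fi

	# Reset the trap installed by firewall_lock_acquire
	# (KILL cannot be caught and is therefore not listed).
	trap true EXIT TERM

	lock_release "${RUN_DIR}/.firewall_lock"
}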
87
# Creates the BADTCP chain, which logs and drops TCP segments carrying flag
# combinations that do not occur in legitimate traffic, and hooks it into
# INPUT, OUTPUT and FORWARD.
function firewall_tcp_state_flags() {
	log INFO "Creating TCP State Flags chain..."

	# Everything that ends up in BADTCP_LOG is logged, then dropped.
	iptables_chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	# Each entry is "<mask> <comp>" exactly as --tcp-flags expects it.
	local -a bad_flag_combos=(
		"ALL NONE"
		"SYN,FIN SYN,FIN"
		"SYN,RST SYN,RST"
		"FIN,RST FIN,RST"
		"ACK,FIN FIN"
		"ACK,PSH PSH"
		"ACK,URG URG"
	)

	iptables_chain_create BADTCP
	local combo
	for combo in "${bad_flag_combos[@]}"; do
		# Word-splitting of ${combo} is intended: mask and comp are two arguments.
		iptables -A BADTCP -p tcp --tcp-flags ${combo} -j BADTCP_LOG
	done

	# Every built-in chain that sees TCP traffic runs through BADTCP.
	local builtin_chain
	for builtin_chain in INPUT OUTPUT FORWARD; do
		iptables -A ${builtin_chain} -p tcp -j BADTCP
	done
}
107
# Creates the CONNTRACK chain: packets of known connections are accepted,
# packets the connection tracker cannot place are logged and dropped.
# The chain is then hooked into INPUT, OUTPUT and FORWARD.
function firewall_connection_tracking() {
	log INFO "Creating Connection Tracking chain..."

	iptables_chain_create CONNTRACK
	# Known connections pass without any further rules being evaluated.
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	# INVALID: first log, then drop.
	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	local builtin_chain
	for builtin_chain in INPUT OUTPUT FORWARD; do
		iptables -A ${builtin_chain} -j CONNTRACK
	done
}
119
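# Reads the port-forwarding configuration for a zone. Argument parsing and
# the sanity checks are in place; generating the actual rules is still a
# TODO (see below), so the read loop currently has no effect.
#
# Arguments:
#   $1                    - zone the rules are generated for
#   --chain=filter|nat    - iptables table to generate rules for
#                           (nat is only accepted together with ipv4)
#   --protocol=ipv4|ipv6  - protocol family (default: ipv6)
# Globals:  FIREWALL_CONFIG_PORTFW (read)
function firewall_import_portfw() {
	local zone=${1}
	shift

	local protocol="ipv6"
	local chain="filter"

	# Consume one argument per iteration. Without the shift at the end
	# this loop never terminates once any option is passed.
	while [ $# -gt 0 ]; do
		case "${1}" in
			--chain=*)
				chain=$(cli_get_val "${1}")
				;;
			--protocol=*)
				protocol=$(cli_get_val "${1}")
				;;
			*)
				# Unknown arguments are ignored.
				;;
		esac
		shift
	done

	assert isoneof protocol ipv4 ipv6

	# nat is only accepted for ipv4.
	local -a allowed_chains=("filter")
	if [ "${protocol}" = "ipv4" ]; then
		allowed_chains+=("nat")
	fi
	assert isoneof chain "${allowed_chains[@]}"

	# XXX TODO - generate the rules for ${zone} here.

	# -r keeps backslashes in the configuration file literal; the
	# "|| [ -n ... ]" still processes a last line without a newline.
	local src dst proto
	while read -r src dst proto || [ -n "${src}" ]; do
		case "${chain}" in
			filter)
				;;
			nat)
				;;
		esac
	done < "${FIREWALL_CONFIG_PORTFW}"
}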
158
159