2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # This function initializes all kernel parameters that need to be adjusted
23 # to run this firewall properly.
24 function firewall_kernel_init
() {
25 log INFO
"Configuring kernel parameters..."
28 # Enable conntrack accounting
29 conntrack_set_accounting
"true"
31 # Adjust max. amount of simultaneous connections
32 conntrack_set_max_connections
"${CONNTRACK_MAX_CONNECTIONS}"
34 # Increase UDP connection timeout (fixes DNS)
35 conntrack_set_udp_timeout
"${CONNTRACK_UDP_TIMEOUT}"
37 # Disable sending redirects
38 log INFO
"Disabling sending redirects"
39 sysctl_set_recursively
"net.ipv6.conf" "send_redirects" 0
40 sysctl_set_recursively
"net.ipv4.conf" "send_redirects" 0
42 # Enable source route protection
43 log INFO
"Enabling source route protection"
44 sysctl_set_recursively
"net.ipv6.conf" "accept_source_route" 0
45 sysctl_set_recursively
"net.ipv4.conf" "accept_source_route" 0
47 # ICMP broadcast protection (smurf amplifier protection)
48 log INFO
"Enabling ICMP broadcast protection (smurf amplifier protection)"
49 sysctl_set
"net.ipv4.icmp_echo_ignore_broadcasts" 1
51 # ICMP Dead Error Message protection
52 log INFO
"Enabling ICMP dead error message protection"
53 sysctl_set
"net.ipv4.icmp_ignore_bogus_error_responses" 0
55 # Enable packet forwarding
56 log INFO
"Enabling packet forwarding"
57 sysctl_set_recursively
"net.ipv6.conf" "forwarding" 1
58 sysctl_set_recursively
"net.ipv4.conf" "forwarding" 1
60 # Setting some kernel performance options
61 log INFO
"Setting some kernel performance options"
62 for option
in window_scaling timestamps sack dsack fack
; do
63 sysctl_set
"net.ipv4.tcp_${option}" 1
65 sysctl_set
"net.ipv4.tcp_low_latency" 0
67 # Reduce DoS ability by reducing timeouts
68 log INFO
"Reducing DoS ability"
69 sysctl_set
"net.ipv4.tcp_fin_timeout" 30
70 sysctl_set
"net.ipv4.tcp_keepalive_time" 1800
72 # Set number of times to retry SYN in a new connection
73 sysctl_set
"net.ipv4.tcp_syn_retries" 3
75 # Set number of times to retry a SYN-ACK in a half-open new connection
76 sysctl_set
"net.ipv4.tcp_synack_retries" 2
78 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
79 sysctl_set
"net.ipv4.tcp_rfc1337" 1
81 # SYN-flood protection
82 if enabled FIREWALL_SYN_COOKIES
; then
83 log INFO
"Enabling SYN-flood protection via SYN-cookies"
84 sysctl_set_bool
"net.ipv4.tcp_syncookies" 1
86 log INFO
"Disabling SYN-flood protection via SYN-cookies"
87 sysctl_set_bool
"net.ipv4.tcp_syncookies" 0
91 if enabled FIREWALL_RP_FILTER
; then
92 log INFO
"Enabling anti-spoof from non-routable IP addresses"
93 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 1
95 log INFO
"Disabling anti-spoof from non-routable IP addresses"
96 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 0
100 if enabled FIREWALL_LOG_MARTIANS
; then
101 log INFO
"Enabling the logging of martians"
102 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 1
104 log INFO
"Disabling the logging of martians"
105 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 0
108 # ICMP redirect messages
109 if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS
; then
110 log INFO
"Enabling accepting ICMP-redirect messages"
111 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 1
112 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 1
114 log INFO
"Disabling accepting ICMP-redirect messages"
115 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 0
116 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 0
119 # Explicit Congestion Notification
120 if enabled FIREWALL_USE_ECN
; then
121 log INFO
"Enabling ECN (Explicit Congestion Notification)"
122 sysctl_set
"net.ipv4.tcp_ecn" 1
124 log INFO
"Disabling ECN (Explicit Congestion Notification)"
125 sysctl_set
"net.ipv4.tcp_ecn" 2
128 # Dynamic IP address hacking
129 log INFO
"Enabling kernel support for dynamic IP addresses"
130 sysctl_set
"net.ipv4.ip_dynaddr" 1
132 if enabled FIREWALL_PMTU_DISCOVERY
; then
133 log INFO
"Enabling PMTU discovery"
134 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 0
136 log INFO
"Disabling PMTU discovery"
137 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 1
141 if ipv4_ttl_valid
"${FIREWALL_DEFAULT_TTL}"; then
142 log INFO
"Setting default TTL to ${FIREWALL_DEFAULT_TTL}"
143 sysctl_set
"net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}"
145 log ERROR
"Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'"
146 log ERROR
" Must be between 10 and 255!"
152 # High-level function which will create a ruleset for the current firewall
153 # configuration and load it into the kernel.
154 function firewall_start
() {
155 local protocol
="${1}"
156 assert isset protocol
162 while [ $# -gt 0 ]; do
168 error
"Unrecognized argument: ${1}"
175 if enabled
test; then
176 log INFO
"Test mode enabled."
177 log INFO
"The firewall ruleset will not be loaded."
180 firewall_lock_acquire
182 # Initialize an empty iptables ruleset.
183 iptables_init
"${protocol}" "DROP"
185 # Add default chains.
186 firewall_filter_rh0_headers
"${protocol}"
187 firewall_filter_icmp
"${protocol}"
188 firewall_tcp_state_flags
"${protocol}"
189 firewall_custom_chains
"${protocol}"
190 firewall_connection_tracking
"${protocol}"
191 firewall_tcp_clamp_mss
"${protocol}"
193 # Add policies for every zone.
194 firewall_localhost_create_chains
"${protocol}"
197 for zone
in $
(zones_get_all
); do
198 # Create all needed chains for the zone.
199 firewall_zone_create_chains
"${protocol}" "${zone}"
201 # After the chains that are always available have been
202 # created, we will add a custom policy to every single
205 policy_zone_add
"${protocol}" "${zone}"
208 # Load the new ruleset.
210 if enabled testmode
; then
211 list_append args
"--test"
213 iptables_commit
"${protocol}" ${args}
215 firewall_lock_release
218 function firewall_stop
() {
219 local protocol
="${1}"
220 assert isset protocol
222 firewall_lock_acquire
224 # Initialize an empty firewall ruleset
225 # with default policy ACCEPT.
226 iptables_init
"${protocol}" ACCEPT
229 ipables_load
"${protocol}"
231 firewall_lock_release
234 function firewall_show
() {
235 local protocol
="${1}"
236 assert isset protocol
238 # Shows the ruleset that is currently loaded.
239 iptables_status
"${protocol}"
244 function firewall_panic
() {
245 local protocol
="${1}"
246 assert isset protocol
249 local admin_hosts
="$@"
251 firewall_lock_acquire
"${protocol}"
253 # Drop all communications.
254 iptables_init
"${protocol}" DROP
256 # If an admin host is provided, some administrative
257 # things will be allowed from there.
259 for admin_host
in ${admin_hosts}; do
260 iptables
"${protocol}" -A INPUT
-s "${admin_host}" -j ACCEPT
261 iptables
"${protocol}" -A OUTPUT
-d "${admin_host}" -j ACCEPT
265 iptables_commit
"${protocol}"
267 firewall_lock_release
270 function firewall_lock_acquire
() {
271 lock_acquire
${RUN_DIR}/.firewall_lock
273 # Make sure the lock is released after the firewall
274 # script has crashed or exited early.
275 trap firewall_lock_release EXIT TERM KILL
277 # Create a directory where we can put our
278 # temporary data in the most secure way as possible.
279 IPTABLES_TMPDIR
=$
(mktemp
-d)
282 function firewall_lock_release
() {
283 if isset IPTABLES_TMPDIR
; then
284 # Remove all temporary data.
285 rm -rf ${IPTABLES_TMPDIR}
287 # Reset the tempdir variable.
292 trap true EXIT TERM KILL
294 lock_release
${RUN_DIR}/.firewall_lock
297 function firewall_custom_chains
() {
298 local protocol
="${1}"
299 assert isset protocol
301 log INFO
"Creating CUSTOM* chains..."
303 # These chains are intened to be filled with
304 # rules by the user. They are processed at the very
305 # beginning so it is possible to overwrite everything.
307 iptables_chain_create
"${protocol}" CUSTOMINPUT
308 iptables
"${protocol}" -A INPUT
-j CUSTOMINPUT
310 iptables_chain_create
"${protocol}" CUSTOMFORWARD
311 iptables
"${protocol}" -A FORWARD
-j CUSTOMFORWARD
313 iptables_chain_create
"${protocol}" CUSTOMOUTPUT
314 iptables
"${protocol}" -A OUTPUT
-j CUSTOMOUTPUT
316 iptables_chain_create
"${protocol}" -t nat CUSTOMPREROUTING
317 iptables
"${protocol}" -t nat
-A PREROUTING
-j CUSTOMPREROUTING
319 iptables_chain_create
"${protocol}" -t nat CUSTOMPOSTROUTING
320 iptables
"${protocol}" -t nat
-A POSTROUTING
-j CUSTOMPOSTROUTING
322 iptables_chain_create
"${protocol}" -t nat CUSTOMOUTPUT
323 iptables
"${protocol}" -t nat
-A OUTPUT
-j CUSTOMOUTPUT
326 function firewall_tcp_state_flags
() {
327 local protocol
="${1}"
328 assert isset protocol
330 log INFO
"Creating TCP State Flags chain..."
332 iptables_chain_create
"${protocol}" BADTCP_LOG
333 iptables
"${protocol}" -A BADTCP_LOG
-p tcp
-j "$(iptables_LOG "Illegal TCP state
: ")"
334 iptables
"${protocol}" -A BADTCP_LOG
-j DROP
336 iptables_chain_create
"${protocol}" BADTCP
337 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags ALL NONE
-j BADTCP_LOG
338 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags SYN
,FIN SYN
,FIN
-j BADTCP_LOG
339 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags SYN
,RST SYN
,RST
-j BADTCP_LOG
340 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags FIN
,RST FIN
,RST
-j BADTCP_LOG
341 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags ACK
,FIN FIN
-j BADTCP_LOG
342 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags ACK
,PSH PSH
-j BADTCP_LOG
343 iptables
"${protocol}" -A BADTCP
-p tcp
--tcp-flags ACK
,URG URG
-j BADTCP_LOG
345 iptables
"${protocol}" -A INPUT
-p tcp
-j BADTCP
346 iptables
"${protocol}" -A OUTPUT
-p tcp
-j BADTCP
347 iptables
"${protocol}" -A FORWARD
-p tcp
-j BADTCP
350 function firewall_tcp_clamp_mss
() {
351 # Do nothing if this has been disabled.
352 enabled FIREWALL_CLAMP_PATH_MTU ||
return ${EXIT_OK}
354 local protocol
="${1}"
355 assert isset protocol
357 log DEBUG
"Adding rules to clamp MSS to path MTU..."
359 iptables
"${protocol}" -t mangle
-A FORWARD \
360 -p tcp
--tcp-flags SYN
,RST SYN
-j TCPMSS
--clamp-mss-to-pmtu
363 function firewall_connection_tracking
() {
364 local protocol
="${1}"
365 assert isset protocol
367 log INFO
"Creating Connection Tracking chain..."
369 iptables_chain_create
"${protocol}" CONNTRACK
370 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j ACCEPT
371 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j "$(iptables_LOG "INVALID packet
: ")"
372 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j DROP
374 iptables
"${protocol}" -A INPUT
-j CONNTRACK
375 iptables
"${protocol}" -A OUTPUT
-j CONNTRACK
376 iptables
"${protocol}" -A FORWARD
-j CONNTRACK
379 function firewall_localhost_create_chains
() {
380 local protocol
="${1}"
381 assert isset protocol
383 log DEBUG
"Creating firewall chains for localhost..."
385 # Accept everything on lo
386 iptables
"${protocol}" -A INPUT
-i lo
-j ACCEPT
387 iptables
"${protocol}" -A OUTPUT
-o lo
-j ACCEPT
390 function firewall_filter_rh0_headers
() {
391 local protocol
="${1}"
392 assert isset protocol
395 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
397 # Filter all packets that have RH0 headers
398 # http://www.ietf.org/rfc/rfc5095.txt
399 iptables_chain_create
"${protocol}" FILTER_RH0
400 iptables
"${protocol}" -A FILTER_RH0
-m rt
--rt-type 0 -j DROP
402 iptables
"${protocol}" -A INPUT
-j FILTER_RH0
403 iptables
"${protocol}" -A FORWARD
-j FILTER_RH0
404 iptables
"${protocol}" -A OUTPUT
-j FILTER_RH0
407 function firewall_filter_icmp
() {
408 local protocol
="${1}"
409 assert isset protocol
412 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
414 local chain
="FILTER_ICMPV6"
416 # Create an extra chain for handling ICMP packets.
417 iptables_chain_create
"${protocol}" "${chain}_COMMON"
420 for suffix
in INC FWD OUT
; do
421 iptables_chain_create
"${protocol}" "${chain}_${suffix}"
422 iptables
"${protocol}" -A "${chain}_${suffix}" -j "${chain}_COMMON"
424 iptables
"${protocol}" -A INPUT
-p icmpv6
-j "${chain}_INC"
425 iptables
"${protocol}" -A FORWARD
-p icmpv6
-j "${chain}_FWD"
426 iptables
"${protocol}" -A OUTPUT
-p icmpv6
-j "${chain}_OUT"
428 # Packets that must always pass the firewall.
429 # Type 4: Parameter Problem
431 for type in ttl-zero-during-reassembly bad-header
; do
432 iptables
"${protocol}" -A "${chain}_COMMON" \
433 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
436 # Packets that are accepted if they belong to an existing connection.
437 for type in echo-reply destination-unreachable packet-too-big \
438 unknown-header-type unknown-option
; do
439 iptables
"${protocol}" -A "${chain}_COMMON" \
440 -m conntrack
--ctstate ESTABLISHED
,RELATED \
441 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
444 # Packets that are always discarded.
445 # Type 100, 101, 200, 201: Private Experimentation
446 for type in 100 101 200 201; do
447 iptables
"${protocol}" -A "${chain}_COMMON" \
448 -p icmpv6
--icmpv6-type "${type}" -j DROP
451 # Discard packets from local networks with hop limit smaller than $hoplimit.
452 # Type 148: Path solicitation
453 # Type 149: Path advertisement
455 for type in {router
,neighbour
}-{advertisement
,solicitation
} 148 149; do
456 iptables
"${protocol}" -A "${chain}_INC" \
457 -p icmpv6
--icmpv6-type "${type}" \
458 -m hl
--hl-lt "${hoplimit}" -j DROP
461 # The firewall is always allowed to send ICMP echo requests.
462 iptables
"${protocol}" -A "${chain}_OUT" \
463 -p icmpv6
--icmpv6-type echo-request
-j ACCEPT
468 function firewall_zone_create_chains
() {
469 local protocol
="${1}"
470 assert isset protocol
475 log DEBUG
"Creating firewall chains for zone '${zone}'."
477 local chain_prefix
="ZONE_${zone^^}"
479 # Create filter chains.
480 iptables_chain_create
"${protocol}" "${chain_prefix}_INPUT"
481 iptables
"${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT"
483 iptables_chain_create
"${protocol}" "${chain_prefix}_OUTPUT"
484 iptables
"${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT"
487 iptables_chain_create
"${protocol}" "${chain_prefix}_CUSTOM"
489 # Intrusion Prevention System.
490 iptables_chain_create
"${protocol}" "${chain_prefix}_IPS"
492 # Create a chain for each other zone.
493 # This leaves us with n^2 chains. Duh.
495 local other_zone other_chain_prefix
496 for other_zone
in $
(zones_get_all
); do
497 other_chain_prefix
="${chain_prefix}_${other_zone^^}"
498 iptables_chain_create
"${protocol}" "${other_chain_prefix}"
500 # Connect the chain with the FORWARD chain.
501 iptables
"${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
502 -j "${other_chain_prefix}"
504 # Handle custom rules.
505 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"
508 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"
511 iptables_chain_create
"${protocol}" "${other_chain_prefix}_RULES"
512 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"
515 iptables_chain_create
"${protocol}" "${other_chain_prefix}_POLICY"
516 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
519 ## Create mangle chain.
520 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
521 #iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}"
522 #iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
524 ## Quality of Service
525 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
526 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
527 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
528 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"
531 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}"
532 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}"
533 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
535 # Network Address Translation
536 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_DNAT"
537 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT"
538 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_SNAT"
539 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"
542 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_UPNP"
543 iptables
"${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"
548 function firewall_parse_rules
() {
553 # End if no rule file exists.
554 [ -r "${file}" ] ||
return ${EXIT_OK}
558 local ${FIREWALL_RULES_CONFIG_PARAMS}
560 while read -r line
; do
562 [ -n "${line}" ] ||
continue
564 # Skip commented lines.
565 [ "${line:0:1}" = "#" ] && continue
568 _firewall_parse_rule_line
${line}
569 if [ $?
-ne ${EXIT_OK} ]; then
570 log WARNING
"Skipping invalid line: ${line}"
576 # Source IP address/net.
578 list_append cmd
"-s ${src}"
581 # Destination IP address/net.
583 list_append cmd
"-d ${dst}"
588 list_append cmd
"-p ${proto}"
590 if list_match
${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
592 list_append cmd
"--sport ${sport}"
596 list_append cmd
"--dport ${dport}"
601 # Always append the action.
602 list_append cmd
"-j ${action}"
609 function _firewall_parse_rule_line
() {
613 for arg
in ${FIREWALL_RULES_CONFIG_PARAMS}; do
618 while read -r arg
; do
619 key
=$
(cli_get_key
${arg})
621 if ! listmatch
"${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
622 log WARNING
"Unrecognized argument: ${arg}"
626 val
=$
(cli_get_val
${arg})
627 assign
"${key}" "${val}"
628 done <<< "$(args $@)"
630 # action must always be set.
631 if ! isset action
; then
632 log WARNING
"'action' is not set: $@"
636 for arg
in src dst
; do
637 isset
${arg} ||
continue
639 # Check for valid IP addresses.
640 if ! ip_is_valid
${!arg}; then
641 log WARNING
"Invalid IP address for '${arg}=${!arg}': $@"
650 if ! list_match
"${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
651 log WARNING
"Unsupported protocol type 'proto=${proto}': $@"
656 for arg
in sport dport
; do
657 isset
${arg} ||
continue
659 # Check if port is valid.
660 if ! isinteger
${arg}; then
661 log WARNING
"Invalid port '${arg}=${!arg}': $@"