[people/arne_f/ipfire-3.x.git] / firewall / src / functions.firewall

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2009  Michael Tremer & Christian Schmidt                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

function firewall_init() {
	decho "Initializing firewall interface."
	iptables_init
	firewall_tcp_state_flags
	firewall_connection_tracking
}

function firewall_tcp_state_flags() {
	vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."
	chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	chain_create BADTCP
	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN     -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH     -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG     -j BADTCP_LOG

	iptables -A INPUT   -p tcp -j BADTCP
	iptables -A OUTPUT  -p tcp -j BADTCP
	iptables -A FORWARD -p tcp -j BADTCP
}

function firewall_connection_tracking() {
	vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."
	chain_create CONNTRACK
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	iptables -A INPUT   -p tcp -j CONNTRACK
	iptables -A OUTPUT  -p tcp -j CONNTRACK
	iptables -A FORWARD -p tcp -j CONNTRACK
}
Commit	Line	Data
8838c71a MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	function firewall_init() {
2534973b	23	decho "Initializing firewall interface."
8838c71a MT	24	iptables_init
	25	firewall_tcp_state_flags
	26	firewall_connection_tracking
	27	}
	28
	29	function firewall_tcp_state_flags() {
	30	vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."
	31	chain_create BADTCP_LOG
dbfeda6c	32	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
8838c71a MT	33	iptables -A BADTCP_LOG -j DROP
	34
	35	chain_create BADTCP
	36	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	37	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	38	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	39	iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	40	iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
	41	iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
	42	iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
	43
	44	iptables -A INPUT -p tcp -j BADTCP
	45	iptables -A OUTPUT -p tcp -j BADTCP
	46	iptables -A FORWARD -p tcp -j BADTCP
	47	}
	48
	49	function firewall_connection_tracking() {
	50	vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."
	51	chain_create CONNTRACK
	52	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	53	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	54	iptables -A CONNTRACK -m state --state INVALID -j DROP
	55
	56	iptables -A INPUT -p tcp -j CONNTRACK
	57	iptables -A OUTPUT -p tcp -j CONNTRACK
	58	iptables -A FORWARD -p tcp -j CONNTRACK
	59	}