]>
Commit | Line | Data |
---|---|---|
98146c00 MT |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
ef953be2 MT |
22 | # This function initializes all kernel parameters that need to be adjusted |
23 | # to run this firewall properly. | |
1c6a4e30 | 24 | firewall_kernel_init() { |
ef953be2 MT |
25 | log INFO "Configuring kernel parameters..." |
26 | local option | |
27 | ||
28 | # Enable conntrack accounting | |
29 | conntrack_set_accounting "true" | |
30 | ||
31 | # Adjust max. amount of simultaneous connections | |
32 | conntrack_set_max_connections "${CONNTRACK_MAX_CONNECTIONS}" | |
33 | ||
34 | # Increase UDP connection timeout (fixes DNS) | |
35 | conntrack_set_udp_timeout "${CONNTRACK_UDP_TIMEOUT}" | |
36 | ||
37 | # Disable sending redirects | |
38 | log INFO "Disabling sending redirects" | |
39 | sysctl_set_recursively "net.ipv6.conf" "send_redirects" 0 | |
40 | sysctl_set_recursively "net.ipv4.conf" "send_redirects" 0 | |
41 | ||
42 | # Enable source route protection | |
43 | log INFO "Enabling source route protection" | |
44 | sysctl_set_recursively "net.ipv6.conf" "accept_source_route" 0 | |
45 | sysctl_set_recursively "net.ipv4.conf" "accept_source_route" 0 | |
46 | ||
47 | # ICMP broadcast protection (smurf amplifier protection) | |
48 | log INFO "Enabling ICMP broadcast protection (smurf amplifier protection)" | |
49 | sysctl_set "net.ipv4.icmp_echo_ignore_broadcasts" 1 | |
50 | ||
51 | # ICMP Dead Error Message protection | |
52 | log INFO "Enabling ICMP dead error message protection" | |
53 | sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 0 | |
54 | ||
55 | # Enable packet forwarding | |
56 | log INFO "Enabling packet forwarding" | |
57 | sysctl_set_recursively "net.ipv6.conf" "forwarding" 1 | |
58 | sysctl_set_recursively "net.ipv4.conf" "forwarding" 1 | |
59 | ||
60 | # Setting some kernel performance options | |
61 | log INFO "Setting some kernel performance options" | |
62 | for option in window_scaling timestamps sack dsack fack; do | |
63 | sysctl_set "net.ipv4.tcp_${option}" 1 | |
64 | done | |
65 | sysctl_set "net.ipv4.tcp_low_latency" 0 | |
66 | ||
67 | # Reduce DoS ability by reducing timeouts | |
68 | log INFO "Reducing DoS ability" | |
69 | sysctl_set "net.ipv4.tcp_fin_timeout" 30 | |
70 | sysctl_set "net.ipv4.tcp_keepalive_time" 1800 | |
71 | ||
72 | # Set number of times to retry SYN in a new connection | |
73 | sysctl_set "net.ipv4.tcp_syn_retries" 3 | |
74 | ||
75 | # Set number of times to retry a SYN-ACK in a half-open new connection | |
76 | sysctl_set "net.ipv4.tcp_synack_retries" 2 | |
77 | ||
78 | # Enable a fix for RFC1337 - time-wait assassination hazards in TCP | |
79 | sysctl_set "net.ipv4.tcp_rfc1337" 1 | |
80 | ||
81 | # SYN-flood protection | |
82 | if enabled FIREWALL_SYN_COOKIES; then | |
83 | log INFO "Enabling SYN-flood protection via SYN-cookies" | |
84 | sysctl_set_bool "net.ipv4.tcp_syncookies" 1 | |
85 | else | |
86 | log INFO "Disabling SYN-flood protection via SYN-cookies" | |
87 | sysctl_set_bool "net.ipv4.tcp_syncookies" 0 | |
88 | fi | |
89 | ||
90 | # rp_filter | |
91 | if enabled FIREWALL_RP_FILTER; then | |
92 | log INFO "Enabling anti-spoof from non-routable IP addresses" | |
93 | sysctl_set_recursively "net.ipv4.conf" "rp_filter" 1 | |
94 | else | |
95 | log INFO "Disabling anti-spoof from non-routable IP addresses" | |
96 | sysctl_set_recursively "net.ipv4.conf" "rp_filter" 0 | |
97 | fi | |
98 | ||
99 | # Log martians | |
100 | if enabled FIREWALL_LOG_MARTIANS; then | |
101 | log INFO "Enabling the logging of martians" | |
102 | sysctl_set_recursively "net.ipv4.conf" "log_martians" 1 | |
103 | else | |
104 | log INFO "Disabling the logging of martians" | |
105 | sysctl_set_recursively "net.ipv4.conf" "log_martians" 0 | |
106 | fi | |
107 | ||
108 | # ICMP redirect messages | |
109 | if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS; then | |
110 | log INFO "Enabling accepting ICMP-redirect messages" | |
111 | sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 1 | |
112 | sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 1 | |
113 | else | |
114 | log INFO "Disabling accepting ICMP-redirect messages" | |
115 | sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 0 | |
116 | sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 0 | |
117 | fi | |
118 | ||
119 | # Explicit Congestion Notification | |
120 | if enabled FIREWALL_USE_ECN; then | |
121 | log INFO "Enabling ECN (Explicit Congestion Notification)" | |
122 | sysctl_set "net.ipv4.tcp_ecn" 1 | |
6d28b29c | 123 | sysctl_set "net.ipv4.tcp_ecn_fallback" 1 |
ef953be2 MT |
124 | else |
125 | log INFO "Disabling ECN (Explicit Congestion Notification)" | |
126 | sysctl_set "net.ipv4.tcp_ecn" 2 | |
127 | fi | |
128 | ||
129 | # Dynamic IP address hacking | |
130 | log INFO "Enabling kernel support for dynamic IP addresses" | |
131 | sysctl_set "net.ipv4.ip_dynaddr" 1 | |
132 | ||
133 | if enabled FIREWALL_PMTU_DISCOVERY; then | |
134 | log INFO "Enabling PMTU discovery" | |
135 | sysctl_set "net.ipv4.ip_no_pmtu_disc" 0 | |
136 | else | |
137 | log INFO "Disabling PMTU discovery" | |
138 | sysctl_set "net.ipv4.ip_no_pmtu_disc" 1 | |
139 | fi | |
140 | ||
141 | # TTL | |
142 | if ipv4_ttl_valid "${FIREWALL_DEFAULT_TTL}"; then | |
143 | log INFO "Setting default TTL to ${FIREWALL_DEFAULT_TTL}" | |
144 | sysctl_set "net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}" | |
145 | else | |
146 | log ERROR "Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'" | |
147 | log ERROR " Must be between 10 and 255!" | |
148 | fi | |
149 | ||
150 | return ${EXIT_OK} | |
151 | } | |
152 | ||
98146c00 MT |
153 | # High-level function which will create a ruleset for the current firewall |
154 | # configuration and load it into the kernel. | |
1c6a4e30 | 155 | firewall_start() { |
fe52c5e0 MT |
156 | local protocol="${1}" |
157 | assert isset protocol | |
158 | shift | |
159 | ||
afb7d704 MT |
160 | # Test mode. |
161 | local test="false" | |
162 | ||
163 | while [ $# -gt 0 ]; do | |
164 | case "${1}" in | |
165 | --test) | |
166 | test="true" | |
167 | ;; | |
b4fc59c7 MT |
168 | *) |
169 | error "Unrecognized argument: ${1}" | |
170 | return ${EXIT_ERROR} | |
171 | ;; | |
afb7d704 MT |
172 | esac |
173 | shift | |
174 | done | |
175 | ||
176 | if enabled test; then | |
177 | log INFO "Test mode enabled." | |
178 | log INFO "The firewall ruleset will not be loaded." | |
179 | fi | |
180 | ||
98146c00 MT |
181 | firewall_lock_acquire |
182 | ||
183 | # Initialize an empty iptables ruleset. | |
fe52c5e0 | 184 | iptables_init "${protocol}" "DROP" |
98146c00 MT |
185 | |
186 | # Add default chains. | |
a7e23f3c | 187 | firewall_filter_rh0_headers "${protocol}" |
204013de | 188 | firewall_filter_icmp "${protocol}" |
4320067c | 189 | firewall_filter_invalid_packets "${protocol}" |
fe52c5e0 MT |
190 | firewall_custom_chains "${protocol}" |
191 | firewall_connection_tracking "${protocol}" | |
192 | firewall_tcp_clamp_mss "${protocol}" | |
98146c00 MT |
193 | |
194 | # Add policies for every zone. | |
fe52c5e0 | 195 | firewall_localhost_create_chains "${protocol}" |
98146c00 MT |
196 | |
197 | local zone | |
198 | for zone in $(zones_get_all); do | |
a2c9dff5 | 199 | # Create all needed chains for the zone. |
fe52c5e0 | 200 | firewall_zone_create_chains "${protocol}" "${zone}" |
a2c9dff5 MT |
201 | |
202 | # After the chains that are always available have been | |
203 | # created, we will add a custom policy to every single | |
204 | # zone. | |
205 | ||
fe52c5e0 | 206 | policy_zone_add "${protocol}" "${zone}" |
98146c00 MT |
207 | done |
208 | ||
afb7d704 | 209 | # Load the new ruleset. |
fe52c5e0 MT |
210 | local args |
211 | if enabled testmode; then | |
212 | list_append args "--test" | |
213 | fi | |
214 | iptables_commit "${protocol}" ${args} | |
98146c00 MT |
215 | |
216 | firewall_lock_release | |
217 | } | |
218 | ||
1c6a4e30 | 219 | firewall_stop() { |
fe52c5e0 MT |
220 | local protocol="${1}" |
221 | assert isset protocol | |
222 | ||
98146c00 MT |
223 | firewall_lock_acquire |
224 | ||
225 | # Initialize an empty firewall ruleset | |
226 | # with default policy ACCEPT. | |
fe52c5e0 | 227 | iptables_init "${protocol}" ACCEPT |
98146c00 | 228 | |
afb7d704 | 229 | # Load it. |
fe52c5e0 | 230 | ipables_load "${protocol}" |
afb7d704 MT |
231 | |
232 | firewall_lock_release | |
233 | } | |
234 | ||
1c6a4e30 | 235 | firewall_show() { |
fe52c5e0 MT |
236 | local protocol="${1}" |
237 | assert isset protocol | |
238 | ||
afb7d704 | 239 | # Shows the ruleset that is currently loaded. |
fe52c5e0 | 240 | iptables_status "${protocol}" |
afb7d704 MT |
241 | |
242 | return ${EXIT_OK} | |
243 | } | |
244 | ||
1c6a4e30 | 245 | firewall_panic() { |
fe52c5e0 MT |
246 | local protocol="${1}" |
247 | assert isset protocol | |
248 | shift | |
249 | ||
afb7d704 MT |
250 | local admin_hosts="$@" |
251 | ||
fe52c5e0 | 252 | firewall_lock_acquire "${protocol}" |
afb7d704 MT |
253 | |
254 | # Drop all communications. | |
fe52c5e0 | 255 | iptables_init "${protocol}" DROP |
afb7d704 MT |
256 | |
257 | # If an admin host is provided, some administrative | |
258 | # things will be allowed from there. | |
259 | local admin_host | |
260 | for admin_host in ${admin_hosts}; do | |
fe52c5e0 MT |
261 | iptables "${protocol}" -A INPUT -s "${admin_host}" -j ACCEPT |
262 | iptables "${protocol}" -A OUTPUT -d "${admin_host}" -j ACCEPT | |
afb7d704 MT |
263 | done |
264 | ||
265 | # Load it. | |
fe52c5e0 | 266 | iptables_commit "${protocol}" |
98146c00 MT |
267 | |
268 | firewall_lock_release | |
269 | } | |
270 | ||
1c6a4e30 | 271 | firewall_lock_acquire() { |
98146c00 MT |
272 | lock_acquire ${RUN_DIR}/.firewall_lock |
273 | ||
274 | # Make sure the lock is released after the firewall | |
275 | # script has crashed or exited early. | |
276 | trap firewall_lock_release EXIT TERM KILL | |
277 | ||
278 | # Create a directory where we can put our | |
279 | # temporary data in the most secure way as possible. | |
280 | IPTABLES_TMPDIR=$(mktemp -d) | |
281 | } | |
282 | ||
1c6a4e30 | 283 | firewall_lock_release() { |
98146c00 MT |
284 | if isset IPTABLES_TMPDIR; then |
285 | # Remove all temporary data. | |
286 | rm -rf ${IPTABLES_TMPDIR} | |
287 | ||
288 | # Reset the tempdir variable. | |
289 | IPTABLES_TMPDIR= | |
290 | fi | |
291 | ||
292 | # Reset the trap. | |
293 | trap true EXIT TERM KILL | |
294 | ||
295 | lock_release ${RUN_DIR}/.firewall_lock | |
296 | } | |
297 | ||
1c6a4e30 | 298 | firewall_custom_chains() { |
fe52c5e0 MT |
299 | local protocol="${1}" |
300 | assert isset protocol | |
301 | ||
3b256a38 MT |
302 | log INFO "Creating CUSTOM* chains..." |
303 | ||
304 | # These chains are intened to be filled with | |
305 | # rules by the user. They are processed at the very | |
306 | # beginning so it is possible to overwrite everything. | |
307 | ||
fe52c5e0 MT |
308 | iptables_chain_create "${protocol}" CUSTOMINPUT |
309 | iptables "${protocol}" -A INPUT -j CUSTOMINPUT | |
3b256a38 | 310 | |
fe52c5e0 MT |
311 | iptables_chain_create "${protocol}" CUSTOMFORWARD |
312 | iptables "${protocol}" -A FORWARD -j CUSTOMFORWARD | |
3b256a38 | 313 | |
fe52c5e0 MT |
314 | iptables_chain_create "${protocol}" CUSTOMOUTPUT |
315 | iptables "${protocol}" -A OUTPUT -j CUSTOMOUTPUT | |
3b256a38 | 316 | |
fe52c5e0 MT |
317 | iptables_chain_create "${protocol}" -t nat CUSTOMPREROUTING |
318 | iptables "${protocol}" -t nat -A PREROUTING -j CUSTOMPREROUTING | |
3b256a38 | 319 | |
fe52c5e0 MT |
320 | iptables_chain_create "${protocol}" -t nat CUSTOMPOSTROUTING |
321 | iptables "${protocol}" -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
3b256a38 | 322 | |
fe52c5e0 MT |
323 | iptables_chain_create "${protocol}" -t nat CUSTOMOUTPUT |
324 | iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT | |
3b256a38 MT |
325 | } |
326 | ||
1c6a4e30 | 327 | firewall_filter_invalid_packets() { |
fe52c5e0 MT |
328 | local protocol="${1}" |
329 | assert isset protocol | |
330 | ||
4320067c | 331 | local log_limit="-m limit --limit 5/m --limit-burst 10" |
fe52c5e0 | 332 | |
4320067c MT |
333 | # Create a chain |
334 | iptables_chain_create "${protocol}" FILTER_INVALID | |
335 | iptables "${protocol}" -A INPUT -j FILTER_INVALID | |
336 | iptables "${protocol}" -A OUTPUT -j FILTER_INVALID | |
337 | iptables "${protocol}" -A FORWARD -j FILTER_INVALID | |
fe52c5e0 | 338 | |
4320067c MT |
339 | # Create a chain where only TCP packets go |
340 | iptables_chain_create "${protocol}" FILTER_INVALID_TCP | |
341 | iptables "${protocol}" -A FILTER_INVALID -p tcp -j FILTER_INVALID_TCP | |
fe52c5e0 | 342 | |
4320067c MT |
343 | # Create a chain where only UDP packets go |
344 | iptables_chain_create "${protocol}" FILTER_INVALID_UDP | |
345 | iptables "${protocol}" -A FILTER_INVALID -p udp -j FILTER_INVALID_UDP | |
346 | ||
347 | # Create a chain where only ICMP packets go | |
348 | iptables_chain_create "${protocol}" FILTER_INVALID_ICMP | |
349 | iptables "${protocol}" -A FILTER_INVALID -p icmp -j FILTER_INVALID_ICMP | |
350 | ||
351 | ||
352 | # Optionally log all port scans | |
353 | ||
354 | if enabled FIREWALL_LOG_STEALTH_SCANS; then | |
355 | log INFO "Logging of stealth scans enabled" | |
356 | ||
357 | # NMAP FIN/URG/PSH - XMAS scan | |
358 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN,URG,PSH \ | |
359 | "${log_limit}" -j "$(iptables_LOG "Stealth XMAS scan")" | |
360 | ||
361 | # SYN/RST/ACK/FIN/URG | |
362 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \ | |
363 | "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-PSH scan")" | |
364 | ||
365 | # ALL/ALL | |
366 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL ALL \ | |
367 | "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-ALL scan")" | |
368 | ||
369 | # NMAP FIN Stealth | |
370 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN \ | |
371 | "${log_limit}" -j "$(iptables_LOG "Stealth FIN scan")" | |
372 | ||
373 | # SYN/RST | |
374 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,RST SYN,RST \ | |
375 | "${log_limit}" -j "$(iptables_LOG "Stealth SYN/RST scan")" | |
376 | ||
377 | # SYN/FIN | |
378 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN \ | |
379 | "${log_limit}" -j "$(iptables_LOG "Stealth SYN/FIN scan")" | |
380 | ||
381 | # Null scan | |
382 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL NONE \ | |
383 | "${log_limit}" -j "$(iptables_LOG "Stealth NULL scan")" | |
384 | else | |
385 | log INFO "Logging of stealth scans disabled" | |
386 | fi | |
387 | ||
388 | ||
389 | # Drop scan packets | |
390 | ||
391 | # NMAP FIN/URG/PSH | |
392 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | |
393 | ||
394 | # SYN/RST/ACK/FIN/URG | |
395 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP | |
396 | ||
397 | # ALL/ALL | |
398 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL ALL -j DROP | |
399 | ||
400 | # NMAP FIN Stealth | |
401 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN -j DROP | |
402 | ||
403 | # SYN/RST | |
404 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |
405 | ||
406 | # SYN/FIN | |
407 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP | |
408 | ||
409 | # Null scan | |
410 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL NONE -j DROP | |
411 | ||
412 | ||
413 | # Log packets with bad flags | |
414 | ||
415 | if enabled FIREWALL_LOG_BAD_TCP_FLAGS; then | |
416 | log INFO "Logging of packets with bad TCP flags enabled" | |
417 | ||
418 | # Option 64 | |
419 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 64 \ | |
420 | "${log_limit}" -j "$(iptables_LOG "Bad TCP flag(64)")" | |
421 | ||
422 | # Option 128 | |
423 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 128 \ | |
424 | "${log_limit}" -j "$(iptables_LOG "Bad TCP flag(128)")" | |
425 | else | |
426 | log INFO "Logging of packets with bad TCP flags disabled" | |
427 | fi | |
428 | ||
429 | # Drop packets with bad flags | |
430 | ||
431 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 64 -j DROP | |
432 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 128 -j DROP | |
433 | ||
434 | ||
435 | # Log invalid packets | |
436 | ||
437 | if enabled FIREWALL_LOG_INVALID_TCP; then | |
438 | log INFO "Logging of INVALID TCP packets enabled" | |
439 | ||
440 | iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp -m conntrack --ctstate INVALID \ | |
441 | "${log_limit}" -j "$(iptables_LOG "INVALID TCP")" | |
442 | else | |
443 | log INFO "Logging of INVALID TCP packets disabled" | |
444 | fi | |
445 | ||
446 | if enabled FIREWALL_LOG_INVALID_UDP; then | |
447 | log INFO "Logging of INVALID UDP packets enabled" | |
448 | ||
449 | iptables "${protocol}" -A FILTER_INVALID_UDP -p udp -m conntrack --ctstate INVALID \ | |
450 | "${log_limit}" -j "$(iptables_LOG "INVALID UDP")" | |
451 | else | |
452 | log INFO "Logging of INVALID UDP packets disabled" | |
453 | fi | |
454 | ||
455 | if enabled FIREWALL_LOG_INVALID_ICMP; then | |
456 | log INFO "Logging of INVALID ICMP packets enabled" | |
457 | ||
458 | iptables "${protocol}" -A FILTER_INVALID_ICMP -p icmp -m conntrack --ctstate INVALID \ | |
459 | "${log_limit}" -j "$(iptables_LOG "INVALID ICMP")" | |
460 | else | |
461 | log INFO "Logging of INVALID ICMP packets disabled" | |
462 | fi | |
463 | ||
464 | # Drop all INVALID packets | |
465 | iptables "${protocol}" -A FILTER_INVALID -m conntrack --ctstate INVALID -j DROP | |
98146c00 MT |
466 | } |
467 | ||
1c6a4e30 | 468 | firewall_tcp_clamp_mss() { |
fc323fc4 MT |
469 | # Do nothing if this has been disabled. |
470 | enabled FIREWALL_CLAMP_PATH_MTU || return ${EXIT_OK} | |
471 | ||
fe52c5e0 MT |
472 | local protocol="${1}" |
473 | assert isset protocol | |
474 | ||
c2d2d2a9 | 475 | log DEBUG "Adding rules to clamp MSS to path MTU..." |
fe52c5e0 MT |
476 | |
477 | iptables "${protocol}" -t mangle -A FORWARD \ | |
c2d2d2a9 MT |
478 | -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
479 | } | |
480 | ||
1c6a4e30 | 481 | firewall_connection_tracking() { |
fe52c5e0 MT |
482 | local protocol="${1}" |
483 | assert isset protocol | |
484 | ||
98146c00 | 485 | log INFO "Creating Connection Tracking chain..." |
fe52c5e0 MT |
486 | |
487 | iptables_chain_create "${protocol}" CONNTRACK | |
85b52db6 MT |
488 | iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
489 | iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")" | |
490 | iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP | |
fe52c5e0 MT |
491 | |
492 | iptables "${protocol}" -A INPUT -j CONNTRACK | |
493 | iptables "${protocol}" -A OUTPUT -j CONNTRACK | |
494 | iptables "${protocol}" -A FORWARD -j CONNTRACK | |
98146c00 | 495 | } |
3647b19f | 496 | |
1c6a4e30 | 497 | firewall_localhost_create_chains() { |
fe52c5e0 MT |
498 | local protocol="${1}" |
499 | assert isset protocol | |
500 | ||
a2c9dff5 MT |
501 | log DEBUG "Creating firewall chains for localhost..." |
502 | ||
503 | # Accept everything on lo | |
fe9bf26b MT |
504 | iptables "${protocol}" -A INPUT -i lo -j ACCEPT |
505 | iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT | |
a2c9dff5 MT |
506 | } |
507 | ||
1c6a4e30 | 508 | firewall_filter_rh0_headers() { |
a7e23f3c MT |
509 | local protocol="${1}" |
510 | assert isset protocol | |
511 | ||
512 | # Only IPv6. | |
513 | [ "${protocol}" = "ipv6" ] || return ${EXIT_OK} | |
514 | ||
515 | # Filter all packets that have RH0 headers | |
516 | # http://www.ietf.org/rfc/rfc5095.txt | |
517 | iptables_chain_create "${protocol}" FILTER_RH0 | |
518 | iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP | |
519 | ||
520 | iptables "${protocol}" -A INPUT -j FILTER_RH0 | |
521 | iptables "${protocol}" -A FORWARD -j FILTER_RH0 | |
522 | iptables "${protocol}" -A OUTPUT -j FILTER_RH0 | |
523 | } | |
524 | ||
1c6a4e30 | 525 | firewall_filter_icmp() { |
204013de MT |
526 | local protocol="${1}" |
527 | assert isset protocol | |
528 | ||
529 | # Only IPv6. | |
530 | [ "${protocol}" = "ipv6" ] || return ${EXIT_OK} | |
531 | ||
532 | local chain="FILTER_ICMPV6" | |
533 | ||
534 | # Create an extra chain for handling ICMP packets. | |
535 | iptables_chain_create "${protocol}" "${chain}_COMMON" | |
536 | ||
537 | local suffix | |
538 | for suffix in INC FWD OUT; do | |
539 | iptables_chain_create "${protocol}" "${chain}_${suffix}" | |
540 | iptables "${protocol}" -A "${chain}_${suffix}" -j "${chain}_COMMON" | |
541 | done | |
542 | iptables "${protocol}" -A INPUT -p icmpv6 -j "${chain}_INC" | |
543 | iptables "${protocol}" -A FORWARD -p icmpv6 -j "${chain}_FWD" | |
544 | iptables "${protocol}" -A OUTPUT -p icmpv6 -j "${chain}_OUT" | |
545 | ||
546 | # Packets that must always pass the firewall. | |
547 | # Type 4: Parameter Problem | |
548 | local type | |
549 | for type in ttl-zero-during-reassembly bad-header; do | |
550 | iptables "${protocol}" -A "${chain}_COMMON" \ | |
551 | -p icmpv6 --icmpv6-type "${type}" -j ACCEPT | |
552 | done | |
553 | ||
554 | # Packets that are accepted if they belong to an existing connection. | |
555 | for type in echo-reply destination-unreachable packet-too-big \ | |
556 | unknown-header-type unknown-option; do | |
557 | iptables "${protocol}" -A "${chain}_COMMON" \ | |
558 | -m conntrack --ctstate ESTABLISHED,RELATED \ | |
559 | -p icmpv6 --icmpv6-type "${type}" -j ACCEPT | |
560 | done | |
561 | ||
562 | # Packets that are always discarded. | |
563 | # Type 100, 101, 200, 201: Private Experimentation | |
564 | for type in 100 101 200 201; do | |
565 | iptables "${protocol}" -A "${chain}_COMMON" \ | |
566 | -p icmpv6 --icmpv6-type "${type}" -j DROP | |
567 | done | |
568 | ||
569 | # Discard packets from local networks with hop limit smaller than $hoplimit. | |
570 | # Type 148: Path solicitation | |
571 | # Type 149: Path advertisement | |
572 | local hoplimit=255 | |
573 | for type in {router,neighbour}-{advertisement,solicitation} 148 149; do | |
574 | iptables "${protocol}" -A "${chain}_INC" \ | |
575 | -p icmpv6 --icmpv6-type "${type}" \ | |
576 | -m hl --hl-lt "${hoplimit}" -j DROP | |
577 | done | |
578 | ||
579 | # The firewall is always allowed to send ICMP echo requests. | |
580 | iptables "${protocol}" -A "${chain}_OUT" \ | |
581 | -p icmpv6 --icmpv6-type echo-request -j ACCEPT | |
582 | ||
583 | return ${EXIT_OK} | |
584 | } | |
585 | ||
1c6a4e30 | 586 | firewall_zone_create_chains() { |
fe52c5e0 MT |
587 | local protocol="${1}" |
588 | assert isset protocol | |
589 | ||
590 | local zone="${2}" | |
a2c9dff5 MT |
591 | assert isset zone |
592 | ||
593 | log DEBUG "Creating firewall chains for zone '${zone}'." | |
594 | ||
595 | local chain_prefix="ZONE_${zone^^}" | |
596 | ||
597 | # Create filter chains. | |
fe52c5e0 MT |
598 | iptables_chain_create "${protocol}" "${chain_prefix}_INPUT" |
599 | iptables "${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT" | |
a2c9dff5 | 600 | |
fe52c5e0 MT |
601 | iptables_chain_create "${protocol}" "${chain_prefix}_OUTPUT" |
602 | iptables "${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT" | |
a2c9dff5 MT |
603 | |
604 | # Custom rules. | |
fe52c5e0 | 605 | iptables_chain_create "${protocol}" "${chain_prefix}_CUSTOM" |
a2c9dff5 MT |
606 | |
607 | # Intrusion Prevention System. | |
fe52c5e0 | 608 | iptables_chain_create "${protocol}" "${chain_prefix}_IPS" |
a2c9dff5 MT |
609 | |
610 | # Create a chain for each other zone. | |
611 | # This leaves us with n^2 chains. Duh. | |
612 | ||
613 | local other_zone other_chain_prefix | |
614 | for other_zone in $(zones_get_all); do | |
615 | other_chain_prefix="${chain_prefix}_${other_zone^^}" | |
fe52c5e0 | 616 | iptables_chain_create "${protocol}" "${other_chain_prefix}" |
a2c9dff5 MT |
617 | |
618 | # Connect the chain with the FORWARD chain. | |
fe52c5e0 | 619 | iptables "${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \ |
a2c9dff5 MT |
620 | -j "${other_chain_prefix}" |
621 | ||
622 | # Handle custom rules. | |
fe52c5e0 | 623 | iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM" |
a2c9dff5 MT |
624 | |
625 | # Link IPS. | |
fe52c5e0 | 626 | iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS" |
a2c9dff5 MT |
627 | |
628 | # Rules. | |
fe52c5e0 MT |
629 | iptables_chain_create "${protocol}" "${other_chain_prefix}_RULES" |
630 | iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES" | |
a2c9dff5 MT |
631 | |
632 | # Policy. | |
fe52c5e0 MT |
633 | iptables_chain_create "${protocol}" "${other_chain_prefix}_POLICY" |
634 | iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY" | |
a2c9dff5 MT |
635 | done |
636 | ||
637 | ## Create mangle chain. | |
fe52c5e0 MT |
638 | #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}" |
639 | #iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}" | |
640 | #iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}" | |
a2c9dff5 MT |
641 | |
642 | ## Quality of Service | |
fe52c5e0 MT |
643 | #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC" |
644 | #iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC" | |
645 | #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT" | |
646 | #iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT" | |
a2c9dff5 MT |
647 | |
648 | # Create NAT chain. | |
fe52c5e0 MT |
649 | iptables_chain_create "${protocol}" -t nat "${chain_prefix}" |
650 | iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}" | |
651 | iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}" | |
a2c9dff5 MT |
652 | |
653 | # Network Address Translation | |
fe52c5e0 MT |
654 | iptables_chain_create "${protocol}" -t nat "${chain_prefix}_DNAT" |
655 | iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT" | |
656 | iptables_chain_create "${protocol}" -t nat "${chain_prefix}_SNAT" | |
657 | iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT" | |
a2c9dff5 MT |
658 | |
659 | # UPnP | |
fe52c5e0 MT |
660 | iptables_chain_create "${protocol}" -t nat "${chain_prefix}_UPNP" |
661 | iptables "${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP" | |
a2c9dff5 MT |
662 | |
663 | return ${EXIT_OK} | |
664 | } | |
665 | ||
1c6a4e30 | 666 | firewall_parse_rules() { |
a2c9dff5 MT |
667 | local file=${1} |
668 | assert isset file | |
3647b19f MT |
669 | shift |
670 | ||
a2c9dff5 MT |
671 | # End if no rule file exists. |
672 | [ -r "${file}" ] || return ${EXIT_OK} | |
3647b19f | 673 | |
a2c9dff5 MT |
674 | local cmd |
675 | ||
676 | local ${FIREWALL_RULES_CONFIG_PARAMS} | |
677 | local line | |
678 | while read -r line; do | |
679 | # Skip empty lines. | |
680 | [ -n "${line}" ] || continue | |
681 | ||
682 | # Skip commented lines. | |
683 | [ "${line:0:1}" = "#" ] && continue | |
684 | ||
685 | # Parse the rule. | |
686 | _firewall_parse_rule_line ${line} | |
687 | if [ $? -ne ${EXIT_OK} ]; then | |
688 | log WARNING "Skipping invalid line: ${line}" | |
689 | continue | |
690 | fi | |
691 | ||
692 | cmd="iptables $@" | |
693 | ||
694 | # Source IP address/net. | |
695 | if isset src; then | |
696 | list_append cmd "-s ${src}" | |
697 | fi | |
698 | ||
699 | # Destination IP address/net. | |
700 | if isset dst; then | |
701 | list_append cmd "-d ${dst}" | |
702 | fi | |
703 | ||
704 | # Protocol. | |
705 | if isset proto; then | |
706 | list_append cmd "-p ${proto}" | |
707 | ||
708 | if list_match ${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then | |
709 | if isset sport; then | |
710 | list_append cmd "--sport ${sport}" | |
711 | fi | |
712 | ||
713 | if isset dport; then | |
714 | list_append cmd "--dport ${dport}" | |
715 | fi | |
716 | fi | |
717 | fi | |
718 | ||
719 | # Always append the action. | |
720 | list_append cmd "-j ${action}" | |
721 | ||
722 | # Execute command. | |
723 | ${cmd} | |
724 | done < ${file} | |
725 | } | |
726 | ||
1c6a4e30 | 727 | _firewall_parse_rule_line() { |
a2c9dff5 MT |
728 | local arg |
729 | ||
730 | # Clear all values. | |
731 | for arg in ${FIREWALL_RULES_CONFIG_PARAMS}; do | |
732 | assign "${arg}" "" | |
3647b19f MT |
733 | done |
734 | ||
a2c9dff5 MT |
735 | local key val |
736 | while read -r arg; do | |
737 | key=$(cli_get_key ${arg}) | |
3647b19f | 738 | |
8c9205b1 | 739 | if ! list_match "${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then |
a2c9dff5 MT |
740 | log WARNING "Unrecognized argument: ${arg}" |
741 | return ${EXIT_ERROR} | |
742 | fi | |
3647b19f | 743 | |
2212045f | 744 | val=$(cli_get_val "${arg}") |
a2c9dff5 | 745 | assign "${key}" "${val}" |
2212045f | 746 | done <<< "$(args "$@")" |
a2c9dff5 MT |
747 | |
748 | # action must always be set. | |
749 | if ! isset action; then | |
750 | log WARNING "'action' is not set: $@" | |
751 | return ${EXIT_ERROR} | |
752 | fi | |
753 | ||
754 | for arg in src dst; do | |
755 | isset ${arg} || continue | |
756 | ||
757 | # Check for valid IP addresses. | |
758 | if ! ip_is_valid ${!arg}; then | |
759 | log WARNING "Invalid IP address for '${arg}=${!arg}': $@" | |
760 | return ${EXIT_ERROR} | |
761 | fi | |
762 | done | |
763 | ||
764 | if isset proto; then | |
765 | # Make lowercase. | |
766 | proto=${proto,,} | |
767 | ||
768 | if ! list_match "${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then | |
769 | log WARNING "Unsupported protocol type 'proto=${proto}': $@" | |
770 | return ${EXIT_ERROR} | |
771 | fi | |
772 | fi | |
773 | ||
774 | for arg in sport dport; do | |
775 | isset ${arg} || continue | |
776 | ||
777 | # Check if port is valid. | |
778 | if ! isinteger ${arg}; then | |
779 | log WARNING "Invalid port '${arg}=${!arg}': $@" | |
780 | return ${EXIT_ERROR} | |
781 | fi | |
782 | done | |
783 | ||
784 | return ${EXIT_OK} | |
3647b19f | 785 | } |