[people/stevee/network.git] / functions.firewall

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
function firewall_start() {
	local protocol="${1}"
	assert isset protocol
	shift

	# Test mode.
	local test="false"

	while [ $# -gt 0 ]; do
		case "${1}" in
			--test)
				test="true"
				;;
			*)
				error "Unrecognized argument: ${1}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	if enabled test; then
		log INFO "Test mode enabled."
		log INFO "The firewall ruleset will not be loaded."
	fi

	firewall_lock_acquire

	# Initialize an empty iptables ruleset.
	iptables_init "${protocol}" "DROP"

	# Add default chains.
	firewall_tcp_state_flags "${protocol}"
	firewall_custom_chains "${protocol}"
	firewall_connection_tracking "${protocol}"
	firewall_tcp_clamp_mss "${protocol}"

	# Add policies for every zone.
	firewall_localhost_create_chains "${protocol}"

	local zone
	for zone in $(zones_get_all); do
		# Create all needed chains for the zone.
		firewall_zone_create_chains "${protocol}" "${zone}"

		# After the chains that are always available have been
		# created, we will add a custom policy to every single
		# zone.

		policy_zone_add "${protocol}" "${zone}"
	done

	# Load the new ruleset.
	local args
	if enabled testmode; then
		list_append args "--test"
	fi
	iptables_commit "${protocol}" ${args}

	firewall_lock_release
}

function firewall_stop() {
	local protocol="${1}"
	assert isset protocol

	firewall_lock_acquire

	# Initialize an empty firewall ruleset
	# with default policy ACCEPT.
	iptables_init "${protocol}" ACCEPT

	# Load it.
	ipables_load "${protocol}"

	firewall_lock_release
}

function firewall_show() {
	local protocol="${1}"
	assert isset protocol

	# Shows the ruleset that is currently loaded.
	iptables_status "${protocol}"

	return ${EXIT_OK}
}

function firewall_panic() {
	local protocol="${1}"
	assert isset protocol
	shift

	local admin_hosts="$@"

	firewall_lock_acquire "${protocol}"

	# Drop all communications.
	iptables_init "${protocol}" DROP

	# If an admin host is provided, some administrative
	# things will be allowed from there.
	local admin_host
	for admin_host in ${admin_hosts}; do
		iptables "${protocol}" -A INPUT  -s "${admin_host}" -j ACCEPT
		iptables "${protocol}" -A OUTPUT -d "${admin_host}" -j ACCEPT
	done

	# Load it.
	iptables_commit "${protocol}"

	firewall_lock_release
}

function firewall_lock_acquire() {
	lock_acquire ${RUN_DIR}/.firewall_lock

	# Make sure the lock is released after the firewall
	# script has crashed or exited early.
	trap firewall_lock_release EXIT TERM KILL

	# Create a directory where we can put our
	# temporary data in the most secure way as possible.
	IPTABLES_TMPDIR=$(mktemp -d)
}

function firewall_lock_release() {
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data.
		rm -rf ${IPTABLES_TMPDIR}

		# Reset the tempdir variable.
		IPTABLES_TMPDIR=
	fi

	# Reset the trap.
	trap true EXIT TERM KILL

	lock_release ${RUN_DIR}/.firewall_lock
}

function firewall_custom_chains() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating CUSTOM* chains..."

	# These chains are intened to be filled with
	# rules by the user. They are processed at the very
	# beginning so it is possible to overwrite everything.

	iptables_chain_create "${protocol}" CUSTOMINPUT
	iptables "${protocol}" -A INPUT -j CUSTOMINPUT

	iptables_chain_create "${protocol}" CUSTOMFORWARD
	iptables "${protocol}" -A FORWARD -j CUSTOMFORWARD

	iptables_chain_create "${protocol}" CUSTOMOUTPUT
	iptables "${protocol}" -A OUTPUT -j CUSTOMOUTPUT

	iptables_chain_create "${protocol}" -t nat CUSTOMPREROUTING
	iptables "${protocol}" -t nat -A PREROUTING -j CUSTOMPREROUTING

	iptables_chain_create "${protocol}" -t nat CUSTOMPOSTROUTING
	iptables "${protocol}" -t nat -A POSTROUTING -j CUSTOMPOSTROUTING

	iptables_chain_create "${protocol}" -t nat CUSTOMOUTPUT
	iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT
}

function firewall_tcp_state_flags() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating TCP State Flags chain..."

	iptables_chain_create "${protocol}" BADTCP_LOG
	iptables "${protocol}" -A BADTCP_LOG -p tcp -j "$(iptables_LOG "Illegal TCP state: ")"
	iptables "${protocol}" -A BADTCP_LOG -j DROP

	iptables_chain_create "${protocol}" BADTCP
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ALL NONE        -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,FIN FIN     -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,PSH PSH     -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,URG URG     -j BADTCP_LOG

	iptables "${protocol}" -A INPUT   -p tcp -j BADTCP
	iptables "${protocol}" -A OUTPUT  -p tcp -j BADTCP
	iptables "${protocol}" -A FORWARD -p tcp -j BADTCP
}

function firewall_tcp_clamp_mss() {
	# Do nothing if this has been disabled.
	enabled FIREWALL_CLAMP_PATH_MTU || return ${EXIT_OK}

	local protocol="${1}"
	assert isset protocol

	log DEBUG "Adding rules to clamp MSS to path MTU..."

	iptables "${protocol}" -t mangle -A FORWARD \
		-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

function firewall_connection_tracking() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating Connection Tracking chain..."

	iptables_chain_create "${protocol}" CONNTRACK
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP

	iptables "${protocol}" -A INPUT   -j CONNTRACK
	iptables "${protocol}" -A OUTPUT  -j CONNTRACK
	iptables "${protocol}" -A FORWARD -j CONNTRACK
}

function firewall_localhost_create_chains() {
	local protocol="${1}"
	assert isset protocol

	log DEBUG "Creating firewall chains for localhost..."

	# Accept everything on lo
	iptables "${protocol}" -A INPUT  -i lo -j ACCEPT
	iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
}

function firewall_zone_create_chains() {
	local protocol="${1}"
	assert isset protocol

	local zone="${2}"
	assert isset zone

	log DEBUG "Creating firewall chains for zone '${zone}'."

	local chain_prefix="ZONE_${zone^^}"

	# Create filter chains.
	iptables_chain_create "${protocol}" "${chain_prefix}_INPUT"
	iptables "${protocol}" -A INPUT   -i ${zone} -j "${chain_prefix}_INPUT"

	iptables_chain_create "${protocol}" "${chain_prefix}_OUTPUT"
	iptables "${protocol}" -A OUTPUT  -o ${zone} -j "${chain_prefix}_OUTPUT"

	# Custom rules.
	iptables_chain_create "${protocol}" "${chain_prefix}_CUSTOM"

	# Intrusion Prevention System.
	iptables_chain_create "${protocol}" "${chain_prefix}_IPS"

	# Create a chain for each other zone.
	# This leaves us with n^2 chains. Duh.

	local other_zone other_chain_prefix
	for other_zone in $(zones_get_all); do
		other_chain_prefix="${chain_prefix}_${other_zone^^}"
		iptables_chain_create "${protocol}" "${other_chain_prefix}"

		# Connect the chain with the FORWARD chain.
		iptables "${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
			-j "${other_chain_prefix}"

		# Handle custom rules.
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"

		# Link IPS.
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"

		# Rules.
		iptables_chain_create "${protocol}" "${other_chain_prefix}_RULES"
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"

		# Policy.
		iptables_chain_create "${protocol}" "${other_chain_prefix}_POLICY"
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
	done

	## Create mangle chain.
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
	#iptables "${protocol}" -t mangle -A PREROUTING  -i "${zone}" -j "${chain_prefix}"
	#iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"

	## Quality of Service
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"

	# Create NAT chain.
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}"
	iptables "${protocol}" -t nat -A PREROUTING  -i "${zone}" -j "${chain_prefix}"
	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"

	# Network Address Translation
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_DNAT"
	iptables "${protocol}" -t nat -A PREROUTING  -i "${zone}" -j "${chain_prefix}_DNAT"
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_SNAT"
	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"

	# UPnP
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_UPNP"
	iptables "${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"

	return ${EXIT_OK}
}

function firewall_parse_rules() {
	local file=${1}
	assert isset file
	shift

	# End if no rule file exists.
	[ -r "${file}" ] || return ${EXIT_OK}

	local cmd

	local ${FIREWALL_RULES_CONFIG_PARAMS}
	local line
	while read -r line; do
		# Skip empty lines.
		[ -n "${line}" ] || continue

		# Skip commented lines.
		[ "${line:0:1}" = "#" ] && continue

		# Parse the rule.
		_firewall_parse_rule_line ${line}
		if [ $? -ne ${EXIT_OK} ]; then
			log WARNING "Skipping invalid line: ${line}"
			continue
		fi

		cmd="iptables $@"

		# Source IP address/net.
		if isset src; then
			list_append cmd "-s ${src}"
		fi

		# Destination IP address/net.
		if isset dst; then
			list_append cmd "-d ${dst}"
		fi

		# Protocol.
		if isset proto; then
			list_append cmd "-p ${proto}"

			if list_match ${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
				if isset sport; then
					list_append cmd "--sport ${sport}"
				fi

				if isset dport; then
					list_append cmd "--dport ${dport}"
				fi
			fi
		fi

		# Always append the action.
		list_append cmd "-j ${action}"

		# Execute command.
		${cmd}
	done < ${file}
}

function _firewall_parse_rule_line() {
	local arg

	# Clear all values.
	for arg in ${FIREWALL_RULES_CONFIG_PARAMS}; do
		assign "${arg}" ""
	done

	local key val
	while read -r arg; do
		key=$(cli_get_key ${arg})

		if ! listmatch "${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
			log WARNING "Unrecognized argument: ${arg}"
			return ${EXIT_ERROR}
		fi

		val=$(cli_get_val ${arg})
		assign "${key}" "${val}"
	done <<< "$(args $@)"

	# action must always be set.
	if ! isset action; then
		log WARNING "'action' is not set: $@"
		return ${EXIT_ERROR}
	fi

	for arg in src dst; do
		isset ${arg} || continue

		# Check for valid IP addresses.
		if ! ip_is_valid ${!arg}; then
			log WARNING "Invalid IP address for '${arg}=${!arg}': $@"
			return ${EXIT_ERROR}
		fi
	done

	if isset proto; then
		# Make lowercase.
		proto=${proto,,}

		if ! list_match "${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
			log WARNING "Unsupported protocol type 'proto=${proto}': $@"
			return ${EXIT_ERROR}
		fi
	fi

	for arg in sport dport; do
		isset ${arg} || continue

		# Check if port is valid.
		if ! isinteger ${arg}; then
			log WARNING "Invalid port '${arg}=${!arg}': $@"
			return ${EXIT_ERROR}
		fi
	done

	return ${EXIT_OK}
}
Commit	Line	Data
98146c00 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	# High-level function which will create a ruleset for the current firewall
	23	# configuration and load it into the kernel.
	24	function firewall_start() {
fe52c5e0 MT	25	local protocol="${1}"
	26	assert isset protocol
	27	shift
	28
afb7d704 MT	29	# Test mode.
	30	local test="false"
	31
	32	while [ $# -gt 0 ]; do
	33	case "${1}" in
	34	--test)
	35	test="true"
	36	;;
b4fc59c7 MT	37	*)
	38	error "Unrecognized argument: ${1}"
	39	return ${EXIT_ERROR}
	40	;;
afb7d704 MT	41	esac
	42	shift
	43	done
	44
	45	if enabled test; then
	46	log INFO "Test mode enabled."
	47	log INFO "The firewall ruleset will not be loaded."
	48	fi
	49
98146c00 MT	50	firewall_lock_acquire
	51
	52	# Initialize an empty iptables ruleset.
fe52c5e0	53	iptables_init "${protocol}" "DROP"
98146c00 MT	54
98146c00 MT	55	# Add default chains.
fe52c5e0 MT	56	firewall_tcp_state_flags "${protocol}"
	57	firewall_custom_chains "${protocol}"
	58	firewall_connection_tracking "${protocol}"
	59	firewall_tcp_clamp_mss "${protocol}"
98146c00 MT	60
98146c00 MT	61	# Add policies for every zone.
fe52c5e0	62	firewall_localhost_create_chains "${protocol}"
98146c00 MT	63
	64	local zone
	65	for zone in $(zones_get_all); do
a2c9dff5	66	# Create all needed chains for the zone.
fe52c5e0	67	firewall_zone_create_chains "${protocol}" "${zone}"
a2c9dff5 MT	68
	69	# After the chains that are always available have been
	70	# created, we will add a custom policy to every single
	71	# zone.
	72
fe52c5e0	73	policy_zone_add "${protocol}" "${zone}"
98146c00 MT	74	done
98146c00 MT	75
afb7d704	76	# Load the new ruleset.
fe52c5e0 MT	77	local args
	78	if enabled testmode; then
	79	list_append args "--test"
	80	fi
	81	iptables_commit "${protocol}" ${args}
98146c00 MT	82
	83	firewall_lock_release
	84	}
	85
	86	function firewall_stop() {
fe52c5e0 MT	87	local protocol="${1}"
	88	assert isset protocol
	89
98146c00 MT	90	firewall_lock_acquire
	91
	92	# Initialize an empty firewall ruleset
	93	# with default policy ACCEPT.
fe52c5e0	94	iptables_init "${protocol}" ACCEPT
98146c00	95
afb7d704	96	# Load it.
fe52c5e0	97	ipables_load "${protocol}"
afb7d704 MT	98
	99	firewall_lock_release
	100	}
	101
	102	function firewall_show() {
fe52c5e0 MT	103	local protocol="${1}"
	104	assert isset protocol
	105
afb7d704	106	# Shows the ruleset that is currently loaded.
fe52c5e0	107	iptables_status "${protocol}"
afb7d704 MT	108
	109	return ${EXIT_OK}
	110	}
	111
	112	function firewall_panic() {
fe52c5e0 MT	113	local protocol="${1}"
	114	assert isset protocol
	115	shift
	116
afb7d704 MT	117	local admin_hosts="$@"
afb7d704 MT	118
fe52c5e0	119	firewall_lock_acquire "${protocol}"
afb7d704 MT	120
afb7d704 MT	121	# Drop all communications.
fe52c5e0	122	iptables_init "${protocol}" DROP
afb7d704 MT	123
	124	# If an admin host is provided, some administrative
	125	# things will be allowed from there.
	126	local admin_host
	127	for admin_host in ${admin_hosts}; do
fe52c5e0 MT	128	iptables "${protocol}" -A INPUT -s "${admin_host}" -j ACCEPT
fe52c5e0 MT	129	iptables "${protocol}" -A OUTPUT -d "${admin_host}" -j ACCEPT
afb7d704 MT	130	done
	131
	132	# Load it.
fe52c5e0	133	iptables_commit "${protocol}"
98146c00 MT	134
	135	firewall_lock_release
	136	}
	137
	138	function firewall_lock_acquire() {
	139	lock_acquire ${RUN_DIR}/.firewall_lock
	140
	141	# Make sure the lock is released after the firewall
	142	# script has crashed or exited early.
	143	trap firewall_lock_release EXIT TERM KILL
	144
	145	# Create a directory where we can put our
	146	# temporary data in the most secure way as possible.
	147	IPTABLES_TMPDIR=$(mktemp -d)
	148	}
	149
	150	function firewall_lock_release() {
	151	if isset IPTABLES_TMPDIR; then
	152	# Remove all temporary data.
	153	rm -rf ${IPTABLES_TMPDIR}
	154
	155	# Reset the tempdir variable.
	156	IPTABLES_TMPDIR=
	157	fi
	158
	159	# Reset the trap.
	160	trap true EXIT TERM KILL
	161
	162	lock_release ${RUN_DIR}/.firewall_lock
	163	}
	164
3b256a38	165	function firewall_custom_chains() {
fe52c5e0 MT	166	local protocol="${1}"
	167	assert isset protocol
	168
3b256a38 MT	169	log INFO "Creating CUSTOM* chains..."
	170
	171	# These chains are intened to be filled with
	172	# rules by the user. They are processed at the very
	173	# beginning so it is possible to overwrite everything.
	174
fe52c5e0 MT	175	iptables_chain_create "${protocol}" CUSTOMINPUT
fe52c5e0 MT	176	iptables "${protocol}" -A INPUT -j CUSTOMINPUT
3b256a38	177
fe52c5e0 MT	178	iptables_chain_create "${protocol}" CUSTOMFORWARD
fe52c5e0 MT	179	iptables "${protocol}" -A FORWARD -j CUSTOMFORWARD
3b256a38	180
fe52c5e0 MT	181	iptables_chain_create "${protocol}" CUSTOMOUTPUT
fe52c5e0 MT	182	iptables "${protocol}" -A OUTPUT -j CUSTOMOUTPUT
3b256a38	183
fe52c5e0 MT	184	iptables_chain_create "${protocol}" -t nat CUSTOMPREROUTING
fe52c5e0 MT	185	iptables "${protocol}" -t nat -A PREROUTING -j CUSTOMPREROUTING
3b256a38	186
fe52c5e0 MT	187	iptables_chain_create "${protocol}" -t nat CUSTOMPOSTROUTING
fe52c5e0 MT	188	iptables "${protocol}" -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
3b256a38	189
fe52c5e0 MT	190	iptables_chain_create "${protocol}" -t nat CUSTOMOUTPUT
fe52c5e0 MT	191	iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT
3b256a38 MT	192	}
3b256a38 MT	193
98146c00	194	function firewall_tcp_state_flags() {
fe52c5e0 MT	195	local protocol="${1}"
	196	assert isset protocol
	197
98146c00	198	log INFO "Creating TCP State Flags chain..."
fe52c5e0 MT	199
	200	iptables_chain_create "${protocol}" BADTCP_LOG
	201	iptables "${protocol}" -A BADTCP_LOG -p tcp -j "$(iptables_LOG "Illegal TCP state: ")"
	202	iptables "${protocol}" -A BADTCP_LOG -j DROP
	203
	204	iptables_chain_create "${protocol}" BADTCP
	205	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	206	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	207	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	208	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	209	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
	210	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
	211	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
	212
	213	iptables "${protocol}" -A INPUT -p tcp -j BADTCP
	214	iptables "${protocol}" -A OUTPUT -p tcp -j BADTCP
	215	iptables "${protocol}" -A FORWARD -p tcp -j BADTCP
98146c00 MT	216	}
98146c00 MT	217
c2d2d2a9	218	function firewall_tcp_clamp_mss() {
fc323fc4 MT	219	# Do nothing if this has been disabled.
	220	enabled FIREWALL_CLAMP_PATH_MTU \|\| return ${EXIT_OK}
	221
fe52c5e0 MT	222	local protocol="${1}"
	223	assert isset protocol
	224
c2d2d2a9	225	log DEBUG "Adding rules to clamp MSS to path MTU..."
fe52c5e0 MT	226
fe52c5e0 MT	227	iptables "${protocol}" -t mangle -A FORWARD \
c2d2d2a9 MT	228	-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	229	}
	230
98146c00	231	function firewall_connection_tracking() {
fe52c5e0 MT	232	local protocol="${1}"
	233	assert isset protocol
	234
98146c00	235	log INFO "Creating Connection Tracking chain..."
fe52c5e0 MT	236
fe52c5e0 MT	237	iptables_chain_create "${protocol}" CONNTRACK
85b52db6 MT	238	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	239	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
	240	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
fe52c5e0 MT	241
	242	iptables "${protocol}" -A INPUT -j CONNTRACK
	243	iptables "${protocol}" -A OUTPUT -j CONNTRACK
	244	iptables "${protocol}" -A FORWARD -j CONNTRACK
98146c00	245	}
3647b19f	246
a2c9dff5	247	function firewall_localhost_create_chains() {
fe52c5e0 MT	248	local protocol="${1}"
	249	assert isset protocol
	250
a2c9dff5 MT	251	log DEBUG "Creating firewall chains for localhost..."
	252
	253	# Accept everything on lo
fe9bf26b MT	254	iptables "${protocol}" -A INPUT -i lo -j ACCEPT
fe9bf26b MT	255	iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
a2c9dff5 MT	256	}
	257
	258	function firewall_zone_create_chains() {
fe52c5e0 MT	259	local protocol="${1}"
	260	assert isset protocol
	261
	262	local zone="${2}"
a2c9dff5 MT	263	assert isset zone
	264
	265	log DEBUG "Creating firewall chains for zone '${zone}'."
	266
	267	local chain_prefix="ZONE_${zone^^}"
	268
	269	# Create filter chains.
fe52c5e0 MT	270	iptables_chain_create "${protocol}" "${chain_prefix}_INPUT"
fe52c5e0 MT	271	iptables "${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT"
a2c9dff5	272
fe52c5e0 MT	273	iptables_chain_create "${protocol}" "${chain_prefix}_OUTPUT"
fe52c5e0 MT	274	iptables "${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT"
a2c9dff5 MT	275
a2c9dff5 MT	276	# Custom rules.
fe52c5e0	277	iptables_chain_create "${protocol}" "${chain_prefix}_CUSTOM"
a2c9dff5 MT	278
a2c9dff5 MT	279	# Intrusion Prevention System.
fe52c5e0	280	iptables_chain_create "${protocol}" "${chain_prefix}_IPS"
a2c9dff5 MT	281
	282	# Create a chain for each other zone.
	283	# This leaves us with n^2 chains. Duh.
	284
	285	local other_zone other_chain_prefix
	286	for other_zone in $(zones_get_all); do
	287	other_chain_prefix="${chain_prefix}_${other_zone^^}"
fe52c5e0	288	iptables_chain_create "${protocol}" "${other_chain_prefix}"
a2c9dff5 MT	289
a2c9dff5 MT	290	# Connect the chain with the FORWARD chain.
fe52c5e0	291	iptables "${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
a2c9dff5 MT	292	-j "${other_chain_prefix}"
	293
	294	# Handle custom rules.
fe52c5e0	295	iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"
a2c9dff5 MT	296
a2c9dff5 MT	297	# Link IPS.
fe52c5e0	298	iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"
a2c9dff5 MT	299
a2c9dff5 MT	300	# Rules.
fe52c5e0 MT	301	iptables_chain_create "${protocol}" "${other_chain_prefix}_RULES"
fe52c5e0 MT	302	iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"
a2c9dff5 MT	303
a2c9dff5 MT	304	# Policy.
fe52c5e0 MT	305	iptables_chain_create "${protocol}" "${other_chain_prefix}_POLICY"
fe52c5e0 MT	306	iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
a2c9dff5 MT	307	done
	308
	309	## Create mangle chain.
fe52c5e0 MT	310	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
	311	#iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}"
	312	#iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
a2c9dff5 MT	313
a2c9dff5 MT	314	## Quality of Service
fe52c5e0 MT	315	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
	316	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
	317	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
	318	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"
a2c9dff5 MT	319
a2c9dff5 MT	320	# Create NAT chain.
fe52c5e0 MT	321	iptables_chain_create "${protocol}" -t nat "${chain_prefix}"
	322	iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}"
	323	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
a2c9dff5 MT	324
a2c9dff5 MT	325	# Network Address Translation
fe52c5e0 MT	326	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_DNAT"
	327	iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT"
	328	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_SNAT"
	329	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"
a2c9dff5 MT	330
a2c9dff5 MT	331	# UPnP
fe52c5e0 MT	332	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_UPNP"
fe52c5e0 MT	333	iptables "${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"
a2c9dff5 MT	334
	335	return ${EXIT_OK}
	336	}
	337
	338	function firewall_parse_rules() {
	339	local file=${1}
	340	assert isset file
3647b19f MT	341	shift
3647b19f MT	342
a2c9dff5 MT	343	# End if no rule file exists.
a2c9dff5 MT	344	[ -r "${file}" ] \|\| return ${EXIT_OK}
3647b19f	345
a2c9dff5 MT	346	local cmd
	347
	348	local ${FIREWALL_RULES_CONFIG_PARAMS}
	349	local line
	350	while read -r line; do
	351	# Skip empty lines.
	352	[ -n "${line}" ] \|\| continue
	353
	354	# Skip commented lines.
	355	[ "${line:0:1}" = "#" ] && continue
	356
	357	# Parse the rule.
	358	_firewall_parse_rule_line ${line}
	359	if [ $? -ne ${EXIT_OK} ]; then
	360	log WARNING "Skipping invalid line: ${line}"
	361	continue
	362	fi
	363
	364	cmd="iptables $@"
	365
	366	# Source IP address/net.
	367	if isset src; then
	368	list_append cmd "-s ${src}"
	369	fi
	370
	371	# Destination IP address/net.
	372	if isset dst; then
	373	list_append cmd "-d ${dst}"
	374	fi
	375
	376	# Protocol.
	377	if isset proto; then
	378	list_append cmd "-p ${proto}"
	379
	380	if list_match ${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
	381	if isset sport; then
	382	list_append cmd "--sport ${sport}"
	383	fi
	384
	385	if isset dport; then
	386	list_append cmd "--dport ${dport}"
	387	fi
	388	fi
	389	fi
	390
	391	# Always append the action.
	392	list_append cmd "-j ${action}"
	393
	394	# Execute command.
	395	${cmd}
	396	done < ${file}
	397	}
	398
	399	function _firewall_parse_rule_line() {
	400	local arg
	401
	402	# Clear all values.
	403	for arg in ${FIREWALL_RULES_CONFIG_PARAMS}; do
	404	assign "${arg}" ""
3647b19f MT	405	done
3647b19f MT	406
a2c9dff5 MT	407	local key val
	408	while read -r arg; do
	409	key=$(cli_get_key ${arg})
3647b19f	410
a2c9dff5 MT	411	if ! listmatch "${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
	412	log WARNING "Unrecognized argument: ${arg}"
	413	return ${EXIT_ERROR}
	414	fi
3647b19f	415
a2c9dff5 MT	416	val=$(cli_get_val ${arg})
	417	assign "${key}" "${val}"
	418	done <<< "$(args $@)"
	419
	420	# action must always be set.
	421	if ! isset action; then
	422	log WARNING "'action' is not set: $@"
	423	return ${EXIT_ERROR}
	424	fi
	425
	426	for arg in src dst; do
	427	isset ${arg} \|\| continue
	428
	429	# Check for valid IP addresses.
	430	if ! ip_is_valid ${!arg}; then
	431	log WARNING "Invalid IP address for '${arg}=${!arg}': $@"
	432	return ${EXIT_ERROR}
	433	fi
	434	done
	435
	436	if isset proto; then
	437	# Make lowercase.
	438	proto=${proto,,}
	439
	440	if ! list_match "${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
	441	log WARNING "Unsupported protocol type 'proto=${proto}': $@"
	442	return ${EXIT_ERROR}
	443	fi
	444	fi
	445
	446	for arg in sport dport; do
	447	isset ${arg} \|\| continue
	448
	449	# Check if port is valid.
	450	if ! isinteger ${arg}; then
	451	log WARNING "Invalid port '${arg}=${!arg}': $@"
	452	return ${EXIT_ERROR}
	453	fi
	454	done
	455
	456	return ${EXIT_OK}
3647b19f	457	}