[people/stevee/network.git] / functions.firewall

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
function firewall_start() {
	local protocol="${1}"
	assert isset protocol
	shift

	# Test mode.
	local test="false"

	while [ $# -gt 0 ]; do
		case "${1}" in
			--test)
				test="true"
				;;
			*)
				error "Unrecognized argument: ${1}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	if enabled test; then
		log INFO "Test mode enabled."
		log INFO "The firewall ruleset will not be loaded."
	fi

	firewall_lock_acquire

	# Initialize an empty iptables ruleset.
	iptables_init "${protocol}" "DROP"

	# Add default chains.
	firewall_filter_rh0_headers "${protocol}"
	firewall_tcp_state_flags "${protocol}"
	firewall_custom_chains "${protocol}"
	firewall_connection_tracking "${protocol}"
	firewall_tcp_clamp_mss "${protocol}"

	# Add policies for every zone.
	firewall_localhost_create_chains "${protocol}"

	local zone
	for zone in $(zones_get_all); do
		# Create all needed chains for the zone.
		firewall_zone_create_chains "${protocol}" "${zone}"

		# After the chains that are always available have been
		# created, we will add a custom policy to every single
		# zone.

		policy_zone_add "${protocol}" "${zone}"
	done

	# Load the new ruleset.
	local args
	if enabled testmode; then
		list_append args "--test"
	fi
	iptables_commit "${protocol}" ${args}

	firewall_lock_release
}

function firewall_stop() {
	local protocol="${1}"
	assert isset protocol

	firewall_lock_acquire

	# Initialize an empty firewall ruleset
	# with default policy ACCEPT.
	iptables_init "${protocol}" ACCEPT

	# Load it.
	ipables_load "${protocol}"

	firewall_lock_release
}

function firewall_show() {
	local protocol="${1}"
	assert isset protocol

	# Shows the ruleset that is currently loaded.
	iptables_status "${protocol}"

	return ${EXIT_OK}
}

function firewall_panic() {
	local protocol="${1}"
	assert isset protocol
	shift

	local admin_hosts="$@"

	firewall_lock_acquire "${protocol}"

	# Drop all communications.
	iptables_init "${protocol}" DROP

	# If an admin host is provided, some administrative
	# things will be allowed from there.
	local admin_host
	for admin_host in ${admin_hosts}; do
		iptables "${protocol}" -A INPUT  -s "${admin_host}" -j ACCEPT
		iptables "${protocol}" -A OUTPUT -d "${admin_host}" -j ACCEPT
	done

	# Load it.
	iptables_commit "${protocol}"

	firewall_lock_release
}

function firewall_lock_acquire() {
	lock_acquire ${RUN_DIR}/.firewall_lock

	# Make sure the lock is released after the firewall
	# script has crashed or exited early.
	trap firewall_lock_release EXIT TERM KILL

	# Create a directory where we can put our
	# temporary data in the most secure way as possible.
	IPTABLES_TMPDIR=$(mktemp -d)
}

function firewall_lock_release() {
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data.
		rm -rf ${IPTABLES_TMPDIR}

		# Reset the tempdir variable.
		IPTABLES_TMPDIR=
	fi

	# Reset the trap.
	trap true EXIT TERM KILL

	lock_release ${RUN_DIR}/.firewall_lock
}

function firewall_custom_chains() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating CUSTOM* chains..."

	# These chains are intened to be filled with
	# rules by the user. They are processed at the very
	# beginning so it is possible to overwrite everything.

	iptables_chain_create "${protocol}" CUSTOMINPUT
	iptables "${protocol}" -A INPUT -j CUSTOMINPUT

	iptables_chain_create "${protocol}" CUSTOMFORWARD
	iptables "${protocol}" -A FORWARD -j CUSTOMFORWARD

	iptables_chain_create "${protocol}" CUSTOMOUTPUT
	iptables "${protocol}" -A OUTPUT -j CUSTOMOUTPUT

	iptables_chain_create "${protocol}" -t nat CUSTOMPREROUTING
	iptables "${protocol}" -t nat -A PREROUTING -j CUSTOMPREROUTING

	iptables_chain_create "${protocol}" -t nat CUSTOMPOSTROUTING
	iptables "${protocol}" -t nat -A POSTROUTING -j CUSTOMPOSTROUTING

	iptables_chain_create "${protocol}" -t nat CUSTOMOUTPUT
	iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT
}

function firewall_tcp_state_flags() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating TCP State Flags chain..."

	iptables_chain_create "${protocol}" BADTCP_LOG
	iptables "${protocol}" -A BADTCP_LOG -p tcp -j "$(iptables_LOG "Illegal TCP state: ")"
	iptables "${protocol}" -A BADTCP_LOG -j DROP

	iptables_chain_create "${protocol}" BADTCP
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ALL NONE        -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,FIN FIN     -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,PSH PSH     -j BADTCP_LOG
	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,URG URG     -j BADTCP_LOG

	iptables "${protocol}" -A INPUT   -p tcp -j BADTCP
	iptables "${protocol}" -A OUTPUT  -p tcp -j BADTCP
	iptables "${protocol}" -A FORWARD -p tcp -j BADTCP
}

function firewall_tcp_clamp_mss() {
	# Do nothing if this has been disabled.
	enabled FIREWALL_CLAMP_PATH_MTU || return ${EXIT_OK}

	local protocol="${1}"
	assert isset protocol

	log DEBUG "Adding rules to clamp MSS to path MTU..."

	iptables "${protocol}" -t mangle -A FORWARD \
		-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

function firewall_connection_tracking() {
	local protocol="${1}"
	assert isset protocol

	log INFO "Creating Connection Tracking chain..."

	iptables_chain_create "${protocol}" CONNTRACK
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP

	iptables "${protocol}" -A INPUT   -j CONNTRACK
	iptables "${protocol}" -A OUTPUT  -j CONNTRACK
	iptables "${protocol}" -A FORWARD -j CONNTRACK
}

function firewall_localhost_create_chains() {
	local protocol="${1}"
	assert isset protocol

	log DEBUG "Creating firewall chains for localhost..."

	# Accept everything on lo
	iptables "${protocol}" -A INPUT  -i lo -j ACCEPT
	iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
}

function firewall_filter_rh0_headers() {
	local protocol="${1}"
	assert isset protocol

	# Only IPv6.
	[ "${protocol}" = "ipv6" ] || return ${EXIT_OK}

	# Filter all packets that have RH0 headers
	# http://www.ietf.org/rfc/rfc5095.txt
	iptables_chain_create "${protocol}" FILTER_RH0
	iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP

	iptables "${protocol}" -A INPUT   -j FILTER_RH0
	iptables "${protocol}" -A FORWARD -j FILTER_RH0
	iptables "${protocol}" -A OUTPUT  -j FILTER_RH0
}

function firewall_zone_create_chains() {
	local protocol="${1}"
	assert isset protocol

	local zone="${2}"
	assert isset zone

	log DEBUG "Creating firewall chains for zone '${zone}'."

	local chain_prefix="ZONE_${zone^^}"

	# Create filter chains.
	iptables_chain_create "${protocol}" "${chain_prefix}_INPUT"
	iptables "${protocol}" -A INPUT   -i ${zone} -j "${chain_prefix}_INPUT"

	iptables_chain_create "${protocol}" "${chain_prefix}_OUTPUT"
	iptables "${protocol}" -A OUTPUT  -o ${zone} -j "${chain_prefix}_OUTPUT"

	# Custom rules.
	iptables_chain_create "${protocol}" "${chain_prefix}_CUSTOM"

	# Intrusion Prevention System.
	iptables_chain_create "${protocol}" "${chain_prefix}_IPS"

	# Create a chain for each other zone.
	# This leaves us with n^2 chains. Duh.

	local other_zone other_chain_prefix
	for other_zone in $(zones_get_all); do
		other_chain_prefix="${chain_prefix}_${other_zone^^}"
		iptables_chain_create "${protocol}" "${other_chain_prefix}"

		# Connect the chain with the FORWARD chain.
		iptables "${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
			-j "${other_chain_prefix}"

		# Handle custom rules.
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"

		# Link IPS.
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"

		# Rules.
		iptables_chain_create "${protocol}" "${other_chain_prefix}_RULES"
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"

		# Policy.
		iptables_chain_create "${protocol}" "${other_chain_prefix}_POLICY"
		iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
	done

	## Create mangle chain.
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
	#iptables "${protocol}" -t mangle -A PREROUTING  -i "${zone}" -j "${chain_prefix}"
	#iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"

	## Quality of Service
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"

	# Create NAT chain.
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}"
	iptables "${protocol}" -t nat -A PREROUTING  -i "${zone}" -j "${chain_prefix}"
	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"

	# Network Address Translation
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_DNAT"
	iptables "${protocol}" -t nat -A PREROUTING  -i "${zone}" -j "${chain_prefix}_DNAT"
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_SNAT"
	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"

	# UPnP
	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_UPNP"
	iptables "${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"

	return ${EXIT_OK}
}

function firewall_parse_rules() {
	local file=${1}
	assert isset file
	shift

	# End if no rule file exists.
	[ -r "${file}" ] || return ${EXIT_OK}

	local cmd

	local ${FIREWALL_RULES_CONFIG_PARAMS}
	local line
	while read -r line; do
		# Skip empty lines.
		[ -n "${line}" ] || continue

		# Skip commented lines.
		[ "${line:0:1}" = "#" ] && continue

		# Parse the rule.
		_firewall_parse_rule_line ${line}
		if [ $? -ne ${EXIT_OK} ]; then
			log WARNING "Skipping invalid line: ${line}"
			continue
		fi

		cmd="iptables $@"

		# Source IP address/net.
		if isset src; then
			list_append cmd "-s ${src}"
		fi

		# Destination IP address/net.
		if isset dst; then
			list_append cmd "-d ${dst}"
		fi

		# Protocol.
		if isset proto; then
			list_append cmd "-p ${proto}"

			if list_match ${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
				if isset sport; then
					list_append cmd "--sport ${sport}"
				fi

				if isset dport; then
					list_append cmd "--dport ${dport}"
				fi
			fi
		fi

		# Always append the action.
		list_append cmd "-j ${action}"

		# Execute command.
		${cmd}
	done < ${file}
}

function _firewall_parse_rule_line() {
	local arg

	# Clear all values.
	for arg in ${FIREWALL_RULES_CONFIG_PARAMS}; do
		assign "${arg}" ""
	done

	local key val
	while read -r arg; do
		key=$(cli_get_key ${arg})

		if ! listmatch "${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
			log WARNING "Unrecognized argument: ${arg}"
			return ${EXIT_ERROR}
		fi

		val=$(cli_get_val ${arg})
		assign "${key}" "${val}"
	done <<< "$(args $@)"

	# action must always be set.
	if ! isset action; then
		log WARNING "'action' is not set: $@"
		return ${EXIT_ERROR}
	fi

	for arg in src dst; do
		isset ${arg} || continue

		# Check for valid IP addresses.
		if ! ip_is_valid ${!arg}; then
			log WARNING "Invalid IP address for '${arg}=${!arg}': $@"
			return ${EXIT_ERROR}
		fi
	done

	if isset proto; then
		# Make lowercase.
		proto=${proto,,}

		if ! list_match "${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
			log WARNING "Unsupported protocol type 'proto=${proto}': $@"
			return ${EXIT_ERROR}
		fi
	fi

	for arg in sport dport; do
		isset ${arg} || continue

		# Check if port is valid.
		if ! isinteger ${arg}; then
			log WARNING "Invalid port '${arg}=${!arg}': $@"
			return ${EXIT_ERROR}
		fi
	done

	return ${EXIT_OK}
}
Commit	Line	Data
98146c00 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	# High-level function which will create a ruleset for the current firewall
	23	# configuration and load it into the kernel.
	24	function firewall_start() {
fe52c5e0 MT	25	local protocol="${1}"
	26	assert isset protocol
	27	shift
	28
afb7d704 MT	29	# Test mode.
	30	local test="false"
	31
	32	while [ $# -gt 0 ]; do
	33	case "${1}" in
	34	--test)
	35	test="true"
	36	;;
b4fc59c7 MT	37	*)
	38	error "Unrecognized argument: ${1}"
	39	return ${EXIT_ERROR}
	40	;;
afb7d704 MT	41	esac
	42	shift
	43	done
	44
	45	if enabled test; then
	46	log INFO "Test mode enabled."
	47	log INFO "The firewall ruleset will not be loaded."
	48	fi
	49
98146c00 MT	50	firewall_lock_acquire
	51
	52	# Initialize an empty iptables ruleset.
fe52c5e0	53	iptables_init "${protocol}" "DROP"
98146c00 MT	54
98146c00 MT	55	# Add default chains.
a7e23f3c	56	firewall_filter_rh0_headers "${protocol}"
fe52c5e0 MT	57	firewall_tcp_state_flags "${protocol}"
	58	firewall_custom_chains "${protocol}"
	59	firewall_connection_tracking "${protocol}"
	60	firewall_tcp_clamp_mss "${protocol}"
98146c00 MT	61
98146c00 MT	62	# Add policies for every zone.
fe52c5e0	63	firewall_localhost_create_chains "${protocol}"
98146c00 MT	64
	65	local zone
	66	for zone in $(zones_get_all); do
a2c9dff5	67	# Create all needed chains for the zone.
fe52c5e0	68	firewall_zone_create_chains "${protocol}" "${zone}"
a2c9dff5 MT	69
	70	# After the chains that are always available have been
	71	# created, we will add a custom policy to every single
	72	# zone.
	73
fe52c5e0	74	policy_zone_add "${protocol}" "${zone}"
98146c00 MT	75	done
98146c00 MT	76
afb7d704	77	# Load the new ruleset.
fe52c5e0 MT	78	local args
	79	if enabled testmode; then
	80	list_append args "--test"
	81	fi
	82	iptables_commit "${protocol}" ${args}
98146c00 MT	83
	84	firewall_lock_release
	85	}
	86
	87	function firewall_stop() {
fe52c5e0 MT	88	local protocol="${1}"
	89	assert isset protocol
	90
98146c00 MT	91	firewall_lock_acquire
	92
	93	# Initialize an empty firewall ruleset
	94	# with default policy ACCEPT.
fe52c5e0	95	iptables_init "${protocol}" ACCEPT
98146c00	96
afb7d704	97	# Load it.
fe52c5e0	98	ipables_load "${protocol}"
afb7d704 MT	99
	100	firewall_lock_release
	101	}
	102
	103	function firewall_show() {
fe52c5e0 MT	104	local protocol="${1}"
	105	assert isset protocol
	106
afb7d704	107	# Shows the ruleset that is currently loaded.
fe52c5e0	108	iptables_status "${protocol}"
afb7d704 MT	109
	110	return ${EXIT_OK}
	111	}
	112
	113	function firewall_panic() {
fe52c5e0 MT	114	local protocol="${1}"
	115	assert isset protocol
	116	shift
	117
afb7d704 MT	118	local admin_hosts="$@"
afb7d704 MT	119
fe52c5e0	120	firewall_lock_acquire "${protocol}"
afb7d704 MT	121
afb7d704 MT	122	# Drop all communications.
fe52c5e0	123	iptables_init "${protocol}" DROP
afb7d704 MT	124
	125	# If an admin host is provided, some administrative
	126	# things will be allowed from there.
	127	local admin_host
	128	for admin_host in ${admin_hosts}; do
fe52c5e0 MT	129	iptables "${protocol}" -A INPUT -s "${admin_host}" -j ACCEPT
fe52c5e0 MT	130	iptables "${protocol}" -A OUTPUT -d "${admin_host}" -j ACCEPT
afb7d704 MT	131	done
	132
	133	# Load it.
fe52c5e0	134	iptables_commit "${protocol}"
98146c00 MT	135
	136	firewall_lock_release
	137	}
	138
	139	function firewall_lock_acquire() {
	140	lock_acquire ${RUN_DIR}/.firewall_lock
	141
	142	# Make sure the lock is released after the firewall
	143	# script has crashed or exited early.
	144	trap firewall_lock_release EXIT TERM KILL
	145
	146	# Create a directory where we can put our
	147	# temporary data in the most secure way as possible.
	148	IPTABLES_TMPDIR=$(mktemp -d)
	149	}
	150
	151	function firewall_lock_release() {
	152	if isset IPTABLES_TMPDIR; then
	153	# Remove all temporary data.
	154	rm -rf ${IPTABLES_TMPDIR}
	155
	156	# Reset the tempdir variable.
	157	IPTABLES_TMPDIR=
	158	fi
	159
	160	# Reset the trap.
	161	trap true EXIT TERM KILL
	162
	163	lock_release ${RUN_DIR}/.firewall_lock
	164	}
	165
3b256a38	166	function firewall_custom_chains() {
fe52c5e0 MT	167	local protocol="${1}"
	168	assert isset protocol
	169
3b256a38 MT	170	log INFO "Creating CUSTOM* chains..."
	171
	172	# These chains are intened to be filled with
	173	# rules by the user. They are processed at the very
	174	# beginning so it is possible to overwrite everything.
	175
fe52c5e0 MT	176	iptables_chain_create "${protocol}" CUSTOMINPUT
fe52c5e0 MT	177	iptables "${protocol}" -A INPUT -j CUSTOMINPUT
3b256a38	178
fe52c5e0 MT	179	iptables_chain_create "${protocol}" CUSTOMFORWARD
fe52c5e0 MT	180	iptables "${protocol}" -A FORWARD -j CUSTOMFORWARD
3b256a38	181
fe52c5e0 MT	182	iptables_chain_create "${protocol}" CUSTOMOUTPUT
fe52c5e0 MT	183	iptables "${protocol}" -A OUTPUT -j CUSTOMOUTPUT
3b256a38	184
fe52c5e0 MT	185	iptables_chain_create "${protocol}" -t nat CUSTOMPREROUTING
fe52c5e0 MT	186	iptables "${protocol}" -t nat -A PREROUTING -j CUSTOMPREROUTING
3b256a38	187
fe52c5e0 MT	188	iptables_chain_create "${protocol}" -t nat CUSTOMPOSTROUTING
fe52c5e0 MT	189	iptables "${protocol}" -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
3b256a38	190
fe52c5e0 MT	191	iptables_chain_create "${protocol}" -t nat CUSTOMOUTPUT
fe52c5e0 MT	192	iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT
3b256a38 MT	193	}
3b256a38 MT	194
98146c00	195	function firewall_tcp_state_flags() {
fe52c5e0 MT	196	local protocol="${1}"
	197	assert isset protocol
	198
98146c00	199	log INFO "Creating TCP State Flags chain..."
fe52c5e0 MT	200
	201	iptables_chain_create "${protocol}" BADTCP_LOG
	202	iptables "${protocol}" -A BADTCP_LOG -p tcp -j "$(iptables_LOG "Illegal TCP state: ")"
	203	iptables "${protocol}" -A BADTCP_LOG -j DROP
	204
	205	iptables_chain_create "${protocol}" BADTCP
	206	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	207	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	208	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	209	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	210	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
	211	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
	212	iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
	213
	214	iptables "${protocol}" -A INPUT -p tcp -j BADTCP
	215	iptables "${protocol}" -A OUTPUT -p tcp -j BADTCP
	216	iptables "${protocol}" -A FORWARD -p tcp -j BADTCP
98146c00 MT	217	}
98146c00 MT	218
c2d2d2a9	219	function firewall_tcp_clamp_mss() {
fc323fc4 MT	220	# Do nothing if this has been disabled.
	221	enabled FIREWALL_CLAMP_PATH_MTU \|\| return ${EXIT_OK}
	222
fe52c5e0 MT	223	local protocol="${1}"
	224	assert isset protocol
	225
c2d2d2a9	226	log DEBUG "Adding rules to clamp MSS to path MTU..."
fe52c5e0 MT	227
fe52c5e0 MT	228	iptables "${protocol}" -t mangle -A FORWARD \
c2d2d2a9 MT	229	-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	230	}
	231
98146c00	232	function firewall_connection_tracking() {
fe52c5e0 MT	233	local protocol="${1}"
	234	assert isset protocol
	235
98146c00	236	log INFO "Creating Connection Tracking chain..."
fe52c5e0 MT	237
fe52c5e0 MT	238	iptables_chain_create "${protocol}" CONNTRACK
85b52db6 MT	239	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	240	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j "$(iptables_LOG "INVALID packet: ")"
	241	iptables "${protocol}" -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
fe52c5e0 MT	242
	243	iptables "${protocol}" -A INPUT -j CONNTRACK
	244	iptables "${protocol}" -A OUTPUT -j CONNTRACK
	245	iptables "${protocol}" -A FORWARD -j CONNTRACK
98146c00	246	}
3647b19f	247
a2c9dff5	248	function firewall_localhost_create_chains() {
fe52c5e0 MT	249	local protocol="${1}"
	250	assert isset protocol
	251
a2c9dff5 MT	252	log DEBUG "Creating firewall chains for localhost..."
	253
	254	# Accept everything on lo
fe9bf26b MT	255	iptables "${protocol}" -A INPUT -i lo -j ACCEPT
fe9bf26b MT	256	iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
a2c9dff5 MT	257	}
a2c9dff5 MT	258
a7e23f3c MT	259	function firewall_filter_rh0_headers() {
	260	local protocol="${1}"
	261	assert isset protocol
	262
	263	# Only IPv6.
	264	[ "${protocol}" = "ipv6" ] \|\| return ${EXIT_OK}
	265
	266	# Filter all packets that have RH0 headers
	267	# http://www.ietf.org/rfc/rfc5095.txt
	268	iptables_chain_create "${protocol}" FILTER_RH0
	269	iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP
	270
	271	iptables "${protocol}" -A INPUT -j FILTER_RH0
	272	iptables "${protocol}" -A FORWARD -j FILTER_RH0
	273	iptables "${protocol}" -A OUTPUT -j FILTER_RH0
	274	}
	275
a2c9dff5	276	function firewall_zone_create_chains() {
fe52c5e0 MT	277	local protocol="${1}"
	278	assert isset protocol
	279
	280	local zone="${2}"
a2c9dff5 MT	281	assert isset zone
	282
	283	log DEBUG "Creating firewall chains for zone '${zone}'."
	284
	285	local chain_prefix="ZONE_${zone^^}"
	286
	287	# Create filter chains.
fe52c5e0 MT	288	iptables_chain_create "${protocol}" "${chain_prefix}_INPUT"
fe52c5e0 MT	289	iptables "${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT"
a2c9dff5	290
fe52c5e0 MT	291	iptables_chain_create "${protocol}" "${chain_prefix}_OUTPUT"
fe52c5e0 MT	292	iptables "${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT"
a2c9dff5 MT	293
a2c9dff5 MT	294	# Custom rules.
fe52c5e0	295	iptables_chain_create "${protocol}" "${chain_prefix}_CUSTOM"
a2c9dff5 MT	296
a2c9dff5 MT	297	# Intrusion Prevention System.
fe52c5e0	298	iptables_chain_create "${protocol}" "${chain_prefix}_IPS"
a2c9dff5 MT	299
	300	# Create a chain for each other zone.
	301	# This leaves us with n^2 chains. Duh.
	302
	303	local other_zone other_chain_prefix
	304	for other_zone in $(zones_get_all); do
	305	other_chain_prefix="${chain_prefix}_${other_zone^^}"
fe52c5e0	306	iptables_chain_create "${protocol}" "${other_chain_prefix}"
a2c9dff5 MT	307
a2c9dff5 MT	308	# Connect the chain with the FORWARD chain.
fe52c5e0	309	iptables "${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
a2c9dff5 MT	310	-j "${other_chain_prefix}"
	311
	312	# Handle custom rules.
fe52c5e0	313	iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"
a2c9dff5 MT	314
a2c9dff5 MT	315	# Link IPS.
fe52c5e0	316	iptables "${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"
a2c9dff5 MT	317
a2c9dff5 MT	318	# Rules.
fe52c5e0 MT	319	iptables_chain_create "${protocol}" "${other_chain_prefix}_RULES"
fe52c5e0 MT	320	iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"
a2c9dff5 MT	321
a2c9dff5 MT	322	# Policy.
fe52c5e0 MT	323	iptables_chain_create "${protocol}" "${other_chain_prefix}_POLICY"
fe52c5e0 MT	324	iptables "${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
a2c9dff5 MT	325	done
	326
	327	## Create mangle chain.
fe52c5e0 MT	328	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
	329	#iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}"
	330	#iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
a2c9dff5 MT	331
a2c9dff5 MT	332	## Quality of Service
fe52c5e0 MT	333	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
	334	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
	335	#iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
	336	#iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"
a2c9dff5 MT	337
a2c9dff5 MT	338	# Create NAT chain.
fe52c5e0 MT	339	iptables_chain_create "${protocol}" -t nat "${chain_prefix}"
	340	iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}"
	341	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
a2c9dff5 MT	342
a2c9dff5 MT	343	# Network Address Translation
fe52c5e0 MT	344	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_DNAT"
	345	iptables "${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT"
	346	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_SNAT"
	347	iptables "${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"
a2c9dff5 MT	348
a2c9dff5 MT	349	# UPnP
fe52c5e0 MT	350	iptables_chain_create "${protocol}" -t nat "${chain_prefix}_UPNP"
fe52c5e0 MT	351	iptables "${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"
a2c9dff5 MT	352
	353	return ${EXIT_OK}
	354	}
	355
	356	function firewall_parse_rules() {
	357	local file=${1}
	358	assert isset file
3647b19f MT	359	shift
3647b19f MT	360
a2c9dff5 MT	361	# End if no rule file exists.
a2c9dff5 MT	362	[ -r "${file}" ] \|\| return ${EXIT_OK}
3647b19f	363
a2c9dff5 MT	364	local cmd
	365
	366	local ${FIREWALL_RULES_CONFIG_PARAMS}
	367	local line
	368	while read -r line; do
	369	# Skip empty lines.
	370	[ -n "${line}" ] \|\| continue
	371
	372	# Skip commented lines.
	373	[ "${line:0:1}" = "#" ] && continue
	374
	375	# Parse the rule.
	376	_firewall_parse_rule_line ${line}
	377	if [ $? -ne ${EXIT_OK} ]; then
	378	log WARNING "Skipping invalid line: ${line}"
	379	continue
	380	fi
	381
	382	cmd="iptables $@"
	383
	384	# Source IP address/net.
	385	if isset src; then
	386	list_append cmd "-s ${src}"
	387	fi
	388
	389	# Destination IP address/net.
	390	if isset dst; then
	391	list_append cmd "-d ${dst}"
	392	fi
	393
	394	# Protocol.
	395	if isset proto; then
	396	list_append cmd "-p ${proto}"
	397
	398	if list_match ${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
	399	if isset sport; then
	400	list_append cmd "--sport ${sport}"
	401	fi
	402
	403	if isset dport; then
	404	list_append cmd "--dport ${dport}"
	405	fi
	406	fi
	407	fi
	408
	409	# Always append the action.
	410	list_append cmd "-j ${action}"
	411
	412	# Execute command.
	413	${cmd}
	414	done < ${file}
	415	}
	416
	417	function _firewall_parse_rule_line() {
	418	local arg
	419
	420	# Clear all values.
	421	for arg in ${FIREWALL_RULES_CONFIG_PARAMS}; do
	422	assign "${arg}" ""
3647b19f MT	423	done
3647b19f MT	424
a2c9dff5 MT	425	local key val
	426	while read -r arg; do
	427	key=$(cli_get_key ${arg})
3647b19f	428
a2c9dff5 MT	429	if ! listmatch "${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
	430	log WARNING "Unrecognized argument: ${arg}"
	431	return ${EXIT_ERROR}
	432	fi
3647b19f	433
a2c9dff5 MT	434	val=$(cli_get_val ${arg})
	435	assign "${key}" "${val}"
	436	done <<< "$(args $@)"
	437
	438	# action must always be set.
	439	if ! isset action; then
	440	log WARNING "'action' is not set: $@"
	441	return ${EXIT_ERROR}
	442	fi
	443
	444	for arg in src dst; do
	445	isset ${arg} \|\| continue
	446
	447	# Check for valid IP addresses.
	448	if ! ip_is_valid ${!arg}; then
	449	log WARNING "Invalid IP address for '${arg}=${!arg}': $@"
	450	return ${EXIT_ERROR}
	451	fi
	452	done
	453
	454	if isset proto; then
	455	# Make lowercase.
	456	proto=${proto,,}
	457
	458	if ! list_match "${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
	459	log WARNING "Unsupported protocol type 'proto=${proto}': $@"
	460	return ${EXIT_ERROR}
	461	fi
	462	fi
	463
	464	for arg in sport dport; do
	465	isset ${arg} \|\| continue
	466
	467	# Check if port is valid.
	468	if ! isinteger ${arg}; then
	469	log WARNING "Invalid port '${arg}=${!arg}': $@"
	470	return ${EXIT_ERROR}
	471	fi
	472	done
	473
	474	return ${EXIT_OK}
3647b19f	475	}