]>
Commit | Line | Data |
---|---|---|
98146c00 MT |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | # High-level function which will create a ruleset for the current firewall | |
23 | # configuration and load it into the kernel. | |
24 | function firewall_start() { | |
afb7d704 MT |
25 | # Test mode. |
26 | local test="false" | |
27 | ||
28 | while [ $# -gt 0 ]; do | |
29 | case "${1}" in | |
30 | --test) | |
31 | test="true" | |
32 | ;; | |
33 | esac | |
34 | shift | |
35 | done | |
36 | ||
37 | if enabled test; then | |
38 | log INFO "Test mode enabled." | |
39 | log INFO "The firewall ruleset will not be loaded." | |
40 | fi | |
41 | ||
98146c00 MT |
42 | firewall_lock_acquire |
43 | ||
44 | # Initialize an empty iptables ruleset. | |
45 | iptables_init DROP | |
46 | ||
47 | # Add default chains. | |
48 | firewall_tcp_state_flags | |
49 | firewall_connection_tracking | |
50 | ||
51 | # Add policies for every zone. | |
52 | policy_add_localhost | |
53 | ||
54 | local zone | |
55 | for zone in $(zones_get_all); do | |
56 | policy_add_zone ${zone} | |
57 | done | |
58 | ||
afb7d704 MT |
59 | # Load the new ruleset. |
60 | iptables_load ${test} | |
98146c00 MT |
61 | |
62 | firewall_lock_release | |
63 | } | |
64 | ||
65 | function firewall_stop() { | |
66 | firewall_lock_acquire | |
67 | ||
68 | # Initialize an empty firewall ruleset | |
69 | # with default policy ACCEPT. | |
70 | iptables_init ACCEPT | |
71 | ||
afb7d704 MT |
72 | # Load it. |
73 | iptables_load | |
74 | ||
75 | firewall_lock_release | |
76 | } | |
77 | ||
78 | function firewall_show() { | |
79 | # Shows the ruleset that is currently loaded. | |
80 | iptables_status | |
81 | ||
82 | return ${EXIT_OK} | |
83 | } | |
84 | ||
85 | function firewall_panic() { | |
86 | local admin_hosts="$@" | |
87 | ||
88 | firewall_lock_acquire | |
89 | ||
90 | # Drop all communications. | |
91 | iptables_init DROP | |
92 | ||
93 | # If an admin host is provided, some administrative | |
94 | # things will be allowed from there. | |
95 | local admin_host | |
96 | for admin_host in ${admin_hosts}; do | |
97 | iptables -A INPUT -s ${admin_host} -j ACCEPT | |
98 | iptables -A OUTPUT -d ${admin_host} -j ACCEPT | |
99 | done | |
100 | ||
101 | # Load it. | |
102 | iptables_load | |
98146c00 MT |
103 | |
104 | firewall_lock_release | |
105 | } | |
106 | ||
107 | function firewall_lock_acquire() { | |
108 | lock_acquire ${RUN_DIR}/.firewall_lock | |
109 | ||
110 | # Make sure the lock is released after the firewall | |
111 | # script has crashed or exited early. | |
112 | trap firewall_lock_release EXIT TERM KILL | |
113 | ||
114 | # Create a directory where we can put our | |
115 | # temporary data in the most secure way as possible. | |
116 | IPTABLES_TMPDIR=$(mktemp -d) | |
117 | } | |
118 | ||
119 | function firewall_lock_release() { | |
120 | if isset IPTABLES_TMPDIR; then | |
121 | # Remove all temporary data. | |
122 | rm -rf ${IPTABLES_TMPDIR} | |
123 | ||
124 | # Reset the tempdir variable. | |
125 | IPTABLES_TMPDIR= | |
126 | fi | |
127 | ||
128 | # Reset the trap. | |
129 | trap true EXIT TERM KILL | |
130 | ||
131 | lock_release ${RUN_DIR}/.firewall_lock | |
132 | } | |
133 | ||
134 | function firewall_tcp_state_flags() { | |
135 | log INFO "Creating TCP State Flags chain..." | |
136 | iptables_chain_create BADTCP_LOG | |
137 | iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ") | |
138 | iptables -A BADTCP_LOG -j DROP | |
139 | ||
140 | iptables_chain_create BADTCP | |
141 | iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG | |
142 | iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG | |
143 | iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG | |
144 | iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG | |
145 | iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG | |
146 | iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG | |
147 | iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG | |
148 | ||
149 | iptables -A INPUT -p tcp -j BADTCP | |
150 | iptables -A OUTPUT -p tcp -j BADTCP | |
151 | iptables -A FORWARD -p tcp -j BADTCP | |
152 | } | |
153 | ||
154 | function firewall_connection_tracking() { | |
155 | log INFO "Creating Connection Tracking chain..." | |
156 | iptables_chain_create CONNTRACK | |
157 | iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT | |
158 | iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ") | |
159 | iptables -A CONNTRACK -m state --state INVALID -j DROP | |
160 | ||
161 | iptables -A INPUT -j CONNTRACK | |
162 | iptables -A OUTPUT -j CONNTRACK | |
163 | iptables -A FORWARD -j CONNTRACK | |
164 | } | |
3647b19f | 165 | |
afb7d704 | 166 | function firewall_import_rules() { |
3647b19f MT |
167 | local zone=${1} |
168 | shift | |
169 | ||
170 | local protocol="ipv6" | |
afb7d704 | 171 | local table="filter" |
3647b19f MT |
172 | |
173 | while [ $# -gt 0 ]; do | |
174 | case "${1}" in | |
afb7d704 MT |
175 | --table=*) |
176 | table=$(cli_get_val ${1}) | |
3647b19f MT |
177 | ;; |
178 | --protocol=*) | |
179 | protocol=$(cli_get_val ${1}) | |
180 | ;; | |
181 | esac | |
182 | done | |
183 | ||
184 | assert isoneof protocol ipv4 ipv6 | |
afb7d704 | 185 | assert isoneof table $(iptables_table ${protocol}) |
3647b19f MT |
186 | |
187 | # XXX TODO | |
188 | ||
189 | local src dst proto | |
190 | while read src dst proto; do | |
191 | case "${chain}" in | |
192 | filter) | |
193 | ;; | |
194 | nat) | |
195 | ;; | |
196 | esac | |
afb7d704 | 197 | done < ${FIREWALL_CONFIG_RULES} |
3647b19f | 198 | } |