[people/stevee/network.git] / functions.firewall

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
function firewall_start() {
	# Test mode.
	local test="false"

	while [ $# -gt 0 ]; do
		case "${1}" in
			--test)
				test="true"
				;;
		esac
		shift
	done

	if enabled test; then
		log INFO "Test mode enabled."
		log INFO "The firewall ruleset will not be loaded."
	fi

	firewall_lock_acquire

	# Initialize an empty iptables ruleset.
	iptables_init DROP

	# Add default chains.
	firewall_tcp_state_flags
	firewall_connection_tracking

	# Add policies for every zone.
	policy_add_localhost

	local zone
	for zone in $(zones_get_all); do
		policy_add_zone ${zone}
	done

	# Load the new ruleset.
	iptables_load ${test}

	firewall_lock_release
}

function firewall_stop() {
	firewall_lock_acquire

	# Initialize an empty firewall ruleset
	# with default policy ACCEPT.
	iptables_init ACCEPT

	# Load it.
	iptables_load

	firewall_lock_release
}

function firewall_show() {
	# Shows the ruleset that is currently loaded.
	iptables_status

	return ${EXIT_OK}
}

function firewall_panic() {
	local admin_hosts="$@"

	firewall_lock_acquire

	# Drop all communications.
	iptables_init DROP

	# If an admin host is provided, some administrative
	# things will be allowed from there.
	local admin_host
	for admin_host in ${admin_hosts}; do
		iptables -A INPUT -s ${admin_host} -j ACCEPT
		iptables -A OUTPUT -d ${admin_host} -j ACCEPT
	done

	# Load it.
	iptables_load

	firewall_lock_release
}

function firewall_lock_acquire() {
	lock_acquire ${RUN_DIR}/.firewall_lock

	# Make sure the lock is released after the firewall
	# script has crashed or exited early.
	trap firewall_lock_release EXIT TERM KILL

	# Create a directory where we can put our
	# temporary data in the most secure way as possible.
	IPTABLES_TMPDIR=$(mktemp -d)
}

function firewall_lock_release() {
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data.
		rm -rf ${IPTABLES_TMPDIR}

		# Reset the tempdir variable.
		IPTABLES_TMPDIR=
	fi

	# Reset the trap.
	trap true EXIT TERM KILL

	lock_release ${RUN_DIR}/.firewall_lock
}

function firewall_tcp_state_flags() {
	log INFO "Creating TCP State Flags chain..."
	iptables_chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	iptables_chain_create BADTCP
	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN     -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH     -j BADTCP_LOG
	iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG     -j BADTCP_LOG

	iptables -A INPUT   -p tcp -j BADTCP
	iptables -A OUTPUT  -p tcp -j BADTCP
	iptables -A FORWARD -p tcp -j BADTCP
}

function firewall_connection_tracking() {
	log INFO "Creating Connection Tracking chain..."
	iptables_chain_create CONNTRACK
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	iptables -A INPUT   -j CONNTRACK
	iptables -A OUTPUT  -j CONNTRACK
	iptables -A FORWARD -j CONNTRACK
}

function firewall_import_rules() {
	local zone=${1}
	shift

	local protocol="ipv6"
	local table="filter"

	while [ $# -gt 0 ]; do
		case "${1}" in
			--table=*)
				table=$(cli_get_val ${1})
				;;
			--protocol=*)
				protocol=$(cli_get_val ${1})
				;;
		esac
	done

	assert isoneof protocol ipv4 ipv6
	assert isoneof table $(iptables_table ${protocol})

	# XXX TODO

	local src dst proto
	while read src dst proto; do
		case "${chain}" in
			filter)
				;;
			nat)
				;;
		esac
	done < ${FIREWALL_CONFIG_RULES}
}
Commit	Line	Data
98146c00 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	# High-level function which will create a ruleset for the current firewall
	23	# configuration and load it into the kernel.
	24	function firewall_start() {
afb7d704 MT	25	# Test mode.
	26	local test="false"
	27
	28	while [ $# -gt 0 ]; do
	29	case "${1}" in
	30	--test)
	31	test="true"
	32	;;
	33	esac
	34	shift
	35	done
	36
	37	if enabled test; then
	38	log INFO "Test mode enabled."
	39	log INFO "The firewall ruleset will not be loaded."
	40	fi
	41
98146c00 MT	42	firewall_lock_acquire
	43
	44	# Initialize an empty iptables ruleset.
	45	iptables_init DROP
	46
	47	# Add default chains.
	48	firewall_tcp_state_flags
	49	firewall_connection_tracking
	50
	51	# Add policies for every zone.
	52	policy_add_localhost
	53
	54	local zone
	55	for zone in $(zones_get_all); do
	56	policy_add_zone ${zone}
	57	done
	58
afb7d704 MT	59	# Load the new ruleset.
afb7d704 MT	60	iptables_load ${test}
98146c00 MT	61
	62	firewall_lock_release
	63	}
	64
	65	function firewall_stop() {
	66	firewall_lock_acquire
	67
	68	# Initialize an empty firewall ruleset
	69	# with default policy ACCEPT.
	70	iptables_init ACCEPT
	71
afb7d704 MT	72	# Load it.
	73	iptables_load
	74
	75	firewall_lock_release
	76	}
	77
	78	function firewall_show() {
	79	# Shows the ruleset that is currently loaded.
	80	iptables_status
	81
	82	return ${EXIT_OK}
	83	}
	84
	85	function firewall_panic() {
	86	local admin_hosts="$@"
	87
	88	firewall_lock_acquire
	89
	90	# Drop all communications.
	91	iptables_init DROP
	92
	93	# If an admin host is provided, some administrative
	94	# things will be allowed from there.
	95	local admin_host
	96	for admin_host in ${admin_hosts}; do
	97	iptables -A INPUT -s ${admin_host} -j ACCEPT
	98	iptables -A OUTPUT -d ${admin_host} -j ACCEPT
	99	done
	100
	101	# Load it.
	102	iptables_load
98146c00 MT	103
	104	firewall_lock_release
	105	}
	106
	107	function firewall_lock_acquire() {
	108	lock_acquire ${RUN_DIR}/.firewall_lock
	109
	110	# Make sure the lock is released after the firewall
	111	# script has crashed or exited early.
	112	trap firewall_lock_release EXIT TERM KILL
	113
	114	# Create a directory where we can put our
	115	# temporary data in the most secure way as possible.
	116	IPTABLES_TMPDIR=$(mktemp -d)
	117	}
	118
	119	function firewall_lock_release() {
	120	if isset IPTABLES_TMPDIR; then
	121	# Remove all temporary data.
	122	rm -rf ${IPTABLES_TMPDIR}
	123
	124	# Reset the tempdir variable.
	125	IPTABLES_TMPDIR=
	126	fi
	127
	128	# Reset the trap.
	129	trap true EXIT TERM KILL
	130
	131	lock_release ${RUN_DIR}/.firewall_lock
	132	}
	133
	134	function firewall_tcp_state_flags() {
	135	log INFO "Creating TCP State Flags chain..."
	136	iptables_chain_create BADTCP_LOG
	137	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	138	iptables -A BADTCP_LOG -j DROP
	139
	140	iptables_chain_create BADTCP
	141	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
	142	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
	143	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
	144	iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
	145	iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
	146	iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
	147	iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
	148
	149	iptables -A INPUT -p tcp -j BADTCP
	150	iptables -A OUTPUT -p tcp -j BADTCP
	151	iptables -A FORWARD -p tcp -j BADTCP
	152	}
	153
	154	function firewall_connection_tracking() {
	155	log INFO "Creating Connection Tracking chain..."
	156	iptables_chain_create CONNTRACK
	157	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	158	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	159	iptables -A CONNTRACK -m state --state INVALID -j DROP
	160
	161	iptables -A INPUT -j CONNTRACK
	162	iptables -A OUTPUT -j CONNTRACK
	163	iptables -A FORWARD -j CONNTRACK
	164	}
3647b19f	165
afb7d704	166	function firewall_import_rules() {
3647b19f MT	167	local zone=${1}
	168	shift
	169
	170	local protocol="ipv6"
afb7d704	171	local table="filter"
3647b19f MT	172
	173	while [ $# -gt 0 ]; do
	174	case "${1}" in
afb7d704 MT	175	--table=*)
afb7d704 MT	176	table=$(cli_get_val ${1})
3647b19f MT	177	;;
	178	--protocol=*)
	179	protocol=$(cli_get_val ${1})
	180	;;
	181	esac
	182	done
	183
	184	assert isoneof protocol ipv4 ipv6
afb7d704	185	assert isoneof table $(iptables_table ${protocol})
3647b19f MT	186
	187	# XXX TODO
	188
	189	local src dst proto
	190	while read src dst proto; do
	191	case "${chain}" in
	192	filter)
	193	;;
	194	nat)
	195	;;
	196	esac
afb7d704	197	done < ${FIREWALL_CONFIG_RULES}
3647b19f	198	}