[people/stevee/network.git] / functions.iptables

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

function iptables() {
	local arg
	local args
	local table

	# Check if the directory where we put our rules in is set and
	# exists.
	assert isset IPTABLES_TMPDIR
	assert [ -d "${IPTABLES_TMPDIR}" ]

	table=filter

	# Parsing arguments
	while [ $# -gt 0 ]; do
		case "${1}" in
			-t)
				table=${2}
				shift 2
				;;
			-A)
				args="${args} -A ${2^^}"
				shift 2
				;;
			*)
				args="${args} ${1}"
				shift
				;;
		esac
	done

	echo "${args:1:${#args}}" >> ${IPTABLES_TMPDIR}/${table}
}

function iptables_init() {
	local policy=${1}
	assert isoneof policy ACCEPT DROP

	iptables "* filter"
	iptables_chain_create -t filter INPUT       ${policy}
	iptables_chain_create -t filter OUTPUT      ${policy}
	iptables_chain_create -t filter FORWARD     ${policy}

	iptables -t mangle "* mangle"
	iptables_chain_create -t mangle PREROUTING  ACCEPT
	iptables_chain_create -t mangle INPUT       ACCEPT
	iptables_chain_create -t mangle OUTPUT      ACCEPT
	iptables_chain_create -t mangle FORWARD     ACCEPT
	iptables_chain_create -t mangle POSTROUTING ACCEPT

	iptables -t nat "* nat"
	iptables_chain_create -t nat    PREROUTING  ACCEPT
	iptables_chain_create -t nat    OUTPUT      ACCEPT
	iptables_chain_create -t nat    POSTROUTING ACCEPT
}

function iptables_commit() {
	local chain

	# Check if the directory where we put our rules in is set and
	# exists.
	assert isset IPTABLES_TMPDIR
	assert [ -d "${IPTABLES_TMPDIR}" ]

	log INFO "Committing firewall configuration..."
	iptables -t filter "COMMIT"
	iptables -t mangle "COMMIT"
	iptables -t nat    "COMMIT"

	local iptables_ruleset="${IPTABLES_TMPDIR}/commit"
	: > ${iptables_ruleset}

	# Concat the rules for every chain into one file.
	local table
	for table in filter mangle nat; do
		cat ${IPTABLES_TMPDIR}/${table} \
			>> ${iptables_ruleset} 2>/dev/null
	done

	log DEBUG "Dumping iptables ruleset"
	local counter=1
	local line
	while read line; do
		line=$(printf "%4d | %s\n" "${counter}" "${line}")
		log DEBUG "${line}"

		counter=$(( $counter + 1 ))
	done < ${iptables_ruleset}
	
	iptables-restore < ${iptables_ruleset}
}

function iptables_chain_create() {
	local args
	if [ "${1}" = "-t" ]; then
		args="${1} ${2}"
		shift 2
	fi

	iptables ${args} ":$1 ${2--} [0:0]"
}

function iptables_LOG() {
	local prefix=${1}

	if [ "${FIREWALL_LOG_FACILITY}" = "syslog" ]; then
		echo -n "LOG"
		[ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
	else
		echo -n "NFLOG"
		[ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
		echo -n " --nflog-threshold 30"
	fi
	echo
}

function iptables_protocol() {
	local PROTO
	PROTO=$1
	for proto in tcp udp esp ah; do
		if [ "$PROTO" = "$proto" ]; then
			echo "-p $PROTO"
			break
		fi
	done
}

IPTABLES_PORT=0
IPTABLES_MULTIPORT=1
IPTABLES_PORTRANGE=2

function _iptables_port_range() {
	grep -q ":" <<< $@
}

function _iptables_port_multiport() {
	grep -q "," <<< $@
}

function _iptables_port() {
	if _iptables_port_range "$@"; then
		echo $IPTABLES_PORTRANGE
	elif _iptables_port_multiport "$@"; then
		echo $IPTABLES_MULTIPORT
	else
		echo $IPTABLES_PORT
	fi
}

function iptables_source_port() {
	[ -z "$@" ] && return
	local type
	type=$(_iptables_port $@)
	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
		echo "-m multiport --source-ports $@"
	else
		echo "--sport $@"
	fi
}

function iptables_destination_port() {
	[ -z "$@" ] && return
	local type
	type=$(_iptables_port $@)
	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
		echo "-m multiport --destination-ports $@"
	else
		echo "--dport $@"
	fi
}
Commit	Line	Data
98146c00 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	function iptables() {
	23	local arg
	24	local args
	25	local table
	26
	27	# Check if the directory where we put our rules in is set and
	28	# exists.
	29	assert isset IPTABLES_TMPDIR
	30	assert [ -d "${IPTABLES_TMPDIR}" ]
	31
	32	table=filter
	33
	34	# Parsing arguments
	35	while [ $# -gt 0 ]; do
	36	case "${1}" in
	37	-t)
	38	table=${2}
	39	shift 2
	40	;;
	41	-A)
	42	args="${args} -A ${2^^}"
	43	shift 2
	44	;;
	45	*)
	46	args="${args} ${1}"
	47	shift
	48	;;
	49	esac
	50	done
	51
	52	echo "${args:1:${#args}}" >> ${IPTABLES_TMPDIR}/${table}
	53	}
	54
	55	function iptables_init() {
	56	local policy=${1}
	57	assert isoneof policy ACCEPT DROP
	58
	59	iptables "* filter"
	60	iptables_chain_create -t filter INPUT ${policy}
	61	iptables_chain_create -t filter OUTPUT ${policy}
	62	iptables_chain_create -t filter FORWARD ${policy}
	63
	64	iptables -t mangle "* mangle"
65	iptables_chain_create -t mangle PREROUTING ACCEPT
66	iptables_chain_create -t mangle INPUT ACCEPT
67	iptables_chain_create -t mangle OUTPUT ACCEPT
68	iptables_chain_create -t mangle FORWARD ACCEPT
69	iptables_chain_create -t mangle POSTROUTING ACCEPT
70
71	iptables -t nat "* nat"
72	iptables_chain_create -t nat PREROUTING ACCEPT
73	iptables_chain_create -t nat OUTPUT ACCEPT
74	iptables_chain_create -t nat POSTROUTING ACCEPT
75	}
76
77	function iptables_commit() {
78	local chain
79
80	# Check if the directory where we put our rules in is set and
81	# exists.
82	assert isset IPTABLES_TMPDIR
83	assert [ -d "${IPTABLES_TMPDIR}" ]
84
85	log INFO "Committing firewall configuration..."
86	iptables -t filter "COMMIT"
87	iptables -t mangle "COMMIT"
88	iptables -t nat "COMMIT"
89
90	local iptables_ruleset="${IPTABLES_TMPDIR}/commit"
91	: > ${iptables_ruleset}
92
93	# Concat the rules for every chain into one file.
94	local table
95	for table in filter mangle nat; do
96	cat ${IPTABLES_TMPDIR}/${table} \
97	>> ${iptables_ruleset} 2>/dev/null
98	done
99
100	log DEBUG "Dumping iptables ruleset"
101	local counter=1
102	local line
103	while read line; do
104	line=$(printf "%4d \| %s\n" "${counter}" "${line}")
105	log DEBUG "${line}"
106
107	counter=$(( $counter + 1 ))
108	done < ${iptables_ruleset}
109
110	iptables-restore < ${iptables_ruleset}
111	}
112
113	function iptables_chain_create() {
114	local args
115	if [ "${1}" = "-t" ]; then
116	args="${1} ${2}"
117	shift 2
118	fi
119
120	iptables ${args} ":$1 ${2--} [0:0]"
121	}
122
123	function iptables_LOG() {
124	local prefix=${1}
125
126	if [ "${FIREWALL_LOG_FACILITY}" = "syslog" ]; then
127	echo -n "LOG"
128	[ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
129	else
130	echo -n "NFLOG"
131	[ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
132	echo -n " --nflog-threshold 30"
133	fi
134	echo
135	}
136
137	function iptables_protocol() {
138	local PROTO
139	PROTO=$1
140	for proto in tcp udp esp ah; do
141	if [ "$PROTO" = "$proto" ]; then
142	echo "-p $PROTO"
143	break
144	fi
145	done
146	}
147
148	IPTABLES_PORT=0
149	IPTABLES_MULTIPORT=1
150	IPTABLES_PORTRANGE=2
151
152	function _iptables_port_range() {
153	grep -q ":" <<< $@
154	}
155
156	function _iptables_port_multiport() {
157	grep -q "," <<< $@
158	}
159
160	function _iptables_port() {
161	if _iptables_port_range "$@"; then
162	echo $IPTABLES_PORTRANGE
163	elif _iptables_port_multiport "$@"; then
164	echo $IPTABLES_MULTIPORT
165	else
166	echo $IPTABLES_PORT
167	fi
168	}
169
170	function iptables_source_port() {
171	[ -z "$@" ] && return
172	local type
173	type=$(_iptables_port $@)
174	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
175	echo "-m multiport --source-ports $@"
176	else
177	echo "--sport $@"
178	fi
179	}
180
181	function iptables_destination_port() {
182	[ -z "$@" ] && return
183	local type
184	type=$(_iptables_port $@)
185	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
186	echo "-m multiport --destination-ports $@"
187	else
188	echo "--dport $@"
189	fi
190	}