1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
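# Queue one rule for the later iptables-restore run.
#
# Shadows the iptables(8) binary for the rest of this file: instead of
# applying the rule immediately, the arguments are appended as one line to
# ${IPTABLES_TMPDIR}/<table>, which iptables_commit later concatenates and
# feeds to iptables-restore.
#
#   -t <table>   selects the per-table file (default: filter); the option
#                itself is consumed and not written out.
#   -A <chain>   is written with the chain name converted to upper case.
#   anything else is passed through verbatim, separated by single spaces.
#
# Requires IPTABLES_TMPDIR to be set and to be an existing directory.
function iptables() {
	local args=""
	local table

	# Check if the directory where we put our rules in is set and
	# exists.
	assert isset IPTABLES_TMPDIR
	assert [ -d "${IPTABLES_TMPDIR}" ]

	table=filter

	# Parsing arguments
	while [ $# -gt 0 ]; do
		case "${1}" in
			-t)
				table=${2}
				# Two single shifts: "shift 2" with only one
				# argument left shifts nothing and the loop
				# would never terminate.
				shift; shift
				;;
			-A)
				# Chain names are written in upper case.
				args="${args} -A ${2^^}"
				shift; shift
				;;
			*)
				args="${args} ${1}"
				shift
				;;
		esac
	done

	# Drop the leading separator.  printf instead of echo so a line
	# that happens to look like an echo option is still written out;
	# the path is quoted so a tmpdir with spaces cannot split the
	# redirection target.
	printf '%s\n' "${args:1}" >> "${IPTABLES_TMPDIR}/${table}"
}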
54 | ||
# Start a fresh ruleset: declare the filter, mangle and nat tables and
# create their built-in chains.  The filter chains get the requested
# default policy (ACCEPT or DROP); every other built-in chain is ACCEPT.
function iptables_init() {
	local policy=${1}
	assert isoneof policy ACCEPT DROP

	local chain

	# filter is the only table whose policy the caller controls.
	iptables -t filter "* filter"
	for chain in INPUT OUTPUT FORWARD; do
		iptables_chain_create -t filter "${chain}" ${policy}
	done

	iptables -t mangle "* mangle"
	for chain in PREROUTING INPUT OUTPUT FORWARD POSTROUTING; do
		iptables_chain_create -t mangle "${chain}" ACCEPT
	done

	iptables -t nat "* nat"
	for chain in PREROUTING OUTPUT POSTROUTING; do
		iptables_chain_create -t nat "${chain}" ACCEPT
	done
}
76 | ||
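# Load the queued rules into the kernel.
#
# Terminates each table's file with COMMIT, concatenates filter, mangle
# and nat into ${IPTABLES_TMPDIR}/commit, logs the result line by line at
# DEBUG level and finally hands it to iptables-restore.  The return value
# is the exit status of iptables-restore.
#
# Requires IPTABLES_TMPDIR to be set and to be an existing directory.
function iptables_commit() {
	# Check if the directory where we put our rules in is set and
	# exists.
	assert isset IPTABLES_TMPDIR
	assert [ -d "${IPTABLES_TMPDIR}" ]

	log INFO "Committing firewall configuration..."
	iptables -t filter "COMMIT"
	iptables -t mangle "COMMIT"
	iptables -t nat "COMMIT"

	local iptables_ruleset="${IPTABLES_TMPDIR}/commit"
	: > "${iptables_ruleset}"

	# Concat the rules for every chain into one file.
	local table
	for table in filter mangle nat; do
		cat "${IPTABLES_TMPDIR}/${table}" \
			>> "${iptables_ruleset}" 2>/dev/null
	done

	log DEBUG "Dumping iptables ruleset"
	local counter=1
	local line
	# IFS= and -r keep each rule verbatim (leading whitespace and
	# backslashes) so the log shows exactly what iptables-restore reads.
	while IFS= read -r line; do
		log DEBUG "$(printf "%4d | %s" "${counter}" "${line}")"
		counter=$(( counter + 1 ))
	done < "${iptables_ruleset}"

	iptables-restore < "${iptables_ruleset}"
}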
112 | ||
# Queue a chain declaration ":<chain> <policy> [0:0]" for a table.
#
# Usage: iptables_chain_create [-t <table>] <chain> [<policy>]
# A missing policy is written as "-" (the iptables-restore notation for
# a chain without a default policy).
function iptables_chain_create() {
	local table_args=""
	case "${1}" in
		-t)
			table_args="${1} ${2}"
			shift 2
			;;
	esac

	# table_args stays unquoted on purpose: it must split into
	# "-t <table>" (or into nothing at all).
	iptables ${table_args} ":$1 ${2--} [0:0]"
}
122 | ||
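# Print the logging target for a rule, optionally with a log prefix.
#
# With FIREWALL_LOG_FACILITY=syslog this is the LOG target
# (--log-prefix), otherwise NFLOG (--nflog-prefix, --nflog-threshold 30).
#
# The prefix ends up inside double quotes on the rule line that
# iptables-restore later parses.  A double quote or a line break inside
# the prefix would end the quoted argument early and make the whole
# ruleset unparseable, so those characters are dropped from the prefix.
function iptables_LOG() {
	local prefix=${1}

	# Remove what cannot be represented inside the quoted argument.
	prefix="${prefix//\"/}"
	prefix="${prefix//$'\n'/}"

	if [ "${FIREWALL_LOG_FACILITY}" = "syslog" ]; then
		echo -n "LOG"
		if [ -n "${prefix}" ]; then
			echo -n " --log-prefix \"${prefix}\""
		fi
	else
		echo -n "NFLOG"
		if [ -n "${prefix}" ]; then
			echo -n " --nflog-prefix \"${prefix}\""
		fi
		echo -n " --nflog-threshold 30"
	fi
	echo
}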
136 | ||
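# Print "-p <proto>" when <proto> is one of tcp, udp, esp or ah; print
# nothing for any other value.
function iptables_protocol() {
	local PROTO="${1}"
	# Declared local so the loop variable does not leak into the
	# caller's scope.
	local proto

	for proto in tcp udp esp ah; do
		if [ "${PROTO}" = "${proto}" ]; then
			echo "-p ${PROTO}"
			break
		fi
	done
}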
147 | ||
# Classification of a port specification as reported by _iptables_port.
IPTABLES_PORT=0        # a single port
IPTABLES_MULTIPORT=1   # a comma-separated list of ports
IPTABLES_PORTRANGE=2   # a colon-separated port range
151 | ||
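# Succeed if the port specification (all arguments joined) contains a
# ":" and therefore denotes a port range.
function _iptables_port_range() {
	# A bash pattern test instead of grep: no external process, no
	# here-string, and no reliance on how an unquoted $@ is joined.
	[[ "$*" == *:* ]]
}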
155 | ||
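# Succeed if the port specification (all arguments joined) contains a
# "," and therefore denotes a list of ports.
function _iptables_port_multiport() {
	# A bash pattern test instead of grep: no external process, no
	# here-string, and no reliance on how an unquoted $@ is joined.
	[[ "$*" == *,* ]]
}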
159 | ||
# Print the IPTABLES_* constant describing a port specification.  A range
# (":") takes precedence over a list (","); everything else is a single
# port.
function _iptables_port() {
	local kind="${IPTABLES_PORT}"

	if _iptables_port_range "$@"; then
		kind="${IPTABLES_PORTRANGE}"
	elif _iptables_port_multiport "$@"; then
		kind="${IPTABLES_MULTIPORT}"
	fi

	echo "${kind}"
}
169 | ||
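# Print the source port match for a port specification, or nothing when
# the specification is empty: "-m multiport --source-ports <list>" for a
# comma-separated list, "--sport <spec>" for a single port or a range.
function iptables_source_port() {
	# "$*" joins all arguments into one word; "$@" would hand test(1)
	# several words and fail with "too many arguments".
	[ -z "$*" ] && return

	local type
	type=$(_iptables_port "$@")
	if [ "${type}" = "${IPTABLES_MULTIPORT}" ]; then
		echo "-m multiport --source-ports $@"
	else
		echo "--sport $@"
	fi
}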
180 | ||
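# Print the destination port match for a port specification, or nothing
# when the specification is empty: "-m multiport --destination-ports
# <list>" for a comma-separated list, "--dport <spec>" for a single port
# or a range.
function iptables_destination_port() {
	# "$*" joins all arguments into one word; "$@" would hand test(1)
	# several words and fail with "too many arguments".
	[ -z "$*" ] && return

	local type
	type=$(_iptables_port "$@")
	if [ "${type}" = "${IPTABLES_MULTIPORT}" ]; then
		echo "-m multiport --destination-ports $@"
	else
		echo "--dport $@"
	fi
}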