]> git.ipfire.org Git - people/stevee/network.git/blob - functions.iptables
projects / people / stevee / network.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Don't use connection tracking for loopback traffic.
[people/stevee/network.git] / functions.iptables
1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012-2013 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 IPTABLES_TABLES="filter mangle nat"
23
24 function iptables() {
25 local protocol="${1}"
26 assert isset protocol
27 shift
28
29 # Rules go to the filter table by default
30 local table="filter"
31
32 # Argument list
33 local args
34
35 # Cached arguments
36 local src dst
37
38 # Parsing arguments
39 while [ $# -gt 0 ]; do
40 case "${1}" in
41 # Filter to which table this rule should go.
42 -t)
43 table="${2}"
44 shift 2
45
46 assert isoneof table ${IPTABLES_TABLES}
47 ;;
48 *)
49 list_append args "${1}"
50
51 # Save some values for further processing.
52 case "${1}" in
53 -s)
54 src="${2}"
55 ;;
56 -d)
57 dst="${2}"
58 ;;
59 esac
60 shift
61 ;;
62 esac
63 done
64
65 assert isset action
66
67 # Check if given IP addresses or networks match the protocol version.
68 local src_proto
69 if isset src; then
70 src_proto="$(ip_detect_protocol ${src})"
71
72 assert [ "${protocol}" = "${src_proto}" ]
73 fi
74
75 local dst_proto
76 if isset dst; then
77 dst_proto="$(ip_detect_protocol ${dst})"
78
79 assert [ "${protocol}" = "${dst_proto}" ]
80 fi
81
82 # Check if the directory where we put our rules in is set and
83 # exists.
84 assert isset IPTABLES_TMPDIR
85 local rulesfile="${IPTABLES_TMPDIR}/${protocol}-${table}"
86
87 print "${args}" >> "${rulesfile}"
88 assert_check_retval $?
89 }
90
91 function iptables_chain_create() {
92 local protocol="${1}"
93 assert isset protocol
94 shift
95
96 local chain
97 local table="filter"
98 local policy="-"
99
100 while [ $# -gt 0 ]; do
101 case "${1}" in
102 -t)
103 table="${2}"
104 shift
105 ;;
106 --policy=*)
107 policy="$(cli_get_val ${1})"
108 ;;
109 -*)
110 log WARNING "Unrecognized argument: ${1}"
111 ;;
112 *)
113 chain=${1}
114 ;;
115 esac
116 shift
117 done
118
119 assert isset chain
120 assert isset table
121 assert isoneof policy ACCEPT DROP "-"
122
123 iptables "${protocol}" -t "${table}" ":${chain} ${policy} [0:0]"
124 }
125
126 # Calls the binary iptables command.
127 function _iptables() {
128 local protocol="${1}"
129 assert isset protocol
130 shift
131
132 local cmd
133 case "${protocol}" in
134 ipv6)
135 cmd="ip6tables"
136 ;;
137 ipv4)
138 cmd="iptables"
139 ;;
140 esac
141 assert isset cmd
142 cmd="$(which ${cmd})"
143
144 cmd "${cmd}" "$@"
145 return $?
146 }
147
148 function iptables_status() {
149 local protocol="${1}"
150 assert isset protocol
151
152 local table
153 for table in ${IPTABLES_TABLES}; do
154 print "${protocol} - ${table}:"
155 _iptables "${protocol}" -t "${table}" -L -n -v
156 print
157 done
158
159 return ${EXIT_OK}
160 }
161
162 function iptables_rulesfile() {
163 local proto=${1}
164 proto=${proto/ipv/}
165
166 local chain=${2}
167 [ -z "${chain}" ] && chain="ruleset"
168
169 print "${IPTABLES_TMPDIR}/${chain}${proto}"
170 }
171
172 function iptables_init() {
173 local protocol="${1}"
174 assert isset protocol
175
176 local policy="${2}"
177 assert isset policy
178
179 # Create filter table and initialize chains.
180 iptables "${protocol}" "* filter"
181 iptables_chain_create "${protocol}" -t filter INPUT --policy="${policy}"
182 iptables_chain_create "${protocol}" -t filter OUTPUT --policy="${policy}"
183 iptables_chain_create "${protocol}" -t filter FORWARD --policy="${policy}"
184
185 # Create mangle table and initialize chains.
186 iptables "${protocol}" -t mangle "* mangle"
187 iptables_chain_create "${protocol}" -t mangle PREROUTING --policy="ACCEPT"
188 iptables_chain_create "${protocol}" -t mangle INPUT --policy="ACCEPT"
189 iptables_chain_create "${protocol}" -t mangle OUTPUT --policy="ACCEPT"
190 iptables_chain_create "${protocol}" -t mangle FORWARD --policy="ACCEPT"
191 iptables_chain_create "${protocol}" -t mangle POSTROUTING --policy="ACCEPT"
192
193 # Create NAT table and initialize chains.
194 iptables "${protocol}" -t nat "* nat"
195 iptables_chain_create "${protocol}" -t nat PREROUTING --policy="ACCEPT"
196 iptables_chain_create "${protocol}" -t nat OUTPUT --policy="ACCEPT"
197 iptables_chain_create "${protocol}" -t nat POSTROUTING --policy="ACCEPT"
198 }
199
200 # Load the created ruleset into the kernel.
201 function iptables_commit () {
202 local protocol="${1}"
203 assert isset protocol
204 shift
205
206 local testmode="false"
207
208 while [ $# -gt 0 ]; do
209 case "${1}" in
210 --test)
211 testmode="true"
212 ;;
213 *)
214 log WARNING "Unrecognized argument: ${1}"
215 ;;
216 esac
217 shift
218 done
219
220 # Concat all rules into one big file.
221 local rulesfile="${IPTABLES_TMPDIR}/ruleset"
222 _iptables_commit_cat_rulesfile "${protocol}" "${rulesfile}"
223
224 # Run the following loop twice:
225 # 1st: Check if the ruleset can be loaded
226 # 2nd: If not in test mode, actually load the ruleset into the kernel
227 local load_cmd="--test"
228 local ret=0
229
230 local i
231 for i in 0 1; do
232 _iptables_commit_load_rulesfile "${protocol}" "${rulesfile}" "${load_cmd}"
233 ret=$?
234
235 case "${i},${ret}" in
236 0,${EXIT_OK})
237 iptables_dump "${protocol}" "${rulesfile}" --log-facility="DEBUG"
238 log DEBUG "Ruleset load check succeeded (${protocol})"
239 ;;
240
241 # Loading rules has failed (test)
242 0,*)
243 iptables_dump "${protocol}" "${rulesfile}" --log-facility="CRITICAL"
244 log CRITICAL "Ruleset load check failed (${protocol} - ${ret})"
245 return ${ret}
246 ;;
247
248 1,${EXIT_OK})
249 log DEBUG "Ruleset successfully loaded (${protocol})"
250 return ${EXIT_OK}
251 ;;
252
253 1,*)
254 log CRITICAL "Ruleset loading failed (${protocol})"
255 return ${ret}
256 ;;
257 esac
258
259 # Skip the second loop iteration, if we are running in test mode.
260 enabled testmode && break
261
262 load_cmd=""
263 done
264
265 return ${EXIT_OK}
266 }
267
268 function _iptables_commit_cat_rulesfile() {
269 local protocol="${1}"
270 assert isset protocol
271
272 local rulesfile="${2}"
273 assert isset rulesfile
274
275 local table
276 local file
277 for table in ${IPTABLES_TABLES}; do
278 file="${IPTABLES_TMPDIR}/${protocol}-${table}"
279
280 fread "${file}"
281
282 # Add the COMMIT statement for every table.
283 print "COMMIT"
284 done > "${rulesfile}"
285
286 assert [ -s "${rulesfile}" ]
287 }
288
289 function _iptables_commit_load_rulesfile() {
290 local protocol="${1}"
291 assert isset protocol
292
293 local rulesfile="${2}"
294 assert isset rulesfile
295 shift 2
296
297 local testmode="false"
298 while [ $# -gt 0 ]; do
299 case "${1}" in
300 --test)
301 testmode="true"
302 ;;
303 esac
304 shift
305 done
306
307 local iptables_cmd
308 case "${protocol}" in
309 ipv6)
310 iptables_cmd="ip6tables-restore"
311 ;;
312 ipv4)
313 iptables_cmd="iptables-restore"
314 ;;
315 esac
316 assert isset iptables_cmd
317
318 if enabled testmode; then
319 list_append iptables_cmd "--test"
320 fi
321
322 # Save when importing the rules has started.
323 local time_started="$(timestamp)"
324
325 cmd "${iptables_cmd}" < "${rulesfile}"
326 local ret=$?
327
328 case "${ret}" in
329 ${EXIT_OK})
330 local time_finished="$(timestamp)"
331 time_finished="$(( ${time_finished} - ${time_started} ))"
332
333 enabled testmode && return ${EXIT_OK}
334
335 log INFO "Successfully loaded new firewall ruleset for ${protocol} in ${time_finished}s!"
336 ;;
337 *)
338 if ! enabled testmode; then
339 log CRITICAL "Error loading firewall ruleset for ${protocol}!"
340 fi
341 ;;
342 esac
343
344 return ${ret}
345 }
346
347 function iptables_dump() {
348 local protocol="${1}"
349 assert isset protocol
350
351 local rulesfile="${2}"
352 assert isset rulesfile
353 shift 2
354
355 local log_facility="INFO"
356
357 while [ $# -gt 0 ]; do
358 case "${1}" in
359 --log-facility=*)
360 log_facility="$(cli_get_val ${1})"
361 ;;
362 *)
363 log WARNING "Unrecognized argument: ${1}"
364 ;;
365 esac
366 shift
367 done
368
369 # Say what we are going to do:
370 log "${log_facility}" "Firewall ruleset for ${protocol}:"
371
372 local counter="0"
373 local line
374 while read -r line; do
375 counter="$(( ${counter} + 1 ))"
376
377 printf -v line "%4d | %s" "${counter}" "${line}"
378 log "${log_facility}" "${line}"
379 done < "${rulesfile}"
380 }
381
382 function iptables_LOG() {
383 local prefix=${1}
384 local ret
385
386 case "${FIREWALL_LOG_METHOD}" in
387 nflog)
388 ret="NFLOG --nflog-threshold ${FIREWALL_NFLOG_THRESHOLD}"
389 isset prefix && ret="${ret} --nflog-prefix \"$prefix\""
390 ;;
391 syslog)
392 ret="LOG"
393 isset prefix && ret="${ret} --log-prefix \"$prefix\""
394 ;;
395 esac
396
397 print "${ret}"
398 }
399
400 function iptables_protocol() {
401 local PROTO
402 PROTO=$1
403 for proto in tcp udp esp ah; do
404 if [ "$PROTO" = "$proto" ]; then
405 echo "-p $PROTO"
406 break
407 fi
408 done
409 }
410
411 IPTABLES_PORT=0
412 IPTABLES_MULTIPORT=1
413 IPTABLES_PORTRANGE=2
414
415 function _iptables_port_range() {
416 grep -q ":" <<< $@
417 }
418
419 function _iptables_port_multiport() {
420 grep -q "," <<< $@
421 }
422
423 function _iptables_port() {
424 if _iptables_port_range "$@"; then
425 echo $IPTABLES_PORTRANGE
426 elif _iptables_port_multiport "$@"; then
427 echo $IPTABLES_MULTIPORT
428 else
429 echo $IPTABLES_PORT
430 fi
431 }
432
433 function iptables_source_port() {
434 [ -z "$@" ] && return
435 local type
436 type=$(_iptables_port $@)
437 if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
438 echo "-m multiport --source-ports $@"
439 else
440 echo "--sport $@"
441 fi
442 }
443
444 function iptables_destination_port() {
445 [ -z "$@" ] && return
446 local type
447 type=$(_iptables_port $@)
448 if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
449 echo "-m multiport --destination-ports $@"
450 else
451 echo "--dport $@"
452 fi
453 }
Stevee's network tree.