Added missing tables and added some new features.
$(OBJECT): $(objects)
@$(PREBUILD)
- -mkdir -pv /usr/lib/firewall
+ -mkdir -pv /usr/{lib,share}/firewall
for i in $(DIR_APP)/{functions,zones}*; do \
install -m 644 -v $$i /usr/lib/firewall; \
done
+ cp -avf $(DIR_APP)/macros /usr/share/firewall/
install -m 755 -v $(DIR_APP)/firewall /usr/bin
@$(POSTBUILD)
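Review bot: `cp -avf $(DIR_APP)/macros /usr/share/firewall/` installs the macro files with whatever mode and ownership they carry in the source tree, while the loop just above uses `install -m 644 -v` for the zone scripts; the macros are parsed into iptables rules on every start, so they should be installed root-owned and not group- or world-writable. Use the same pattern: `mkdir -pv /usr/share/firewall/macros` followed by `for i in $(DIR_APP)/macros/*; do install -m 644 -v $$i /usr/share/firewall/macros; done`. The `-` prefix on the `mkdir` line also hides real failures; `mkdir -p` already succeeds when the directory exists, so the prefix is not needed.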
;;
reload)
;;
- restart)
- # XXX Do restart function here
- _stop
- _start
- _exit $@
- ;;
- start)
+ start|restart)
_start
_exit $@
;;
include functions.zones
function _start() {
+ local zone
+ local policy
+
firewall_init
zones_local_add
- # Need to get all zones here
+ for zone in $(network zone list); do
+ zone=$(basename ${zone})
+ policy=${zone%%[0-9]*}
+ zones_${policy}_add ${zone}
+ done
iptables_commit
touch /var/lock/subsys/firewall
}
function _stop() {
+ iptables_flush
+ iptables_commit
rm -f /var/lock/subsys/firewall
}
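Review bot: `zones_${policy}_add ${zone}` in the new `_start` loop is called for whatever `network zone list` returns with trailing digits stripped, so an unexpected zone name turns into a shell "command not found" that nothing catches before `touch /var/lock/subsys/firewall` marks the service as up. A guard in front of the call makes the failure explicit: `type -t zones_${policy}_add >/dev/null || error "Unknown zone type: ${policy}"`. The loop also assumes `network zone list` prints paths (hence the `basename`); I cannot see that tool from here, so worth a one-line comment stating the expected output format. `_stop` now loads whatever `iptables_flush` produces, so its security semantics depend entirely on the policies that function sets.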
function firewall_tcp_state_flags() {
vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."
chain_create BADTCP_LOG
- iptables -A BADTCP_LOG -p tcp -j LOG --log-prefix \"Illegal TCP state: \" \
- --log-ip-options --log-tcp-options
+ iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
iptables -A BADTCP_LOG -j DROP
chain_create BADTCP
IPTABLES_FILE=$TMPDIR/iptables
function iptables() {
- echo "$@" >> $IPTABLES_FILE
+ local arg
+ local args
+ local table
+
+ table=filter
+
+ # Parsing arguments
+ while [ $# -gt 0 ]; do
+ arg=${1}
+ shift
+ case "${arg}" in
+ -t)
+ table=${1}
+ shift
+ ;;
+ -A)
+ args="${args} -A $(uppercase ${1})"
+ shift
+ ;;
+ *)
+ args="${args} ${arg}"
+ ;;
+ esac
+ done
+ echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table}
}
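Review bot: The chain name is upper-cased only on the `-A` branch of the new argument parser; `-I`, `-D`, `-j` targets and the `:NAME` lines emitted by `chain_create` pass through untouched, so a mixed-case name would be created in one spelling and appended to in another and `iptables-restore` would reject the whole file. Either normalise the name everywhere it appears or drop the `uppercase` call here and keep names upper-case at the call sites, as `zones_global_add` already does. `${args:1:${#args}}` only strips the leading space; `${args# }` says that directly. Arguments are also flattened into one unquoted line, so any value containing spaces (a `--log-prefix`, for instance) must arrive already quoted for `iptables-restore` to parse it.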
function iptables_flush() {
decho "Flushing iptables"
- : # TODO
+ iptables "* filter"
+ chain_create INPUT ACCEPT
+ chain_create OUTPUT ACCEPT
+ chain_create FORWARD ACCEPT
}
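Review bot: `iptables_flush` sets the INPUT, OUTPUT and FORWARD policies to ACCEPT and is what `_stop` now loads, so stopping the service fails open: every packet is accepted until the next `start`. For a firewall that is usually the wrong default; a safer flush keeps `INPUT DROP` and `FORWARD DROP` (mirroring `iptables_init`) and leaves fully opening the box to an explicit, separately documented action. It also writes only the `*filter` header, so any later step that emits a `COMMIT` for the mangle or nat table produces a restore file with a `COMMIT` and no table header. If fail-open on stop is deliberate, say so above the three `chain_create` lines: `# NOTE: stop fails open - all policies ACCEPT`.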
function iptables_init() {
- iptables_flush
-
iptables "* filter"
- chain_create INPUT DROP
- chain_create OUTPUT DROP
- chain_create FORWARD DROP
+ chain_create -t filter INPUT DROP
+ chain_create -t filter OUTPUT DROP
+ chain_create -t filter FORWARD DROP
+
+ iptables -t mangle "* mangle"
+ chain_create -t mangle PREROUTING ACCEPT
+ chain_create -t mangle INPUT ACCEPT
+ chain_create -t mangle OUTPUT ACCEPT
+ chain_create -t mangle FORWARD ACCEPT
+ chain_create -t mangle POSTROUTING ACCEPT
+
+ iptables -t nat "* nat"
+ chain_create -t nat PREROUTING ACCEPT
+ chain_create -t nat OUTPUT ACCEPT
+ chain_create -t nat POSTROUTING ACCEPT
}
function iptables_commit() {
+ local chain
+
vecho "Committing firewall configuration."
- iptables "COMMIT"
+ iptables -t filter "COMMIT"
+ iptables -t mangle "COMMIT"
+ iptables -t nat "COMMIT"
+
+ for table in filter mangle nat; do
+ [ -e ${IPTABLES_FILE}-${table} ] || continue
+ cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
+ done
+
decho "Dumping iptables output"
- debug && cat $IPTABLES_FILE
- #iptables-restore < $IPTABLES_FILE
+ if debug; then
+ counter=1
+ cat $IPTABLES_FILE | while read LINE; do
+ printf "%4d | %s\n" "$counter" "$LINE"
+ counter=$(( $counter + 1 ))
+ done
+ fi
+
+ iptables-restore $(debug && echo "-v") < $IPTABLES_FILE
}
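Review bot: The new commit writes `COMMIT` unconditionally into the mangle and nat files, but `iptables_flush` (used by `_stop`) only ever creates the filter file, so on stop the combined restore file contains a bare `COMMIT` with no `*mangle`/`*nat` header in front of it and `iptables-restore` rejects the whole ruleset. Emit the `COMMIT` only for tables that exist by moving `iptables -t ${table} COMMIT` into the `for` loop after the `[ -e ... ] || continue` test. The exit status of `iptables-restore` is then discarded, so callers continue (and create the lock file) even when the ruleset was refused; `iptables-restore ... < $IPTABLES_FILE || error "Could not load firewall rules"` closes that gap. The files are only ever appended to with `>>`, so if `$TMPDIR` survives between runs stale rules are replayed — I cannot see where `TMPDIR` is created. `table` and `counter` are used without `local` (the declared `local chain` is unused) and `read` should be `read -r`.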
function chain_create() {
- iptables ":$1 ${2--} [0:0]"
+ local args
+ if [ "${1}" = "-t" ]; then
+ args="${1} ${2}"
+ shift 2
+ fi
+ iptables ${args} ":$1 ${2--} [0:0]"
}
function iptables_LOG() {
function macro() {
local file
- file="macros/$1"
+ local line
+ local rules
+
+ file=$1
+ if [ "${file:0:1}" != "/" ]; then
+ file="/usr/share/firewall/macros/$file"
+ fi
+ shift
if _config_is_sqlite $file; then
- macro_sqlite $file
+ rules=$(macro_parse $@ < $file)
else
- macro_text $file
+ rules=$(sqlite -noheader -column $file | macro_parse $@)
fi
-}
-function macro_text() {
- macro_parse < $1
-}
-
-function macro_sqlite() {
- sqlite3 -noheader -column $1 | macro_parse
+ while read line <<< ${rules}; do
+ iptables ${line}
+ done
}
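Review bot: The `_config_is_sqlite` branch is inverted relative to the code it replaces: a file detected as sqlite is now redirected into `macro_parse` as text and a plain-text macro is handed to `sqlite`, so none of the shipped text macros (`DHCP`, `HTTP`, ...) can load. The `while read line <<< ${rules}` loop re-evaluates the here-string on every iteration, so it reads the first rule forever instead of walking the list; the here-string belongs on `done`. The binary also changed from `sqlite3` to `sqlite` in this hunk, which looks accidental, and in both versions it is invoked without a query, so I cannot tell what it is expected to print. Suggested tail of the function:

```shell
	if _config_is_sqlite $file; then
		rules=$(sqlite3 -noheader -column $file | macro_parse $@)
	else
		rules=$(macro_parse $@ < $file)
	fi
	while read -r line; do
		[ -n "${line}" ] && iptables ${line}
	done <<< "${rules}"
```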
-# Just a scatch of concept... Need a lot to do here
function macro_parse() {
local STRING
- grep -v "^#" | while read TARGET SOURCE DESTINATION PROTOCOL SOURCE_PORT DESTINATION_PORT RATE; do
+ grep -v "^#" | while read ACTION SOURCE DESTINATION PROTOCOL LOCAL_PORT REMOTE_PORT RATE; do
STRING=""
+
+ # Handle inlcudes
+ if [ "$ACTION" = "INCLUDE" ]; then
+ marco $SOURCE $@
+ fi
+
# Protocol
STRING="$STRING $(iptables_protocol $PROTOCOL)"
# Ports
- STRING="$STRING $(iptables_source_port $SOURCE_PORT)"
- STRING="$STRING $(iptables_destination_port $DESTINATION_PORT)"
+ if [ -n "$PORT_SWITCH" ]; then
+ # Switch ports for upload rule
+ STRING="$STRING $(iptables_source_port $REMOTE_PORT)"
+ STRING="$STRING $(iptables_destination_port $LOCAL_PORT)"
+ else
+ STRING="$STRING $(iptables_source_port $LOCAL_PORT)"
+ STRING="$STRING $(iptables_destination_port $REMOTE_PORT)"
+ fi
- if [ "$TARGET" = "ACCEPT" ]; then
+ if [ "$ACTION" = "ACCEPT" ]; then
STRING="$STRING -j ACCEPT"
- elif [ "$TARGET" = "DROP" ]; then
+ elif [ "$ACTION" = "DROP" ]; then
STRING="$STRING -j DROP"
- # elif ...
-
fi
- [ -n "$STRING" ] && echo $STRING
- done
-}
-
-function macro_add() {
- local file
- local line
-
- file=$1
- shift
-
- macro $file | while read line; do
- iptables $line $@
+ [ -n "$STRING" ] && echo "$STRING $@"
done
}
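Review bot: The new INCLUDE handling calls `marco $SOURCE $@`, a typo for `macro`, so the `WWW` macro added in this commit (`INCLUDE HTTP` / `INCLUDE HTTPS`) fails with "command not found" instead of pulling in the two macros. After the include the loop also falls through and appears to emit a rule built from the INCLUDE line itself (protocol and ports `-`), so the branch needs a `continue`: `macro $SOURCE $@; continue`. `PORT_SWITCH` is read as a global that nothing in this diff sets; if it is meant to be an environment toggle, document it at the top of the function. `read` without `-r` mangles backslashes in macro lines; `read -r` is safer.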
include zones.blue
include zones.green
-include zones.local
include zones.orange
-include zones.management
+include zones.red
function zones_global_add() {
local device
device=$1
- decho "Adding zone \"$device\""
- zones_exists $device || error "Zone $device does not exist."
+ vecho "Adding zone \"$device\""
name=$(uppercase "ZONE_$device")
+
+ ### FILTER
chain_create $name
iptables -A INPUT -i $device -j $name
iptables -A FORWARD -i $device -j $name
chain_create ${name}_CUSTOM
iptables -A $name -j ${name}_CUSTOM
- # Policy rules
- chain_create ${name}_POLICY
- iptables -A $name -j ${name}_POLICY
-
# Intrusion Preventions System
chain_create ${name}_IPS
iptables -A $name -i $device -j ${name}_IPS
- # Portforwaring
+ # Portforwarding
chain_create ${name}_PORTFW
iptables -A $name -i $device -j ${name}_PORTFW
-
+
# Outgoing firewall
chain_create ${name}_OUTFW
iptables -A $name -o $device -j ${name}_OUTFW
+
+ # Policy rules
+ chain_create ${name}_POLICY
+ iptables -A $name -j ${name}_POLICY
+
+ ### MANGLE
+ chain_create -t mangle $name
+ iptables -t mangle -A PREROUTING -i $device -j $name
+ iptables -t mangle -A POSTROUTING -o $device -j $name
+
+ # Quality of Service
+ chain_create -t mangle ${name}_QOS_INC
+ iptables -t mangle -A $name -i $device -j ${name}_QOS_INC
+ chain_create -t mangle ${name}_QOS_OUT
+ iptables -t mangle -A $name -o $device -j ${name}_QOS_OUT
+
+ ### NAT
+ chain_create -t nat ${name}
+ iptables -t nat -A PREROUTING -i $device -j ${name}
+ iptables -t nat -A POSTROUTING -o $device -j ${name}
+
+ # Network Address Translation
+ chain_create -t nat ${name}_NAT
+ iptables -t nat -A $name -i $device -j ${name}_NAT
+
+ # Portforwarding
+ chain_create -t nat ${name}_PORTFW
+ iptables -t nat -A $name -i $device -j ${name}_PORTFW
+
+ # UPNP
+ chain_create -t nat ${name}_UPNP
+ iptables -t nat -A $name -j ${name}_UPNP
}
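Review bot: In the filter table the zone chain is only entered from `INPUT` and `FORWARD` with `-i $device`, yet `${name}_OUTFW` is attached with `-o $device`, so the outgoing-firewall chain can only see packets that both arrive and leave on the same interface — in practice never — and the same applies to any `-o $device` rule a zone script puts into `${name}_POLICY`. Add the egress entry points next to the existing ones: `iptables -A OUTPUT -o $device -j $name` and `iptables -A FORWARD -o $device -j $name` (the mangle and nat sections already hook both `PREROUTING -i` and `POSTROUTING -o`). The change also removes the `zones_exists` interface check without a replacement, so a mistyped zone name now silently produces rules for a non-existent interface; at least a `vecho` warning is worth keeping. `name` should be declared `local`.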
-function zones_exists() {
- decho "Checking if zone $1 exists."
- cmd_quiet ip link show $1
+
+### LOCAL ZONE
+function zones_local_add() {
+
+ decho "Adding zone \"local\""
+
+ # Accept everything on lo
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+
}
# IPFire Macro
# This macro handles the dynamic host configuration protocol.
-# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
+# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
CUSTOM - - tcp 68 67
CUSTOM - - udp 68 67
# IPFire Macro
# This macro handles plaintext HTTP (WWW) traffic.
-# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
-CUSTOM - - tcp 80
+# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
+CUSTOM - - tcp - 80
--- /dev/null
+# IPFire Macro
+# This macro handles secure HTTP (WWW) traffic.
+# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
+CUSTOM - - tcp - 443
--- /dev/null
+# IPFire Macro
+# This macro handles WWW traffic.
+# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
+INCLUDE HTTP
+INCLUDE HTTPS
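Review bot: The column header of the new WWW macro still reads `SRC_PORT DST_PORT` while the sibling macros were renamed to `LOCAL_PORT REMOTE_PORT` in this same commit; change it to `# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE` so the three files document the same format. This file consists only of INCLUDE lines and therefore depends entirely on the INCLUDE path in `macro_parse` working.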
name=$(uppercase "$device")
# Accept dhcp traffic
- macro_add DHCP -A ${name}_POLICY -i ${device} -j ACCEPT
+ macro DHCP -A ZONE_${name}_POLICY -i ${device} -j ACCEPT
# Mac filter
: # TODO
device=$1
# Accept any traffic from green
- iptables -A ${device}_POLICY -i $device -j ACCEPT
-
+ iptables -A ZONE_${device}_POLICY -i $device -j ACCEPT
+ iptables -A ZONE_${device}_POLICY -o $device -j ACCEPT
}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function zones_management_init() {
-
- chain_create MANAGEMENT
- # Add rules for management hosts/subnets here
-
-}
-
-function zones_management_insert() {
-
- iptables "-A $1 -j MANAGEMENT"
-
-}
# #
###############################################################################
-function zones_local_add() {
-
- decho "Adding zone \"local\""
-
- # Accept everything on lo
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
-
-}
usr/lib/firewall/functions.zones
usr/lib/firewall/zones.blue
usr/lib/firewall/zones.green
-usr/lib/firewall/zones.local
-usr/lib/firewall/zones.management
usr/lib/firewall/zones.orange
+usr/lib/firewall/zones.red
+usr/share/firewall
+usr/share/firewall/macros
+usr/share/firewall/macros/DHCP
+usr/share/firewall/macros/HTTP
+usr/share/firewall/macros/HTTPS
+usr/share/firewall/macros/WWW