From: Michael Tremer Date: Sun, 8 Feb 2009 18:14:41 +0000 (+0100) Subject: Initial commit of new firewall code. X-Git-Tag: v3.0-alpha1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8838c71a21eb88486e20bd3b55cb08f4c491face;p=ipfire-3.x.git Initial commit of new firewall code. --- diff --git a/lfs/firewall b/lfs/firewall new file mode 100644 index 000000000..525777fd4 --- /dev/null +++ b/lfs/firewall 
@@ -0,0 +1,80 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +PKG_NAME = firewall +PKG_VER = +PKG_REL = 0 + +THISAPP = $(PKG_NAME) +DIR_APP = $(DIR_SOURCE)/$(PKG_NAME) + +OBJECT = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP) + +MAINTAINER = Michael Tremer +GROUP = Networking/Firewall +EXTRA = no +DEBUG = no +DEPS = + +URL = http://www.ipfire.org/ +LICENSE = GPL3+ +SHORT_DESC = The IPFire Firewall Engine. + +define LONG_DESC + This script installs IPFire's firewall. 
+endef + +############################################################################### +# Top-level Rules +############################################################################### + +objects = + +download: $(objects) + +info: + $(DO_PKG_INFO) + +install: $(OBJECT) + +package: + @$(DO_PACKAGE) + +$(objects): + @$(LOAD) + +############################################################################### +# Installation Details +############################################################################### + +$(OBJECT): $(objects) + @$(PREBUILD) + -mkdir -pv /usr/lib/firewall + for i in $(DIR_APP)/{functions,zones}*; do \ + install -m 644 -v $$i /usr/lib/firewall; \ + done + install -m 755 -v $(DIR_APP)/firewall /usr/bin + @$(POSTBUILD) diff --git a/make.sh b/make.sh index a69803e49..8e46be82f 100755 --- a/make.sh +++ b/make.sh @@ -324,6 +324,7 @@ ipfire_build() { #ipfire_make wireless ipfire_make pyfire + ipfire_make firewall } ################################################################################ diff --git a/src/firewall/firewall b/src/firewall/firewall new file mode 100644 index 000000000..6b00c6bc2 --- /dev/null +++ b/src/firewall/firewall 
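Review bot: The install recipe's `for i in $(DIR_APP)/{functions,zones}*` relies on bash brace expansion, which make's default `/bin/sh` does not perform; unless Config sets `SHELL` to bash (not visible here), the loop looks for a literal `{functions,zones}*` and installs nothing from the library directory. Two plain globs avoid the dependency: `for i in $(DIR_APP)/functions* $(DIR_APP)/zones*; do \`. `PKG_VER` is also left empty, which will presumably surface wherever name and version are composed for the package; if "no version yet" is intended, a comment saying so would help.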
@@ -0,0 +1,104 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# This is the script, that is runned by the user to contol the firewall # +# We only do some actions here and call the functions from the libs. # +# # +# Actions (as known at the moment): # +# - start/stop/restart/reload # +# - show # +# - running? # +# - serveral config # +# - calc (cidr|subnets|...) # +# - ... # +# # +############################################################################### + +LIBDIR=/usr/lib/firewall + +function include() { + local file=$1 + local path + for path in $LIBDIR .; do + if [ -f "$path/$file" ]; then + . $path/$file + return # found + fi + done + echo "Couldn't include $file. File was not found!" 
>&2 + _exit 1 +} + +function usage() { + echo "Usage: $0 [global options] command [command options]" + echo + _exit ${1-1} +} + +include functions + +while [ "$#" -gt 0 ]; do + case "$1" in + --verbose|-v) + verbose 1 + vecho "${BOLD}Verbose mode is enabled.${NORMAL}" + ;; + calc) + shift + case "$1" in + mask2cidr) + mask_to_cidr $2 + _exit $? + ;; + *) + usage + ;; + esac + ;; + config) + config_load $2 + _exit $? + ;; + help|-h|--help) + usage 0 + ;; + notify) + ;; + reload) + ;; + restart) + ;; + start) + _start + _exit $? + ;; + stop) + ;; + *) + usage + ;; + esac + shift +done + +error "No command was given." +usage diff --git a/src/firewall/functions b/src/firewall/functions new file mode 100644 index 000000000..a7d17cfe1 --- /dev/null +++ b/src/firewall/functions 
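Review bot: `include()` falls back to sourcing `$file` from the current working directory whenever it is absent from `$LIBDIR`; since this script is meant to run as root, a missing or misnamed library file means whatever file of that name sits in the caller's cwd is executed with root privileges. I would drop `.` from the search path (`for path in $LIBDIR; do`) or gate it behind an explicit development override. Separately, the not-found branch and `usage()` call `_exit`, but `_exit` is only defined in functions.commands, which is pulled in by `include functions` — so if that first include fails, `_exit 1` is "command not found" and the script continues into the command loop instead of stopping; a plain `exit 1` in `include()` closes that gap.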
@@ -0,0 +1,77 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +VERBOSE= +TMPDIR=$(mktemp -d) + +BOLD="\\033[1;39m" +NORMAL="\\033[0;39m" +ERROR="\\033[1;31m" + +function verbose() { + if [ -n "$1" ]; then + VERBOSE=$1 + return + else + if [ "$VERBOSE" = "1" ]; then + return 0 + else + return 1 + fi + fi +} + +function vecho() { + verbose && echo -e "$@" +} + +function error() { + echo -e "${ERROR}ERROR${NORMAL}: $@" >&2 + _exit 1 +} + +function ifs() { + if [ -n "$1" ]; then + IFS_SAVE=$IFS + echo $1 + else + echo $IFS_SAVE + fi +} + +function uppercase() { + tr [a-z] [A-Z] <<< "$@" +} + +include functions.commands +include functions.config +include functions.firewall +include functions.ip +include functions.iptables +include functions.macros +include functions.zones + +function _start() { + firewall_init + zones_init + zones_add green0 + iptables_commit +} diff --git a/src/firewall/functions.commands b/src/firewall/functions.commands new file mode 100644 index 000000000..d46a536bc --- /dev/null +++ b/src/firewall/functions.commands 
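Review bot: `ifs()` cannot save IFS the way it is used: every caller invokes it as `IFS=$(ifs .)`, so the `IFS_SAVE=$IFS` assignment happens in a command-substitution subshell and is lost, and the later `IFS=$(ifs)` echoes an unset `IFS_SAVE`, leaving IFS empty in the caller. That breaks word splitting for anything that runs `ip_valid` (called directly, not inside `$(...)`) afterwards; a `local oldifs=$IFS; IFS=.; …; IFS=$oldifs` in the callers is the reliable form. `uppercase()` passes unquoted `[a-z]`/`[A-Z]` to `tr`, which the shell treats as globs and replaces with any single-letter file names in the cwd; `tr '[:lower:]' '[:upper:]' <<< "$*"` is safe. `TMPDIR=$(mktemp -d)` is unchecked, and reusing the name `TMPDIR` also changes where child `mktemp` calls create their files; something like `TMPDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }` under a non-conflicting name would be more robust.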
@@ -0,0 +1,29 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +function cmd_quiet() { + $@ &>/dev/null +} + +function _exit() { + rm -rf $TMPDIR + exit $@ +} diff --git a/src/firewall/functions.config b/src/firewall/functions.config new file mode 100644 index 000000000..8abda0490 --- /dev/null +++ b/src/firewall/functions.config 
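Review bot: `_exit()` runs `rm -rf $TMPDIR` unquoted and unguarded; if `TMPDIR` is empty or unset — `mktemp -d` failed, or `_exit` is reached before functions has set it — this becomes `rm -rf` with no operand, and a value containing spaces would be split into several operands. Guard it: `[ -n "$TMPDIR" ] && rm -rf "$TMPDIR"`. `cmd_quiet` should run `"$@" &>/dev/null` so the command's arguments are not re-split and globbed, and `exit $@` only ever uses one argument, so `exit "$1"` states the intent more clearly.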
@@ -0,0 +1,70 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +CONFIG_NONE=0 +CONFIG_TEXT=1 +CONFIG_SQLITE=2 + +function config_type() { + if _config_is_sqlite $1; then + echo $CONFIG_SQLITE + else + echo $CONFIG_TEXT + fi +} + +function config_load() { + local file + local type + file=$1 + + if ! [ -f "$file" ]; then + error "Cannot load config file $file. File does not exist!" + exit 1 + fi + + vecho "Loading config file: $file" + + type=$(config_type $file) + if [ "$type" = "$CONFIG_SQLITE" ]; then + eval $(_config_load_sqlite $file) + else + eval $(_config_load_text $file) + fi +} + +function _config_is_sqlite() { + file $1 2>/dev/null | grep -q "SQLite 3.x database" +} + +function _config_dump_sqlite() { + sqlite3 -noheader -column $1 "SELECT * FROM config;" +} + +function _config_load_sqlite() { + _config_dump_sqlite $1 | while read KEY VALUE; do + echo "$KEY=$VALUE" + done +} + +function _config_load_text() { + readhash $1 +} diff --git a/src/firewall/functions.firewall b/src/firewall/functions.firewall new file mode 100644 index 000000000..92bae2836 --- /dev/null 
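Review bot: `config_load` hands the config contents to `eval` unquoted, and `_config_load_sqlite` builds those lines as `"$KEY=$VALUE"` straight from the database, so any value containing shell metacharacters (a space, `;`, `$(…)`) is executed rather than assigned, and a row whose KEY is not an identifier produces a shell error. The file path comes from the command line (`config $2`), so at minimum restrict KEY to `[A-Za-z_][A-Za-z0-9_]*` and emit `printf '%s=%q\n' "$KEY" "$VALUE"` so values are assigned verbatim. `_config_load_text` calls `readhash`, which no file in this commit defines, so the text path fails with "command not found" unless it is provided elsewhere. The `exit 1` after `error "Cannot load config file …"` is also unreachable, since `error()` already calls `_exit 1`.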
+++ b/src/firewall/functions.firewall 
@@ -0,0 +1,59 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +function firewall_init() { + iptables_init + firewall_tcp_state_flags + firewall_connection_tracking +} + +function firewall_tcp_state_flags() { + vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..." 
+ chain_create BADTCP_LOG + iptables -A BADTCP_LOG -p tcp -j LOG --log-prefix \"Illegal TCP state: \" \ + --log-ip-options --log-tcp-options + iptables -A BADTCP_LOG -j DROP + + chain_create BADTCP + iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG + iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG + + iptables -A INPUT -p tcp -j BADTCP + iptables -A OUTPUT -p tcp -j BADTCP + iptables -A FORWARD -p tcp -j BADTCP +} + +function firewall_connection_tracking() { + vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..." + chain_create CONNTRACK + iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT + iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ") + iptables -A CONNTRACK -m state --state INVALID -j DROP + + iptables -A INPUT -p tcp -j CONNTRACK + iptables -A OUTPUT -p tcp -j CONNTRACK + iptables -A FORWARD -p tcp -j CONNTRACK +} diff --git a/src/firewall/functions.ip b/src/firewall/functions.ip new file mode 100644 index 000000000..78a29ac3f --- /dev/null +++ b/src/firewall/functions.ip 
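Review bot: The CONNTRACK chain is only reached for TCP (`iptables -A INPUT -p tcp -j CONNTRACK` and the OUTPUT/FORWARD lines), yet `ESTABLISHED,RELATED` and `INVALID` apply to UDP and ICMP flows as well; with the INPUT/OUTPUT/FORWARD policies set to DROP in `iptables_init`, reply traffic for those protocols is never accepted by state. Dropping `-p tcp` from the three CONNTRACK jumps (`iptables -A INPUT -j CONNTRACK`, etc.) fixes that, while the BADTCP jumps are correctly TCP-only. The BADTCP_LOG rule hard-codes `-j LOG --log-prefix …` whereas CONNTRACK goes through `$(iptables_LOG …)`, so `LOG_FACILITY=ulogd2` would be honored in one chain and not the other; routing both through `iptables_LOG` (moving `--log-ip-options --log-tcp-options` into its LOG branch, since they are invalid for NFLOG) keeps them consistent. Neither log rule is rate-limited, so a flood of bad packets becomes a flood of log lines; a `-m limit` match in front of them is the usual mitigation.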
@@ -0,0 +1,231 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# General IP address manipulation functions +# ip_encode - Encodes an IP to an integer +# Parameters: ip address (e.g. 192.168.0.1) +# Returns : integer +# ip_decode - Decodes an integer to an IP +# Parameters: integer +# Returns : ip address +# ip_valid - Checks if given IP is valid +# Parameters: IP +# Returns : boolean +# +# General subnet functions +# ip_range - Enumerates members of an IP range +# Parameters: ip range (e.g. 192.168.0.1-192.168.0.128) +# Returns : several subnets/IPs +# ip_range_explicit - Enumerates ALL IP addresses of an IP range +# Parameters: ip range +# Returns : several IPs +# subnet_network - Calculates the network address of a CIDR +# Parameters: CIDR network (e.g. 
192.168.0.0/24) +# Returns : Network address +# subnet_broadcast - Calculates the broadcast address of a CIDR +# Parameters: CIDR network +# Returns : Broadcast address +# ip_in_subnet - Checks if an IP is in given subnet +# Parameters: IP address, subnet +# Returns : Boolean +# mask_to_cidr - Converts a subnet mask to cidr type +# Parameters: subnet (e.g. 255.255.255.0) +# Returns : CIDR (e.g. 24) +# + +function ip_encode() { + IFS=$(ifs .) + + local int=0 + for field in $1; do + int=$(( $(( $int << 8 )) | $field )) + done + + echo $int + IFS=$(ifs) +} + +function ip_decode() { + addr=$1 + + local x + local y + + y=$(($addr & 255)) + for x in 1 2 3; do + addr=$(($addr >> 8)) + y=$(($addr & 255)).$y + done + + echo $y +} + +function ip_range() { + local first + local last + local l + local x + local y + local z + local vlsm + + case "$1" in + !*) + echo $1 + return + ;; + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(ip_encode ${1%-*}) + last=$(ip_encode ${1#*-}) + + if [ $first -gt $last ]; then + error "Invalid IP address range: $1" + fi + + l=$(( $last + 1 )) + + while [ $l -gt $first ]; do + vlsm= + x=31 + y=2 + z=1 + + while [ $(( $first % $y )) -eq 0 ] && [ $l -gt $(( $first + $y )) ]; do + vlsm=/$x + x=$(( $x - 1 )) + z=$y + y=$(( $y * 2 )) + done + + echo $(ip_decode $first)$vlsm + first=$(($first + $z)) + done +} + +function ip_range_explicit() { + local first + local last + + case $1 in + [0-9]*.*.*.*-*.*.*.*) + ;; + *) + echo $1 + return + ;; + esac + + first=$(ip_encode ${1%-*}) + last=$(ip_encode ${1#*-}) + + if [ $first -gt $last ]; then + error "Invalid IP address range: $1" + fi + + while ! 
[ $first -gt $last ]; do + echo $(ip_decode $first) + first=$(($first + 1)) + done +} + +function _netmask() { + local vlsm + vlsm=${1#*/} + [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) +} + +function subnet_network() { + local encodedaddr + encodedaddr=$(ip_encode ${1%/*}) + local netmask + netmask=$(_netmask $1) + + echo $(ip_decode $(($encodedaddr & $netmask))) +} + +function _broadcast() { + local x + x=$(( 32 - ${1#*/} )) + [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 << $x )) - 1 )) +} + +function subnet_broadcast() { + local encodedaddr + encodedaddr=$(ip_encode ${1%/*}) + local netmask + netmask=$(_netmask $1) + local broadcast + broadcast=$(_broadcast $1) + + echo $(ip_decode $(( $(($encodedaddr & $netmask)) | $broadcast ))) +} + +function ip_in_subnet() { + local netmask + netmask=$(_netmask $2) + [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] +} + +function mask_to_cidr() { + local mask + mask=$(ip_encode $1) + local cidr + cidr=0 + local x + x=$(( 128 << 24 )) # 0x80000000 + + while [ $(( $x & $mask )) -ne 0 ]; do + [ $mask -eq $x ] && mask=0 || mask=$(( $mask << 1 )) + cidr=$(($cidr + 1)) + done + + if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff + echo "Invalid net mask: $1" >&2 + else + echo $cidr + fi +} + +function ip_valid() { + local x + IFS=$(ifs .) + for x in $1; do + case $x in + [0-9]|[0-9][0-9]|[1-2][0-9][0-9]) + [ $x -lt 256 ] || { IFS=$(ifs); return 1; } + ;; + *) + IFS=$(ifs) + return 1 + ;; + esac + done + IFS=$(ifs) + return 0 +} diff --git a/src/firewall/functions.iptables b/src/firewall/functions.iptables new file mode 100644 index 000000000..a362888ca --- /dev/null +++ b/src/firewall/functions.iptables 
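Review bot: `ip_encode` and `mask_to_cidr` feed their argument into `$(( … ))` without validating it, and `calc mask2cidr` passes `$2` from the command line straight to them; bash arithmetic treats a non-numeric token as a variable name (and evaluates any array subscript it contains), so a malformed address yields a silently wrong integer or an arithmetic error instead of a clean rejection. `ip_valid` exists for exactly this — call it first, e.g. `ip_valid "$1" || error "Invalid IP address: $1"` at the top of `ip_encode`. `ip_decode` assigns `addr=$1` without `local`, so it clobbers any caller variable of that name. The IFS save/restore in `ip_encode` and `ip_valid` goes through `$(ifs …)` command substitutions, which run in subshells, so the saved IFS never reaches the caller; a `local oldifs=$IFS` in each function is the reliable form.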
@@ -0,0 +1,120 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +IPTABLES_FILE=$TMPDIR/iptables + +function iptables() { + echo "$@" >> $IPTABLES_FILE +} + +function iptables_flush() { + : # TODO +} + +function iptables_init() { + iptables_flush + + iptables "* filter" + chain_create INPUT DROP + chain_create OUTPUT DROP + chain_create FORWARD DROP +} + +function iptables_commit() { + vecho "Committing firewall configuration." 
+ iptables "COMMIT" + verbose && cat $IPTABLES_FILE + #iptables-restore < $IPTABLES_FILE +} + +function chain_create() { + iptables ":$1 ${2--} [0:0]" +} + +function iptables_LOG() { + local prefix + prefix=$1 + + if [ "$LOG_FACILITY" = "ulogd2" ]; then + echo -n "NFLOG" + [ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\"" + echo -n " --nflog-threshold 30" + else + echo -n "LOG" + [ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\"" + fi + echo +} + +function iptables_protocol() { + local PROTO + PROTO=$1 + for proto in tcp udp esp ah; do + if [ "$PROTO" = "$proto" ]; then + echo "-p $PROTO" + break + fi + done +} + +IPTABLES_PORT=0 +IPTABLES_MULTIPORT=1 +IPTABLES_PORTRANGE=2 + +function _iptables_port_range() { + grep -q ":" <<< $@ +} + +function _iptables_port_multiport() { + grep -q "," <<< $@ +} + +function _iptables_port() { + if _iptables_port_range "$@"; then + echo $IPTABLES_PORTRANGE + elif _iptables_port_multiport "$@"; then + echo $IPTABLES_MULTIPORT + else + echo $IPTABLES_PORT + fi +} + +function iptables_source_port() { + [ -z "$@" ] && return + local type + type=$(_iptables_port $@) + if [ "$type" = "$IPTABLES_MULTIPORT" ]; then + echo "-m multiport --source-ports $@" + else + echo "--sport $@" + fi +} + +function iptables_destination_port() { + [ -z "$@" ] && return + local type + type=$(_iptables_port $@) + if [ "$type" = "$IPTABLES_MULTIPORT" ]; then + echo "-m multiport --destination-ports $@" + else + echo "--dport $@" + fi +} diff --git a/src/firewall/functions.macros b/src/firewall/functions.macros new file mode 100644 index 000000000..2b0f6e143 --- /dev/null +++ b/src/firewall/functions.macros 
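Review bot: `iptables_source_port` and `iptables_destination_port` test `[ -z "$@" ]`, which expands to one word per argument; with two or more arguments `[` sees extra operands and reports a syntax error rather than performing the empty check, so `[ -z "$*" ]` is what is meant. `iptables_commit` leaves `iptables-restore < $IPTABLES_FILE` commented out and `_exit` then deletes the temp file, so `start` currently generates a ruleset that is never applied; if that is deliberate scaffolding, a `# TODO: apply via iptables-restore` comment would save the next reader a search. The table line is written as `iptables "* filter"`; the form iptables-save emits is `*filter`, and I would not rely on the restore parser tolerating the space. `iptables_protocol` also leaves its loop variable `proto` global.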
@@ -0,0 +1,65 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +function macro() { + local file + file=$1 + + vecho "Parsing macro: $file" + + if _config_is_sqlite $file; then + macro_sqlite $file + else + macro_text $file + fi +} + +function macro_text() { + macro_parse < $1 +} + +function macro_sqlite() { + sqlite3 -noheader -column $1 | macro_parse +} + +# Just a scatch of concept... Need a lot to do here +function macro_parse() { + local STRING + grep -v "^#" | while read TARGET SOURCE DESTINATION PROTOCOL SOURCE_PORT DESTINATION_PORT RATE; do + STRING="" + # Protocol + STRING="$STRING $(iptables_protocol $PROTOCOL)" + # Ports + STRING="$STRING $(iptables_source_port $SOURCE_PORT)" + STRING="$STRING $(iptables_destination_port $DESTINATION_PORT)" + + if [ "$TARGET" = "ACCEPT" ]; then + STRING="$STRING -j ACCEPT" + + elif [ "$TARGET" = "DROP" ]; then + STRING="$STRING -j DROP" + + # elif ... + + fi + [ -n "$STRING" ] && echo $STRING + done +} diff --git a/src/firewall/functions.zones b/src/firewall/functions.zones new file mode 100644 index 000000000..8f2e3ee12 --- /dev/null 
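Review bot: `macro_sqlite` runs `sqlite3 -noheader -column $1` with no SQL statement, so sqlite3 reads statements from the script's stdin instead of dumping the macro table; compare `_config_dump_sqlite`, which passes an explicit query — the same is needed here, e.g. `sqlite3 -noheader -column $1 "SELECT * FROM <TABLE>;" | macro_parse` with the real table name in place of the placeholder. `macro_parse` passes `-` placeholders through unchanged, so a `-` in SRC_PORT becomes `--sport -`, and SOURCE/DESTINATION are read but never used, which leaves a reader unable to tell which columns are implemented. Only `ACCEPT`/`DROP` targets get a `-j`; any other target (the HTTP macro uses `CUSTOM`) still emits the match fragment without a jump, which the "scatch of concept" comment admits but the output does not signal — emitting nothing, or an error, for unknown targets would be safer.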
+++ b/src/firewall/functions.zones @@ -0,0 +1,48 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +include zones.local + +function zones_init() { + + zones_local_init + +} + +function zones_add() { + local device + local name + + device=$1 + zones_exists $device || error "Zone $device does not exist." + + name=$(uppercase "ZONE_$device") + chain_create $name + iptables -A FORWARD -i $device -j $name + iptables -A FORWARD -o $device -j $name + + chain_create ${name}_CUSTOM + iptables -A $name -j ${name}_CUSTOM +} + +function zones_exists() { + cmd_quiet ip link show $1 +} diff --git a/src/firewall/macros/HTTP b/src/firewall/macros/HTTP new file mode 100644 index 000000000..9ea69edd7 --- /dev/null +++ b/src/firewall/macros/HTTP @@ -0,0 +1,4 @@ +# IPFire Macro +# This macro handles plaintext HTTP (WWW) traffic. +# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE +CUSTOM - - tcp 80 diff --git a/src/firewall/zones.local b/src/firewall/zones.local new file mode 100644 index 000000000..eb7a3ef40 --- /dev/null +++ b/src/firewall/zones.local 
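Review bot: `zones_exists` checks for a kernel network interface (`ip link show $1`), not for a configured zone, so the name and the error text `Zone $device does not exist.` overstate what was verified; renaming it to something like `device_exists`, or a comment saying zones are currently identified by interface, avoids confusion once zones are configured separately. The zone chain is hooked into FORWARD only, and `_start` calls `zones_add green0` with a hard-coded device; a `# TODO` marking both as placeholders would help.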
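Review bot: The header row declares the column order `… PROTO SRC_PORT DST_PORT RATE`, but the rule line `CUSTOM - - tcp 80` puts 80 in SRC_PORT, which `macro_parse` turns into `--sport 80`; for plaintext HTTP the service port is the destination, so the line should presumably read `CUSTOM - - tcp - 80` (assuming `-` is the placeholder convention the parser is meant to skip, which it does not do yet).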
@@ -0,0 +1,28 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +function zones_local_init() { + + # Accept everything on lo + iptables -A INPUT -i lo -j ACCEPT + iptables -A OUTPUT -o lo -j ACCEPT + +} diff --git a/src/rootfiles/core/firewall b/src/rootfiles/core/firewall new file mode 100644 index 000000000..5b4588943 --- /dev/null +++ b/src/rootfiles/core/firewall @@ -0,0 +1,11 @@ +usr/bin/firewall +usr/lib/firewall +usr/lib/firewall/functions +usr/lib/firewall/functions.commands +usr/lib/firewall/functions.config +usr/lib/firewall/functions.firewall +usr/lib/firewall/functions.ip +usr/lib/firewall/functions.iptables +usr/lib/firewall/functions.macros +usr/lib/firewall/functions.zones +usr/lib/firewall/zones.local diff --git a/src/rootfiles/core/iptables b/src/rootfiles/core/iptables index b3258e776..72423ca1f 100644 --- a/src/rootfiles/core/iptables +++ b/src/rootfiles/core/iptables 
@@ -92,14 +92,14 @@ lib/xtables/libxt_time.so
 lib/xtables/libxt_tos.so
 lib/xtables/libxt_u32.so
 lib/xtables/libxt_udp.so
-#sbin/ip6tables
+sbin/ip6tables
 #sbin/ip6tables-multi
-#sbin/ip6tables-restore
-#sbin/ip6tables-save
+sbin/ip6tables-restore
+sbin/ip6tables-save
 sbin/iptables
 #sbin/iptables-multi
-#sbin/iptables-restore
-#sbin/iptables-save
+sbin/iptables-restore
+sbin/iptables-save
 #usr/include/ip6tables.h
 #usr/include/iptables.h
 #usr/include/libipq.h