From: Michael Tremer Date: Sun, 19 Apr 2009 21:12:05 +0000 (+0200) Subject: Worked on firewallinterface. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dbfeda6cb7be212bbb4f1b25bd1cd27f789f49a2;p=ipfire-3.x.git Worked on firewallinterface. Added missing tables and added some new features. --- diff --git a/lfs/firewall b/lfs/firewall index 525777fd4..a7f101e46 100644 --- a/lfs/firewall +++ b/lfs/firewall @@ -72,9 +72,10 @@ $(objects): $(OBJECT): $(objects) @$(PREBUILD) - -mkdir -pv /usr/lib/firewall + -mkdir -pv /usr/{lib,share}/firewall for i in $(DIR_APP)/{functions,zones}*; do \ install -m 644 -v $$i /usr/lib/firewall; \ done + cp -avf $(DIR_APP)/macros /usr/share/firewall/ install -m 755 -v $(DIR_APP)/firewall /usr/bin @$(POSTBUILD) diff --git a/src/firewall/firewall b/src/firewall/firewall index 8d6c905ef..44d0937a6 100644 --- a/src/firewall/firewall +++ b/src/firewall/firewall @@ -93,13 +93,7 @@ while [ "$#" -gt 0 ]; do ;; reload) ;; - restart) - # XXX Do restart function here - _stop - _start - _exit $@ - ;; - start) + start|restart) _start _exit $@ ;; diff --git a/src/firewall/functions b/src/firewall/functions index 567973dc2..0d0bd6682 100644 --- a/src/firewall/functions +++ b/src/firewall/functions @@ -90,15 +90,24 @@ include functions.macros include functions.zones function _start() { + local zone + local policy + firewall_init zones_local_add - # Need to get all zones here + for zone in $(network zone list); do + zone=$(basename ${zone}) + policy=${zone%%[0-9]*} + zones_${policy}_add ${zone} + done iptables_commit touch /var/lock/subsys/firewall } function _stop() { + iptables_flush + iptables_commit rm -f /var/lock/subsys/firewall } diff --git a/src/firewall/functions.firewall b/src/firewall/functions.firewall index 90aae81ed..b98128bed 100644 --- a/src/firewall/functions.firewall +++ b/src/firewall/functions.firewall 
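Review bot: `cp -avf $(DIR_APP)/macros /usr/share/firewall/` installs the macro tables with whatever mode and ownership they happen to carry in the build tree, while every other file in this recipe goes through `install -m 644 -v`; the macros are read by the firewall at runtime to generate rules, so they deserve the same explicit, non-writable mode. Replace the `cp` line with `install -d -m 755 -v /usr/share/firewall/macros` and `install -m 644 -v $(DIR_APP)/macros/* /usr/share/firewall/macros`. The new `-mkdir -pv /usr/{lib,share}/firewall` relies on brace expansion, which presumably is fine because the existing `for i in $(DIR_APP)/{functions,zones}*` line already assumes a bash `SHELL`, but the leading `-` still hides a failing mkdir, and with `install -d` the share tree no longer needs it.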
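Review bot: In `_start`, `zones_${policy}_add ${zone}` is called for every name `network zone list` returns, and a zone whose stripped name has no matching function only produces a `command not found`; the loop then continues into `iptables_commit` and `touch /var/lock/subsys/firewall`, so an incomplete ruleset is loaded and the service reports itself as started. Guard the call before invoking it, e.g. `type -t zones_${policy}_add >/dev/null || error "No policy handler for zone ${zone}"` (`error` is the abort helper used elsewhere in this series; I am assuming it exits). `_stop` now runs `iptables_flush` and commits the result, and since `iptables_flush` in this commit sets INPUT/OUTPUT/FORWARD to ACCEPT, stopping the service leaves the host with no rules and accept-all policies; that may be the intended meaning of stop, but it should be stated, e.g. `# Stop removes all rules and sets ACCEPT policies: the host is unfiltered until the next start`. A one-line comment above the loop noting that the handler name is derived from the zone name with trailing digits stripped (`green0` -> `zones_green_add`) would also help the next reader.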
@@ -29,8 +29,7 @@ function firewall_init() { function firewall_tcp_state_flags() { vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..." chain_create BADTCP_LOG - iptables -A BADTCP_LOG -p tcp -j LOG --log-prefix \"Illegal TCP state: \" \ - --log-ip-options --log-tcp-options + iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ") iptables -A BADTCP_LOG -j DROP chain_create BADTCP diff --git a/src/firewall/functions.iptables b/src/firewall/functions.iptables index c6f1dafa1..4ede215bc 100644 --- a/src/firewall/functions.iptables +++ b/src/firewall/functions.iptables 
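Review bot: The new line depends on `iptables_LOG` reproducing the quoting that the removed line carried by hand: the prefix `Illegal TCP state: ` contains spaces, `$(iptables_LOG ...)` is unquoted and therefore word-split, and `iptables()` in this series only joins its arguments with spaces into the restore file, so unless `iptables_LOG` itself emits `--log-prefix \"Illegal TCP state: \"` with the escaped quotes, the prefix arrives at iptables-restore as three separate arguments. `iptables_LOG` is declared at the end of the functions.iptables hunk but its body is outside this diff, so I could not confirm it. A comment at the call site, `# iptables_LOG must emit the prefix quoted for iptables-restore`, would document the contract; `firewall_tcp_state_flags` continues past this hunk.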
@@ -22,33 +22,92 @@ IPTABLES_FILE=$TMPDIR/iptables function iptables() { - echo "$@" >> $IPTABLES_FILE + local arg + local args + local table + + table=filter + + # Parsing arguments + while [ $# -gt 0 ]; do + arg=${1} + shift + case "${arg}" in + -t) + table=${1} + shift + ;; + -A) + args="${args} -A $(uppercase ${1})" + shift + ;; + *) + args="${args} ${arg}" + ;; + esac + done + echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table} } function iptables_flush() { decho "Flushing iptables" - : # TODO + iptables "* filter" + chain_create INPUT ACCEPT + chain_create OUTPUT ACCEPT + chain_create FORWARD ACCEPT } function iptables_init() { - iptables_flush - iptables "* filter" - chain_create INPUT DROP - chain_create OUTPUT DROP - chain_create FORWARD DROP + chain_create -t filter INPUT DROP + chain_create -t filter OUTPUT DROP + chain_create -t filter FORWARD DROP + + iptables -t mangle "* mangle" + chain_create -t mangle PREROUTING ACCEPT + chain_create -t mangle INPUT ACCEPT + chain_create -t mangle OUTPUT ACCEPT + chain_create -t mangle FORWARD ACCEPT + chain_create -t mangle POSTROUTING ACCEPT + + iptables -t nat "* nat" + chain_create -t nat PREROUTING ACCEPT + chain_create -t nat OUTPUT ACCEPT + chain_create -t nat POSTROUTING ACCEPT } function iptables_commit() { + local chain + vecho "Committing firewall configuration." 
- iptables "COMMIT" + iptables -t filter "COMMIT" + iptables -t mangle "COMMIT" + iptables -t nat "COMMIT" + + for table in filter mangle nat; do + [ -e ${IPTABLES_FILE}-${table} ] || continue + cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE + done + decho "Dumping iptables output" - debug && cat $IPTABLES_FILE - #iptables-restore < $IPTABLES_FILE + if debug; then + counter=1 + cat $IPTABLES_FILE | while read LINE; do + printf "%4d | %s\n" "$counter" "$LINE" + counter=$(( $counter + 1 )) + done + fi + + iptables-restore $(debug && echo "-v") < $IPTABLES_FILE } function chain_create() { - iptables ":$1 ${2--} [0:0]" + local args + if [ "${1}" = "-t" ]; then + args="${1} ${2}" + shift 2 + fi + iptables ${args} ":$1 ${2--} [0:0]" } function iptables_LOG() { diff --git a/src/firewall/functions.macros b/src/firewall/functions.macros index ac37ce121..2abe81a12 100644 --- a/src/firewall/functions.macros +++ b/src/firewall/functions.macros 
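Review bot: `iptables_commit` appends `COMMIT` to all three per-table files before it checks which ones exist, but `iptables_flush` (which `_stop` now calls instead of `iptables_init`) only writes the `* filter` header, so on the stop path the mangle and nat files are created holding a bare `COMMIT` and are concatenated into the restore input without a `*mangle`/`*nat` line; I expect iptables-restore to reject that input. The exit status of `iptables-restore` is also never checked, and `_start` goes on to touch the lock file, so a rejected ruleset still reports as started. The function declares `local chain` but the variable it actually loops over is `table`, which leaks into the caller's scope. The rewrite below emits `COMMIT` only for tables that were opened and fails on a restore error; `error` is the abort helper used elsewhere in this series, assumed to exit.
```shell
function iptables_commit() {
	local table

	vecho "Committing firewall configuration."

	# Close and collect only the tables that were actually opened.
	for table in filter mangle nat; do
		[ -e ${IPTABLES_FILE}-${table} ] || continue
		iptables -t ${table} "COMMIT"
		cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
	done

	# … unchanged: debug dump of $IPTABLES_FILE …

	iptables-restore $(debug && echo "-v") < $IPTABLES_FILE || \
		error "iptables-restore rejected the generated ruleset"
}
```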
@@ -21,55 +21,55 @@ function macro() { local file - file="macros/$1" + local line + local rules + + file=$1 + if [ "${file:0:1}" != "/" ]; then + file="/usr/share/firewall/macros/$file" + fi + shift if _config_is_sqlite $file; then - macro_sqlite $file + rules=$(macro_parse $@ < $file) else - macro_text $file + rules=$(sqlite -noheader -column $file | macro_parse $@) fi -} -function macro_text() { - macro_parse < $1 -} - -function macro_sqlite() { - sqlite3 -noheader -column $1 | macro_parse + while read line <<< ${rules}; do + iptables ${line} + done } -# Just a scatch of concept... Need a lot to do here function macro_parse() { local STRING - grep -v "^#" | while read TARGET SOURCE DESTINATION PROTOCOL SOURCE_PORT DESTINATION_PORT RATE; do + grep -v "^#" | while read ACTION SOURCE DESTINATION PROTOCOL LOCAL_PORT REMOTE_PORT RATE; do STRING="" + + # Handle inlcudes + if [ "$ACTION" = "INCLUDE" ]; then + marco $SOURCE $@ + fi + # Protocol STRING="$STRING $(iptables_protocol $PROTOCOL)" # Ports - STRING="$STRING $(iptables_source_port $SOURCE_PORT)" - STRING="$STRING $(iptables_destination_port $DESTINATION_PORT)" + if [ -n "$PORT_SWITCH" ]; then + # Switch ports for upload rule + STRING="$STRING $(iptables_source_port $REMOTE_PORT)" + STRING="$STRING $(iptables_destination_port $LOCAL_PORT)" + else + STRING="$STRING $(iptables_source_port $LOCAL_PORT)" + STRING="$STRING $(iptables_destination_port $REMOTE_PORT)" + fi - if [ "$TARGET" = "ACCEPT" ]; then + if [ "$ACTION" = "ACCEPT" ]; then STRING="$STRING -j ACCEPT" - elif [ "$TARGET" = "DROP" ]; then + elif [ "$ACTION" = "DROP" ]; then STRING="$STRING -j DROP" - # elif ... - fi - [ -n "$STRING" ] && echo $STRING - done -} - -function macro_add() { - local file - local line - - file=$1 - shift - - macro $file | while read line; do - iptables $line $@ + [ -n "$STRING" ] && echo "$STRING $@" done } diff --git a/src/firewall/functions.zones b/src/firewall/functions.zones index c2d4752e0..5528b491d 100644 
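Review bot: The loop `while read line <<< ${rules}; do` in `macro` never terminates: the here-string is attached to `read` on every iteration, so each pass re-reads the same first line of `${rules}` and `read` keeps succeeding (and because the expansion is unquoted, the captured newlines have already collapsed to spaces, so that first line is the whole output). The redirection belongs on `done`, with `"${rules}"` quoted. Two more problems in the same hunk: the sqlite test is inverted relative to the old code (a file for which `_config_is_sqlite` is true is now read as plain text and vice versa, and the old code invoked `sqlite3` rather than `sqlite`, so check which binary the target ships), and the INCLUDE branch in `macro_parse` calls `marco`, which does not exist, and then falls through into the protocol/port/target handling instead of `continue`, so an INCLUDE line may also be emitted as a rule with an empty protocol. The comment `# Handle inlcudes` should read `# Handle includes`.
```shell
	if _config_is_sqlite $file; then
		rules=$(sqlite -noheader -column $file | macro_parse $@)
	else
		rules=$(macro_parse $@ < $file)
	fi

	while read line; do
		[ -n "${line}" ] && iptables ${line}
	done <<< "${rules}"
}

function macro_parse() {
	# … unchanged: local STRING, grep/read header, STRING="" …
		# Handle includes: pull in the named macro, then skip this line.
		if [ "$ACTION" = "INCLUDE" ]; then
			macro $SOURCE $@
			continue
		fi
	# … unchanged: protocol, port and target handling …
```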
--- a/src/firewall/functions.zones +++ b/src/firewall/functions.zones @@ -21,9 +21,8 @@ include zones.blue include zones.green -include zones.local include zones.orange -include zones.management +include zones.red function zones_global_add() { local device @@ -31,10 +30,11 @@ function zones_global_add() { device=$1 - decho "Adding zone \"$device\"" - zones_exists $device || error "Zone $device does not exist." + vecho "Adding zone \"$device\"" name=$(uppercase "ZONE_$device") + + ### FILTER chain_create $name iptables -A INPUT -i $device -j $name iptables -A FORWARD -i $device -j $name 
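Review bot: The `zones_exists $device || error ...` guard is dropped and nothing replaces it, so `zones_global_add` now builds `-i $device`/`-o $device` rule lines for whatever name it is given; with `_start` in this series deriving names from `network zone list` that may be acceptable, but the function no longer fails early on a bad name, and since iptables accepts `-i` for an interface that does not exist, the mistake would only show up as a zone whose chains never match traffic. Either keep a check at the top, `ip link show $device >/dev/null 2>&1 || error "Zone $device does not exist."`, or state the precondition in a comment: `# $device must be an existing zone device; callers obtain it from 'network zone list'`. `zones_global_add` continues in the next hunk.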
@@ -45,24 +45,59 @@ function zones_global_add() { chain_create ${name}_CUSTOM iptables -A $name -j ${name}_CUSTOM - # Policy rules - chain_create ${name}_POLICY - iptables -A $name -j ${name}_POLICY - # Intrusion Preventions System chain_create ${name}_IPS iptables -A $name -i $device -j ${name}_IPS - # Portforwaring + # Portforwarding chain_create ${name}_PORTFW iptables -A $name -i $device -j ${name}_PORTFW - + # Outgoing firewall chain_create ${name}_OUTFW iptables -A $name -o $device -j ${name}_OUTFW + + # Policy rules + chain_create ${name}_POLICY + iptables -A $name -j ${name}_POLICY + + ### MANGLE + chain_create -t mangle $name + iptables -t mangle -A PREROUTING -i $device -j $name + iptables -t mangle -A POSTROUTING -o $device -j $name + + # Quality of Service + chain_create -t mangle ${name}_QOS_INC + iptables -t mangle -A $name -i $device -j ${name}_QOS_INC + chain_create -t mangle ${name}_QOS_OUT + iptables -t mangle -A $name -o $device -j ${name}_QOS_OUT + + ### NAT + chain_create -t nat ${name} + iptables -t nat -A PREROUTING -i $device -j ${name} + iptables -t nat -A POSTROUTING -o $device -j ${name} + + # Network Address Translation + chain_create -t nat ${name}_NAT + iptables -t nat -A $name -i $device -j ${name}_NAT + + # Portforwarding + chain_create -t nat ${name}_PORTFW + iptables -t nat -A $name -i $device -j ${name}_PORTFW + + # UPNP + chain_create -t nat ${name}_UPNP + iptables -t nat -A $name -j ${name}_UPNP } -function zones_exists() { - decho "Checking if zone $1 exists." - cmd_quiet ip link show $1 + +### LOCAL ZONE +function zones_local_add() { + + decho "Adding zone \"local\"" + + # Accept everything on lo + iptables -A INPUT -i lo -j ACCEPT + iptables -A OUTPUT -o lo -j ACCEPT + } diff --git a/src/firewall/macros/DHCP b/src/firewall/macros/DHCP index 914f90a08..41d8a8797 100644 --- a/src/firewall/macros/DHCP +++ b/src/firewall/macros/DHCP 
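Review bot: `iptables -t nat -A $name -j ${name}_UPNP` is the only jump in the new NAT section without an `-i $device`/`-o $device` selector, so `${name}_UPNP` sees both the PREROUTING (`-i`) and POSTROUTING (`-o`) traffic that reaches `$name`, unlike the sibling `_NAT` and `_PORTFW` chains, which are limited to `-i $device`. If both directions are intended, say so in the comment, e.g. `# UPNP (both directions: reached from PREROUTING and POSTROUTING)`; if not, add `-i $device` as `_PORTFW` does. `zones_global_add` starts in an earlier hunk.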
@@ -1,5 +1,5 @@ # IPFire Macro # This macro handles the dynamic host configuration protocol. -# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE +# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE CUSTOM - - tcp 68 67 CUSTOM - - udp 68 67 diff --git a/src/firewall/macros/HTTP b/src/firewall/macros/HTTP index 9ea69edd7..bce11f930 100644 --- a/src/firewall/macros/HTTP +++ b/src/firewall/macros/HTTP @@ -1,4 +1,4 @@ # IPFire Macro # This macro handles plaintext HTTP (WWW) traffic. -# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE -CUSTOM - - tcp 80 +# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE +CUSTOM - - tcp - 80 diff --git a/src/firewall/macros/HTTPS b/src/firewall/macros/HTTPS new file mode 100644 index 000000000..65b2e9eed --- /dev/null +++ b/src/firewall/macros/HTTPS @@ -0,0 +1,4 @@ +# IPFire Macro +# This macro handles secure HTTP (WWW) traffic. +# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE +CUSTOM - - tcp - 443 diff --git a/src/firewall/macros/WWW b/src/firewall/macros/WWW new file mode 100644 index 000000000..ca72d0f33 --- /dev/null +++ b/src/firewall/macros/WWW @@ -0,0 +1,5 @@ +# IPFire Macro +# This macro handles WWW traffic. +# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE +INCLUDE HTTP +INCLUDE HTTPS diff --git a/src/firewall/zones.blue b/src/firewall/zones.blue index 012786cd9..2f515477b 100644 --- a/src/firewall/zones.blue +++ b/src/firewall/zones.blue @@ -35,7 +35,7 @@ function zones_policy_blue() { name=$(uppercase "$device") # Accept dhcp traffic - macro_add DHCP -A ${name}_POLICY -i ${device} -j ACCEPT + macro DHCP -A ZONE_${name}_POLICY -i ${device} -j ACCEPT # Mac filter : # TODO diff --git a/src/firewall/zones.green b/src/firewall/zones.green index a3877279e..5566587b5 100644 --- a/src/firewall/zones.green +++ b/src/firewall/zones.green 
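Review bot: The new WWW macro's column header still reads `# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE`, while the DHCP and HTTP headers in this same commit (and the new HTTPS file) are changed to `LOCAL_PORT REMOTE_PORT`, which is the naming `macro_parse` now reads the columns into; it should be `# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE`. Since this file consists only of `INCLUDE HTTP` and `INCLUDE HTTPS`, it is usable only once the INCLUDE path in `macro_parse` works, so the two should land together.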
@@ -33,6 +33,6 @@ function zones_policy_green() { device=$1 # Accept any traffic from green - iptables -A ${device}_POLICY -i $device -j ACCEPT - + iptables -A ZONE_${device}_POLICY -i $device -j ACCEPT + iptables -A ZONE_${device}_POLICY -o $device -j ACCEPT } diff --git a/src/firewall/zones.management b/src/firewall/zones.management deleted file mode 100644 index 303138da4..000000000 --- a/src/firewall/zones.management +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2009 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -function zones_management_init() { - - chain_create MANAGEMENT - # Add rules for management hosts/subnets here - -} - -function zones_management_insert() { - - iptables "-A $1 -j MANAGEMENT" - -} diff --git a/src/firewall/zones.local b/src/firewall/zones.red similarity index 90% rename from src/firewall/zones.local rename to src/firewall/zones.red index 82c2e56c9..1b3e4c384 100644 --- a/src/firewall/zones.local +++ b/src/firewall/zones.red 
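Review bot: The comment `# Accept any traffic from green` now sits above two rules, and the added `-o $device -j ACCEPT` line accepts traffic towards green as well, so the comment understates what the policy does; change it to `# Accept any traffic from and to green`. Whether the `-o` rule is ever reached depends on `ZONE_${device}_POLICY` being jumped to on an `-o $device` path in `zones_global_add`, which this diff does not show, so confirm the rule is reachable rather than dead.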
@@ -19,12 +19,3 @@ # # ############################################################################### -function zones_local_add() { - - decho "Adding zone \"local\"" - - # Accept everything on lo - iptables -A INPUT -i lo -j ACCEPT - iptables -A OUTPUT -o lo -j ACCEPT - -} diff --git a/src/rootfiles/core/firewall b/src/rootfiles/core/firewall index e50d2918b..2c0aff41e 100644 --- a/src/rootfiles/core/firewall +++ b/src/rootfiles/core/firewall @@ -10,6 +10,11 @@ usr/lib/firewall/functions.macros usr/lib/firewall/functions.zones usr/lib/firewall/zones.blue usr/lib/firewall/zones.green -usr/lib/firewall/zones.local -usr/lib/firewall/zones.management usr/lib/firewall/zones.orange +usr/lib/firewall/zones.red +usr/share/firewall +usr/share/firewall/macros +usr/share/firewall/macros/DHCP +usr/share/firewall/macros/HTTP +usr/share/firewall/macros/HTTPS +usr/share/firewall/macros/WWW