mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 02:07:23 +01:00
a1111b83bd
detected for rule with action Continue". Policy rules with action "Continue" should not shadow other rules and can not be shadowed.
472 lines
13 KiB
Bash
Executable File
472 lines
13 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This is automatically generated file. DO NOT MODIFY !
|
|
#
|
|
# Firewall Builder fwb_ipt v4.2.0.3498
|
|
#
|
|
# Generated Tue Mar 8 18:58:02 2011 PST by vadim
|
|
#
|
|
# files: * firewall70.fw iptables.sh
|
|
#
|
|
# Compiled for iptables (any version)
|
|
#
|
|
# this firewall translates outgoing connections using address of the particular interface (not external one). Also testing different cmbinations of objects in the policy rules on loopback interface. Finally, testing for a situation when dynamic interface "shades" a rule with old broadcast
|
|
|
|
# Also the name of the script on the firewall is different
|
|
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
|
|
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
|
|
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
|
|
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
|
|
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
|
|
|
|
|
|
FWBDEBUG=""
|
|
|
|
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
|
export PATH
|
|
|
|
|
|
|
|
LSMOD="/sbin/lsmod"
|
|
MODPROBE="/sbin/modprobe"
|
|
IPTABLES="/sbin/iptables"
|
|
IP6TABLES="/sbin/ip6tables"
|
|
IPTABLES_RESTORE="/sbin/iptables-restore"
|
|
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
|
|
IP="/sbin/ip"
|
|
IFCONFIG="/sbin/ifconfig"
|
|
VCONFIG="/sbin/vconfig"
|
|
BRCTL="/sbin/brctl"
|
|
IFENSLAVE="/sbin/ifenslave"
|
|
IPSET="/usr/sbin/ipset"
|
|
LOGGER="/usr/bin/logger"
|
|
|
|
log() {
|
|
echo "$1"
|
|
command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
|
|
}
|
|
|
|
getInterfaceVarName() {
|
|
echo $1 | sed 's/\./_/'
|
|
}
|
|
|
|
getaddr_internal() {
|
|
dev=$1
|
|
name=$2
|
|
af=$3
|
|
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
|
|
test -z "$L" && {
|
|
eval "$name=''"
|
|
return
|
|
}
|
|
eval "${name}_list=\"$L\""
|
|
}
|
|
|
|
getaddr() {
|
|
getaddr_internal $1 $2 "-4"
|
|
}
|
|
|
|
getaddr6() {
|
|
getaddr_internal $1 $2 "-6"
|
|
}
|
|
|
|
# function getinterfaces is used to process wildcard interfaces
|
|
getinterfaces() {
|
|
NAME=$1
|
|
$IP link show | grep ": $NAME" | while read L; do
|
|
OIFS=$IFS
|
|
IFS=" :"
|
|
set $L
|
|
IFS=$OIFS
|
|
echo $2
|
|
done
|
|
}
|
|
|
|
diff_intf() {
|
|
func=$1
|
|
list1=$2
|
|
list2=$3
|
|
cmd=$4
|
|
for intf in $list1
|
|
do
|
|
echo $list2 | grep -q $intf || {
|
|
# $vlan is absent in list 2
|
|
$func $intf $cmd
|
|
}
|
|
done
|
|
}
|
|
|
|
find_program() {
|
|
PGM=$1
|
|
command -v $PGM >/dev/null 2>&1 || {
|
|
echo "$PGM not found"
|
|
exit 1
|
|
}
|
|
}
|
|
check_tools() {
|
|
find_program $IPTABLES
|
|
find_program $MODPROBE
|
|
find_program $IP
|
|
}
|
|
reset_iptables_v4() {
|
|
$IPTABLES -P OUTPUT DROP
|
|
$IPTABLES -P INPUT DROP
|
|
$IPTABLES -P FORWARD DROP
|
|
|
|
cat /proc/net/ip_tables_names | while read table; do
|
|
$IPTABLES -t $table -L -n | while read c chain rest; do
|
|
if test "X$c" = "XChain" ; then
|
|
$IPTABLES -t $table -F $chain
|
|
fi
|
|
done
|
|
$IPTABLES -t $table -X
|
|
done
|
|
}
|
|
|
|
reset_iptables_v6() {
|
|
$IP6TABLES -P OUTPUT DROP
|
|
$IP6TABLES -P INPUT DROP
|
|
$IP6TABLES -P FORWARD DROP
|
|
|
|
cat /proc/net/ip6_tables_names | while read table; do
|
|
$IP6TABLES -t $table -L -n | while read c chain rest; do
|
|
if test "X$c" = "XChain" ; then
|
|
$IP6TABLES -t $table -F $chain
|
|
fi
|
|
done
|
|
$IP6TABLES -t $table -X
|
|
done
|
|
}
|
|
|
|
|
|
P2P_INTERFACE_WARNING=""
|
|
|
|
missing_address() {
|
|
address=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $address
|
|
addr=$1
|
|
interface=$2
|
|
IFS=$oldIFS
|
|
|
|
|
|
|
|
$IP addr show dev $interface | grep -q POINTOPOINT && {
|
|
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
|
|
P2P_INTERFACE_WARNING="yes"
|
|
return
|
|
}
|
|
|
|
test "$cmd" = "add" && {
|
|
echo "# Adding ip address: $interface $addr"
|
|
echo $addr | grep -q ':' && {
|
|
$FWBDEBUG $IP addr $cmd $addr dev $interface
|
|
} || {
|
|
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
|
|
}
|
|
}
|
|
|
|
test "$cmd" = "del" && {
|
|
echo "# Removing ip address: $interface $addr"
|
|
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
|
|
}
|
|
|
|
$FWBDEBUG $IP link set $interface up
|
|
}
|
|
|
|
list_addresses_by_scope() {
|
|
interface=$1
|
|
scope=$2
|
|
ignore_list=$3
|
|
$IP addr ls dev $interface | \
|
|
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
|
|
while read addr; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
}
|
|
|
|
|
|
update_addresses_of_interface() {
|
|
ignore_list=$2
|
|
set $1
|
|
interface=$1
|
|
shift
|
|
|
|
FWB_ADDRS=$(
|
|
for addr in $*; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
)
|
|
|
|
CURRENT_ADDRS_ALL_SCOPES=""
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
|
|
|
$IP link show dev $interface >/dev/null 2>&1 && {
|
|
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
|
|
} || {
|
|
echo "# Interface $interface does not exist"
|
|
# Stop the script if we are not in test mode
|
|
test -z "$FWBDEBUG" && exit 1
|
|
}
|
|
|
|
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
|
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
|
}
|
|
|
|
clear_addresses_except_known_interfaces() {
|
|
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
|
|
while read intf; do
|
|
echo "# Removing addresses not configured in fwbuilder from interface $intf"
|
|
$FWBDEBUG $IP addr flush dev $intf scope global
|
|
$FWBDEBUG $IP link set $intf down
|
|
done
|
|
}
|
|
|
|
check_file() {
|
|
test -r "$2" || {
|
|
echo "Can not find file $2 referenced by address table object $1"
|
|
exit 1
|
|
}
|
|
}
|
|
|
|
check_run_time_address_table_files() {
|
|
:
|
|
|
|
}
|
|
|
|
load_modules() {
|
|
:
|
|
OPTS=$1
|
|
MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
|
|
MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
|
|
echo $OPTS | grep -q nat && {
|
|
MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
|
|
}
|
|
echo $OPTS | grep -q ipv6 && {
|
|
MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
|
|
}
|
|
for module in $MODULES; do
|
|
if $LSMOD | grep ${module} >/dev/null; then continue; fi
|
|
$MODPROBE ${module} || exit 1
|
|
done
|
|
}
|
|
|
|
verify_interfaces() {
|
|
:
|
|
echo "Verifying interfaces: eth0 eth1 lo"
|
|
for i in eth0 eth1 lo ; do
|
|
$IP link show "$i" > /dev/null 2>&1 || {
|
|
log "Interface $i does not exist"
|
|
exit 1
|
|
}
|
|
done
|
|
}
|
|
|
|
prolog_commands() {
|
|
echo "Running prolog script"
|
|
|
|
}
|
|
|
|
epilog_commands() {
|
|
echo "Running epilog script"
|
|
|
|
}
|
|
|
|
run_epilog_and_exit() {
|
|
epilog_commands
|
|
exit $1
|
|
}
|
|
|
|
configure_interfaces() {
|
|
:
|
|
# Configure interfaces
|
|
update_addresses_of_interface "eth0 192.168.1.1/24" ""
|
|
update_addresses_of_interface "eth1 66.66.66.130/25" ""
|
|
update_addresses_of_interface "lo 127.0.0.1/8" ""
|
|
}
|
|
|
|
script_body() {
|
|
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
|
|
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
|
|
|
|
|
|
# ================ IPv4
|
|
|
|
|
|
# ================ Table 'filter', automatic rules
|
|
# accept established sessions
|
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# ================ Table 'filter', rule set very_long_ruleset_name_should_be_gt_30_chars
|
|
#
|
|
# Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
#
|
|
echo "Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)"
|
|
#
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
# firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)
|
|
|
|
$IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars
|
|
$IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars_0
|
|
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars -j very_long_ruleset_name_should_be_gt_30_chars_0
|
|
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
|
|
$IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j DROP
|
|
# ================ Table 'filter', rule set not_quite_long_ruleset_name
|
|
#
|
|
# Rule not_quite_long_ruleset_name 0 (global)
|
|
#
|
|
echo "Rule not_quite_long_ruleset_name 0 (global)"
|
|
#
|
|
# firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global)
|
|
|
|
$IPTABLES -N not_quite_long_ruleset_name
|
|
$IPTABLES -N Cid208737X59595.0
|
|
$IPTABLES -A not_quite_long_ruleset_name -s 22.22.22.0/24 -j Cid208737X59595.0
|
|
$IPTABLES -A not_quite_long_ruleset_name -s 33.33.33.0/24 -j Cid208737X59595.0
|
|
$IPTABLES -A Cid208737X59595.0 -d 66.66.66.130 -j RETURN
|
|
$IPTABLES -A Cid208737X59595.0 -d 192.168.1.1 -j RETURN
|
|
$IPTABLES -N not_quite_long_ruleset_name_0_3
|
|
$IPTABLES -A Cid208737X59595.0 -j not_quite_long_ruleset_name_0_3
|
|
$IPTABLES -A not_quite_long_ruleset_name_0_3 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
|
|
$IPTABLES -A not_quite_long_ruleset_name_0_3 -j DROP
|
|
}
|
|
|
|
ip_forward() {
|
|
:
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
}
|
|
|
|
reset_all() {
|
|
:
|
|
reset_iptables_v4
|
|
}
|
|
|
|
block_action() {
|
|
reset_all
|
|
}
|
|
|
|
stop_action() {
|
|
reset_all
|
|
$IPTABLES -P OUTPUT ACCEPT
|
|
$IPTABLES -P INPUT ACCEPT
|
|
$IPTABLES -P FORWARD ACCEPT
|
|
}
|
|
|
|
check_iptables() {
|
|
IP_TABLES="$1"
|
|
[ ! -e $IP_TABLES ] && return 151
|
|
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
|
|
[ -z "$NF_TABLES" ] && return 152
|
|
return 0
|
|
}
|
|
status_action() {
|
|
check_iptables "/proc/net/ip_tables_names"
|
|
ret_ipv4=$?
|
|
check_iptables "/proc/net/ip6_tables_names"
|
|
ret_ipv6=$?
|
|
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
|
|
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
|
|
echo "iptables modules are not loaded"
|
|
}
|
|
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
|
|
echo "Firewall is not configured"
|
|
}
|
|
exit 3
|
|
}
|
|
|
|
# See how we were called.
|
|
# For backwards compatibility missing argument is equivalent to 'start'
|
|
|
|
cmd=$1
|
|
test -z "$cmd" && {
|
|
cmd="start"
|
|
}
|
|
|
|
case "$cmd" in
|
|
start)
|
|
log "Activating firewall script generated Tue Mar 8 18:58:02 2011 by vadim"
|
|
check_tools
|
|
prolog_commands
|
|
check_run_time_address_table_files
|
|
|
|
load_modules " "
|
|
configure_interfaces
|
|
verify_interfaces
|
|
|
|
reset_all
|
|
|
|
script_body
|
|
ip_forward
|
|
epilog_commands
|
|
RETVAL=$?
|
|
;;
|
|
|
|
stop)
|
|
stop_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
status)
|
|
status_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
block)
|
|
block_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
reload)
|
|
$0 stop
|
|
$0 start
|
|
RETVAL=$?
|
|
;;
|
|
|
|
interfaces)
|
|
configure_interfaces
|
|
RETVAL=$?
|
|
;;
|
|
|
|
test_interfaces)
|
|
FWBDEBUG="echo"
|
|
configure_interfaces
|
|
RETVAL=$?
|
|
;;
|
|
|
|
|
|
|
|
*)
|
|
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
|
|
;;
|
|
|
|
esac
|
|
|
|
exit $RETVAL |