Firewall

Kód scriptu

#!/bin/sh
 
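# Directory holding global.conf, input.conf, output.conf and forward.conf.
# Every field of these files ends up on an iptables command line executed as
# root, so the directory and its files must only be writable by root.
readonly CONF_DIR="/etc/firewall"

# Absolute path to the iptables binary (no PATH lookup for a root-run tool).
readonly IPTBL="/sbin/iptables"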
 
do_start()
{
        # Creating chains
        $IPTBL -N in-fw
        $IPTBL -N out-fw
        $IPTBL -N fw-fw
 
        # State firewall
        cat $CONF_DIR/global.conf | grep "^Established:" | \
        awk -v IPTBL=$IPTBL '{
                if ( $2 == "yes" )
                        system(IPTBL" -A in-fw -m state --state ESTABLISHED -j ACCEPT")
                if ( $3 == "yes" )
                        system(IPTBL" -A out-fw -m state --state ESTABLISHED -j ACCEPT")
                if ( $4 == "yes" )
                        system(IPTBL" -A fw-fw -m state --state ESTABLISHED -j ACCEPT")
                }'
        cat $CONF_DIR/global.conf | grep "^Related:" | \
        awk -v IPTBL=$IPTBL '{
                if ( $2 == "yes" )
                        system(IPTBL" -A in-fw -m state --state RELATED -j ACCEPT")
                if ( $3 == "yes" )
                        system(IPTBL" -A out-fw -m state --state RELATED -j ACCEPT")
                if ( $4 == "yes" )
                        system(IPTBL" -A fw-fw -m state --state RELATED -j ACCEPT")
        }'
 
        # Syn-flood protection
        #$IPTBL -A in-fw -p tcp --syn -m limit --limit 10/s -j ACCEPT
        #$IPTBL -A fw-fw -p tcp --syn -m limit --limit 100/s -j ACCEPT
 
        # Port scan protection
        #$IPTBL -A in-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
        #$IPTBL -A fw-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
        #$IPTBL -A in-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
        #$IPTBL -A fw-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
 
        # Ping of death
        #$IPTBL -A in-fw -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
        #$IPTBL -A fw-fw -p icmp --icmp-type echo-request -m limit --limit 100/s -j ACCEPT
 
        # Local interface
        $IPTBL -A in-fw -s 127.0.0.0/8 -i lo -j ACCEPT
 
        # INPUT
        cat $CONF_DIR/input.conf | egrep -v "(^#|^$)" |\
        awk -v IPTBL=$IPTBL '{
                if ($3 == "icmp"){
                        if ($5 == "*")
                                system(IPTBL" -A in-fw -s "$1" -d "$2" -p "$3" -i "$6" -j "$7)
                        else
                                system(IPTBL" -A in-fw -s "$1" -d "$2" -p "$3" --icmp-type "$5" -i "$6" -j "$7)
                }
                else {
                        if ($4 != "*")
                                sport = "--sport " $4
                        else
                                sport =""
                        if ($5 != "*")
                                dport = "--dport " $5
                        else
                                dport =""
                        system(IPTBL" -A in-fw -s "$1" -d "$2" -p "$3" "sport" "dport" -i "$6" -j "$7)
                }
        }'
 
 
        # OUTPUT
        cat $CONF_DIR/output.conf | egrep -v "(^#|^$)" |\
        awk -v IPTBL=$IPTBL '{
                if ($3 == "icmp"){
                        if ($5 == "*")
                                system(IPTBL" -A out-fw -s "$1" -d "$2" -p "$3" -o "$6" -j "$7)
                        else
                                system(IPTBL" -A out-fw -s "$1" -d "$2" -p "$3" --icmp-type "$5" -o "$6" -j "$7)
                }
                else {
                        if ($4 != "*")
                                sport = "--sport " $4
                        else
                                sport =""
                        if ($5 != "*")
                                dport = "--dport " $5
                        else
                                dport =""
                        system(IPTBL" -A out-fw -s "$1" -d "$2" -p "$3" "sport" "dport" -o "$6" -j "$7)
                }
        }'
 
        # FORWARD
        cat $CONF_DIR/forward.conf | egrep -v "(^#|^$)" |\
        awk -v IPTBL=$IPTBL '{
                if ($3 == "icmp"){
                        if ($5 == "*")
                                system(IPTBL" -A fw-fw -s "$1" -d "$2" -p "$3" -i "$6" -o "$7" -j "$8)
                        else
                                system(IPTBL" -A fw-fw -s "$1" -d "$2" -p "$3" --icmp-type "$5" -i "$6" -o "$7 -j $8)
                }
                else {
                        if ($4 != "*")
                                sport = "--sport " $4
                        else
                                sport =""
                        if ($5 != "*")
                                dport = "--dport " $5
                        else
                                dport =""
                        system(IPTBL" -A fw-fw -s "$1" -d "$2" -p "$3" "sport" "dport" -i "$6" -o "$7" -j "$8)
                }
        }'
 
        # Logging
        cat $CONF_DIR/global.conf | grep "^Logging:" | \
        awk -v IPTBL=$IPTBL -v CONF_DIR=$CONF_DIR '{
                if ($2 != "off")
                        system(IPTBL" -A in-fw -m limit -j LOG --log-level "$4)
                if ($3 != "off")
                        system(IPTBL" -A out-fw -m limit -j LOG --log-level "$4)
                if ($4 != "off")
                        system(IPTBL" -A fw-fw -m limit -j LOG --log-level "$4)
        }'
 
        # Inserting rules
        $IPTBL -I INPUT -j in-fw
        $IPTBL -I OUTPUT -j out-fw
        $IPTBL -I FORWARD -j fw-fw
 
        # Changing policy
        cat $CONF_DIR/global.conf | grep "^Policy:" | \
                awk -v IPTBL=$IPTBL '{ system(IPTBL" -P INPUT "$2); \
                        system(IPTBL" -P OUTPUT "$3); system(IPTBL" -P FORWARD "$4) }'
 
 
}
 
#######################################
# Tears the firewall down: unhooks the custom chains from INPUT/OUTPUT/FORWARD,
# flushes and deletes them, then resets the builtin policies to ACCEPT.
# Errors from the -D/-F/-X steps are silenced so a stop on an already
# stopped firewall is harmless. Note that after this call all traffic is
# accepted - "stop" opens the host, it does not fail closed.
# Globals:   IPTBL (read)
#######################################
do_stop()
{
        $IPTBL -D INPUT -j in-fw 2>/dev/null
        $IPTBL -D OUTPUT -j out-fw 2>/dev/null
        $IPTBL -D FORWARD -j fw-fw 2>/dev/null
        for chain in in-fw out-fw fw-fw; do
                $IPTBL -F "$chain" 2>/dev/null
        done
        for chain in in-fw out-fw fw-fw; do
                $IPTBL -X "$chain" 2>/dev/null
        done
        for builtin_chain in INPUT OUTPUT FORWARD; do
                $IPTBL -P "$builtin_chain" ACCEPT
        done
}
 
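# Init-style dispatch on the first argument. printf replaces "echo -n", whose
# behaviour is unspecified for a POSIX /bin/sh. During "restart" the builtin
# policies sit at ACCEPT (set by do_stop) until do_start's final Policy step.
case "$1" in
start)
        printf '%s' "Starting Firewall: "
        do_start
        echo "done"
;;

restart)
        printf '%s' "Restarting Firewall: "
        do_stop
        do_start
        echo "done"
;;

stop)
        printf '%s' "Stopping Firewall: "
        do_stop
        echo "done"
;;

*)
        printf 'Usage: firewall {start|restart|stop}\n' >&2
        exit 1
;;
esac

exit 0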

Konfigurační soubory

 