Firewall
Kód scriptu
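#!/bin/sh
#
# firewall - builds the iptables chains in-fw, out-fw and fw-fw from the rule
# files under $CONF_DIR and hooks them into INPUT, OUTPUT and FORWARD.
#
# Usage: firewall {start|restart|stop}
#
# Configuration files (whitespace-separated columns; in the per-chain files
# lines starting with "#" and empty lines are ignored):
#   global.conf   Established: <in> <out> <fw>        "yes" enables per chain
#                 Related:     <in> <out> <fw>        "yes" enables per chain
#                 Logging:     <in> <out> <fw> ...    "off" disables per chain
#                 Policy:      <INPUT> <OUTPUT> <FORWARD>
#   input.conf    src dst proto sport dport in-if target
#   output.conf   src dst proto sport dport out-if target
#   forward.conf  src dst proto sport dport in-if out-if target
#   For proto "icmp" the dport column holds the icmp type; "*" means "any"
#   for sport, dport and icmp type.
#
# Every column is handed to iptables through awk's system(), i.e. through the
# shell, so $CONF_DIR and its files must be writable by root only.

CONF_DIR="/etc/firewall"
IPTBL="/sbin/iptables"

#######################################
# Check that the configuration files can be read and warn when one is
# writable by other users (its columns end up on a shell command line).
# Arguments: configuration file paths
# Returns:   0 when every file is readable, 1 otherwise
#######################################
check_conf() {
  for conf_file in "$@"; do
    if [ ! -r "$conf_file" ]; then
      printf 'firewall: cannot read %s\n' "$conf_file" >&2
      return 1
    fi
    # POSIX find: -perm -002 matches files with the other-write bit set.
    if [ -n "$(find "$conf_file" -perm -002 -print 2>/dev/null)" ]; then
      printf 'firewall: warning: %s is world-writable\n' "$conf_file" >&2
    fi
  done
  return 0
}

#######################################
# Print the line of global.conf that starts with the given keyword.
# A missing keyword prints nothing, so the caller installs no rule.
# Arguments: $1 - keyword including the colon, e.g. "Policy:"
#######################################
global_line() {
  grep -- "^$1" "$CONF_DIR/global.conf"
}

#######################################
# Accept packets in a conntrack state on every chain whose flag is "yes".
# Arguments: $1 - conntrack state (ESTABLISHED or RELATED)
#            $2 - global.conf keyword carrying the three flags
#######################################
state_rules() {
  global_line "$2" | awk -v IPTBL="$IPTBL" -v STATE="$1" '{
    if ($2 == "yes") system(IPTBL " -A in-fw -m state --state " STATE " -j ACCEPT")
    if ($3 == "yes") system(IPTBL " -A out-fw -m state --state " STATE " -j ACCEPT")
    if ($4 == "yes") system(IPTBL " -A fw-fw -m state --state " STATE " -j ACCEPT")
  }'
}

#######################################
# Append the rules listed in a per-chain file to a chain.
# Arguments: $1 - chain name (in-fw, out-fw or fw-fw)
#            $2 - rule file
#            $3 - column layout after dport: "in" (in-if target),
#                 "out" (out-if target) or "fw" (in-if out-if target)
#######################################
chain_rules() {
  grep -E -v '(^#|^$)' -- "$2" | awk -v IPTBL="$IPTBL" -v CHAIN="$1" -v MODE="$3" '{
    if (MODE == "in")       suffix = " -i " $6 " -j " $7
    else if (MODE == "out") suffix = " -o " $6 " -j " $7
    else                    suffix = " -i " $6 " -o " $7 " -j " $8
    prefix = IPTBL " -A " CHAIN " -s " $1 " -d " $2 " -p " $3
    if ($3 == "icmp") {
      # column 5 is the icmp type; "*" matches every type
      if ($5 == "*") system(prefix suffix)
      else system(prefix " --icmp-type " $5 suffix)
    } else {
      sport = ($4 != "*") ? (" --sport " $4) : ""
      dport = ($5 != "*") ? (" --dport " $5) : ""
      system(prefix sport dport suffix)
    }
  }'
}

#######################################
# Add a rate-limited LOG rule to every chain whose Logging: flag is not "off".
# NOTE(review): the flags are read from columns 2-4 but the log level from
# column 4 for all three chains, as in the original script; if the Logging:
# line carries a separate level column it should be $5 - confirm against
# global.conf.
#######################################
logging_rules() {
  global_line "Logging:" | awk -v IPTBL="$IPTBL" '{
    if ($2 != "off") system(IPTBL " -A in-fw -m limit -j LOG --log-level " $4)
    if ($3 != "off") system(IPTBL " -A out-fw -m limit -j LOG --log-level " $4)
    if ($4 != "off") system(IPTBL " -A fw-fw -m limit -j LOG --log-level " $4)
  }'
}

#######################################
# Set the default policies of INPUT, OUTPUT and FORWARD from the Policy: line.
#######################################
apply_policy() {
  global_line "Policy:" | awk -v IPTBL="$IPTBL" '{
    system(IPTBL " -P INPUT " $2)
    system(IPTBL " -P OUTPUT " $3)
    system(IPTBL " -P FORWARD " $4)
  }'
}

#######################################
# Build the three chains, fill them from the configuration, hook them into
# the built-in chains and finally apply the default policies.
# Returns: 0 on success, 1 when the configuration is unusable or the chains
#          are already installed
#######################################
do_start() {
  check_conf "$CONF_DIR/global.conf" "$CONF_DIR/input.conf" \
    "$CONF_DIR/output.conf" "$CONF_DIR/forward.conf" || return 1

  # Refuse to stack a second copy of the rule set onto a running firewall;
  # "restart" tears the old one down first.
  if "$IPTBL" -n -L in-fw >/dev/null 2>&1; then
    printf 'firewall: chains already installed, use restart\n' >&2
    return 1
  fi

  # Creating chains
  "$IPTBL" -N in-fw
  "$IPTBL" -N out-fw
  "$IPTBL" -N fw-fw

  # State firewall
  state_rules ESTABLISHED "Established:"
  state_rules RELATED "Related:"

  # Syn-flood protection (disabled)
  #"$IPTBL" -A in-fw -p tcp --syn -m limit --limit 10/s -j ACCEPT
  #"$IPTBL" -A fw-fw -p tcp --syn -m limit --limit 100/s -j ACCEPT

  # Port scan protection (disabled)
  #"$IPTBL" -A in-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  #"$IPTBL" -A fw-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
  #"$IPTBL" -A in-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
  #"$IPTBL" -A fw-fw -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

  # Ping of death (disabled)
  #"$IPTBL" -A in-fw -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
  #"$IPTBL" -A fw-fw -p icmp --icmp-type echo-request -m limit --limit 100/s -j ACCEPT

  # Local interface
  "$IPTBL" -A in-fw -s 127.0.0.0/8 -i lo -j ACCEPT

  # INPUT / OUTPUT / FORWARD rule files.  The forward.conf icmp-type rule used
  # to lose its "-j target" to a quoting slip in the awk string; the shared
  # chain_rules builder emits the same layout for all three files.
  chain_rules in-fw "$CONF_DIR/input.conf" in
  chain_rules out-fw "$CONF_DIR/output.conf" out
  chain_rules fw-fw "$CONF_DIR/forward.conf" fw

  # Logging
  logging_rules

  # Inserting rules: hook the chains in before the policies are tightened so
  # that no packet meets a DROP policy with an empty rule set.
  "$IPTBL" -I INPUT -j in-fw
  "$IPTBL" -I OUTPUT -j out-fw
  "$IPTBL" -I FORWARD -j fw-fw

  # Changing policy
  apply_policy
}

#######################################
# Remove the chains again and reset the built-in policies to ACCEPT.
# Errors are silenced because the chains may not exist (stop after stop).
#######################################
do_stop() {
  # Delete every copy of the jump; earlier starts may have stacked several.
  while "$IPTBL" -D INPUT -j in-fw 2>/dev/null; do :; done
  while "$IPTBL" -D OUTPUT -j out-fw 2>/dev/null; do :; done
  while "$IPTBL" -D FORWARD -j fw-fw 2>/dev/null; do :; done
  for chain in in-fw out-fw fw-fw; do
    "$IPTBL" -F "$chain" 2>/dev/null
    "$IPTBL" -X "$chain" 2>/dev/null
  done
  # Fail-open: with the rule set gone the built-in chains accept again.
  # During "restart" this leaves a short window with no filtering.
  "$IPTBL" -P INPUT ACCEPT
  "$IPTBL" -P OUTPUT ACCEPT
  "$IPTBL" -P FORWARD ACCEPT
}

# printf replaces "echo -n", which /bin/sh does not handle portably.
case "${1:-}" in
  start)
    printf 'Starting Firewall: '
    if do_start; then echo "done"; else echo "failed"; exit 1; fi
    ;;
  restart)
    printf 'Restarting Firewall: '
    do_stop
    if do_start; then echo "done"; else echo "failed"; exit 1; fi
    ;;
  stop)
    printf 'Stopping Firewall: '
    do_stop
    echo "done"
    ;;
  *)
    echo "Usage: firewall {start|restart|stop}" >&2
    exit 1
    ;;
esac
exit 0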
Konfigurační soubory