firewall shell script
firewall (text/plain), 10.02 KB, created by
Evan Buswell
on 2005-05-27 17:19:19 UTC
Description:
firewall shell script
Filename:
MIME Type:
Creator:
Evan Buswell
Created:
2005-05-27 17:19:19 UTC
Size:
10.02 KB
patch
obsolete
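#!/bin/bash
#
# Gentoo per-interface firewall helper.
#
# Usage: firewall <interface> up|down|restart|reload
#
# Builds three iptables chains per interface from /etc/conf.d/firewall:
#   <ifvar>-in        attached to INPUT   (traffic addressed to this host)
#   pkfw-in-<ifvar>   attached to FORWARD (traffic entering via the interface)
#   pkfw-out-<ifvar>  attached to the shared pkfw-out chain (traffic leaving
#                     via the interface)
# where <ifvar> is the interface name mangled into a bash identifier
# (eth0.1 -> eth0_1).  Every configuration variable may carry a suffix that is
# any prefix of <ifvar> (reject_e, reject_eth, reject_eth0); list variables
# accumulate across suffixes, switch variables take the most specific one —
# see mergevars().
#
# The script runs as root and calls hook functions by name (input_hook,
# pkfw_in_hook, pkfw_out_hook and their suffixed variants) from
# /etc/conf.d/firewall, so that file should be writable by root only.
#
# Ordering note: global() switches the INPUT/FORWARD policies to DROP before a
# single per-interface chain exists, so new connections on an interface are
# refused until fwup() has attached its chain; with replies=true (the default)
# ESTABLISHED,RELATED traffic is re-admitted from that point.
#
# No `set -e`: several iptables calls are expected to fail (chains that do not
# exist yet, a missing lo device) and are handled inline.
# Needs bash >= 3.1 (printf -v, array +=).

[[ -r /lib/rcscripts/net.modules.d/helpers.d/functions ]] && . /lib/rcscripts/net.modules.d/helpers.d/functions

# Wrappers pin absolute paths and a C locale so that output parsing below
# (route/awk) and error text are stable regardless of the caller's environment.
iptables() {
  LC_ALL=C /sbin/iptables "$@"
}

modprobe() {
  LC_ALL=C /sbin/modprobe "$@"
}

route() {
  LC_ALL=C /sbin/route "$@"
}

grep() {
  LC_ALL=C /bin/grep "$@"
}

awk() {
  LC_ALL=C /bin/awk "$@"
}

sed() {
  LC_ALL=C /bin/sed "$@"
}

# interface_variable normally comes from the Gentoo net helpers sourced above.
# Without it the chain names degrade to "-in", "pkfw-in-" and so on, so supply
# a fallback: replace everything bash cannot have in a variable name with '_'
# (eth0.1 -> eth0_1).
# NOTE(review): mirrors the helper's mangling as far as this script relies on
# it — confirm against the installed helpers.d/functions.
if [[ $( type -t interface_variable ) != function ]]; then
  interface_variable() {
    echo "${1//[![:alnum:]]/_}"
  }
fi

#######################################
# Print every non-empty prefix of ${1}, shortest first, one per line
# (eth0 -> e, et, eth, eth0).  These are the configuration suffixes looked up
# from least to most specific by exechook() and mergevars().
#######################################
conf_suffixes() {
  local ifvar=${1} i
  for (( i = 1; i <= ${#ifvar}; i++ )); do
    printf '%s\n' "${ifvar:0:i}"
  done
}

#######################################
# Succeed if chain ${1} exists in the filter table.  Listing a single chain
# fails when it is absent, and the name is matched exactly — a grep over the
# full listing would let pkfw-out match pkfw-out-eth0 as well.
#######################################
chain_exists() {
  iptables -nL "${1}" >/dev/null 2>&1
}

#######################################
# Flush and delete chain ${1} if present; never fails.
#######################################
drop_chain() {
  iptables --flush "${1}" &>/dev/null || true
  iptables --delete-chain "${1}" &>/dev/null || true
}

#######################################
# Append one ACCEPT rule to chain ${1} per item in the remaining arguments.
# ${2} says what an item denotes: icmp (an icmp type), proto (a protocol
# name or number), tcp or udp (a destination port).  An item may be prefixed
# with "source:" to restrict the rule to that address/network: everything up
# to the first ':' is the source, everything after the last ':' the value.
# Returns 1 on an unknown kind.
#######################################
accept_items() {
  local chain=${1} kind=${2} item source value
  local -a match
  shift 2
  for item in "$@"; do
    if [[ ${item} == *:* ]]; then
      source=${item%%:*}
    else
      source=
    fi
    value=${item##*:}
    case "${kind}" in
      icmp) match=( --protocol icmp --icmp-type "${value}" ) ;;
      proto) match=( --protocol "${value}" ) ;;
      tcp|udp) match=( --protocol "${kind}" --destination-port "${value}" ) ;;
      *)
        printf '%s: accept_items: unknown kind %s\n' "${0}" "${kind}" >&2
        return 1
        ;;
    esac
    if [[ -n ${source} ]]; then
      match+=( --source "${source}" )
    fi
    iptables -A "${chain}" "${match[@]}" --jump ACCEPT
  done
}

#######################################
# Turn on kernel forwarding and the dynamic address hack (sysctl via /proc).
#######################################
globalforward() {
  echo "1" >/proc/sys/net/ipv4/ip_forward
  echo "1" >/proc/sys/net/ipv4/ip_dynaddr
}

#######################################
# Interface-independent setup: default policies, the shared pkfw-out chain and
# the connection tracking/NAT helper modules.  Safe to call repeatedly.
#######################################
global() {
  local module
  # drop everything we do not explicitly accept
  iptables --policy INPUT DROP
  iptables --policy FORWARD DROP
  # accept all outgoing packets
  iptables --policy OUTPUT ACCEPT
  # shared chain that every pkfw-in-<ifvar> chain jumps to and that the
  # pkfw-out-<ifvar> chains hang off
  if ! chain_exists pkfw-out; then
    iptables --new-chain pkfw-out 2>/dev/null || true
    iptables --flush pkfw-out
    iptables --zero pkfw-out
  fi
  # load conntrack/NAT helpers; all other modules *should* load automatically.
  # Failures are ignored (module built in or absent).  ip_nat_snmp_basic was
  # misspelt ip_nat_smnp_basic before and therefore never loaded.
  for module in ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
      ip_conntrack_tftp ip_nat_ftp ip_nat_irc ip_nat_snmp_basic ip_nat_tftp; do
    modprobe "${module}" &>/dev/null || true
  done
}

#######################################
# Create the lo-in chain that accepts all loopback traffic and hook it into
# INPUT.  No-op if the chain already exists.
#######################################
loup() {
  chain_exists lo-in && return 0
  iptables --new-chain lo-in
  iptables --flush lo-in
  iptables --zero lo-in
  # loopback is trusted: accept everything
  iptables -A lo-in \
    --jump ACCEPT
  # can fail on setups without a lo device; not fatal
  iptables -A INPUT \
    --in-interface lo \
    --jump lo-in &>/dev/null || true
}

#######################################
# Run user hook ${2} for interface ${1}: first the plain function, then each
# suffixed variant (hook_e, hook_et, ..., hook_eth0) from least to most
# specific.  Each hook is called as: hook <iface> <ifvar>.  Missing hooks are
# skipped.  Functions are invoked by name, so no eval is involved.
#######################################
exechook() {
  local iface=${1} hookname=${2} ifvar fn suffix
  ifvar=$( interface_variable "${iface}" )
  fn=${hookname}
  [[ $( type -t "${fn}" ) == function ]] && "${fn}" "${iface}" "${ifvar}"
  for suffix in $( conf_suffixes "${ifvar}" ); do
    fn=${hookname}_${suffix}
    [[ $( type -t "${fn}" ) == function ]] && "${fn}" "${iface}" "${ifvar}"
  done
  return 0
}

#######################################
# Source /etc/conf.d/firewall and fold the suffixed variants for interface ${1}
# into the plain configuration variables.
# List variables (tcp_services udp_services protocols icmp_accept) accumulate:
# every suffixed variant is appended, least specific first.
# Switch variables (reject log_all replies forward_replies_from
# forward_replies_via forward_from forward_via masquerade firewall) override:
# the most specific non-empty variant wins.
# Globals: writes all variables named above.
#######################################
mergevars() {
  local iface=${1} ifvar suffix var name
  ifvar=$( interface_variable "${iface}" )
  [[ -r /etc/conf.d/firewall ]] && . /etc/conf.d/firewall
  for suffix in $( conf_suffixes "${ifvar}" ); do
    for var in tcp_services udp_services protocols icmp_accept; do
      name=${var}_${suffix}
      # indirect expansion instead of eval; an unset variant adds nothing
      printf -v "${var}" '%s %s' "${!var}" "${!name}"
    done
    for var in reject log_all replies forward_replies_from forward_replies_via \
        forward_from forward_via masquerade firewall; do
      name=${var}_${suffix}
      if [[ -n ${!name} ]]; then
        printf -v "${var}" '%s' "${!name}"
      fi
    done
  done
}

#######################################
# Reset the configuration globals before mergevars() layers the user's
# settings on top.
#######################################
defaults() {
  # these are global variables
  tcp_services=""
  udp_services=""
  protocols=""
  # icmp types accepted from anywhere: echo reply, destination unreachable,
  # echo request, router advertisement, time exceeded, parameter problem
  icmp_accept="0 3 8 9 11 12"
  # reject="true": answer refused packets (tcp-reset / icmp) instead of
  # silently dropping them
  reject="false"
  # log_all="true": LOG everything that reaches the end of a chain
  log_all="false"
  # replies="true": accept ESTABLISHED,RELATED on INPUT
  replies="true"
  forward_replies_from="false"
  forward_replies_via="false"
  forward_from="false"
  forward_via="false"
  masquerade="false"
  # global switch; "false" makes <ifvar>-in accept everything
  firewall="false"
}

#######################################
# Build pkfw-in-<ifvar>: packets entering ${1} that are to be forwarded.
# Arguments: $1 interface, $2 mangled interface name
# Globals (read): forward_from forward_replies_from log_all reject
#######################################
fwup_forward_in() {
  local iface=${1} chain="pkfw-in-${2}" net
  local -a networks=()
  chain_exists "${chain}" && return 0
  iptables --new-chain "${chain}"
  iptables --flush "${chain}"
  iptables --zero "${chain}"
  if [[ ${forward_from} == "true" ]]; then
    globalforward
    # forward from every network directly connected through this interface
    # (route entries on ${iface} without a gateway), one rule per network;
    # the interface is passed to awk with -v, never interpolated into the
    # program text
    while IFS= read -r net; do
      [[ -n ${net} ]] && networks+=( "${net}" )
    done < <( route -n | awk -v iface="${iface}" \
      '$NF == iface && $2 == "0.0.0.0" { print $1 "/" $3 }' )
    if (( ${#networks[@]} == 0 )); then
      # previously an empty --source made iptables fail and the rule vanished
      printf '%s: no directly connected network on %s, nothing to forward from\n' \
        "${0}" "${iface}" >&2
    fi
    for net in "${networks[@]}"; do
      iptables -A "${chain}" \
        --source "${net}" \
        --jump pkfw-out
    done
  fi
  if [[ ${forward_replies_from} == "true" ]]; then
    iptables -A "${chain}" \
      -m state --state ESTABLISHED,RELATED \
      --jump pkfw-out
  fi
  # user-defined rules
  exechook "${iface}" pkfw_in_hook
  if [[ ${log_all} == "true" ]]; then
    # NOTE(review): unrated LOG rule; a flood of forwarded packets fills
    # syslog.  Consider adding `-m limit --limit 5/min` here and in the other
    # LOG rules.
    iptables -A "${chain}" \
      --jump LOG --log-prefix "Attempted Forward: "
  fi
  if [[ ${reject} == "true" ]]; then
    iptables -A "${chain}" \
      --jump REJECT --reject-with icmp-admin-prohibited
  fi
  iptables -t filter -A FORWARD \
    --in-interface "${iface}" \
    --jump "${chain}"
}

#######################################
# Build pkfw-out-<ifvar>: forwarded packets leaving via ${1}.
# Arguments: $1 interface, $2 mangled interface name
# Globals (read): forward_via forward_replies_via log_all reject
#######################################
fwup_forward_out() {
  local iface=${1} chain="pkfw-out-${2}"
  chain_exists "${chain}" && return 0
  iptables --new-chain "${chain}"
  iptables --flush "${chain}"
  iptables --zero "${chain}"
  if [[ ${forward_replies_via} == "true" ]]; then
    iptables -A "${chain}" \
      -m state --state ESTABLISHED,RELATED \
      --jump ACCEPT
  fi
  if [[ ${forward_via} == "true" ]]; then
    # accept all outgoing packets
    iptables -A "${chain}" \
      --jump ACCEPT
  fi
  # user-defined rules
  exechook "${iface}" pkfw_out_hook
  if [[ ${log_all} == "true" ]]; then
    iptables -A "${chain}" \
      --jump LOG --log-prefix "Attempted Forward: "
  fi
  if [[ ${reject} == "true" ]]; then
    iptables -A "${chain}" \
      --jump REJECT --reject-with icmp-admin-prohibited
  fi
  iptables -A pkfw-out \
    --out-interface "${iface}" \
    --jump "${chain}"
}

#######################################
# Build <ifvar>-in: packets addressed to this host arriving on ${1}.
# Arguments: $1 interface, $2 mangled interface name
# Globals (read): firewall replies icmp_accept protocols tcp_services
#                 udp_services log_all reject
#######################################
fwup_input() {
  local iface=${1} chain="${2}-in"
  chain_exists "${chain}" && return 0
  iptables --new-chain "${chain}" 2>/dev/null
  iptables --flush "${chain}"
  iptables --zero "${chain}"
  if [[ ${firewall} == "false" ]]; then
    # global switch off: this first rule accepts everything, so none of the
    # rules below are reached on this interface
    iptables -A "${chain}" \
      --jump ACCEPT
  fi
  if [[ ${replies} == "true" ]]; then
    # let replies come through
    iptables -A "${chain}" \
      -m state --state ESTABLISHED,RELATED \
      --jump ACCEPT
  fi
  # the lists are space separated and deliberately word-split here
  # shellcheck disable=SC2086
  accept_items "${chain}" icmp ${icmp_accept}
  # shellcheck disable=SC2086
  accept_items "${chain}" proto ${protocols}
  # shellcheck disable=SC2086
  accept_items "${chain}" tcp ${tcp_services}
  # shellcheck disable=SC2086
  accept_items "${chain}" udp ${udp_services}
  # user-defined rules
  exechook "${iface}" input_hook
  if [[ ${log_all} == "true" ]]; then
    iptables -A "${chain}" \
      --jump LOG --log-prefix "Dropped Packet: "
  fi
  if [[ ${reject} == "true" ]]; then
    # tcp connection attempts get a RST, everything else the REJECT default
    # (icmp port unreachable); with reject=false the packet falls through to
    # the INPUT DROP policy
    iptables -A "${chain}" \
      --protocol tcp --syn \
      --jump REJECT --reject-with tcp-reset
    iptables -A "${chain}" \
      --jump REJECT
  fi
  iptables -A INPUT \
    --in-interface "${iface}" \
    --jump "${chain}"
}

#######################################
# Bring the firewall up on interface ${1}: load its configuration, set up
# masquerading if requested, then build and attach the forward and input
# chains.  A chain that already exists is left alone, so repeated calls are
# harmless; run fwdown first to pick up configuration changes.
#######################################
fwup() {
  local iface=${1} ifvar
  ifvar=$( interface_variable "${iface}" )
  defaults
  mergevars "${iface}"
  if [[ ${masquerade} == "true" ]]; then
    # delete first so a restart does not install a duplicate rule
    iptables --table nat -D POSTROUTING \
      --out-interface "${iface}" \
      --jump MASQUERADE &>/dev/null || true
    iptables --table nat -A POSTROUTING \
      --out-interface "${iface}" \
      --jump MASQUERADE
  fi
  fwup_forward_in "${iface}" "${ifvar}"
  fwup_forward_out "${iface}" "${ifvar}"
  fwup_input "${iface}" "${ifvar}"
}

#######################################
# Detach and delete every chain and rule fwup() created for interface ${1}.
# Always succeeds, whether or not the rules were present.  The DROP policies
# and the shared pkfw-out chain from global() are left in place.
#######################################
fwdown() {
  local iface=${1} ifvar
  ifvar=$( interface_variable "${iface}" )
  iptables -D INPUT \
    --in-interface "${iface}" \
    --jump "${ifvar}-in" &>/dev/null || true
  drop_chain "${ifvar}-in"
  iptables -D FORWARD \
    --in-interface "${iface}" \
    --jump "pkfw-in-${ifvar}" &>/dev/null || true
  drop_chain "pkfw-in-${ifvar}"
  iptables -D pkfw-out \
    --out-interface "${iface}" \
    --jump "pkfw-out-${ifvar}" &>/dev/null || true
  drop_chain "pkfw-out-${ifvar}"
  iptables --table nat -D POSTROUTING \
    --out-interface "${iface}" \
    --jump MASQUERADE &>/dev/null || true
}

#######################################
# Print the usage line to stderr and exit 1.
#######################################
usage() {
  echo "Usage: ${0} interface up|down|restart|reload" 1>&2
  exit 1
}

#######################################
# "up" command: global setup, the loopback chain, then the per-interface
# firewall for ${1} (for lo only the loopback chain).
#######################################
up() {
  local iface=${1}

  global

  if [[ ${iface} == "lo" ]]; then
    loup
    return $?
  fi

  # loup is a no-op when lo-in already exists
  loup

  fwup "${iface}"
}

iface=${1}
cmd=${2}

# an empty interface name would yield chains named "-in", "pkfw-in-", ...
[[ -n ${iface} ]] || usage

case "${cmd}" in
  up)
    up "${iface}"
    ;;
  down)
    fwdown "${iface}"
    ;;
  restart|reload)
    fwdown "${iface}"
    up "${iface}"
    ;;
  *)
    usage
    ;;
esac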