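arno-iptables-firewall_2.0.1d/0000755000000000000000000000000012055611116014777 5ustar rootrootarno-iptables-firewall_2.0.1d/install.sh0000755000000000000000000002554312055611115017014 0ustar rootroot
#!/bin/bash
MY_VERSION="1.06a"
# ------------------------------------------------------------------------------------------
# -= Arno's iptables firewall =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# ~ In memory of my dear father ~
#
# (C) Copyright 2001-2012 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------
#
# Installer for the firewall. Must be run as root from the unpacked source
# tree: every source path below (./bin, ./share, ./etc, ./configure.sh) is
# relative to the directory this script lives in.

# Change to the directory the install script is in BEFORE anything else:
# the environment file is sourced from a relative path, and the version
# lookup below reads ./bin relative to the cwd as well.
if ! cd "$(dirname "$0")"; then
  printf "\033[40m\033[1;31mERROR: Could not change to the directory of %s!\033[0m\n" "$0" >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
# (it provides check_command_error / check_command_warning used below)
#########################################################
if [ -f ./share/arno-iptables-firewall/environment ]; then
  . ./share/arno-iptables-firewall/environment
else
  printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2
  exit 2
fi

#######################################
# Abort unless we are root and every tool the installer relies on exists.
# Globals:   IPV6_DETECTED (read; set by the environment file)
# Outputs:   error text on stderr
# Returns:   exits 1 when not root, exits 2 (via check_command_error) on a
#            missing required command; 0 otherwise
#######################################
sanity_check() {
  local cmd

  # root check
  if [[ "$(id -u)" != "0" ]]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi

  check_command_error iptables
  if [[ "$IPV6_DETECTED" == "1" ]]; then
    check_command_error ip6tables
  fi

  # Tools used by this installer and by the firewall script itself
  for cmd in awk tr ip cut uname sed cat date modprobe sysctl head tail wc \
             gzip logger chmod chown diff find cp rm mkdir rmdir ln; do
    check_command_error "$cmd"
  done

  check_command_warning dig nslookup
}

#######################################
# Resolve where one source file lands for a given destination.
# Arguments: $1 - source root as given to copy_* (file or directory)
#            $2 - destination; a trailing '/' means "directory": the path of
#                 $3 relative to $1 is appended (or the basename of $1 when
#                 $1 itself is the file)
#            $3 - the actual source file found under $1
# Outputs:   the target path on stdout
#######################################
_copy_target() {
  local src="$1" dest="$2" source="$3" rel

  if [[ "$dest" == */ ]]; then
    rel="${source#"$src"}"
    if [[ -z "$rel" ]]; then
      printf '%s\n' "$dest${src##*/}"
    else
      printf '%s\n' "$dest$rel"
    fi
  else
    printf '%s\n' "$dest"
  fi
}

#######################################
# Shared worker for copy_ask_if_exist / copy_skip_if_exist / copy_overwrite.
# Copies every regular file under $2 (ignoring .svn directories) to $3 and
# chowns the result to root:root.
# Arguments: $1 - mode: "ask"       prompt before replacing a differing
#                                   target, keep a backup of the old file
#                       "skip"      never touch an existing target
#                       "overwrite" replace differing targets silently
#            $2 - source file or directory
#            $3 - destination file or directory (trailing '/')
# Outputs:   progress on stdout, warnings/errors on stderr
# Returns:   0; exits 2 when $2 holds no files, exits 3 on a copy error
#######################################
_copy_files() {
  local mode="$1" src="$2" dest="$3"
  local source target target_dir answer cp_opts

  case "$mode" in
    ask)       cp_opts="-bv" ;;   # -b: keep a backup of the overwritten file
    skip)      cp_opts="-v" ;;
    overwrite) cp_opts="-fv" ;;
    *)         printf 'ERROR: Invalid copy mode "%s"\n' "$mode" >&2; exit 2 ;;
  esac

  if [[ -z "$(find "$src" -type f)" ]]; then
    printf 'ERROR: Missing source file(s) "%s"\n' "$src" >&2
    exit 2
  fi

  # NUL-delimited file list so paths with whitespace survive; it is read from
  # fd 3 so that stdin stays available for the overwrite prompt.
  while IFS= read -r -d '' -u 3 source; do
    target="$(_copy_target "$src" "$dest" "$source")"
    if [[ "$dest" == */ ]]; then
      target_dir="$dest"
    else
      target_dir="$(dirname "$dest")"
    fi

    if [[ ! -d "$target_dir" ]]; then
      printf "\033[40m\033[1;31m* WARNING: Target directory %s does not exist. Skipping copy of %s!\033[0m\n" "$target_dir" "$source" >&2
      continue
    fi

    case "$mode" in
      skip)
        if [[ -f "$target" ]]; then
          printf '* File "%s" already exists. Skipping copy of %s\n' "$target" "$source"
          continue
        fi
        ;;
      ask|overwrite)
        if [[ -f "$source" && -f "$target" ]]; then
          # Ignore files that are the same in the target
          if diff "$source" "$target" >/dev/null; then
            printf '* Target file "%s" is the same as source. Skipping copy of %s\n' "$target" "$source"
            continue
          fi
          if [[ "$mode" == "ask" ]]; then
            printf 'File "%s" already exists. Overwrite (Y/N)? ' "$target"
            read -r -s -n1 answer
            if [[ "$answer" != [yY] ]]; then
              echo "No. Skipped..."
              continue
            fi
            echo "Yes"
          fi
        fi
        ;;
    esac

    # copy file (& create backup of old file if exists, in "ask" mode)
    if ! cp "$cp_opts" -- "$source" "$target"; then
      printf 'ERROR: Copy error of "%s" to "%s"!\n' "$source" "$target" >&2
      exit 3
    fi
    chown 0:0 -- "$target"
  done 3< <(find "$src" -type f ! -path '*/.svn/*' -print0)

  return 0
}

# Copy $1 to $2, asking before overwriting a target that differs (keeps a backup)
copy_ask_if_exist() {
  _copy_files ask "$1" "$2"
}

# Copy $1 to $2, leaving any existing target untouched
copy_skip_if_exist() {
  _copy_files skip "$1" "$2"
}

# Copy $1 to $2, replacing targets that differ from the source
copy_overwrite() {
  _copy_files overwrite "$1" "$2"
}

#######################################
# Ask a yes/no question and read a single key.
# Arguments: $1 - prompt text
#            $2 - optional default ("y" or "n") used for any other key
# Outputs:   the prompt plus "Yes"/"No" on stdout
# Returns:   0 for yes, 1 for no. When stdin is exhausted (no terminal) the
#            answer is "No" instead of spinning forever on a failing read.
#######################################
get_user_yn() {
  local prompt="$1" default="$2" answer

  printf '%s ' "$prompt"
  while true; do
    if ! read -r -s -n1 answer; then
      echo "No"
      return 1
    fi
    case "$answer" in
      y|Y) echo "Yes"; return 0 ;;
      n|N) echo "No";  return 1 ;;
    esac
    # Any other key: fall back to the default, if one was given
    case "$default" in
      y) echo "Yes"; return 0 ;;
      n) echo "No";  return 1 ;;
    esac
  done
}

#######################################
# Detect a pre-2.0 installation (init script carrying MY_VERSION=) and offer
# to remove it; the old config files are kept as *.old.
#######################################
check_18_version() {
  if [[ -e "/etc/init.d/arno-iptables-firewall" ]] \
     && grep -q "^MY_VERSION=" "/etc/init.d/arno-iptables-firewall"; then
    if get_user_yn "WARNING: An old version is still installed. Removing it first is *STRONGLY* recommended. Remove (Y/N)?" "y"; then
      rm -fv /etc/init.d/arno-iptables-firewall
      mv -fv /etc/arno-iptables-firewall/custom-rules /etc/arno-iptables-firewall/custom-rules.old
      mv -fv /etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/firewall.conf.old
      rm -fv /etc/arno-iptables-firewall/plugins/*.plugin
      rm -fv /etc/rc*.d/*arno-iptables-firewall
    fi
  fi
}

# Strip the numeric priority prefix from a plugin file name ("50foo.plugin" -> "foo.plugin")
_plugin_name() {
  local name="$1"
  while [[ "$name" == [0-9]* ]]; do
    name="${name#[0-9]}"
  done
  printf '%s\n' "$name"
}

#######################################
# Check plugins for (old) versions with different priority: an installed
# plugin whose name matches a shipped one apart from the numeric prefix is
# a stale copy and is removed.
#######################################
check_plugins() {
  local plugin_dir="/usr/local/share/arno-iptables-firewall/plugins"
  local plugin plugin_base plugin_name installed installed_base

  [[ -d "$plugin_dir/" ]] || return 0

  for plugin in ./share/arno-iptables-firewall/plugins/*.plugin; do
    [[ -e "$plugin" ]] || continue
    plugin_base="${plugin##*/}"
    plugin_name="$(_plugin_name "$plugin_base")"
    for installed in "$plugin_dir"/*.plugin; do
      [[ -e "$installed" ]] || continue
      installed_base="${installed##*/}"
      if [[ "$installed_base" != "$plugin_base" \
            && "$(_plugin_name "$installed_base")" == "$plugin_name" ]]; then
        echo "* Removing old plugin: $installed"
        rm -fv -- "$installed"
      fi
    done
  done
  return 0
}

#######################################
# Installer main line.
#######################################
main() {
  local aif_version

  aif_version="$(grep "^MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

  printf "\033[40m\033[1;32mArno's Iptables Firewall Script v%s\033[0m\n" "$aif_version"
  printf "Install Script v%s\n" "$MY_VERSION"
  echo "-------------------------------------------------------------------------------"

  sanity_check

  if ! get_user_yn "Continue install (Y/N)?" "n"; then
    echo "*Install aborted"
    exit 1
  fi

  # Make sure there still isn't an old version installed
  check_18_version

  copy_overwrite ./bin/arno-iptables-firewall /usr/local/sbin/
  copy_overwrite ./bin/arno-fwfilter /usr/local/bin/
  # arno-fwfilter now lives in /usr/local/bin; drop a copy at the old location
  rm -f /usr/local/sbin/arno-fwfilter

  mkdir -pv /usr/local/share/arno-iptables-firewall/plugins || exit 1
  copy_overwrite ./share/arno-iptables-firewall/ /usr/local/share/arno-iptables-firewall/
  if [[ ! -e /usr/local/sbin/traffic-accounting-show ]]; then
    ln -sv /usr/local/share/arno-iptables-firewall/plugins/traffic-accounting-show /usr/local/sbin/traffic-accounting-show
  fi

  mkdir -pv /usr/local/share/man/man1 || exit 1
  mkdir -pv /usr/local/share/man/man8 || exit 1
  gzip -c -v ./share/man/man8/arno-iptables-firewall.8 >/usr/local/share/man/man8/arno-iptables-firewall.8.gz
  # The section-1 page goes to man1 (it used to be written into man8 by mistake)
  gzip -c -v ./share/man/man1/arno-fwfilter.1 >/usr/local/share/man/man1/arno-fwfilter.1.gz

  mkdir -pv /usr/local/share/doc/arno-iptables-firewall || exit 1
  copy_overwrite ./README /usr/local/share/doc/arno-iptables-firewall/

  copy_ask_if_exist ./etc/init.d/arno-iptables-firewall /etc/init.d/

  mkdir -pv /etc/arno-iptables-firewall || exit 1
  copy_overwrite ./etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/firewall.conf.dist
  copy_skip_if_exist ./etc/arno-iptables-firewall/custom-rules /etc/arno-iptables-firewall/
  copy_ask_if_exist ./etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/

  mkdir -pv /etc/arno-iptables-firewall/plugins || exit 1
  copy_ask_if_exist ./etc/arno-iptables-firewall/plugins/ /etc/arno-iptables-firewall/plugins/

  mkdir -pv /etc/arno-iptables-firewall/conf.d || exit 1
  printf '%s\n' "Files with a .conf extension in this directory will be sourced by the environment file" >/etc/arno-iptables-firewall/conf.d/README

  check_plugins

  echo ""
  echo "** Install done **"
  echo ""

  if get_user_yn "Do you want to run the configuration script (Y/N)?"; then
    ./configure.sh
  fi

  echo ""
  echo "-------------------------------------------------------------------------------"
  echo "** NOTE: You can now (manually) start the firewall by executing **"
  echo "** \"/etc/init.d/arno-iptables-firewall start\" **"
  echo "** It is recommended however to first review the settings in **"
  echo "** /etc/arno-iptables-firewall/firewall.conf! **"
  echo "-------------------------------------------------------------------------------"
  echo ""

  if get_user_yn "(Re)start firewall (Y/N)?"; then
    /usr/local/sbin/arno-iptables-firewall restart
  fi

  exit 0
}

main "$@"
arno-iptables-firewall_2.0.1d/share/0000755000000000000000000000000012055611116016101 5ustar rootrootarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/0000755000000000000000000000000012055611116022444 5ustar rootrootarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/environment0000644000000000000000000011317612055611115024743 0ustar rootroot
# ------------------------------------------------------------------------------
# -= Arno's iptables firewall =-
# Single- & multi-homed firewall script with DSL/ADSL support
#
# ~ In memory of my dear father ~
#
# (C) Copyright 2001-2012 by Arno van Amersfoort
# Co-authors : Lonnie Abelbeck & Philip Prindeville
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.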
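# See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------
# NOTE: When used in combination with firewall.conf. Load firewall.conf first before calling us!
# NOTE: This file is sourced by the firewall script and contains a workaround
#       for a Busybox 'ash' quirk, so it is kept plain POSIX sh (no bashisms).

# Some predefined variables/macros:
ANYHOST="0/0"          # "any host" in rule syntax and as a default value
ANYPORT="0:65535"      # "any port" in rule syntax and as a default value
SEP="~"                # rule syntax: separates hosts from ports/protos
SEP2="#"               # rule syntax: separates interfaces/IPs from hosts~ports
SEP3="|"
INDENT=""              # prefix put in front of informational output lines
TAB="$(printf '\t')"
EOL='
'                      # a literal newline; used as IFS to walk output line by line

# Globals variables:
RULE_WARNING=0         # set to 1 when a rule fails to apply or to parse
DNS_FAST_FAIL_ONCE=0   # 1 = the next dig/nslookup uses short timeouts, then resets

################################# Functions ####################################

# Run a command, or - when TRACEFILE is set - only append its command line to
# TRACEFILE. Note: in trace mode the command is logged and NOT executed.
trace() {
  if [ -n "$TRACEFILE" ]; then
    ((PS4='' ; set -x ; : "$@" >/dev/null) 2>&1 ) | sed 's/^: //' >> "$TRACEFILE"
  else
    "$@"
  fi
}

# Find command path with '/hint/path/command' as the argument
# Outputs the hint itself when it is executable, else the PATH lookup result.
find_command() {
  if [ -x "$1" ]; then
    echo "$1"
  else
    # Deliberately the external 'which', not 'command -v': this file defines
    # shell functions named like several binaries (ip, tc, sysctl, modprobe),
    # and 'command -v' would report those instead of a path.
    which "$(basename "$1")" 2>/dev/null
  fi
}

# Check whether a certain command is available
# Arguments: command names (or absolute paths), also space separated in one arg
# Returns 0 as soon as one of them is found in its usual directory or on PATH
check_command() {
  local path cmd IFS

  IFS=' '
  for cmd in $*; do
    case "$cmd" in
      /*)                    path="" ;;
      ip|tc|modprobe|sysctl) path="/sbin/" ;;
      sed|cat|date|uname)    path="/bin/" ;;
      *)                     path="/usr/bin/" ;;
    esac

    if [ -x "$path$cmd" ]; then
      return 0
    fi

    # external 'which' on purpose, see find_command()
    if which "$cmd" >/dev/null 2>&1; then
      return 0
    fi
  done

  return 1
}

# Check whether a binary is available and if not, generate an error and stop program execution
check_command_error() {
  local IFS=' '

  if ! check_command "$@"; then
    printf "\033[40m\033[1;31mERROR : Command(s) \"%s\" is/are not available!\033[0m\n" "$(echo "$@" |tr ' ' '|')" >&2
    printf "\033[40m\033[1;31m Please investigate. Quitting...\033[0m\n" >&2
    echo ""
    exit 2
  fi
}

# Check whether a binary is available and if not, generate a warning but continue program execution
# Returns the check_command() status
check_command_warning() {
  local retval IFS=' '

  check_command "$@"
  retval=$?

  if [ $retval -ne 0 ]; then
    printf "\033[40m\033[1;31mWARNING: Command(s) \"%s\" is/are not available!\033[0m\n" "$(echo "$@" |tr ' ' '|')" >&2
    printf "\033[40m\033[1;31m Please investigate. This *may* be a problem!\033[0m\n" >&2
    echo ""
  fi

  return $retval
}

# Check if the current kernel is at least a certain version (or newer)
# Arguments: major minor rev (eg. "2 6 25") or one dotted string (eg. "2.6.25")
# Return : 0 = kernel is equal or newer, 1 = kernel is older
# Missing components (a "3.10" kernel, or a "2 6" request) count as 0.
######################################################################
kernel_ver_chk() {
  local maj min rev ver ver_maj ver_min ver_rev

  if [ -n "$2" ]; then
    maj="$1"
    min="$2"
    rev="$3"
  else
    maj=$(echo "$1" |cut -s -d'.' -f1)
    min=$(echo "$1" |cut -s -d'.' -f2)
    rev=$(echo "$1" |cut -s -d'.' -f3)
  fi
  maj=${maj:-0}
  min=${min:-0}
  rev=${rev:-0}

  # Drop any "-flavour" suffix. No 'cut -s' here: a release without a '-'
  # (eg. "5.15.0") must survive instead of becoming the empty string.
  ver=$(uname -r |cut -d'-' -f1)
  ver_maj=$(echo "$ver" |cut -s -d'.' -f1)
  ver_min=$(echo "$ver" |cut -s -d'.' -f2)
  ver_rev=$(echo "$ver" |cut -s -d'.' -f3)
  ver_maj=${ver_maj:-0}
  ver_min=${ver_min:-0}
  ver_rev=${ver_rev:-0}

  if [ "$ver_maj" -gt "$maj" ]; then
    return 0
  elif [ "$ver_maj" -lt "$maj" ]; then
    return 1
  fi

  if [ "$ver_min" -gt "$min" ]; then
    return 0
  elif [ "$ver_min" -lt "$min" ]; then
    return 1
  fi

  if [ "$ver_rev" -gt "$rev" ]; then
    return 0
  elif [ "$ver_rev" -lt "$rev" ]; then
    return 1
  fi

  return 0
}

# Linecount function (stdin -> number of lines on stdout)
lc() {
  wc -l |awk '{ print $1 }'
}

# Does this iptables command line add a rule (-A/-I)? Those failures are
# worth a RULE_WARNING, failures of eg. -L or -F are not.
# Arguments are expanded on '~' so a tilde separated command line also works.
note_iptables_error() {
  local arg IFS

  IFS='~'  # expand command-line args using the unique 'tilde' character
  for arg in $*; do
    if [ "$arg" = "-A" -o "$arg" = "-I" ]; then
      return 0
    fi
  done

  return 1
}

# Translate an iptables ICMP command line into its ip6tables equivalent
# ("-p icmp" -> "-p icmpv6", "--icmp-type" -> "--icmpv6-type").
# Outputs the new command line as a single '~' separated string.
ip6tables_icmp_args() {
  local arg args="" action="" tilde="~" IFS

  IFS='~'  # expand command-line args using the unique 'tilde' character
  for arg in $*; do
    if [ "$action" = "p" ]; then
      if [ "$arg" = "icmp" ]; then
        arg="icmpv6"
      fi
      action=""
    else
      # parse option flags
      case $arg in
        --icmp-type) arg="--icmpv6-type" ;;
        -p|--proto)  action="p" ;;
      esac
    fi
    # build 'tilde' separated command-line
    # Note: use $tilde instead of ~ to workaround Busybox 'ash' bug
    args="$args${args:+$tilde}$arg"
  done

  # return 'tilde' separated command-line
  echo "$args"
}

# iptables front-end: dispatches a rule to ip4tables and/or ip6tables based on
# the address family of its -s/-d arguments, the table and the protocol.
# With IPV6_SUPPORT != 1 everything goes to ip4tables only.
iptables() {
  local arg action="" IFS
  local src=0 dst=0 table="" proto=""

  if [ "$IPV6_SUPPORT" = "1" ]; then
    IFS='~'  # expand command-line args using the unique 'tilde' character
    for arg in $*; do
      if [ -n "$action" ]; then
        case $action in
          s) get_numeric_ip_version "$arg"; src=$? ;;
          d) get_numeric_ip_version "$arg"; dst=$? ;;
          t) table="$arg" ;;
          p) proto="$arg" ;;
        esac
        action=""
      else
        # parse option flags
        case $arg in
          -s|--source)      action="s" ;;
          -d|--destination) action="d" ;;
          -t|--table)       action="t" ;;
          -p|--proto)       action="p" ;;
        esac
      fi
    done
    unset IFS

    #
    # Call ip4tables and/or ip6tables as appropriate
    #
    if [ $src -eq 4 -o $dst -eq 4 -o "$table" = "nat" ]; then
      ip4tables "$@"
    elif [ $src -eq 6 -o $dst -eq 6 -o "$proto" = "icmpv6" ]; then
      if [ "$proto" = "icmp" ]; then
        IFS='~'; set -- $(ip6tables_icmp_args "$@"); unset IFS
      fi
      ip6tables "$@"
    elif [ "$proto" = "icmp" ]; then
      ip4tables "$@"
      # Regenerate ip6tables command-line from the returned 'tilde' separated string
      IFS='~'; set -- $(ip6tables_icmp_args "$@"); unset IFS
      ip6tables "$@"
    else
      ip4tables "$@"
      ip6tables "$@"
    fi
  else
    #
    # Only call ip4tables since IPv6 filtering is disabled.
    #
    ip4tables "$@"
  fi
}

# Shared worker for ip4tables()/ip6tables(): run $1 (the binary) with the
# remaining args through trace(), report errors in red, raise RULE_WARNING
# when a rule add (-A/-I) failed and echo informational output.
# Returns the binary's exit status.
iptables_exec() {
  local bin="$1" result retval IFS=' '

  shift
  result=$(trace $bin "$@" 2>&1)
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red (data passed as printf arguments, never as format)
    printf "\033[40m\033[1;31m%s %s\nERROR (%s): %s\033[0m\n" "$bin" "$*" "$retval" "$result" >&2
    if note_iptables_error "$@"; then
      RULE_WARNING=1
    fi
  elif [ -n "$result" ]; then
    # Filter successful, informational results
    case "$result" in
      'WARNING: '*' match is obsolete'*) ;;
      *) echo "${INDENT}$result" ;;
    esac
  fi

  return $retval
}

# Run $IP4TABLES with error reporting (see iptables_exec)
ip4tables() {
  iptables_exec "$IP4TABLES" "$@"
}

# Run $IP6TABLES with error reporting (see iptables_exec)
ip6tables() {
  iptables_exec "$IP6TABLES" "$@"
}

# Shared worker for ip4tables_save()/ip6tables_save(): run $1 with the
# remaining args (output is left on stdout), report failure in red and raise
# RULE_WARNING. Returns the exit status.
iptables_save_exec() {
  local bin="$1" retval IFS=' '

  shift
  $bin "$@"
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m%s %s\nERROR (%s)\033[0m\n" "$bin" "$*" "$retval" >&2
    RULE_WARNING=1
  fi

  return $retval
}

# Shared worker for ip4tables_restore()/ip6tables_restore(): run $1 with the
# remaining args, report failure in red (raising RULE_WARNING) or echo its
# informational output. Returns the exit status.
iptables_restore_exec() {
  local bin="$1" result retval IFS=' '

  shift
  result=$($bin "$@" 2>&1)
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m%s %s\nERROR (%s): %s\033[0m\n" "$bin" "$*" "$retval" "$result" >&2
    RULE_WARNING=1
  elif [ -n "$result" ]; then
    echo "${INDENT}$result"
  fi

  return $retval
}

ip4tables_save() {
  iptables_save_exec "$IP4TABLES_SAVE" "$@"
}

ip4tables_restore() {
  iptables_restore_exec "$IP4TABLES_RESTORE" "$@"
}

ip6tables_save() {
  iptables_save_exec "$IP6TABLES_SAVE" "$@"
}

ip6tables_restore() {
  iptables_restore_exec "$IP6TABLES_RESTORE" "$@"
}

# Run ip4tables silently; only the exit status is of interest
try_ip4tables() {
  local IFS=' '

  trace $IP4TABLES "$@" >/dev/null 2>&1
}

# Run ip6tables silently; only the exit status is of interest
try_ip6tables() {
  local IFS=' '

  trace $IP6TABLES "$@" >/dev/null 2>&1
}

# Wrapper function for modprobe
# Returns modprobe's status when the kernel has module support, 0 otherwise.
# "Module not found" is tolerated (assumed compiled into the kernel).
###############################
modprobe() {
  local result retval IFS=' '

  # Module support available?
  if [ -e /proc/modules ]; then
    # Make sure environment variable is not set
    MODPROBE_OPTIONS=""

    # $@ intentionally unquoted (as it always was): arguments are word-split
    result=$(trace $MODPROBE $@ 2>&1)
    retval=$?

    if [ $retval -ne 0 ]; then
      if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module" -e "^ *$"; then
        # Show any (error) messages in red
        printf "\033[40m\033[1;31m%s %s\nERROR (%s): %s\033[0m\n" "$MODPROBE" "$*" "$retval" "$result" >&2
      elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
        printf "WARNING: Module \"%s\" failed to load. Assuming compiled-in-kernel.\n" "$1" >&2
      fi
      return $retval
    else
      if echo "$result" |grep -q -e '^WARNING:'; then
        # Show any (warning) messages in red
        printf "\033[40m\033[1;31m%s %s\nWARNING: %s\033[0m\n" "$MODPROBE" "$*" "$result" >&2
      else
        echo "${INDENT}Loaded kernel module $1. $result"
      fi
      return 0
    fi
  elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
    echo "${INDENT}NOTE: Kernel has no module support. Assuming compiled-in-kernel for module \"$1\""
  fi

  return 0
}

# Multi modprobe - Modprobe different modules until one succeeds, group modules with a comma
# Arguments: options (starting with '-') and module groups ("a,b" = try a then b)
# Returns 0 when one group loaded completely (or there is no module support),
# 1 when none did.
modprobe_multi() {
  local result retval OPTIONS="" MODULES="" IFS=' '

  # Split options and modules
  while [ -n "$1" ]; do
    case "$1" in
      -*) OPTIONS="$OPTIONS${OPTIONS:+ }$1" ;;
      *)  MODULES="${MODULES}${MODULES:+ }$1" ;;
    esac
    shift
  done

  # Module support available?
  if [ -e /proc/modules ]; then
    # Make sure environment variable is not set
    MODPROBE_OPTIONS=""

    local module modules fail modprobe_commandline

    IFS=' '
    for modules in $MODULES; do
      fail=0

      IFS=','
      for module in $modules; do
        modprobe_commandline="$MODPROBE"
        if [ -n "$OPTIONS" ]; then
          modprobe_commandline="$modprobe_commandline $OPTIONS"
        fi
        modprobe_commandline="$modprobe_commandline $module"

        IFS=' '
        result=$(trace $modprobe_commandline 2>&1)
        retval=$?

        if [ $retval -ne 0 ]; then
          if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module" -e "^ *$"; then
            # Show any (error) messages in red
            printf "\033[40m\033[1;31m%s\nERROR (%s): %s\033[0m\n" "$modprobe_commandline" "$retval" "$result" >&2
          fi
          fail=1
        else
          if echo "$result" |grep -q -e '^WARNING:'; then
            # Show any (warning) messages in red
            printf "\033[40m\033[1;31m%s\nWARNING: %s\033[0m\n" "$modprobe_commandline" "$result" >&2
          else
            echo "${INDENT}Loaded kernel module $module. $result"
          fi
        fi
      done

      if [ $fail -eq 0 ]; then
        return 0
      fi
    done

    if [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
      printf "WARNING: Modules \"%s\" failed to load. Assuming compiled-in-kernel.\n" "$(echo "$MODULES" |tr ' ' '|')" >&2
    fi
    # Nothing loaded: report failure regardless of whether the message is
    # enabled (the status used to depend on COMPILED_IN_KERNEL_MESSAGES)
    return 1
  elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
    echo "${INDENT}NOTE: Kernel has no module support. Assuming compiled-in-kernel for modules \"$(echo "$MODULES" |tr ' ' '|')\""
  fi

  return 0
}

# sysctl binary wrapper
# Runs $SYSCTL through trace(), shows errors in red, echoes other output.
#######################
sysctl() {
  local result retval IFS=' '

  result=$(trace $SYSCTL "$@" 2>&1)
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m%s %s\nERROR (%s): %s\033[0m\n" "$SYSCTL" "$*" "$retval" "$result" >&2
    return $retval
  fi

  if [ -n "$result" ]; then
    echo "${INDENT}$result"
  fi

  return 0
}

# Multi sysctl - Try sysctl-variables until one succeeds
# Arguments: options (starting with '-') and "key=value" candidates; the first
# key the kernel knows is set. Returns 0 on success, 1 when no key exists.
sysctl_multi() {
  local result retval variable sysctl_commandline OPTIONS="" VARIABLES="" IFS=' '

  while [ -n "$1" ]; do
    # Combine options and exit on first non-option
    case "$1" in
      -*) OPTIONS="${OPTIONS}${OPTIONS:+ }$1" ;;
      *)  VARIABLES="${VARIABLES}${VARIABLES:+ }$1" ;;
    esac
    shift
  done

  IFS=' '
  for variable in $VARIABLES; do
    # Probe the key (the part before '=') before trying to set it
    if $SYSCTL "${variable%%=*}" >/dev/null 2>&1; then
      sysctl_commandline="$SYSCTL"
      if [ -n "$OPTIONS" ]; then
        sysctl_commandline="$sysctl_commandline $OPTIONS"
      fi
      sysctl_commandline="$sysctl_commandline $variable"

      result=$(trace $sysctl_commandline 2>&1)
      retval=$?

      if [ $retval -eq 0 ]; then
        if [ -n "$result" ]; then
          echo "${INDENT}$result"
        fi
        return 0
      else
        # Show any (error) messages in red
        printf "\033[40m\033[1;31m%s\nERROR (%s): %s\033[0m\n" "$sysctl_commandline" "$retval" "$result" >&2
      fi
    fi
  done

  printf "\033[40m\033[1;31mERROR: Unable to find kernel parameters \"%s\"!\033[0m\n" "$(echo "$VARIABLES" |tr ' ' '|')" >&2
  return 1
}

# Set a value for sysctl wildcard interfaces (like "net.ipv4.conf.*.rp_filter")
# $1 = prefix (eg. net.ipv4.conf)
# $2 = variable (eg.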
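# rp_filter)
# $3 = value to set
# Applies to the "all", "default", "lo" entries and to every configured
# EXT_IF / INT_IF / DMZ_IF interface that the kernel exposes under $1.
sysctl_set_all() {
  local prefix="$1" variable="$2" value="$3"
  local interface line IFS

  IFS=$EOL
  for line in $($SYSCTL -a 2>/dev/null |cut -d' ' -f1 |grep "^${prefix}\..*\.${variable}$"); do
    IFS=' ,'
    for interface in all default lo $EXT_IF $INT_IF $DMZ_IF; do
      if [ "$line" = "$prefix.$interface.$variable" ]; then
        sysctl -w "$line=$value"
        break
      fi
    done
  done
}

# Does the kernel expose a sysctl key starting with $1?
sysctl_key() {
  $SYSCTL -a 2>/dev/null |grep -q "^$1"
}

# tc binary wrapper
###################
tc() {
  trace $TC "$@"
}

# ip binary wrapper
###################
ip() {
  trace $IP "$@"
}

# dig binary wrapper
# Resolves with $DIG (or $NSLOOKUP as fallback) and prints the first usable
# answer: an address, or a name when called with -x. Honours DNS_FAST_FAIL /
# DNS_FAST_FAIL_ONCE (short timeouts; the ONCE flag resets itself).
# Returns: 0 with a result on stdout, the resolver status when it failed,
#          9 when nothing was found / no resolver is available, 1 on bad args.
####################
dig() {
  local cnt=0 x=0 addr name line lines retval IFS

  if [ -n "$DIG" ]; then
    if [ "$DNS_FAST_FAIL" = "1" -o "$DNS_FAST_FAIL_ONCE" = "1" ]; then
      lines="$($DIG +short +tries=1 +time=1 "$@" 2>/dev/null)"
      retval=$?
      DNS_FAST_FAIL_ONCE=0
    else
      lines="$($DIG +short "$@" 2>/dev/null)"
      retval=$?
    fi
    # NOTE: a stray 'retval=$?' used to follow here and reset the resolver
    # status to 0 (the status of the if-block), so a failed lookup returned 0.

    while [ $# -gt 1 ]; do
      if [ "$1" = "-x" ]; then
        x=1
      fi
      shift
    done

    IFS=$EOL
    for line in $lines; do
      case "$line" in
        ';'*|'') addr=""; name="" ;;
        *'.')    addr=""; name="$line" ;;
        *)       addr="$line"; name="" ;;
      esac

      if [ -n "$addr" -a "$x" = 0 ]; then
        echo "$addr"
        return 0
      elif [ -n "$name" -a "$x" = 1 ]; then
        echo "$name"
        return 0
      fi
    done
    return $retval
  elif [ -n "$NSLOOKUP" ]; then
    while [ $# -gt 1 ]; do
      if [ "$1" = "-x" ]; then
        x=1
      fi
      shift
    done

    if [ -n "$1" ]; then
      if [ "$DNS_FAST_FAIL" = "1" -o "$DNS_FAST_FAIL_ONCE" = "1" ]; then
        lines="$($NSLOOKUP -retry=1 -timeout=1 "$1" 2>/dev/null)"
        DNS_FAST_FAIL_ONCE=0
      else
        lines="$($NSLOOKUP "$1" 2>/dev/null)"
      fi

      IFS=$EOL
      for line in $lines; do
        cnt=$((cnt + 1))
        # The first two lines describe the server, not the answer
        if [ $cnt -gt 2 ]; then
          case "$line" in
            Address*)
              addr="$(echo "$line" |sed -n -r -e 's/^Address.*: *([0-9.]{7,}).*$/\1/p')"
              name="$(echo "$line" |sed -e 's/^.* //')"
              ;;
            *'canonical name = '*)
              addr=""; name=""
              ;;
            *'name = '*)
              addr="$1"
              name="$(echo "$line" |sed -e 's/^.*name = *//' -e 's/ .*$//')"
              ;;
            *)
              addr=""; name=""
              ;;
          esac

          if [ -n "$addr" -a "$x" = 0 ]; then
            echo "$addr"
            return 0
          elif [ -n "$name" -a "$x" = 1 ]; then
            echo "$name"
            return 0
          fi
        fi
      done
      return 9
    fi
    return 1
  else
    return 9
  fi
}

# Helper function to expand out wildcards in interface name list
# "eth+" expands to every interface named eth<digits> known to $IP.
# Outputs the space separated list; unmatched wildcards are reported on stderr.
wildcard_ifs() {
  local expnd if0 if1

  expnd=""
  local IFS=', '
  for if0 in $*; do
    if1="$if0"
    case $if1 in
      *+)
        if1="${if1%+}"
        # The prefix is handed to awk as a variable (-v), not spliced into
        # the program text, so it can not alter the awk code itself.
        if1="$($IP link | awk -v pfx="$if1" '$2 ~ (pfx "[0-9]+:") { print substr($2, 1, length($2)-1); }' | tr '\n' ' ')"
        if [ -z "$if1" ]; then
          echo "wildcard: $if0 unmatched!" >&2
          continue
        fi
        ;;
    esac
    expnd="$expnd${expnd:+ }$if1"
  done

  echo "$expnd"
}

# Split a rule string into its parts according to a parse type.
# $1 = rule, $2 = name of the variable it came from (for warnings), $3 = type
# Results are left in the globals interfaces, srcips, destips, hosts, shosts,
# dhosts, ports, protos, dhost, dhost_dport (depending on $3).
# Returns 0 when the rule is usable, 1 (after a warning) when it is not.
parse_rule() {
  local rule="$1" var="$2" type="$3" left_rule right_rule

  case $type in
    hosts-ports|hosts-protos)
      hosts=$(get_hosts_ihp "$rule")
      ports=$(get_ports_ihp "$rule")
      if [ -z "$hosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    hosts:ANYHOST-ports:ANYPORT|hosts:ANYHOST-protos)
      hosts=$(get_hosts_ihp "$rule" "$ANYHOST")
      if [ "$type" = "hosts:ANYHOST-ports:ANYPORT" ]; then
        ports=$(get_ports_ihp "$rule" "$ANYPORT")
      else
        ports=$(get_ports_ihp "$rule")
      fi
      if [ -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-ports|interfaces-protos)
      interfaces=$(get_ifs "$rule")
      ports=$(get_ports_ip "$rule")
      if [ -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-srcips-ports|interfaces-srcips-protos)
      interfaces=$(get_ifs "$rule")
      srcips=$(get_ips "$rule")
      ports=$(get_ports_ip "$rule")
      if [ -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-srcips-hosts)
      interfaces=$(get_ifs "$rule")
      srcips=$(get_ips "$rule")
      hosts=$(get_hosts_ih "$rule")
      if [ -z "$hosts" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      ;;
    interfaces-srcips-hosts-ports|interfaces-srcips-hosts-protos)
      interfaces=$(get_ifs "$rule")
      srcips=$(get_ips "$rule")
      hosts=$(get_hosts_ihp "$rule")
      ports=$(get_ports_ihp "$rule")
      if [ -z "$hosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-destips-ports|interfaces-destips-protos)
      interfaces=$(get_ifs "$rule")
      destips=$(get_ips "$rule")
      ports=$(get_ports_ip "$rule")
      if [ -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-destips-hosts)
      interfaces=$(get_ifs "$rule")
      destips=$(get_ips "$rule")
      hosts=$(get_hosts_ih "$rule")
      if [ -z "$hosts" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      ;;
    interfaces-destips-hosts-ports|interfaces-destips-hosts-protos)
      interfaces=$(get_ifs "$rule")
      destips=$(get_ips "$rule")
      hosts=$(get_hosts_ihp "$rule")
      ports=$(get_ports_ihp "$rule")
      if [ -z "$hosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    shosts:ANYHOST-dhosts-ports:ANYPORT|shosts:ANYHOST-dhosts-protos)
      left_rule=$(echo "$rule" |cut -s -d'>' -f1)
      right_rule=$(echo "$rule" |cut -s -d'>' -f2)
      shosts=$(get_hosts_ih "$left_rule" "$ANYHOST")
      dhosts=$(get_hosts_hp "$right_rule")
      if [ "$type" = "shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then
        ports=$(get_ports_hp "$right_rule" "$ANYPORT")
      else
        ports=$(get_ports_hp "$right_rule")
      fi
      if [ -z "$dhosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT|interfaces-shosts:ANYHOST-dhosts-protos)
      left_rule=$(echo "$rule" |cut -s -d'>' -f1)
      right_rule=$(echo "$rule" |cut -s -d'>' -f2)
      interfaces=$(get_ifs "$left_rule")
      shosts=$(get_hosts_ih "$left_rule" "$ANYHOST")
      dhosts=$(get_hosts_hp "$right_rule")
      if [ "$type" = "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then
        ports=$(get_ports_hp "$right_rule" "$ANYPORT")
      else
        ports=$(get_ports_hp "$right_rule")
      fi
      if [ -z "$dhosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces-shosts-dhosts-ports:ANYPORT|interfaces-shosts-dhosts-protos)
      left_rule=$(echo "$rule" |cut -s -d'>' -f1)
      right_rule=$(echo "$rule" |cut -s -d'>' -f2)
      interfaces=$(get_ifs "$left_rule")
      shosts=$(get_hosts_ih "$left_rule")
      dhosts=$(get_hosts_hp "$right_rule")
      if [ "$type" = "interfaces-shosts-dhosts-ports:ANYPORT" ]; then
        ports=$(get_ports_hp "$right_rule" "$ANYPORT")
      else
        ports=$(get_ports_hp "$right_rule")
      fi
      if [ -z "$shosts" -o -z "$dhosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT|interfaces:EXT_IF-shosts-dhosts-protos)
      left_rule=$(echo "$rule" |cut -s -d'>' -f1)
      right_rule=$(echo "$rule" |cut -s -d'>' -f2)
      interfaces=$(get_ifs "$left_rule" "$EXT_IF")
      shosts=$(get_hosts_ih "$left_rule")
      dhosts=$(get_hosts_hp "$right_rule")
      if [ "$type" = "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT" ]; then
        ports=$(get_ports_hp "$right_rule" "$ANYPORT")
      else
        ports=$(get_ports_hp "$right_rule")
      fi
      if [ -z "$shosts" -o -z "$dhosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      ;;
    interfaces:EXT_IF-destips-shosts-ports-dhost_dport|interfaces:EXT_IF-destips-shosts-protos-dhost)
      left_rule=$(echo "$rule" |cut -s -d'>' -f1)
      right_rule=$(echo "$rule" |cut -s -d'>' -f2)
      interfaces=$(get_ifs "$left_rule" "$EXT_IF")
      destips=$(get_ips "$left_rule")
      # Check for separator(SEP)
      case "$left_rule" in
        *"$SEP"*)
          shosts=$(get_hosts_ihp "$left_rule")
          ports=$(get_ports_ihp "$left_rule")
          ;;
        *)
          # Assume ports/protos only if no separator
          shosts="$ANYHOST"
          ports=$(get_ports_ip "$left_rule")
          ;;
      esac
      dhost_dport="$right_rule"
      if [ -z "$shosts" -o -z "$ports" ]; then
        parse_rule_warning "$rule"
        return 1
      fi
      protos="$ports"
      dhost="$dhost_dport"
      ;;
    *)
      echo "** ERROR: Invalid rule parse type! **" >&2
      return 1
      ;;
  esac

  return 0
}

# Report an unusable rule and raise RULE_WARNING.
# $var is the caller's (parse_rule's) local, visible here through the shell's
# dynamic scoping of 'local'.
parse_rule_warning() {
  local rule="$1"

  RULE_WARNING=1
  echo "** WARNING: In Variable $var, Rule: \"$rule\" is ignored." >&2
}

# Helper function to get interface(s) from variable
# Takes the part before SEP2, keeps the words that are not IPs, joins them
# with ','. Prints $2 (or "+") and returns 1 when there are none.
get_ifs() {
  local result=""

  case "$1" in
    *"$SEP2"*)
      result=$(echo "$1" |cut -s -d"$SEP2" -f1 |grep -v -e '\.' -e "$ANYHOST" |tr ' ' ',')
      ;;
  esac

  if [ -n "$result" ]; then
    echo "$result"
    return 0
  fi

  echo "${2:-+}"
  return 1
}

# Helper function to get source/destination IP(s) from variable
# Takes the part before SEP2, keeps the words that look like IPs, joins them
# with ','. Prints $2 (or ANYHOST) and returns 1 when there are none.
get_ips() {
  local result=""

  case "$1" in
    *"$SEP2"*)
      result=$(echo "$1" |cut -s -d"$SEP2" -f1 |grep -e '\.' -e "$ANYHOST" |tr ' ' ',')
      ;;
  esac

  if [ -n "$result" ]; then
    echo "$result"
    return 0
  fi

  echo "${2:-$ANYHOST}"
  return 1
}

# Helper function to get hostname(s) from variable (ifs|ips#hosts)
# Prints the text after the last SEP2 (the whole string when there is none);
# prints $2 and returns 1 when that is empty.
get_hosts_ih() {
  local result="${1##*"$SEP2"}"

  if [ -n "$result" ]; then
    echo "$result"
    return 0
  fi

  echo "$2"
  return 1
}

# Helper function to get hostname(s) from variable (ifs|ips#hosts~ports|protos)
# Prints the text between the last SEP2 and the first SEP; without a SEP
# there are no hosts, so $2 is printed and 1 returned.
get_hosts_ihp() {
  local result="${1##*"$SEP2"}"

  case "$result" in
    *"$SEP"*) result="${result%%"$SEP"*}" ;;
    *)        result="" ;;
  esac

  if [ -n "$result" ]; then
    echo "$result"
    return 0
  fi

  echo "$2"
  return 1
}

# Helper function to get port(s) from variable (ifs|ips#hosts~ports|protos)
# "lo-hi" port ranges are rewritten to iptables' "lo:hi" form.
get_ports_ihp() {
  local result="${1##*"$SEP2"}" ports

  case "$result" in
    *"$SEP"*)
      # The field after the first SEP holds the ports
      ports="${result#*"$SEP"}"
      ports="${ports%%"$SEP"*}"
      echo "$ports" |tr '-' ':'
      return 0
      ;;
  esac

  if [ -n "$2" ]; then
    # Use default, if specified
    echo "$2"
    return 1
  fi

  # When we have no separator, assume port(s) only and no host(s)
  echo "$result" |tr '-' ':'
  return 0
}

# Helper function to get hostname(s) from variable (hosts~ports|protos)
get_hosts_hp() {
  local result="${1##*"$SEP2"}"

  case "$result" in
    *"$SEP"*)
      echo "${result%%"$SEP"*}"
      return 0
      ;;
  esac

  if [ -n "$2" ]; then
    # Use default, if specified
    echo "$2"
    return 1
  fi

  # When we have no separator, assume host(s) only and no port(s)
  echo "$result"
  return 0
}

# Helper function to get port(s) from variable (hosts~ports|protos)
# Prints $2 and returns 1 when there is no SEP (and thus no ports part).
get_ports_hp() {
  local result="${1##*"$SEP2"}" ports

  case "$result" in
    *"$SEP"*)
      ports="${result#*"$SEP"}"
      ports="${ports%%"$SEP"*}"
      echo "$ports" |tr '-' ':'
      return 0
      ;;
  esac

  echo "$2"
  return 1
}

# Helper function to get port(s) from variable (ifs|ips#ports|protos)
get_ports_ip() {
  local result="${1##*"$SEP2"}"

  if [ -n "$result" ]; then
    echo "$result" |tr '-' ':'
    return 0
  fi

  echo "$2"
  return 1
}

# Classify $1 by its textual shape.
# Returns 4 for a dotted IPv4 address/network, 6 for anything containing ':',
# 0 for "0/0" and for everything else (eg. a DNS name).
get_numeric_ip_version() {
  case $1 in
    0/0) ;;
    [0-9][0-9.][0-9.][0-9.][0-9.]*.*[0-9]) return 4 ;;
    [0-9]*.*/*[0-9]|[0-9]/*[0-9]|[1-9][0-9]/*[0-9]|[12][0-9][0-9]/*[0-9]) return 4 ;;
    *:*) return 6 ;;
  esac

  return 0
}

# Is argument IPv4 numeric?
is_numeric_ipv4() {
  get_numeric_ip_version "$1"
  if [ $? -eq 4 ]; then
    return 0
  fi
  return 1
}

# Is argument IPv6 numeric?
is_numeric_ipv6() {
  get_numeric_ip_version "$1"
  if [ $? -eq 6 ]; then
    return 0
  fi
  return 1
}

# Is argument a (numeric) IP?
is_numeric_ip() {
  get_numeric_ip_version "$1"
  if [ $? -eq 0 ]; then
    return 1
  fi
  return 0
}

# Helper function to resolve an IP to a DNS name
# $1 = IP. $2 (optional) = Additional arguments for dig. stdout = DNS name
# A name is echoed back unchanged; a network (with '/') is refused (1).
gethostbyaddr() {
  local host="$1" result retval=0

  # We can't resolve addresses with a subnet mask
  case "$host" in
    */*) return 1 ;;
  esac

  # Don't try to resolve DNS names:
  if ! is_numeric_ip "$host"; then
    # It's a DNS name already, so just return it
    echo "$host"
    return 0
  fi

  shift
  result="$(dig -x "$@" "$host")"
  retval=$?

  if [ $retval -eq 0 ]; then
    if [ -n "$result" ]; then
      echo "$result"
      return 0
    fi
    return 1
  fi

  return $retval
}

# Helper function to resolve a DNS name to an IP
# $1 = Hostname. $2 (optional) = Additional arguments for dig. stdout = IP
# A numeric IP is echoed back unchanged.
gethostbyname() {
  local host="$1" result retval=0

  # Don't try to resolve IPs:
  if is_numeric_ip "$host"; then
    # It's an IP already, so just return it
    echo "$host"
    return 0
  fi

  shift
  result="$(dig "$@" "$host")"
  retval=$?

  if [ $retval -eq 0 ]; then
    if [ -n "$result" ]; then
      echo "$result"
      return 0
    fi
    return 1
  fi

  return $retval
}

# Helper function to show interfaces / ips in front of verbose line
# $1 = interfaces.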
$2 = ips show_if_ip() { # Only show interfaces if not empty: if [ -n "$1" -a "$1" != "+" ]; then printf "($1) " fi # Only show destination IPs if not empty: if [ -n "$2" -a "$2" != "$ANYHOST" ]; then printf "($2) " fi } # Helper function to show hosts:ports # $1 = host. $2 = ports show_hosts_ports() { # Only show interfaces if not empty: if [ -n "$1" ]; then printf "$1:$2" else printf "$2" fi } # Helper function to translate host ranges from variable ip_range() { local FIRST IFS=' ' # Return the args if there is no '-' for improved execution speed case "$@" in *-*) ;; *) echo "$@"; return;; esac FIRST=1 IFS=',' # Get variable from commandline for item in $*; do # Check whether an IP range was specified (only works like w.x.y.z1-z2!): start="$(echo "$item" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }' |grep -e '[0-9]')" host_base="$(echo "$item" |cut -s -d'-' -f1 |awk -F'.' '{ for (i=1; i> "$CHAINFILE" elif [ "$1" = "init" ]; then rm -f "$CHAINFILE" elif [ "$1" = "apply" ]; then sed -i "/^-A $CHAIN / r $CHAINFILE" "$IP4TABLES_BATCH_FILE" ip4tables_restore < "$IP4TABLES_BATCH_FILE" RESULT=$? rm -f "$CHAINFILE" else RESULT=1 fi else if [ "$1" = "start" ]; then ip4tables_save -t filter > "$IP4TABLES_BATCH_FILE" RESULT=$? elif [ "$1" = "stop" ]; then rm -f "$IP4TABLES_BATCH_FILE" else RESULT=1 fi fi return $RESULT } # Add ip6tables rules in batch using ip6tables-save and ip6tables-restore ip6tables_batch() { local ARGS CHAIN CHAINFILE RESULT=0 IFS=' ' # Args must be of the form and called in this order: # start # init CHAIN # -A CHAIN ... # apply CHAIN # stop # # Note: the added rules will be placed after a required # pre-existing rule in CHAIN. 
# ARGS="$@" CHAIN="$2" if [ "$DISABLE_IPTABLES_BATCH" = "1" ]; then if [ "$1" = "-A" ]; then ip6tables "$@" fi return fi if [ -n "$CHAIN" ]; then CHAINFILE="$IP6TABLES_BATCH_FILE"_"$CHAIN" if [ "$1" = "-A" ]; then echo "$ARGS" >> "$CHAINFILE" elif [ "$1" = "init" ]; then rm -f "$CHAINFILE" elif [ "$1" = "apply" ]; then sed -i "/^-A $CHAIN / r $CHAINFILE" "$IP6TABLES_BATCH_FILE" ip6tables_restore < "$IP6TABLES_BATCH_FILE" RESULT=$? rm -f "$CHAINFILE" else RESULT=1 fi else if [ "$1" = "start" ]; then ip6tables_save -t filter > "$IP6TABLES_BATCH_FILE" RESULT=$? elif [ "$1" = "stop" ]; then rm -f "$IP6TABLES_BATCH_FILE" else RESULT=1 fi fi return $RESULT } # Display progress bar, 0% to 100% in 2% increments progress_bar() { # Args: cur_cnt total_cnt local prev if [ $2 -gt 0 ]; then if [ $1 -eq 0 ]; then progress_percent=0 printf " 0%%" else cur=$(($1 / $2)) if [ $progress_percent -lt $cur ]; then prev=$progress_percent while [ $prev -le $cur ]; do if [ $progress_percent -lt $prev ]; then progress_percent=$prev if [ $(($progress_percent % 20)) -eq 0 ]; then printf "$progress_percent%%" else printf "." fi fi prev=$(($prev + 2)) done fi fi fi } # Check existance of an interface check_interface() { local interface IFS=' ' local interfaces="$(ip -o link show | cut -d':' -f2)" unset IFS for interface in $interfaces; do case "$1" in # Wildcard interface? 
*+) if [ "${1%+}" = "${interface%%[0-9]*}" ]; then return 0 fi ;; *) if [ "${1}" = "${interface%@*}" ]; then return 0 fi ;; esac done # Interface not found return 1 } # Get IP address/mask of specified network interface get_network_ipv4_address_mask() { ip -o addr show dev "$1" 2>/dev/null \ |awk '$3 == "inet" { print $4; exit; }' } # Get IP address of the specified network interface get_network_ipv4_address() { get_network_ipv4_address_mask "$1" |cut -f1 -d'/' } # Get netmask of the specified network interface get_network_ipv4_mask() { get_network_ipv4_address_mask "$1" |cut -f2 -d'/' } # Get broadcast address of the specified network interface get_network_ipv4_broadcast() { ip -o addr show dev "$1" 2>/dev/null \ |awk '$3 == "inet" && $5 == "brd" { print $6; exit; }' } # Get IPv6 address/mask of specified network interface get_network_ipv6_address_mask() { ip -o addr show dev "$1" 2>/dev/null \ |awk '$3 == "inet6" { print $4; exit; }' } # Get IPv6 address of the specified network interface get_network_ipv6_address() { get_network_ipv6_address_mask "$1" |cut -f1 -d'/' } # Get IPv6 netmask of the specified network interface get_network_ipv6_mask() { get_network_ipv6_address_mask "$1" |cut -f2 -d'/' } ################################# Main #################################### # Set base file for iptables_batch IP4TABLES_BATCH_FILE="/var/tmp/aif_ip4tables_batch" IP6TABLES_BATCH_FILE="/var/tmp/aif_ip6tables_batch" # Set file to store which plugins are loaded PLUGIN_LOAD_FILE="/var/tmp/aif_active_plugins" PLUGIN_LOAD_FILE_RESTART="/var/tmp/aif_active_plugins_restart" # Host cache: filled by the DynDNS-plugin and used compatible plugins HOST_CACHE_FILE="/var/tmp/aif_host_cache" # Check whether we also need to drop messages in a dedicated firewall log file if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null" fi # Check for a local/global config file ###################################### if [ -e "$LOCAL_CONFIG_FILE" ]; then . 
"$LOCAL_CONFIG_FILE" fi # Source config directory (conf.d) ################################## if [ -z "$LOCAL_CONFIG_DIR" ]; then LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d" fi if [ -d "$LOCAL_CONFIG_DIR" ] && ls "$LOCAL_CONFIG_DIR"/*.conf >/dev/null 2>&1; then unset IFS for conf_file in "$LOCAL_CONFIG_DIR/"*.conf; do . "$conf_file" done fi # if $LOGLEVEL is not set, default to "info" ############################################ if [ -z "$LOGLEVEL" ]; then LOGLEVEL="info" fi # Detect all binaries ##################### if [ -z "$IP6TABLES" ]; then IP6TABLES="$(find_command /sbin/ip6tables)" fi if [ -n "$IP6TABLES" ]; then IP6TABLES_SAVE="$(find_command "$IP6TABLES"-save)" IP6TABLES_RESTORE="$(find_command "$IP6TABLES"-restore)" fi if [ -z "$IP4TABLES" ]; then IP4TABLES="$(find_command /sbin/iptables)" fi if [ -n "$IP4TABLES" ]; then IP4TABLES_SAVE="$(find_command "$IP4TABLES"-save)" IP4TABLES_RESTORE="$(find_command "$IP4TABLES"-restore)" fi IP="$(find_command /sbin/ip)" TC="$(find_command /sbin/tc)" SYSCTL="$(find_command /sbin/sysctl)" MODPROBE="$(find_command /sbin/modprobe)" DIG="$(find_command /usr/bin/dig)" if [ -z "$DIG" ]; then NSLOOKUP="$(find_command /usr/bin/nslookup)" fi # Setup IPv6 detected environment variable if sysctl_key net.ipv6.conf; then IPV6_DETECTED=1 else IPV6_DETECTED=0 IPV6_SUPPORT=0 fi # check for tracing ################### if [ "$TRACE" = "1" ]; then TRACEFILE="/tmp/aif-trace.`date '+%Y%m%d-%H:%M:%S'`" cp /dev/null $TRACEFILE DISABLE_IPTABLES_BATCH=1 fi # Default NAT_INTERNAL_NET to INTERNAL_NET, if not specified ############################################################ if [ -z "$NAT_INTERNAL_NET" ]; then NAT_INTERNAL_NET="$INTERNAL_NET" fi # IPv6 ICMPv6 types that are allowed, not including echo-request (128) ###################################################################### ICMPV6_SPECIAL_TYPES="133 134 135 136" # Check plugin bin path and fallback in case it's empty 
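#######################################################
if [ -z "$PLUGIN_BIN_PATH" ]; then
  if [ -d "/usr/local/share/arno-iptables-firewall/plugins" ]; then
    PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
  elif [ -d "/usr/share/arno-iptables-firewall/plugins" ]; then
    PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
  fi
fi

# Check plugin conf path and fallback in case it's empty
#######################################################
if [ -z "$PLUGIN_CONF_PATH" ]; then
  if [ -d "/etc/arno-iptables-firewall/plugins" ]; then
    PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/0000755000000000000000000000000012055611116024125 5ustar rootrootarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/traffic-accounting-show0000755000000000000000000000327312055611115030603 0ustar rootroot
#!/bin/sh
# traffic-accounting-show: print the per-host byte counters collected in the
# traffic-accounting log, largest first, followed by the totals.
# Usage: traffic-accounting-show [logfile]
#        (default logfile: /var/log/traffic-accounting.log)
# Log line format, as read below and as written by the log rotation:
#   <hostname> <ip> <bytes_in> <bytes_out>

TOTAL_IN=0
TOTAL_OUT=0
EOL='
'

# Return 0 when $1 is a non-empty string of decimal digits, 1 otherwise.
# Log fields are used inside $(( )) and test -lt below, so anything that is
# not a plain number (a truncated or hand-edited log line) must be rejected
# before it gets there instead of being evaluated.
is_unsigned_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Print byte count $1 in a human-readable unit (Bytes, KiB, MiB or GiB).
# Thresholds are decimal (10000, 10^7, 10^10) while the divisors are binary,
# which matches the original output of this tool.
# A non-numeric argument prints "? Bytes" and returns 1.
show_human_size() {
  if ! is_unsigned_int "$1"; then
    echo "? Bytes"
    return 1
  fi
  if [ "$1" -lt 10000 ]; then
    echo "$1 Bytes"
    return 0
  fi
  if [ "$1" -lt 10000000 ]; then
    echo "$(($1 / 1024)) KiB"
    return 0
  fi
  if [ "$1" -lt 10000000000 ]; then
    echo "$(($1 / (1024*1024))) MiB"
    return 0
  fi
  echo "$(($1 / (1024*1024*1024))) GiB"
  return 0
}

# Print the per-host table for log column $1 (3 = bytes in, 4 = bytes out),
# sorted descending, and leave the column's sum in SECTION_TOTAL.
# Reads LOG_FILE. Lines whose size field is not a plain number are reported
# on stderr and skipped.
show_section() {
  col="$1"
  SECTION_TOTAL=0

  # Split the sort output on newlines only, so each LINE is a whole log line
  IFS=$EOL
  for LINE in $(sort -n --key="$col" --reverse "$LOG_FILE"); do
    # Now split the line itself into its space separated fields
    IFS=' '
    set -- $LINE
    hostname="$1"
    ip="$2"
    if [ "$col" = "3" ]; then
      size="$3"
    else
      size="$4"
    fi

    if ! is_unsigned_int "$size"; then
      echo "WARNING: Ignoring malformed log line: $LINE" >&2
      continue
    fi

    if [ "$hostname" = "0/0" ]; then
      hostname="Other traffic"
    elif [ "$hostname" = "0.0.0.0/0" ]; then
      hostname="Other IPv4 traffic"
    elif [ "$hostname" = "::/0" ]; then
      hostname="Other IPv6 traffic"
    fi

    echo "$hostname ($ip): $(show_human_size "$size")"
    SECTION_TOTAL=$(($SECTION_TOTAL + $size))
  done
  unset IFS
}

# Program entry point
if [ -n "$1" ]; then
  LOG_FILE="$1"
else
  LOG_FILE="/var/log/traffic-accounting.log"
fi

echo "Bytes input:"
echo "-------------"
show_section 3
TOTAL_IN="$SECTION_TOTAL"

echo ""
echo "Total input traffic: $(show_human_size $TOTAL_IN)"
echo ""

echo "Bytes output:"
echo "-------------"
show_section 4
TOTAL_OUT="$SECTION_TOTAL"

echo ""
echo "Total output traffic: $(show_human_size $TOTAL_OUT)"
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50pptp-vpn.plugin0000644000000000000000000001554012055611115027302 0ustar rootroot
# ------------------------------------------------------------------------------
#              -= Arno's iptables firewall - PPTP VPN plugin =-
#
PLUGIN_NAME="PPTP VPN plugin"
PLUGIN_VERSION="1.00 BETA"
PLUGIN_CONF_FILE="pptp-vpn.conf"
#
# Last changed          : February 21, 2011
# Requirements          : AIF 2.0.0+
# Comments              : This plugin adds all required rules for using a PPTP Server.
#
# Author                : (C) Copyright 2011 by Lonnie Abelbeck & Arno van Amersfoort
# Homepage              : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.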
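#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
# Builds the PPTP_VPN_INPUT / PPTP_VPN_FORWARD_IN / PPTP_VPN_FORWARD_OUT chains
# from PPTP_VPN_ALLOW_HOSTS and PPTP_VPN_DENY_HOSTS (default: accept), hooks
# them into INPUT, FORWARD and SPOOF_CHK for every net in PPTP_VPN_NETS, and
# opens GRE plus TCP/1723 on EXT_INPUT_CHAIN for PPTP_VPN_TUNNEL_HOSTS.
# Reads: EXT_IF, INDENT, LOGLEVEL, PLUGIN_NAME and the PPTP_VPN_* config vars.
# Returns 0. Also returns 0 (with the chains created but empty) when EXT_IF
# contains the wildcard 'ppp+', because the VPN links and the uplink could
# not be told apart.
plugin_start() {
  local host net eif ppp_ifs="" IFS

  iptables -N PPTP_VPN_INPUT 2>/dev/null
  iptables -F PPTP_VPN_INPUT
  iptables -N PPTP_VPN_FORWARD_IN 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_IN
  iptables -N PPTP_VPN_FORWARD_OUT 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_OUT

  # Collect external ppp interfaces: the VPN rules below match on 'ppp+', so
  # an external pppN uplink must be excluded from them explicitly.
  IFS=' ,'
  for eif in $EXT_IF; do
    case $eif in
      ppp+)
        echo "${INDENT}ERROR: Cannot distinguish between external and PPTP-VPN 'ppp+' interfaces."
        echo "${INDENT} ${PLUGIN_NAME} functionally is disabled."
        return 0
        ;;
      ppp[0-9]*)
        ppp_ifs="$ppp_ifs${ppp_ifs:+ }$eif"
        ;;
    esac
  done

  # Setup PPTP VPN rules
  if [ -n "$ppp_ifs" ]; then
    echo "${INDENT}Excluding external interfaces '$ppp_ifs' from PPTP VPN"
    IFS=' ,'
    for eif in $ppp_ifs; do
      iptables -A PPTP_VPN_INPUT -i "$eif" -j RETURN
      iptables -A PPTP_VPN_FORWARD_IN -i "$eif" -j RETURN
      iptables -A PPTP_VPN_FORWARD_OUT -o "$eif" -j RETURN
    done
  fi

  if [ -n "$PPTP_VPN_ALLOW_HOSTS" ]; then
    echo "${INDENT}Allowing PPTP VPN packets to hosts: $PPTP_VPN_ALLOW_HOSTS"
    IFS=' ,'
    for host in $PPTP_VPN_ALLOW_HOSTS; do
      iptables -A PPTP_VPN_INPUT -d "$host" -j ACCEPT
      iptables -A PPTP_VPN_FORWARD_IN -d "$host" -j ACCEPT
      iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -j ACCEPT
    done
  fi

  if [ -n "$PPTP_VPN_DENY_HOSTS" ]; then
    echo "${INDENT}Denying PPTP VPN packets to hosts: $PPTP_VPN_DENY_HOSTS"
    IFS=' ,'
    for host in $PPTP_VPN_DENY_HOSTS; do
      if [ "$PPTP_VPN_DENY_LOG" = "1" ]; then
        # Rate limited (3/min) so a denied client cannot flood the log
        iptables -A PPTP_VPN_INPUT -d "$host" -m limit --limit 3/m -j LOG \
          --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
        iptables -A PPTP_VPN_FORWARD_IN -d "$host" -m limit --limit 3/m -j LOG \
          --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
        iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -m limit --limit 3/m -j LOG \
          --log-level "$LOGLEVEL" --log-prefix "AIF:PPTP-VPN denied: "
      fi
      iptables -A PPTP_VPN_INPUT -d "$host" -j DROP
      iptables -A PPTP_VPN_FORWARD_IN -d "$host" -j DROP
      iptables -A PPTP_VPN_FORWARD_OUT -s "$host" -j DROP
    done
  fi

  # Default policy, allow all the rest
  iptables -A PPTP_VPN_INPUT -j ACCEPT
  iptables -A PPTP_VPN_FORWARD_IN -j ACCEPT
  iptables -A PPTP_VPN_FORWARD_OUT -j ACCEPT

  # Filter ppp+ traffic related to the PPTP VPN
  if [ -n "$PPTP_VPN_NETS" ]; then
    echo "${INDENT}Applying rules for PPTP VPN nets $PPTP_VPN_NETS"
    IFS=' ,'
    for net in $PPTP_VPN_NETS; do
      # Adjust spoof check: VPN client addresses arriving on ppp+ are legitimate
      iptables -I SPOOF_CHK -i ppp+ -s "$net" -j RETURN

      # Insert rule in the INPUT chain
      iptables -A INPUT -i ppp+ -s "$net" -j PPTP_VPN_INPUT

      # Insert rules in the FORWARD chain
      iptables -A FORWARD -i ppp+ -s "$net" -j PPTP_VPN_FORWARD_IN
      iptables -A FORWARD -o ppp+ -d "$net" -j PPTP_VPN_FORWARD_OUT
    done
  fi

  # This is the plugin's internet-facing exposure: every entry of
  # PPTP_VPN_TUNNEL_HOSTS (after ip_range expansion) is passed to 'iptables -s'
  # as-is, so a match-everything entry opens GRE and TCP/1723 to all of the
  # internet. Keep the list as narrow as the clients allow.
  echo "${INDENT}Allowing internet hosts $PPTP_VPN_TUNNEL_HOSTS to access the PPTP VPN service"
  IFS=' ,'
  for host in $(ip_range "$PPTP_VPN_TUNNEL_HOSTS"); do
    iptables -A EXT_INPUT_CHAIN -p gre -s "$host" -j ACCEPT
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 1723 -s "$host" -j ACCEPT
  done

  return 0
}

# Plugin restart function
# Returns 0.
plugin_restart() {
  # Skip plugin_stop on a restart
  plugin_start

  return 0
}

# Plugin stop function
# Flushes and deletes the three PPTP_VPN_* chains. The jumps from INPUT,
# FORWARD, SPOOF_CHK and EXT_INPUT_CHAIN added by plugin_start are not removed
# here (presumably those chains are flushed by the main script on stop).
# Returns 0.
plugin_stop() {
  iptables -F PPTP_VPN_INPUT
  iptables -X PPTP_VPN_INPUT 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_IN
  iptables -X PPTP_VPN_FORWARD_IN 2>/dev/null
  iptables -F PPTP_VPN_FORWARD_OUT
  iptables -X PPTP_VPN_FORWARD_OUT 2>/dev/null

  return 0
}

# Plugin status function
# Returns 0; nothing is reported.
plugin_status() {
  return 0
}

# Check sanity of eg. environment
# Only PPTP_VPN_TUNNEL_HOSTS is mandatory; the other PPTP_VPN_* variables are
# optional and plugin_start skips whatever is empty.
# Returns 0 when ok, 1 (with an error on stderr) otherwise.
plugin_sanity_check() {
  # Sanity check
  if [ -z "$PPTP_VPN_TUNNEL_HOSTS" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or when a previously loaded plugin is being stopped or
  # queried (PLUGIN_LOAD_FILE set)
  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/traffic-accounting-log-rotate0000755000000000000000000000103312055611115031670 0ustar rootroot
#!/bin/sh
# traffic-accounting-log-rotate: shift the accounting log one generation up
# (log -> log.1 -> log.2 ...), drop the oldest generation, and start a fresh
# log with every host's byte counters reset to zero.

log_file="/var/log/traffic-accounting.log"
keeps=13

# Rotate log file $1, keeping at most $2 old generations ($1.1 ... $1.$2).
# $1 = filename
# $2 = keep count; must be a non-negative integer, anything else is rejected
#      before it reaches $(( )) or the mv targets
# Returns 0 on success, 1 on an invalid keep count.
log_rotate() {
  local filename="$1" keep="$2" x

  case "$keep" in
    ''|*[!0-9]*)
      echo "ERROR: log_rotate: invalid keep count \"$keep\"" >&2
      return 1
      ;;
  esac

  # Drop the oldest generation first so the shift below has a free slot
  if [ -e "$filename.$keep" ]; then
    rm -f "$filename.$keep"
  fi

  # Shift every remaining generation up by one, oldest first (counting down
  # so no generation is overwritten by a younger one)
  x=$(($keep + 1))
  while [ "$x" -ge 1 ]; do
    if [ -e "$filename.$x" ]; then
      mv "$filename.$x" "$filename.$(($x + 1))"
    fi
    x=$(($x - 1))
  done

  if [ -e "$filename" ]; then
    mv "$filename" "$filename.1"
    # Reset counters: keep the "<hostname> <ip>" columns, zero bytes in/out
    awk '{ print $1" "$2" 0 0" }' "$filename.1" > "$filename"
  fi
}

# main
log_rotate "$log_file" $keeps
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/90outbound-snat.plugin0000644000000000000000000001272512055611115030326 0ustar rootroot
# ------------------------------------------------------------------------------
#           -= Arno's iptables firewall - Outbound SNAT plugin =-
#
PLUGIN_NAME="Outbound SNAT plugin"
PLUGIN_VERSION="1.00 BETA"
PLUGIN_CONF_FILE="outbound-snat.conf"
#
# Last changed          : September 22, 2012
# Requirements          : AIF 2.0.0+
# Comments              : When a NAT'ed external interface has multiple IPv4 addresses,
#                         it may be desirable to specify which internal IP's or CIDR's
#                         use which external IPv4 addresses for outbound connections.
#
# Author                : (C) Copyright 2012 by Lonnie Abelbeck & Arno van Amersfoort
# Homepage              : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.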
# ------------------------------------------------------------------------------

# Print the IPv4 addresses (prefix length stripped) configured on interface
# $1, one per line. Errors from 'ip' are silenced, so an unknown interface
# simply produces no output.
get_extif_ipv4_addresses() {
  ip -o addr show dev "$1" 2>/dev/null \
    | awk '$3 == "inet" { split($4, field, "/"); print field[1]; }'
}

# Find the external interface that currently carries IPv4 address $1.
# Reads EXT_IF (expanded through wildcard_ifs, which is defined elsewhere).
# Outputs the interface name and returns 0 on a match; returns 1 with no
# output when no external interface has that address.
get_extif_with_ipv4_address() {
  local host="$1" eif eip eips IFS

  IFS=' ,'
  for eif in $(wildcard_ifs $EXT_IF); do
    eips="$(get_extif_ipv4_addresses $eif)"
    if [ -n "$eips" ]; then
      # Addresses come one per line; go back to the default IFS to split them
      unset IFS
      for eip in $eips; do
        if [ "$host" = "$eip" ]; then
          echo "$eif"
          return 0
        fi
      done
    fi
  done

  return 1
}

# Plugin start function
# Builds the OUTBOUND_SNAT nat chain from OUTBOUND_SNAT_NET_HOST, a space or
# comma separated list of "internal_net>external_ipv4" rules, and hooks the
# chain into POSTROUTING. Each rule SNATs traffic from internal_net (except
# traffic destined to internal_net itself) to external_ipv4: on the single
# external interface that owns that address when one is found, otherwise on
# every interface in EXT_IF. Rules missing either side are reported on
# stderr and skipped.
# Reads: OUTBOUND_SNAT_NET_HOST, EXT_IF, INDENT. Returns 0.
plugin_start() {
  local rule net host eif IFS

  ip4tables -t nat -N OUTBOUND_SNAT 2>/dev/null
  ip4tables -t nat -F OUTBOUND_SNAT

  IFS=' ,'
  for rule in $OUTBOUND_SNAT_NET_HOST; do
    net="$(echo "$rule" |cut -s -d'>' -f1)"
    host="$(echo "$rule" |cut -s -d'>' -f2)"
    if [ -n "$net" -a -n "$host" ]; then
      # First, look for matching external interface with "host" address.
      eif="$(get_extif_with_ipv4_address $host)"
      if [ -n "$eif" ]; then
        # Apply to single external interface containing "host".
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface: $eif"
        ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
      else
        # Apply to all external interface(s) if "host" is not currently found.
        # NOTE(review): "host" is used as --to-source here without ever having
        # been seen on an interface, so a mistyped address in the config is
        # installed unvalidated (only the echo above hints at it).
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface(s): $EXT_IF"
        IFS=' ,'
        for eif in $EXT_IF; do
          ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
        done
      fi
    else
      echo "** WARNING: In Variable OUTBOUND_SNAT_NET_HOST, Rule: \"$rule\" is ignored." >&2
    fi
  done

  ip4tables -t nat -A POSTROUTING -j OUTBOUND_SNAT

  return 0
}

# Plugin restart function
# Returns 0.
plugin_restart() {
  # Skip plugin_stop on a restart
  plugin_start

  return 0
}

# Plugin stop function
# Removes the POSTROUTING jump, then flushes and deletes OUTBOUND_SNAT.
# Returns 0.
plugin_stop() {
  ip4tables -t nat -D POSTROUTING -j OUTBOUND_SNAT
  ip4tables -t nat -F OUTBOUND_SNAT
  ip4tables -t nat -X OUTBOUND_SNAT 2>/dev/null

  return 0
}

# Plugin status function
# Returns 0; nothing is reported.
plugin_status() {
  return 0
}

# Check sanity of eg. environment
# Only verifies that OUTBOUND_SNAT_NET_HOST is non-empty; the individual
# rules are validated by plugin_start.
# Returns 0 when ok, 1 (with an error on stderr) otherwise.
plugin_sanity_check() {
  # Sanity check
  if [ -z "$OUTBOUND_SNAT_NET_HOST" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or when a previously loaded plugin is being stopped or
  # queried (PLUGIN_LOAD_FILE set)
  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/pptp-vpn.CHANGELOG0000644000000000000000000000013512055611115027120 0ustar rootroot
Version 1.00 BETA (February 21, 2011)
-----------------------------------
+ Initial version
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/90traffic-accounting.plugin0000644000000000000000000001377212055611115031275 0ustar rootroot
# ------------------------------------------------------------------------------
#         -= Arno's iptables firewall - Traffic Accounting plugin =-
#
PLUGIN_NAME="Traffic Accounting plugin"
PLUGIN_VERSION="1.20-BETA"
PLUGIN_CONF_FILE="traffic-accounting.conf"
#
# Last changed          : October 22, 2012
# Requirements          : AIF 2.0.0 (or later)
# Comments              : This implements support for traffic accounting for
#                         IPv4 & IPv6. It can take advantage of the
#                         DynDNS-plugin (v1.20+) by using its hostname-cache.
#                         You may want to use the plugin's DYNDNS_HOSTS_MISC
#                         for that
#
# Author                : (C) Copyright 2008-2012 by Arno van Amersfoort
# Homepage              : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
# Creates the ACCOUNTING_INPUT_CHAIN / ACCOUNTING_OUTPUT_CHAIN chains, puts a
# jump to them at position 1 of INPUT and OUTPUT (so packets are counted
# before any other rule can drop them), writes the cron job that runs
# traffic-accounting-helper, and optionally runs the helper right away.
# Reads: TRAFFIC_ACCOUNTING_CRON, TRAFFIC_ACCOUNTING_RUN_AT_START,
#        PLUGIN_BIN_PATH, INDENT. Returns 0.
plugin_start() {
  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  sysctl net.netfilter.nf_conntrack_acct=1 2>/dev/null

  iptables -N ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -N ACCOUNTING_OUTPUT_CHAIN 2>/dev/null
  iptables -F ACCOUNTING_OUTPUT_CHAIN

  # Insert rule in the INPUT chain
  iptables -I INPUT 1 -j ACCOUNTING_INPUT_CHAIN

  # Insert rule in the OUTPUT chain
  iptables -I OUTPUT 1 -j ACCOUNTING_OUTPUT_CHAIN

  # Create hourly cron job
  # This is a root cron entry: TRAFFIC_ACCOUNTING_CRON is written verbatim as
  # the schedule and PLUGIN_BIN_PATH as the command path, with no validation,
  # so both must only ever come from the plugin's own config.
  echo "$TRAFFIC_ACCOUNTING_CRON root \"$PLUGIN_BIN_PATH/traffic-accounting-helper\" >/dev/null" >/etc/cron.d/traffic-accounting

  # Call the host-accounting-helper script at startup?
  if [ "$TRAFFIC_ACCOUNTING_RUN_AT_START" = "1" ]; then
    echo "${INDENT}Running helper script..."
    "$PLUGIN_BIN_PATH/traffic-accounting-helper"
  fi

  return 0
}

# Plugin restart function
# Only re-inserts the INPUT/OUTPUT jumps; the accounting chains themselves
# are not recreated here, so they are expected to survive the restart.
# Reads: TRAFFIC_ACCOUNTING_RUN_AT_START, PLUGIN_BIN_PATH, INDENT. Returns 0.
plugin_restart() {
  ## Re-add standard chain rules that are flushed on a restart
  echo "${INDENT}Restarting..."

  # Insert rule in the INPUT chain
  iptables -I INPUT 1 -j ACCOUNTING_INPUT_CHAIN

  # Insert rule in the OUTPUT chain
  iptables -I OUTPUT 1 -j ACCOUNTING_OUTPUT_CHAIN

  # Call the host-accounting-helper script at startup?
  if [ "$TRAFFIC_ACCOUNTING_RUN_AT_START" = "1" ]; then
    echo "${INDENT}Running helper script..."
    "$PLUGIN_BIN_PATH/traffic-accounting-helper"
  fi

  return 0
}

# Plugin stop function
# Removes the cron job, runs the helper one last time (before the chains and
# their counters are flushed), then removes the jumps and the chains.
# Returns 0.
plugin_stop() {
  # Remove cron job
  rm -f /etc/cron.d/traffic-accounting

  # Store current values
  "$PLUGIN_BIN_PATH/traffic-accounting-helper" >/dev/null

  iptables -D INPUT -j ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -D OUTPUT -j ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -X ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -F ACCOUNTING_OUTPUT_CHAIN
  iptables -X ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  return 0
}

# Plugin status function
# Refreshes the counters via the helper, then prints the report with
# traffic-accounting-show. Returns 0.
plugin_status() {
  # Store current values
  "$PLUGIN_BIN_PATH/traffic-accounting-helper" >/dev/null

  # Call parse script
  "$PLUGIN_BIN_PATH/traffic-accounting-show"

  return 0
}

# Check sanity of eg. environment
# Requires a cron schedule, an executable helper script and a resolver
# (dig or nslookup, via check_command defined elsewhere).
# Returns 0 when ok, 1 (with an error on stderr) otherwise.
plugin_sanity_check() {
  if [ -z "$TRAFFIC_ACCOUNTING_CRON" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  if [ ! -x "$PLUGIN_BIN_PATH/traffic-accounting-helper" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The traffic-accounting-helper script can not be found or is not executable!\033[0m\n" >&2
    return 1
  fi

  if ! check_command dig nslookup; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required command dig (or nslookup) is not available!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or when a previously loaded plugin is being stopped or
  # queried (PLUGIN_LOAD_FILE set)
  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/dmz-dnat.CHANGELOG0000644000000000000000000000141612055611115027055 0ustar rootroot
Version 0.07BETA (August 14, 2011)
-----------------------------------
* Changed to support parse_rule()

Version 0.06BETA (September 19, 2010)
-----------------------------------
* Changed to be IPv4-only

Version 0.05BETA (May 14, 2009)
-----------------------------------
+ Lonnie's patch to include $OPEN_TCP, $OPEN_UDP, $OPEN_IP

Version 0.04BETA (May 12, 2009)
-----------------------------------
+ Quieted some harmless error messages.

Version 0.03BETA (May 10, 2009)
-----------------------------------
+ Updated to avoid NATting HOST_OPEN_TCP and HOST_OPEN_UDP.

Version 0.02BETA (May 9, 2009)
-----------------------------------
+ Updated to use new POST_NAT_PREROUTING chain.

Version 0.01BETA (May 7, 2009)
-----------------------------------
+ First initial version.
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/mac-address-filter.CHANGELOG0000644000000000000000000000063212055611115031004 0ustar rootrootVersion 1.1 (September 19, 2010) ------------------------------- + Updated to support mixed IPv4/IPv6 Version 1.0a (March 10, 2009) ------------------------------- ! Fixed incorrect IFS Version 1.0 (February 26, 2009) ------------------------------- ! Fixed typo in the sed syntax Version 0.1BETA (February 26, 2009) ------------------------------------ * First initial version (moved from the main script) arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/nat-loopback.CHANGELOG0000644000000000000000000000013512055611115027706 0ustar rootrootVersion 1.00 BETA (October 15, 2012) ------------------------------------ + Initial version arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/rpc.CHANGELOG0000644000000000000000000000035612055611115026125 0ustar rootrootVersion 0.2BETA (January 16, 2012) ---------------------------------- + Added RPC_NETS variable to restrict access * Few tweaks, fixes & cleanups Version 0.1BETA (January 16, 2012) ---------------------------------- - Initial versionarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/sip-voip.CHANGELOG0000644000000000000000000000242312055611115027104 0ustar rootrootVersion 0.3BETA (October 13, 2010) ----------------------------------- + Added SIP_VOIP_REMOTE_HOSTS variable to limit access by source address. Version 0.22BETA (August 23, 2009) ----------------------------------- ! No, that wasn't a regression, it's supposed to be called 'modprobe'. Version 0.21BETA (August 22, 2009) ----------------------------------- ! Hopefully I'll stop introducing regressions one of these days. Version 0.20BETA (August 13, 2009) ----------------------------------- ! Fixed port / kernel check -- again. + Fixed IFS value so that $ports doesn't get split up if it contains commas. 
Version 0.15BETA (December 3, 2008) ----------------------------------- ! Fixed port / kernel check + Added proper stop() section Version 0.14BETA (November 30, 2008) ------------------------------------ ! Fixed plugin for kernels 2.6.25 and newer * Misc. tweaks Version 0.12BETA (February 19, 2008) ------------------------------------ * Minor tweak for PLUGIN_RET_VAL Version 0.11BETA (February 13, 2008) ------------------------------------ + Updated according to the new plugin template ! Config variable name mismatch (SIP_VOIP_PORTS vs. VOIP_SIP_PORTS. Changed it to SIP_VOIP_PORTS. Version 0.1BETA (January 30, 2008) ----------------------------------- + Initial version arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/20nat-loopback.plugin0000644000000000000000000002265012055611115030065 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - NAT Loopback plugin =- # PLUGIN_NAME="NAT Loopback plugin" PLUGIN_VERSION="1.00 BETA" PLUGIN_CONF_FILE="nat-loopback.conf" # # Last changed : October 15, 2012 # Requirements : AIF 2.0.0+ # Comments : NAT Loopback for local nets using existing NAT_FORWARD_TCP # and NAT_FORWARD_UDP rules. # Local nets may be able to use the external IPv4 address and # port to access NAT forwarded internal servers. # # Author : (C) Copyright 2012 by Lonnie Abelbeck & Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. 
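#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

# State file holding the external IPv4 address the loopback rules were built
# with, so plugin_status can detect a changed address and rewrite the rules.
# NOTE(review): this is a fixed name inside the shared /var/tmp directory; a
# root-only location (e.g. under /var/run or /var/lib) would keep another
# local user from pre-creating the name, or a symlink in its place, before
# the firewall writes it.
NAT_LOOPBACK_DEFAULT_IPV4="/var/tmp/aif-nat-loopback-default-ipv4"

#######################################
# Print the first IPv4 address of the first external interface
# (prints nothing when none is found).
# Globals:   EXT_IF (read)
# Outputs:   one address on stdout
#######################################
nat_loopback_default_ext_ipv4() {
  local eif IFS

  IFS=' ,'
  for eif in $(wildcard_ifs $EXT_IF); do
    # 'nextfile' makes awk stop after the first inet line of the interface
    ip -o addr show dev $eif \
      | awk '$3 == "inet" { split($4, field, "/"); print field[1]; nextfile; }'
    break  # Only use first external interface
  done
}

#######################################
# Rewrite every NAT_LOOPBACK_DNAT / NAT_LOOPBACK_SNAT rule that refers to the
# previous external address so it refers to the current one.
# Arguments: $1 - previous external IPv4 address
#            $2 - current external IPv4 address
#######################################
nat_loopback_update_default_ipv4() {
  local old_defaultip="$1" defaultip="$2" old_match line nline cnt IFS

  unset IFS

  # Replace 'dot' with 'backslash-dot' for regex match
  # ${old_defaultip//./\.} would be better, but dash does not support it
  old_match="$(echo "$old_defaultip" | sed 's/\./\\./g')"

  # Rule positions are counted in iptables-save order so that -R replaces the
  # very rule the line was read from. 'read -r' keeps any backslash in the
  # rule text intact.
  cnt=1
  ip4tables_save -t nat | grep -e '-A NAT_LOOPBACK_DNAT ' | while read -r line; do
    nline="$(echo "$line" | sed "s| ${old_match}/32| ${defaultip}/32|")"
    if [ "$nline" != "$line" ]; then
      ip4tables -t nat -R NAT_LOOPBACK_DNAT $cnt ${nline#-A NAT_LOOPBACK_DNAT }
    fi
    cnt=$(($cnt+1))
  done

  cnt=1
  ip4tables_save -t nat | grep -e '-A NAT_LOOPBACK_SNAT ' | while read -r line; do
    nline="$(echo "$line" | sed "s| ${old_match}$| ${defaultip}|")"
    if [ "$nline" != "$line" ]; then
      ip4tables -t nat -R NAT_LOOPBACK_SNAT $cnt ${nline#-A NAT_LOOPBACK_SNAT }
    fi
    cnt=$(($cnt+1))
  done
}

#######################################
# Add the loopback DNAT/SNAT (and optional forward) rules for one
# NAT_FORWARD_* rule list. Shared by the TCP and UDP passes of plugin_start.
# Arguments: $1 - protocol ("tcp" or "udp")
#            $2 - the rule list to parse (value of NAT_FORWARD_TCP/UDP)
#            $3 - name of that variable, passed through to parse_rule
#            $4 - external IPv4 address used when a rule's destination is "0/0"
# Globals:   reads NAT_LOOPBACK_NET, NAT_LOOPBACK_FORWARD, SEP; parse_rule
#            fills interfaces, destips, shosts, ports and dhost_dport
#######################################
nat_loopback_add_forward_rules() {
  local proto="$1" rules="$2" rule_var="$3" defaultip="$4"
  local rule shost port destip eif dport dhost net IFS

  unset IFS
  for rule in $rules; do
    if parse_rule "$rule" "$rule_var" "interfaces:EXT_IF-destips-shosts-ports-dhost_dport"; then
      IFS=' ,'
      # NOTE(review): shost and eif are not used in the rules below, so a
      # rule with several source hosts or interfaces yields duplicate entries.
      for shost in $(ip_range "$shosts"); do
        for port in $ports; do
          for destip in $destips; do
            for eif in $interfaces; do
              dport="$(get_ports_hp "$dhost_dport" "$port")"
              dhost="$(get_hosts_hp "$dhost_dport")"

              if [ "$destip" = "0/0" ]; then
                destip="$defaultip"
              fi

              if [ -n "$dhost" -a -n "$destip" ]; then
                for net in $NAT_LOOPBACK_NET; do
                  ip4tables -t nat -A NAT_LOOPBACK_DNAT -s $net -d $destip \
                    -p $proto --dport $port -j DNAT --to-destination $(echo "$dhost_dport" |tr "$SEP-" '::')
                  if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
                    ip4tables -A POST_FORWARD_CHAIN -s $net -d $dhost -p $proto --dport $dport -j ACCEPT
                  fi
                  # Source NAT so the internal server answers via the firewall
                  ip4tables -t nat -A NAT_LOOPBACK_SNAT -s $net -d $dhost \
                    -p $proto --dport $dport -j SNAT --to-source $destip
                done
              fi
            done
          done
        done
      done
    fi
  done
}

#######################################
# Plugin start function: build NAT_LOOPBACK_DNAT/SNAT from the
# NAT_FORWARD_TCP/UDP rules so hosts in NAT_LOOPBACK_NET can reach forwarded
# servers through the external address.
# Globals:   reads NAT_LOOPBACK_NET (defaults to NAT_INTERNAL_NET),
#            NAT_LOOPBACK_FORWARD, NAT_FORWARD_TCP, NAT_FORWARD_UDP;
#            writes the external address to NAT_LOOPBACK_DEFAULT_IPV4
# Returns:   0
#######################################
plugin_start() {
  local defaultip

  ip4tables -t nat -N NAT_LOOPBACK_DNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_DNAT
  ip4tables -t nat -N NAT_LOOPBACK_SNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_SNAT

  if [ -z "$NAT_LOOPBACK_NET" ]; then
    NAT_LOOPBACK_NET="$NAT_INTERNAL_NET"
  fi

  defaultip="$(nat_loopback_default_ext_ipv4)"
  if [ -z "$defaultip" ]; then
    # Use an arbitrary IPv4 Link-Local address as a placeholder
    # for the currently unknown default IPv4 address
    defaultip="169.254.25.54"
  fi
  echo "$defaultip" > "$NAT_LOOPBACK_DEFAULT_IPV4"

  echo "${INDENT}NAT Loopback default IPv4: $defaultip"
  echo "${INDENT}NAT Loopback internal net(s): $NAT_LOOPBACK_NET"
  if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
    echo "${INDENT}NAT Loopback local forwards are enabled."
  else
    echo "${INDENT}NAT Loopback local forwards are disabled."
  fi

  nat_loopback_add_forward_rules tcp "$NAT_FORWARD_TCP" NAT_FORWARD_TCP "$defaultip"
  nat_loopback_add_forward_rules udp "$NAT_FORWARD_UDP" NAT_FORWARD_UDP "$defaultip"

  ip4tables -t nat -A PREROUTING -j NAT_LOOPBACK_DNAT
  ip4tables -t nat -A POSTROUTING -j NAT_LOOPBACK_SNAT

  return 0
}

# Plugin restart function
plugin_restart() {
  # Skip plugin_stop on a restart
  plugin_start

  return 0
}

# Plugin stop function: unhook and delete both chains, drop the state file
plugin_stop() {
  ip4tables -t nat -D PREROUTING -j NAT_LOOPBACK_DNAT
  ip4tables -t nat -D POSTROUTING -j NAT_LOOPBACK_SNAT

  ip4tables -t nat -F NAT_LOOPBACK_DNAT
  ip4tables -t nat -X NAT_LOOPBACK_DNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_SNAT
  ip4tables -t nat -X NAT_LOOPBACK_SNAT 2>/dev/null

  rm -f "$NAT_LOOPBACK_DEFAULT_IPV4"

  return 0
}

#######################################
# Plugin status function: report the external address in use. When it differs
# from the one recorded at start and NAT_LOOPBACK_UPDATE_ON_STATUS is not "0",
# the rules are rewritten in place.
# Returns:   0
#######################################
plugin_status() {
  local defaultip old_defaultip

  if [ -f "$NAT_LOOPBACK_DEFAULT_IPV4" ]; then
    old_defaultip="$(cat "$NAT_LOOPBACK_DEFAULT_IPV4")"
  else
    old_defaultip=""
  fi

  defaultip="$(nat_loopback_default_ext_ipv4)"
  if [ -n "$defaultip" -a -n "$old_defaultip" ]; then
    if [ "$defaultip" != "$old_defaultip" ]; then
      if [ "$NAT_LOOPBACK_UPDATE_ON_STATUS" != "0" ]; then
        # update rules
        nat_loopback_update_default_ipv4 "$old_defaultip" "$defaultip"
        echo "$defaultip" > "$NAT_LOOPBACK_DEFAULT_IPV4"
        echo " NAT Loopback default IPv4 (updated): $defaultip"
      else
        echo " NAT Loopback default IPv4 needs updating from '$old_defaultip' to '$defaultip'"
      fi
      return 0
    fi
  fi

  if [ -n "$old_defaultip" ]; then
    echo " NAT Loopback default IPv4: $old_defaultip"
  else
    echo " NAT Loopback default IPv4: None"
  fi

  return 0
}

# Check sanity of eg.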
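# environment
plugin_sanity_check() {
  # Sanity check
  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'')          plugin_start; PLUGIN_RET_VAL=$? ;;
        restart)           plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)            plugin_status; PLUGIN_RET_VAL=$? ;;
        # Error message indented like the other plugins
        *)                 PLUGIN_RET_VAL=1
                           printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50transparent-proxy.plugin0000644000000000000000000001240112055611115031227 0ustar rootroot
# ------------------------------------------------------------------------------
#           -= Arno's iptables firewall - Transparent Proxy plugin =-
#
PLUGIN_NAME="Transparent Proxy plugin"
PLUGIN_VERSION="1.03"
PLUGIN_CONF_FILE="transparent-proxy.conf"
#
# Last changed         : September 19, 2010
# Requirements         : kernel 2.6 + ip_nat + iptable_nat
# Comments             : This plugin enables transparent DNAT for internal hosts
#                        on certain ports, meaning traffic on certain TCP/UDP
#                        ports (eg. http) that would go to an INET address is
#                        redirected to an internal address instead.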
# Updated to be IPv4-only # # Author : (C) Copyright 2007-2010 by Arno van Amersfoort # Credits : Rok Potocnik for his initial idea # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
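# ------------------------------------------------------------------------------

#######################################
# Redirect one well-known port on every internal interface to a local proxy
# port. Does nothing when the proxy port is empty (feature not configured).
# Arguments: $1 - protocol label used in the message (eg. "FTP")
#            $2 - destination port to intercept
#            $3 - local proxy port to REDIRECT to
# Globals:   INT_IF (read), INDENT (read)
#######################################
transparent_proxy_redirect() {
  local label="$1" port="$2" proxy_port="$3" interface IFS

  if [ -z "$proxy_port" ]; then
    return 0
  fi

  echo "${INDENT}Redirecting all internal ${label}(port ${port}) traffic to proxy-port $proxy_port"
  IFS=' ,'
  for interface in $INT_IF; do
    # Only traffic arriving on an internal interface is redirected
    ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport $port -j REDIRECT --to-ports $proxy_port
  done
}

# Plugin start function
plugin_start() {
  # Some required modules are already loaded by the main script:
  modprobe ip_nat
  modprobe iptable_nat
  # modprobe ip_table

  # Setup (transparent) proxy settings:
  #####################################
  transparent_proxy_redirect FTP 21 "$FTP_PROXY_PORT"
  transparent_proxy_redirect SMTP 25 "$SMTP_PROXY_PORT"
  transparent_proxy_redirect HTTP 80 "$HTTP_PROXY_PORT"
  transparent_proxy_redirect POP3 110 "$POP3_PROXY_PORT"
  transparent_proxy_redirect HTTPs 443 "$HTTPS_PROXY_PORT"

  return 0
}

# Plugin stop function (the main script flushes the nat PREROUTING rules)
plugin_stop() {
  return 0
}

# Plugin status function
plugin_status() {
  return 0
}

# Check sanity of eg.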
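# environment
plugin_sanity_check() {
  # if [ -z "$FTP_PROXY_PORT" -o -z "$SMTP_PROXY_PORT" ]; then
  #   printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
  #   return 1
  # fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop)     plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)   plugin_status; PLUGIN_RET_VAL=$? ;;
        *)        PLUGIN_RET_VAL=1
                  printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
././@LongLink0000000000000000000000000000014700000000000011567 Lustar rootrootarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.pluginarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plug0000644000000000000000000001323512055611115032362 0ustar rootroot
# ------------------------------------------------------------------------------
#       -= Arno's iptables firewall - SSH Brute Force Protection plugin =-
#
PLUGIN_NAME="SSH Brute-Force Protection plugin"
PLUGIN_VERSION="1.1a"
PLUGIN_CONF_FILE="ssh-brute-force-protection.conf"
#
# Last changed         : October 8, 2010
# Requirements         : kernel 2.6 + ipt_recent or xt_recent
#                      : AIF 1.9.2k (and later)
#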
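# Comments             : This plugin implements protection against brute-force
#                        cracking by limiting the number of connection attempts
#                        from each source IP within a given time slot. It is
#                        primarily intended for SSH/port 22, but in principle
#                        it can be used for any TCP protocol
#                        (eg. FTP/SMTP/IMAP etc.)
#                        Updated for mixed IPv4/IPv6
#
# Author               : (C) Copyright 2006-2010 by Arno van Amersfoort
# Homepage             : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage   : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                        (note: you must remove all spaces and substitute the @ and the .
#                        at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

#######################################
# Plugin start function: build the SSH_CHK and SSH_LOG_DROP chains and hook
# SSH_CHK into EXT_INPUT_CHAIN for every protected port.
# Globals:   reads IPTABLES, INDENT, IPV6_DETECTED, SSH_BFP_IPV6_ENABLE,
#            LOGLEVEL, SSH_BFP_TRUSTED_HOSTS, SSH_BFP_MAX_RATE1/2,
#            SSH_BFP_MAX_TIME1/2; sets SSH_BFP_PORTS to "22" when empty
# Returns:   0
#######################################
plugin_start() {
  local host port IFS

  if [ "$IPV6_DETECTED" = "1" ] && [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new SSH_CHK to insert SSH checker + whitelist:
  $IPTABLES -N SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_CHK

  # Create new SSH_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N SSH_LOG_DROP 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP
  $IPTABLES -A SSH_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:SSH Brute force attack?: "
  $IPTABLES -A SSH_LOG_DROP -j DROP

  if [ -n "$SSH_BFP_TRUSTED_HOSTS" ]; then
    # Create whitelist: trusted hosts leave SSH_CHK before any counting happens
    echo "${INDENT}Allowing bypass of SSH protection checks for: $SSH_BFP_TRUSTED_HOSTS"
    IFS=' ,'
    for host in $(ip_range "$SSH_BFP_TRUSTED_HOSTS"); do
      $IPTABLES -A SSH_CHK -s $host -j RETURN
    done
  fi

  # Create rate1 & rate2 checker: every new connection is recorded in the
  # 'sshchk' list, then logged and dropped once either window's hit count is
  # exceeded. NOTE(review): xt_recent caps --hitcount at its ip_pkt_list_tot
  # module parameter (default 20); larger values are rejected when the rule
  # is added.
  $IPTABLES -A SSH_CHK -m recent --name sshchk --set
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME1 --hitcount $SSH_BFP_MAX_RATE1 -j SSH_LOG_DROP
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME2 --hitcount $SSH_BFP_MAX_RATE2 -j SSH_LOG_DROP

  # If no ports were configured, use the default of 22
  if [ -z "$SSH_BFP_PORTS" ]; then
    SSH_BFP_PORTS="22"
  fi

  echo "${INDENT}Protecting TCP port(s): $SSH_BFP_PORTS"

  # Insert rule into the EXTERNAL INPUT chain (only NEW connections are counted):
  IFS=' ,'
  for port in $SSH_BFP_PORTS; do
    $IPTABLES -A EXT_INPUT_CHAIN -p tcp --dport $port -m state --state NEW -j SSH_CHK
  done

  return 0
}

# Plugin stop function
plugin_stop() {
  $IPTABLES -F SSH_CHK
  $IPTABLES -X SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP
  $IPTABLES -X SSH_LOG_DROP 2>/dev/null

  return 0
}

# Plugin status function
plugin_status() {
  return 0
}

# Check sanity of eg.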
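# environment
plugin_sanity_check() {
  if [ -z "$SSH_BFP_MAX_RATE1" -o -z "$SSH_BFP_MAX_TIME1" -o -z "$SSH_BFP_MAX_RATE2" -o -z "$SSH_BFP_MAX_TIME2" ]; then
    printf '\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # IPv4-only wrapper when IPv6 protection is switched off in the config,
    # otherwise the plain iptables wrapper
    if [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop)     plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)   plugin_status; PLUGIN_RET_VAL=$? ;;
        *)        PLUGIN_RET_VAL=1
                  printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi

    unset IPTABLES
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin0000644000000000000000000001407512055611115027424 0ustar rootroot
# ------------------------------------------------------------------------------
#                -= Arno's iptables firewall - IPsec VPN plugin =-
#
PLUGIN_NAME="IPsec VPN plugin"
PLUGIN_VERSION="0.83BETA"
PLUGIN_CONF_FILE="ipsec-vpn.conf"
#
# Last changed         : March 9, 2011
# Requirements         : AIF 2.0.0+ and kernel 2.6 + ipt_policy + iptable_nat
# Comments             : This plugin adds all required rules for using Racoon IPSEC.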
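#
# Author               : (C) Copyright 2006-2010 by Philip Prindeville & Arno van Amersfoort
# Homepage             : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage   : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                : philipp AT redfish-solutions DOT com
#                        (note: you must remove all spaces and substitute the @ and the .
#                        at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

#######################################
# Plugin start function: create VPN_INPUT/VPN_FORWARD, open IKE/ESP/AH from
# IPSEC_ALLOWED_HOSTS and route decapsulated traffic past the external
# interface filters.
# Globals:   reads INDENT, IPSEC_VPN_NETS, IPSEC_ALLOWED_HOSTS, IPV6_SUPPORT,
#            IPSEC_NAT_TRAVERSAL, EXT_IF, INTERNAL_NET
# Returns:   0
#######################################
plugin_start() {
  local eif net vnet host ipver cnt IFS

  modprobe ipt_policy   # Allows use of policy match
  modprobe iptable_nat  # We need the NAT table

  iptables -N VPN_INPUT 2>/dev/null
  iptables -F VPN_INPUT
  iptables -N VPN_FORWARD 2>/dev/null
  iptables -F VPN_FORWARD

  # If the user has specified a subset of remote networks, only allow those.
  if [ -n "$IPSEC_VPN_NETS" ]; then
    echo "${INDENT}Applying rules for VPN nets $IPSEC_VPN_NETS"
    IFS=' ,'
    for vnet in $IPSEC_VPN_NETS; do
      iptables -A VPN_INPUT -s $vnet -j ACCEPT
      iptables -A VPN_FORWARD -s $vnet -j ACCEPT
    done
    iptables -A VPN_INPUT -j DROP
    iptables -A VPN_FORWARD -j DROP
  else
    # Otherwise, we allow everything.
    iptables -A VPN_INPUT -j ACCEPT
    iptables -A VPN_FORWARD -j ACCEPT
  fi

  # Don't apply the usual filters for the external interface on
  # traffic that's just been decapsulated. We treat it mostly like
  # internal traffic.
  # iptables -A EXT_INPUT_CHAIN -m policy --pol ipsec --dir in -j VPN_INPUT
  # (unnecessary since the -A INPUT...-j VPN_INPUT rule below supersedes this rule)

  echo "${INDENT}Allowing internet hosts $IPSEC_ALLOWED_HOSTS to access the VPN service"
  IFS=' ,'
  for host in $(ip_range "$IPSEC_ALLOWED_HOSTS"); do
    iptables -A EXT_INPUT_CHAIN -p udp --dport 500 -s $host -j ACCEPT

    # get_numeric_ip_version reports the address family in its exit status;
    # a result of 0 is handled as "both", so ESP/AH are opened for IPv4 and
    # (when supported) IPv6.
    get_numeric_ip_version "$host"
    ipver=$?
    if [ $ipver -eq 4 -o $ipver -eq 0 ]; then
      ip4tables -A EXT_INPUT_CHAIN -p esp -s $host -j ACCEPT
      ip4tables -A EXT_INPUT_CHAIN -p ah -s $host -j ACCEPT
    fi

    if [ "$IPV6_SUPPORT" = "1" ]; then
      if [ $ipver -eq 6 -o $ipver -eq 0 ]; then
        ip6tables -A EXT_INPUT_CHAIN -m esp -p esp -s $host -j ACCEPT
        ip6tables -A EXT_INPUT_CHAIN -m ah -s $host -j ACCEPT
      fi
    fi

    if [ "$IPSEC_NAT_TRAVERSAL" = "1" ]; then
      iptables -A EXT_INPUT_CHAIN -p udp --dport 4500 -s $host -j ACCEPT
    fi
  done

  # Let decapsulated packets from internal nets pass the spoof check.
  # Inserting at increasing positions keeps them in interface/net order at
  # the front of SPOOF_CHK.
  cnt=0
  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      cnt=$((cnt + 1))
      iptables -I SPOOF_CHK $cnt -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN
    done
  done

  IFS=' ,'
  for eif in $EXT_IF; do
    # Allow IPSEC packets in after decapsulation
    ip4tables -t nat -A PREROUTING -i $eif -m policy --pol ipsec --dir in -j ACCEPT
    iptables -A FORWARD -i $eif -m policy --pol ipsec --dir in -j VPN_FORWARD
    iptables -A INPUT -i $eif -m policy --pol ipsec --dir in -j VPN_INPUT

    # Do not apply masquerading to outbound traffic
    ip4tables -t nat -A POSTROUTING -o $eif -m policy --pol ipsec --dir out -j ACCEPT
  done

  return 0
}

# Plugin stop function: remove the chains and the SPOOF_CHK exemptions added
# by plugin_start
plugin_stop() {
  local eif net IFS

  iptables -F VPN_INPUT
  iptables -X VPN_INPUT 2>/dev/null
  iptables -F VPN_FORWARD
  iptables -X VPN_FORWARD 2>/dev/null

  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      iptables -D SPOOF_CHK -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN
    done
  done

  return 0
}

# Plugin status function
plugin_status() {
  return 0
}

# Check sanity of eg.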
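# environment
plugin_sanity_check() {
  # Sanity check
  if [ -z "$IPSEC_ALLOWED_HOSTS" ]; then
    printf '\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop)     plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)   plugin_status; PLUGIN_RET_VAL=$? ;;
        # Error message indented like the other plugins
        *)        PLUGIN_RET_VAL=1
                  printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50dyndns-host-open.plugin0000644000000000000000000001312412055611115030723 0ustar rootroot
# ------------------------------------------------------------------------------
#            -= Arno's iptables firewall - DynDNS Host Open plugin =-
#
PLUGIN_NAME="DynDNS Host Open plugin"
PLUGIN_VERSION="1.31-BETA"
PLUGIN_CONF_FILE="dyndns-host-open.conf"
#
# Last changed         : November 5, 2012
# Requirements         : kernel 2.6 + AIF 2.0.1 or better
# Comments             : This implements dynamic DNS (DynDNS) support for eg.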
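#                        opening ports
#
# Author               : (C) Copyright 2008-2012 by Arno van Amersfoort
# Homepage             : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage   : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                        (note: you must remove all spaces and substitute the @ and the .
#                        at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

# If HOST_CACHE_FILE is not defined, fallback to old DYNDNS variable
# NOTE(review): the fallback is a fixed name inside the shared /var/tmp
# directory and plugin_status prints its contents; a root-only location
# (e.g. under /var/run or /var/lib) would keep another local user from
# pre-creating the name, or a symlink in its place, before it is written.
if [ -n "$HOST_CACHE_FILE" ]; then
  DYNDNS_HOST_CACHE="$HOST_CACHE_FILE"
else
  DYNDNS_HOST_CACHE="/var/tmp/aif_dyndns_host_cache"
fi

# Run the helper script right away when DYNDNS_RUN_AT_START is "1"
# (shared by plugin_start and plugin_restart).
dyndns_run_helper_at_start() {
  if [ "$DYNDNS_RUN_AT_START" = "1" ]; then
    echo "${INDENT}Running helper script..."
    "$PLUGIN_BIN_PATH/dyndns-host-open-helper"
  fi
}

# Plugin start function
plugin_start() {
  # Create new DYNDNS_CHAIN chain:
  iptables -N DYNDNS_CHAIN 2>/dev/null
  iptables -F DYNDNS_CHAIN

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j DYNDNS_CHAIN

  # Remove the cache file
  rm -f "$DYNDNS_HOST_CACHE"

  # Create cron job from the configured schedule. Entries in cron.d run as
  # root, so this file must stay root-owned and not writable by others.
  echo "$DYNDNS_HOST_OPEN_CRON root $PLUGIN_BIN_PATH/dyndns-host-open-helper >/dev/null" >/etc/cron.d/dyndns-host-open

  # Call the dyndns-helper script at startup?
  dyndns_run_helper_at_start

  return 0
}

# Plugin restart function
plugin_restart() {
  ## Re-add standard chain rules that are flushed on a restart
  echo "${INDENT}Restarting..."

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j DYNDNS_CHAIN

  # Call the dyndns-helper script at startup?
  dyndns_run_helper_at_start

  return 0
}

# Plugin stop function
plugin_stop() {
  # Remove cron job
  rm -f /etc/cron.d/dyndns-host-open

  # Remove the cache file
  rm -f "$DYNDNS_HOST_CACHE"

  iptables -D EXT_INPUT_CHAIN -j DYNDNS_CHAIN 2>/dev/null
  iptables -F DYNDNS_CHAIN
  iptables -X DYNDNS_CHAIN 2>/dev/null

  return 0
}

# Plugin status function
plugin_status() {
  iptables -L DYNDNS_CHAIN

  # Show IP->hostname mappings from our host-cache
  if [ -e "$DYNDNS_HOST_CACHE" ]; then
    echo ""
    echo "Showing hostname->IP mapping"
    echo "----------------------------"
    cat "$DYNDNS_HOST_CACHE"
  fi

  return 0
}

# Check sanity of eg. environment
plugin_sanity_check() {
  if [ -z "$DYNDNS_HOST_OPEN_TCP" -a -z "$DYNDNS_HOST_OPEN_UDP" -a \
       -z "$DYNDNS_HOST_OPEN_IP" -a -z "$DYNDNS_HOST_OPEN_ICMP" -a \
       -z "$DYNDNS_HOST_MISC" ] || [ -z "$DYNDNS_HOST_OPEN_CRON" ]; then
    printf '\033[40m\033[1;31m%sERROR: The plugin config file is not (properly) setup!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  if [ ! -x "$PLUGIN_BIN_PATH/dyndns-host-open-helper" ]; then
    printf '\033[40m\033[1;31m%sERROR: The dyndns-host-open-helper script can not be found or is not executable!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  if ! check_command dig nslookup; then
    printf '\033[40m\033[1;31m%sERROR: Required command dig (or nslookup) is not available!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'')          plugin_start; PLUGIN_RET_VAL=$? ;;
        restart)           plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)            plugin_status; PLUGIN_RET_VAL=$? ;;
        *)                 PLUGIN_RET_VAL=1
                           printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50linux-upnp-igd.plugin0000644000000000000000000000747612055611115030377 0ustar rootroot
# ------------------------------------------------------------------------------
#            -= Arno's iptables firewall - Linux UPnP IGD plugin =-
#
PLUGIN_NAME="Linux UPnP IGD plugin"
PLUGIN_VERSION="1.0a"
PLUGIN_CONF_FILE="linux-upnp-igd.conf"
#
# Last changed         : October 10, 2011
# Requirements         : kernel 2.6 + linux-igd
# Comments             : An UPnP-enabled application can tell linux-igd what public ports
#                        have to be forwarded back to the application.
#                        This plugin adds a new chain into the FORWARD chain
#                        where the UPnP daemon "linuxigd" can insert its ports.
#                        In "upnpd.conf" you must set the forward_chain_name = UPNP_FORWARD
#
# Author               : (C) Copyright 2007-2011 by Joerg Straube
# Homepage             : http://joerg.li/
# Email                : j o e r g DOT s t r a u b e AT i a e t h DOT c h
#                        (note: you must remove all spaces and substitute the @ and the .
#                        at the proper locations!)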
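# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

#######################################
# Plugin start function: create the UPNP_FORWARD chain that linuxigd fills and
# hook it into FORWARD. The hook only matches traffic entering on an external
# interface and leaving on a different one, so daemon-inserted rules cannot
# affect other traffic.
# Globals:   EXT_IF (read)
# Returns:   0
#######################################
plugin_start() {
  local eif IFS

  # Create new UPNP_FORWARD chain to be used by linuxigd (aka upnpd):
  iptables -N UPNP_FORWARD 2>/dev/null
  iptables -F UPNP_FORWARD
  iptables -N UPNP_FORWARD_HOOK 2>/dev/null
  iptables -F UPNP_FORWARD_HOOK

  # Insert rule into the FORWARD chain:
  IFS=' ,'
  for eif in $EXT_IF; do
    iptables -A UPNP_FORWARD_HOOK -i $eif ! -o $eif -j UPNP_FORWARD
  done
  iptables -A FORWARD -j UPNP_FORWARD_HOOK

  return 0
}

# Plugin stop function
plugin_stop() {
  iptables -D FORWARD -j UPNP_FORWARD_HOOK 2>/dev/null
  iptables -F UPNP_FORWARD_HOOK
  iptables -X UPNP_FORWARD_HOOK 2>/dev/null
  iptables -F UPNP_FORWARD
  iptables -X UPNP_FORWARD 2>/dev/null

  return 0
}

# Plugin status function
plugin_status() {
  return 0
}

# Check sanity of eg. environment
plugin_sanity_check() {
  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  # Values go through %s so a '%' in the path never reaches the format string
  printf 'NOTE: Config file "%s" not found!\n Plugin "%s v%s" ignored!\n' "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop)     plugin_stop; PLUGIN_RET_VAL=$? ;;
        status)   plugin_status; PLUGIN_RET_VAL=$? ;;
        *)        PLUGIN_RET_VAL=1
                  printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/10mac-address-filter.plugin0000644000000000000000000001442012055611115031154 0ustar rootroot
# ------------------------------------------------------------------------------
#           -= Arno's iptables firewall - MAC Address Filter plugin =-
#
PLUGIN_NAME="MAC Address Filter plugin"
PLUGIN_VERSION="1.1"
PLUGIN_CONF_FILE="mac-address-filter.conf"
#
# Last changed         : September 19, 2010
# Requirements         : ipt_mac module
# Comments             : This plugin allows you to select the MAC addresses
#                        that are allowed access for the specified interfaces
#                        (eg. INT_IF)
#
# Author               : (C) Copyright 2010 by Arno van Amersfoort
# Homepage             : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage   : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                        (note: you must remove all spaces and substitute the @ and the .
#                        at the proper locations!)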
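# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
# Builds MAC_FILTER: broadcast/multicast destinations and every "MAC [IP]"
# pair listed in MAC_ADDRESS_FILE RETURN (pass), everything else is logged
# (optional) and sent to POST_INPUT_DROP_CHAIN. The chain is hooked into
# INPUT and FORWARD for the interfaces in MAC_ADDRESS_IF.
# A source MAC is not authenticated and can be changed by the sending host,
# so this is an allow-list convenience rather than a strong access control;
# the optional IP column at least binds each entry to one source address.
# Globals:  MAC_ADDRESS_FILE, MAC_ADDRESS_IF, MAC_ADDRESS_LOG, IPV6_SUPPORT,
#           INT_NET_BCAST_ADDRESS, INTERNAL_NET, LOGLEVEL, INDENT (read);
#           MCOUNT (written: number of entries loaded)
# Returns:  0
plugin_start() {
  # Probe module ipt_mac (needed for the "-m mac --mac-source" match):
  modprobe ipt_mac

  # Create new chains
  iptables -N MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER_HOOK
  iptables -N MAC_FILTER 2>/dev/null
  iptables -F MAC_FILTER

  echo " Using interface(s): $MAC_ADDRESS_IF"

  # Here we filter the internal hosts using their MAC address (if used)
  #####################################################################

  # Setup the mac addresses from our file
  printf "${INDENT}(Re)loading allowed internal MAC addresses from $MAC_ADDRESS_FILE: "

  # Allow IPv4 broadcasts and IPv6 "link-scope all-hosts multicast"
  ip4tables -A MAC_FILTER -d 255.255.255.255 -j RETURN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A MAC_FILTER -d ff02::1 -j RETURN
  fi
  #iptables -A MAC_FILTER -m pkttype --pkt-type ! unicast -j RETURN
  #iptables -A MAC_FILTER -m addrtype --dst-type BROADCAST -j RETURN

  if [ -n "$INT_NET_BCAST_ADDRESS" ]; then
    IFS=' ,'
    for address in $INT_NET_BCAST_ADDRESS; do
      iptables -A MAC_FILTER -d $address -j RETURN
    done
  else
    # No explicit broadcast address configured: pass the classful (/24, /16,
    # /8) directed-broadcast addresses derived from each IPv4 internal net.
    # NOTE(review): this assumes classful nets; for other prefix lengths set
    # INT_NET_BCAST_ADDRESS explicitly - confirm against your INTERNAL_NET.
    IFS=' ,'
    for net in $INTERNAL_NET; do
      get_numeric_ip_version "$net"
      case $? in
        4)
          # Class C net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2"."$3".255" }') -j RETURN
          # Class B net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2".255.255" }') -j RETURN
          # Class A net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1".255.255.255" }') -j RETURN
          ;;
      esac
    done
  fi

  MCOUNT=0
  # Read the allow-list line by line (comments and trailing blanks stripped).
  # A here-document keeps the loop in the current shell so MCOUNT survives;
  # "read -r" with IFS cleared takes each line verbatim instead of relying on
  # word-splitting a command substitution.
  while IFS= read -r LINE; do
    if [ -n "$LINE" ]; then
      src_mac="$(echo "$LINE" |awk '{ print $1 }')"
      src_ip="$(echo "$LINE" |awk '{ print $2 }')"
      # Entry without an IP column: accept the MAC from any source address
      if [ -z "$src_ip" ]; then
        src_ip="0/0"
      fi
      MCOUNT=$(($MCOUNT + 1))
      iptables -A MAC_FILTER -m mac --mac-source $src_mac -s $src_ip -j RETURN
    fi
  done <<EOF
$(sed -e 's|#.*||' -e 's| *$||' "$MAC_ADDRESS_FILE")
EOF

  if [ "$MAC_ADDRESS_LOG" = "1" ]; then
    # Rate-limited so an unlisted chatty host cannot flood the log
    iptables -A MAC_FILTER \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:MAC address dropped: "
  fi

  # Anyone else is dropped
  iptables -A MAC_FILTER -j POST_INPUT_DROP_CHAIN

  IFS=' ,'
  for interface in $MAC_ADDRESS_IF; do
    iptables -A MAC_FILTER_HOOK -i $interface -j MAC_FILTER
  done

  # Insert chains
  iptables -A INPUT -j MAC_FILTER_HOOK
  iptables -A FORWARD -j MAC_FILTER_HOOK

  echo "$MCOUNT loaded"

  return 0
}

# Plugin stop function
# Unhooks MAC_FILTER_HOOK from INPUT/FORWARD and removes both chains; errors
# from rules or chains that are already gone are ignored.
# Returns:  0
plugin_stop() {
  iptables -D INPUT -j MAC_FILTER_HOOK 2>/dev/null
  iptables -D FORWARD -j MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER_HOOK
  iptables -X MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER
  iptables -X MAC_FILTER 2>/dev/null

  return 0
}

# Plugin status function
# Returns:  0 (no output at present)
plugin_status() {
  # iptables -xnvL MAC_FILTER
  return 0
}

# Check sanity of eg. environment
# Requires a readable allow-list and at least one interface to filter on.
# Globals:  MAC_ADDRESS_FILE, MAC_ADDRESS_IF, INDENT (read)
# Returns:  0 when usable, 1 otherwise (message on stderr)
plugin_sanity_check() {
  if [ -z "$MAC_ADDRESS_FILE" ] || [ ! -e "$MAC_ADDRESS_FILE" ]; then
    printf "\033[40m\033[1;31m${INDENT}NOTE: Cannot read the allowed internal MAC address file \"$MAC_ADDRESS_FILE\".\033[0m\n" >&2
    return 1
  fi

  if [ -z "$MAC_ADDRESS_IF" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/outbound-snat.CHANGELOG0000644000000000000000000000014112055611115030133 0ustar rootrootVersion 1.00 BETA (September 22, 2012)
--------------------------------------
+ Initial version
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/dyndns-host-open.CHANGELOG0000644000000000000000000000525312055611115030553 0ustar rootrootVersion 1.31-BETA (November 5, 2012)
------------------------------------
- Remove DYNDNS_SESSION_FAILED_DNS_SKIP option since it never worked the it supposed to anyway

Version 1.30-BETA (October 23, 2012)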
------------------------------------ * Refactor/cleanup helper script. No need to preinit cache anymore since we can fallback on our "old"-cache anyway * Use the host-cache file provided by the main script (environment). This makes it easier for plugins to use and allows the main script to clean up ! Host resolving was broken (regression) * Improve performance by reorganising the loops * Always execute iptables command even with an empty host_ip to make clear to the user it failed ! Sanity check didn't check for DYNDNS_HOST_MISC ! Fixed typos Version 1.24 (August 14, 2011) ---------------------------- * Changed to support parse_rule() in dyndns-host-open-helper Version 1.23 (July 14, 2011) ---------------------------- * Add proper locking for our helper script (like we already did for the traffic accounting plugin) Version 1.22 (July 14, 2011) ---------------------------- ! We should call the helper script on a restart(), if required Version 1.21 (May 13, 2011) --------------------------- * Change default DYNDNS_HOST_CACHE filename to be more consistent Version 1.2BETA (October 19, 2010) ---------------------------------- * Added plugin_restart() function support for AIF 2.0.0 Version 1.1BETA (January 21, 2010) ---------------------------------- + Adding proper caches + additional (tweak) settings for the config file + Improved sanity check * Pre-resolve all hostnames first before updating the rules in our helper script * Numerous tweaks + fixes Version 1.0 (March 7, 2009) --------------------------- * Tell gethostbyname() which nameserver to use (ns.dyndns.org) + Use OUR gethostbyname() to resolve the hostnames for iptables Version 0.25BETA (January 7, 2009) ---------------------------------- ! Fixes in the helper script Version 0.24BETA (November 24, 2008) ------------------------------------ ! 
Fixed missing IFS for ICMP rules Version 0.24BETA (November 17, 2008) ------------------------------------ * Minor tweaks Version 0.23BETA (October 10, 2008) ----------------------------------- * Cron update internal set to 15min. + made it user configurable * Misc. changs * Renamed helper script Version 0.22BETA (September 16, 2008) ------------------------------------ ! Small cosmetic fix Version 0.21BETA (September 8, 2008) ------------------------------------ * Small tweaks Version 0.20BETA (September 5, 2008) ------------------------------------ * It now automatically creates & removes the cron job * Minor cosmetic changes in the cron helper shell script arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/90dmz-dnat.plugin0000644000000000000000000001400612055611115027234 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - DMZ-host default port forwarding plugin =- # PLUGIN_NAME="DMZ-host DNAT plugin" PLUGIN_VERSION="0.07BETA (EXPERIMENTAL!)" PLUGIN_CONF_FILE="dmz-dnat.conf" # # Last changed : August 14, 2011 # Requirements : kernel 2.6 and AIF 2.0.1+ # Comments : This plugin allows forwarding of all traffic to a # "DMZ" host. It's only been tested with 1.9+. # Updated to be IPv4-only # Updated to support parse_rule() # # Author : (C) Copyright 2010-2011 by Philip A. Prindeville # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : philipp AT redfish-solutions DOT com # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. 
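#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
# Builds the nat chain NAT_PREROUTING_LOCAL: ICMP and every explicitly opened
# TCP/UDP/IP port or protocol (OPEN_*/HOST_OPEN_*) RETURN, and whatever is
# left that arrives on an external interface is DNATed to DMZ_IP and accepted
# in POST_FORWARD_CHAIN. The DMZ host therefore receives every inbound packet
# the firewall does not handle itself - treat it as fully exposed.
# Globals:  EXT_IF, DMZ_IP, OPEN_TCP, OPEN_UDP, OPEN_IP, HOST_OPEN_TCP,
#           HOST_OPEN_UDP, HOST_OPEN_IP, ANYHOST, SEP, INDENT (read);
#           hosts/ports/protos/destips/interfaces are set by parse_rule()
# Returns:  0
plugin_start() {
  # Forward all traffic that doesn't match an explicit port-forward to the
  # DMZ host.
  ip4tables -t nat -N NAT_PREROUTING_LOCAL 2>/dev/null
  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  # bail if ICMP...
  IFS=' ,'
  for eif in $EXT_IF; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -p icmp -j RETURN
  done

  local open_tcp="" open_udp="" open_ip=""

  # OPEN_* entries have no host part; prefix ANYHOST so they parse like
  # HOST_OPEN_* rules.
  unset IFS
  for rule in $OPEN_TCP; do
    open_tcp="$open_tcp $ANYHOST$SEP$rule"
  done

  # intercept HOST_OPEN_TCP and HOST_OPEN_UDP (sigh... duplicate code...)
  unset IFS
  for rule in $HOST_OPEN_TCP $open_tcp; do
    if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $interface -s $host -d $destip -p tcp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_UDP; do
    open_udp="$open_udp $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_UDP $open_udp; do
    if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $interface -s $host -d $destip -p udp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_IP; do
    open_ip="$open_ip $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_IP $open_ip; do
    if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $interface -s $host -d $destip -p $proto -j RETURN
            done
          done
        done
      done
    fi
  done

  ## ICMP???

  echo "${INDENT}DMZ-DNAT: sending all non-local packets to $DMZ_IP"
  IFS=' ,'
  for eif in $EXT_IF; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -j DNAT --to-destination $DMZ_IP
    ip4tables -A POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT
  done

  return 0
}

# Plugin stop function
# Unhooks and removes NAT_PREROUTING_LOCAL and the per-interface ACCEPT rules.
# Delete errors are ignored (like the other plugins do) so a stop after the
# main script already flushed the chains does not print spurious errors.
# Returns:  0
plugin_stop() {
  ip4tables -t nat -D POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL 2>/dev/null
  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -X NAT_PREROUTING_LOCAL 2>/dev/null

  IFS=' ,'
  for eif in $EXT_IF; do
    ip4tables -D POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT 2>/dev/null
  done

  return 0
}

# Plugin status function
# Returns:  0 (no output at present)
plugin_status() {
  return 0
}

# Check sanity of eg. environment
# Globals:  DMZ_IP, INDENT (read)
# Returns:  0 when DMZ_IP is set, 1 otherwise (message on stderr)
plugin_sanity_check() {
  if [ -z "$DMZ_IP" ]; then
    # ${INDENT}, not {$INDENT}: the old form printed a literal "{...}"
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/ipv6-over-ipv4.CHANGELOG0000644000000000000000000000107612055611115030056 0ustar rootrootVersion 0.2BETA (October 8, 2010)
------------------------------------
+ Added IPV6_OVER_IPV4_SERVER variable to restrict source packets
! Removed IPv4 rule allowing proto 58, which is icmpv6
  IPv6 icmpv6 packets are handled by the main script

Version 0.12BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.11BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.1BETA (December 18, 2007)
-----------------------------------
+ First initial version.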
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/dsl-ppp-modem.CHANGELOG0000644000000000000000000000106212055611115030012 0ustar rootrootVersion 1.0g (October 20, 2011) ------------------------------- ! Iptables negation changed in newer versions from intraposition to extraposition ! Indent missing (cosmetic) Version 1.0e (June 18, 2009) ---------------------------- ! Fixed stop section didn't remove the INPUT-hook properly causing the main script to report an error on restart Version 1.0c (March 17, 2009) ----------------------------- * Cleanup + Allow DHCP packets by default Version 1.0 (August 11, 2008) ----------------------------- * Simple move of the code out of the main script arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/90rpc.plugin0000644000000000000000000001025512055611115026304 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - RPC plugin =- # PLUGIN_NAME="RPCplugin" PLUGIN_VERSION="0.21-BETA" PLUGIN_CONF_FILE="rpc.conf" # # Last changed : January 17, 2012 # Requirements : kernel 2.6 # Comments : This plugin opens RPC ports # # Author : (C) Copyright 2011-2012 by Jared H. Hudson # Email : jhhudso AT volumehost DOT com # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
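# ------------------------------------------------------------------------------

# Plugin start function
# Creates RPC_CHAIN, hooks it into EXT_INPUT_CHAIN and, for every service in
# RPC_SERVICES, ACCEPTs the TCP and UDP ports rpcinfo currently reports for
# it from each net in RPC_NETS. Ports are looked up at start time, so a
# service that re-registers on a different port needs a restart to be opened.
# Globals:  RPC_SERVICES, RPC_NETS, INDENT (read); ports (written)
# Returns:  0 on success, 1 when rpcinfo is not available
plugin_start() {
  # Without rpcinfo there is nothing to look up; fail visibly instead of
  # silently opening no ports.
  if ! command -v rpcinfo >/dev/null 2>&1; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: rpcinfo not found, cannot determine RPC ports!\033[0m\n" >&2
    return 1
  fi

  # Create new RPC_CHAIN chain:
  iptables -N RPC_CHAIN 2>/dev/null
  iptables -F RPC_CHAIN

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN

  echo "${INDENT}Enabling RPC service(s) $RPC_SERVICES for net(s) $RPC_NETS"

  IFS=' ,'
  for service in $RPC_SERVICES; do
    # Port column of every rpcinfo line for this transport that matches the
    # service. The name is passed via -v instead of being spliced into the
    # awk program text, so regex/awk metacharacters in a name cannot change
    # the program; the match itself is unchanged (a substring match, so a
    # short name can also select similarly named services).
    ports="$(rpcinfo -p |awk -v svc="$service" '$0 ~ ("tcp.*" svc) { print $4 }' |uniq)"
    echo "${INDENT}Adding TCP ports $ports for RPC service $service"
    for net in $RPC_NETS; do
      for port in $ports; do
        iptables -I RPC_CHAIN -p tcp -s $net --dport $port -j ACCEPT
      done
    done

    ports="$(rpcinfo -p |awk -v svc="$service" '$0 ~ ("udp.*" svc) { print $4 }' |uniq)"
    echo "${INDENT}Adding UDP ports $ports for RPC service $service"
    for net in $RPC_NETS; do
      for port in $ports; do
        iptables -I RPC_CHAIN -p udp -s $net --dport $port -j ACCEPT
      done
    done
  done

  return 0
}

# Plugin restart function
# Only re-hooks the (still populated) RPC_CHAIN; the main script flushes the
# standard chains on a restart but leaves plugin chains alone.
# Returns:  0
plugin_restart() {
  ## Re-add standard chain rules that are flushed on a restart
  echo "${INDENT}Restarting..."

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN

  return 0
}

# Plugin stop function
# Unhooks and removes RPC_CHAIN; -D/-X errors are ignored so stop is idempotent.
# Returns:  0
plugin_stop() {
  iptables -D EXT_INPUT_CHAIN -j RPC_CHAIN 2>/dev/null
  iptables -F RPC_CHAIN
  iptables -X RPC_CHAIN 2>/dev/null

  return 0
}

# Plugin status function
# Lists the currently opened RPC ports.
# Returns:  0
plugin_status() {
  iptables -L RPC_CHAIN

  return 0
}

# Check sanity of eg. environment
# Globals:  RPC_SERVICES, RPC_NETS, INDENT (read)
# Returns:  0 when both lists are set, 1 otherwise (message on stderr)
plugin_sanity_check() {
  if [ -z "$RPC_SERVICES" ] || [ -z "$RPC_NETS" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly setup!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50ipv6-over-ipv4.plugin0000644000000000000000000000723312055611115030233 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - IPv6-over-IPv4 plugin =-
#
PLUGIN_NAME="IPv6-over-IPv4 plugin"
PLUGIN_VERSION="0.2BETA"
PLUGIN_CONF_FILE="ipv6-over-ipv4.conf"
#
# Last changed : October 8, 2010
# Requirements : kernel 2.6 with IPv6 support
# Comments : This plugin opens the (IPv4) protocols to enable
# IPv6 tunneling. Only works with AIF 1.9+ !
#
# Author : (C) Copyright 2010 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.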
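#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
# ACCEPTs IPv4 protocol 41 (IPv6-in-IPv4 encapsulation) in EXT_INPUT_CHAIN
# from every tunnel server in IPV6_OVER_IPV4_SERVER on every interface in
# IPV6_OVER_IPV4_IF. The source restriction is the only thing keeping
# encapsulated traffic from arbitrary hosts out, so keep the server list to
# the tunnel endpoints actually in use.
# Globals:  IPV6_OVER_IPV4_SERVER, IPV6_OVER_IPV4_IF, INDENT (read)
# Returns:  0
plugin_start() {
  local src interface

  # Enable (allow) IPv6 tunnel traffic
  ####################################
  echo "${INDENT}Allowing IPv6 tunnel for $IPV6_OVER_IPV4_SERVER (INET) to interface(s): $IPV6_OVER_IPV4_IF"

  IFS=' ,'
  for src in $IPV6_OVER_IPV4_SERVER; do
    for interface in $IPV6_OVER_IPV4_IF; do
      ip4tables -A EXT_INPUT_CHAIN -s $src -i $interface -p 41 -j ACCEPT
    done
  done

  return 0
}

# Plugin stop function
# Removes exactly the ACCEPT rules plugin_start added, so a stop no longer
# leaves the protocol-41 openings behind (the other plugins undo their rules
# on stop as well). Delete errors are ignored: the main script may already
# have flushed EXT_INPUT_CHAIN.
# Globals:  IPV6_OVER_IPV4_SERVER, IPV6_OVER_IPV4_IF (read)
# Returns:  0
plugin_stop() {
  local src interface

  IFS=' ,'
  for src in $IPV6_OVER_IPV4_SERVER; do
    for interface in $IPV6_OVER_IPV4_IF; do
      ip4tables -D EXT_INPUT_CHAIN -s $src -i $interface -p 41 -j ACCEPT 2>/dev/null
    done
  done

  return 0
}

# Plugin status function
# Returns:  0 (no output at present)
plugin_status() {
  return 0
}

# Check sanity of eg. environment
# Globals:  IPV6_OVER_IPV4_IF, IPV6_OVER_IPV4_SERVER, INDENT (read)
# Returns:  0 when both are set, 1 otherwise (message on stderr)
plugin_sanity_check() {
  if [ -z "$IPV6_OVER_IPV4_IF" ] || [ -z "$IPV6_OVER_IPV4_SERVER" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/90ids-protection.plugin0000644000000000000000000001371612055611115030470 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - IDS-protection plugin =-
#
PLUGIN_NAME="IDS-protection plugin"
PLUGIN_VERSION="1.1a"
PLUGIN_CONF_FILE="ids-protection.conf"
#
# Last changed : October 8, 2010
# Requirements : kernel 2.6 + ipt_recent or xt_recent
# : AIF 1.9.2k (and later)
# Comments : This implements IDS protection aka Intrusion-Detection-System.
# It will block remote hosts trying to eg. scan/access your
# system on firewalled ports.
# Updated for mixed IPv4/IPv6
#
# Author : (C) Copyright 2007-2010 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.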
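#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------

# Plugin start function
# Every NEW packet that reaches POST_INPUT_DROP_CHAIN (i.e. was about to be
# dropped) on an IDS interface is recorded per source in the "idschk" recent
# list, unless the source is trusted, the packet is ICMP or the port is
# excluded. INPUT_CHAIN then drops (and rate-limited logs) all traffic from a
# source that exceeded IDS_MAX_RATE1 hits in IDS_MAX_TIME1 seconds or
# IDS_MAX_RATE2 hits in IDS_MAX_TIME2 seconds.
# NOTE(review): xt_recent rejects --hitcount values above its
# ip_pkt_list_tot module parameter - confirm the configured rates fit.
# Globals:  IPTABLES (set by the mainline), IDS_* settings, EXT_IF, LOGLEVEL,
#           IPV6_DETECTED, INDENT (read); IDS_INTERFACE (defaulted to EXT_IF)
# Returns:  0
plugin_start() {
  if [ "$IPV6_DETECTED" = "1" ] && [ "$IDS_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new IDS_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N IDS_LOG_DROP 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -A IDS_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:IDS violation: "
  $IPTABLES -A IDS_LOG_DROP -j DROP

  # Create new IDS_CHK to insert IDS checker + whitelist:
  $IPTABLES -N IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_CHK

  if [ -n "$IDS_TRUSTED_HOSTS" ]; then
    # Create whitelist:
    echo "${INDENT}Allowing bypass of IDS protection checks for: $IDS_TRUSTED_HOSTS"
    IFS=' ,'
    for host in $(ip_range "$IDS_TRUSTED_HOSTS"); do
      $IPTABLES -A IDS_CHK -s $host -j RETURN
    done
  fi

  # We also ignore ICMP traffic since we can not reliably check it for IDS
  $IPTABLES -A IDS_CHK -p icmp -j RETURN

  if [ -n "$IDS_EXCLUDE_TCP" ]; then
    echo "${INDENT}Excluding IDS check for TCP port(s): $IDS_EXCLUDE_TCP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_TCP; do
      $IPTABLES -A IDS_CHK -p tcp --dport $port -j RETURN
    done
  fi

  if [ -n "$IDS_EXCLUDE_UDP" ]; then
    echo "${INDENT}Excluding IDS check for UDP port(s): $IDS_EXCLUDE_UDP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_UDP; do
      $IPTABLES -A IDS_CHK -p udp --dport $port -j RETURN
    done
  fi

  # Record the source address of everything that got this far
  $IPTABLES -A IDS_CHK -m recent --set --name idschk
  $IPTABLES -A IDS_CHK -m recent --update --name idschk

  if [ -z "$IDS_INTERFACE" ]; then
    IDS_INTERFACE="$EXT_IF"
  fi

  IFS=' ,'
  for interface in $IDS_INTERFACE; do
    # Create rate1 & rate2 checker:
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME1 --hitcount $IDS_MAX_RATE1 --name idschk -j IDS_LOG_DROP
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME2 --hitcount $IDS_MAX_RATE2 --name idschk -j IDS_LOG_DROP

    # Insert rule into the POST_INPUT_DROP_CHAIN chain:
    $IPTABLES -A POST_INPUT_DROP_CHAIN -i $interface -m state --state NEW -j IDS_CHK
  done

  return 0
}

# Plugin stop function
# Removes the per-interface rules that reference IDS_LOG_DROP/IDS_CHK before
# deleting the chains: -X fails (silently, because of 2>/dev/null) while a
# rule still jumps to the chain, which previously left both chains behind
# after a stop. Delete errors are ignored because the main script may already
# have flushed INPUT_CHAIN and POST_INPUT_DROP_CHAIN.
# Globals:  IPTABLES, IDS_* settings, EXT_IF (read); IDS_INTERFACE (defaulted)
# Returns:  0
plugin_stop() {
  local interface

  # Same default as plugin_start so the -D specs match what was added
  if [ -z "$IDS_INTERFACE" ]; then
    IDS_INTERFACE="$EXT_IF"
  fi

  IFS=' ,'
  for interface in $IDS_INTERFACE; do
    $IPTABLES -D INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME1 --hitcount $IDS_MAX_RATE1 --name idschk -j IDS_LOG_DROP 2>/dev/null
    $IPTABLES -D INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME2 --hitcount $IDS_MAX_RATE2 --name idschk -j IDS_LOG_DROP 2>/dev/null
    $IPTABLES -D POST_INPUT_DROP_CHAIN -i $interface -m state --state NEW -j IDS_CHK 2>/dev/null
  done

  $IPTABLES -F IDS_CHK
  $IPTABLES -X IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -X IDS_LOG_DROP 2>/dev/null

  return 0
}

# Plugin status function
# Returns:  0 (no output at present)
plugin_status() {
  return 0
}

# Check sanity of eg. environment
# Globals:  IDS_MAX_RATE1, IDS_MAX_TIME1, IDS_MAX_RATE2, IDS_MAX_TIME2, INDENT (read)
# Returns:  0 when all four thresholds are set, 1 otherwise (message on stderr)
plugin_sanity_check() {
  if [ -z "$IDS_MAX_RATE1" ] || [ -z "$IDS_MAX_TIME1" ] || [ -z "$IDS_MAX_RATE2" ] || [ -z "$IDS_MAX_TIME2" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # IPv4-only or mixed IPv4/IPv6 wrapper, depending on IDS_IPV6_ENABLE
    if [ "$IDS_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi

    unset IPTABLES
  else
    PLUGIN_RET_VAL=0
  fi
fi
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50multiroute.plugin0000644000000000000000000001714412055611115027731 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Multirouting plugin =-
#
PLUGIN_NAME="Multirouting plugin"
PLUGIN_VERSION="0.31BETA (EXPERIMENTAL!)"
PLUGIN_CONF_FILE="multiroute.conf"
#
# Last changed : March 17, 2009
# Requirements : iproute2 (package) + kernel 2.6 with the following options set in:
# Networking, Networking support, TCP/IP networking:
# CONFIG_IP_ADVANCED_ROUTER=y (IP: advanced router)
# CONFIG_IP_MULTIPLE_TABLES=y (IP: policy routing)
# CONFIG_IP_ROUTE_MULTIPATH=y (IP: equal cost multipath)
#
# Comments : This plugin enables IP multirouting (load balancing). Note
# that it does NOT support redundant connections (fallback when
# one of the links is down). This is NOT a limitation of this
# plugin, but of the current Linux kernel that does not support
# this(yet). To obtain the information needed to configure this plugin
# use the 'ifconfig' and 'route' commands.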
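#
# Author             : (C) Copyright 2005-2009 by Arno van Amersfoort
# Homepage           : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email              : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                      (note: you must remove all spaces and substitute the @ and the .
#                       at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Returns 0 when $1 is a non-empty string of decimal digits with a value > 0.
# 'ip route ... weight N' needs a positive integer; anything else makes the
# nexthop definition fail at start time, so it is rejected here instead.
multiroute_is_posint()
{
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# Write 0 to the rp_filter sysctl of one interface, if that sysctl exists.
# Arguments : $1 = interface name
multiroute_disable_rp_filter()
{
  local sysctl_file="/proc/sys/net/ipv4/conf/$1/rp_filter"

  if [ -w "$sysctl_file" ]; then
    echo "0" >"$sysctl_file"
  else
    echo "${INDENT}WARNING: $sysctl_file not writable, rp_filter left unchanged for $1" >&2
  fi
}

# Populate the policy-routing table for one external link: a source-based
# lookup rule, the link's own default route and the route back to the LAN.
# Arguments : $1 = table number, $2 = external IP, $3 = gateway, $4 = interface
# Globals   : MULTIROUTE_INT_NET, MULTIROUTE_INT_IP, INDENT (read)
# Returns   : status of the last failing 'ip' command, 0 when all succeeded
multiroute_setup_table()
{
  local table="$1" ext_ip="$2" gateway="$3" iface="$4" rv=0

  echo "${INDENT}Setup source IP routing for $ext_ip"
  ip rule add from "$ext_ip" lookup "$table" || rv=$?

  echo "${INDENT}Setting default route for $iface to $gateway (table $table)"
  ip route replace default via "$gateway" dev "$iface" table "$table" || rv=$?

  echo "${INDENT}Setting route for $MULTIROUTE_INT_NET to $MULTIROUTE_INT_IP (table $table)"
  ip route replace "$MULTIROUTE_INT_NET" via "$MULTIROUTE_INT_IP" table "$table" || rv=$?

  return $rv
}

# Plugin start function
# Globals : MULTIROUTE_* (read), RP_FILTER_DISABLE (read)
# Returns : 0 when every routing change succeeded, else the status of the
#           last 'ip' command that failed (the old default route is deleted
#           before the multipath route is added, so a failure here matters)
plugin_start()
{
  local rv=0

  if [ "$RP_FILTER_DISABLE" = "1" ]; then
    # In some cases the rp_filter gives some problems, so we disable it and
    # rely on the anti-spoof rules in the firewall. This removes the kernel's
    # own source-address validation on both external links, so those firewall
    # anti-spoof rules are then the only check against spoofed sources there.
    echo "${INDENT}Disabling RP_FILTER..."
    multiroute_disable_rp_filter "$MULTIROUTE_EXT_IF1"
    multiroute_disable_rp_filter "$MULTIROUTE_EXT_IF2"
  fi

  # Purge, just in case
  ip rule del from "$MULTIROUTE_EXT_IP1" lookup 1 2>/dev/null
  ip rule del from "$MULTIROUTE_EXT_IP2" lookup 2 2>/dev/null

  # Setup source IP routing rules for external interface 1 and 2
  multiroute_setup_table 1 "$MULTIROUTE_EXT_IP1" "$MULTIROUTE_EXT_ROUTER1" "$MULTIROUTE_EXT_IF1" || rv=$?
  multiroute_setup_table 2 "$MULTIROUTE_EXT_IP2" "$MULTIROUTE_EXT_ROUTER2" "$MULTIROUTE_EXT_IF2" || rv=$?

  # Destroy old routes
  ip route del default via "$MULTIROUTE_EXT_ROUTER1" dev "$MULTIROUTE_EXT_IF1" 2>/dev/null
  ip route del default via "$MULTIROUTE_EXT_ROUTER2" dev "$MULTIROUTE_EXT_IF2" 2>/dev/null

  # Setup the actual loadbalancing
  echo "${INDENT}Enabling loadbalancing"
  echo "${INDENT} Adding external interface $MULTIROUTE_EXT_IF1, gw=$MULTIROUTE_EXT_ROUTER1, weight=$MULTIROUTE_EXT_WEIGHT1"
  echo "${INDENT} Adding external interface $MULTIROUTE_EXT_IF2, gw=$MULTIROUTE_EXT_ROUTER2, weight=$MULTIROUTE_EXT_WEIGHT2"
  # The single default routes were just deleted; if this fails the host has
  # no default route at all, so the status is propagated to the caller.
  ip route add default equalize \
    nexthop via "$MULTIROUTE_EXT_ROUTER1" dev "$MULTIROUTE_EXT_IF1" weight "$MULTIROUTE_EXT_WEIGHT1" \
    nexthop via "$MULTIROUTE_EXT_ROUTER2" dev "$MULTIROUTE_EXT_IF2" weight "$MULTIROUTE_EXT_WEIGHT2" || rv=$?

  # Flush route cache
  # echo "1" >/proc/sys/net/ipv4/route/flush
  ip route flush cache

  return $rv
}

# Plugin stop function
# Returns : 0 when the single default route could be restored, else its status
plugin_stop()
{
  local rv=0

  echo "${INDENT}Removing lookup rules"
  ip rule del from "$MULTIROUTE_EXT_IP1" lookup 1
  ip rule del from "$MULTIROUTE_EXT_IP2" lookup 2

  # NOTE(review): the multipath default route added by plugin_start is not
  # deleted explicitly; if the 'ip route add' below fails with 'File exists'
  # on your kernel, remove the multipath route first - confirm on the target.
  ip route del default via "$MULTIROUTE_EXT_ROUTER1" dev "$MULTIROUTE_EXT_IF1" 2>/dev/null
  ip route del default via "$MULTIROUTE_EXT_ROUTER2" dev "$MULTIROUTE_EXT_IF2" 2>/dev/null

  # Set default route to the first interface
  echo "${INDENT}Setting default (single) route to $MULTIROUTE_EXT_ROUTER1 on interface $MULTIROUTE_EXT_IF1"
  ip route add default via "$MULTIROUTE_EXT_ROUTER1" dev "$MULTIROUTE_EXT_IF1" || rv=$?

  # Flush route cache
  # echo "1" >/proc/sys/net/ipv4/route/flush
  ip route flush cache

  return $rv
}

# Plugin status function: dump the rule and route tables to stdout
plugin_status()
{
  ip rule show
  ip route show

  return 0
}

# Check sanity of eg. environment
# Globals : MULTIROUTE_EXT_WEIGHT1/2 (defaulted to 1 when empty), other
#           MULTIROUTE_* (read)
# Returns : 0 when all required settings are present and both weights are
#           positive integers, 1 otherwise
plugin_sanity_check()
{
  # Set default weight, if not specified
  if [ -z "$MULTIROUTE_EXT_WEIGHT1" ]; then
    MULTIROUTE_EXT_WEIGHT1=1
  fi
  # Set default weight, if not specified
  if [ -z "$MULTIROUTE_EXT_WEIGHT2" ]; then
    MULTIROUTE_EXT_WEIGHT2=1
  fi

  # A non-numeric weight used to make 'test' error out (status 2), which the
  # 'if' read as "config fine"; the explicit integer check closes that gap.
  if [ -z "$MULTIROUTE_EXT_IF1" ] || [ -z "$MULTIROUTE_EXT_ROUTER1" ] || [ -z "$MULTIROUTE_EXT_IP1" ] || \
     [ -z "$MULTIROUTE_EXT_IF2" ] || [ -z "$MULTIROUTE_EXT_ROUTER2" ] || [ -z "$MULTIROUTE_EXT_IP2" ] || \
     [ -z "$MULTIROUTE_INT_IP" ] || [ -z "$MULTIROUTE_INT_NET" ] || \
     ! multiroute_is_posint "$MULTIROUTE_EXT_WEIGHT1" || ! multiroute_is_posint "$MULTIROUTE_EXT_WEIGHT2"; then
    printf "\033[40m\033[1;31m ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or for stop/status when the plugin was loaded earlier
  if [ "$ENABLED" = "1" ] || { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } || { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi

# --- tar archive member header (not part of this plugin); next file follows ---
# ././@LongLink0000000000000000000000000000015000000000000011561 Lustar rootrootarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/ssh-brute-force-protection.CHANGELOGarno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/ssh-brute-force-protection.CHANGE0000644000000000000000000000253312055611115032172 0ustar rootroot
# Version 1.1 (September 21, 2010)
# ------------------------------------
# * Updated for mixed IPv4/IPv6
#
# Version 0.34BETA (February 19, 2008)
# ------------------------------------
# * Minor tweak for PLUGIN_RET_VAL
#
# Version 0.33BETA (February 13, 2008)
# ------------------------------------
# + Updated according to the new plugin template
#
# Version 0.32BETA (January 30, 2008)
# ------------------------------------
# + Updated for new config file location / detection
#
# Version 0.31BETA (December 18, 2007)
# ------------------------------------
# * Layout changes
# ! Fixed bug in port routine, rendering the plugin useless
# !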
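# No port configured will now fallback to port 22
#
# Version 0.30BETA (November 21, 2007)
# ------------------------------------
# * Updated for new plugin model (with PLUGIN_CMD) + better layout
# + Added SSH_BFP_PORTS to allow the user to modify the SSH port used
#
# Version 0.24BETA (May 25, 2007)
# -------------------------------
# + Added variable sanity check
# * Changes some variable names
#
# Version 0.23BETA (December 28, 2006)
# ------------------------------------
# + Added dual rate checkers. You can now use one for a short interval and one for a long interval
# + Separate config file (new plugin standard)
# + Misc. cosmetic changes
#
# Version 0.2BETA (October 20, 2006)
# ---------------------------------
# + Added SSH trusted hosts variable for whitelisting of certain hosts
#
# --- tar archive member header (not part of the changelog); next file follows ---
# arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/dyndns-host-open-helper0000755000000000000000000002006512055611115030543 0ustar rootroot
#!/bin/bash

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="dyndns-host-open.conf"

# Location of the main configuration file for the firewall
##########################################################
CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf

# Check if the main config file exists and if so load it
########################################################
if [ -e "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
else
  echo "** ERROR: Could not read configuration file $CONFIG_FILE!" >&2
  echo "** Please, check the file's location and (root) rights." >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
#########################################################
if [ -n "$ENV_FILE" ]; then
  . "$ENV_FILE"
elif [ -f /usr/local/share/arno-iptables-firewall/environment ]; then
  . /usr/local/share/arno-iptables-firewall/environment
elif [ -f /usr/share/arno-iptables-firewall/environment ]; then
  . /usr/share/arno-iptables-firewall/environment
else
  echo "** ERROR: The environment file (ENV_FILE) has not been specified" >&2
  echo "** in the configuration file. Try upgrading your config-file!" >&2
  exit 2
fi

# Define some global variables
INDENT=' '

# If HOST_CACHE_FILE is not defined, fallback to old DYNDNS variable
if [ -n "$HOST_CACHE_FILE" ]; then
  DYNDNS_HOST_CACHE="$HOST_CACHE_FILE"
else
  DYNDNS_HOST_CACHE="/var/tmp/aif_dyndns_host_cache"
fi

# Refuse a cache path that is a symlink or not a regular file owned by us.
# The default cache lives in /var/tmp, which every local user can write to:
# a file planted there would be read by the old-cache fallback below (and its
# content ends up in ACCEPT rules), and a planted symlink would redirect the
# '>' truncation done in the mainline.
# Arguments : $1 = path to check (may not exist yet)
# Returns   : 0 when the path is absent or a regular file owned by us, 1 otherwise
dyndns_cache_path_ok()
{
  local path="$1"

  if [ ! -e "$path" ] && [ ! -L "$path" ]; then
    return 0
  fi
  if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -O "$path" ]; then
    echo "** ERROR: Refusing to use cache file \"$path\" (symlink, not a regular file, or not owned by us)! **" >&2
    return 1
  fi
  return 0
}

# Check sanity of environment
# Returns : 0 when the plugin config is usable, the DYNDNS_CHAIN is present
#           and hooked into EXT_INPUT_CHAIN, a resolver is available and the
#           cache paths are safe to use; 1 otherwise (reason on stderr)
sanity_check()
{
  if [ -z "$DYNDNS_HOST_OPEN_TCP" ] && [ -z "$DYNDNS_HOST_OPEN_UDP" ] && \
     [ -z "$DYNDNS_HOST_OPEN_IP" ] && [ -z "$DYNDNS_HOST_OPEN_ICMP" ] && \
     [ -z "$DYNDNS_HOST_MISC" ] || [ -z "$DYNDNS_HOST_OPEN_CRON" ]; then
    echo "** ERROR: The plugin config file is not (properly) setup!" >&2
    return 1
  fi

  # Never trust a pre-existing cache file in a shared directory
  dyndns_cache_path_ok "$DYNDNS_HOST_CACHE" || return 1
  dyndns_cache_path_ok "${DYNDNS_HOST_CACHE}.new" || return 1

  # Check whether chain exists
  # NOTE(review): the chain is probed via ip4tables here but the rules are
  # added through 'iptables' in dyndns_host_open - confirm both wrappers
  # address the same (IPv4) table in the environment file.
  if ! ip4tables -nL DYNDNS_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: DYNDNS_CHAIN does not exist! **" >&2
    return 1
  fi

  # Check if chain is inserted in the main chains
  if ! ip4tables -nL EXT_INPUT_CHAIN | grep -q '^DYNDNS_CHAIN '; then
    echo "** ERROR: DYNDNS_CHAIN is not inserted in the EXT_INPUT_CHAIN chain! **" >&2
    return 1
  fi

  if ! check_command dig nslookup; then
    echo "** ERROR: Required command dig (or nslookup) is not available!" >&2
    return 1
  fi

  return 0
}

# Look a hostname up in a cache file ("<host> <ip>" per line).
# The first field is compared literally; the old 'grep "^$host "' treated the
# dots in a hostname as regex wildcards and could return another host's IP.
# Arguments : $1 = hostname, $2 = cache file
# Outputs   : the cached IP on stdout (empty when absent or the file is missing)
dyndns_cache_lookup()
{
  [ -f "$2" ] || return 1
  awk -v h="$1" '$1 == h { print $2; exit }' "$2"
}

# Resolve hostname to an IP and store in our (new) cache
# Arguments : $1 = hostname to resolve
# Returns   : Resolved host's IP in "$host_ip" (empty when nothing could be
#             found); status 0 on success, non-zero when resolution failed -
#             also when an old cached IP was re-used, so callers must test
#             "$host_ip" rather than the status
dyndns_get_host_cached()
{
  host_ip=""
  local host="$1"
  local retval=0

  # Don't try to resolve stuff that's already numeric
  if is_numeric_ip "$host"; then
    host_ip="$host"
    return 0
  fi

  # Check whether we already have it in our (new) cache
  host_ip="$(dyndns_cache_lookup "$host" "${DYNDNS_HOST_CACHE}.new")"
  if [ -n "$host_ip" ]; then
    return 0
  fi

  printf '%sResolving host "%s" -> ' "$INDENT" "$host"
  DNS_FAST_FAIL_ONCE="$DYNDNS_DNS_FAST_FAIL"
  host_ip="$(gethostbyname "$host")"
  retval=$?
  if [ -z "$host_ip" ] || [ $retval -ne 0 ]; then
    # Try to get from (old) cache, if allowed
    if [ "$DYNDNS_OLD_CACHE_FALLBACK" = "1" ]; then
      host_ip="$(dyndns_cache_lookup "$host" "$DYNDNS_HOST_CACHE")"
    fi

    # (Re)check $host_ip
    if [ -z "$host_ip" ]; then
      printf "\033[40m\033[1;31mFAILED!\n\033[0m"
      echo "** ERROR($retval): Unresolvable host \"$host\", and no old IP to fallback on! **" >&2
      # An empty answer with status 0 is still a failure for our callers
      [ $retval -eq 0 ] && retval=1
    else
      echo "$host_ip (cached)"
      echo "** WARNING($retval): Unresolvable host \"$host\". Re-using old IP ($host_ip)! **" >&2
    fi
  else
    echo "$host_ip"
  fi

  echo "$host $host_ip" >>"${DYNDNS_HOST_CACHE}.new"

  return $retval
}

# Append one ACCEPT rule per (interface, destination IP) for one resolved host.
# Arguments : $1 = hostname (diagnostics only), $2 = resolved source IP,
#             $3 = comma-separated interfaces, $4 = comma-separated dest IPs,
#             $5.. = extra iptables match arguments (protocol/port/type)
# Returns   : 1 when $2 is empty (nothing added), else 0
# Note      : callers run with IFS=',' so the lists split on commas; this
#             function relies on that and does not touch IFS itself.
dyndns_add_accept_rules()
{
  local host="$1" src_ip="$2" ifaces="$3" dests="$4" interface destip
  shift 4

  if [ -z "$src_ip" ]; then
    # An empty -s argument makes iptables misparse the following flag, so no
    # usable rule could result anyway; say so explicitly and skip the host.
    echo "** WARNING: No IP for host \"$host\", skipping its rule(s) ($*)! **" >&2
    return 1
  fi

  for interface in $ifaces; do
    for destip in $dests; do
      iptables -A DYNDNS_CHAIN -i "$interface" -s "$src_ip" -d "$destip" "$@" -j ACCEPT
    done
  done
  return 0
}

# Rebuild DYNDNS_CHAIN from the DYNDNS_HOST_OPEN_* settings, resolving each
# host through dyndns_get_host_cached (which fills the new cache as it goes).
# Globals : DYNDNS_HOST_OPEN_TCP/UDP/IP/ICMP, DYNDNS_HOST_MISC (read);
#           interfaces/destips/hosts/ports/protos are set by parse_rule
dyndns_host_open()
{
  local rule host port proto

  # Flush the DYNDNS_CHAIN
  iptables -F DYNDNS_CHAIN

  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_TCP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"

      IFS=','
      for host in $hosts; do
        dyndns_get_host_cached "$host"   # Returns $host_ip
        for port in $ports; do
          dyndns_add_accept_rules "$host" "$host_ip" "$interfaces" "$destips" -p tcp --dport "$port"
        done
      done
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_UDP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"

      IFS=','
      for host in $hosts; do
        dyndns_get_host_cached "$host"   # Returns $host_ip
        for port in $ports; do
          dyndns_add_accept_rules "$host" "$host_ip" "$interfaces" "$destips" -p udp --dport "$port"
        done
      done
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_IP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"

      IFS=','
      for host in $hosts; do
        dyndns_get_host_cached "$host"   # Returns $host_ip
        for proto in $protos; do
          dyndns_add_accept_rules "$host" "$host_ip" "$interfaces" "$destips" -p "$proto"
        done
      done
    fi
  done

  # Add ICMP to allow for certain hosts
  #####################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_ICMP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_ICMP "interfaces-destips-hosts"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"

      IFS=','
      for host in $hosts; do
        dyndns_get_host_cached "$host"   # Returns $host_ip
        dyndns_add_accept_rules "$host" "$host_ip" "$interfaces" "$destips" -p icmp --icmp-type echo-request
      done
    fi
  done

  # Store additional hosts in our cache, although this is a no-op for this
  # plugin, it does allow use of our name-cache by eg. other (aware) plugins
  unset IFS
  for host in $DYNDNS_HOST_MISC; do
    dyndns_get_host_cached "$host"
  done
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  exit 1
fi

# Source the plugin config file
. "$CONF_FILE"

# Only proceed if enabled and the environment is ok
if [ "$ENABLED" = "1" ] && sanity_check; then
  # This is a critical section so we use a lockfile. /var/tmp is shared with
  # all local users, so a stale or foreign lockfile stops this helper until it
  # is removed by hand; the holder is reported below to make that visible.
  lockfile="/var/tmp/aif_dyndns_helper.lock"
  if ( set -o noclobber; echo "$$" > "$lockfile") 2> /dev/null; then
    # Setup int handler. Capture the status first: '$?' evaluated after the
    # rm would be rm's status, not the one we are exiting with.
    trap 'rv=$?; rm -f "$lockfile"; exit $rv' INT TERM EXIT

    # Create new empty file
    printf "" >"${DYNDNS_HOST_CACHE}.new"

    # Parse rules
    dyndns_host_open

    # Remove old cache file
    rm -f "$DYNDNS_HOST_CACHE"

    # Make our new cache file active
    mv "${DYNDNS_HOST_CACHE}.new" "$DYNDNS_HOST_CACHE"

    # Remove lockfile
    rm -f "$lockfile"

    # Disable int handler
    trap - INT TERM EXIT

    exit 0
  else
    echo "Failed to acquire lockfile: $lockfile." >&2
    echo "Held by $(cat "$lockfile")" >&2
  fi
fi

exit 1

# --- tar archive member header (not part of this script); next file follows ---
# arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/traffic-accounting.CHANGELOG0000644000000000000000000000442112055611115031104 0ustar rootroot
# Version 1.20-BETA (October 23, 2012)
# ------------------------------------
# * No longer generate/use our own hostcache but the one generated by the DynDNS-plugin. Requires DynDNS-plugin v1.20+
#
# Version 1.12 (July 14, 2011)
# ---------------------------
# ! We should call the helper script on a restart(), if required
#
# Version 1.11 (May 13, 2011)
# ---------------------------
# * Since we have support for the restart() command now the DNS cache file can be removed on stop/start
#
# Version 1.1BETA (October 19, 2010)
# ------------------------------------
# * Added plugin_restart() function support for AIF 2.0.0
# * Updated for mixed IPv4/IPv6
#
# Version 1.01BETA (March 1, 2010)
# --------------------------------
# ! Adding hosts when the plugin/firewall was already running didn't work properly
#
# Version 1.0BETA (February 15, 2010)
# ----------------------------------
# + Adding proper caches + additional (tweak) settings for the config file
# * Pre-resolve all hostnames first before updating the rules in our helper script
# * Numerous tweaks + fixes
#
# Version 0.33BETA (September 2, 2009)
# ------------------------------------
# ! Fixed log rotation
#
# Version 0.32BETA (August 3, 2009)
# ---------------------------------
# ! Fixed rules in the input/output chains didn't return causing traffic to also be counted for the catch-all (0/0) rule
#
# Version 0.31BETA (July 14, 2009)
# --------------------------------
# !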
Fixed catch-all rule didn't work because iptables translates 0/0 to 0.0.0.0/0 Version 0.30BETA (July 1, 2009) ------------------------------- ! Fixed stupid bug that caused an infinite number of RETURN rules to build up in the traffic chains + Also show *other* traffic generated by undefined hosts * Temporary stuff now stored in /var/tmp + Have option to enable/disable DynDNS-try-first Version 0.23BETA (January 7, 2009) ---------------------------------- ! Fixes in the helper script Version 0.22BETA (November 19, 2008) ------------------------------------ ! Fix incorrect helper script name Version 0.21BETA (November 17, 2008) ------------------------------------ * Minor tweaks Version 0.2BETA (October 12, 2008) ---------------------------------- + Major cleanup + Better error handeling + Adding lockfile checking Version 0.1ALPHA (October 10, 2008) ------------------------------------ + First initial version arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/ipsec-vpn.CHANGELOG0000644000000000000000000000527612055611115027253 0ustar rootrootVersion 0.83BETA (March 9, 2011) -------------------------------- ! Removed Bash-ism Version 0.82BETA (November 2, 2010) ----------------------------------- + Added IPv6 support for matching AH headers * removed unnecessary EXT_INPUT_CHAIN rule Version 0.81BETA (September 19, 2010) ---------------------------------- * Changed '-t nat' calls via ip4tables Version 0.80BETA (August 23, 2009) ---------------------------------- + Use 'modprobe' wrapper instead of module_probe. Version 0.71BETA (June 30, 2009) -------------------------------- * Fixed IFS regression introduced in 0.70BETA. Version 0.70BETA (June 23, 2009) -------------------------------- * Added policy support to SPOOF_CHK rule to allow spoofing of local addresses on VPN connections (since IPsec address pool might come out of local subnet). 
Version 0.61BETA (May 1, 2009) ------------------------------ * Corrected some comments Version 0.60BETA (March 18, 2009) --------------------------------- + Support 1.9.0c stop + Added back support for IPSEC_VPN_NETS. Version 0.50BETA (February 26, 2009) ------------------------------------ * Transitioned to use the "policy" module to detect policy being applied to IPSec traffic, as well as to detect its state at the various stages (pre- and post-encapsulation/decapsulation). + Decrepecated the IPSEC_VPN_NETS variable for now, though it might come in handy in the future for detecting routing problems and policy mismatches. Version 0.41BETA (February 14, 2009) ------------------------------------ + Reintroduced NATting regression with 0.40BETA... sigh. Version 0.40BETA (February 9, 2009) ----------------------------------- + Added ipt_policy module + Use -m policy to see if packet is the result of decapsulating an AH or ESP packet; if so, don't process it in the EXT_INPUT_CHAIN + Fixed NAT issue where packets that were about to be encapsulated got NATted Version 0.31BETA (August 11, 2008) ---------------------------------- + Unknown Version 0.30BETA (July 20, 2008) -------------------------------- * Renamed plugin to "ipsec-vpn" + Added NAT traversal + Added OPEN AH UDP port (just in case) Version 0.25BETA (February 19, 2008) ------------------------------------ * Minor tweak for PLUGIN_RET_VAL Version 0.24BETA (February 13, 2008) ------------------------------------ + Updated according to the new plugin template Version 0.23BETA (January 30, 2008) ----------------------------------- + Updated for new config file location / detection Version 0.22BETA (May 25, 2007) ------------------------------- + Added variable sanity check * Changed some variable names Version 0.21BETA (January 9, 2006) ---------------------------------- + Updated for new plugin system (separate conf etc.) 
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/ids-protection.CHANGELOG0000644000000000000000000000072112055611115030300 0ustar rootrootVersion 1.1 (September 21, 2010) ---------------------------- * Updated for mixed IPv4/IPv6 Version 1.02 (July 27, 2009) ---------------------------- + Implemented TCP & UDP port excludes * Always ignore ICMP packets for IDS checking Version 1.01 (May 9, 2009) -------------------------- + Version bump + minor tweaks * Option to set the interfaces to protect Version 0.21BETA (August 11, 2008) ---------------------------------- * First initial working version arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/traffic-shaper.CHANGELOG0000644000000000000000000000344112055611115030235 0ustar rootrootVersion 1.2.04 (October 17, 2010) -------------------------------- + Added SHAPER_IF variable to specify a single interface should EXT_IF contain more than one Version 1.2.02 (September 11, 2009) -------------------------------- + Reformat informational message about down- and up-load speeds. Version 1.2.01 (Augest 23, 2009) -------------------------------- + Call 'modprobe' directly and not module_probe as before. Version 1.2.00 (August 21, 2009) -------------------------------- + Give the actual downstream/upstream bandwidth for visual confirmation. Version 1.1.01 (March 22, 2009) ------------------------------- + Changed invocations of iptables to use short command names. + Now unload modules on 'stop'. + Check for presence of 'ip' and 'tc' during sanity routine. Version 1.1.00 (February 9, 2009) --------------------------------- + Added support for wildcard interface names (e.g. "ppp+"). Version 1.0.01 (December 6, 2008) --------------------------------- + Lonnie added support to DSCP, and HTB. Version 0.24BETA (December 1, 2008) ----------------------------------- ! Fixed last change broke busybox setups Version 0.23BETA (November 19, 2008) ------------------------------------ ! 
Fix error on Ubuntu Version 0.22BETA (November 17, 2008) ------------------------------------ - Cleanups Version 0.21BETA (August 11, 2008) ---------------------------------- + Added support for multiple interfaces VERSION 0.2BETA (February 19, 2008) ----------------------------------- ! Minor tweak for PLUGIN_RET_VAL + Updated according to the new plugin template + Changed config variables to have SHAPER_ prefix (since they might be shared by other similar plugins with different schedulers, like 'red' or 'cbq') VERSION 0.1BETA (February 12, 2008) ----------------------------------- + Initial version arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/transparent-proxy.CHANGELOG0000644000000000000000000000066212055611115031061 0ustar rootrootVersion 1.03 (September 19, 2010) -------------------------------- * Changed to be IPv4-only Version 1.02 (September 8, 2008) -------------------------------- ! Fixed incorrect configuration filename Version 1.01 (September 4, 2008) ------------------------------------ ! Fixed accidental DOS formating of the plugin Version 1.0 (August 9, 2008) ------------------------------------ * Simply move of the code from the main script arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/60traffic-shaper.plugin0000644000000000000000000003433112055611115030414 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - HTB & HFSC traffic shaper plugin =- # PLUGIN_NAME="Traffic-Shaper plugin" PLUGIN_VERSION="1.2.04 (htb: well tested, hfsc: experimental)" PLUGIN_CONF_FILE="traffic-shaper.conf" # # Last changed : October 17, 2010 # Requirements : kernel 2.6 + iproute # Comments : This plugin will shape traffic. 
It borrows heavily on # the logic of Maciej's original script (below), with # some minor changes to the actual bins that traffic # goes into (I made the catch-all [default] for traffic # be a higher priority than browsing or bulk data # transfer). # [LRA]: Added htb support from astshape in AstLinux # [LRA]: Classify by DSCP class # Author : (C) Copyright 2008-2010 by Philip Prindeville # Credits : Maciej Blizinski # Credits : Kristian Kielhofner # Credits : Lonnie Abelbeck # Homepage : http://www.voip-info.org/wiki/view/QoS+Linux+with+HFSC # http://media.blizinski.pl/code/hfsc.gz # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : philipp AT redfish-solutions DOT com # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Traffic classes: # 1:10 Highest Priority - Low Volume (ICMP, tcp-ACK, NTP, etc.) # 1:20 Streaming Media - VoIP (RTP, IAX2, etc.) # 1:30 Interactive - Shell (ssh, telnet, X, Vnc, etc.) # 1:40 Default (SIP-signaling) # 1:50 Bulk data transfer (HTTP, HTTPS, POP3, SMTP, FTP, etc.) 
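# 1:60 Lowest priority (P2P)

# Helper functions

# Returns 0 when $1 is a non-empty string of decimal digits with a value > 0.
# UPLINK/DOWNLINK are used in $(( )) arithmetic and printf %d below, so
# anything else must be rejected before the shaper is built.
shaper_is_posint()
{
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# Append the CLASSIFY + RETURN rule pair for one protocol/port match.
# Arguments : $1 = tcp|udp, $2 = --dport|--sport, $3 = port, $4 = class id
shaper_classify_port()
{
  iptables -t mangle -A SHAPER_CHAIN -m "$1" -p "$1" "$2" "$3" -j CLASSIFY --set-class "$4"
  iptables -t mangle -A SHAPER_CHAIN -m "$1" -p "$1" "$2" "$3" -j RETURN
}

# Classify egress traffic for one protocol/port spec into a tc class.
# Arguments : $1 = 't'<port> (TCP) or 'u'<port> (UDP), $2 = class id (e.g. 1:20)
# Globals   : SHAPER_LOCAL_SERVER_PORTS, INDENT (read)
# Returns   : 1 on an unknown protocol prefix (nothing added), else 0
setclassbyport()
{
  local pport="$1" class="$2" port sport proto IFS

  case "$pport" in
    t*) proto=tcp; port="${pport#t}" ;;
    u*) proto=udp; port="${pport#u}" ;;
    *)
      printf "\033[40m\033[1;31m%sERROR: Unknown protocol/port %s!\n\033[0m" "$INDENT" "$pport" >&2
      return 1
      ;;
  esac

  # We assume that on egress traffic, only the destination port is
  # significant, i.e. that we're not running any servers locally.
  shaper_classify_port "$proto" --dport "$port" "$class"

  # If we are running servers locally, include the protocol/port from the
  # SHAPER_LOCAL_SERVER_PORTS variable to also generate a --sport classify rule.
  IFS=' ,'
  for sport in $SHAPER_LOCAL_SERVER_PORTS; do
    if [ "$sport" = "$pport" ]; then
      shaper_classify_port "$proto" --sport "$port" "$class"
      break
    fi
  done

  return 0
}

# Run setclassbyport for every entry of a space/comma separated port list.
# Arguments : $1 = port list, $2 = class id
shaper_classify_port_list()
{
  local port IFS

  IFS=' ,'
  for port in $1; do
    setclassbyport "$port" "$2"
  done
}

# Map the configured port lists onto the traffic classes.
classify_by_port()
{
  # Automatically set UDP 123 (NTP) to highest priority class
  setclassbyport u123 1:10

  shaper_classify_port_list "$SHAPER_STREAMINGMEDIA_PORTS" 1:20
  shaper_classify_port_list "$SHAPER_INTERACTIVE_PORTS" 1:30
  shaper_classify_port_list "$SHAPER_BULKDATA_PORTS" 1:50
  shaper_classify_port_list "$SHAPER_P2P_PORTS" 1:60
}

# Classify packets by size/flags rather than by port.
classify_special_packets()
{
  # To speed up downloads while an upload is going on, put short ACK
  # packets in the high priority class:
  iptables -t mangle -A SHAPER_CHAIN \
    -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK \
    -m length --length :64 \
    -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN \
    -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK \
    -m length --length :64 \
    -j RETURN

  # put large (512+) icmp packets in bulk category
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length 512: \
    -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length 512: \
    -j RETURN

  # ICMP in the high priority class
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length :512 \
    -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length :512 \
    -j RETURN
}

# Classify by DSCP class
# Assume VoIP audio is marked as EF, and SIP as CS3
# Default: --set-class 1:40
#   CS0, CS3, AF31, AF32, AF33, AF21, AF22, AF23
# NOTE: the DSCP value is taken as the sending host set it and nothing here
# re-marks it, so any host whose traffic leaves via SHAPER_IF can place its
# own packets in the top class. Fine on a trusted LAN; re-mark on ingress
# otherwise.
classify_by_dscp_class()
{
  local map

  for map in CS7=1:10 CS6=1:10 EF=1:20 CS5=1:30 CS4=1:30 AF41=1:30 AF42=1:30 AF43=1:30 \
             CS2=1:50 AF11=1:50 AF12=1:50 AF13=1:50 CS1=1:60; do
    iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class "${map%=*}" -j CLASSIFY --set-class "${map#*=}"
  done
}

# Police incoming traffic on one device to DOWNLINK kbit/s.
# Arguments : $1 = device name
# Globals   : DOWNLINK (read)
incoming_traffic_limit()
{
  local dev="$1"

  # Try to control the incoming traffic as well.
  # Set up ingress qdisc
  tc qdisc add dev "$dev" handle ffff: ingress

  # filter *everything* to it (0.0.0.0/0), drop everything that's
  # coming in too fast:
  tc filter add dev "$dev" parent ffff: protocol ip prio 100 u32 match ip src \
    0.0.0.0/0 police rate "${DOWNLINK}kbit" burst "$((1*DOWNLINK/10))k" drop flowid :1
}

# Plugin start function: dispatch on SHAPER_TYPE (htb unless 'hfsc')
plugin_start()
{
  case "$SHAPER_TYPE" in
    hfsc) plugin_start_hfsc ;;
    *) plugin_start_htb ;;
  esac
}

# Create SHAPER_CHAIN in the mangle table and fill it with the classifiers.
# Arguments : $1 = scheduler name shown in the banner (hfsc|htb)
# Globals   : DOWNLINK, UPLINK, SHAPER_IF, INDENT (read)
shaper_setup_chain()
{
  printf "${INDENT}Shaping as %d/%d kb/s using '%s' for interface: %s\n" "$DOWNLINK" "$UPLINK" "$1" "$SHAPER_IF"

  iptables -t mangle -N SHAPER_CHAIN

  classify_special_packets
  classify_by_port
  classify_by_dscp_class
}

# Run "$1 <dev>" for every device matched by SHAPER_IF (wildcards expanded),
# police its ingress, then hook SHAPER_CHAIN into mangle/POSTROUTING for the
# (unexpanded) interface spec.
# Arguments : $1 = name of the per-device setup function
shaper_for_each_if()
{
  local eif eif1 IFS

  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs "$eif"); do
      "$1" "$eif1"
      incoming_traffic_limit "$eif1"
    done

    # add SHAPER_CHAIN chain to mangle table in iptables
    iptables -t mangle -A POSTROUTING -o "$eif" -j SHAPER_CHAIN
  done
}

# Install the HFSC qdisc and class tree on one device.
# Arguments : $1 = device name
# Globals   : UPLINK (read)
shaper_hfsc_setup_dev()
{
  local dev="$1"

  # add HFSC root qdisc
  tc qdisc add dev "$dev" root handle 1: hfsc default 40

  # add main rate limit class
  tc class add dev "$dev" parent 1: classid 1:1 hfsc \
    sc rate "${UPLINK}kbit" ul rate "${UPLINK}kbit"

  # Highest Priority: guarantee 2/10 uplink for 50ms, then 1/10
  tc class add dev "$dev" parent 1:1 classid 1:10 hfsc \
    sc m1 "$((2*UPLINK/10))kbit" d 50ms m2 "$((1*UPLINK/10))kbit" \
    ul rate "${UPLINK}kbit"

  # Streaming Media: guarantee 5/10 uplink for 200ms, then 4/10
  tc class add dev "$dev" parent 1:1 classid 1:20 hfsc \
    sc m1 "$((5*UPLINK/10))kbit" d 200ms m2 "$((4*UPLINK/10))kbit" \
    ul rate "${UPLINK}kbit"

  # Interactive traffic: guarantee 3/10 uplink for 50ms, then 3/10
  tc class add dev "$dev" parent 1:1 classid 1:30 hfsc \
    sc m1 "$((3*UPLINK/10))kbit" d 50ms m2 "$((3*UPLINK/10))kbit" \
    ul rate "${UPLINK}kbit"

  # Default traffic: don't guarantee for 500ms, then guarantee 3/20
  tc class add dev "$dev" parent 1:1 classid 1:40 hfsc \
    sc m1 0 d 500ms m2 "$((3*UPLINK/20))kbit" \
    ul rate "${UPLINK}kbit"

  # Bulk data traffic: don't guarantee for 2 seconds, then guarantee 1/20
  tc class add dev "$dev" parent 1:1 classid 1:50 hfsc \
    sc m1 0 d 2s m2 "$((1*UPLINK/20))kbit" \
    ul rate "${UPLINK}kbit"

  # P2P traffic: don't guarantee anything
  tc class add dev "$dev" parent 1:1 classid 1:60 hfsc \
    sc m1 0 d 4s m2 1kbit \
    ul rate "${UPLINK}kbit"
}

# HFSC start function
plugin_start_hfsc()
{
  # Some required modules are already loaded by the main script:
  modprobe ip_nat
  # modprobe ip_table
  modprobe sch_hfsc

  shaper_setup_chain hfsc
  shaper_for_each_if shaper_hfsc_setup_dev

  return 0
}

# Install the HTB qdisc and class tree (with SFQ leaves) on one device.
# Arguments : $1 = device name
# Globals   : UPLINK (read)
shaper_htb_setup_dev()
{
  local dev="$1" cls

  #install root HTB, point default traffic to 1:40
  tc qdisc add dev "$dev" root handle 1: htb default 40

  #shape everything at $UPLINK speed to prevent queing
  tc class add dev "$dev" parent 1: classid 1:1 htb rate "${UPLINK}kbit" burst 6k

  # highest priority class 1:10
  tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${UPLINK}kbit" burst 6k prio 1
  # streaming media class 1:20
  tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "${UPLINK}kbit" burst 6k prio 2
  # interactive class 1:30
  tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "${UPLINK}kbit" burst 6k prio 3
  # default class 1:40
  tc class add dev "$dev" parent 1:1 classid 1:40 htb rate "$((9*UPLINK/10))kbit" burst 6k prio 4
  # bulk class 1:50
  tc class add dev "$dev" parent 1:1 classid 1:50 htb rate "$((8*UPLINK/10))kbit" burst 6k prio 5
  # p2p class 1:60
  tc class add dev "$dev" parent 1:1 classid 1:60 htb rate "$((5*UPLINK/10))kbit" burst 6k prio 6

  # all get Stochastic Fairness
  for cls in 10 20 30 40 50 60; do
    tc qdisc add dev "$dev" parent "1:$cls" handle "$cls:" sfq perturb 10
  done
}

# HTB start function
plugin_start_htb()
{
  # Some required modules are already loaded by the main script:
  modprobe ip_nat

  shaper_setup_chain htb
  shaper_for_each_if shaper_htb_setup_dev

  return 0
}

# Plugin stop function: remove qdiscs, the POSTROUTING hook and SHAPER_CHAIN
plugin_stop()
{
  local eif eif1 IFS

  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs "$eif"); do
      # Reset everything to a known state (cleared)
      tc qdisc del dev "$eif1" root 2>/dev/null
      tc qdisc del dev "$eif1" ingress 2>/dev/null
    done

    # Flush and delete tables
    iptables -t mangle -D POSTROUTING -o "$eif" -j SHAPER_CHAIN 2>/dev/null
  done

  iptables -t mangle -F SHAPER_CHAIN
  iptables -t mangle -X SHAPER_CHAIN 2>/dev/null

  return 0
}

# Plugin status function: show qdisc/class/filter statistics per device and
# the SHAPER_CHAIN counters
plugin_status()
{
  local eif IFS

  IFS=' ,'
  # tc doesn't take wildcards, so we need expansion done here
  for eif in $(wildcard_ifs $SHAPER_IF); do
    echo "${INDENT}[qdisc]"
    tc -s qdisc show dev "$eif"
    echo ""
    echo "${INDENT}[class]"
    tc -s class show dev "$eif"
    echo ""
    echo "${INDENT}[filter]"
    tc -s filter show dev "$eif"
  done
  echo ""
  echo "${INDENT}[iptables]"
  iptables -t mangle -L SHAPER_CHAIN -v -x 2>/dev/null

  return 0
}

# Sanity check environment before actual start
# Returns : 0 when UPLINK and DOWNLINK are positive integers, exactly one
#           interface spec is configured and 'tc' is available; 1 otherwise
plugin_sanity_check()
{
  local count eif IFS

  # Empty or non-numeric rates would blow up in the $(( )) arithmetic later
  if ! shaper_is_posint "$UPLINK" || ! shaper_is_posint "$DOWNLINK"; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\n\033[0m" >&2
    return 1
  fi

  count=0
  IFS=' ,'
  for eif in $SHAPER_IF; do
    count=$((count+1))
  done
  if [ "$count" -ne 1 ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Only one external interface is supported!\n\033[0m" >&2
    return 1
  fi

  if ! check_command tc; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required binary \"tc\" is not available!\n\033[0m" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Set default for old config file
SHAPER_IF="$EXT_IF"

# Check where to find conf
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or for stop/status when the plugin was loaded earlier
  if [ "$ENABLED" = "1" ] || { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } || { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi

# --- tar archive member header (not part of this plugin); next file follows ---
# arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/transparent-dnat.CHANGELOG0000644000000000000000000000137312055611115030626 0ustar rootroot
# Version 0.30BETA (March 17, 2009)
# ---------------------------------
# * Cleanup
# * Misc.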
tweaks

Version 0.23BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.22BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.21BETA (January 30, 2008)
-----------------------------------
* Changed hardcoded iptables to iptables

Version 0.2BETA (November 15, 2007)
-----------------------------------
* Plugin cleanup
* Changed OUTPUT to PREROUTING chain (cleaner + faster)
* Updated for new plugin model (with PLUGIN_CMD) + better layout

Version 0.1BETA (May 26, 2006)
------------------------------------
* Initial version (courtesy of Rok Potocnik)

# --- tar archive member boundary: 50transparent-dnat.plugin follows ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50transparent-dnat.plugin0000644000000000000000000001146612055611115031006 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Transparent DNAT plugin =-
#
PLUGIN_NAME="Transparent DNAT plugin"
PLUGIN_VERSION="0.30BETA (EXPERIMENTAL!)"
PLUGIN_CONF_FILE="transparent-dnat.conf"
#
# Last changed : March 19, 2009
# Requirements : kernel 2.6 + ip_nat + iptable_nat
# Comments : This plugin enables transparent DNAT for internal hosts for
#            certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http)
#            which should be redirected from a certain INET address to an
#            internal address.
#
# Author : (C) Copyright 2007-2009 by Arno van Amersfoort
# Credits : Rok Potocnik for his initial idea
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------

# Plugin start function: for every internal interface and configured port,
# add a PREROUTING DNAT (external IP -> internal IP) plus a POSTROUTING
# MASQUERADE toward the internal host (so the hairpinned reply returns via
# this box).
# Globals : INT_IF, DNAT_TCP_PORTS, DNAT_UDP_PORTS, DNAT_MY_INTERNAL_IP,
#           DNAT_MY_EXTERNAL_IP, INDENT (read); IFS (written, not restored)
# Helpers : ip4tables is defined outside this file (not visible here)
# Returns : always 0
plugin_start() {
  # Some required modules are already loaded by the main script:
  modprobe ip_nat
  modprobe iptable_nat
  # modprobe ip_table

  echo "${INDENT}Using internal IP $DNAT_MY_INTERNAL_IP & external IP $DNAT_MY_EXTERNAL_IP"

  if [ -n "$DNAT_TCP_PORTS" ]; then
    echo "${INDENT}Enabling transparent DNAT for TCP port(s): $DNAT_TCP_PORTS"
    IFS=' ,'
    for interface in $INT_IF; do
      for port in $DNAT_TCP_PORTS; do
        ip4tables -t nat -A POSTROUTING -o $interface -p tcp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE
        ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p tcp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP
      done
    done
  else
    echo "${INDENT}No TCP ports configured"
  fi

  if [ -n "$DNAT_UDP_PORTS" ]; then
    echo "${INDENT}Enabling transparent DNAT for UDP port(s): $DNAT_UDP_PORTS"
    IFS=' ,'
    for interface in $INT_IF; do
      for port in $DNAT_UDP_PORTS; do
        ip4tables -t nat -A POSTROUTING -o $interface -p udp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE
        ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p udp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP
      done
    done
  else
    echo "${INDENT}No UDP ports configured"
  fi

  return 0
}

# Plugin stop function
# NOTE(review): nothing here removes the nat rules appended by plugin_start;
# presumably the main script flushes the nat table on stop/restart (not
# visible here) - otherwise rules would accumulate across restarts.
plugin_stop() {
  return 0
}

# Plugin status function (nothing to report)
plugin_status() {
  return 0
}

# Check sanity of eg. environment: both addresses must be configured.
# Returns : 0 when usable, 1 otherwise
plugin_sanity_check() {
  if [ -z "$DNAT_MY_INTERNAL_IP" -o -z "$DNAT_MY_EXTERNAL_IP" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file.
  # NOTE: it is executed as shell code, so it must only be writable by root.
  . "$CONF_FILE"

  # stop/status are honoured even when disabled, as long as a load file exists
  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi

# --- tar archive member boundary: 50dsl-ppp-modem.plugin follows ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50dsl-ppp-modem.plugin0000644000000000000000000001741012055611115030172 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - (A)DSL PPP Modem plugin =-
#
PLUGIN_NAME="(A)DSL PPP Modem plugin"
PLUGIN_VERSION="1.0g"
PLUGIN_CONF_FILE="dsl-ppp-modem.conf"
#
# Last changed : October 20, 2011
# Requirements : aif 1.9.2i+ & kernel 2.6 & iptable_nat & ip_nat & ipt_MASQUERADE
# Comments : This implements support to (A)DSL PPP modems
#
#
# Author : (C) Copyright 2008-2011 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function: anti-spoof rules for the modem net, a MODEM_CHAIN
# that only accepts traffic from the modem (plus DHCP) and logs/drops the
# rest, and optional LAN -> modem management access (FORWARD + MASQUERADE).
# Globals : MODEM_IF, MODEM_IF_IP, MODEM_IP, MODEM_INTERNAL_NET, LOGLEVEL,
#           INDENT (read); IFS (written, not restored)
# Helpers : ip4tables, ip_range are defined outside this file (not visible here)
# Returns : always 0
# NOTE(review): the modem net is hard-coded as a /24 of MODEM_IF_IP, and
# MODEM_IF is passed as a single value to "-i"/"-o" although it is also
# iterated with IFS=' ,' below - presumably a single interface is expected
# (plugin_sanity_check compares it as one value); confirm.
plugin_start() {
  echo "${INDENT}Applying rules for (A)DSL modem on interface: $MODEM_IF"

  if [ -n "$MODEM_IF_IP" ]; then
    echo "${INDENT}Setting up (antispoof) MODEM net: $MODEM_IF_IP/24"

    # Anti spoof protection for the modem net: the modem net's source
    # addresses may only arrive on MODEM_IF (rate-limited log, then drop)
    #########################################
    ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" \
      -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed (MODEM) packet: "
    ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" -j DROP
  fi

  # Create & flush our modem chain
  ip4tables -N MODEM_CHAIN 2>/dev/null
  ip4tables -F MODEM_CHAIN
  ip4tables -N MODEM_CHAIN_HOOK 2>/dev/null
  ip4tables -F MODEM_CHAIN_HOOK

  # This is only used if you have a (A)DSL modem using ppp (connected to an
  # ethernet interface)
  #########################################################################
  if [ -n "$MODEM_IF_IP" ]; then
    if [ -n "$MODEM_IP" ]; then
      echo "${INDENT}Using MODEM IP $MODEM_IP"

      # Only allow traffic from the MODEM (check IP) to this machine
      ##############################################################
      ip4tables -A MODEM_CHAIN -s $MODEM_IP -d $MODEM_IF_IP -j ACCEPT
    else
      # Only allow traffic from the MODEM (no IP, so no checking) to this machine
      ###########################################################################
      ip4tables -A MODEM_CHAIN -d $MODEM_IF_IP -j ACCEPT
    fi
  elif [ -n "$MODEM_IP" ]; then
    echo "${INDENT}Using MODEM IP $MODEM_IP"

    # Only allow traffic from the MODEM (check IP) to this machine
    ##############################################################
    ip4tables -A MODEM_CHAIN -s $MODEM_IP -j ACCEPT
  else
    # Only allow traffic from the MODEM (no IP, so no checking) to this machine
    # (i.e. with neither address configured, everything on MODEM_IF is accepted)
    ###########################################################################
    ip4tables -A MODEM_CHAIN -j ACCEPT
  fi

  # Allow DHCP packets (client discover/request: 0.0.0.0 -> broadcast, 68 -> 67)
  ip4tables -A MODEM_CHAIN -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT

  # Everything else is logged & dropped
  ip4tables -A MODEM_CHAIN \
    -m limit --limit 1/s -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped MODEM packet: "
  ip4tables -A MODEM_CHAIN -j DROP

  IFS=' ,'
  for interface in $MODEM_IF; do
    ip4tables -A MODEM_CHAIN_HOOK -i $interface -j MODEM_CHAIN
  done

  # Add our MODEM chain hook
  ip4tables -A INPUT -j MODEM_CHAIN_HOOK

  # Manage your modemsettings from computers on your LAN. For example with your browser via http://{MODEM_IP}
  ###########################################################################################################
  if [ -n "$MODEM_IP" -a -n "$MODEM_INTERNAL_NET" ]; then
    echo "${INDENT}Enabling (ADSL) modem (@$MODEM_IP) management for hosts(s): $MODEM_INTERNAL_NET"
    IFS=' ,'
    for net in `ip_range "$MODEM_INTERNAL_NET"`; do
      # Forwarding is allowed to anything out of MODEM_IF; only traffic to the
      # modem itself is masqueraded
      ip4tables -A FORWARD -o $MODEM_IF -s $net -j ACCEPT
      ip4tables -t nat -A POSTROUTING -o $MODEM_IF -s $net -d $MODEM_IP -j MASQUERADE
    done
  fi

  return 0
}

# Plugin stop function: unhook and delete the modem chains.
# NOTE: the SPOOF_CHK, FORWARD and nat rules added by plugin_start are not
# removed here (presumably flushed by the main script - not visible).
# Returns : always 0
plugin_stop() {
  ip4tables -D INPUT -j MODEM_CHAIN_HOOK 2>/dev/null
  ip4tables -F MODEM_CHAIN_HOOK
  ip4tables -X MODEM_CHAIN_HOOK 2>/dev/null
  ip4tables -F MODEM_CHAIN
  ip4tables -X MODEM_CHAIN 2>/dev/null

  return 0
}

# Plugin status function (nothing to report)
plugin_status() {
  return 0
}

# Check sanity of eg. environment: MODEM_IF must be set, must differ from
# every EXT_IF / INT_IF entry and must not be the loopback device.
# Globals : MODEM_IF, EXT_IF, INT_IF, INDENT (read); IFS (written, not restored)
# Helpers : check_interface is defined outside this file (not visible here)
# Returns : 0 when usable; 1 unset, 2 clashes with EXT_IF, 3 with INT_IF, 4 loopback
plugin_sanity_check() {
  if [ -z "$MODEM_IF" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  # Check whether MODEM_IF exists (only a note: a ppp/ethernet link may come up later)
  ###############################
  if ! check_interface $MODEM_IF; then
    printf "\033[40m\033[1;31m${INDENT}NOTE: Modem interface \"$MODEM_IF\" does NOT exist (yet?)\033[0m\n" >&2
  fi

  # Make sure EXT_IF != MODEM_IF
  ##############################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "$MODEM_IF" ]; then
      printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" >&2
      printf "\033[40m\033[1;31m${INDENT} MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
      return 2
    fi
  done

  # Make sure INT_IF != MODEM_IF
  ##############################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "$MODEM_IF" ]; then
      printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" >&2
      printf "\033[40m\033[1;31m${INDENT} MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
      return 3
    fi
  done

  # Make sure MODEM_IF != lo / 127.0.0.1
  ######################################
  if [ "$MODEM_IF" = "lo" -o "$MODEM_IF" = "127.0.0.1" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" >&2
    printf "\033[40m\033[1;31m${INDENT} loopback device! Please, check the configuration file.\033[0m\n" >&2
    return 4
  fi

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file.
  # NOTE: it is executed as shell code, so it must only be writable by root.
  . "$CONF_FILE"

  # stop/status are honoured even when disabled, as long as a load file exists
  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi

# --- tar archive member boundary: multiroute.CHANGELOG text below, kept verbatim ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/multiroute.CHANGELOG0000644000000000000000000000234312055611115027550 0ustar rootrootVersion 0.29BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.28BETA (February 18, 2008)
------------------------------------
* Added some extra del rules to purge the rule & route tables on start/stop

Version 0.27BETA (February 18, 2008)
------------------------------------
!
Fixed several typos/bugs

Version 0.26BETA (February 17, 2008)
------------------------------------
! Fixed double || syntax error in sanity_check()

Version 0.25BETA (February 16, 2008)
------------------------------------
+ Implemented stop() section which will disable multirouting on stop

Version 0.24BETA (February 14, 2008)
------------------------------------
+ Added weight options for the external interfaces

Version 0.23BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.22BETA (January 30, 2008)
-----------------------------------
+ Updated for new config file location / detection

Version 0.21BETA (May 25, 2007)
------------------------------------
+ Added variable sanity check
* Changed some variable names
* Cosmetic improvements

Version 0.20BETA (January 22, 2007)
------------------------------------
* Minor tweaks/changes

# --- tar archive member boundary: 50sip-voip.plugin follows ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/50sip-voip.plugin0000644000000000000000000001004612055611115027260 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - SIP-VOIP plugin =-
#
PLUGIN_NAME="SIP-VOIP plugin"
PLUGIN_VERSION="0.3BETA"
PLUGIN_CONF_FILE="sip-voip.conf"
#
# Last changed : October 13, 2010
# Requirements : kernel 2.6 + ip_conntrack_sip
# Comments : This plugin will allow/enable SIP (VOIP) support
#
# Author : (C) Copyright 2010 by Arno van Amersfoort
# Credits : Philip Prindeville for his initial idea
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function: load the SIP conntrack (and, with NAT, SIP NAT)
# helper for the configured ports and accept SIP/UDP from the remote hosts.
# Globals : SIP_VOIP_PORTS, SIP_VOIP_REMOTE_HOSTS (read, defaulted when empty),
#           NAT, INDENT (read)
# Helpers : kernel_ver_chk is defined outside this file (not visible here)
# Returns : always 0
# NOTE: with SIP_VOIP_REMOTE_HOSTS unset the default "0/0" accepts SIP from
# ANY source on the external input chain; restricting it to the provider's
# hosts limits that exposure.
plugin_start() {
  local port ports="" host IFS

  if [ -z "$SIP_VOIP_PORTS" ]; then
    SIP_VOIP_PORTS="5060"
  fi

  if [ -z "$SIP_VOIP_REMOTE_HOSTS" ]; then
    SIP_VOIP_REMOTE_HOSTS="0/0"
  fi

  # Some required modules are already loaded by the main script:
  modprobe ip_nat
  # modprobe ip_table

  echo "${INDENT}Using SIP UDP for $SIP_VOIP_REMOTE_HOSTS (INET) to port(s): $SIP_VOIP_PORTS"

  # We need the SIP module loaded of course
  IFS=' ,'
  for port in $SIP_VOIP_PORTS; do
    # Check for kernel 2.6.25 or newer: newer kernels take one comma-separated
    # "ports=a,b" parameter, older ones one "ports=x" per port
    if kernel_ver_chk 2 6 25; then
      ports="${ports:-ports=}${ports:+,}$port"
    else
      ports="$ports${ports:+ }ports=$port"
    fi
  done
  IFS=' '
  modprobe ip_conntrack_sip $ports

  # Load the SIP NAT module only when required
  if [ "$NAT" = "1" ]; then
    modprobe ip_nat_sip
  fi

  IFS=' ,'
  for host in $SIP_VOIP_REMOTE_HOSTS; do
    for port in $SIP_VOIP_PORTS; do
      iptables -A EXT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
    done
  done

  return 0
}

# Plugin stop function (rules are presumably flushed by the main script)
plugin_stop() {
  return 0
}

# Plugin status function (nothing to report)
plugin_status() {
  return 0
}

# Sanity check environment before actual start (nothing mandatory to check)
plugin_sanity_check() {
  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  PLUGIN_RET_VAL=0
else
  # Source the plugin config file.
  # NOTE: it is executed as shell code, so it must only be writable by root.
  . "$CONF_FILE"

  # stop/status are honoured even when disabled, as long as a load file exists
  if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if plugin_sanity_check; then
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  else
    PLUGIN_RET_VAL=0
  fi
fi

# --- tar archive member boundary: traffic-accounting-helper (a standalone
# bash script, run from cron) follows ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/traffic-accounting-helper0000755000000000000000000002450012055611115031076 0ustar rootroot#!/bin/bash

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="traffic-accounting.conf"

# Location of the main configuration file for the firewall
##########################################################
CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf

# Check if the main config file exists and if so load it
# (sourced as shell code - it must only be writable by root)
########################################################
if [ -e "$CONFIG_FILE" ]; then
  . $CONFIG_FILE
else
  echo "ERROR: Could not read configuration file $CONFIG_FILE!" >&2
  echo " Please, check the file's location and (root) rights." >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
# (ENV_FILE from the main config wins, then /usr/local/share, then /usr/share)
#########################################################
if [ -n "$ENV_FILE" ]; then
  . "$ENV_FILE"
else
  if [ -f /usr/local/share/arno-iptables-firewall/environment ]; then
    . /usr/local/share/arno-iptables-firewall/environment
  else
    if [ -f /usr/share/arno-iptables-firewall/environment ]; then
      . /usr/share/arno-iptables-firewall/environment
    else
      printf "\033[40m\033[1;31mERROR: The environment file (ENV_FILE) has not been specified\033[0m\n" >&2
      printf "\033[40m\033[1;31m in the configuration file. Try upgrading your config-file!\033[0m\n" >&2
      exit 2
    fi
  fi
fi

# Define some global variables
INDENT=' '
VERBOSE=0
if [ "$1" = "-v" ]; then
  VERBOSE=1
fi

# If HOST_CACHE_FILE is not defined, fallback to old DYNDNS variable
# NOTE(review): the fallback lives in /var/tmp, a world-writable directory;
# the cache maps host names to the addresses used in the accounting rules,
# so a root-only location (via HOST_CACHE_FILE) is preferable - confirm.
if [ -n "$HOST_CACHE_FILE" ]; then
  TA_HOST_CACHE="$HOST_CACHE_FILE"
else
  TA_HOST_CACHE="/var/tmp/aif_dyndns_host_cache"
fi

# Check sanity of eg. environment: the plugin config must be set, the
# accounting chains must exist and be hooked into INPUT/OUTPUT, and a
# resolver tool must be available.
# Globals : TRAFFIC_ACCOUNTING_CRON (read)
# Helpers : ip4tables, check_command are defined in the environment file (not visible)
# Returns : 0 when usable, 1 otherwise (message on stderr)
sanity_check() {
  if [ -z "$TRAFFIC_ACCOUNTING_CRON" ]; then
    printf "** ERROR: The plugin config file is not properly set! **" >&2
    return 1
  fi

  # Check whether chains exists
  if ! ip4tables -nL ACCOUNTING_INPUT_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: ACCOUNTING_INPUT_CHAIN does not exist! **" >&2
    return 1
  fi

  if ! ip4tables -nL ACCOUNTING_OUTPUT_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: ACCOUNTING_OUTPUT_CHAIN does not exist! **" >&2
    return 1
  fi

  # Check if chains inserted in the main chains
  if ! ip4tables -nL INPUT |grep -q '^ACCOUNTING_INPUT_CHAIN '; then
    echo "** ERROR: ACCOUNTING_INPUT_CHAIN is not inserted in the INPUT chain! **" >&2
    return 1
  fi

  if ! ip4tables -nL OUTPUT |grep -q '^ACCOUNTING_OUTPUT_CHAIN '; then
    echo "** ERROR: ACCOUNTING_OUTPUT_CHAIN is not inserted in the OUTPUT chain! **" >&2
    return 1
  fi

  if ! check_command dig nslookup; then
    echo "** ERROR: Required command dig (or nslookup) is not available!" >&2
    return 1
  fi

  return 0
}

# Parse/get hostname.
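# Resolve hostname to an IP and store in our (new) cache
# Arguments : $1 = hostname (or numeric IP) to resolve
# Globals   : INDENT, TRAFFIC_ACCOUNTING_USE_HOST_CACHE, TA_HOST_CACHE (read);
#             host_ip (written - deliberately NOT local, the caller reads it)
# Helpers   : is_numeric_ip, gethostbyname come from the environment file (not visible)
# Outputs   : resolution progress on stdout
# Returns   : Resolved host's IP in "$host_ip" (empty when resolution failed)
traffic_accounting_get_host() {
  local host="$1"
  host_ip=""

  if is_numeric_ip "$host"; then
    host_ip="$host"
  else
    printf "${INDENT}Resolving \"$host\" -> "

    if [ "$TRAFFIC_ACCOUNTING_USE_HOST_CACHE" != "0" ] && \
       [ -n "$TA_HOST_CACHE" ] && [ -e "$TA_HOST_CACHE" ]; then
      # Exact match on the first field; the name is passed via -v so that
      # regex metacharacters in it (dots, etc.) are never interpreted
      host_ip="$(awk -v h="$host" '$1 == h { print $2; exit }' "$TA_HOST_CACHE")"
      if [ -n "$host_ip" ]; then
        echo "$host_ip (cached)"
      fi
    fi

    if [ -z "$host_ip" ]; then
      # Perform normal lookup
      host_ip="$(gethostbyname "$host")"
      if [ -n "$host_ip" ]; then
        echo "$host_ip"
      else
        printf "\033[40m\033[1;31mFAILED!\n\033[0m"
      fi
    fi
  fi
}

# Bring one accounting chain in sync for the current host: when the host
# already has a rule (matched on $old_ip) it is replaced in place with a rule
# for $host_ip and its byte counter is carried over; otherwise a fresh rule is
# added (appended for the catch-all 0.0.0.0/0 / ::/0 entries, inserted at the
# top for everything else).
# Arguments : $1 = chain name
#             $2 = match option: -s (input chain) or -d (output chain)
#             $3 = field number of the address in the IPv4 listing
#             $4 = field number of the address in the IPv6 listing
#             $5 = verbose label ("in_action" / "out_action")
# Globals   : old_ip, host_ip, IPV6_SUPPORT, VERBOSE, EOL (read);
#             ipt_value (written: carried-over counter, 0 for a new rule);
#             IFS (set to $EOL, as the original code did, not restored)
# Helpers   : get_numeric_ip_version, ip4tables, ip6tables, iptables come
#             from the environment file (not visible here)
_ta_sync_chain() {
  local chain="$1" match="$2" v4field="$3" v6field="$4" label="$5"
  local cmd="" field="" LINE ipt_ip
  local LCOUNT=0 found=0

  ipt_value=0

  if [ -n "$old_ip" ]; then
    get_numeric_ip_version "$host_ip"
    case $? in
      4) cmd=ip4tables; field="$v4field" ;;
      6) if [ "$IPV6_SUPPORT" = "1" ]; then
           cmd=ip6tables; field="$v6field"
         fi ;;
    esac

    if [ -n "$cmd" ]; then
      # Walk the chain listing (header lines stripped) to find the rule number
      # of the old address, then replace that rule
      IFS=$EOL
      for LINE in $($cmd -xnvL "$chain" |sed -e "1,2d"); do
        ipt_ip="$(echo "$LINE" |awk -v f="$field" '{ print $f }')"
        LCOUNT=$(($LCOUNT + 1))
        if [ "$ipt_ip" = "$old_ip" ]; then
          $cmd -R "$chain" $LCOUNT $match $host_ip -j RETURN
          if [ "$VERBOSE" = "1" ]; then
            printf "${label}=update "
          fi
          found=1
          ipt_value="$(echo "$LINE" |awk '{ print $2 }')"
          break
        fi
      done
    fi
  fi

  if [ $found -eq 0 ]; then
    if [ "$VERBOSE" = "1" ]; then
      printf "${label}=add "
    fi
    if [ "$host_ip" = "0.0.0.0/0" -o "$host_ip" = "::/0" ]; then
      iptables -A "$chain" $match $host_ip -j RETURN
    else
      iptables -I "$chain" 1 $match $host_ip -j RETURN
    fi
    # Preset values to zero as none exist yet
    ipt_value=0
  fi
}

# (Re)build the accounting rules for every configured host plus the default
# routes, carry the byte counters over into /var/log/traffic-accounting.log
# and keep the previous log as .log.old.
# Globals   : TRAFFIC_ACCOUNTING_HOSTS, IPV6_SUPPORT, VERBOSE, INDENT (read);
#             DEFAULT_ADDR, host_ip, old_* / ipt_* / new_* values, IFS (written)
# Outputs   : progress on stdout (more with -v)
# Returns   : 1 when the temporary log could not be created, 0 otherwise
traffic_accounting_setup_rules() {
  local new_file

  # Touch the log file (just in case they doesn't exist yet):
  touch /var/log/traffic-accounting.log

  # Create the new log next to the final one, with an unpredictable name:
  # a fixed path under /tmp could be pre-created (e.g. as a symlink) by any
  # local user and would then be truncated and overwritten by root here.
  new_file="$(mktemp /var/log/traffic-accounting.new.XXXXXX)"
  if [ $? -ne 0 ] || [ -z "$new_file" ]; then
    echo "** ERROR: Could not create temporary accounting file! **" >&2
    return 1
  fi

  # Process the input chain
  if [ "$VERBOSE" = "1" ]; then
    echo "Traffic Accounting Hosts:"
    echo "-------------------------"
  fi

  # Also include default unicast route addresses, (0.0.0.0/0 and ::/0)
  DEFAULT_ADDR="0.0.0.0/0"
  if [ "$IPV6_SUPPORT" = "1" ]; then
    DEFAULT_ADDR="$DEFAULT_ADDR ::/0"
  fi

  IFS=' ,'
  for host in $TRAFFIC_ACCOUNTING_HOSTS $DEFAULT_ADDR; do
    if [ "$VERBOSE" = "1" ]; then
      printf "Host=$host "
    fi

    # Previous entry for this host: "<host> <ip> <in> <out>" (first exact
    # match on the host field; the host is not treated as a regex)
    old_entry="$(awk -v h="$host" '$1 == h { print; exit }' /var/log/traffic-accounting.log)"
    old_ip="$(echo "$old_entry" |cut -s -d' ' -f2)"
    old_in_value="$(echo "$old_entry" |cut -s -d' ' -f3)"
    old_out_value="$(echo "$old_entry" |cut -s -d' ' -f4)"

    # If value is non-existant make it zero
    if [ -z "$old_in_value" ]; then
      old_in_value=0
    fi

    # If value is non-existant make it zero
    if [ -z "$old_out_value" ]; then
      old_out_value=0
    fi

    # Get host_ip
    traffic_accounting_get_host "$host"

    # Unresolvable host: skip it (its old entry is dropped from the new log)
    if [ -z "$host_ip" ]; then
      continue
    fi

    echo "${INDENT}Monitoring host \"$host\""

    if [ "$VERBOSE" = "1" ]; then
      printf "old_ip=$old_ip host_ip=$host_ip "
    fi

    # Process input chain (source address; field 8 in the v4, 7 in the v6 listing)
    _ta_sync_chain ACCOUNTING_INPUT_CHAIN -s 8 7 in_action
    ipt_in_value="$ipt_value"

    # Process output chain (destination address; field 9 in the v4, 8 in the v6 listing)
    _ta_sync_chain ACCOUNTING_OUTPUT_CHAIN -d 9 8 out_action
    ipt_out_value="$ipt_value"

    # Calculate new in value
    new_in_value=$(($old_in_value + $ipt_in_value))

    # Calculate new out value
    new_out_value=$(($old_out_value + $ipt_out_value))

    if [ "$VERBOSE" = "1" ]; then
      printf "old_in_val=$old_in_value ipt_in_val=$ipt_in_value new_in_val=$new_in_value old_out_val=$old_out_value ipt_out_val=$ipt_out_value new_out_val=$new_out_value"
    fi

    # Create entry in accounting file
    echo "$host $host_ip $new_in_value $new_out_value" >>"$new_file"

    if [ "$VERBOSE" = "1" ]; then
      printf "\n\n"
    fi
  done

  # FIXME: Don't use old-file
  if [ -e /var/log/traffic-accounting.log ]; then
    if [ -e /var/log/traffic-accounting.log.old ]; then
      rm -f /var/log/traffic-accounting.log.old
    fi
    mv /var/log/traffic-accounting.log /var/log/traffic-accounting.log.old
  fi
  mv "$new_file" /var/log/traffic-accounting.log

  return 0
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  exit 1
else
  # Source the plugin config file.
  # NOTE: it is executed as shell code, so it must only be writable by root.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ]; then
    # Only proceed if environment ok
    if sanity_check; then
      # This is a critical section so we use a lockfile.
      # noclobber makes the redirection O_EXCL, so a pre-existing file (or
      # symlink) at this path makes acquisition fail instead of overwriting it.
      lockfile="/var/tmp/aif_traffic_accounting_helper.lock"
      if ( set -o noclobber; echo "$$" > "$lockfile") 2> /dev/null; then
        # Setup int handler (NOTE: "$?" here is rm's status, not the signal's)
        trap 'rm -f "$lockfile"; exit $?' INT TERM EXIT

        # Create actual rules
        traffic_accounting_setup_rules

        # Remove lockfile
        rm -f "$lockfile"

        # Disable int handler
        trap - INT TERM EXIT

        exit 0
      else
        echo "Failed to acquire lockfile: $lockfile." >&2
        echo "Held by $(cat $lockfile)" >&2
      fi
    fi
  fi
fi

exit 1

# --- tar archive member boundary: linux-upnp-igd.CHANGELOG text below, kept verbatim ---
arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/plugins/linux-upnp-igd.CHANGELOG0000644000000000000000000000134412055611115030217 0ustar rootrootVersion 1.0a (October 10, 2011)
---------------------------------
!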
Iptables negation changed in newer versions from intraposition to extraposition

Version 0.14BETA (August 4, 2008)
---------------------------------
* Plugin should be disabled by default (ENABLED=0)
* Rename to "linux-upnp-igd"

Version 0.13BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.12BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.11 (January 30, 2008)
-------------------------------
+ Updated for new config file location / detection

Version 0.1 (September 5, 2007)
-------------------------------
+ Creation of the first version

arno-iptables-firewall_2.0.1d/share/man/0000755000000000000000000000000012055611116016654 5ustar rootrootarno-iptables-firewall_2.0.1d/share/man/man1/0000755000000000000000000000000012055611116017510 5ustar rootrootarno-iptables-firewall_2.0.1d/share/man/man1/arno-fwfilter.10000644000000000000000000000247612055611115022361 0ustar rootroot.TH "ARNO_FWFILTER" "1" "September 2005" "Michael Hanke" ""
.SH "NAME"
arno\-fwfilter \- a filter script to make iptables firewall logs more readable for humans
.SH "SYNOPSIS"
\fBarno\-fwfilter\fR [\fIOPTIONS\fR]
.SH "DESCRIPTION"
\fBarno\-fwfilter\fR is a pipe filter script that makes the firewall log more readable. Some usage examples are:
.TP
Static firewall log filtering:
arno-fwfilter < logfile
.TP
Realtime firewall logging on tty10:
tail \-\-follow | arno-fwfilter >/dev/tty10 &
.SH "OPTIONS"
.TP
\fB\-\-help\fR, \fB\-h\fR
Print the available options.
.TP
\fB\-\-html\-output\fR, \fB\-o\fR
Use basic HTML to format the output
.TP
\fB\-\-no\-locations\fR, \fB\-l\fR
Do not (try to) obtain the IP's geographical location. By default, http://www.hostip.info/ is visited to get this information.
.TP
\fB\-\-no\-colors\fR, \fB\-c\fR
Disable the use of colors in the output.
.TP \fB\-\-single\-line\fR, \fB\-s\fR Put all information about an event in a single line .SH "SEE ALSO" .BR iptables "(8)", .BR arno\-iptables\-firewall "(8)" .PP The .I http://rocky.eld.leidenuniv.nl/ web site. .SH "AUTHOR" \fBarno\-fwfilter\fR was written by Arno van Amersfoort . .PP This manual page was written by Michael Hanke , for the Debian project (but may be used by others). arno-iptables-firewall_2.0.1d/share/man/man8/0000755000000000000000000000000012055611116017517 5ustar rootrootarno-iptables-firewall_2.0.1d/share/man/man8/arno-iptables-firewall.80000644000000000000000000000461312055611115024156 0ustar rootroot.TH "ARNO-IPTABLES-FIREWALL" "8" "March 14, 2012" "Michael Hanke" "" .SH "NAME" \fBarno\-iptables\-firewall\fR \- Single\- & multi\-homed firewall script with DSL/ADSL support. .SH "SYNOPSIS" .B /etc/init.d/arno\-iptables\-firewall [start|stop|status|force\-reload|restart] .SH "DESCRIPTION" \fBarno\-iptables\-firewall\fP is an iptables configuration script with support for both IPv4 & IPv6. While it is extremely easy to use one can nevertheless use it in quite complicated environments. .P All available options are explained in the extensively documented configuration file. .P The external interface of the system needs to be set up properly in the firewalls configuration file (EXT_IF). The default behavior of the firewall is to deny all incoming connections. .P For additional requirements not covered by the configuration file custom iptables rules can be placed in /etc/arno\-iptables\-firewall/custom\-rules. This file is automatically parsed by the service script. .P See the README file (eg. in .I /usr/(local/)share/doc/arno\-iptables\-firewall) for an example how to manage logging of firewall events through .B syslogd. .P The \fBarno\-fwfilter\fR script can be used to make the firewall logs more readable for humans (see manpage). .P Several plugins for the firewall script are available online. 
Plugins can be downloaded from .I http://rocky.eld.leidenuniv.nl/ Please see the README file for more information. .SH "FILES" .nf .ft B .ft /etc/init.d/arno\-iptables\-firewall system service script /etc/arno\-iptables\-firewall/firewall.conf firewall configuration /etc/arno\-iptables\-firewall/conf.d/ firewall configuration directory /etc/arno\-iptables\-firewall/custom\-rules custom iptables rules /etc/arno\-iptables\-firewall/blocked\-hosts host blacklist /etc/arno\-iptables\-firewall/mac\-addresses mac filter list .fi .LP Please note, that the last two files do exist in the initial configuration and their use is disabled in .B /etc/arno\-iptables\-firewall/firewall.conf .SH "SEE ALSO" .BR iptables "(8)", .BR arno\-fwfilter "(1)", .BR syslog.conf "(5)" .PP The .I http://rocky.eld.leidenuniv.nl/ web site. .SH "AUTHOR" arno\-iptables\-firewall was written by Arno van Amersfoort . .PP This manual page was written by Michael Hanke , for the Debian project (but may be used by others). arno-iptables-firewall_2.0.1d/contrib/0000755000000000000000000000000012055611116016437 5ustar rootrootarno-iptables-firewall_2.0.1d/contrib/Slackware/0000755000000000000000000000000012055611116020353 5ustar rootrootarno-iptables-firewall_2.0.1d/contrib/Slackware/syslog.conf0000644000000000000000000000404212055611115022541 0ustar rootroot# /etc/syslog.conf Example configuration file for syslogd on Slackware (you can optionally use this as a replacement). # This will redirect all kernel-debug logging to file /var/log/firewall.log. # Don't forget to touch(create) /var/log/firewall.log first & set "LOGLEVEL=debug" in the # configuration file (iptables-firewall.conf)! # For info about the format of this file, see "man syslog.conf" # and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some # of these entries; this omits syncing the file after every logging. 
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.

# Uncomment this to see kernel messages on the console.
#kern.*;kern.!=debug					/dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

# Debugging information is logged here.
*.=debug;kern.!=debug					-/var/log/debug

# Logging for iptables
# Create /var/log/firewall.log yourself before (re)starting syslogd and give it
# restrictive permissions (e.g. root-owned, mode 0640): it holds the packet
# details logged by the firewall rules, which you do not want readable by
# every local account.
kern.=debug						-/var/log/firewall.log

# Private authentication message logging:
authpriv.*						-/var/log/secure

# Cron related logs:
cron.*							-/var/log/cron

# Mail related logs:
mail.*							-/var/log/maillog

# Emergency level messages go to all users:
*.emerg							*

# This log is for news and uucp errors:
uucp,news.crit						-/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit					-/var/log/news/news.crit
#news.=err					-/var/log/news/news.err
#news.notice					-/var/log/news/news.notice
arno-iptables-firewall_2.0.1d/contrib/adsl-failover0000755000000000000000000001545712055611115021120 0ustar rootroot#!/bin/bash
# This script was written by Mark Cleverdon 22/11/2007 under the GPL license
# email: mark at lanzarote1.com
#
# For automatic Failover from the main external network provider on failure
# to a dialup modem or UMTS modem connection.
#
# REQUIREMENTS
# You must have IP forwarding enabled in the system.
# ADSL connection with a static IP
# wvdial must be installed and set up with a script that works for your service provider.
# A firewall like arnos iptables firewall script or shorewall etc # # You can set this script in the system cron to check the connection at regular time intervals. # # METHODS USED IN THIS SCRIPT # We have both eth1 and ppp0 as external interfaces in iptables, if both were functioning at the same time # we would have load balancing (which could get expensive), but here we only need one active connection so # all we need to do is to adjust the dynamic IP address of the dialup connection in the firwall when there # is a problem in order to allow routing through the dialup device. Once the emergency is over we can can- # cel the dialup connection and the original routing will continue as usual with no need to adjust # the firewall again. When a new failure happens then the new IP address is assigned to the second external # interface (normally ppp0) and the firewall restarted to allow routing. # # PARAMETERS HERE # The normal external interface (DSL or cable etc) interface="eth1" normal_ext_ip="XXX.XXX.XXX.XXX" # Admin email address for failover notification admin_email="admin@your-domain" # The dialup device PCMCIA UMTS card or regular modem will normally be a ttyS0/1/2/3 etc # But here you need the device that wvdial returns which is generally ppp0 dialup_if="ppp0" # Full path and name of your firewall script I use Arnos iptables firewall firewall="/etc/arno-iptables-firewall.conf" # The /etc/init.d/firewall-script that your system uses to restart the firewall firestarter="/etc/init.d/arno-iptables-firewall" # WARNING if you are not using arnos firewall script you will need to edit the sed commands parameters below # eg. on line 111 of this script # sed 's/\(search string just before substitution \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall # # The wvdial command for dialup (you must set this up previously) # eg. 
this would be like "myserver:#/wvdial internet" on the command line connection="internet" # The following are the ip address of any reliable public server ie. google.com # if all three servers fail then the dialup connection will be started. # But beware of ping_server1, it must be the most reliable of the three because # it is used in further tests on its own. # Further, note it is important to use IP addresses and not domain names because if # your system is totally isolated you will not be able to do name resolution. ping_server1="64.233.167.99" ping_server2="216.109.112.135" ping_server3="66.45.254.244" route add $ping_server1 gw $normal_ext_ip if (ping -w 5 -nq -I $interface $ping_server1 |grep '100%\ packet\ loss' 2>&1>/dev/null) then SERVER1="DOWN" else SERVER1="UP" fi route del $ping_server1 route add $ping_server2 gw $normal_ext_ip if (ping -w 5 -nq -I $interface $ping_server2 |grep '100%\ packet\ loss' 2>&1>/dev/null) then SERVER2="DOWN" else SERVER2="UP" fi route del $ping_server2 route add $ping_server3 gw $normal_ext_ip if (ping -w 5 -nq -I $interface $ping_server3 |grep '100%\ packet\ loss' 2>&1>/dev/null) then SERVER3="DOWN" else SERVER3="UP" fi route del $ping_server3 if [ "$SERVER1" = "DOWN" ] && [ "$SERVER2" = "DOWN" ] && [ "$SERVER3" = "DOWN" ] then echo "WARNING! -- We have an internet connection problem. I will attempt to discover the situation and fix it." if [[ "$interface"="eth1" ]] then echo . # Check to see if we have any connection at all (if not we dial) if (ping -w 5 -nq $ping_server1|grep '100%\ packet\ loss' 2>&1>/dev/null) then # Check for existing wvdial processes that may be hungup if (ps ax|grep wvdial) then echo "finishing any previous hung connection" killall wvdial sleep 15 fi echo . echo "Dialing out ...." wvdial $connection & sleep 25 if (ping -w 5 -nq -I $dialup_if $ping_server1|grep -v '100%\ packet\ loss' 2>&1>/dev/null) then # Pick up the new IP for adjusting the firewall script. 
OUT_IP=`ifconfig|grep -A 2 $dialup_if|grep inet\ addr:|sed 's/.*inet\ addr\:\([0-9]*.[0-9]*.[0-9]*.[0-9]*\).*/\1/g'` echo . echo "New public IP address is <$OUT_IP> from UMTS/dialup device $dialup." echo . echo "Restarting the Firewall routing for new connection." echo . # Make sure the original firewall script is saved (here we datestamp it just in case) cp -p $firewall $firewall.`date +"%d%m%Y%H%M%S"` sed 's/\(NAT_STATIC_IP="$normal_ext_ip \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall >/tmp/firewall.conf mv /tmp/firewall.conf $firewall $firestarter restart # Get myself a copy of all this stuff for a remote firewall setup etc. echo "The ADSL connection has failed">/tmp/ifconfig_ppp0 echo ".">>/tmp/ifconfig_ppp0 echo "The new IP address is $OUT_IP">>/tmp/ifconfig_ppp0 ifconfig $dialup_if>>/tmp/ifconfig_ppp0 echo $OUT_IP>/tmp/FAILOVER_IP mail -s "FAILOVER IP $OUT_IP" $admin_email /tmp/FAILOVER_IP echo "The ADSL connection has failed">/tmp/ifconfig_ppp0 echo ".">>/tmp/ifconfig_ppp0 echo "The new IP address is $OUT_IP2">>/tmp/ifconfig_ppp0 echo ".">>/tmp/ifconfig_ppp0 ifconfig $dialup_if>>/tmp/ifconfig_ppp0 mail -s "NEW FAILOVER IP $OUT_IP2" $admin_email &1>/dev/null echo "The ADSL connection is now working">/tmp/ifconfig echo ".">>/tmp/ifconfig echo "Use the original connection information to connect">>/tmp/ifconfig echo ".">>/tmp/ifconfig mail -s "FAILOVER STOPED - ADSL OK" $admin_email "chmod 700" or "chmod +x" it # # If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # # (for eg. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script # # ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). # ############################################################################################ PATH=/bin:/usr/bin:/sbin:/usr/sbin PROGRAM="/usr/local/sbin/arno-iptables-firewall" NAME="arno-iptables-firewall" # Be verbose(1)?: VERBOSE=0 test -x $PROGRAM || exit 0 . 
/lib/lsb/init-functions if [ "$VERBOSE" = "0" ]; then case "$1" in start) log_daemon_msg "Starting Arno's Iptables Firewall..." ;; stop) log_daemon_msg "Stopping Arno's Iptables Firewall..." ;; restart) log_daemon_msg "Restarting Arno's Iptables Firewall..." ;; force-reload) log_daemon_msg "(Forced) reloading Arno's Iptables Firewall..." ;; status) $PROGRAM $* exit $? ;; *) $PROGRAM exit 1 ;; esac # Call firewall script: result=`$PROGRAM $*` retval=$? else $PROGRAM $* retval=$? fi # Return value: exit $retval arno-iptables-firewall_2.0.1d/contrib/Debian/rsyslog.conf0000644000000000000000000000527212055611115022177 0ustar rootroot# /etc/rsyslog.conf Configuration file for rsyslog. # # For more information see # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html ################# #### MODULES #### ################# $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability # provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 ########################### #### GLOBAL DIRECTIVES #### ########################### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # # Set the default permissions for all log files. # $FileOwner root $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 # # Include all config files in /etc/rsyslog.d/ # $IncludeConfig /etc/rsyslog.d/*.conf ############### #### RULES #### ############### # # First some standard log files. Log by facility. 
# auth,authpriv.* /var/log/auth.log *.*;auth,authpriv,local7,daemon,lpr.none;\ kern.!=debug;\ cron.!=info -/var/log/syslog #cron.* /var/log/cron.log daemon.* -/var/log/daemon.log kern.*;kern.!=debug -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err # # Logging for INN news system. # news.crit /var/log/news/news.crit news.err /var/log/news/news.err news.notice -/var/log/news/news.notice # Logging for iptables kern.=debug /var/log/firewall.log # # Some "catch-all" log files. # *.=debug;\ kern.!=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg * # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke `xconsole' with the `-file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. # daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole arno-iptables-firewall_2.0.1d/contrib/Redhat/0000755000000000000000000000000012055611116017646 5ustar rootrootarno-iptables-firewall_2.0.1d/contrib/Redhat/syslog.conf0000644000000000000000000000230112055611115022030 0ustar rootroot# /etc/syslog.conf Example configuration file for syslogd on RedHat (you can optionally use this as a replacement). # This will redirect all kernel-debug logging to file /var/log/firewall.log. 
# Don't forget to touch(create) /var/log/firewall.log first & set "LOGLEVEL=debug" in the # configuration file (iptables-firewall.conf)! # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages, plus log them on another # machine. *.emerg * # Save mail and news errors of level err and higher in a # special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # Log all iptables messages to /var/log/firewall.log kern.=debug /var/log/firewall.log arno-iptables-firewall_2.0.1d/contrib/Gentoo/0000755000000000000000000000000012055611116017672 5ustar rootrootarno-iptables-firewall_2.0.1d/contrib/Gentoo/firewall.conf0000644000000000000000000000013412055611115022343 0ustar rootroot# Set the location of the firewall script LOCATION="/usr/local/sbin/arno-iptables-firewall" arno-iptables-firewall_2.0.1d/contrib/Gentoo/rc.firewall0000644000000000000000000000234112055611115022024 0ustar rootroot#!/sbin/runscript opts="${opts} stats help reload" depend() { before net use logger } start() { ebegin "Loading Firewall..." ${LOCATION} start eend $? "WARNING: Failed to load Firewall" } stop() { ebegin "Stopping Firewall..." ${LOCATION} stop eend $? "WARNING: Failed to stop Firewall" } restart() { ebegin "Restarting Firewall..." ${LOCATION} restart eend $? "WARNING: Failed to restart Firewall" } stats() { ebegin "Firewall Status..." ${LOCATION} status eend $? "Failed to show status" } reload() { ebegin "Reloading Blackholes..." ${LOCATION} reload eend $? 
"WARNING: Failed to reload" } help() { ebegin "Options" echo "start = Start Firewall" echo "stop = Stop Firewall(set default policies to accept)" echo "restart = Restart Firewall" echo "reload = Reload blocked hosts(blackhole) file & mac address file" echo "stats = Shows Firewall Full Status" echo "help = Shows this message" echo "status = Shows rc-update status" echo "Remember: arno-iptables-firewall status [-t {table}][chain] for flexible status" eend $? } arno-iptables-firewall_2.0.1d/contrib/AstLinux/0000755000000000000000000000000012055611116020206 5ustar rootrootarno-iptables-firewall_2.0.1d/contrib/AstLinux/95adaptive-ban.plugin0000644000000000000000000001460012055611115024137 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Adaptive Ban plugin =- # PLUGIN_NAME="Adaptive Ban plugin" PLUGIN_VERSION="1.04 BETA" PLUGIN_CONF_FILE="adaptive-ban.conf" # # Last changed : November 20, 2011 # Requirements : AIF 2.0.0+ # Comments : Parse a log file for failed access with offending IP addresses # Ban the IP address after multiple failed attempts # # Author : (C) Copyright 2010-2011 by Lonnie Abelbeck # Homepage : http://www.astlinux.org/ # Credits : Fail2ban Project # Homepage : http://www.fail2ban.org/ # Credits : Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { local host net IFS iptables -N ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null iptables -F ADAPTIVE_BAN_DROP_CHAIN iptables -A ADAPTIVE_BAN_DROP_CHAIN -m limit --limit 1/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Adaptive-Ban host: " if [ "$ADAPTIVE_BAN_REJECT" = "1" ]; then ip4tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp-host-unreachable if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp6-addr-unreachable fi else iptables -A ADAPTIVE_BAN_DROP_CHAIN -j DROP fi iptables -N ADAPTIVE_BAN_CHAIN 2>/dev/null iptables -F ADAPTIVE_BAN_CHAIN if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" != "0" ]; then printf "${INDENT}Adaptive Ban - Whitelisting INTERNAL net(s): " IFS=' ,' for net in $INTERNAL_NET; do printf "$net " iptables -A ADAPTIVE_BAN_CHAIN -s $net -j RETURN done echo "" fi if [ -n "$ADAPTIVE_BAN_WHITELIST" ]; then printf "${INDENT}Adaptive Ban - Whitelisting host(s): " IFS=' ,' for host in $ADAPTIVE_BAN_WHITELIST; do printf "$host " iptables -A ADAPTIVE_BAN_CHAIN -s $host -j RETURN done echo "" fi # Insert rule in the INPUT chain iptables -I INPUT -j ADAPTIVE_BAN_CHAIN # Insert rule in the FORWARD chain iptables -I FORWARD -j ADAPTIVE_BAN_CHAIN echo "${INDENT}File=$ADAPTIVE_BAN_FILE Time=$ADAPTIVE_BAN_TIME Count=$ADAPTIVE_BAN_COUNT Types=$ADAPTIVE_BAN_TYPES" "$PLUGIN_BIN_PATH/adaptive-ban-helper" start "$IP4TABLES" "$IP6TABLES" 
"$IPV6_SUPPORT" \ "$ADAPTIVE_BAN_FILE" "$ADAPTIVE_BAN_TIME" "$ADAPTIVE_BAN_COUNT" $ADAPTIVE_BAN_TYPES >/dev/null 2>&1 & return 0 } # Plugin stop function plugin_stop() { printf "${INDENT}Adaptive Ban - Stopping... " # Stop helper script on next iteration "$PLUGIN_BIN_PATH/adaptive-ban-helper" stop "$IP4TABLES" "$IP6TABLES" "$IPV6_SUPPORT" echo "Stopped." iptables -D INPUT -j ADAPTIVE_BAN_CHAIN iptables -D FORWARD -j ADAPTIVE_BAN_CHAIN iptables -F ADAPTIVE_BAN_CHAIN iptables -X ADAPTIVE_BAN_CHAIN 2>/dev/null iptables -F ADAPTIVE_BAN_DROP_CHAIN iptables -X ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null return 0 } # Plugin status function plugin_status() { "$PLUGIN_BIN_PATH/adaptive-ban-helper" status "$IP4TABLES" "$IP6TABLES" "$IPV6_SUPPORT" return 0 } # Check sanity of eg. environment plugin_sanity_check() { if [ ! -x "$PLUGIN_BIN_PATH/adaptive-ban-helper" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The adaptive-ban-helper script can not be found or is not executable!\033[0m\n" >&2 return 1 fi if [ -z "$ADAPTIVE_BAN_FILE" -o -z "$ADAPTIVE_BAN_TIME" -o -z "$ADAPTIVE_BAN_COUNT" -o -z "$ADAPTIVE_BAN_TYPES" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 return 1 fi if [ "$PLUGIN_CMD" = "start" ] && [ ! -f "$ADAPTIVE_BAN_FILE" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist!\033[0m\n" >&2 return 1 fi if ! check_command sort; then printf "\033[40m\033[1;31m${INDENT}ERROR: Required command sort is not available!\033[0m\n" >&2 return 1 fi if ! check_command uniq; then printf "\033[40m\033[1;31m${INDENT}ERROR: Required command uniq is not available!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Check if the config file exists if [ ! 
-e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if plugin_sanity_check; then case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$?;; stop ) plugin_stop; PLUGIN_RET_VAL=$?;; status ) plugin_status; PLUGIN_RET_VAL=$?;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; esac fi else PLUGIN_RET_VAL=0 fi fi arno-iptables-firewall_2.0.1d/contrib/AstLinux/adaptive-ban-helper0000644000000000000000000002106512055611115023744 0ustar rootroot#!/bin/bash LOCKFILE="/var/lock/aif_adaptive_ban.lock" ARGSFILE="/var/tmp/aif_adaptive_ban.args" TEMPFILE="/var/tmp/aif_adaptive_ban.temp" start_run() { local num file time count arg args argstime=0 filetime=0 ARGS IFS ARGS="$@" # Robust 'bash' method of creating/testing for a lockfile if ! ( set -o noclobber; echo "$$" > "$LOCKFILE" ) 2>/dev/null; then echo "$ARGS" > "$ARGSFILE" echo "adaptive-ban-helper: already running, lockfile \"$LOCKFILE\" exists, process id: $(cat "$LOCKFILE")." return 9 fi trap 'rm -f "$LOCKFILE" "$ARGSFILE" "$TEMPFILE"; exit $?' INT TERM EXIT echo "$ARGS" > "$ARGSFILE" # Delay to allow firewall script to complete idle_wait 45 while [ -f "$ARGSFILE" ]; do # Check whether chains exists if ! check_for_chain ADAPTIVE_BAN_CHAIN; then log_msg "ADAPTIVE_BAN_CHAIN does not exist" break fi if ! 
check_for_chain ADAPTIVE_BAN_DROP_CHAIN; then log_msg "ADAPTIVE_BAN_DROP_CHAIN does not exist" break fi ARGS="$(cat "$ARGSFILE")" file="" args="" num=0 unset IFS for arg in $ARGS; do num=$((num+1)) case "$num" in 1) file="$arg" ;; 2) time="$arg" ;; 3) count="$arg" ;; *) args="${args}${args:+ }$arg" ;; esac done if [ ! -f "$file" ]; then log_msg "Input log file $file does not exist" break fi if [ "$filetime" != "$(date -r "$file" "+%s")" -o "$argstime" != "$(date -r "$ARGSFILE" "+%s")" ]; then filter "$file" "$count" $args filetime="$(date -r "$file" "+%s")" argstime="$(date -r "$ARGSFILE" "+%s")" fi # Idle - interrupted if ARGSFILE is deleted idle_wait $time done rm -f "$LOCKFILE" "$ARGSFILE" "$TEMPFILE" trap - INT TERM EXIT return 0 } stop() { rm -f "$ARGSFILE" # If the background start_run() is in idle_wait() this ensures a clean stop. sleep 1 # If start_run() is not in idle_wait() we deal with that as well. # We could loop while LOCKFILE exists, but doesn't seem necessary. } status() { echo " Banned Hosts:" echo " ==============================" ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$4 }' if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$3 }' fi echo " ------------------------------" echo "" echo " Whitelisted Hosts:" echo " ==============================" ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$4 }' if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$3 }' fi echo " ------------------------------" echo "" } filter() { local file="$1" count="$2" type types PREFIX HOST IFS shift 2 types="$@" # regex to pull out offending IPv4/IPv6 address # HOST="([0-9a-fA-F:.]{7,})" unset IFS for type in $types; do # regex match the start of the syslog string # PREFIX=".*${type}\[[0-9]*]:[[:space:]]*" case "$type" in sshd) filter_sshd "$file" "$PREFIX" "$HOST" ;; asterisk) 
filter_asterisk "$file" "$PREFIX" "$HOST" ;; lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST" ;; mini_httpd) filter_mini_httpd "$file" "$PREFIX" "$HOST" ;; pptpd) filter_pptpd "$file" "$PREFIX" "$HOST" ;; *) log_msg "Unsupported type \"$type\"" continue ;; esac if [ $? -ne 0 ]; then log_msg "Filter Error for type \"$type\"" else count_attempts_then_ban "$count" "$type" fi rm -f "$TEMPFILE" done } filter_sshd() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}Failed (password|publickey) for .* from ${HOST}( port [0-9]*)?( ssh[0-9]*)?$/\2/p" \ -e "s/^${PREFIX}[iI](llegal|nvalid) user .* from ${HOST}[[:space:]]*$/\2/p" \ "$file" >"$TEMPFILE" } filter_asterisk() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Wrong password$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - No matching peer found$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Username\/auth name mismatch$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Device does not match ACL$/\1/p" \ -e "s/^${PREFIX}NOTICE.* '${HOST}' - Dialplan Noted Suspicious IP Address$/\1/p" \ -e "s/^${PREFIX}NOTICE.* ${HOST} failed to authenticate as '.*'$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: No registration for peer '.*' \(from ${HOST}\)$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: Host ${HOST} failed MD5 authentication for '.*' \(.*\)$/\1/p" \ "$file" >"$TEMPFILE" } filter_lighttpd() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}.* password doesn't match for .* IP: ${HOST}[[:space:]]*$/\1/p" \ -e "s/^${PREFIX}.* get_password failed, IP: ${HOST}[[:space:]]*$/\1/p" \ "$file" >"$TEMPFILE" } filter_mini_httpd() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}${HOST} authentication failure - access denied$/\1/p" \ "$file" >"$TEMPFILE" } filter_pptpd() { local file="$1" PREFIX="$2" HOST="$3" 
  PPP_PREFIX=".*pppd\[[0-9]*]:[[:space:]]*"
  # pptpd logs the CHAP failure under pppd and the client address some lines
  # later under pptpd, so pull in the next 15 lines (N) and match across them.
  sed -n -r -e "/^${PPP_PREFIX}.* failed CHAP authentication$/ {N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;\
s/^.*\n${PREFIX}CTRL: Client ${HOST} control connection finished\n.*$/\1/p}" \
    "$file" >"$TEMPFILE"
}

# Count how often each address occurs in TEMPFILE and ban those seen at least
# $1 times; $2 is the filter type and is only used for the log message.
# The count is over the whole log file as it currently stands, not a sliding
# window: start_run() re-runs the filter each time the file's mtime changes.
count_attempts_then_ban() {
  local count="$1" type="$2" line host IFS
  # Remove possible IPv4 port numbers, IPv4:PORT -> IPv4
  # NOTE(review): TEMPFILE is a fixed name under /var/tmp (set at the top of
  # this file).  'sed -i' itself writes a fresh file and renames it, but the
  # '>"$TEMPFILE"' redirects in the filter_* functions follow a pre-existing
  # symlink, so -- depending on kernel symlink protections -- a local user who
  # pre-creates that path could redirect this root-owned write.  A mktemp'd
  # file in a root-only directory would close that.
  sed -i -r -e 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+$/\1/' "$TEMPFILE"
  IFS=$'\n'
  for line in $(sort "$TEMPFILE" | uniq -c); do
    # 'uniq -c' output is "<count> <address>"
    if [ "$(echo "$line" | awk '{ print $1; }')" -ge "$count" ]; then
      host="$(echo "$line" | awk '{ print $2; }')"
      ban_host "$host" "$type"
    fi
  done
}

# Append a ban rule for $1 (IPv4 or IPv6 address) unless the chain already
# lists it; $2 is the filter type for the log line.  Addresses that do not
# look like IPv4/IPv6 are ignored, as is IPv6 when IPV6_SUPPORT is off.
# $host goes to iptables unquoted; that is only safe because the HOST regex in
# filter() restricts captured addresses to [0-9a-fA-F:.], so no option or
# extra argument can be smuggled in from a crafted log line.
ban_host() {
  local host="$1" type="$2"
  get_numeric_ip_version "$host"
  case $? in
    4)
      # '\.' keeps the dots literal in the grep pattern; "[/ ]" stops 1.2.3.4
      # from matching 1.2.3.40.
      if ! ip4tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host//./\.}[/ ]"; then
        ip4tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
        if [ $? -eq 0 ]; then
          log_msg "Banned IPv4 Host: $host Filter Type: $type"
        fi
      fi
      ;;
    6)
      if [ "$IPV6_SUPPORT" = "1" ]; then
        if ! ip6tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host}[/ ]"; then
          ip6tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
          if [ $? -eq 0 ]; then
            log_msg "Banned IPv6 Host: $host Filter Type: $type"
          fi
        fi
      fi
      ;;
  esac
}

# Sleep up to $1 seconds, one second at a time, returning early as soon as
# ARGSFILE disappears (stop() removes it to interrupt the helper).
idle_wait() {
  local time="$1" cnt=0
  while [ -f "$ARGSFILE" -a $cnt -lt $time ]; do
    cnt=$((cnt+1))
    sleep 1
  done
}

# Return 0 if chain $1 exists (per 'iptables -n -L') for IPv4 and, when
# IPV6_SUPPORT is on, for IPv6 as well.
check_for_chain() {
  local err
  ip4tables -n -L "$1" >/dev/null 2>&1
  err=$?
  if [ "$IPV6_SUPPORT" = "1" -a $err -eq 0 ]; then
    ip6tables -n -L "$1" >/dev/null 2>&1
    err=$?
  fi
  return $err
}

# Wrapper around $IP4TABLES: on failure the command's output is sent to
# log_msg, on success any output is passed through.  Returns the exit status
# of the underlying command.  (main refuses to run when $IP4TABLES is literally
# "ip4tables", presumably so this wrapper cannot call itself.)
ip4tables() {
  local result retval
  result="$($IP4TABLES "$@" 2>&1)"
  retval=$?
  if [ $retval -ne 0 ]; then
    log_msg "$IP4TABLES: ($retval) $result"
  elif [ -n "$result" ]; then
    echo "$result"
  fi
  return $retval
}

# Same as ip4tables(), for $IP6TABLES.
ip6tables() {
  local result retval
  result="$($IP6TABLES "$@" 2>&1)"
  retval=$?
if [ $retval -ne 0 ]; then log_msg "$IP6TABLES: ($retval) $result" elif [ -n "$result" ]; then echo "$result" fi return $retval } get_numeric_ip_version() { case $1 in 0/0) ;; [0-9][0-9.][0-9.][0-9.][0-9.]*.*[0-9]) return 4 ;; [0-9]*.*/*[0-9]|[0-9]/*[0-9]|[1-9][0-9]/*[0-9]|[12][0-9][0-9]/*[0-9]) return 4 ;; *:*) return 6 ;; esac return 0 } log_msg() { logger -t "firewall: adaptive-ban" -p kern.info "$1" echo "$1" >&2 } # main ACTION="$1" IP4TABLES="$2" if [ -z "$IP4TABLES" -o "$IP4TABLES" = "ip4tables" ]; then ACTION="" fi IP6TABLES="$3" if [ -z "$IP6TABLES" -o "$IP6TABLES" = "ip6tables" ]; then ACTION="" fi IPV6_SUPPORT="$4" shift 4 case $ACTION in start) if [ -z "$1" -o -z "$2" -o -z "$3" -o -z "$4" ]; then echo "Usage: adaptive-ban-helper start ip4tables_path ip6tables_path ipv6_flag logfile time count args..." exit 1 fi start_run "$@" ;; stop) stop ;; status) status ;; *) echo "Usage: adaptive-ban-helper start|stop|status ip4tables_path ip6tables_path ipv6_flag" echo " [ logfile time count args... 
]"
    exit 1
    ;;
esac
arno-iptables-firewall_2.0.1d/contrib/AstLinux/adaptive-ban.conf0000644000000000000000000000357312055611115023417 0ustar rootroot# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Adaptive Ban plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Log file from which failed access attempts are derived
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_FILE="/var/log/messages"

# The time in seconds between each iteration of analyzing the log file
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TIME=120

# The number of logged failures after which a host is banned.  Failures are
# counted over the current contents of ADAPTIVE_BAN_FILE (the file is re-scanned
# in full whenever it changes), so rotating the log effectively resets the count
# for hosts that have not been banned yet.
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_COUNT=6

# A list of analysis types that are applied
# Choose from: sshd asterisk lighttpd mini_httpd pptpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="sshd asterisk"

# By default, inbound packets from banned IP addresses will be silently DROP'ed
# As an option, the packets can be REJECT'ed instead of being DROP'ed
# Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be returned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_REJECT=0

# By default, INTERNAL (LAN) networks will be whitelisted against banning
# As an option, this automatic whitelisting can be disabled
# Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL whitelisting
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST_INTERNAL=1

# Whitelist Hosts
# A list of IP addresses whose traffic will never be banned
# Bans are inserted into both the INPUT and FORWARD chains, so list the
# addresses you administer this host from here: a mistyped filter pattern or a
# log entry crafted by an attacker could otherwise lock you out.
#
------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST=""
arno-iptables-firewall_2.0.1d/contrib/AstLinux/README0000644000000000000000000000102312055611115021061 0ustar rootrootAstLinux AIF Contributions
+========================+
| www.astlinux.org |
+========================+
1) Adaptive Ban Plugin
Parse a log file for failed access attempts and the offending IP addresses. Ban the IP address after multiple failed attempts. Similar in function to the Fail2ban project, www.fail2ban.org .
The latest is available via the AstLinux SVN:
http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/1.0/package/arnofw/adaptive-ban/
(Note: remove the SVN ".sh" suffixes to be used directly with generic AIF)
arno-iptables-firewall_2.0.1d/CHANGELOG0000644000000000000000000002222512055611115016213 0ustar rootrootVersion 2.0.1d (November 16, 2012)
----------------------------------
+ Reintroduce DNS fast fail option
+ add additional option (DNS_FAST_FAIL_ONCE) to allow plugins to use it
+ Added nat-loopback plugin for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules.
+ Added new main command 'status-plugins [name]'. Useful [name] values are: dyndns-host-open, multiroute, nat-loopback, rpc, traffic-accounting and traffic-shaper. When [name] is specified, only that plugin is shown. For Example: $ arno-iptables-firewall status-plugins (shows all plugins status results) $ arno-iptables-firewall status-plugins dyndns-host-open (shows only dyndns-host-open plugin status results)
+ Added outbound-snat plugin to support when a NAT'ed external interface has multiple IPv4 addresses, it may be desirable to specify which internal IP's or CIDR's use which external IPv4 addresses for outbound connections.
! Fixed modprobe() function when using kmod. Apparently kmod doesn't echo anything (to stderr) when a module is not found?!
! Fix logging dropped packets matching (ie, not just TCP) for LAN_INET_FORWARD_CHAIN and DMZ_INET_FORWARD_CHAIN. 
+ Added new variables LAN_INET_DEFAULT_POLICY_DROP, DMZ_INET_DEFAULT_POLICY_DROP and LAN_DEFAULT_POLICY_DROP to define the default policies. When undefined the 'automatic' policy is the default as with all previous versions. * Allow plugins to maintain a dynamic chain (e.g. MINIUPNPD) in the nat table and not get automatically flushed on a restart. * Improved traffic-accounting & dyndns-host-open plugins with a new host cache mechanism Version 2.0.1c (June 27, 2012) ------------------------------ ! Fix a script 'IFS' issue if IPv6 and DMZ is enabled together with DMZ_HOST_OPEN_IP (thanks to Ingmar Schraub) ! Newer kernels (3.4+) replaced ipt_LOG & ip6t_LOG with xt_LOG (thanks to Adam Young) Version 2.0.1b (March 16, 2012) ------------------------------- ! RESERVED_NET_DROP only worked when RESERVED_NET_LOG was enabled (regression) (thanks to gregoryach@gmail.com) ! Removed stray line in install.sh * Updated/corrected documentation Version 2.0.1a (March 7, 2012) ------------------------------ * Misc. tweaks for arno-fwfilter (thanks Mark van Dijk) * Use ls instead of [ -n (find) ] as it's much faster (thanks Lonnie) * As with previous versions, when LAN_INET_OPEN_xxx and LAN_INET_HOST_OPEN_xxx are NOT defined the default LAN->INET policy is ACCEPT. Changed is when *any* of these variables are defined the default LAN->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before. * As with previous versions, when DMZ_INET_OPEN_xxx and DMZ_INET_HOST_OPEN_xxx are NOT defined the default DMZ->INET policy is ACCEPT. Changed is when *any* of these variables are defined the default DMZ->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before. * Tweak the handling of some of the sysctl kernel settings. 
This now also allows disabling setting/resetting some settings (like forwarding) * Default UDP connection timeout to 60 seconds + Added support for new LOCAL_CONFIG_DIR variable, defaults to "/etc/arno-iptables-firewall/conf.d" (Debian bug #658458) ! Set default policy to DROP if either LAN_INET_HOST_OPEN_xxx or DMZ_INET_HOST_OPEN_xxx are defined, to match the documentation. (thanks Schilling Thomas Ing for reporting) * Improve documentation Version 2.0.1 (December 18, 2011) --------------------------------- - Removed DNS_FAST_FAIL & RESOLV_IPS since they are both obsolete * Few changes in the install/uninstall scripts. eg. arno-fwfilter now installs to /usr/local/bin instead Version 2.0.1-BETA1 (October 10, 2011) -------------------------------------- ! Fixed kernel_ver_chk() function to properly handle kernel 3. (thanks Gunawan Lim for reporting) ! Fixed variables containing REJECT_UDP with IPv6 enabled, it should use 'icmp6-addr-unreachable' for IPv6. * Updated "DynDNS Host Open" and "DMZ-DNAT" plugins to use new parse_rule() function. * AIF variables are now parsed with a common function, now missing fields are logged with a warning. * Misc. tweaks Version 2.0.0c (July 28, 2011) ----------------------------------- * Call insserv during configure, when available. This is required for eg. Debian/Ubuntu systems that use dependency based booting ! Fixed MULTICAST jumping should be done at the end of the EXT_INPUT_CHAIN, not at the beginning else users won't be able create "normal" rules for it * Updated several plugins * Several tweaks Version 2.0.0b (March 25, 2011) ------------------------------- + Perform kernel check when IPv6 support is enabled - Don't auto detect external interface settings during configure. It's too confusing and fills out the wrong values for certain setups (like laptops that are moved around) + Show platform information on start/restart when verbose ! 
remove bash-ism related to traffic-shaper plugin (Reported by Debian upstream, Debian bug #619496) ! remove bash-ism in ipsec-vpn plugin (Reported by Debian upstream, Debian bug #617510) ! workaround Busybox 'ash' bug when IPV6_SUPPORT is enabled + Added pptp-vpn plugin for local PPTP server support ! arno-fwfilter uses incorrect URL for location lookup (Debian bug #613631, thanks to Tony Evans for the patch) + Drop all IPv6 packets with Routing Header Type 0, new variable IPV6_DROP_RH_ZERO (thanks Klemen Mihevc) ! Fixed handling HOST_OPEN_ICMP, HOST_DENY_ICMP_NOLOG and HOST_DENY_ICMP variables with IPv6 addresses. (thanks Klemen Mihevc) * Tweaked NAT module loading + cosmetics. iptable_nat is a required module for AIF because of the plugin framework/helper chains so it's wrong to only load it when NAT is enabled in the main script. Version 2.0.0a (December 30, 2010) ---------------------------------------- ! Set IFS=' ' in our batch-functions else the wrappers fail in some cases - Removed old legacy plugin support that used the PLUGIN_PATH variable ! Fixed an issue when the value of IPV6_SUPPORT was changed then followed with a 'restart' * (Cosmetic) tweaks Version 2.0.0 (November 15, 2010) --------------------------------- ! 
dig wrapper using nslookup, extract IPv4 addresses over IPv6 addresses * ipsec-vpn plugin, removed unnecessary EXT_INPUT_CHAIN rule and added IPv6 support for matching AH headers Version 1.9.9-RC1 (October 25, 2010) ------------------------------------ - Removed deprecated check_binary() function from environment + Added support for an optional plugin_restart() function in plugins using a new plugin template, while supporting previous plugins without a plugin_restart() function * Refactor load_modules() using our new modprobe_multi() * Allow modprobe_multi() function arguments to be grouped by a comma + Use IDENT environment variable for plugins + Added SHAPER_IF variable to traffic-shaper plugin to specify a single external interface should the default EXT_IF value contain more than one interface + Added SIP_VOIP_REMOTE_HOSTS variable to sip-voip plugin to limit access by source address - Removed obsolete module_probe() function. Use modprobe() instead + Added IPV6_AUTO_CONFIGURATION variable to control autoconf when IP_FORWARDING = 0 + Added IPV6_OVER_IPV4_SERVER variable for ipv6-over-ipv4 plugin, restricting 6to4 source packets * Misc. tweaks & fixes Version 1.9.9-BETA1 (October 8, 2010) ------------------------------------- * Refactor setting kernel parameters ! Revert change that didn't masquerade IPv6/proto 41, so outgoing forwarded connections work properly + Added EXTERNAL_DHCPV6_SERVER variable to allow DHCPv6 clients on the *external* interface * The default INET->DMZ policy is now DROP. Common variables this change may effect are: INET_DMZ_HOST_OPEN_xxx and INET_DMZ_OPEN_xxx + Added support for Link-Local-Multicast ICMPv6 echo-request packets + Added LINK_LOCAL_DROP_LOG variable which controls logging of dropped IPv6 Link-Local addresses. + Added FORWARD_LINK_LOCAL variable which, by default (0), disables forwarding of IPv6 Link-Local addresses. 
+ Added EXT_MULTICAST_CHAIN to handle external-inbound multicast traffic + Added DHCPv6 support for the EXT_IF_DHCP_IP variable. + Added a new variable FORWARD_DROP_LOG to disable logging dropped forwards when set to 0, defaults to 1. ! Fixed handling of destination host~port fields where only the host was specified. + Added a new set of variables INET_FORWARD_xxx to allow forwarding INET IPv6 and non-NAT'ed IPv4 packets to other interfaces. The format is similar to the IPv4 NAT_FORWARD_xxx without port mapping. + Added a new variable OPEN_ICMPV6 to allow independent control of INET ICMP for IPv4 and IPv6, enabled by default. ! Fixed handling of INET_DMZ_HOST_OPEN_xxx variables ! Fixed handling of INET_DMZ_HOST_DENY_xxx variables ! Fixed handling of INET_DMZ_DENY_TCP ! Fixed variable typo, INET_DMZ_HOST_DENY_TCP was not handled + Added IPv6 reserved network support, label logs by IPv4 and IPv6 ! Fixed RESERVED_NET_LOG is now independant from DROP_PRIVATE_ADDRESSES + Added option to the configure script to enable/disable IPv6 + several tweaks * Sanity check should always be the first thing we do since we probably can't write the log-file in case we're not root + Automatically disable IPV6_SUPPORT if IPv6 is not detected in the kernel + Add support for mixed IPv4/IPv6 when IPV6_SUPPORT=1 arno-iptables-firewall_2.0.1d/etc/0000755000000000000000000000000012055611116015552 5ustar rootrootarno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/0000755000000000000000000000000012055611116022115 5ustar rootrootarno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/firewall.conf0000644000000000000000000015213212055611115024574 0ustar rootroot############################################################################### # You should put this config-file in /etc/arno-iptables-firewall/ # ############################################################################### # --------------------------- Configuration file ------------------------------ # -= Arno's iptables 
firewall =- # Single- & multi-homed firewall script with DSL/ADSL support # # (C) Copyright 2001-2012 by Arno van Amersfoort # Co-authors : Lonnie Abelbeck & Philip Prindeville # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ----------------------------------------------------------------------------- # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for # more details. # You should have received a copy of the GNU General Public License along with # this program; if not, write to the Free Software Foundation Inc., 59 Temple # Place - Suite 330, Boston, MA 02111-1307, USA. # ----------------------------------------------------------------------------- ############################################################################### # External (internet) interface settings # ############################################################################### # The external interface(s) that will be protected (and used as internet # connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL # modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should # be space separated. 
# -----------------------------------------------------------------------------
EXT_IF=""
# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# and/or (IPv6) DHCPv6 (from your ISP)
# -----------------------------------------------------------------------------
EXT_IF_DHCP_IP=0
# (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
# should only use this if you for example have a corporate network and/or are
# running a DHCP server on your external(!) interface. Home users should
# normally NOT touch this setting. Multiple subnets should be space separated.
# Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
# -----------------------------------------------------------------------------
#EXTERNAL_NET=""
# (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
# on your external subnet. You only need to set this option if you want to use
# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
# this empty should work fine. Multiple addresses should be space separated.
# -----------------------------------------------------------------------------
#EXT_NET_BCAST_ADDRESS=""
# Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
# on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. Don't forget to
# configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
# -----------------------------------------------------------------------------
EXTERNAL_DHCP_SERVER=0
# Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
# address on the external(!) interface. Note that you don't need this for internal
# subnets, as for these nets everything is accepted by default. 
(IPv6 Only) # ----------------------------------------------------------------------------- EXTERNAL_DHCPV6_SERVER=0 ############################################################################### # Internal (LAN) interface settings # ############################################################################### # Specify here your internal network (LAN) interface(s). Multiple(!) interfaces # should be space separated. Remark this if you don't have any internal network # interfaces. Note that by default ALL traffic is accepted from these # interfaces. # ----------------------------------------------------------------------------- INT_IF="" # Specify here the internal IPv4 subnet(s) which is/are connected to the # internal interface(s). For multiple interfaces(!) you can either specify # multiple subnets here or specify one big subnet for all internal interfaces. # Note that this variable is mainly used for antispoofing. # ----------------------------------------------------------------------------- #INTERNAL_NET="192.168.0.0/24" # Set this variable to 0 to disable antispoof checking for the internal nets # (EXPERT SETTING!) # ----------------------------------------------------------------------------- INTERNAL_NET_ANTISPOOF=1 # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts # on your internal subnet. You only need to set this option if you want to use # the MAC filter AND you use a non-standard broadcast address # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving # this empty should work fine. Multiple addresses (if you have multiple # internal nets) should be space separated. 
# ----------------------------------------------------------------------------- #INT_NET_BCAST_ADDRESS="" ############################################################################### # DMZ (aka DeMilitarized Zone) settings # ############################################################################### # Put in the following variable the network interfaces that are DMZ-classified. # You can also use this interface if you want to shield your Wireless network # from your LAN. # ----------------------------------------------------------------------------- DMZ_IF="" # Specify here the subnet which is connected to the DMZ interface (DMZ_IF). # For multiple interfaces(!) you can either specify multiple subnets here or # specify one big subnet for all DMZ interfaces. # ----------------------------------------------------------------------------- DMZ_NET="" # Set this variable to 0 to disable antispoof checking for the dmz nets # (EXPERT SETTING!) # ----------------------------------------------------------------------------- DMZ_NET_ANTISPOOF=1 ############################################################################### # NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) # ############################################################################### # Enable this if you want to perform NAT (masquerading) for your internal # network (LAN) (eg. share your internet connection with your internal # net(s) connected to eg. INT_IF) # ----------------------------------------------------------------------------- NAT=0 # (EXPERT SETTING!) In case you would like to use SNAT instead of # MASQUERADING then uncomment and set the IP or IPs here of your static # external address(es). Note that when multiple IPs are specified, SNAT # multiroute is enabled (load balancing over multiple external (internet) # interfaces, check the README file for more info). Note that the order of IPs # should match the order of interfaces (they belong to) in $EXT_IF! 
# ----------------------------------------------------------------------------- #NAT_STATIC_IP="193.2.1.1" # (EXPERT SETTING!) Use this variable only if you want specific subnets or # hosts to be able to access the internet. When no value is specified, your # whole internal net will have access. In both cases it's obviously only # meaningful when NAT is enabled. Note that you can also use this variable if # you want to use NAT for your DMZ. # ----------------------------------------------------------------------------- NAT_INTERNAL_NET="$INTERNAL_NET" # (EXPERT SETTING!) Enable this if you want to be able to redirect local ports # or protocols on your gateway using NAT forwards. # ----------------------------------------------------------------------------- NAT_LOCAL_REDIRECT=0 # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to # an internal client through (D)NAT. Note that you can also use these # variables to forward ports to DMZ hosts. # # TCP/UDP form: # "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \ # {SRCIP3,...~}PORT3,...>DESTIP2{~port}" # # IP form: # "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \ # {SRCIP3~}PROTO3,PROTO4,...>DESTIP2" # # TCP/UDP port forward examples: # Simple (forward port 80 to internal host 192.168.0.10): # NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10" # Advanced (forward port 20 & 21 to 192.168.0.10 and # forward from 1.2.3.4 port 81 to 192.168.0.11 port 80: # NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80" # # IP protocol forward example: # (forward protocols 47 & 48 to 192.168.0.10) # NAT_FORWARD_IP="47,48>192.168.0.10" # # NOTE 1: {~port} is optional. Use it to redirect a specific port to a # different port on the internal client. # NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source # (inet) IP addresses. 
# (IPv4 Only) # ----------------------------------------------------------------------------- NAT_FORWARD_TCP="" NAT_FORWARD_UDP="" NAT_FORWARD_IP="" # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols # from the gateway to an internal client. Note that you can also use these # variables to forward ports to DMZ hosts. # # TCP/UDP form: # "SRCIP1,SRCIP2,...>DESTIP1{~port} \ # SRCIP3,...>DESTIP2{~port}" # # IP form: # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \ # SRCIP3,...>DESTIP2~PROTO" # # TCP/UDP port forward examples: # Simple (IPv6 forward port 80 to internal host 2001:db8::2): # INET_FORWARD_TCP="::/0>2001:db8::2~80" # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10): # INET_FORWARD_TCP="0/0>192.168.0.10~80" # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net): # INET_FORWARD_UDP="2000::/3>2001:db8::/32" # # IP protocol forward example: # (forward protocol 58 (ICMPv6) to 2001:db8::2) # INET_FORWARD_IP="::/0>2001:db8::2~58" # # (IPv6 and non-NAT'ed IPv4 Only) # ----------------------------------------------------------------------------- INET_FORWARD_TCP="" INET_FORWARD_UDP="" INET_FORWARD_IP="" ############################################################################### # General settings # ############################################################################### # (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or # 'whereis iptables' to manually locate it), required for (default) IPv4 support # ----------------------------------------------------------------------------- IP4TABLES="/sbin/iptables" # (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or # 'whereis ip6tables' to manually locate it), required for IPv6 support # ----------------------------------------------------------------------------- IP6TABLES="/sbin/ip6tables" # (EXPERT SETTING!) 
Location of the environment file # ----------------------------------------------------------------------------- ENV_FILE="/usr/local/share/arno-iptables-firewall/environment" # (EXPERT SETTING!) Location of plugin binary & config files # ----------------------------------------------------------------------------- PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins" PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins" # Most people don't want to get any firewall logs being spit to the console. # This option makes the kernel ring buffer only log messages with level # "panic". # ----------------------------------------------------------------------------- DMESG_PANIC_ONLY=1 # Enable this if you want TOS mangling (RFC) # ----------------------------------------------------------------------------- MANGLE_TOS=0 # Enable this if you want to set the maximum packet size via the # Maximum Segment Size(through MSS field) # ----------------------------------------------------------------------------- SET_MSS=1 # Enable this if you want to increase the TTL value by one in the prerouting # chain. This hides the firewall when performing eg. traceroutes to internal # hosts. (IPv4 only!) # ----------------------------------------------------------------------------- TTL_INC=0 # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target # support. Don't mess with this unless you really know what you are doing! # (IPv4 only!) # ----------------------------------------------------------------------------- #PACKET_TTL="64" # (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail # "fast". This means a query will be tried only once and times out after 1 # second, the default is 3 tries and a 5 second timeout. 
# Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not # available, though the BusyBox 'nslookup' is not supported with this option. # ------------------------------------------------------------------------------- DNS_FAST_FAIL=0 # Enable this to support the IRC-protocol. # ----------------------------------------------------------------------------- USE_IRC=0 # (EXPERT SETTING!) Loosen the forward chain for the external interface(s). # Enable it to allow the use of protocols like UPnP. Note that it *could* be # less secure. # ----------------------------------------------------------------------------- LOOSE_FORWARD=0 # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be # forwarded between interfaces. (IPv6 Only) # ----------------------------------------------------------------------------- FORWARD_LINK_LOCAL=0 # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with # Routing Header Type 0. Enabled by default. (IPv6 Only) # ----------------------------------------------------------------------------- IPV6_DROP_RH_ZERO=1 # (EXPERT SETTING!) Enable this if you want to drop packets originating from a # private address. # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1 # ----------------------------------------------------------------------------- RESERVED_NET_DROP=0 # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!) 
# ----------------------------------------------------------------------------- DRDOS_PROTECT=0 # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support # Disable (0) if you want to enable only IPv4 traffic support # ----------------------------------------------------------------------------- IPV6_SUPPORT=0 # This option fixes problems with SMB broadcasts when using nmblookup # ----------------------------------------------------------------------------- NMB_BROADCAST_FIX=0 # Set this to 0 to suppress "assuming module is compiled in kernel" messages # ----------------------------------------------------------------------------- COMPILED_IN_KERNEL_MESSAGES=1 # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that # when there are no rule(s) available (yet), the packet will be DROPPED. In # practice this rule only does something while the firewall is starting. Once # it's started and all rules are in place, the default policy doesn't do # anything anymore. People that use eg. NFS and let their clients boot from NFS # (diskless client systems) probably want to disable this option to fix # "NFS server not responding" etc. errors on their clients. # ----------------------------------------------------------------------------- DEFAULT_POLICY_DROP=1 # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP # traffic should be ACCEPTED. (multiple(!) interfaces should be space # separated). Be warned that anything TO and FROM these interfaces is allowed # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world # (internet)! And of course putting one of your external interfaces here would # be extremely stupid. # ----------------------------------------------------------------------------- TRUSTED_IF="" # (EXPERT SETTING!) Put here the interfaces that should trust # each other (accept forward traffic). 
You can use | (piping-sign) to create
# separate interface groups. And (again) of course putting one of your external
# interfaces here would be extremely stupid.
# -----------------------------------------------------------------------------
IF_TRUSTS=""
# Location of the custom iptables rules file (if any).
# -----------------------------------------------------------------------------
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
# Location of the local (user/global) configuration file, if used
# -----------------------------------------------------------------------------
LOCAL_CONFIG_FILE=""
# Location of the local directory which, if defined, is scanned for *.conf
# file(s) that are sourced for configuration variables. Since these files are
# sourced (i.e. executed as shell code) by the firewall, make sure the directory
# and the files in it are writable only by root.
# Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
# -----------------------------------------------------------------------------
LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
# iptables-restore to add rules in batch rather than one-by-one. Much slower
# when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# -----------------------------------------------------------------------------
DISABLE_IPTABLES_BATCH=0
# (EXPERT SETTING!) Set this (to 1) to enable tracing
# -----------------------------------------------------------------------------
TRACE=0
###############################################################################
# Logging options - All logging is rate limited to prevent log flooding #
###############################################################################
# Enable logging for explicitly blocked hosts.
# -----------------------------------------------------------------------------
BLOCKED_HOST_LOG=1
# Enable logging for various stealth scans (reliable). 
# -----------------------------------------------------------------------------
SCAN_LOG=1
# Enable logging for possible stealth scans (less reliable).
# -----------------------------------------------------------------------------
POSSIBLE_SCAN_LOG=1
# Enable logging for TCP-packets with bad flags.
# -----------------------------------------------------------------------------
BAD_FLAGS_LOG=1
# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_TCP_LOG=0
# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_UDP_LOG=0
# Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# -----------------------------------------------------------------------------
INVALID_ICMP_LOG=0
# Enable (1) logging of source IPs with reserved or private addresses.
# -----------------------------------------------------------------------------
RESERVED_NET_LOG=0
# Enable logging of fragmented packets.
# -----------------------------------------------------------------------------
FRAG_LOG=1
# Enable logging of denied local (OUTPUT) connections.
# -----------------------------------------------------------------------------
INET_OUTPUT_DENY_LOG=1
# Enable logging of denied LAN output (FORWARD) connections. 
# ----------------------------------------------------------------------------- LAN_OUTPUT_DENY_LOG=1 # Enable logging of denied LAN INPUT connections. # ----------------------------------------------------------------------------- LAN_INPUT_DENY_LOG=1 # Enable logging of denied DMZ output (FORWARD) connections. # ----------------------------------------------------------------------------- DMZ_OUTPUT_DENY_LOG=1 # Enable logging of denied DMZ input (FORWARD) connections. # ----------------------------------------------------------------------------- DMZ_INPUT_DENY_LOG=1 # Enable logging of dropped FORWARD packets. # ----------------------------------------------------------------------------- FORWARD_DROP_LOG=1 # Enable logging of dropped IPv6 Link-Local forwarded packets. # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only) # ----------------------------------------------------------------------------- LINK_LOCAL_DROP_LOG=1 # Enable logging of dropped ICMP-request packets (ping). # ----------------------------------------------------------------------------- ICMP_REQUEST_LOG=1 # Enable logging of dropped "other" ICMP packets. # ----------------------------------------------------------------------------- ICMP_OTHER_LOG=1 # Enable logging of normal connection attempts to privileged TCP ports. # ----------------------------------------------------------------------------- PRIV_TCP_LOG=1 # Enable logging of normal connection attempts to privileged UDP ports. # ----------------------------------------------------------------------------- PRIV_UDP_LOG=1 # Enable logging of normal connection attempts to unprivileged TCP ports. # ----------------------------------------------------------------------------- UNPRIV_TCP_LOG=1 # Enable logging of normal connection attempts to unprivileged UDP ports. 
# -----------------------------------------------------------------------------
UNPRIV_UDP_LOG=1

# Enable logging of IPv4 IGMP packets
# -----------------------------------------------------------------------------
IGMP_LOG=1

# Enable logging of normal connection attempts to "other-IP"-protocols (non
# TCP/UDP/ICMP/IGMP).
# -----------------------------------------------------------------------------
OTHER_IP_LOG=1

# Enable logging for ICMP flooding.
# -----------------------------------------------------------------------------
ICMP_FLOOD_LOG=1

# (EXPERT SETTING!) The location of the dedicated firewall log file. When
# enabled the firewall script will also log start/stop etc. info to this file.
# Note that in order to make this work, you should also configure
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
# info).
# -----------------------------------------------------------------------------
#FIREWALL_LOG="/var/log/firewall.log"

# (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
# syslogd accordingly (see included syslogd.conf examples).
# -----------------------------------------------------------------------------
LOGLEVEL="info"

# Put in the following variables which hosts you want to log certain incoming
# connection attempts for.
# TCP/UDP port format (LOG_HOST_INPUT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_INPUT_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""

# Put in the following variables which hosts you want to log certain outgoing
# connection attempts for.
# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_OUTPUT_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""

# Put in the following variables which services you want to log incoming
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""

# Put in the following variables which services you want to log outgoing
# connection attempts for.
# -----------------------------------------------------------------------------
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""

# Put in the following variable which hosts you want to log incoming connection
# (attempts) for.
# -----------------------------------------------------------------------------
LOG_HOST_INPUT=""

# Put in the following variable which hosts you want to log outgoing connection
# (attempts) to.
# -----------------------------------------------------------------------------
LOG_HOST_OUTPUT=""

###############################################################################
# sysctl based settings (EXPERT SETTINGS!)                                    #
###############################################################################

# Enable for synflood protection (through /proc/.../tcp_syncookies).
# -----------------------------------------------------------------------------
SYN_PROT=1

# Enable this to reduce the ability of others to DOS your machine.
# -----------------------------------------------------------------------------
REDUCE_DOS_ABILITY=1

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# -----------------------------------------------------------------------------
ECHO_IGNORE=0

# Enable to log packets with impossible addresses to the kernel log.
# -----------------------------------------------------------------------------
LOG_MARTIANS=0

# Only disable this if you're NOT using forwarding (required for NAT etc.) for
# increased security.
# Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
# -----------------------------------------------------------------------------
IP_FORWARDING=1

# (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
# you do not use autoconf to obtain your IPv6 address.
# Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
# -----------------------------------------------------------------------------
IPV6_AUTO_CONFIGURATION=1

# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
# case of a router.
# -----------------------------------------------------------------------------
ICMP_REDIRECT=0

# Enable/modify this if you want to be able to handle a larger (or smaller)
# number of simultaneous connections. For high traffic machines I recommend to
# use a value of at least 16384 (note that a higher value (obviously) also uses
# more memory).
# -----------------------------------------------------------------------------
CONNTRACK=16384

# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
# as some routers are still not compatible with this.
# -----------------------------------------------------------------------------
ECN=0

# Enable reverse-path filtering to drop connections from non-routable source
# IPs, eg. to prevent source routing. By default the firewall itself also
# provides rules against source routing. Note that when you use eg. VPN
# (Freeswan), you should probably disable this setting.
# -----------------------------------------------------------------------------
RP_FILTER=1

# Protect against source routed packets.
# Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes, so normally you should always leave this enabled (1)!
# -----------------------------------------------------------------------------
SOURCE_ROUTE_PROTECTION=1

# Here we set the local port range (ports from which connections are
# initiated from our site). Don't mess with this unless you really know what
# you are doing!
# -----------------------------------------------------------------------------
LOCAL_PORT_RANGE="32768 61000"

# Here you can change the default TTL used for sending packets. The value
# should be between 10 and 255. Don't mess with this unless you really know
# what you are doing!
# -----------------------------------------------------------------------------
DEFAULT_TTL=64

# In most cases pmtu discovery is ok, but in some rare cases (when having
# problems) you might want to disable it.
# -----------------------------------------------------------------------------
NO_PMTU_DISCOVERY=0

###############################################################################
# Firewall policies for the LAN (EXPERT SETTINGS!)                            #
###############################################################################

###############################################################################
# LAN_xxx = LAN->localhost(this machine) input access rules                   #
#                                                                             #
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the      #
# default policy for this chain is accept (unless denied through              #
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                     #
###############################################################################

# Disable this (set to "") to automatically set default policy as above.
# When set to "1" the LAN->localhost default policy will always be DROP
# When set to "0" the LAN->localhost default policy will always be ACCEPT
# -----------------------------------------------------------------------------
LAN_DEFAULT_POLICY_DROP=""

# Enable this to allow for ICMP-requests(ping) from your LAN
# -----------------------------------------------------------------------------
LAN_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP protocols TO
# (remote end-point) which the LAN hosts are permitted to connect to.
# -----------------------------------------------------------------------------
LAN_OPEN_TCP=""
LAN_OPEN_UDP=""
LAN_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which LAN hosts are NOT permitted to connect to.
# -----------------------------------------------------------------------------
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which certain LAN hosts are
# permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
LAN_HOST_OPEN_TCP=""
LAN_HOST_OPEN_UDP=""
LAN_HOST_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which certain LAN hosts are NOT permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ----------------------------------------------------------------------------- LAN_HOST_DENY_TCP="" LAN_HOST_DENY_UDP="" LAN_HOST_DENY_IP="" ############################################################################### # LAN_INET_xxx = LAN->internet access rules (forward) # # # # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are # # NOT used, the default policy will be accept for LAN->INET (unless denied # # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! # ############################################################################### # Disable this (set to "") to automatically set default policy as above. # When set to "1" the LAN->INET default policy will always be DROP # When set to "0" the LAN->INET default policy will always be ACCEPT # ----------------------------------------------------------------------------- LAN_INET_DEFAULT_POLICY_DROP="" # Enable this to allow for ICMP-requests(ping) for LAN->INET # ----------------------------------------------------------------------------- LAN_INET_OPEN_ICMP=1 # Put in the following variables the TCP/UDP ports or IP # protocols TO (remote end-point) which the LAN hosts are # permitted to connect to via the external (internet) interface. # ----------------------------------------------------------------------------- LAN_INET_OPEN_TCP="" LAN_INET_OPEN_UDP="" LAN_INET_OPEN_IP="" # Put in the following variables the TCP/UDP ports or IP protocols TO (remote # end-point) which the LAN hosts are NOT permitted to connect to # via the external (internet) interface. Examples of usage are for blocking # IRC (TCP 6666:6669) for the internal network. # ----------------------------------------------------------------------------- LAN_INET_DENY_TCP="" LAN_INET_DENY_UDP="" LAN_INET_DENY_IP="" # Put in the following variables which LAN hosts you want to allow to certain # hosts/services on the internet. By default all services are allowed. 
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple:
# (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced:
# (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
# allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
# LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_OPEN_TCP=""
LAN_INET_HOST_OPEN_UDP=""
LAN_INET_HOST_OPEN_IP=""

# Put in the following variables which LAN hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
# deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
# LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
# LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
LAN_INET_HOST_DENY_TCP=""
LAN_INET_HOST_DENY_UDP=""
LAN_INET_HOST_DENY_IP=""

###############################################################################
# Firewall policies for the DMZ (EXPERT SETTINGS!)                            #
###############################################################################

###############################################################################
# DMZ_xxx = DMZ->localhost(this machine) input access rules                   #
###############################################################################

# Enable this to allow ICMP-requests(ping) from the DMZ
# -----------------------------------------------------------------------------
DMZ_OPEN_ICMP=1

# Put in the following variables which TCP/UDP ports or IP protocols (on this
# machine) DMZ hosts are permitted to connect to (for ICMP see DMZ_OPEN_ICMP
# above). By default all (local) services are blocked for DMZ hosts.
# -----------------------------------------------------------------------------
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to allow for certain
# services. By default all (local) services are blocked for DMZ hosts.
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (DMZ_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""

###############################################################################
# INET_DMZ_xxx = Internet->DMZ access rules (forward)                         #
#                                                                             #
# Note: As of Version 2.0.0 the default policy has changed to DROP            #
#       Previous to Version 2.0.0 the default policy was ACCEPT               #
###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_ICMP=0

# Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
# which INET hosts are permitted to connect to.
# -----------------------------------------------------------------------------
INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
# which INET hosts are NOT permitted to connect to.
# -----------------------------------------------------------------------------
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""

# Put in the following variables which INET hosts you want to allow to certain
# hosts/services on the DMZ net. By default all services are dropped.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
# allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
# INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
# INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""

# Put in the following variables which INET hosts you want to deny to certain
# hosts/services on the DMZ net.
# # TCP/UDP form: # "SRCIP1,SRCIP2,...>DESTIP1~port \ # SRCIP3,...>DESTIP2~port" # # IP form: # "SRCIP1,SRCIP2,...>DESTIP1~protocol \ # SRCIP3,...>DESTIP2~protocol" # # TCP/UDP examples: # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)): # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80" # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)): # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" # # IP protocol example: # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts): # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48" # # NOTE 1: If no SRCIPx is specified, any source host is used # NOTE 2: If no port is specified, any port is used # ----------------------------------------------------------------------------- INET_DMZ_HOST_DENY_TCP="" INET_DMZ_HOST_DENY_UDP="" INET_DMZ_HOST_DENY_IP="" ############################################################################### # DMZ_INET_xxx = DMZ->internet access rules (forward) # # # # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are # # NOT used, the default policy will be accept for DMZ->INET (unless denied # # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! # ############################################################################### # Disable this (set to "") to automatically set default policy as above. 
# When set to "1" the DMZ->INET default policy will always be DROP # When set to "0" the DMZ->INET default policy will always be ACCEPT # ----------------------------------------------------------------------------- DMZ_INET_DEFAULT_POLICY_DROP="" # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET # ----------------------------------------------------------------------------- DMZ_INET_OPEN_ICMP=1 # Put in the following variables the TCP/UDP ports or IP # protocols TO (remote end-point) which the DMZ hosts are # permitted to connect to via the external (internet) interface. # ----------------------------------------------------------------------------- DMZ_INET_OPEN_TCP="" DMZ_INET_OPEN_UDP="" DMZ_INET_OPEN_IP="" # Put in the following variables the TCP/UDP ports or IP protocols TO (remote # end-point) which the DMZ hosts are NOT permitted to connect to # via the external (internet) interface. Examples of usage are for blocking # IRC (TCP 6666:6669) for the internal network. # ----------------------------------------------------------------------------- DMZ_INET_DENY_TCP="" DMZ_INET_DENY_UDP="" DMZ_INET_DENY_IP="" # Put in the following variables which DMZ hosts you want to allow to certain # hosts/services on the internet. By default all services are allowed. 
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
# allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
# DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
# DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
# Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
# deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
# DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""

###############################################################################
# DMZ_LAN_xxx = DMZ->LAN access rules (forward)                                #
###############################################################################

# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
# -----------------------------------------------------------------------------
DMZ_LAN_OPEN_ICMP=0

# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the LAN (net).
#
# TCP/UDP form:
# "SRCIP1,SRCIP2,...>DESTIP1~port \
#  SRCIP3,...>DESTIP2~port"
#
# IP form:
# "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#  SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
# Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
# Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
# allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
# 1.2.3.4):
# DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
# (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
# DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# -----------------------------------------------------------------------------
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""

###############################################################################
# Firewall policies for the external (inet) interface (default policy = drop) #
###############################################################################

# Put in the following variable which hosts (subnets) you want to have full
# access via your internet (EXT_IF) connection(!). This is especially meant for
# networks/servers which use NIS/NFS, as these protocols require all ports
# to be open.
# NOTE: Don't mistake this variable with the one used for internal nets.
# -----------------------------------------------------------------------------
FULL_ACCESS_HOSTS=""

# Put in the following variable which TCP/UDP ports you don't want to
# see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
# to make this properly work you also need to set "EXTERNAL_NET"!
# -----------------------------------------------------------------------------
BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"

# Put in the following variables which hosts you want to allow for certain
# services.
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_OPEN_ICMP):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_NOLOG):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
# "host1 host2 ...."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain TCP/UDP ports.
# TCP/UDP port format (HOST_REJECT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain services but NOT logged.
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# -----------------------------------------------------------------------------
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""

# Put in the following variables which services THIS machine is NOT
# permitted to connect TO (remote end-point) via the external (internet)
# interface. For example for blocking IRC (tcp 6666:6669).
# -----------------------------------------------------------------------------
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

# Put in the following variables which hosts THIS machine is NOT
# permitted to connect TO for certain services (remote end-point)
# via the external (internet) interface. In principle you can also
# use this to put your machine in a "virtual-DMZ" by blocking all traffic
# to your local subnet.
# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_OUTPUT):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# -----------------------------------------------------------------------------
HOST_DENY_TCP_OUTPUT=""
HOST_DENY_UDP_OUTPUT=""
HOST_DENY_IP_OUTPUT=""

# Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# -----------------------------------------------------------------------------
OPEN_ICMP=0

# Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
# Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
# ----------------------------------------------------------------------------- OPEN_ICMPV6=1 # Put in the following variables which ports or IP protocols you want to leave # open to the whole world. # ----------------------------------------------------------------------------- OPEN_TCP="" OPEN_UDP="" OPEN_IP="" # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for # everyone (and logged). Also use these variables if you want to log connection # attempts to these ports from everyone (also trusted/full access hosts). # In principle you don't need these variables, as everything is already blocked # (denied) by default, but just exists for consistency. # ----------------------------------------------------------------------------- DENY_TCP="" DENY_UDP="" # Put in the following variables which ports you want to DENY(DROP) for # everyone but NOT logged. This is very useful if you have constant probes on # the same port(s) over and over again (code red worm) and don't want your logs # flooded with it. # ----------------------------------------------------------------------------- DENY_TCP_NOLOG="" DENY_UDP_NOLOG="" # Put in the following variables the TCP/UDP ports you want to REJECT (instead # of DROP) for everyone (and logged). # ----------------------------------------------------------------------------- REJECT_TCP="" REJECT_UDP="" # Put in the following variables the TCP/UDP ports you want to REJECT (instead # of DROP) for everyone but NOT logged. # ----------------------------------------------------------------------------- REJECT_TCP_NOLOG="" REJECT_UDP_NOLOG="" # Put in the following variable which hosts you want to block (blackhole, # dropping every packet from the host). # ----------------------------------------------------------------------------- BLOCK_HOSTS="" # Blocked Hosts are by default blocked in both Inbound and Outbound directions. # If only Inbound blocking is desired, set to 0 to disable bidirectional blocking. 
# ----------------------------------------------------------------------------- BLOCK_HOSTS_BIDIRECTIONAL=1 # Uncomment & specify here the location of the file that contains a list of # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file # should always contain a carriage-return (enter)! # ----------------------------------------------------------------------------- #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/0000755000000000000000000000000012055611116023576 5ustar rootrootarno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/ssh-brute-force-protection.conf0000644000000000000000000000301112055611115031633 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - SSH Brute Force Protection plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Specify here the port(s) you want the SSH checks to apply to. Note that this # plugin does NOT open the ports for you, this must be done in the main script # with eg. OPEN_TCP! 
# ------------------------------------------------------------------------------ SSH_BFP_PORTS="22" # Specify here the hosts you want to allow to bypass the SSH protection checks # ------------------------------------------------------------------------------ SSH_BFP_TRUSTED_HOSTS="" # 1st set of maximum allowed connection attempts # (default: 4 connections/60 seconds) # ------------------------------------------------------------------------------ SSH_BFP_MAX_RATE1="4" SSH_BFP_MAX_TIME1="60" # 2nd set of maximum allowed connection attempts # (default: 10 connections/1800 seconds) # ------------------------------------------------------------------------------ SSH_BFP_MAX_RATE2="10" SSH_BFP_MAX_TIME2="1800" # (EXPERT SETTING!) If ip6tables '-m recent' IPv6 support is not available: # Disable (0) if the kernel module xt_recent is not available, only IPv4 will be used. # ------------------------------------------------------------------------------ SSH_BFP_IPV6_ENABLE=1 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/transparent-dnat.conf0000644000000000000000000000166412055611115027740 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Transparent DNAT plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Specify here the internal IP of this host (the IP that will be redirected TO) # ------------------------------------------------------------------------------ DNAT_MY_INTERNAL_IP="" # Specify here the external IP (the IP that will be redirected FROM) # ------------------------------------------------------------------------------ DNAT_MY_EXTERNAL_IP="" # Specify here the ports you want to enable transparent DNAT for (multiple ports comma separated) # 
------------------------------------------------------------------------------ DNAT_TCP_PORTS="" DNAT_UDP_PORTS="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/nat-loopback.conf0000644000000000000000000000334512055611115027023 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - NAT Loopback plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # NAT Loopback for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP # rules. # Note: The default external IPv4 address is obtained from the first # interface defined in the EXT_IF variable. # # Limit local nets by defining NAT_LOOPBACK_NET, a space separated list. # Defaults to NAT_INTERNAL_NET if not defined. # # Example: # NAT_LOOPBACK_NET="192.168.1.0/24" # (IPv4 Only) # ------------------------------------------------------------------------------ NAT_LOOPBACK_NET="" # When local servers are in another LAN they are unreachable (by default) unless # FORWARD rules are created. When NAT_LOOPBACK_FORWARD is set to "1" the # FORWARD rules to the servers are created for all subnets in NAT_LOOPBACK_NET. # # Defaults to no added forwards if not set to "1" # ------------------------------------------------------------------------------ NAT_LOOPBACK_FORWARD=0 # When this plugin's status is called, if the default external IPv4 address # has changed, the NAT_LOOPBACK_DNAT and NAT_LOOPBACK_SNAT chains will be # updated with the new address. Set NAT_LOOPBACK_UPDATE_ON_STATUS to "0" # to disable this automatic update on status. 
# # Example: # $ arno-iptables-firewall status-plugins nat-loopback # # Defaults to update on status if not set to "0" # ------------------------------------------------------------------------------ NAT_LOOPBACK_UPDATE_ON_STATUS=1 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/outbound-snat.conf0000644000000000000000000000173012055611115027247 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Outbound SNAT plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # When a NAT'ed external interface has multiple IPv4 addresses, it may be # desirable to specify which internal IP's or CIDR's use which external # IPv4 addresses for outbound connections. # # Format: (space or comma separated) # "SRCIP1>VIAIP1 SRCIP2>VIAIP2 ... SRCIPn>VIAIPn" # # Note 1: SRCIP (internal) may be a single IP or CIDR address. 
# # Note 2: VIAIP (external) must be a single IP address # # Example: # OUTBOUND_SNAT_NET_HOST="192.168.1.20>1.2.3.10 192.168.10/24>1.2.3.11" # (IPv4 Only) # ------------------------------------------------------------------------------ OUTBOUND_SNAT_NET_HOST="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/traffic-shaper.conf0000644000000000000000000000375312055611115027352 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Traffic-Shaper plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # The external interface used to perform traffic shaping # ------------------------------------------------------------------------------ SHAPER_IF="$EXT_IF" # The next three parameters need to be configured. The rest can be used # as is, unless you have particular requirements. (These should be globals) # ------------------------------------------------------------------------------ DOWNLINK=3072 UPLINK=832 # Specify qdisc type: htb (default) or hfsc SHAPER_TYPE="htb" # Most users can leave the port classification as is. The notation signifies # the destination port on *outbound* traffic. Ports are prefixed by 'u' for # UDP and 't' for TCP. Ranges are given as 5060:5064. # # Additionally, packets tagged with DSCP classes EF, CS3, etc. # will be automatically placed with the proper priority. # ------------------------------------------------------------------------------ # Higher Priority - Streaming Media - VoIP (RTP, IAX2, etc.) SHAPER_STREAMINGMEDIA_PORTS="u4569 u1720 u1731" # High Priority - Interactive - Shell (ssh, telnet, X, Vnc, etc.) 
SHAPER_INTERACTIVE_PORTS="u53 t22 u1194 t3389 u5060:5064 t5900" # Medium Priority - Default (SIP-signaling) # Default, no ports defined # Low Priority - Bulk data transfer (HTTP, HTTPS, POP3, SMTP, FTP, etc.) SHAPER_BULKDATA_PORTS="t20 t21 t25 t80 t110 t137:139 u137:139 t143 t443 t465 t515 t993 t8080" # Lowest Priority - P2P (BitTorrent) SHAPER_P2P_PORTS="" # (EXPERT SETTING!) If there are servers running locally, include # the protocol/port from any of the above SHAPER PORTS to also match # on the source port in addition to the destination port. SHAPER_LOCAL_SERVER_PORTS="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/ids-protection.conf0000644000000000000000000000310612055611115027407 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - IDS Protection plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Interface(s) that should be protected by IDS. 
Default is all external interfaces # ------------------------------------------------------------------------------ IDS_INTERFACE="" # Specify here the hosts you want to allow to bypass the IDS protection checks # ------------------------------------------------------------------------------ IDS_TRUSTED_HOSTS="" # Specify here the TCP & UDP ports you like to exclude from IDS checking # ------------------------------------------------------------------------------ IDS_EXCLUDE_TCP="" IDS_EXCLUDE_UDP="" # 1st set of maximum allowed connection attempts (default: 4 connections/60 seconds) # ------------------------------------------------------------------------------ IDS_MAX_RATE1="4" IDS_MAX_TIME1="60" # 2nd set of maximum allowed connection attempts (default: 10 connections/1800 seconds) # ------------------------------------------------------------------------------ IDS_MAX_RATE2="10" IDS_MAX_TIME2="1800" # (EXPERT SETTING!) If ip6tables '-m recent' IPv6 support is not available: # Disable (0) if the kernel module xt_recent is not available, only IPv4 will be used. # ------------------------------------------------------------------------------ IDS_IPV6_ENABLE=1 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/pptp-vpn.conf0000644000000000000000000000435312055611115026235 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - PPTP VPN plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # ------------------------------------------------------------------------------ # PPTP VPN Server Support # Note: The PPP interface wildcard 'ppp+' is used, along with PPTP_VPN_NETS to # identify PPTP VPN traffic. 
# # If PPP interfaces are specified for the external interface, they will # automatically be excluded from the PPTP VPN interface list. Should EXT_IF # contain 'ppp+' this plugin will be disabled. # ------------------------------------------------------------------------------ # Define the local network on which PPTP remote clients appear, possibly # via proxyarp in an unused LAN/DMZ address range. # Examples: # 16 clients, 192.168.1.224-239 range, PPTP_VPN_NETS="192.168.1.224/28" # 8 clients, 192.168.1.232-239 range, PPTP_VPN_NETS="192.168.1.232/29" # 4 clients, 192.168.1.236-239 range, PPTP_VPN_NETS="192.168.1.236/30" # # PPTP_VPN_NETS must be defined to allow PPTP VPN traffic # ------------------------------------------------------------------------------ PPTP_VPN_NETS="" # Specify the external (tunnel) hosts that are allowed to connect to the PPTP VPN # service ports, any by default: # ------------------------------------------------------------------------------ PPTP_VPN_TUNNEL_HOSTS="0/0" # By default all valid PPTP VPN packets are allowed; use PPTP_VPN_ALLOW_HOSTS # and PPTP_VPN_DENY_HOSTS to restrict local PPTP VPN traffic. # # PPTP_VPN_ALLOW_HOSTS is used in conjunction with PPTP_VPN_DENY_HOSTS; otherwise # the default policy is to allow. 
# ------------------------------------------------------------------------------ PPTP_VPN_ALLOW_HOSTS="" # Deny PPTP VPN packets to specified hosts, networks # ------------------------------------------------------------------------------ PPTP_VPN_DENY_HOSTS="" # Enable (1) logging of denied PPTP VPN packets # ------------------------------------------------------------------------------ PPTP_VPN_DENY_LOG=0 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/traffic-accounting.conf0000644000000000000000000000250612055611115030215 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Traffic Accounting plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Enable this to call the helper script at start, so it has immediate effect # This only works if your network interface is already up and/or DNS services # are available. # ------------------------------------------------------------------------------ TRAFFIC_ACCOUNTING_RUN_AT_START=1 # Specify here the cron time(s) to execute the helper script (leave default # if you don't know what it is). # ------------------------------------------------------------------------------ TRAFFIC_ACCOUNTING_CRON="5 * * * *" # Set this option to use the hostcache generated by the DynDNS-plugin. This # allows monitoring dynamic IPs with static names # ------------------------------------------------------------------------------ TRAFFIC_ACCOUNTING_USE_HOST_CACHE=1 # Put in the following variables which hosts (names!) you want to do # accounting for (space separated). 
# ------------------------------------------------------------------------------ TRAFFIC_ACCOUNTING_HOSTS="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/transparent-proxy.conf0000644000000000000000000000111412055611115030161 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Transparent Proxy plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # (Transparent) proxy settings # ------------------------------------------------------------------------------ #HTTP_PROXY_PORT="3128" HTTPS_PROXY_PORT="" FTP_PROXY_PORT="" SMTP_PROXY_PORT="" POP3_PROXY_PORT="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/mac-address-filter.conf0000644000000000000000000000241412055611115030113 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - MAC Address Filter plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Specify interfaces that the MAC Addresses Filter is applied (eg. INT_IF) # ------------------------------------------------------------------------------ MAC_ADDRESS_IF="$INT_IF" # Enable logging for not-allowed MAC addresses (if used). # ----------------------------------------------------------------------------- MAC_ADDRESS_LOG=1 # Specify the location here of the file that contains the MAC addresses of the # hosts on the interfaces specified in "$MAC_ADDRESS_IF" that are allowed. 
# The MAC addresses should be written like 00:11:22:33:44:55 optionally followed # by a (space-separated) IP address, to lock the MAC address to a certain IP. # Each line should contain one MAC address (+optional IP address) and the last # line should contain a carriage-return! # ----------------------------------------------------------------------------- MAC_ADDRESS_FILE="/etc/arno-iptables-firewall/mac-addresses" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/rpc.conf0000644000000000000000000000114112055611115025225 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - RPC plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # RPC services to enable # ------------------------------------------------------------------------------ RPC_SERVICES="" # Nets to allow for RPC services # ------------------------------------------------------------------------------ RPC_NETS=""arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/dyndns-host-open.conf0000644000000000000000000000403312055611115027655 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - DynDNS Host Open plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Enable this to call the helper script at start, so it has immediate effect # This only works if your network interface is already up and/or DNS services # are available. 
# ------------------------------------------------------------------------------ DYNDNS_RUN_AT_START=1 # Specify here the cron time(s) to execute the helper script (leave default # if you don't know what it is). # ------------------------------------------------------------------------------ DYNDNS_HOST_OPEN_CRON="0,15,30,45 * * * *" # Enable this option to "fast-fail" when performing DNS queries. When enabled # a query is only tried once and times out after 1 second # ------------------------------------------------------------------------------ DYNDNS_DNS_FAST_FAIL=0 # This option allows the plugin to fall back on the "old" cache in case the # hostname can't be resolved # ------------------------------------------------------------------------------ DYNDNS_OLD_CACHE_FALLBACK=1 # Put in the following variables which (dyndns) hosts (names) you want to allow # for certain services. # TCP/UDP port format (DYNDNS_HOST_OPEN_TCP & DYNDNS_HOST_OPEN_UDP): # "host1,host2~port1,port2 host3,host4~port3,port4 ..." # # IP protocol format (DYNDNS_HOST_OPEN_IP): # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..." # # ICMP protocol format (DYNDNS_HOST_OPEN_ICMP): # "host1 host2 ...." # ------------------------------------------------------------------------------ DYNDNS_HOST_OPEN_TCP="" DYNDNS_HOST_OPEN_UDP="" DYNDNS_HOST_OPEN_IP="" DYNDNS_HOST_OPEN_ICMP="" # Additional DynDNS hosts you want to store in the name cache for later use by # eg. 
DynDNS-compatible plugins DYNDNS_HOST_MISC="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/linux-upnp-igd.conf0000644000000000000000000000075312055611115027331 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Linux UPnP IGD plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # We don't have parameters for now... # ------------------------------------------------------------------------------ arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/ipsec-vpn.conf0000644000000000000000000000170312055611115026351 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - IPsec VPN plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # Specify here both the local & remote subnets that participate in the VPN. # If no networks are named, then all are implicitly allowed (i.e. 0/0). 
# ------------------------------------------------------------------------------ IPSEC_VPN_NETS="" # Specify here the inet-hosts that are allowed to connect to the ipsec service # ports: # ------------------------------------------------------------------------------ IPSEC_ALLOWED_HOSTS="0/0" # To enable UDP-encapsulation for NAT traversal: # ------------------------------------------------------------------------------ IPSEC_NAT_TRAVERSAL=0 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/dmz-dnat.conf0000644000000000000000000000100612055611115026157 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - DMZ-host port forwarding plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # The host which receives traffic by default # ------------------------------------------------------------------------------ DMZ_IP="" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/multiroute.conf0000644000000000000000000000231012055611115026651 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Multirouting plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # RP_FILTER settings (Only set this to 0, if you know what you're doing) # ------------------------------------------------------------------------------ RP_FILTER_DISABLE=1 # Settings for the first interface: # ------------------------------------------------------------------------------ MULTIROUTE_EXT_IF1=eth0 MULTIROUTE_EXT_ROUTER1=1.2.3.5 MULTIROUTE_EXT_IP1=5.6.7.9 MULTIROUTE_EXT_WEIGHT1=1 # 
Settings for the second interface: # ------------------------------------------------------------------------------ MULTIROUTE_EXT_IF2=eth1 MULTIROUTE_EXT_ROUTER2=1.2.3.4 MULTIROUTE_EXT_IP2=5.6.7.8 MULTIROUTE_EXT_WEIGHT2=1 # Optional settings if you also use an internal interface (for your LAN/gateway) # ------------------------------------------------------------------------------ MULTIROUTE_INT_IP=192.168.0.1 MULTIROUTE_INT_NET=192.168.0.0/24 arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/dsl-ppp-modem.conf0000644000000000000000000000453012055611115027124 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - Transparent DNAT plugin =- # ------------------------------------------------------------------------------ ############################################################################### # (ADSL) Modem settings # # # # The MODEM_xxx options should (only) be used when you have an ((A)DSL) # # modem which works with a ppp-connection between the modem and the # # host the modem is connected to. # # # # You can check whether this applies for your (hardware) setup with # # 'ifconfig' (a 'ppp' device is shown). # # This means that if your modem is bridging (or is a NAT router), or the # # network interface the modem is connected to doesn't have an IP, you # # should leave the MODEM_xxx options disabled (=default)! # ############################################################################### # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # The physical(!) network interface your ADSL modem is connected to (this is # not ppp0!). # ------------------------------------------------------------------------------ #MODEM_IF="eth1" # (optional) The IP of the network interface (MODEM_IF) your ADSL modem is # connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig'). 
# ------------------------------------------------------------------------------ #MODEM_IF_IP="10.0.0.150" # (optional) The IP of your (A)DSL modem itself. # ------------------------------------------------------------------------------ #MODEM_IP="10.0.0.138" # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should # have access to the (A)DSL modem itself (manage modem settings, if supported # by your modem!). The default setting ("$INTERNAL_NET") allows access from # everybody on your LAN. # ------------------------------------------------------------------------------ #MODEM_INTERNAL_NET="$INTERNAL_NET" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/sip-voip.conf0000644000000000000000000000145212055611115026214 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - SIP-VOIP plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # This plugin automatically opens inbound RTP voice ports by tracking # the inbound (INET) SIP sessions. 
# # Specify the UDP port(s) for SIP (default is 5060) # ------------------------------------------------------------------------------ SIP_VOIP_PORTS="5060" # Specify the allowed remote hosts(s) for SIP (default is all hosts) # ------------------------------------------------------------------------------ SIP_VOIP_REMOTE_HOSTS="0/0" arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/plugins/ipv6-over-ipv4.conf0000644000000000000000000000162512055611115027165 0ustar rootroot# ------------------------------------------------------------------------------ # -= Arno's iptables firewall - IPv6-over-IPv4 plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # The IPv4 address of the IPv6 tunnel server # For a 6in4 static tunnel define with the remote IPv4 address # For a 6to4 relay tunnel define with 0/0 # ------------------------------------------------------------------------------ IPV6_OVER_IPV4_SERVER="0/0" # The external interface(s) to allow IPv4 packets for the IPv6 tunnel # ------------------------------------------------------------------------------ IPV6_OVER_IPV4_IF="" # Note: Be sure to add the IPv6 tunnel interface (ex. he-ipv6) to the EXT_IF # variable in your configuration. 
arno-iptables-firewall_2.0.1d/etc/arno-iptables-firewall/custom-rules0000644000000000000000000000014612055611115024502 0ustar rootroot# Put any custom (iptables) rules here down below: ################################################## arno-iptables-firewall_2.0.1d/etc/init.d/0000755000000000000000000000000012055611116016737 5ustar rootrootarno-iptables-firewall_2.0.1d/etc/init.d/arno-iptables-firewall0000755000000000000000000000332612055611115023233 0ustar rootroot#!/bin/sh # # chkconfig: 2345 11 89 # description: init.d script for Arno's iptables firewall ### BEGIN INIT INFO # Provides: arno-iptables-firewall # Required-Start: $local_fs $remote_fs $network # Required-Stop: $local_fs $remote_fs $network # Default-Start: S # Default-Stop: 0 6 # Short-Description: Setup iptables firewall configuration ### END INIT INFO ############################################################################################ # You should put this script in eg. "/etc/init.d/" . # # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it # # If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # # (for eg. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script # # ("ln -s /etc/init.d/arno-iptables-firewall S99arno-iptables-firewall"). # ############################################################################################ PATH=/bin:/usr/bin:/sbin:/usr/sbin PROGRAM="/usr/local/sbin/arno-iptables-firewall" # Be verbose(1)?: VERBOSE=0 test -x $PROGRAM || exit 0 if [ "$VERBOSE" = "0" ]; then case "$1" in start) echo "Starting Arno's Iptables Firewall..." ;; stop) echo "Stopping Arno's Iptables Firewall..." ;; restart) echo "Restarting Arno's Iptables Firewall..." ;; force-reload) echo "(Forced) reloading Arno's Iptables Firewall..." ;; status) $PROGRAM $* exit $? ;; *) $PROGRAM exit 1 ;; esac # Call firewall script: result=`$PROGRAM $*` retval=$? else $PROGRAM $* retval=$? 
fi # Return value: exit $retval arno-iptables-firewall_2.0.1d/configure.sh0000755000000000000000000002057212055611115017324 0ustar rootroot#!/bin/bash MY_VERSION="1.02d" # ------------------------------------------------------------------------------------------ # -= Arno's iptables firewall =- # Single- & multi-homed firewall script with DSL/ADSL support # # ~ In memory of my dear father ~ # # (C) Copyright 2001-2011 by Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------------------ # Check if the environment file exists and if so, load it ######################################################### if [ -f ./share/arno-iptables-firewall/environment ]; then . 
./share/arno-iptables-firewall/environment else printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2 exit 2 fi # Allow user to override firewall.conf location (undocumented) FIREWALL_CONF=${1:-/etc/arno-iptables-firewall/firewall.conf} sanity_check() { # root check if [ "$(id -u)" != "0" ]; then printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2 exit 1 fi check_command_error sed check_command_error chmod check_command_error chown check_command_error cp check_command_error ln check_command_error rm check_command_error ip check_command_error cut check_command_error diff check_command_error sed } change_conf_var() { if ! grep -E -q "^#?$2=" "$1"; then printf "\033[40m\033[1;31mERROR: Variable \"$2\" not found in \"$1\". File is probably outdated!\033[0m\n" >&2 elif [ -n "$3" ]; then sed -i -e "s~^#\?$2=.*$~$2=\"$3\"~" "$1" fi } get_conf_var() { printf "$1 " read answer if [ -z "$answer" ]; then if [ -n "$4" ]; then # echo "$4" change_conf_var "$2" "$3" "$4" # else # echo "(None)" fi else change_conf_var "$2" "$3" "$answer" fi return 0 } get_user_yn() { printf "$1 " read -s -n1 answer if [ "$answer" = "y" -o "$answer" = "Y" ]; then echo "Yes" return 0 fi if [ "$answer" = "n" -o "$answer" = "N" ]; then echo "No" return 1 fi # Fallback to default if [ "$2" = "y" ]; then echo "Yes" return 0 else echo "No" return 1 fi } verify_interfaces() { if [ -z "$1" ]; then if ! get_user_yn "No interface(s) specified. These are required! Continue anyway(Y/N)?" "n"; then return 1 fi fi IFS=' ,' for interface in $1; do if ! check_interface $interface; then if ! get_user_yn "Interface \"$interface\" does not exist (yet). Continue anyway(Y/N)?" 
"n"; then return 1 fi fi done return 0 } setup_conf_file() { # Create backup of old config cp -fvb "$FIREWALL_CONF" /etc/arno-iptables-firewall.conf.bak printf "We will now setup the most basic settings of the firewall\n\n" while true; do printf "What is your external (aka. internet) interface (multiple interfaces should be comma separated)? " read EXT_IF if verify_interfaces $EXT_IF; then change_conf_var "$FIREWALL_CONF" "EXT_IF" "$EXT_IF" break fi done if get_user_yn "Does your external interface get its IP through DHCP (Y/N)?" "n"; then change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "1" else change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "0" fi if get_user_yn "Do you want to enable IPv6 support (Y/N)?" "y"; then change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "1" else change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "0" fi if get_user_yn "Do you want to be pingable from the internet (Y/N)?" "n"; then change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "1" else change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "0" fi get_conf_var "Which TCP ports do you want to allow from the internet? (eg. 22=SSH, 80=HTTP, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_TCP" "" get_conf_var "Which UDP ports do you want to allow from the internet? (eg. 53=DNS, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_UDP" "" if get_user_yn "Do you have an internal(aka LAN) interface that you want to setup (Y/N)?" "n"; then while true; do printf "What is your internal interface (aka. LAN interface)? 
" read INT_IF if verify_interfaces $INT_IF; then change_conf_var "$FIREWALL_CONF" "INT_IF" "$INT_IF" local INTERNAL_NET="" local INT_NET_BCAST_ADDRESS="" IFS=' ,' for interface in $INT_IF; do INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$(get_network_ipv4_address_mask $interface)" INT_NET_BCAST_ADDRESS="$INT_NET_BCAST_ADDRESS${INT_NET_BCAST_ADDRESS:+ }$(get_network_ipv4_broadcast $interface)" done if [ -n "$INTERNAL_NET" ] && [ -n "$INT_NET_BCAST_ADDRESS" ]; then echo "* Auto-detected internal IPv4 net(s): $INTERNAL_NET" echo "* Auto-detected internal IPv4 broadcast address(es): $INT_NET_BCAST_ADDRESS" change_conf_var "$FIREWALL_CONF" "INTERNAL_NET" "$INTERNAL_NET" change_conf_var "$FIREWALL_CONF" "INT_NET_BCAST_ADDRESS" "$INT_NET_BCAST_ADDRESS" if get_user_yn "Do you want to enable NAT/masquerading for your internal subnet (Y/N)?" "n"; then change_conf_var "$FIREWALL_CONF" "NAT" "1" change_conf_var "$FIREWALL_CONF" "NAT_INTERNAL_NET" '\$INTERNAL_NET' else change_conf_var "$FIREWALL_CONF" "NAT" "0" fi fi break fi done fi # Set root ownership and the correct permissions on the init script and the config file (the config file is made readable by root only) chmod 755 /etc/init.d/arno-iptables-firewall chown 0:0 "$FIREWALL_CONF" /etc/init.d/arno-iptables-firewall chmod 600 "$FIREWALL_CONF" } # main line: AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")" printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$AIF_VERSION\033[0m\n" printf "Configure Script v$MY_VERSION\n" echo "-------------------------------------------------------------------------------" sanity_check; # Remove any existing rc*.d symlinks out of the way rm -f /etc/rc*.d/*arno-iptables-firewall if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/) (Y/N)?" "y"; then if [ -d /etc/rcS.d ]; then ln -sv /etc/init.d/arno-iptables-firewall /etc/rcS.d/S41arno-iptables-firewall else ln -sv /etc/init.d/arno-iptables-firewall /etc/rc2.d/S11arno-iptables-firewall fi # Check for insserv. 
Used for dependency based booting on eg. Debian INSSERV="$(find_command /sbin/insserv)" if [ -n "$INSSERV" ]; then "$INSSERV" arno-iptables-firewall fi fi if get_user_yn "Do you want the init script to be verbose (print out what it's doing) (Y/N)?" "n"; then change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "1" else change_conf_var /etc/init.d/arno-iptables-firewall "VERBOSE" "0" fi if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then if get_user_yn "Your firewall.conf is not configured yet.\nDo you want me to help you setup a basic configuration (Y/N)?" "y"; then setup_conf_file; else echo "* Skipped" fi else if get_user_yn "Your firewall.conf looks already customized.\nModify configuration (Y/N)?" "n"; then setup_conf_file; else echo "* Skipped" fi fi echo "" echo "** Configuration done **" echo "" exit 0 arno-iptables-firewall_2.0.1d/gpl_license.txt0000644000000000000000000004313212055611115020026 0ustar rootroot GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. 
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. 
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. 
arno-iptables-firewall_2.0.1d/uninstall.sh0000755000000000000000000000613612055611115017354 0ustar rootroot#!/bin/bash MY_VERSION="1.0a" # ------------------------------------------------------------------------------------------ # -= Arno's iptables firewall =- # Single- & multi-homed firewall script with DSL/ADSL support # # ~ In memory of my dear father ~ # # (C) Copyright 2001-2012 by Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------------------ sanity_check() { # root check if [ "$(id -u)" != "0" ]; then printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! 
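Quitting...\033[0m\n" >&2
    exit 1
  fi
}

#######################################
# Ask a yes/no question and wait for a single keypress.
# Arguments: $1 - prompt text; backslash escapes such as \n are still
#                 honoured (printf %b), but the text is never used as the
#                 printf format string itself
#            $2 - default answer ("y" or "n") used when the user just hits
#                 Enter or stdin is at EOF (read then leaves answer empty)
# Outputs:   the prompt followed by "Yes" or "No" on stdout
# Returns:   0 for yes, 1 for no; any other key re-reads until one of
#            y/Y/n/N (or the default) is seen
#######################################
get_user_yn()
{
  printf '%b ' "$1"

  while true; do
    # -r: a typed backslash is an ordinary character, not an escape
    read -r -s -n1 answer

    # Fallback to default
    if [ -z "$answer" ]; then
      answer="$2"
    fi

    case "$answer" in
      y|Y)
        echo "Yes"
        return 0
        ;;
      n|N)
        echo "No"
        return 1
        ;;
    esac
  done
}

# main line:
# Extract the firewall's MY_VERSION from the installed-from source tree
# (relative path: must be run from the unpacked tarball directory)
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$AIF_VERSION\033[0m\n"
printf "Uninstall Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"

sanity_check;

# Default is "no": an unattended run (no keypress) aborts here
if ! get_user_yn "Continue uninstall (Y/N)? " "n"; then
  echo "*Uninstall aborted!"
  exit 1
fi

# Binaries, shared files, man pages and the init script
rm -fv /usr/local/sbin/arno-iptables-firewall
rm -fv /usr/local/sbin/arno-fwfilter
rm -fv /usr/local/bin/arno-fwfilter
rm -rfv /usr/local/share/arno-iptables-firewall
rm -fv /usr/local/share/man/man8/arno-iptables-firewall.8.gz
rm -fv /usr/local/share/man/man8/arno-fwfilter.1.gz
rm -fv /etc/init.d/arno-iptables-firewall
# Glob over all runlevel dirs: the boot symlinks created by install.sh
rm -fv /etc/rc*.d/*arno-iptables-firewall

# Config files are kept unless explicitly confirmed (default "no")
if get_user_yn "Also remove ALL configuration files from /etc/arno-iptables-firewall/ (Y/N)?"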
"n"; then rm -rfv /etc/arno-iptables-firewall else echo "* Skipped" fi echo "" echo "** Uninstall done **" echo "" exit 0 arno-iptables-firewall_2.0.1d/bin/0000755000000000000000000000000012055611116015547 5ustar rootrootarno-iptables-firewall_2.0.1d/bin/arno-iptables-firewall0000755000000000000000000057315012055611115022052 0ustar rootroot#!/bin/sh MY_VERSION="2.0.1d" # Location of the main configuration file for the firewall ########################################################## CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf # ------------------------------------------------------------------------------ # -= Arno's iptables firewall =- # Single- & multi-homed firewall script with DSL/ADSL support # # ~ In memory of my dear father ~ # # (C) Copyright 2001-2012 by Arno van Amersfoort # Co-authors : Lonnie Abelbeck & Philip Prindeville # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------

# Banner; MY_VERSION is set at the top of this file
printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$MY_VERSION\033[0m\n"
echo "-------------------------------------------------------------------------------"

# Check if the main config file exists and if so load it
# NOTE: the config file is *sourced*, i.e. executed as shell code by this
# script, which is meant to run as root (see sanity_check below). It must
# therefore be owned by root and not writable by anyone else; the installer
# sets it to mode 0600.
########################################################
if [ -e "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
else
  printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" >&2
  printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
# ENV_FILE normally comes from the config file just sourced; when it is not
# set, fall back to the two standard install locations. The environment file
# is sourced as well, so the same ownership/permission rules apply to it.
#########################################################
if [ -z "$ENV_FILE" ]; then
  if [ -f /usr/local/share/arno-iptables-firewall/environment ]; then
    ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
  else
    if [ -f /usr/share/arno-iptables-firewall/environment ]; then
      ENV_FILE="/usr/share/arno-iptables-firewall/environment"
    else
      printf "\033[40m\033[1;31mERROR: The environment file (ENV_FILE) has not been specified\033[0m\n" >&2
      printf "\033[40m\033[1;31m in the configuration file. Try upgrading your config-file!\033[0m\n" >&2
      exit 2
    fi
  fi
fi

if [ -e "$ENV_FILE" ]; then
  . "$ENV_FILE"
else
  # NOTE(review): ENV_FILE comes from the config and is expanded inside the
  # printf format string; a path containing '%' would be mis-rendered here
  printf "\033[40m\033[1;31mERROR: Could not read environment file \"$ENV_FILE\"!\033[0m\n" >&2
  printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
  exit 2
fi

#######################################
# Abort unless the script runs as root, then check that the required tools
# are available. check_command_error, check_command_warning and
# kernel_ver_chk are not defined in this file (presumably provided by the
# sourced environment file); from their names check_command_error is
# expected to abort on a missing tool and check_command_warning only to
# warn - confirm against the environment file.
# Globals:   IPV6_DETECTED, IPV6_SUPPORT (read)
# Arguments: none
# Outputs:   errors/warnings on stderr
# Returns:   exit 1 when not running as root; otherwise returns normally
#######################################
sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi

  # Check whether the required binaries exist and are executable
  ##############################################################
  check_command_error iptables
  # ip6tables is only needed when the environment detected IPv6
  if [ "$IPV6_DETECTED" = "1" ]; then
    check_command_error ip6tables
  fi
  check_command_error awk
  check_command_error tr
  check_command_error ip
  check_command_error cut
  check_command_error uname
  check_command_error sed
  check_command_error cat
  check_command_error date
  check_command_error modprobe
  check_command_error sysctl
  check_command_error head
  check_command_error tail
  check_command_error wc
  check_command_error logger
  # A DNS resolver is optional: either dig or nslookup, warning only
  check_command_warning dig nslookup

  # IPv6 filtering on pre-2.6.24 kernels is only warned about, not refused
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if ! kernel_ver_chk 2 6 24; then
      printf "\033[40m\033[1;31mWARNING: IPv6 support is enabled but your kernel is rather old (<2.6.24)! This *could* cause problems...\033[0m\n" >&2
    fi
  fi
}

#######################################
# Validate the interface settings read from the config file.
# The interface variables are comma and/or space separated lists, so IFS is
# set to ' ,' and the variables are expanded unquoted on purpose to split
# them. IFS is not reset anywhere in this function. check_interface is not
# defined in this file (presumably provided by the sourced environment file).
# Globals:   EXT_IF, INT_IF, DMZ_IF, TRUSTED_IF (read), IFS (written)
# Arguments: none
# Outputs:   warnings and errors on stderr
# Returns:   exit 2 (EXT_IF empty), 3 (an interface is in both EXT_IF and
#            INT_IF), 6/7 (loopback used as external/internal interface);
#            further checks and exit codes follow in the rest of the function
#######################################
config_check()
{
  # Make sure EXT_IF != ""
  ########################
  if [ -z "$EXT_IF" ]; then
    printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" >&2
    exit 2
  fi

  # Check whether EXT_IF exists (warning only: the device may appear later,
  # e.g. a PPP/DSL link)
  #############################
  IFS=' ,'
  for interface in $EXT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: External interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether INT_IF exists
  #############################
  IFS=' ,'
  for interface in $INT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Internal interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether DMZ_IF exists
  #############################
  IFS=' ,'
  for interface in $DMZ_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: DMZ interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether TRUSTED_IF exists
  #################################
  IFS=' ,'
  for interface in $TRUSTED_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Trusted interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Make sure INT_IF != EXT_IF: an interface that is both "internal" and
  # "external" would get the trusted rules applied to internet traffic
  ############################
  IFS=' ,'
  for eif in $EXT_IF; do
    for iif in $INT_IF; do
      if [ "$iif" = "$eif" ]; then
        printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" >&2
        printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" >&2
        exit 3
      fi
    done
  done

  # Make sure EXT_IF != lo / 127.0.0.1 (plain string comparison on the
  # configured names)
  ####################################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "lo" -o "$eif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" >&2
      printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" >&2
      exit 6
    fi
  done

  # Make sure INT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "lo" -o "$iif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" >&2
      printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" >&2
      exit 7
    fi
  done

  # If support for an DHCP server serving an external net is enabled, we
  # also need to know what the external net is.
  ##########################################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    exit 10
  fi

  # We can only perform NAT if NAT_INTERNAL_NET is defined
  if [ "$NAT" = "1" -a -z "$NAT_INTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" >&2
    exit 11
  fi

  # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set
  ##########################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    exit 12
  fi

  # Warn if no_broadcast variables are used and external net is NOT defined
  # (warning only: the firewall still starts)
  ##########################################################################
  if [ -n "$BROADCAST_TCP_NOLOG" -o -n "$BROADCAST_UDP_NOLOG" ]; then
    if [ -z "$EXTERNAL_NET" -a -z "$EXT_NET_BCAST_ADDRESS" ]; then
      printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but EXTERNAL_NET and EXT_NET_BCAST_ADDRESS\033[0m\n" >&2
      printf "\033[40m\033[1;31m have NOT been defined!\033[0m\n" >&2
    fi
  fi

  # Check whether we know the plugin binary path
  ##############################################
  if [ ! -d "$PLUGIN_BIN_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_BIN_PATH ($PLUGIN_BIN_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    exit 2
  fi

  # Check whether we know the plugin config path
  ##############################################
  if [ ! -d "$PLUGIN_CONF_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_CONF_PATH ($PLUGIN_CONF_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    exit 2
  fi
}

#######################################
# Load the netfilter/iptables kernel modules the firewall rules rely on.
# modprobe_multi is not defined in this file (presumably provided by the
# sourced environment file; judging by its arguments it tries the listed
# alternative/legacy module names in turn - confirm). The exit status of
# the modprobe calls is not checked here.
# Globals:   IPV6_SUPPORT, SET_MSS, MANGLE_TOS, PACKET_TTL, TTL_INC, NAT,
#            NAT_FORWARD_TCP/UDP/IP, NAT_STATIC_IP, USE_IRC (read)
#            IFS (unset), INDENT (written; presumably read by the helpers
#            for output indentation - confirm)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 (status of the final echo)
#######################################
load_modules()
{
  # Restore default word splitting (config_check leaves IFS at ' ,')
  unset IFS

  # Set indent for functions
  INDENT=' '

  echo "Checking/probing Iptables modules:"

  # Required; all IPv4 modules depend on this one
  modprobe ip_tables
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6_tables
  fi

  # Allows connection tracking state match, which allows you to
  # write rules matching the state of a connection
  modprobe_multi nf_conntrack ip_conntrack
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe nf_conntrack_ipv6
  fi

  # Permits active FTP; requires ip_conntrack
  modprobe_multi nf_conntrack_ftp ip_conntrack_ftp

  # Allows tracking for various protocols, placing entries in the conntrack table etc.
  # (the "ipt_*,ip6t_*" form hands both legacy names to modprobe_multi)
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_conntrack "ipt_conntrack,ip6t_conntrack"
  else
    modprobe_multi xt_conntrack ipt_conntrack
  fi

  # Allows log limits
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_limit "ipt_limit,ip6t_limit"
  else
    modprobe_multi xt_limit ipt_limit
  fi

  # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_state "ipt_state,ip6t_state"
  else
    modprobe_multi xt_state ipt_state
  fi

  # Allows packet specifications on multiple ports
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_multiport "ipt_multiport,ip6t_multiport"
  else
    modprobe_multi xt_multiport ipt_multiport
  fi

  # Implement the filter table:
  modprobe iptable_filter
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_filter
  fi

  # Implement the mangle table
  modprobe iptable_mangle
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_mangle
  fi

  # Implement the REJECT target
  modprobe ipt_REJECT
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6t_REJECT
  fi

  # Implement the LOG target
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_LOG "ipt_LOG,ip6t_LOG"
  else
    modprobe_multi xt_LOG ipt_LOG
  fi

  # Optional targets: only loaded when the matching feature is enabled
  if [ "$SET_MSS" != "0" ]; then
    # Implement the TCPMSS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_TCPMSS "ipt_TCPMSS,ip6t_TCPMSS"
    else
      modprobe_multi xt_TCPMSS ipt_TCPMSS
    fi
  fi

  if [ "$MANGLE_TOS" != "0" ]; then
    # Implement the TOS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_DSCP "ipt_DSCP,ip6t_DSCP" "ipt_TOS,ip6t_TOS"
    else
      modprobe_multi xt_DSCP ipt_DSCP ipt_TOS
    fi
  fi

  if [ "$PACKET_TTL" = "1" -o "$TTL_INC" = "1" ]; then
    # Load the TTL target:
    modprobe ipt_TTL
  fi

  # (Currently) unused modules:
  # modprobe ipt_addrtype # Allows matching src/dst address type (BROKEN!)
  # modprobe ipt_pkttype # Permits checking for packet type (BROADCAST, MULTICAST etc.) (BROKEN!)
  # modprobe ip_queue # Allows queuing packets to user space
  # modprobe ipt_owner # Permits user/group checking on OUTPUT packets
  # modprobe ipt_mark # Allows use of mark match
  # modprobe ip_conntrack_egg

  # Implement the NAT table (loaded unconditionally; the NAT helpers below
  # only when NAT or port forwarding is configured)
  modprobe iptable_nat

  if [ "$NAT" = "1" -o -n "$NAT_FORWARD_TCP" -o -n "$NAT_FORWARD_UDP" -o -n "$NAT_FORWARD_IP" ]; then
    # Load the module implementing DNAT/SNAT/NAT support
    modprobe_multi nf_nat ip_nat
  fi

  if [ "$NAT" = "1" ]; then
    modprobe_multi nf_nat_ftp ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack & iptable_nat

    # Without a static external IP, SNAT is done via MASQUERADE
    if [ -z "$NAT_STATIC_IP" ]; then
      # Load the MASQUERADE target:
      modprobe ipt_MASQUERADE
    fi
  fi

  if [ "$USE_IRC" = "1" ]; then
    # echo "Enabling IRC DCC module support..."
    modprobe_multi nf_conntrack_irc ip_conntrack_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001
    if [ "$NAT" = "1" ]; then
      modprobe_multi nf_nat_irc ip_nat_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001
    fi
  fi

  echo " Module check done..."
}

#######################################
# Remove stale state files and optionally quieten kernel console logging.
# Globals:   PLUGIN_LOAD_FILE_RESTART, HOST_CACHE_FILE, DMESG_PANIC_ONLY (read)
# Arguments: none
# Outputs:   one status line on stdout when DMESG_PANIC_ONLY=1
# Returns:   0
#######################################
setup_misc()
{
  # Remove any stale plugin restart file (quoted so an unset variable can
  # never turn this into a bare "rm -f")
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  # Remove stale host-cache file
  rm -f "$HOST_CACHE_FILE"

  # Most people don't want to get any firewall logs being spit to the console.
  # "dmesg -n 1" only lowers the console log level (what the kernel prints on
  # the console); messages still reach the ring buffer and hence dmesg/syslog,
  # so firewall LOG entries remain available for monitoring. Note that dmesg
  # is not among the tools checked by sanity_check.
  if [ "$DMESG_PANIC_ONLY" = "1" ]; then
    echo "Setting the kernel ring buffer to only log panic messages to the console"
    # dmesg -c # Clear ring buffer
    dmesg -n 1 # Only show panic messages on the console
  fi
}

#######################################
# Apply sysctl/kernel parameters for the firewall (continues below).
# sysctl_multi is not defined in this file (presumably provided by the
# sourced environment file).
# Globals:   CONNTRACK (read), INDENT (written)
#######################################
setup_kernel_settings()
{
  # Set INDENT value for functions
  INDENT=' '

  echo "Configuring general kernel parameters:"

  # Set the maximum number of connections to track.
  # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192
  # possible entries, 256 MB of RAM --> 16376 possible entries, etc...
  # Only applied when CONNTRACK is set and not "0" (otherwise the kernel default stays)
  #######################################################################################
  if [ -n "$CONNTRACK" -a "$CONNTRACK" != "0" ]; then
    echo " Setting the max.
amount of simultaneous connections to $CONNTRACK" sysctl_multi -w net.nf_conntrack_max=$CONNTRACK \ net.ipv4.netfilter.ip_conntrack_max=$CONNTRACK \ net.ipv4.ip_conntrack_max=$CONNTRACK fi # Change some default timings to fix false logs generated by "lost connections" # Defaults: # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout # echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream # echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close # echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout # echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout ############################################################################### # echo " Setting default conntrack timeouts" # This is to fix issues with DNS: sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout=60 \ net.ipv4.netfilter.ip_conntrack_udp_timeout=60 # sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout_stream=180 \ # net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT) # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27 sysctl -w net.netfilter.nf_conntrack_acct=1 2>/dev/null # Always set IPv4 options for IPv4 or IPv4/IPv6 ###################################################### echo "Configuring kernel parameters:" # Disable ICMP send_redirect ############################ echo " Disabling send redirects" 
sysctl_set_all "net.ipv4.conf" "send_redirects" 0 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "send_redirects" 0 fi # Don't accept source routed packets. # Attackers can use source routing to generate # traffic pretending to be from inside your network, but which is routed back along # the path from which it came, namely outside, so attackers can compromise your # network. Source routing is rarely used for legitimate purposes. ################################################################################### if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then echo " DISABLING protection against source routed packets" sysctl_set_all "net.ipv4.conf" "accept_source_route" 1 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "accept_source_route" 1 fi else echo " Enabling protection against source routed packets" sysctl_set_all "net.ipv4.conf" "accept_source_route" 0 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "accept_source_route" 0 fi fi # ICMP Broadcasting protection (smurf amplifier protection) ########################################################### sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ICMP Dead Error Messages protection ##################################### sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # IP forwarding (need it to perform for example NAT) #################################################### if [ "$IP_FORWARDING" = "1" ]; then echo " Enabling packet forwarding" sysctl_set_all "net.ipv4.conf" "forwarding" 1 || sysctl -w net.ipv4.ip_forward=1 || { printf "\033[40m\033[1;31m WARNING: net.ipv4.conf.*.forwarding (or net.ipv4.ip_forward) could not be set! 
If you're using\033[0m\n" >&2 printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" >&2 } if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "forwarding" 1 echo " Disabling Local IPv6 Auto-Configuration" sysctl_set_all "net.ipv6.conf" "autoconf" 0 sysctl_set_all "net.ipv6.conf" "accept_ra" 0 fi elif [ "$IP_FORWARDING" = "0" ]; then echo " DISABLING packet forwarding" sysctl_set_all "net.ipv4.conf" "forwarding" 0 2>/dev/null || sysctl -w -e net.ipv4.ip_forward=0 2>/dev/null if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "forwarding" 0 2>/dev/null if [ "$IPV6_AUTO_CONFIGURATION" != "0" ]; then echo " Enabling IPv6 Auto-Configuration" sysctl_set_all "net.ipv6.conf" "autoconf" 1 sysctl_set_all "net.ipv6.conf" "accept_ra" 1 else echo " DISABLING IPv6 Auto-Configuration" sysctl_set_all "net.ipv6.conf" "autoconf" 0 sysctl_set_all "net.ipv6.conf" "accept_ra" 0 fi fi fi # Enable some general settings ############################## echo " Setting some kernel performance options" sysctl -w net.ipv4.tcp_window_scaling=1 sysctl -w net.ipv4.tcp_timestamps=1 sysctl -w net.ipv4.tcp_sack=1 sysctl -w net.ipv4.tcp_dsack=1 sysctl -w net.ipv4.tcp_fack=1 sysctl -w net.ipv4.tcp_low_latency=0 # Reduce DoS'ing ability by reducing timeouts ############################################################# if [ "$REDUCE_DOS_ABILITY" = "1" ]; then echo " Enabling reduction of the DoS'ing ability" sysctl -w net.ipv4.tcp_fin_timeout=30 sysctl -w net.ipv4.tcp_keepalive_time=1800 # Set number of times to retry SYN in a new connection sysctl -w net.ipv4.tcp_syn_retries=3 # Set number of times to retry a SYN-ACK in a half-open new connections sysctl -w net.ipv4.tcp_synack_retries=2 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP sysctl -w net.ipv4.tcp_rfc1337=1 elif [ "$REDUCE_DOS_ABILITY" = "0" ]; then echo " Disabling reduction of the DoS'ing ability" # Defaults: sysctl -w net.ipv4.tcp_fin_timeout=60 sysctl 
-w net.ipv4.tcp_keepalive_time=7200 sysctl -w net.ipv4.tcp_syn_retries=5 sysctl -w net.ipv4.tcp_synack_retries=5 sysctl -w net.ipv4.tcp_rfc1337=0 fi # Set out local port range. Kernel default = "1024 4999" ######################################################## if [ -z "$LOCAL_PORT_RANGE" ]; then LOCAL_PORT_RANGE="32768 61000" fi sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE" # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace space with :) LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')" # Add synflood protection? ########################## if [ "$SYN_PROT" != "0" ]; then echo " Enabling SYN-flood protection via SYN-cookies" sysctl -w net.ipv4.tcp_syncookies=1 else echo " Disabling SYN-flood protection via SYN-cookies" sysctl -w net.ipv4.tcp_syncookies=0 fi # Use rp_filter to drop connections from non-routable IPs ###################################################################### if [ "$RP_FILTER" = "1" ]; then echo " Enabling anti-spoof with rp_filter" sysctl_set_all "net.ipv4.conf" "rp_filter" 1 elif [ "$RP_FILTER" = "0" ]; then echo " Disabling anti-spoof with rp_filter" sysctl_set_all "net.ipv4.conf" "rp_filter" 0 fi # Block ALL ICMP echo requests? ############################### if [ "$ECHO_IGNORE" = "1" ]; then echo " Blocking all ICMP echo-requests" sysctl -w net.ipv4.icmp_echo_ignore_all=1 elif [ "$ECHO_IGNORE" = "0" ]; then sysctl -w net.ipv4.icmp_echo_ignore_all=0 fi # Log martians? ############### if [ "$LOG_MARTIANS" = "1" ]; then echo " Enabling the logging of martians" sysctl_set_all "net.ipv4.conf" "log_martians" 1 elif [ "$LOG_MARTIANS" = "0" ]; then echo " Disabling the logging of martians" sysctl_set_all "net.ipv4.conf" "log_martians" 0 fi # Accept ICMP redirect messages? 
################################ if [ "$ICMP_REDIRECT" = "1" ]; then echo " Enabling the acception of ICMP-redirect messages" sysctl_set_all "net.ipv4.conf" "accept_redirects" 1 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "accept_redirects" 1 fi elif [ "$ICMP_REDIRECT" = "0" ]; then echo " Disabling the acception of ICMP-redirect messages" sysctl_set_all "net.ipv4.conf" "accept_redirects" 0 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl_set_all "net.ipv6.conf" "accept_redirects" 0 fi fi # Enable ECN? (Explicit Congestion Notification) ################################################ if [ "$ECN" = "1" ]; then echo " Enabling ECN (Explicit Congestion Notification)" sysctl -w net.ipv4.tcp_ecn=1 elif [ "$ECN" = "0" ]; then echo " Disabling ECN (Explicit Congestion Notification)" sysctl -w net.ipv4.tcp_ecn=0 fi # This enables dynamic-address hacking which makes the # life with Diald and similar programs much easier. ###################################################### if [ "$EXT_IF_DHCP_IP" = "1" ]; then echo " Enabling kernel support for dynamic IPs" sysctl -w net.ipv4.ip_dynaddr=1 elif [ "$EXT_IF_DHCP_IP" = "0" ]; then echo " Disabling kernel support for dynamic IPs" sysctl -w net.ipv4.ip_dynaddr=0 fi # In most cases pmtu discovery is ok, but in some rare cases (when having problems) # you might want to disable it. if [ "$NO_PMTU_DISCOVERY" = "1" ]; then echo " Disabling PMTU discovery" sysctl -w net.ipv4.ip_no_pmtu_disc=1 elif [ "$NO_PMTU_DISCOVERY" = "0" ]; then echo " Enabling PMTU discovery" sysctl -w net.ipv4.ip_no_pmtu_disc=0 fi # Time To Live (TTL) is the term for a data field in the internet protocol. # TTL is today interpreted to indicate the maximum number of routers a packet may transit. # Each router that handles a packet will decrement the TTL field by 1. # Raise if you have a huge network. # Set the default ttl. 
(Kernel Default: 64) ########################################################################################### if [ -n "$DEFAULT_TTL" ]; then if [ $DEFAULT_TTL -gt 9 -a $DEFAULT_TTL -lt 256 ]; then echo " Setting default TTL=$DEFAULT_TTL" sysctl -w net.ipv4.ip_default_ttl=$DEFAULT_TTL else printf "\033[40m\033[1;31m WARNING: Ingoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" >&2 fi fi # Increase the default queuelength. (Kernel Default: 1024) ########################################################## # sysctl -w -e net.ipv4.ip_queue_maxlen=2048 echo " Flushing route table" sysctl -w net.ipv4.route.flush=1 if [ "$IPV6_SUPPORT" = "1" ]; then sysctl -w net.ipv6.route.flush=1 fi echo " Kernel setup done..." # Return "no error" return 0 } init_firewall_chains() { echo "Initializing firewall chains" # Set INDENT for functions INDENT=' ' # Attempt to flush all IPv4 chains ################################## ip4tables -F ip4tables -X # Flush builtin IPv4 chains ########################### ip4tables -F INPUT ip4tables -F OUTPUT ip4tables -F FORWARD # Flush rules in nat/mangle tables ################################## ip4tables -t nat -F ip4tables -t nat -X ip4tables -t mangle -F ip4tables -t mangle -X if [ "$IPV6_DETECTED" = "1" ]; then # Attempt to flush all IPv6 chains ################################## ip6tables -F ip6tables -X # Flush builtin IPv6 chains ########################### ip6tables -F INPUT ip6tables -F OUTPUT ip6tables -F FORWARD # Flush rules in mangle table ############################# ip6tables -t mangle -F ip6tables -t mangle -X fi # Create our "base" chains ########################## iptables -N BASE_INPUT_CHAIN iptables -N BASE_FORWARD_CHAIN iptables -N BASE_OUTPUT_CHAIN # Accept packets of ESTABLISHED connections ########################################### iptables -A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT iptables -A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT iptables -A 
BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT # Accept packets of RELATED connections ####################################### iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p tcp --dport 1024: -j ACCEPT iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p udp --dport 1024: -j ACCEPT iptables -A BASE_INPUT_CHAIN -m state --state RELATED -p icmp -j ACCEPT iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p tcp --dport 1024: -j ACCEPT iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p udp --dport 1024: -j ACCEPT iptables -A BASE_FORWARD_CHAIN -m state --state RELATED -p icmp -j ACCEPT # Drop all IPv6 packets with Routing Header Type 0 ################################################## if [ "$IPV6_SUPPORT" = "1" -a "$IPV6_DROP_RH_ZERO" != "0" ]; then if try_ip6tables -A BASE_INPUT_CHAIN -m rt --rt-type 0 -j DROP; then ip6tables -A BASE_FORWARD_CHAIN -m rt --rt-type 0 -j DROP ip6tables -A BASE_OUTPUT_CHAIN -m rt --rt-type 0 -j DROP else echo " WARNING: IPv6 Routing Header Type 0 matching not supported" fi fi # Accept all packets for the loopback device ############################################ iptables -A BASE_INPUT_CHAIN -i lo -j ACCEPT iptables -A BASE_FORWARD_CHAIN -i lo -j ACCEPT iptables -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT # Insert our base chains ######################## iptables -A INPUT -j BASE_INPUT_CHAIN iptables -A FORWARD -j BASE_FORWARD_CHAIN iptables -A OUTPUT -j BASE_OUTPUT_CHAIN # Create several chains that we will use later on ################################################# create_user_chains; # Reset the iptables counters iptables -Z iptables -t mangle -Z ip4tables -t nat -Z } # Check if the base chains are appropriate for the IPV6_SUPPORT setting ####################################################################### check_for_base_chains() { local ipv4_rtn ipv6_rtn ip4tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1 ipv4_rtn=$? 
if [ "$IPV6_DETECTED" = "1" ]; then
    ip6tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1
    ipv6_rtn=$?
  else
    # No IPv6 available, therefore no ip6tables call
    # Set a return error result of 1 to specify no IPv6 BASE_INPUT_CHAIN
    ipv6_rtn=1
  fi

  # "yes" only when the chains present match the configured mode exactly
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
      echo "yes"
    elif [ $ipv4_rtn -eq 0 ]; then
      echo "other"
    else
      echo "no"
    fi
  else
    if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
      echo "other"
    elif [ $ipv4_rtn -eq 0 ]; then
      echo "yes"
    else
      echo "no"
    fi
  fi
}


#######################################
# Set the builtin chain policies for the duration of rule setup and give the
# always-DROP helper chains their terminal rules.
# Globals:  DEFAULT_POLICY_DROP, IPV6_SUPPORT, IPV6_DETECTED, BLOCKED_HOST_LOG,
#           LINK_LOCAL_DROP_LOG, LOGLEVEL (read)
# Notes:    POST_INPUT_DROP_CHAIN, HOST_BLOCK_DROP and LINK_LOCAL_DROP are
#           created by create_user_chains (called from init_firewall_chains).
#######################################
setup_default_policies()
{
  # Set the default policies for the builtin INPUT, FORWARD and OUTPUT chains.
  # (The older comment said OUTPUT is always ACCEPT; the code below sets all
  # three to the same policy.) Anything other than an explicit "0" means DROP,
  # so the fail-safe is the default.
  #######################################################################
  if [ "$DEFAULT_POLICY_DROP" != "0" ]; then
    echo " Setting all default policies to DROP while \"setting up firewall rules\""
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
  else
    echo " WARNING: Setting all default policies to ACCEPT while \"setting up firewall rules\""
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
  fi

  if [ "$IPV6_SUPPORT" = "1" ]; then
    echo "IPv4/IPv6 mixed mode selected"
  elif [ "$IPV6_DETECTED" = "1" ]; then
    # IPv4-only configuration on a dual-stack kernel: rather than leaving the
    # IPv6 tables open, explicitly drop everything except loopback.
    echo "IPv4 mode selected but IPv6 available, DROP all IPv6 packets"
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Allow IPv6 traffic from the loopback (localhost)
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A FORWARD -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # DROP all IPv6 traffic
    ip6tables -A INPUT -j DROP
    ip6tables -A FORWARD -j DROP
    ip6tables -A OUTPUT -j DROP
  else
    echo "IPv4 mode selected, no IPv6 available"
  fi

  # The POST_INPUT_DROP_CHAIN should temporarily DROP for now
  # We'll change this once the rules are in place
  ###########################################################
  iptables -A POST_INPUT_DROP_CHAIN -j DROP

  # The HOST_BLOCK_DROP chain should always DROP
  # (rate-limited LOG first when enabled, so a blocked host cannot flood the log)
  ###########################################################
  if [ "$BLOCKED_HOST_LOG" != "0" ]; then
    iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked host(s): "
  fi
  iptables -A HOST_BLOCK_DROP -j DROP

  # The LINK_LOCAL_DROP chain should always DROP
  ###########################################################
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ "$LINK_LOCAL_DROP_LOG" != "0" ]; then
      ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped Link-Local: "
    fi
    ip6tables -A LINK_LOCAL_DROP -j DROP
  fi
}


##################################################################################################################
## Chain VALID_CHK - Check packets for invalid flags etc.                                                        ##
##################################################################################################################
#######################################
# Populate VALID_CHK: log (rate-limited, when enabled) and then drop packets with
# scan-typical or impossible TCP flag combinations, conntrack-INVALID packets and
# IPv4 fragments.
# Globals:  SCAN_LOG, BAD_FLAGS_LOG, INVALID_TCP_LOG, INVALID_UDP_LOG,
#           INVALID_ICMP_LOG, ICMP_REQUEST_LOG, ICMP_OTHER_LOG, FRAG_LOG, LOGLEVEL (read)
# Notes:    Every LOG rule is followed by an unconditional DROP rule for the same
#           match, so disabling logging never changes what is dropped.
#######################################
setup_valid_chk_chain()
{
  ## Log scanning of nmap etc.
  ############################
  if [ "$SCAN_LOG" != "0" ]; then
    echo "Logging of stealth scans (nmap probes etc.) enabled"

    # (NMAP) FIN/URG/PSH
    ####################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS scan: "

    # SYN/RST/ACK/FIN/URG
    #####################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-PSH scan: "

    # ALL/ALL
    #########
    iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-ALL scan: "

    # NMAP FIN Stealth
    ##################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth FIN scan: "

    # SYN/RST
    #########
    iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/RST scan: "

    # SYN/FIN (probably)
    ####################
    iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/FIN scan?: "

    # Null scan
    ###########
    iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth Null scan: "
  else
    echo "Logging of stealth scans (nmap probes etc.) disabled"
  fi

  # Drop (NMAP) scan packets:
  ###########################

  # NMAP FIN/URG/PSH
  ##################
  iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -j POST_INPUT_DROP_CHAIN

  # SYN/RST/ACK/FIN/URG
  #####################
  iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j POST_INPUT_DROP_CHAIN

  # ALL/ALL Scan
  ##############
  iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -j POST_INPUT_DROP_CHAIN

  # NMAP FIN Stealth
  ##################
  iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -j POST_INPUT_DROP_CHAIN

  # SYN/RST
  #########
  iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN

  # SYN/FIN -- Scan(probably)
  ###########################
  iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j POST_INPUT_DROP_CHAIN

  # NMAP Null Scan
  ################
  iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -j POST_INPUT_DROP_CHAIN

  # Log packets with bad flags?
  # (matches on TCP *option* numbers 64 and 128; the log prefix calls them flags)
  #############################
  if [ "$BAD_FLAGS_LOG" != "0" ]; then
    echo "Logging of packets with bad TCP-flags enabled"
    iptables -A VALID_CHK -p tcp --tcp-option 64 \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Bad TCP flag(64): "
    iptables -A VALID_CHK -p tcp --tcp-option 128 \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Bad TCP flag(128): "
  else
    echo "Logging of packets with bad TCP-flags disabled"
  fi

  # Drop packets with bad tcp flags
  #################################
  iptables -A VALID_CHK -p tcp --tcp-option 64 -j POST_INPUT_DROP_CHAIN
  iptables -A VALID_CHK -p tcp --tcp-option 128 -j POST_INPUT_DROP_CHAIN

  # These packets are normally from "lost connection" and thus can generate false alarms
  # So we might want to ignore such packets
  ######################################################################################
  # if [ "$LOST_CONNECTION_LOG" != "1" ]; then
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j POST_INPUT_DROP_CHAIN
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j POST_INPUT_DROP_CHAIN
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j POST_INPUT_DROP_CHAIN
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j POST_INPUT_DROP_CHAIN
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j POST_INPUT_DROP_CHAIN
  #   iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j POST_INPUT_DROP_CHAIN
  # fi

  # Here we add some protection from random packets we receive, such as random sweeps from other
  # (possible) hacked computers, or just packets who are invalid, not belonging to ANY connection
  ###############################################################################################
  if [ "$INVALID_TCP_LOG" = "1" ]; then
    echo "Logging of INVALID TCP packets enabled"
    iptables -A VALID_CHK -p tcp -m state --state INVALID \
      -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID TCP: "
  else
    echo "Logging of INVALID TCP packets disabled"
  fi

  if [ "$INVALID_UDP_LOG" = "1" ]; then
    echo "Logging of INVALID UDP packets enabled"
    iptables -A VALID_CHK -p udp -m state --state INVALID \
      -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID UDP: "
  else
    echo "Logging of INVALID UDP packets disabled"
  fi

  if [ "$INVALID_ICMP_LOG" = "1" ]; then
    echo "Logging of INVALID ICMP packets enabled"
    # Only log INVALID ICMP-request packets when we also want to log "normal" ICMP-request packets
    if [ "$ICMP_REQUEST_LOG" != "0" ]; then
      iptables -A VALID_CHK -p icmp --icmp-type echo-request -m state --state INVALID \
        -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-request: "
    fi
    # Only log INVALID ICMP-other when enabled in the config
    if [ "$ICMP_OTHER_LOG" != "0" ]; then
      iptables -A VALID_CHK -p icmp ! --icmp-type echo-request -m state --state INVALID \
        -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-other: "
    fi
  else
    echo "Logging of INVALID ICMP packets disabled"
  fi

  # Drop invalid packets
  ######################
  iptables -A VALID_CHK -m state --state INVALID -j POST_INPUT_DROP_CHAIN

  # Fragmentation cannot happen with IPV6 (and maybe even not with iptables/ipv4?)
  ## Log fragmented packets
  # NOTE(review): unlike the other LOG rules this one has no --log-level $LOGLEVEL,
  # so fragment logs go out at the LOG target's default level.
  #########################
  if [ "$FRAG_LOG" = "1" ]; then
    echo "Logging of fragmented packets enabled"
    ip4tables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
  else
    echo "Logging of IPv4 fragmented packets disabled"
  fi

  # Drop fragmented packets
  # (-f matches second and further fragments; the first fragment still carries
  # its transport header and is inspected by the normal rules)
  #########################
  ip4tables -A VALID_CHK -f -j DROP
}


################################################################################################################
## Chain RESERVED_NET_CHK - Check if the source addresses of the packets are (in)valid                         ##
################################################################################################################
#######################################
# Populate RESERVED_NET_CHK: optionally log, and optionally drop, packets whose
# source address is private, link-local or multicast (IPv4) or non-global (IPv6).
# Globals:  RESERVED_NET_LOG, RESERVED_NET_DROP, IPV6_SUPPORT, LOGLEVEL (read)
# Notes:    Presumably only traversed for traffic arriving on the external
#           interface(s) — otherwise LAN traffic from RFC1918 space would be
#           dropped here; verify where RESERVED_NET_CHK is jumped to.
#           NOTE(review): 224.0.0.0/24 and 239.0.0.0/24 cover only two /24
#           slices of the 224.0.0.0/4 multicast block, and ranges such as
#           0.0.0.0/8 and 127.0.0.0/8 are not listed at all; rp_filter (see
#           setup_kernel_settings) is what the author relies on for the rest.
#######################################
setup_reserved_net_chk_chain()
{
  # Log access from reserved addresses
  ####################################
  if [ "$RESERVED_NET_LOG" = "1" ]; then
    echo "Logging of access from reserved nets enabled"
    ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "
    ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "
    ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: "
    ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Link-local address: "
    ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: "
    ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 \
      -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: "

    if [ "$IPV6_SUPPORT" = "1" ]; then
      # IPv6 not 2000::/3 is non-Global Unicast
      ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 \
        -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv6 non-Global address: "
    fi
  else
    echo "Logging of access from reserved nets disabled"
  fi

  if [ "$RESERVED_NET_DROP" = "1" ]; then
    # rp_filter drops some of these addresses, but just to be sure :)
    ################################################################
    #echo "Denying access from reserved addresses..."
    ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN
    ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN
    ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN
    ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN
    ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 -j POST_INPUT_DROP_CHAIN
    ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 -j POST_INPUT_DROP_CHAIN

    if [ "$IPV6_SUPPORT" = "1" ]; then
      # IPv6 not 2000::/3 is non-Global Unicast
      ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 -j POST_INPUT_DROP_CHAIN
    fi
  fi
}


################################################################################################################
## Chain SPOOF_CHK - Check if the source address is not spoofed                                                ##
################################################################################################################
#######################################
# Populate SPOOF_CHK: a packet claiming an INTERNAL or DMZ source address is
# only valid when it arrives on one of the matching interfaces; otherwise it is
# logged (rate-limited) and sent to POST_INPUT_DROP_CHAIN.
# Globals:  INT_IF, INTERNAL_NET, INTERNAL_NET_ANTISPOOF, DMZ_IF, DMZ_NET,
#           DMZ_NET_ANTISPOOF, LOGLEVEL (read); IFS (written, left as ' ,')
# Notes:    $net and $interface are deliberately unquoted so IFS splits the
#           space/comma separated config lists. NOTE(review): $net is used as
#           the printf format string (printf "$net "); a '%' in the config value
#           would be interpreted — printf '%s ' "$net" would be the safe form.
#######################################
setup_spoof_chk_chain()
{
  # Anti-spoof protection for the internal net
  if [ -n "$INT_IF" -a -n "$INTERNAL_NET" ]; then
    if [ "$INTERNAL_NET_ANTISPOOF" != "0" ]; then
      printf "Setting up antispoof for INTERNAL net(s): "
      IFS=' ,'
      for net in $INTERNAL_NET; do
        printf "$net "
        for interface in $INT_IF; do
          # Any internal net is valid
          iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
        done
        iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
        iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
      done
      echo ""
    else
      echo "Antispoof for INTERNAL net(s) DISABLED!"
    fi
  fi

  # Anti-spoof protection for the DMZ net
  if [ -n "$DMZ_IF" -a -n "$DMZ_NET" ]; then
    if [ "$DMZ_NET_ANTISPOOF" != "0" ]; then
      printf "Setting up antispoof for DMZ net(s): "
      IFS=' ,'
      for net in $DMZ_NET; do
        printf "$net "
        for interface in $DMZ_IF; do
          # Any dmz net is valid
          iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
        done
        iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
        iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
      done
      echo ""
    else
      echo "Antispoof for DMZ net(s) DISABLED!"
fi
  fi

  # Everything else is valid
  iptables -A SPOOF_CHK -j RETURN
}


################################################################
# Setup rules to forward INET IPv6 and non-NAT'ed IPv4 traffic #
################################################################
#######################################
# Append ACCEPT rules to EXT_FORWARD_IN_CHAIN for each INET_FORWARD_* rule.
# Globals:  INET_FORWARD_TCP, INET_FORWARD_UDP, INET_FORWARD_IP (read);
#           IFS and the parse_rule out-variables interfaces/shosts/dhosts/ports/protos (written)
# Notes:    parse_rule, show_if_ip and ip_range are helpers defined elsewhere in
#           this file; parse_rule sets the named variables and returns non-zero
#           for a malformed rule, which is then skipped. The "-i $interface ! -o
#           $interface" pair only forwards traffic that leaves via a different
#           interface, so an external interface is never hairpinned onto itself.
#           IFS is left as ' ,' on return; callers reset it themselves.
#######################################
setup_inet_forward_rules()
{
  # TCP ports to ALLOW for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_FORWARD_TCP; do
    if parse_rule "$rule" INET_FORWARD_TCP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then
      echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) TCP port(s): $ports from $shosts(INET) to $dhosts"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_FORWARD_UDP; do
    if parse_rule "$rule" INET_FORWARD_UDP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then
      echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) UDP port(s): $ports from $shosts(INET) to $dhosts"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain INET hosts
  ######################################################
  unset IFS
  for rule in $INET_FORWARD_IP; do
    if parse_rule "$rule" INET_FORWARD_IP "interfaces:EXT_IF-shosts-dhosts-protos"; then
      echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) IP protocol(s): $protos from $shosts(INET) to $dhosts"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done
}


##################################################
# Setup chain for the DMZ input traffic          #
##################################################
#######################################
# Populate DMZ_INPUT_CHAIN: per-host and global port/protocol ACCEPTs, optional
# rate-limited ping, then log-and-DROP for everything else (default deny).
# Globals:  DMZ_HOST_OPEN_TCP/UDP/IP, DMZ_OPEN_TCP/UDP/IP, DMZ_OPEN_ICMP,
#           IPV6_SUPPORT, ICMPV6_SPECIAL_TYPES, ICMP_REQUEST_LOG, LOGLEVEL (read);
#           IFS and the parse_rule out-variables (written)
# Notes:    DMZ_OPEN_ICMP is compared with != "0", so an unset/empty value also
#           enables ping. The ICMPv6 rules require hop limit 255, i.e. the
#           packet cannot have crossed a router — presumably ICMPV6_SPECIAL_TYPES
#           holds the on-link neighbour-discovery types; confirm in the config.
#######################################
setup_dmz_input_chain()
{
  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DMZ_HOST_OPEN_TCP; do
    if parse_rule "$rule" DMZ_HOST_OPEN_TCP "hosts-ports"; then
      echo " Allowing $hosts(DMZ) for TCP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A DMZ_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DMZ_HOST_OPEN_UDP; do
    if parse_rule "$rule" DMZ_HOST_OPEN_UDP "hosts-ports"; then
      echo " Allowing $hosts(DMZ) for UDP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A DMZ_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $DMZ_HOST_OPEN_IP; do
    if parse_rule "$rule" DMZ_HOST_OPEN_IP "hosts-protos"; then
      echo " Allowing $hosts(DMZ) for IP protocol(s): $protos"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          iptables -A DMZ_INPUT_CHAIN -s $host -p $proto -j ACCEPT
        done
      done
    fi
  done

  # Adding TCP ports NOT to be firewalled
  #######################################
  if [ -n "$DMZ_OPEN_TCP" ]; then
    echo " Allowing TCP port(s): $DMZ_OPEN_TCP"
    IFS=' ,'
    for port in $DMZ_OPEN_TCP; do
      iptables -A DMZ_INPUT_CHAIN -p tcp --dport $port -j ACCEPT
    done
  fi

  # Adding UDP ports NOT to be firewalled
  #######################################
  if [ -n "$DMZ_OPEN_UDP" ]; then
    echo " Allowing UDP port(s): $DMZ_OPEN_UDP"
    IFS=' ,'
    for port in $DMZ_OPEN_UDP; do
      iptables -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT
    done
  fi

  # Adding IP protocols NOT to be firewalled
  ##########################################
  if [ -n "$DMZ_OPEN_IP" ]; then
    echo " Allowing IP protocol(s): $DMZ_OPEN_IP"
    IFS=' ,'
    for proto in $DMZ_OPEN_IP; do
      iptables -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT
    done
  fi

  # Allow to send ICMP packets?
  # (echo-request is rate-limited so the DMZ cannot be used as a ping flood source)
  #############################
  if [ "$DMZ_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      unset IFS
      for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
        ip6tables -A DMZ_INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
      done
    fi
  fi

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop ICMP packets
  iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Log everything else
  iptables -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ-INPUT denied: "

  # Everything else is denied
  iptables -A DMZ_INPUT_CHAIN -j DROP
}


##################################################
# Setup chain for the DMZ-to-LAN forward traffic #
##################################################
#######################################
# Populate DMZ_LAN_FORWARD_CHAIN: only explicitly listed DMZ->LAN flows are
# accepted; the remainder of this function (beyond this chunk) logs and drops
# everything else.
# Globals:  DMZ_LAN_HOST_OPEN_TCP/UDP/IP, DMZ_LAN_OPEN_ICMP, ICMP_REQUEST_LOG,
#           LOGLEVEL (read); IFS and the parse_rule out-variables (written)
# Notes:    "shosts:ANYHOST" lets a rule omit the source, i.e. any DMZ host.
#######################################
setup_dmz_lan_forward_chain()
{
  echo " Setting up DMZ->LAN policy"

  # TCP ports to ALLOW for certain DMZ hosts
  ##########################################
  unset IFS
  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
    if parse_rule "$rule" DMZ_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"

      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain DMZ hosts
  ##########################################
  unset IFS
  for rule in $DMZ_LAN_HOST_OPEN_UDP; do
    if parse_rule "$rule" DMZ_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " Allowing $shosts(DMZ) to $dhosts(LAN) for UDP port(s): $ports"

      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # IP protocol(s) to ALLOW for certain DMZ hosts
  ###############################################
  unset IFS
  for rule in $DMZ_LAN_HOST_OPEN_IP; do
    if parse_rule "$rule" DMZ_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then
echo " Allowing $shosts(DMZ) to $dhosts(LAN) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for DMZ->LAN?
  ##########################################
  # Opt-in: only an explicit "1" enables ping here (an unset variable means
  # denied), unlike DMZ_OPEN_ICMP / LAN_OPEN_ICMP which are opt-out.
  if [ "$DMZ_LAN_OPEN_ICMP" = "1" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP echo requests silently
  iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Log everything else (rate-limited, not gated by a *_DENY_LOG variable)
  iptables -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->LAN denied: "

  # Everything else is denied
  iptables -A DMZ_LAN_FORWARD_CHAIN -j DROP
}

###################################################
# Setup chain for the INET-to-DMZ forward traffic #
###################################################
# Populates INET_DMZ_FORWARD_CHAIN.  Every rule matches on the ingress
# (external) interface with -i.  The chain is default-deny: it ends in an
# unconditional DROP regardless of configuration.
#
# Rule order (= precedence):
#   per-host ACCEPT -> per-host DENY -> broad ACCEPT (OPEN lists, per
#   destination IP) -> ICMP echo -> broad DENY -> echo-request log/drop ->
#   catch-all LOG + DROP.
# Consequences: a per-host DENY beats a broad OPEN for the same port; a
# broad DENY never beats an OPEN (the ACCEPT is appended first) and only
# adds a dedicated log line before the catch-all DROP.
#
# Globals read:  INET_DMZ_HOST_OPEN_TCP/UDP/IP, INET_DMZ_HOST_DENY_TCP/UDP/IP,
#                INET_DMZ_OPEN_TCP/UDP/IP, INET_DMZ_OPEN_ICMP,
#                INET_DMZ_DENY_TCP/UDP/IP, DMZ_INPUT_DENY_LOG,
#                ICMP_REQUEST_LOG, LOGLEVEL
# Side effects:  appends iptables rules; IFS is reassigned and not restored.
# Deny logging: per-host denies log at most 1/h per rule, broad denies 1/s.
setup_inet_dmz_forward_chain() {
  echo " Setting up INET->DMZ policy"

  # TCP ports to ALLOW for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_TCP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_TCP "interfaces-shosts-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_UDP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_UDP "interfaces-shosts-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain INET hosts
  ######################################################
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_IP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_IP "interfaces-shosts-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # TCP ports to DENY for certain INET hosts
  # (appended before the broad OPEN rules, so these win over them)
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_TCP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_UDP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain INET hosts
  #####################################################
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_IP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the INET->DMZ?
  # (from any source, restricted per external interface and DMZ dest IP)
  #############################################################
  unset IFS
  for rule in $INET_DMZ_OPEN_TCP; do
    if parse_rule "$rule" INET_DMZ_OPEN_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing TCP port(s): $ports"
      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow only certain UDP ports to be used from the INET->DMZ?
  #############################################################
  unset IFS
  for rule in $INET_DMZ_OPEN_UDP; do
    if parse_rule "$rule" INET_DMZ_OPEN_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing UDP port(s): $ports"
      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow only certain IP protocols to be used from the INET->DMZ?
  ################################################################
  unset IFS
  for rule in $INET_DMZ_OPEN_IP; do
    if parse_rule "$rule" INET_DMZ_OPEN_IP "interfaces-destips-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing IP protocol(s): $protos"
      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for INET->DMZ?
  ##########################################
  # Opt-in: only an explicit "1" enables ping from the Internet into the DMZ.
  if [ "$INET_DMZ_OPEN_ICMP" = "1" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # TCP ports to DENY for INET->DMZ
  # These come AFTER the OPEN rules, so they cannot revoke an OPEN port;
  # since the chain ends in DROP anyway their effect is a dedicated,
  # rate-limited log line per port.
  #################################
  unset IFS
  for rule in $INET_DMZ_DENY_TCP; do
    if parse_rule "$rule" INET_DMZ_DENY_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying TCP port(s): $ports"
      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p tcp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # UDP ports to DENY for INET->DMZ
  #################################
  unset IFS
  for rule in $INET_DMZ_DENY_UDP; do
    if parse_rule "$rule" INET_DMZ_DENY_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying UDP port(s): $ports"
      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p udp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # IP protocols to DENY for INET->DMZ
  ####################################
  unset IFS
  for rule in $INET_DMZ_DENY_IP; do
    if parse_rule "$rule" INET_DMZ_DENY_IP "interfaces-destips-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying IP protocol(s): $protos"
      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces;
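do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN -i $interface -d $destip -p $proto -j DROP
          done
        done
      done
    fi
  done

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  echo " Denying all other INET->DMZ packets"

  # Drop (remaining) ICMP echo requests silently
  iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Catch-all: optional rate-limited LOG, then unconditional DROP.  There is
  # no *_DEFAULT_POLICY_DROP switch for INET->DMZ -- it is always deny.
  if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
    iptables -A INET_DMZ_FORWARD_CHAIN \
      -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
  fi
  iptables -A INET_DMZ_FORWARD_CHAIN -j DROP
}

###################################################
# Setup chain for the DMZ-to-INET forward traffic #
###################################################
# Populates DMZ_INET_FORWARD_CHAIN.  Rules match on the egress (external)
# interface with -o.  Unlike INET->DMZ this chain is NOT always
# default-deny: the policy chosen at the end of the function is ACCEPT-all
# unless an OPEN list or DMZ_INET_DEFAULT_POLICY_DROP is set, and an
# explicit DMZ_INET_DEFAULT_POLICY_DROP=0 forces ACCEPT-all even when OPEN
# lists exist.
#
# Rule order (= precedence):
#   per-host ACCEPT -> per-host DENY -> broad ACCEPT (OPEN lists) ->
#   ICMP echo -> broad DENY -> echo-request log/drop -> default policy.
# A per-host DENY therefore beats a broad OPEN for the same port, while a
# broad DENY never beats a broad OPEN (the ACCEPT is appended first).
#
# Globals read:  DMZ_INET_HOST_OPEN_TCP/UDP/IP, DMZ_INET_HOST_DENY_TCP/UDP/IP,
#                DMZ_INET_OPEN_TCP/UDP/IP, DMZ_INET_OPEN_ICMP,
#                DMZ_INET_DENY_TCP/UDP/IP, DMZ_INET_DEFAULT_POLICY_DROP,
#                DMZ_OUTPUT_DENY_LOG, ICMP_REQUEST_LOG, LOGLEVEL
# Side effects:  appends iptables rules; IFS is reassigned and not restored.
# Deny logging: per-host denies log at most 1/h per rule, broad denies 1/s.
# parse_rule, ip_range and show_if_ip are defined elsewhere in the script.
setup_dmz_inet_forward_chain() {
  echo " Setting up DMZ->INET policy"

  # TCP ports to ALLOW for certain DMZ hosts
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_TCP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      # Only the interfaces are passed to show_if_ip: this rule format has no
      # destips field, so the second argument previously passed here was a
      # stale value left over from the INET->DMZ rules (or empty) and made
      # the progress line misleading.  The UDP/IP variants below already
      # pass just the interfaces.
      echo " $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain DMZ hosts
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_UDP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain DMZ hosts
  #####################################################
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_IP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # TCP ports to DENY for certain DMZ hosts
  # (appended before the broad OPEN rules, so these win over them)
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_TCP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain DMZ hosts
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_UDP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain DMZ hosts
  #####################################################
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_IP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the DMZ->INET?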
  # (broad ACCEPT: from any DMZ host, restricted per external interface)
  #############################################################
  unset IFS
  for rule in $DMZ_INET_OPEN_TCP; do
    if parse_rule "$rule" DMZ_INET_OPEN_TCP "interfaces-ports"; then
      echo " $(show_if_ip "$interfaces")Allowing TCP port(s): $ports"
      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Allow only certain UDP ports to be used from the DMZ->INET?
  #############################################################
  unset IFS
  for rule in $DMZ_INET_OPEN_UDP; do
    if parse_rule "$rule" DMZ_INET_OPEN_UDP "interfaces-ports"; then
      echo " $(show_if_ip "$interfaces")Allowing UDP port(s): $ports"
      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Allow only certain IP protocols to be used from the DMZ->INET?
  ################################################################
  unset IFS
  for rule in $DMZ_INET_OPEN_IP; do
    if parse_rule "$rule" DMZ_INET_OPEN_IP "interfaces-protos"; then
      echo " $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos"
      IFS=','
      for proto in $protos; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p $proto -j ACCEPT
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for DMZ->INET?
  ##########################################
  # Opt-out: an unset/empty DMZ_INET_OPEN_ICMP ENABLES ping; only an explicit
  # 0 disables it.  Rate-limited to 20/s (burst 100).
  if [ "$DMZ_INET_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # TCP ports to DENY for DMZ->INET
  # These come AFTER the broad OPEN rules, so a port listed in both is
  # accepted.  Under the default-ACCEPT policy (see below) these DENY lists
  # are the only thing that actually blocks a port.
  #################################
  unset IFS
  for rule in $DMZ_INET_DENY_TCP; do
    if parse_rule "$rule" DMZ_INET_DENY_TCP "interfaces-ports"; then
      echo " $(show_if_ip "$interfaces")Denying TCP port(s): $ports"
      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # UDP ports to DENY for DMZ->INET
  #################################
  unset IFS
  for rule in $DMZ_INET_DENY_UDP; do
    if parse_rule "$rule" DMZ_INET_DENY_UDP "interfaces-ports"; then
      echo " $(show_if_ip "$interfaces")Denying UDP port(s): $ports"
      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -j DROP
        done
      done
    fi
  done

  # IP protocols to DENY for DMZ->INET
  ####################################
  unset IFS
  for rule in $DMZ_INET_DENY_IP; do
    if parse_rule "$rule" DMZ_INET_DENY_IP "interfaces-protos"; then
      echo " $(show_if_ip "$interfaces")Denying IP protocol(s): $protos"
      IFS=','
      for proto in $protos; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p $proto -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN -o $interface -p $proto -j DROP
        done
      done
    fi
  done

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_INET_FORWARD_CHAI­N -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP echo requests silently
  iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used)
  ###########################################################################################
  # ACCEPT-all when no OPEN list is configured and DMZ_INET_DEFAULT_POLICY_DROP
  # is unset, OR whenever DMZ_INET_DEFAULT_POLICY_DROP is explicitly "0"
  # (which overrides any OPEN lists).  Otherwise: optional rate-limited LOG,
  # then DROP.  Note that setting only DMZ_INET_OPEN_TCP switches UDP and
  # other IP protocols to DROP as well.
  if [ -z "$DMZ_INET_OPEN_TCP" -a -z "$DMZ_INET_HOST_OPEN_TCP" -a \
       -z "$DMZ_INET_OPEN_UDP" -a -z "$DMZ_INET_HOST_OPEN_UDP" -a \
       -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" -a -z "$DMZ_INET_DEFAULT_POLICY_DROP" ] \
     || [ "$DMZ_INET_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j ACCEPT
  else
    if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A DMZ_INET_FORWARD_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
    fi
    echo " Denying all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j DROP
  fi
}

#########################################
# Setup chain for the LAN input traffic #
#########################################
# Populates INT_INPUT_CHAIN (presumably the chain for LAN traffic addressed
# to the firewall host itself; the dispatch into it happens elsewhere).
#
# Default policy (decided at the end of the function): ACCEPT-all unless an
# OPEN list or LAN_DEFAULT_POLICY_DROP is set; an explicit
# LAN_DEFAULT_POLICY_DROP=0 forces ACCEPT-all even when OPEN lists exist.
#
# Rule order (= precedence):
#   per-host ACCEPT -> per-host DENY -> broad ACCEPT (LAN_OPEN_*) ->
#   ICMP echo -> broad DENY (LAN_DENY_*) -> echo-request log/drop -> default.
# So a per-host DENY beats a broad OPEN for the same port, a broad DENY
# never beats a broad OPEN, and under the default-ACCEPT policy the
# LAN_DENY_* lists are the only thing that blocks a port.
#
# Globals read:  LAN_HOST_OPEN_TCP/UDP/IP, LAN_HOST_DENY_TCP/UDP/IP,
#                LAN_OPEN_TCP/UDP/IP, LAN_OPEN_ICMP, LAN_DENY_TCP/UDP/IP,
#                LAN_DEFAULT_POLICY_DROP, LAN_INPUT_DENY_LOG,
#                ICMP_REQUEST_LOG, LOGLEVEL
# Side effects:  appends iptables rules; IFS is reassigned and not restored.
# Deny logging: per-host denies log at most 1/h per rule, broad denies 1/s.
# parse_rule and ip_range are defined elsewhere in the script.
setup_int_input_chain() {
  # TCP ports to OPEN for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_HOST_OPEN_TCP "hosts-ports"; then
      echo " Allowing $hosts(LAN) for TCP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # UDP ports to OPEN for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_HOST_OPEN_UDP "hosts-ports"; then
      echo " Allowing $hosts(LAN) for UDP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # IP protocols to OPEN for certain LAN hosts
  ############################################
  unset IFS
  for rule in $LAN_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_HOST_OPEN_IP "hosts-protos"; then
      echo " Allowing $hosts(LAN) for IP protocol(s): $protos"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          iptables -A INT_INPUT_CHAIN -s $host -p $proto -j ACCEPT
        done
      done
    fi
  done

  # TCP ports to DENY for certain LAN hosts
  # (appended before the broad OPEN rules, so these win over them)
  #########################################
  unset IFS
  for rule in $LAN_HOST_DENY_TCP; do
    if parse_rule "$rule" LAN_HOST_DENY_TCP "hosts:ANYHOST-ports:ANYPORT"; then
      echo " Denying $hosts(LAN) for TCP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # UDP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_DENY_UDP; do
    if parse_rule "$rule" LAN_HOST_DENY_UDP "hosts:ANYHOST-ports:ANYPORT"; then
      echo " Denying $hosts(LAN) for UDP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j DROP
        done
      done
    fi
  done

  # IP protocols to DENY for certain LAN hosts
############################################ unset IFS for rule in $LAN_HOST_DENY_IP; do if parse_rule "$rule" LAN_HOST_DENY_IP "hosts:ANYHOST-protos"; then echo " Denying $hosts(LAN) for IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then iptables -A INT_INPUT_CHAIN -s $host -p $proto \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: " fi iptables -A INT_INPUT_CHAIN -s $host -p $proto -j DROP done done fi done # Allow only certain TCP ports to be used from the LAN? ####################################################### if [ -n "$LAN_OPEN_TCP" ]; then echo " Allowing TCP port(s): $LAN_OPEN_TCP" IFS=' ,' for port in $LAN_OPEN_TCP; do iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j ACCEPT done fi # Allow only certain UDP ports to be used from the LAN? ####################################################### if [ -n "$LAN_OPEN_UDP" ]; then echo " Allowing UDP port(s): $LAN_OPEN_UDP" IFS=' ,' for port in $LAN_OPEN_UDP; do iptables -A INT_INPUT_CHAIN -p udp --dport $port -j ACCEPT done fi # Allow only certain IP protocols to be used from the LAN? ########################################################## if [ -n "$LAN_OPEN_IP" ]; then echo " Allowing IP protocol(s): $LAN_OPEN_IP" IFS=' ,' for proto in $LAN_OPEN_IP; do iptables -A INT_INPUT_CHAIN -p $proto -j ACCEPT done fi # Allow world to send ICMP packets? 
################################### if [ "$LAN_OPEN_ICMP" != "0" ]; then echo " Allowing ICMP-requests(ping)" iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # TCP ports to DENY for LAN hosts ################################# if [ -n "$LAN_DENY_TCP" ]; then echo " Denying TCP port(s): $LAN_DENY_TCP" IFS=' ,' for port in $LAN_DENY_TCP; do if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then iptables -A INT_INPUT_CHAIN -p tcp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: " fi iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j DROP done fi # UDP ports to DENY for LAN hosts ################################# if [ -n "$LAN_DENY_UDP" ]; then echo " Denying UDP port(s): $LAN_DENY_UDP" IFS=' ,' for port in $LAN_DENY_UDP; do if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then iptables -A INT_INPUT_CHAIN -p udp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: " fi iptables -A INT_INPUT_CHAIN -p udp --dport $port -j DROP done fi # IP protocols to DENY for LAN hosts #################################### if [ -n "$LAN_DENY_IP" ]; then echo " Denying IP protocol(s): $LAN_DENY_IP" IFS=' ,' for proto in $LAN_DENY_IP; do if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then iptables -A INT_INPUT_CHAIN -p $proto -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: " fi iptables -A INT_INPUT_CHAIN -p $proto -j DROP done fi # Log incoming ICMP-request packets? 
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP echo requests silently
  iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy
  ########################
  # ACCEPT-all when no OPEN list is configured and LAN_DEFAULT_POLICY_DROP is
  # unset, OR whenever LAN_DEFAULT_POLICY_DROP is explicitly "0" (which
  # overrides any OPEN lists).  Otherwise: optional rate-limited LOG, then
  # DROP.  Note that setting only LAN_OPEN_TCP switches UDP and other IP
  # protocols to DROP as well.
  if [ -z "$LAN_OPEN_TCP" -a -z "$LAN_HOST_OPEN_TCP" -a \
       -z "$LAN_OPEN_UDP" -a -z "$LAN_HOST_OPEN_UDP" -a \
       -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" -a -z "$LAN_DEFAULT_POLICY_DROP" ] \
     || [ "$LAN_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A INT_INPUT_CHAIN -j ACCEPT
  else
    echo " Denying all (other) ports/protocols"
    if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
      iptables -A INT_INPUT_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
    fi
    iptables -A INT_INPUT_CHAIN -j DROP
  fi
}

###################################################
# Setup chain for the LAN-to-INET forward traffic #
###################################################
# Populates LAN_INET_FORWARD_CHAIN.  Rules match on the egress (external)
# interface with -o.  Same layout as the DMZ->INET chain: per-host ACCEPT
# lists first, then per-host DENY lists, then the broad OPEN lists -- so a
# per-host DENY beats a broad OPEN for the same port.
#
# Globals read:  LAN_INET_HOST_OPEN_TCP/UDP/IP, LAN_INET_HOST_DENY_TCP/UDP/IP,
#                LAN_INET_OPEN_TCP/UDP/IP (and more further down),
#                LAN_OUTPUT_DENY_LOG, LOGLEVEL
# Side effects:  appends iptables rules; IFS is reassigned and not restored.
# Deny logging: per-host denies log at most 1/h per rule.
# parse_rule, ip_range and show_if_ip are defined elsewhere in the script.
setup_lan_inet_forward_chain() {
  echo " Setting up LAN->INET policy"

  # TCP ports to ALLOW for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain LAN hosts
  #####################################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # TCP ports to DENY for certain LAN hosts
  # (appended before the broad OPEN rules, so these win over them)
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_TCP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_UDP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain LAN hosts
  #####################################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_IP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN -o $interface -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the LAN->INET?
############################################################# unset IFS for rule in $LAN_INET_OPEN_TCP; do if parse_rule "$rule" LAN_INET_OPEN_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -j ACCEPT done done fi done # Allow only certain UDP ports to be used from the LAN->INET? ############################################################# unset IFS for rule in $LAN_INET_OPEN_UDP; do if parse_rule "$rule" LAN_INET_OPEN_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -j ACCEPT done done fi done # Allow only certain IP protocols to be used from the LAN->INET? ################################################################ unset IFS for rule in $LAN_INET_OPEN_IP; do if parse_rule "$rule" LAN_INET_OPEN_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p $proto -j ACCEPT done done fi done # Allow ICMP-requests(ping) for LAN->INET? 
########################################## if [ "$LAN_INET_OPEN_ICMP" != "0" ]; then echo " Allowing ICMP-requests(ping)" iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # TCP ports to DENY for LAN->INET ################################# unset IFS for rule in $LAN_INET_DENY_TCP; do if parse_rule "$rule" LAN_INET_DENY_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " fi iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p tcp --dport $port -j DROP done done fi done # UDP ports to DENY for LAN->INET ################################# unset IFS for rule in $LAN_INET_DENY_UDP; do if parse_rule "$rule" LAN_INET_DENY_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " fi iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p udp --dport $port -j DROP done done fi done # IP protocols to DENY for LAN->INET #################################### unset IFS for rule in $LAN_INET_DENY_IP; do if parse_rule "$rule" LAN_INET_DENY_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Denying IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p $proto -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix 
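"AIF:LAN->INET denied: "
          fi
          iptables -A LAN_INET_FORWARD_CHAIN -o $interface -p $proto -j DROP
        done
      done
    fi
  done

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop ICMP packets
  iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used)
  ###########################################################################################
  if [ -z "$LAN_INET_OPEN_TCP" -a -z "$LAN_INET_HOST_OPEN_TCP" -a \
       -z "$LAN_INET_OPEN_UDP" -a -z "$LAN_INET_HOST_OPEN_UDP" -a \
       -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" -a -z "$LAN_INET_DEFAULT_POLICY_DROP" ] \
     || [ "$LAN_INET_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A LAN_INET_FORWARD_CHAIN -j ACCEPT
  else
    if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A LAN_INET_FORWARD_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
    fi
    echo " Denying all (other) ports/protocols"
    iptables -A LAN_INET_FORWARD_CHAIN -j DROP
  fi
}


######################################################################################################################
## Chain EXT_INPUT_CHAIN - Checks all incoming packets for the EXTERNAL interface(s)                                 ##
######################################################################################################################
#
# Populate EXT_INPUT_CHAIN with the checks applied to every packet arriving on an
# EXTERNAL interface. Rules are appended in the order written below, so the
# earlier sections (port-0 drops, DHCP, host-specific allow/reject/deny, the
# "full access" hosts, reserved-net and DRDOS checks, OPEN_* ports) decide a
# packet's fate before the generic logging and the final drop at the bottom.
#
# Globals (read):  SCAN_LOG, EXT_IF_DHCP_IP, IPV6_SUPPORT, EXTERNAL_DHCP_SERVER,
#                  EXTERNAL_DHCPV6_SERVER, EXTERNAL_NET, NMB_BROADCAST_FIX,
#                  LOCAL_PORT_RANGE, BLOCKED_HOST_LOG, INET_OUTPUT_DENY_LOG,
#                  the HOST_*/DENY_*/REJECT_*/OPEN_*/FULL_ACCESS_HOSTS rule
#                  lists, RESERVED_NET_DROP, RESERVED_NET_LOG, DRDOS_PROTECT,
#                  OPEN_ICMP, OPEN_ICMPV6, POSSIBLE_SCAN_LOG, *_TCP_LOG,
#                  *_UDP_LOG, EXT_NET_BCAST_ADDRESS, IGMP_LOG,
#                  NAT_LOCAL_REDIRECT, ICMP_*_LOG, OTHER_IP_LOG, LOGLEVEL
# Globals (written): IFS is left as ',' or ' ,' by the rule loops; the
#                  variables interfaces/destips/hosts/ports/protos are read
#                  after each parse_rule call (presumably set by it).
# Arguments:       none
# Outputs:         progress messages on stdout
# Returns:         the exit status of the final iptables call (not checked)
#######################################
setup_ext_input_chain() {
  ## Log scanning of port 0 fingerprinting
  ########################################
  if [ "$SCAN_LOG" != "0" ]; then
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
    iptables -A EXT_INPUT_CHAIN -p udp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
  fi

  # Drop port 0 scan packets
  ##########################
  iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp --dport 0 -j POST_INPUT_DROP_CHAIN

  ## Log scanning of source port 0
  ################################
  if [ "$SCAN_LOG" != "0" ]; then
    iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 \
      -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP source port 0: "
    iptables -A EXT_INPUT_CHAIN -p udp --sport 0 \
      -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP source port 0: "
  fi

  # Drop source port 0 packets
  ############################
  iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp --sport 0 -j POST_INPUT_DROP_CHAIN

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be an DHCP client (server port 67 -> client port 68):
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT

    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be an DHCPv6 client (server port 547 -> client port 546):
      ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi

  # Support for a DHCP/BootP service on the EXTERNAL interface
  ############################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" ]; then
    echo " Enabling support for DHCP/BOOTP (DHCP server) for subnet(s): $EXTERNAL_NET"
    IFS=' ,'
    for net in $EXTERNAL_NET; do
      # Allow this host to be a DHCP/BOOTP-server:
      ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --dport 67 -j ACCEPT
#      ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
#      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 68 --dport 67 -j ACCEPT

      # Extra rules to allow packets from other dhcp servers in the same segment
      ip4tables -A EXT_INPUT_CHAIN -s $net -d 255.255.255.255 -p udp --sport 67 --dport 68 -j ACCEPT
    done
  fi

  # Support for a DHCPv6 service on the EXTERNAL interface
  ########################################################
  if [ "$IPV6_SUPPORT" = "1" -a "$EXTERNAL_DHCPV6_SERVER" = "1" ]; then
    echo " Enabling support for DHCPv6 server on external interface(s)"
    # Allow only Link-Local clients
    ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --dport 547 -j ACCEPT
  fi

  # This is the fix(hack) for nmb broadcast packets (nmblookup/Samba)
  ###################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" ]; then
    echo " Enabling support for NMB-broadcasts(Samba) for subnet(s): $EXTERNAL_NET"
    IFS=' ,'
    for net in $EXTERNAL_NET; do
      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 137 --dport "$LOCAL_PORT_RANGE" -j ACCEPT
    done
  fi

  # Enable logging of blocked hosts?
  ##################################
  if [ "$BLOCKED_HOST_LOG" != "0" ]; then
    echo " Logging of explicitly blocked hosts enabled"
  else
    echo " Logging of explicitly blocked hosts disabled"
  fi

  # Enable logging of denied output connections?
  ##############################################
  if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
    echo " Logging of denied local output connections enabled"
  else
    echo " Logging of denied local output connections disabled"
  fi

  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $HOST_OPEN_TCP; do
    if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $HOST_OPEN_UDP; do
    if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $HOST_OPEN_IP; do
    if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # Add ICMP to allow for certain hosts
  #####################################
  unset IFS
  for rule in $HOST_OPEN_ICMP; do
    if parse_rule "$rule" HOST_OPEN_ICMP "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -j ACCEPT
          done
        done
      done
    fi
  done

  # Add TCP ports to REJECT for certain hosts but NOT logged
  ##########################################################
  unset IFS
  for rule in $HOST_REJECT_TCP_NOLOG; do
    if parse_rule "$rule" HOST_REJECT_TCP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s) (NO LOG): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to REJECT for certain hosts NOT logged
  ######################################################
  unset IFS
  for rule in $HOST_REJECT_UDP_NOLOG; do
    if parse_rule "$rule" HOST_REJECT_UDP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s) (NO LOG): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              # UDP has no reset; reject with the address-family specific ICMP unreachable
              ip4tables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
              if [ "$IPV6_SUPPORT" = "1" ]; then
                ip6tables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
              fi
            done
          done
        done
      done
    fi
  done

  # Add TCP ports to REJECT for certain hosts
  ###########################################
  unset IFS
  for rule in $HOST_REJECT_TCP; do
    if parse_rule "$rule" HOST_REJECT_TCP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP rejected: "
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to REJECT for certain hosts
  ###########################################
  unset IFS
  for rule in $HOST_REJECT_UDP; do
    if parse_rule "$rule" HOST_REJECT_UDP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP rejected: "
              ip4tables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
              if [ "$IPV6_SUPPORT" = "1" ]; then
                ip6tables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
              fi
            done
          done
        done
      done
    fi
  done

  # Add TCP ports to DENY for certain hosts but NOT logged
  ########################################################
  unset IFS
  for rule in $HOST_DENY_TCP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_TCP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s) (NO LOG): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to DENY for certain hosts but NOT logged
  ########################################################
  unset IFS
  for rule in $HOST_DENY_UDP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_UDP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s) (NO LOG): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to DENY for certain hosts but NOT logged
  ###########################################################
  unset IFS
  for rule in $HOST_DENY_IP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_IP_NOLOG "interfaces-destips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s) (NO LOG): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p $proto -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add ICMP-request to DENY for certain hosts but NOT logged
  ############################################################
  unset IFS
  for rule in $HOST_DENY_ICMP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_ICMP_NOLOG "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Add TCP ports to DENY for certain hosts
  #########################################
  unset IFS
  for rule in $HOST_DENY_TCP; do
    if parse_rule "$rule" HOST_DENY_TCP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to DENY for certain hosts
  #########################################
  unset IFS
  for rule in $HOST_DENY_UDP; do
    if parse_rule "$rule" HOST_DENY_UDP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to DENY for certain hosts
  ############################################
  unset IFS
  for rule in $HOST_DENY_IP; do
    if parse_rule "$rule" HOST_DENY_IP "interfaces-destips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              # Match on the parsed interface and destination IP as every other
              # HOST_* rule does; previously these were ignored, so the rule
              # applied everywhere and was appended once per interface/destip pair.
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p $proto \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p $proto -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add ICMP-request to DENY for certain hosts
  ############################################
  unset IFS
  for rule in $HOST_DENY_ICMP; do
    if parse_rule "$rule" HOST_DENY_ICMP "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for destip in $destips; do
          for interface in $interfaces; do
            # Same fix as HOST_DENY_IP: honour the parsed interface/destip
            if [ "$ICMP_DROP_LOG" != "0" ]; then
              iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -m limit --limit 1/h --limit-burst 1 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
            fi
            iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding TCP ports to be denied for everyone
  ############################################
  unset IFS
  for rule in $DENY_TCP; do
    if parse_rule "$rule" DENY_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding UDP ports to be denied for everyone
  ############################################
  unset IFS
  for rule in $DENY_UDP; do
    if parse_rule "$rule" DENY_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding TCP ports to be rejected for everyone
  ##############################################
  unset IFS
  for rule in $REJECT_TCP; do
    if parse_rule "$rule" REJECT_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected TCP port: "
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
          done
        done
      done
    fi
  done

  # Adding UDP ports to be rejected for everyone
  ##############################################
  unset IFS
  for rule in $REJECT_UDP; do
    if parse_rule "$rule" REJECT_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            # Match on the parsed interface/destip like REJECT_TCP and
            # REJECT_UDP_NOLOG do; previously they were parsed but not applied.
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected UDP port: "
            ip4tables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
            if [ "$IPV6_SUPPORT" = "1" ]; then
              ip6tables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
            fi
          done
        done
      done
    fi
  done

  # Adding the "full access hosts"
  ################################
  unset IFS
  for rule in $FULL_ACCESS_HOSTS; do
    if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts full (inbound) access"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for destip in $destips; do
          for interface in $interfaces; do
            # Unconditional ACCEPT: everything below (reserved-net check, DRDOS
            # protection, stealth-scan drop, ...) is bypassed for these hosts.
            iptables -A EXT_INPUT_CHAIN -i $interface -s $host -d $destip -j ACCEPT
          done
        done
      done
    fi
  done

  # TCP ports to DENY but NOT to LOG
  ##################################
  unset IFS
  for rule in $DENY_TCP_NOLOG; do
    if parse_rule "$rule" DENY_TCP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # UDP ports to DENY but NOT to LOG
  ##################################
  unset IFS
  for rule in $DENY_UDP_NOLOG; do
    if parse_rule "$rule" DENY_UDP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # TCP ports to REJECT but NOT to LOG
  ####################################
  unset IFS
  for rule in $REJECT_TCP_NOLOG; do
    if parse_rule "$rule" REJECT_TCP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
          done
        done
      done
    fi
  done

  # UDP ports to REJECT but NOT to LOG
  ####################################
  unset IFS
  for rule in $REJECT_UDP_NOLOG; do
    if parse_rule "$rule" REJECT_UDP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            ip4tables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
            if [ "$IPV6_SUPPORT" = "1" ]; then
              ip6tables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
            fi
          done
        done
      done
    fi
  done

  # Check the packet source address
  #################################
  if [ "$RESERVED_NET_DROP" = "1" ]; then
    echo " Packets will be checked for reserved source addresses"
  else
    echo " Packets will NOT be checked for reserved source addresses"
  fi

  # The RESERVED_NET_CHK chain is consulted when either dropping or logging is wanted
  if [ "$RESERVED_NET_DROP" = "1" -o "$RESERVED_NET_LOG" = "1" ]; then
    iptables -A EXT_INPUT_CHAIN -j RESERVED_NET_CHK
  fi

  # Do NOT allow DRDOS abuse (Distributed Reflection Denial Of Service attack)
  ############################################################################
  if [ "$DRDOS_PROTECT" = "1" ]; then
    echo " Enabling protection against DRDOS-abuse"
    # Log, then drop, packets that claim a well-known service source port
    # (the reflected traffic of such an attack); traffic to port 2049 (NFS)
    # is exempted because NFS legitimately uses such source ports.
    iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
    iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
    iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
  fi

  # Adding TCP ports NOT to be firewalled
  #######################################
  unset IFS
  for rule in $OPEN_TCP; do
    if parse_rule "$rule" OPEN_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Adding UDP ports NOT to be firewalled
  #######################################
  unset IFS
  for rule in $OPEN_UDP; do
    if parse_rule "$rule" OPEN_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Adding IP protocols NOT to be firewalled
  ##########################################
  unset IFS
  for rule in $OPEN_IP; do
    if parse_rule "$rule" OPEN_IP "interfaces-destips-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN -i $interface -d $destip -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow world to send IPv4 ICMP packets?
  ########################################
  if [ "$OPEN_ICMP" = "1" ]; then
    echo " Allowing ANYHOST to send IPv4 ICMP-requests (ping)"
    # Rate-limited so an open ping cannot be used to flood the host
    ip4tables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  else
    echo " Denying ANYHOST to send IPv4 ICMP-requests (ping)"
  fi

  # Allow world to send IPv6 ICMPv6 packets?
  ##########################################
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ "$OPEN_ICMPV6" != "0" ]; then
      echo " Allowing ANYHOST to send IPv6 ICMPv6-requests"
      ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
    else
      echo " Denying ANYHOST to send IPv6 ICMPv6-requests"
    fi
  fi

  # Logging of possible stealth scans
  ###################################
  if [ "$POSSIBLE_SCAN_LOG" = "1" ]; then
    echo " Logging of possible stealth scans enabled"
    # A TCP packet that is not a SYN and belongs to no tracked connection
    # (conntrack ACCEPTs are expected earlier in the ruleset) is suspicious.
    if [ "$UNPRIV_TCP_LOG" != "0" ]; then
      iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: \
        -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (UNPRIV): "
    fi
    if [ "$PRIV_TCP_LOG" != "0" ]; then
      iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 \
        -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (PRIV): "
    fi
  else
    echo " Logging of possible stealth scans disabled"
  fi

  # General stealth scan drop
  ###########################
  iptables -A EXT_INPUT_CHAIN -p tcp ! --syn -j POST_INPUT_DROP_CHAIN

  # Setup IPv4 chain to handle broadcast traffic
  ##############################################
  ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -j EXT_BROADCAST_CHAIN
#  ip4tables -A EXT_INPUT_CHAIN -m pkttype --pkt-type broadcast -j EXT_BROADCAST_CHAIN
#  ip4tables -A EXT_INPUT_CHAIN -m addrtype --dst-type BROADCAST -j EXT_BROADCAST_CHAIN

  if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
    IFS=' ,'
    for address in $EXT_NET_BCAST_ADDRESS; do
      ip4tables -A EXT_INPUT_CHAIN -d $address -j EXT_BROADCAST_CHAIN
    done
  else
    # No explicit broadcast address configured: derive the classful directed
    # broadcast addresses from each external network's first octets.
    IFS=' ,'
    for net in $EXTERNAL_NET; do
      # Class C net
      ip4tables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1"."$2"."$3".255" }') \
        -j EXT_BROADCAST_CHAIN
      # Class B net
      ip4tables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1"."$2".255.255" }') \
        -j EXT_BROADCAST_CHAIN
      # Class A net
      ip4tables -A EXT_INPUT_CHAIN -d $(echo $net |awk -F. '{ print $1".255.255.255" }') \
        -j EXT_BROADCAST_CHAIN
    done
  fi

  # Handle multicast traffic
  ##########################
  ip4tables -A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A EXT_INPUT_CHAIN -d ff00::/8 -j EXT_MULTICAST_CHAIN
  fi

  # Log packets to privileged TCP ports?
  ##################################################
  if [ "$PRIV_TCP_LOG" != "0" ]; then
    echo " Logging of (other) packets to PRIVILEGED TCP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP broadcast: "
  else
    echo " Logging of (other) packets to PRIVILEGED TCP ports disabled"
  fi

  # Log packets to privileged UDP ports?
  ##################################################
  if [ "$PRIV_UDP_LOG" != "0" ]; then
    echo " Logging of (other) packets to PRIVILEGED UDP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP broadcast: "
  else
    echo " Logging of (other) packets to PRIVILEGED UDP ports disabled"
  fi

  # Log packets to unprivileged TCP ports?
  ####################################################
  if [ "$UNPRIV_TCP_LOG" != "0" ]; then
    echo " Logging of (other) packets to UNPRIVILEGED TCP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP broadcast: "
  else
    echo " Logging of (other) packets to UNPRIVILEGED TCP ports disabled"
  fi

  # Log packets to unprivileged UDP ports?
  ####################################################
  if [ "$UNPRIV_UDP_LOG" != "0" ]; then
    echo " Logging of (other) packets to UNPRIVILEGED UDP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP packet: "
    # "1024:" (port range 1024 and up), like the TCP rules above; the
    # multicast/broadcast rules used to say "1024" and matched only that port.
    iptables -A EXT_MULTICAST_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP broadcast: "
  else
    echo "Logging of (other) packets to UNPRIVILEGED UDP ports disabled"
  fi

  # Do we want to log igmp packets?
  #############################################
  if [ "$IGMP_LOG" != "0" ]; then
    echo " Logging of IGMP packets enabled"
    # protocol number 2 = IGMP (IPv4 only)
    ip4tables -A EXT_INPUT_CHAIN -p 2 \
      -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IGMP packet: "
  else
    echo " Logging of IPv4 IGMP packets disabled"
  fi

  # Allow all packets that have been locally redirected
  #####################################################
  if [ "$NAT_LOCAL_REDIRECT" = "1" ]; then
    echo " Enabling support for NAT local redirect"
    # Packets whose destination was rewritten by a DNAT rule are accepted here
    # regardless of their (rewritten) destination port.
    ip4tables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT
  fi

  # Finally drop all in the broadcast chain
  iptables -A EXT_BROADCAST_CHAIN -j DROP

  # Jump into the POST_INPUT_CHAIN before we start to DROP
  iptables -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN

  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    echo " Logging of dropped ICMP-request(ping) packets enabled"
    iptables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
    iptables -A EXT_MULTICAST_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-request: "
  else
    echo " Logging of dropped ICMP-request(ping) packets disabled"
  fi

  if [ "$ICMP_OTHER_LOG" != "0" ]; then
    echo " Logging of dropped other ICMP packets enabled"
    iptables -A EXT_INPUT_CHAIN -p icmp ! --icmp-type echo-request \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-other: "
    iptables -A EXT_MULTICAST_CHAIN -p icmp ! --icmp-type echo-request \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-other: "
  else
    echo " Logging of dropped other ICMP packets disabled"
  fi

  # Drop all in the multicast chain
  iptables -A EXT_MULTICAST_CHAIN -j DROP

  # Drop all "standard" IP protocols
  ##################################
  iptables -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
  ip4tables -A EXT_INPUT_CHAIN -p 2 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN

  # Do we want to log non udp/tcp/icmp packets?
  #############################################
  if [ "$OTHER_IP_LOG" != "0" ]; then
    echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled"
    iptables -A EXT_INPUT_CHAIN \
      -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Other connect: "
  else
    echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled"
  fi

  # Drop all remaining packets
  ############################
  iptables -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
}


######################################################################################################################
## Chain EXT_ICMP_FLOOD_CHAIN - Checks all ICMP (flooded) packets for the EXTERNAL interface(s)                       ##
######################################################################################################################
setup_ext_icmp_flood_chain() {
  # Log of ICMP flooding
  ######################
  if [ "$ICMP_FLOOD_LOG" != "0" ]; then
    echo " Logging of ICMP flooding enabled"
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-unreachable flood: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded \
      -m limit --limit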
12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-time-exceeded fld: " iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded -j POST_INPUT_DROP_CHAIN iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-param-problem fld: " iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem -j POST_INPUT_DROP_CHAIN iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request(ping) fld: " iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-reply(pong) flood: " iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply -j POST_INPUT_DROP_CHAIN ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-source-quench fld: " ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench -j POST_INPUT_DROP_CHAIN if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-packet-too-big fld: " ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big -j POST_INPUT_DROP_CHAIN fi # All other ICMP into the general log rule iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp \ -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP(other) flood: " else echo " Logging of ICMP flooding disabled" fi # Drop any ICMP packets left iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN } 
###################################################################################################################### ## Chain EXT_OUTPUT_CHAIN - Checks all outgoing packets for the EXTERNAL interface(s) ## ###################################################################################################################### setup_ext_output_chain() { # This rule is for hostwise OUTPUT TCP blocking ############################################### unset IFS for rule in $HOST_DENY_TCP_OUTPUT; do if parse_rule "$rule" HOST_DENY_TCP_OUTPUT "interfaces-srcips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for TCP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p tcp --dport $port \ -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p tcp --dport $port -j DROP done done done done fi done # This rule is for hostwise OUTPUT UDP blocking ############################################### unset IFS for rule in $HOST_DENY_UDP_OUTPUT; do if parse_rule "$rule" HOST_DENY_UDP_OUTPUT "interfaces-srcips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for UDP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p udp --dport $port \ -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p udp --dport $port -j DROP done done done done fi done # This rule is for hostwise OUTPUT IP blocking 
############################################## unset IFS for rule in $HOST_DENY_IP_OUTPUT; do if parse_rule "$rule" HOST_DENY_IP_OUTPUT "interfaces-srcips-hosts-protos"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p $proto \ -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -p $proto -j DROP done done done done fi done # Adding the "full access hosts" ################################ unset IFS for rule in $FULL_ACCESS_HOSTS; do if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-srcips-hosts"; then echo " $(show_if_ip "$interfaces")Allowing $hosts full (outbound) access" IFS=',' for host in `ip_range "$hosts"`; do for interface in $interfaces; do for srcip in $srcips; do iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -d $host -j ACCEPT done done done fi done # This rule is for local OUTPUT TCP blocking ############################################ unset IFS for rule in $DENY_TCP_OUTPUT; do if parse_rule "$rule" DENY_TCP_OUTPUT "interfaces-srcips-ports"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p tcp --dport $port \ -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p tcp --dport $port -j DROP done done done fi done # This rule is for local OUTPUT UDP blocking ############################################ unset IFS for rule in 
$DENY_UDP_OUTPUT; do if parse_rule "$rule" DENY_UDP_OUTPUT "interfaces-srcips-ports"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p udp --dport $port \ -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p udp --dport $port -j DROP done done done fi done # This rule is for local OUTPUT IP blocking ############################################ unset IFS for rule in $DENY_IP_OUTPUT; do if parse_rule "$rule" DENY_IP_OUTPUT "interfaces-srcips-protos"; then echo " $(show_if_ip "$interfaces" "$srcips")Denying IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do for srcip in $srcips; do if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p $proto \ -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: " fi iptables -A EXT_OUTPUT_CHAIN -o $interface -s $srcip -p $proto -j DROP done done done fi done } # Helper chain to catch broadcast traffic setup_ext_broadcast_chain() { # Disable logging of certain TCP broadcasts on the external interface ##################################################################### unset IFS for rule in $BROADCAST_TCP_NOLOG; do if parse_rule "$rule" BROADCAST_TCP_NOLOG "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for TCP port(s): $ports" IFS=' ,' for port in $ports; do for interface in $interfaces; do iptables -A EXT_BROADCAST_CHAIN -i $interface -p tcp --dport $port -j DROP done done fi done # Disable logging of certain UDP broadcasts on the external interface 
########################################################################################## unset IFS for rule in $BROADCAST_UDP_NOLOG; do if parse_rule "$rule" BROADCAST_UDP_NOLOG "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for UDP port(s): $ports" IFS=' ,' for port in $ports; do for interface in $interfaces; do iptables -A EXT_BROADCAST_CHAIN -i $interface -p udp --dport $port -j DROP done done fi done } # This creates the input logging rules ########################################################## setup_input_log() { # This rule is for local INPUT TCP watching ############################################ unset IFS for rule in $LOG_INPUT_TCP; do if parse_rule "$rule" LOG_INPUT_TCP "interfaces-destips-ports"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming TCP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -d $destip -p tcp --dport $port -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP INPUT log: " done done done fi done # This rule is for local INPUT UDP watching ########################################### unset IFS for rule in $LOG_INPUT_UDP; do if parse_rule "$rule" LOG_INPUT_UDP "interfaces-destips-ports"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming UDP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -d $destip -p udp --dport $port -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP INPUT log: " done done done fi done # This rule is for local INPUT IP watching ########################################## unset IFS for rule in $LOG_INPUT_IP; do if parse_rule "$rule" LOG_INPUT_IP "interfaces-destips-protos"; then echo "$(show_if_ip 
"$interfaces" "$destips")Logging incoming IP protocol(s): $protos" IFS=',' for proto in $protos; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -d $destip -p $proto -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP INPUT log: " done done done fi done # Hostwise logging of input connection attempts ############################################### unset IFS for rule in $LOG_HOST_INPUT; do if parse_rule "$rule" LOG_HOST_INPUT "interfaces-destips-hosts"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of: $hosts" IFS=',' for host in `ip_range "$hosts"`; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -s $host -d $destip -m state --state NEW \ -m limit --limit 12/m --limit-burst 50 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise INPUT log: " done done done fi done # Hostwise logging of certain TCP port connection attempts ########################################################## unset IFS for rule in $LOG_HOST_INPUT_TCP; do if parse_rule "$rule" LOG_HOST_INPUT_TCP "interfaces-destips-hosts-ports"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to TCP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -s $host -d $destip -p tcp --dport $port -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP log (IN): " done done done done fi done # Hostwise logging of certain UDP port connection attempts ########################################################## unset IFS for rule in $LOG_HOST_INPUT_UDP; do if parse_rule "$rule" LOG_HOST_INPUT_UDP "interfaces-destips-hosts-ports"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of 
$hosts to UDP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -s $host -d $destip -p udp --dport $port -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP INPUT log: " done done done done fi done # Hostwise logging of certain IP protocols connection attempts ############################################################## unset IFS for rule in $LOG_HOST_INPUT_IP; do if parse_rule "$rule" LOG_HOST_INPUT_IP "interfaces-destips-hosts-protos"; then echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do for destip in $destips; do for interface in $interfaces; do iptables -A INPUT -i $interface -s $host -d $destip -p $proto -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise IP INPUT log: " done done done done fi done } # This creates the output logging rules ########################################################## setup_output_log() { # This rule is for local OUTPUT TCP watching ############################################ unset IFS for rule in $LOG_OUTPUT_TCP; do if parse_rule "$rule" LOG_OUTPUT_TCP "interfaces-srcips-ports"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -p tcp --dport $port -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP OUTPUT log: " done done done fi done # This rule is for local OUTPUT UDP watching ############################################ unset IFS for rule in $LOG_OUTPUT_UDP; do if parse_rule "$rule" LOG_OUTPUT_UDP 
"interfaces-srcips-ports"; then echo "$(show_if_ip "$interfaces")Logging outgoing UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -p udp --dport $port -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP OUTPUT log: " done done done fi done # This rule is for local OUTPUT IP watching ########################################### unset IFS for rule in $LOG_OUTPUT_IP; do if parse_rule "$rule" LOG_OUTPUT_IP "interfaces-srcips-protos"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -p $proto -m state --state NEW -m limit \ --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP OUTPUT log: " done done done fi done # Hostwise logging of output connection attempts ################################################ unset IFS for rule in $LOG_HOST_OUTPUT; do if parse_rule "$rule" LOG_HOST_OUTPUT "interfaces-srcips-hosts"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections to: $hosts" IFS=',' for host in `ip_range "$hosts"`; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -d $host -m state --state NEW \ -m limit --limit 12/m --limit-burst 50 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise OUTPUT log: " done done done fi done # Hostwise logging of certain TCP port connection attempts ########################################################## unset IFS for rule in $LOG_HOST_OUTPUT_TCP; do if parse_rule "$rule" LOG_HOST_OUTPUT_TCP "interfaces-srcips-hosts-ports"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to TCP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in 
$ports; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -d $host -p tcp --dport $port -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host TCP log (OUT): " done done done done fi done # Hostwise logging of certain UDP port connection attempts ########################################################## unset IFS for rule in $LOG_HOST_OUTPUT_UDP; do if parse_rule "$rule" LOG_HOST_OUTPUT_UDP "interfaces-srcips-hosts-ports"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to UDP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -d $host -p udp --dport $port -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host UDP log (OUT): " done done done done fi done # Hostwise logging of certain IP protocols connection attempts ############################################################## unset IFS for rule in $LOG_HOST_OUTPUT_IP; do if parse_rule "$rule" LOG_HOST_OUTPUT_IP "interfaces-srcips-hosts-protos"; then echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do for interface in $interfaces; do for srcip in $srcips; do iptables -A OUTPUT -o $interface -s $srcip -d $host -p $proto -m state --state NEW \ -m limit --limit 12/m --limit-burst 5 \ -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host IP log (OUT): " done done done done fi done } # This creates the separate host block ###################################### setup_hostblock_chain() { if iptables -F HOST_BLOCK_SRC 2>&1 |grep -q "No chain" || \ iptables -F HOST_BLOCK_DST 2>&1 |grep -q "No chain"; then printf "\033[40m\033[1;31mERROR: The firewall isn't 
running!\033[0m\n" >&2 printf "\033[40m\033[1;31m You should first run this script with the \"start\" command.\033[0m\n" >&2 return 5 fi # Return if no Blocked Hosts are defined if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then return fi if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then echo "Blocking (blackhole) direction: Inbound and Outbound" else echo "Blocking (blackhole) direction: Inbound Only" fi # Set default to DROP all while rules are added iptables -A HOST_BLOCK_SRC -j DROP iptables -A HOST_BLOCK_DST -j DROP iptables_batch start iptables_batch init HOST_BLOCK_SRC iptables_batch init HOST_BLOCK_DST if [ -n "$BLOCK_HOSTS" ]; then printf "Blocking (blackhole) host(s): " IFS=' ,' for hosts in $BLOCK_HOSTS; do printf "$hosts " for host in `ip_range "$hosts"`; do get_numeric_ip_version "$host" case $? in 4) ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP fi ;; 6) if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP fi fi ;; esac done done echo "" fi # Setup the blocked hosts from our file if [ -n "$BLOCK_HOSTS_FILE" ]; then if [ -e "$BLOCK_HOSTS_FILE" ]; then local cur_cnt=0 total_cnt total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) )) echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..." if [ $total_cnt -gt 0 ]; then progress_bar $cur_cnt $total_cnt # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file unset IFS cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |while read hosts; do cur_cnt=$(($cur_cnt + 100)) progress_bar $cur_cnt $total_cnt if [ -n "$hosts" ]; then IFS=',' for host in `ip_range "$hosts"`; do get_numeric_ip_version "$host" case $? 
in 4) ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP fi ;; 6) if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_DROP if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DROP fi fi ;; esac done unset IFS fi done printf "........." fi echo "$total_cnt host line(s) read" else printf "\033[40m\033[1;31mNOTE: Cannot read the blocked hosts file \"$BLOCK_HOSTS_FILE\".\033[0m\n" fi fi iptables_batch apply HOST_BLOCK_SRC iptables_batch apply HOST_BLOCK_DST iptables_batch stop # All Blocked Host rules are applied # Remove default rule at the beginning of the HOST_BLOCK_SRC and HOST_BLOCK_DST chains iptables -D HOST_BLOCK_SRC 1 iptables -D HOST_BLOCK_DST 1 } setup_mangle_tables() { # The following line is intended to hide the firewall during a traceroute. ########################################################################## if [ "$TTL_INC" = "1" ]; then echo "Enabling TTL-increase for the PREROUTING chain" IFS=' ,' for interface in $EXT_IF; do ip4tables -t mangle -A PREROUTING -i $interface -j TTL --ttl-inc 1 done fi # Set TTL on outgoing & forwarded packets: ########################################## if [ -n "$PACKET_TTL" ]; then if [ $PACKET_TTL -gt 9 -a $PACKET_TTL -lt 256 ]; then echo "Setting TTL=$PACKET_TTL for the FORWARD & OUTPUT chains" IFS=' ,' for interface in $EXT_IF; do ip4tables -t mangle -A FORWARD -o $interface -j TTL --ttl-set $PACKET_TTL ip4tables -t mangle -A OUTPUT -o $interface -j TTL --ttl-set $PACKET_TTL done else printf "\033[40m\033[1;31m WARNING: Ingoring invalid value for PACKET_TTL ($PACKET_TTL), it should be between 10 and 255!\033[0m\n" >&2 fi fi # Mangles the TOS on standard ports so they get priority in routers ################################################################### # TOS table # Options: # Normal-Service = 0 
(0x00) # Minimize-Cost = 2 (0x02) # Maximize-Reliability = 4 (0x04) # Maximize-Throughput = 8 (0x08) # Minimize-Delay = 16 (0x10) if [ "$MANGLE_TOS" = "1" ]; then echo "Enabling mangling TOS" # ToS: Client Applications; data => tos_client # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary. # To view mangle table, type: iptables -L -t mangle IFS=' ,' for interface in $EXT_IF; do # Mangle values of packets created locally. iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 23 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 25 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p udp --dport 53 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 67 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 113 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 123 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay iptables -t 
mangle -A OUTPUT -o $interface -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput done # Rules to mangle TOS values of packets routed through the firewall iptables -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput fi } setup_tcp_mss() { # Besides MTU, there is yet another way to set the maximum packet size, the so called Maximum Segment Size. # This is a field in the TCP Options part of a SYN packet. # The good thing about this is that by setting the MSS value, you are telling the remote side unequivocally # 'do not ever try to send me packets bigger than this value'. 
# No ICMP traffic is needed to get this to work.
# In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3 or higher.
##################################################################################################################
  if [ "$SET_MSS" = "1" ]; then
    echo "Enabling setting the maximum packet size via MSS"
    IFS=' ,'
    for interface in $EXT_IF; do
      # Clamp the MSS of outbound SYNs to the path MTU on each external
      # interface, for forwarded (FORWARD) and local (OUTPUT) connections alike.
      iptables -A FORWARD -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      iptables -A OUTPUT -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      if [ "$NAT" = "1" ]; then
        ip4tables -t nat -A POSTROUTING -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      fi
    done
  fi
}


#######################################
# Load every *.plugin file found in $PLUGIN_BIN_PATH by sourcing it into
# this (root) shell with PLUGIN_CMD=start, or PLUGIN_CMD=restart when the
# plugin is listed in $PLUGIN_LOAD_FILE_RESTART and defines plugin_restart().
# Globals read:    PLUGIN_BIN_PATH, PLUGIN_LOAD_FILE_RESTART, EOL
# Globals written: PLUGIN_LOAD_FILE (truncated, then one line per plugin that
#                  set ENABLED=1), PLUGIN_CMD, ENABLED, INDENT, IFS,
#                  plugin_count; $PLUGIN_LOAD_FILE_RESTART is removed.
# NOTE(review): plugins are executed with root privileges via ". $plugin".
# Nothing here verifies the ownership or permissions of $PLUGIN_BIN_PATH or
# of the plugin files, so that directory must only be writable by root.
#######################################
plugins_start() {
  # Truncate/create file
  cp -f /dev/null "$PLUGIN_LOAD_FILE"

  printf "Checking for (user) plugins in $PLUGIN_BIN_PATH..."

  # Check for plugins in our plugins binary path:
  if ls "$PLUGIN_BIN_PATH"/*.plugin >/dev/null 2>&1; then
    echo ""

    plugin_count=0

    unset IFS
    for plugin in "$PLUGIN_BIN_PATH"/*.plugin; do
      PLUGIN_CMD=start
      # A plugin recorded in the restart file (written by "plugins_stop restart")
      # that defines plugin_restart() is started with PLUGIN_CMD=restart instead.
      if [ -e "$PLUGIN_LOAD_FILE_RESTART" ]; then
        IFS=$EOL
        for plugin_restart in `cat "$PLUGIN_LOAD_FILE_RESTART"`; do
          if [ "$plugin_restart" = "$plugin" ]; then
            if grep -q "^plugin_restart\(\)" "$plugin"; then
              PLUGIN_CMD=restart
            fi
            break
          fi
        done
      fi

      # Preset ENABLED=0 to make sure the plugin only
      # gets loaded if the config has an explicit ENABLED=1:
      ENABLED=0

      # Set indent
      INDENT=' '

      # Explicit unset IFS, just in case
      unset IFS

      # Source the plugin (executes its code in this root shell):
      . "$plugin"

      # By checking the ENABLED variable, we know whether the plugin
      # was actually loaded. If so increase the plugin count:
      if [ "$ENABLED" = "1" ]; then
        echo "$plugin" >> "$PLUGIN_LOAD_FILE"
        plugin_count=$(($plugin_count + 1))
      fi
    done

    rm -f "$PLUGIN_LOAD_FILE_RESTART"

    echo " Loaded $plugin_count plugin(s)..."
  else
    echo "None found"
  fi
}


#######################################
# Source every plugin recorded in $PLUGIN_LOAD_FILE that defines plugin_stop()
# with PLUGIN_CMD=stop, then remove the load file.
# Arguments: $1 - "restart": plugins that also define plugin_restart() are
#                 recorded in $PLUGIN_LOAD_FILE_RESTART (for plugins_start)
#                 and sourced with PLUGIN_CMD=stop-restart instead of stop.
# Globals read:    PLUGIN_LOAD_FILE, PLUGIN_BIN_PATH, EOL
# Globals written: PLUGIN_LOAD_FILE (removed), PLUGIN_LOAD_FILE_RESTART,
#                  PLUGIN_CMD, ENABLED, INDENT, IFS, plugin_name, plugin_file
# The same root-privilege caveat as for plugins_start applies: the plugin
# file is sourced, not parsed.
#######################################
plugins_stop() {
  local restart="$1"

  # Remove any stale plugin restart file
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  if [ -e "$PLUGIN_LOAD_FILE" ]; then
    echo "Stopping (user) plugins..."

    IFS=$EOL
    for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
      plugin_name="$(basename "$plugin" |sed 's/^[0-9]*//')"

      if [ -e "$plugin" ]; then
        plugin_file="$plugin"
      else
        # If we can't find it, ignore the priority number in front of the plugin-filename
        # ($plugin_name is interpolated unescaped into the grep pattern; it
        # originates from $PLUGIN_LOAD_FILE, which this script writes itself)
        plugin_file="$(ls "$PLUGIN_BIN_PATH"/*.plugin |grep "[0-9]*$plugin_name$" |head -n1)"
      fi

      if [ -e "$plugin_file" ]; then
        # Only issue the stop command for plugins that support it:
        if grep -q "^plugin_stop\(\)" "$plugin_file"; then
          # Preset ENABLED=0 to make sure the plugin only
          # gets loaded if the config has an explicit ENABLED=1:
          ENABLED=0

          # Set indent
          INDENT=' '

          PLUGIN_CMD=stop
          if [ "$restart" = "restart" ] && grep -q "^plugin_restart\(\)" "$plugin_file"; then
            echo "$plugin" >> "$PLUGIN_LOAD_FILE_RESTART"
            PLUGIN_CMD=stop-restart
          fi

          # Explicit unset IFS, just in case
          unset IFS

          # Source the plugin:
          . "$plugin_file"
        fi
      else
        printf "\033[40m\033[1;31mERROR: Could not stop plugin \"$plugin_name\" as it does no exist!\033[0m\n" >&2
      fi
    done

    rm -f "$PLUGIN_LOAD_FILE"
  fi
}


#######################################
# Source every loaded plugin that defines plugin_status() with
# PLUGIN_CMD=status so it can print its own status.
# Arguments: $1 - optional name filter; a plugin is shown when its path ends
#                 in "$1.plugin" (an empty filter therefore matches all).
# Globals read:    PLUGIN_LOAD_FILE, EOL
# Globals written: PLUGIN_CMD, ENABLED, INDENT, IFS
# Unlike plugins_start/plugins_stop, IFS is still $EOL when the plugin is
# sourced here.
#######################################
plugins_status() {
  local match="$1"

  # Load/insert user plugins
  if [ -e "$PLUGIN_LOAD_FILE" ]; then
    printf "\nShowing status of (user) plugins:${match:+ $match}\n"
    echo "---------------------------------"

    IFS=$EOL
    for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
      # Only issue the status command for plugins that support the PLUGIN_CMD-variable:
      if grep -q "^plugin_status\(\)" "$plugin"; then
        # Suffix match against "$match.plugin"
        if [ "${plugin%$match.plugin}" != "${plugin}" ]; then
          # Preset ENABLED=0 to make sure the plugin only
          # gets loaded if the config has an explicit ENABLED=1:
          ENABLED=0

          # Set indent
          INDENT=' '

          PLUGIN_CMD=status

          # Source the plugin:
          printf "=>"
          . "$plugin"
          echo ""
        fi
      fi
    done
  fi
}


# Here the actual iptables rules are loaded
###########################################
#######################################
# Build the complete rule set: helper chains, per-interface INPUT/OUTPUT
# policy, the FORWARD policy between EXT/INT/DMZ/trusted interfaces, NAT
# (MASQUERADE or SNAT) and DNAT port/protocol forwards.  Rules are appended
# with -A throughout, so the order of the sections below is the order in
# which packets are evaluated.
# Globals read (configuration): LOGLEVEL, EXT_IF, EXTERNAL_NET, INT_IF,
#   DMZ_IF, TRUSTED_IF, IF_TRUSTS, SEP3, SEP, IPV6_SUPPORT, OPEN_ICMPV6,
#   ICMPV6_SPECIAL_TYPES, FORWARD_LINK_LOCAL, RESERVED_NET_DROP,
#   RESERVED_NET_LOG, DMZ_OUTPUT_DENY_LOG, DMZ_INPUT_DENY_LOG,
#   LAN_OUTPUT_DENY_LOG, NAT, NAT_STATIC_IP, NAT_INTERNAL_NET,
#   NAT_FORWARD_TCP, NAT_FORWARD_UDP, NAT_FORWARD_IP, LOOSE_FORWARD,
#   FORWARD_DROP_LOG, CUSTOM_RULES
# Side effects: sources $CUSTOM_RULES and all plugins into this root shell;
#   clobbers IFS, COUNT, interface, eif, iif, dif and the variables set by
#   parse_rule.
# Helpers called (defined elsewhere in this file): setup_tcp_mss,
#   setup_mangle_tables, setup_*_chain, setup_input_log, setup_output_log,
#   plugins_start, parse_rule, show_if_ip, show_hosts_ports, ip_range,
#   get_ports_hp, get_hosts_hp, setup_inet_forward_rules.
#######################################
setup_firewall_rules() {
  echo "Using loglevel \"$LOGLEVEL\" for syslogd"
  echo ""
  echo "Setting up firewall rules:"
  echo "-------------------------------------------------------------------------------"

  # Setup all TCP MSS stuff
  #########################
  setup_tcp_mss;

  # Setup all mangle stuff
  ########################
  setup_mangle_tables;

  # Setup basic input/forward/output/... chains
  #############################################
  # The *_CHAIN user chains are the hook points for custom rules and plugins;
  # they are consulted first in every builtin chain.
  iptables -A INPUT -j INPUT_CHAIN
  iptables -A FORWARD -j FORWARD_CHAIN
  iptables -A OUTPUT -j OUTPUT_CHAIN
  ip4tables -t nat -A PREROUTING -j NAT_PREROUTING_CHAIN
  ip4tables -t nat -A POSTROUTING -j NAT_POSTROUTING_CHAIN

  # Block all hosts in the custom blocked hosts file
  ##################################################
  iptables -A INPUT -j HOST_BLOCK_SRC
  iptables -A FORWARD -j HOST_BLOCK_SRC
  iptables -A FORWARD -j HOST_BLOCK_DST
  iptables -A OUTPUT -j HOST_BLOCK_DST

  # Allow DNS out for plugins and iptables while setting up rules
  ###############################################################
  # These are the first two rules of OUTPUT_CHAIN (positions 1 and 2); they
  # are deleted again BY INDEX at the end of this function.
  iptables -A OUTPUT_CHAIN -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT_CHAIN -p tcp --dport 53 -j ACCEPT

  # Setup global helper chains
  ############################
  setup_valid_chk_chain;
  setup_reserved_net_chk_chain;
  setup_spoof_chk_chain;

  # Check if source address is spoofed
  ####################################
  iptables -A INPUT -j SPOOF_CHK

  # Setup rules for input/output logging
  ######################################
  setup_input_log;
  setup_output_log;

  # Explicit unset IFS, just in case
  unset IFS

  # Insert the custom rules
  #########################
  # NOTE(review): the custom rules file is sourced, i.e. executed as shell
  # code in this root shell, not parsed as a rule list.  Its ownership and
  # permissions are not checked here.
  if [ -e "$CUSTOM_RULES" ]; then
    echo "Reading custom rules from $CUSTOM_RULES"
    . $CUSTOM_RULES
  fi

  # Start (user) plugins
  ######################
  plugins_start;

  # Drop outgoing fragmented packets (this should in principle never happen because of netfilter's
  # packet defragmentation
  ################################################################################################
  ip4tables -A OUTPUT -f \
    -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Fragment packet: "
  ip4tables -A OUTPUT -f -j DROP

  # Setup helper chains for EXTERNAL input traffic:
  echo "Setting up external(INET) INPUT policy"
  setup_ext_broadcast_chain;
  setup_ext_icmp_flood_chain;
  setup_ext_input_chain;

  # Setup helper chains for EXTERNAL output traffic:
  echo "Setting up external(INET) OUTPUT policy"
  setup_ext_output_chain;

  # This is used for your external (untrusted) interfaces
  #######################################################
  COUNT=0
  IFS=' ,'
  for interface in $EXT_IF; do
    COUNT=$(($COUNT + 1))
    # EXTERNAL_NET is positional: the Nth entry belongs to the Nth interface in EXT_IF
    EXTIF_NET=$(echo "$EXTERNAL_NET" |awk "{ print \$$COUNT }")

    printf "Applying external(INET) policy to interface: $interface"
    if [ -z "$EXTIF_NET" ]; then
      echo " (without an external subnet specified)"
    else
      echo " (EXTERNAL_NET=$EXTIF_NET)"
    fi

    # Apply external (internet) interface policy for the output chain:
    ##################################################################
    iptables -A OUTPUT -o $interface -j EXT_OUTPUT_CHAIN

    # We must allow special icmpv6 packets since CONNTRACK doesn't handle all icmpv6 types:
    #######################################################################################
    # --hl-eq 255: only accept these types while the hop limit is still 255,
    # presumably to restrict them to on-link senders (as NDP requires).
    if [ "$IPV6_SUPPORT" = "1" -a "$OPEN_ICMPV6" != "0" ]; then
      for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
        ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
      done
    fi

    # Apply external (internet) interface policy for the input chain:
    #################################################################
    # Check packets for invalid flags:
    iptables -A INPUT -i $interface -j VALID_CHK

    # Perform check:
    ################
    # Non-ICMP traffic:
    iptables -A INPUT -i $interface ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN

    # ICMP traffic (rate limited): NEW ICMP within the limit goes to the normal
    # input policy; whatever exceeds it falls through to the flood chain below.
    iptables -A INPUT -i $interface -p icmp -m state --state NEW \
      -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN

    # ICMP traffic (flood)
    iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
  done

  # Setup input rules for your internal net
  #########################################
  if [ -n "$INT_IF" ]; then
    # Setup helper chain for the LAN:
    echo "Setting up internal(LAN) INPUT policy"
    setup_int_input_chain;

    IFS=' ,'
    for interface in $INT_IF; do
      echo "Applying internal(LAN) policy to interface: $interface"
      iptables -A INPUT -i $interface -j INT_INPUT_CHAIN
      iptables -A OUTPUT -o $interface -j INT_OUTPUT_CHAIN
    done
  fi

  # Setup input rules for your DMZ net
  ####################################
  if [ -n "$DMZ_IF" ]; then
    # Setup helper chain for the DMZ:
    echo "Setting up DMZ INPUT policy"
    setup_dmz_input_chain;

    IFS=' ,'
    for interface in $DMZ_IF; do
      echo "Applying DMZ policy to interface: $interface"
      iptables -A INPUT -i $interface -j DMZ_INPUT_CHAIN
      iptables -A OUTPUT -o $interface -j DMZ_OUTPUT_CHAIN
    done
  fi

  # Accept all packets on "other" interfaces
  ##########################################
  # Trusted interfaces skip every INPUT check except the rules appended to
  # INPUT above this point.
  if [ -n "$TRUSTED_IF" ]; then
    echo "Accepting ALL INPUT packets from trusted interface(s): $TRUSTED_IF"
    IFS=' ,'
    for interface in $TRUSTED_IF; do
      iptables -A INPUT -i $interface -j ACCEPT
    done
  fi

  # Jump to the POST INPUT chain
  ##############################
  iptables -A INPUT -j POST_INPUT_CHAIN

  # Everything else is logged & dropped in INPUT (just in case)...
  ################################################################
  iptables -A INPUT -m limit --limit 1/s -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped INPUT packet: "
  iptables -A INPUT -j DROP

  # Drop all packets at the end of the POST_INPUT_DROP_CHAIN
  iptables -A POST_INPUT_DROP_CHAIN -j DROP

  # Remove the temp rule at the beginning of the POST_INPUT_DROP_CHAIN
  # (positional delete: assumes that rule, which is not added in this
  # function, is still at index 1)
  iptables -D POST_INPUT_DROP_CHAIN 1

  ###############################################################################################
  #                                        FORWARD rules                                        #
  ###############################################################################################

  # Drop forward traffic to/from IPv6 Link Local Addresses
  ########################################################
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ "$FORWARD_LINK_LOCAL" != "1" ]; then
      ip6tables -A FORWARD -s fe80::/10 -j LINK_LOCAL_DROP
      ip6tables -A FORWARD -d fe80::/10 -j LINK_LOCAL_DROP
    else
      echo "IPv6 Link-Local Addresses are forwarded!"
    fi
  fi

  # Allow forward traffic from "trusted-if"
  #########################################
  # Accepted unconditionally in BOTH directions, i.e. also traffic that
  # enters on an external interface and leaves via a trusted one.
  if [ -n "$TRUSTED_IF" ]; then
    echo "Accepting ALL FORWARD packets for trusted interface(s): $TRUSTED_IF"
    IFS=' ,'
    for interface in $TRUSTED_IF; do
      # Allow forward traffic in:
      iptables -A FORWARD -i $interface -j ACCEPT
      # Allow forward traffic out:
      iptables -A FORWARD -o $interface -j ACCEPT
    done
  fi

  # Source the IN/OUT chains for the external interface(s)
  ########################################################
  # These per-interface chains are consulted BEFORE the SPOOF_CHK jump
  # that is appended to FORWARD further below.
  IFS=' ,'
  for eif in $EXT_IF; do
    iptables -A FORWARD -i $eif -j EXT_FORWARD_IN_CHAIN
    iptables -A FORWARD -o $eif -j EXT_FORWARD_OUT_CHAIN
  done

  # Source the IN/OUT chains for the internal interface(s)
  ########################################################
  IFS=' ,'
  for iif in $INT_IF; do
    iptables -A FORWARD -i $iif -j INT_FORWARD_IN_CHAIN
    iptables -A FORWARD -o $iif -j INT_FORWARD_OUT_CHAIN
  done

  # Source the IN/OUT chains for the dmz interface(s)
  ########################################################
  IFS=' ,'
  for dif in $DMZ_IF; do
    iptables -A FORWARD -i $dif -j DMZ_FORWARD_IN_CHAIN
    iptables -A FORWARD -o $dif -j DMZ_FORWARD_OUT_CHAIN
  done

  # Check source address for spoofing
  ###################################
  iptables -A FORWARD -j SPOOF_CHK

  # Check if the incoming packet is (in)valid
  ###########################################
  iptables -A EXT_FORWARD_IN_CHAIN -j VALID_CHK

  # Check if incoming packet sources are (in)valid
  ################################################
  if [ "$RESERVED_NET_DROP" = "1" -o "$RESERVED_NET_LOG" = "1" ]; then
    iptables -A EXT_FORWARD_IN_CHAIN -j RESERVED_NET_CHK
  fi

  # Setup forward policy for the DMZ
  ##################################
  if [ -n "$DMZ_IF" ]; then
    echo "Setting up DMZ FORWARD policy"

    if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
      echo " Logging of denied DMZ (forward) output connections enabled"
    else
      echo " Logging of denied DMZ (forward) output connections disabled"
    fi

    if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
      echo " Logging of denied DMZ (forward) input connections enabled"
    else
      echo " Logging of denied DMZ (forward) input connections disabled"
    fi

    # Setup helper chains for the DMZ:
    setup_inet_dmz_forward_chain;
    setup_dmz_inet_forward_chain;
    setup_dmz_lan_forward_chain;

    IFS=' ,'
    for dif in $DMZ_IF; do
      echo "Applying DMZ FORWARD policy to interface: $dif"

      # Always make subnets on the SAME interface trust each other
      iptables -A FORWARD -i $dif -o $dif -j ACCEPT

      for eif in $EXT_IF; do
        # Apply policy for inet->DMZ traffic
        iptables -A FORWARD -i $eif -o $dif -j INET_DMZ_FORWARD_CHAIN

        # Apply policy for DMZ->inet traffic
        iptables -A FORWARD -i $dif -o $eif -j DMZ_INET_FORWARD_CHAIN
      done

      # Apply policy for DMZ->LAN traffic & LAN->DMZ traffic
      for iif in $INT_IF; do
        # Apply policy for DMZ->LAN
        iptables -A FORWARD -i $dif -o $iif -j DMZ_LAN_FORWARD_CHAIN

        # Apply policy for LAN->DMZ (allow all)
        iptables -A FORWARD -i $iif -o $dif -j ACCEPT
      done
    done
  fi

  # Forward traffic for LAN interface(s) that trust each other
  #######################################################################
  # IF_TRUSTS holds groups separated by $SEP3; every ordered pair of
  # distinct interfaces within a group is accepted.
  IFS=$SEP3
  for if_group in $IF_TRUSTS; do
    echo "Setting up trust FORWARD policy for interface(s): $if_group"

    IFS=' ,'
    for input_if in $if_group; do
      for output_if in $if_group; do
        if [ "$input_if" != "$output_if" ]; then
          iptables -A FORWARD -i $input_if -o $output_if -j ACCEPT
        fi
      done
    done
  done

  # Additional rules for the internal subnet(s)
  #############################################
  if [ -n "$INT_IF" ]; then
    echo "Setting up internal(LAN) FORWARD policy"

    # Enable logging of denied LAN output connections?
    ##################################################
    if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
      echo " Logging of denied LAN->INET FORWARD connections enabled"
    else
      echo " Logging of denied LAN->INET FORWARD connections disabled"
    fi

    # Setup helper chain for the LAN:
    setup_lan_inet_forward_chain;

    IFS=' ,'
    for iif in $INT_IF; do
      echo "Applying internal(LAN) FORWARD policy to interface: $iif"

      # Always make subnets on the SAME interface trust each other
      iptables -A FORWARD -i $iif -o $iif -j ACCEPT

      for eif in $EXT_IF; do
        iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN
      done
    done
  fi

  ##############################################################################
  # Masquerade (NAT) or SNAT. Share the gateway's internet connection with     #
  # the internal network                                                       #
  ##############################################################################
  if [ "$NAT" = "1" ]; then
    if [ -n "$NAT_STATIC_IP" ]; then
      echo "Enabling SNAT via external interface(s): $EXT_IF"
      printf " Adding (internal) host(s): "
      IFS=' ,'
      for net in $NAT_INTERNAL_NET; do
        printf "$net "
        COUNT=0
        for interface in $EXT_IF; do
          COUNT=$(($COUNT + 1))  # x++;
          # NAT_STATIC_IP is positional like EXTERNAL_NET: Nth address for the Nth EXT_IF
          STATIC_IP=$(echo "$NAT_STATIC_IP" |awk "{ print \$$COUNT }")
          ip4tables -t nat -A POSTROUTING -o $interface -s $net ! -d $net -j SNAT --to-source $STATIC_IP
        done
      done
      echo ""
    else
      # All internal traffic is masqueraded externally
      ################################################
      echo "Enabling masquerading(NAT) via external interface(s): $EXT_IF"
      printf " Adding (internal) host(s): "
      IFS=' ,'
      for net in $NAT_INTERNAL_NET; do
        printf "$net "
        for interface in $EXT_IF; do
          # The "! -d $net" is to avoid problems with Freeswan etc.
          ip4tables -t nat -A POSTROUTING -o $interface -s $net ! -d $net -j MASQUERADE
        done
      done
      echo ""
    fi
  fi

  # Port / protocol forwarding. Forward ports or protocols on the internet-gateway to machines in our LAN
  #######################################################################################################
  # Every rule expands to one DNAT rule per (source host, port, public IP,
  # interface) plus a matching ACCEPT in EXT_FORWARD_IN_CHAIN.  That ACCEPT is
  # keyed on the internal target address/port, not on the DNAT state of the
  # connection.
  # NOTE(review): EXT_FORWARD_IN_CHAIN is consulted before FORWARD's SPOOF_CHK
  # (see the jump order above), so which other packets can reach these ACCEPTs
  # is decided by VALID_CHK/RESERVED_NET_CHK, which are defined elsewhere.
  # Matching "-m conntrack --ctstate DNAT" would bind the ACCEPT to the DNAT
  # rule itself; confirm against the helper chains before changing.

  # NAT TCP port forwards
  #######################
  unset IFS
  for rule in $NAT_FORWARD_TCP; do
    if parse_rule "$rule" NAT_FORWARD_TCP "interfaces:EXT_IF-destips-shosts-ports-dhost_dport"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) TCP port(s) $(show_hosts_ports "$shosts" "$ports") to $(echo "$dhost_dport" |tr "$SEP-" '::')"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for port in $ports; do
          for destip in $destips; do
            # Portforward for all specified interfaces
            for eif in $interfaces; do
              # This code makes it possible to forward to a different port on the internal host
              dport=`get_ports_hp "$dhost_dport" "$port"`
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p tcp --dport $port -j DNAT --to-destination `echo "$dhost_dport" |tr "$SEP-" '::'`
              dhost=`get_hosts_hp "$dhost_dport"`
              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p tcp --dport $dport -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # NAT UDP port forwards
  #######################
  unset IFS
  for rule in $NAT_FORWARD_UDP; do
    if parse_rule "$rule" NAT_FORWARD_UDP "interfaces:EXT_IF-destips-shosts-ports-dhost_dport"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) UDP port(s) $(show_hosts_ports "$shosts" "$ports") to $(echo "$dhost_dport" |tr "$SEP-" '::')"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for port in $ports; do
          for destip in $destips; do
            # Portforward for all specified interfaces
            for eif in $interfaces; do
              # This code makes it possible to forward to a different port on the internal host
              dport=`get_ports_hp "$dhost_dport" "$port"`
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p udp --dport $port -j DNAT --to-destination `echo "$dhost_dport" |tr "$SEP-" '::'`
              dhost=`get_hosts_hp "$dhost_dport"`
              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p udp --dport $dport -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # Non-TCP/UDP port forwards (protocol based)
  ############################################
  unset IFS
  for rule in $NAT_FORWARD_IP; do
    if parse_rule "$rule" NAT_FORWARD_IP "interfaces:EXT_IF-destips-shosts-protos-dhost"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) IP protocol(s) $(show_hosts_ports "$shosts" "$protos") to $dhost"

      IFS=' ,'
      for shost in `ip_range "$shosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for eif in $interfaces; do
              # Unlike the TCP/UDP sections, the DNAT rule is issued before
              # $dhost is checked for emptiness; an empty $dhost would
              # already have been passed to iptables here.
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p $proto -j DNAT --to-destination $dhost
              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p $proto -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # Setup rules to allow INET IPv6 and non-NAT'ed IPv4 traffic in FORWARD chain
  setup_inet_forward_rules;

  # Do we want to loose the forward chain to make use of protocols like UPnP possible?
  ####################################################################################
  # LOOSE_FORWARD=1 accepts every packet that enters an external interface,
  # leaves on a different interface and was not already decided by the policy
  # chains above, i.e. the INET->LAN/DMZ policy is effectively bypassed.
  if [ "$LOOSE_FORWARD" = "1" ]; then
    echo "Security is LOOSENED for external interface(s) in the FORWARD chain!"

    # Loosen the forward chain
    IFS=' ,'
    for eif in $EXT_IF; do
      iptables -A FORWARD -i $eif ! -o $eif -j ACCEPT
    done
  else
    echo "Security is ENFORCED for external interface(s) in the FORWARD chain"
  fi

  # Jump to the post forward chain
  iptables -A FORWARD -j POST_FORWARD_CHAIN

  # Everything else is logged & dropped in FORWARD
  if [ "$FORWARD_DROP_LOG" != "0" ]; then
    echo " Logging of dropped FORWARD packets enabled"
    iptables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped FORWARD packet: "
  else
    echo " Logging of dropped FORWARD packets disabled"
  fi
  iptables -A FORWARD -j DROP

  # Post/pre routing post chains
  ip4tables -t nat -A PREROUTING -j POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN

  # Mark outgoing packets for traffic shaping?
  ############################################
  #if [ "$TRAFFIC_SHAPING" = "1" ]; then
  #  iptables -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
  #  iptables -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2
  #fi

  # Jump to the post output chain
  iptables -A OUTPUT -j POST_OUTPUT_CHAIN

  # Everything else is accepted in OUTPUT
  iptables -A OUTPUT -j ACCEPT

  # Clean-up DNS output rules
  # NOTE(review): deletion is by position.  This only removes the two
  # temporary DNS rules if nothing sourced in between ($CUSTOM_RULES, plugins)
  # inserted rules at the head of OUTPUT_CHAIN with "-I"; if something did,
  # the wrong rules are deleted and the "any DNS out" allowance remains.
  iptables -D OUTPUT_CHAIN 2
  iptables -D OUTPUT_CHAIN 1
}


# Create our custom chains
#######################################
# Create every user chain this script appends to (filter table, nat table
# for IPv4 only, LINK_LOCAL_DROP for IPv6 only).  Chains that already exist
# make iptables report an error; reinit_firewall_chains relies on that and
# silences stderr.  Keep this list in sync with flush_user_chains.
# Globals read: IPV6_SUPPORT
#######################################
create_user_chains() {
  # General chains
  iptables -N HOST_BLOCK_SRC
  iptables -N HOST_BLOCK_DST
  iptables -N HOST_BLOCK_DROP
  iptables -N VALID_CHK
  iptables -N RESERVED_NET_CHK
  iptables -N SPOOF_CHK
  iptables -N INPUT_CHAIN
  iptables -N FORWARD_CHAIN
  iptables -N OUTPUT_CHAIN
  ip4tables -t nat -N NAT_PREROUTING_CHAIN
  ip4tables -t nat -N NAT_POSTROUTING_CHAIN
  iptables -N POST_INPUT_DROP_CHAIN
  iptables -N POST_INPUT_CHAIN
  iptables -N POST_FORWARD_CHAIN
  iptables -N POST_OUTPUT_CHAIN
  ip4tables -t nat -N POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -N POST_NAT_POSTROUTING_CHAIN

  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -N LINK_LOCAL_DROP
  fi

  # Interface-2-interface chains
  iptables -N DMZ_LAN_FORWARD_CHAIN
  iptables -N INET_DMZ_FORWARD_CHAIN
  iptables -N DMZ_INET_FORWARD_CHAIN
  iptables -N LAN_INET_FORWARD_CHAIN

  # Chains for the external interface
  iptables -N EXT_MULTICAST_CHAIN
  iptables -N EXT_BROADCAST_CHAIN
  iptables -N EXT_ICMP_FLOOD_CHAIN
  iptables -N EXT_INPUT_CHAIN
  iptables -N EXT_FORWARD_IN_CHAIN
  iptables -N EXT_FORWARD_OUT_CHAIN
  iptables -N EXT_OUTPUT_CHAIN

  # INT(LAN) chains
  iptables -N INT_INPUT_CHAIN
  iptables -N INT_FORWARD_IN_CHAIN
  iptables -N INT_FORWARD_OUT_CHAIN
  iptables -N INT_OUTPUT_CHAIN

  # DMZ chains
  iptables -N DMZ_INPUT_CHAIN
  iptables -N DMZ_FORWARD_IN_CHAIN
  iptables -N DMZ_FORWARD_OUT_CHAIN
  iptables -N DMZ_OUTPUT_CHAIN
}


# Flush our custom chains
#######################################
# Empty every user chain created by create_user_chains (same set of chains;
# a chain that is created but not flushed here would keep stale rules across
# a restart).  The chains themselves are kept.
# Globals read: IPV6_SUPPORT
#######################################
flush_user_chains() {
  # General chains
  iptables -F HOST_BLOCK_SRC
  iptables -F HOST_BLOCK_DST
  iptables -F HOST_BLOCK_DROP
  iptables -F VALID_CHK
  iptables -F RESERVED_NET_CHK
  iptables -F SPOOF_CHK
  iptables -F INPUT_CHAIN
  iptables -F FORWARD_CHAIN
  iptables -F OUTPUT_CHAIN
  iptables -F POST_INPUT_DROP_CHAIN
  iptables -F POST_INPUT_CHAIN
  iptables -F POST_FORWARD_CHAIN
  iptables -F POST_OUTPUT_CHAIN
  ip4tables -t nat -F NAT_PREROUTING_CHAIN
  ip4tables -t nat -F NAT_POSTROUTING_CHAIN
  ip4tables -t nat -F POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -F POST_NAT_POSTROUTING_CHAIN

  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -F LINK_LOCAL_DROP
  fi

  # Interface-2-interface chains
  iptables -F DMZ_LAN_FORWARD_CHAIN
  iptables -F INET_DMZ_FORWARD_CHAIN
  iptables -F DMZ_INET_FORWARD_CHAIN
  iptables -F LAN_INET_FORWARD_CHAIN

  # Chains for the external interface
  iptables -F EXT_MULTICAST_CHAIN
  iptables -F EXT_BROADCAST_CHAIN
  iptables -F EXT_ICMP_FLOOD_CHAIN
  iptables -F EXT_INPUT_CHAIN
  iptables -F EXT_FORWARD_IN_CHAIN
  iptables -F EXT_FORWARD_OUT_CHAIN
  iptables -F EXT_OUTPUT_CHAIN

  # INT(LAN) chains
  iptables -F INT_INPUT_CHAIN
  iptables -F INT_FORWARD_IN_CHAIN
  iptables -F INT_FORWARD_OUT_CHAIN
  iptables -F INT_OUTPUT_CHAIN

  # DMZ chains
  iptables -F DMZ_INPUT_CHAIN
  iptables -F DMZ_FORWARD_IN_CHAIN
  iptables -F DMZ_FORWARD_OUT_CHAIN
  iptables -F DMZ_OUTPUT_CHAIN
}


#######################################
# "stop": disable the firewall entirely.  The policies are switched to
# INPUT/OUTPUT ACCEPT, FORWARD DROP *before* anything is flushed, so the host
# is open to all inbound traffic from that point on (compare
# stop_block_firewall, which sets DROP first).  All user chains in the
# filter, nat and mangle tables are flushed and deleted.
# Globals read: IPV6_DETECTED
#######################################
stop_firewall() {
  # Set default IPv4 policies
  ip4tables -P INPUT ACCEPT
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT ACCEPT

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush rules in the mangle/nat tables
  ip4tables -t mangle -F
  ip4tables -t mangle -X
  ip4tables -t nat -F
  ip4tables -t nat -X

  # Attempt to flush all IPv4 chains
  ip4tables -F
  ip4tables -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Set default IPv6 policies
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT

    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush rules in the mangle table
    ip6tables -t mangle -F
    ip6tables -t mangle -X

    # Attempt to flush all IPv6 chains
    ip6tables -F
    ip6tables -X
  fi
}
#######################################
# Rebuild the rule set in place (restart path): flush our user chains and the
# builtin chains, but keep the BASE_*_CHAINs (not created here) and re-attach
# them so established connections survive the reload.
# Globals read:    IPV6_DETECTED
# Globals written: INDENT
# Side effects: the OUTPUT policy is set to ACCEPT here and is NOT restored
#   by this function (main_restart calls setup_default_policies afterwards).
#   Between the flush of INPUT/FORWARD and the re-attachment of the BASE
#   chains only the builtin policies apply.
#######################################
reinit_firewall_chains() {
  echo "Reinitializing firewall chains"

  # Set INDENT for functions
  INDENT=' '

  # Create chains, just in case (errors for chains that already exist are silenced)
  create_user_chains 2>/dev/null

  # Flush our user chains
  flush_user_chains;

  # Temporarily set OUTPUT default policy to ACCEPT
  # Without it, active states will be flushed.
  iptables -P OUTPUT ACCEPT

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush builtin IPv4 nat chains
  ip4tables -t nat -F PREROUTING
  ip4tables -t nat -F OUTPUT
  ip4tables -t nat -F POSTROUTING

  # Flush builtin IPv4 mangle chains
  # We don't have to be selective by chain since we don't
  # expect any external, dynamically managed mangle chains
  ip4tables -t mangle -F

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush builtin IPv6 mangle chains
    # We don't have to be selective by chain since we don't
    # expect any external, dynamically managed mangle chains
    ip6tables -t mangle -F
  fi

  # Restore our base chains (which weren't flushed so any
  # running connections should be maintained
  #######################################################
  iptables -A INPUT -j BASE_INPUT_CHAIN
  iptables -A FORWARD -j BASE_FORWARD_CHAIN
  iptables -A OUTPUT -j BASE_OUTPUT_CHAIN
}


#######################################
# "stop-block": tear down all rules, then leave only a DROP for inbound
# packets arriving on the external interface(s) plus loopback accepts.
# Policies are set to DROP before flushing so there is no window in which
# the host is open, and are relaxed to INPUT/OUTPUT ACCEPT, FORWARD DROP at
# the end.  Note that inbound traffic on interfaces NOT listed in EXT_IF
# (LAN, DMZ, trusted) is then accepted by the INPUT policy, and locally
# generated traffic may still leave via the external interface(s).
# Globals read: EXT_IF, IPV6_DETECTED
#######################################
stop_block_firewall() {
  # Temporarily set default IPv4 policies to DROP,
  # to not even have a small window of opportunity
  ################################################
  ip4tables -P INPUT DROP
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT DROP

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush nat/mangle table rules
  ip4tables -t mangle -F
  ip4tables -t mangle -X
  ip4tables -t nat -F
  ip4tables -t nat -X

  # Attempt to flush all IPv4 chains
  ip4tables -F
  ip4tables -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Temporarily set default IPv6 policies to DROP,
    # to not even have a small window of opportunity
    ################################################
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush mangle table rules
    ip6tables -t mangle -F
    ip6tables -t mangle -X

    # Attempt to flush all IPv6 chains
    ip6tables -F
    ip6tables -X
  fi

  # Deny traffic from our internet interfaces (INPUT only; FORWARD is
  # covered by its DROP policy below)
  IFS=' ,'
  for interface in $EXT_IF; do
    ip4tables -A INPUT -i $interface -j DROP
    if [ "$IPV6_DETECTED" = "1" ]; then
      ip6tables -A INPUT -i $interface -j DROP
    fi
  done

  # Allow IPv4 traffic from the loopback (localhost)
  ip4tables -A INPUT -i lo -j ACCEPT
  ip4tables -A FORWARD -i lo -j ACCEPT
  ip4tables -A OUTPUT -o lo -j ACCEPT

  # Set default IPv4 policies
  ip4tables -P INPUT ACCEPT
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT ACCEPT

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Allow IPv6 traffic from the loopback (localhost)
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A FORWARD -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # Set default IPv6 policies
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT
  fi
}


#######################################
# Print the rule set (filter table; nat when NAT=1; mangle when
# MANGLE_TOS=1) followed by the plugin status.  With arguments, they are
# passed straight to "iptables -xnvL" instead.
# Arguments: $@ - optional iptables -L arguments, e.g. "-t nat" or a chain name
# Globals read: NAT, MANGLE_TOS
# NOTE(review): $@ is expanded unquoted and forwarded verbatim to iptables.
#######################################
show_status() {
  # Check if the user gave any parameters
  if [ -z "$1" ]; then
    iptables -xnvL

    if [ "$NAT" = "1" ]; then
      ip4tables -t nat -xnvL
    fi

    if [ "$MANGLE_TOS" = "1" ]; then
      iptables -t mangle -nvL
    fi

    # Show plugin status
    plugins_status;
  else
    #iptables -nvL $2 $3 $4 $5
    iptables -xnvL $@
  fi
}


# Log the start message to $FIREWALL_LOG (timestamped) and to syslog (kern.info)
show_start() {
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  echo "$DATE ** Starting Arno's Iptables Firewall v$MY_VERSION **" >> $FIREWALL_LOG
  echo "** Starting Arno's Iptables Firewall v$MY_VERSION **" |logger -t firewall -p kern.info
}


# Log the restart message to $FIREWALL_LOG (timestamped) and to syslog (kern.info)
show_restart() {
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  echo "$DATE ** Restarting Arno's Iptables Firewall v$MY_VERSION **" >> $FIREWALL_LOG
  echo "** Restarting Arno's Iptables Firewall v$MY_VERSION **" |logger -t firewall -p kern.info
}


# Print the stop message (green) and log it to $FIREWALL_LOG and syslog
show_stop() {
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  printf "$DATE \033[40m\033[1;32mStopping Arno's Iptables Firewall v$MY_VERSION\033[0m\n"
  echo "$DATE ** Stopping Arno's Iptables Firewall v$MY_VERSION **" >> $FIREWALL_LOG
  echo "** Stopping Arno's Iptables Firewall v$MY_VERSION **" |logger -t firewall -p kern.info
}


# Print the "blocked" banner (red) after stop-block; not logged
show_stop_blocked() {
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED & BLOCKING ALL INTERNET TRAFFIC!\033[0m\n"
}


# Now show the final message
# Report the outcome of a start/restart/force-reload: a warning (to stderr,
# log and syslog) when RULE_WARNING=1, i.e. at least one rule failed to
# apply, otherwise the success message.
# Globals read: RULE_WARNING, FIREWALL_LOG
show_applied() {
  echo ""
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  if [ "$RULE_WARNING" = "1" ]; then
    printf "$DATE \033[40m\033[1;31mWARNING: Not all firewall rules are applied.\033[0m\n" >&2
    echo "$DATE ** WARNING: Not all firewall rules are applied **" >> $FIREWALL_LOG
    echo "** WARNING: Not all firewall rules are applied **" |logger -t firewall -p kern.info
  else
    printf "$DATE \033[40m\033[1;32mAll firewall rules applied.\033[0m\n"
    echo "$DATE ** All firewall rules applied **" >> $FIREWALL_LOG
    echo "** All firewall rules applied **" |logger -t firewall -p kern.info
  fi
}


# Print the "disabled" banner (red) after stop; not logged
show_disabled() {
  DATE=`LC_ALL=C date +'%b %d %H:%M:%S'`
  printf "$DATE \033[40m\033[1;31mFIREWALL DISABLED!\033[0m\n"
}


# Print usage to stderr.
# NOTE(review): the one-line usage summary omits stop-block, check-conf and
# status-plugins, although the per-command lines below do list them.
show_help() {
  echo "Usage: `basename $0` { start | stop | restart | force-reload | status }" >&2
  echo "start = Start firewall" >&2
  echo "stop = Stop firewall" >&2
  echo "stop-block = Stop firewall & block all internet packets" >&2
  echo "restart = Restart firewall" >&2
  echo "force-reload = Reload blocked hosts (blackhole) file" >&2
  echo "check-conf = Check configuration file (only)" >&2
  echo "status [-t {table}] [chain] = View firewall ruleset ([chain] & [-t {table}] are optional)" >&2
  echo "status-plugins [name] = View plugins status (view only plugin [name] is optional)" >&2
}


# Stop plugins first (while the rule set is still in place), then tear the
# firewall down.
# Arguments: $1 - "block" selects stop_block_firewall, anything else stop_firewall
main_stop() {
  plugins_stop;

  if [ "$1" = "block" ]; then
    stop_block_firewall;
  else
    stop_firewall;
  fi
}


# Cold start: modules, sysctl settings, fresh chains, default policies,
# block list, then the full rule set (all helpers defined elsewhere in this file).
main_start() {
  load_modules;
  setup_misc;
  setup_kernel_settings;
  init_firewall_chains;
  setup_default_policies;
  setup_hostblock_chain;
  setup_firewall_rules;
}


# Warm restart: stop plugins in restart mode and reinitialise the chains in
# place instead of recreating them (see reinit_firewall_chains); setup_misc
# is intentionally skipped.
main_restart() {
  plugins_stop restart;
  load_modules;
#  setup_misc;
  setup_kernel_settings;
  reinit_firewall_chains;
setup_default_policies; setup_hostblock_chain; setup_firewall_rules; } start_restart() { # Show uname information echo "Platform: $(uname -s -r -m)" config_check; # Check whether we are actually stopped case $(check_for_base_chains) in no) main_start;; yes) main_restart;; other) main_stop; main_start;; esac show_applied; } # int main (char *argv) ####################### # Check commandline supplied argument: case "$1" in 'start' ) sanity_check; show_start; start_restart;; 'restart' ) sanity_check; show_restart; start_restart;; 'force-reload' ) sanity_check; config_check; setup_hostblock_chain; show_applied;; 'stop' ) sanity_check; show_stop; main_stop; show_disabled;; 'stop-block' ) sanity_check; show_stop; main_stop block; show_stop_blocked;; 'status' ) shift; show_status $@;; 'status-plugins' ) shift; plugins_status $@;; 'check-conf' ) config_check;; * ) printf "\033[40m\033[1;31mERROR: Bad or missing parameter(s)\033[0m\n" >&2; show_help;; esac exit $RULE_WARNING arno-iptables-firewall_2.0.1d/bin/arno-fwfilter0000755000000000000000000005767412055611115020276 0ustar rootroot#!/bin/bash # # description: Firewall-log filter script (fwfilter) # Last update: February 24, 2012 # Usage examples (make sure arno-fwfilter is executable!): # -------------------------------------------------------- # Static firewall log filtering : cat /var/log/messages |arno-fwfilter # or # Static firewall log filtering : cat /var/log/firewall |arno-fwfilter # Realtime firewall logging on TTY10 : tail --follow /var/log/messages |fwfilter >/dev/tty10 & # Example on how to disable kernel debug logging : cat /var/log/messages |grep -v kernel |arno-fwfilter # Email firewall logs to root : cat /var/log/firewall |arno-fwfilter --html-output --no-colors |mail -s "Firewall Log" -a "Content-Type: text/html; charset=us-ascii" root # ------------------------------------------------------------------------------------------ # -= Arno's iptables firewall =- # Firewall-log filter script (arno-fwfilter) 
#
# (C) Copyright 2001-2012 by Arno van Amersfoort
# Homepage              : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------------------
# Some of the information used to create this script was obtained from:
# - http://www.naplifirewall.com/faqfirewalling.htm
# - http://www.portsdb.org
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# -------------------------------------------------------------------------------------------

# Options:
##########

# Enable this option if you want to resolve IP addresses to names (requires "dig")
# NOTE(review): this issues a reverse lookup for every address taken from the
# firewall log, i.e. for attacker-controlled addresses.  Besides being slow,
# the query can tell the owner of the reverse zone that the log is being read.
RESOLVE_NAMES=1

# Enable this option if you want to (try to) obtain the IPs geographical location (can be very slow!) (requires "curl")
# NOTE(review): presumably a query to an external web service (the lookup code
# is outside this block), so logged addresses would be sent to a third party.
SHOW_LOCATION=0

# Enable this option if you want to resolve both the source and target host when doing location/name lookups (slower)
FULL_INFO=0

# Enable this option to use ANSI colors (increases readability)
USE_ANSI_COLORS=1

# Enable this if you want the output to be (colored) html formatted (for emails etc.)
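USE_HTML=0

# Enable this if you want to put all information on a single line
USE_1ROW=0

# Use this variable if your awk binary is in a non-default location (use 'locate awk' or 'whereis
# awk' to manually locate it).
AWK_BIN=""

#################################################################################################
# Parse commandline options (taken from the getopt examples from the Debian util-linux package) #
#################################################################################################

# "$@" keeps every command-line parameter a separate word. CLOPTS is needed
# because `eval set --` would clobber the exit status of getopt.
CLOPTS=$(getopt -o h,r,o,l,c,s --long help,no-resolve,html-output,no-locations,no-colors,single-line -n 'arno-fwfilter' -- "$@")
if [ $? -ne 0 ]; then
  echo "Terminating..." >&2
  exit 1
fi

# The quotes around "$CLOPTS" are essential: getopt already quoted each word.
eval set -- "$CLOPTS"

# Each option only flips one of the flags that is handed to awk below;
# -h prints the usage text to stdout and exits 0.
while true; do
  case "$1" in
    -r|--no-resolve)   RESOLVE_NAMES=0; shift;;
    -o|--html-output)  USE_HTML=1; shift;;
    -l|--no-locations) SHOW_LOCATION=0; shift;;
    -c|--no-colors)    USE_ANSI_COLORS=0; shift;;
    -s|--single-line)  USE_1ROW=1; shift;;
    -h|--help)
      echo "Options:"
      echo "-h, --help - Print this help"
      echo "-r, --no-resolve - Disable resolving of IPs to names"
      echo "-o, --html-output - Use basic HTML to format the output"
      echo "-l, --no-locations - Disable obtaining the IPs geographical location"
      echo "-c, --no-colors - Disable the use of (ANSI) colors in the output"
      echo "-s, --single-line - Put all information about an event in a single line"
      exit 0 # nothing left to do
      ;;
    --) shift; break;;
    *) echo "Internal error!"; exit 1;;
  esac
done

# Locate awk when it was not configured above. The first executable candidate
# wins; gawk is preferred because the program below relies on strtonum().
if [ -z "$AWK_BIN" ]; then
  for awk_candidate in /bin/gawk /usr/bin/gawk /bin/awk /usr/bin/awk; do
    if [ -x "$awk_candidate" ]; then
      AWK_BIN="$awk_candidate"
      break
    fi
  done
fi

if [ -z "$AWK_BIN" ]; then
  echo "ERROR: Could not locate the AWK binary (is it installed?)." >&2
  echo "You may want to configure it yourself inside this script." >&2
  exit 1
else
  # Test what awk version is used (gawk, mawk etc...); mawk lacks strtonum().
  awk_version=$("$AWK_BIN" -W version 2>/dev/null | grep -i mawk)
  if [ -n "$awk_version" ]; then
    echo "The configured AWK binary is MAWK, which does not work with the script. Please use GAWK instead" >&2
    exit 1
  fi

  # HTML document header. NOTE(review): in this copy of the script the markup
  # emitted here and by the USE_HTML printf calls below consists of empty
  # strings; the tags appear to have been lost — confirm against upstream.
  if [ "$USE_HTML" = "1" ]; then
    echo 'Firewall Log'
    echo ''
    echo ''
  fi

  # The filter itself: reads log lines on stdin, one event per line, and
  # rewrites every line that carries an "IN=" netfilter log record.
  "$AWK_BIN" '
  # Only a literal IPv4/IPv6 address (digits, hex digits, dots, colons) may be
  # interpolated into a shell command line by the lookups below. Anything else
  # in a SRC=/DST= field is treated as hostile input and skipped.
  function is_literal_ip(host) {
    return (host ~ /^[0-9A-Fa-f.:]+$/)
  }

  # Map a numeric port string to a "Name(port)" label; falls back to the
  # unchanged string when the port is unknown.
  function portname_lookup(port_str) {
    port=strtonum(port_str)
    if (port==0) return("Invalid Port(0)")
    if (port==1) return("SGI Irix TCPMUX(1)")
    if (port==7) return("Echo-Server(7)")
    if (port==9) return("Discard-Server(9)")
    if (port==11) return("Unix Sysstat(11)")
    if (port==13) return("Daytime-Server(13)")
    if (port==19) return("Chargen(19)")
    if (port==20) return("FTP-Data(20)")
    if (port==21) return("FTP(21)")
    if (port==22) return("SSH(22)")
    if (port==23) return("Telnet(23)")
    if (port==25) return("SMTP(25)")
    if (port==37) return("Time(37)")
    if (port==43) return("Who-IS(43)")
    if (port==53) return("DNS(53)")
    if (port==59) return("Ident(59)")
    if (port==67) return("BootP Server(67)")
    if (port==68) return("BootP Client(68)")
    if (port==69) return("TFTP(69)")
    if (port==79) return("Finger(79)")
    if (port==80) return("HTTP(80)")
    if (port==88) return("KRB5(88)")
    if (port==98) return("LinuxConf(98)")
    if (port==109) return("POP2(109)")
    if (port==110) return("POP3(110)")
    if (port==111) return("SunRPC/RPCbind(111)")
    if (port==113) return("IDENT(113)")
    if (port==119) return("NNTP News(119)")
    if (port==123) return("NTP(123)")
    if (port==135) return("MS RPC(135)")
    if (port==137) return("SMB Name(137)")
    if (port==138) return("SMB Data(138)")
    if (port==139) return("SMB Session(139)")
    if (port==143) return("IMAP(143)")
    if (port==161) return("SNMP(161)")
    if (port==177) return("XDMCP(177)")
    if (port==389) return("LDAP(389)")
    if (port==443) return("HTTPS(443)")
    if (port==445) return("MSFT DS(445)")
    if (port==464) return("KPASSWD(464)")
    if (port==465) return("SMTP-SSL(465)")
    if (port==500) return("Appleshare(500)")
    if (port==513) return("Rwho(513)")
    if (port==515) return("Printer(515)")
    if (port==520) return("Route(520)")
    if (port==524) return("NCP(524)")
    if (port==525) return("TimeServer(525)")
    if (port==535) return("CORBA IIOP(535)")
    if (port==554) return("RealServer(554)")
    if (port==555) return("phAse zero(555)")
    if (port==600) return("PC Server Backdoor(600)")
    if (port==635) return("Linux Mountd bug(635)")
    if (port==636) return("LDAPs(636)")
    if (port==691) return("MS-Exchange(691)")
    if (port==993) return("IMAPs(993)")
    if (port==995) return("POP3s(995)")
    if (port==1025) return("NFS(1025)")
    if (port==1026) return("Windows-Message-Service(1026)")
    if (port==1027) return("Windows-Message-Service(1027)")
    if (port==1080) return("SOCKS(1080)")
    if (port==1114) return("SQL(1114)")
    if (port==1214) return("KaZaa(1214)")
    if (port==1243) return("Sub-7(1243)")
    if (port==1394) return("Network Log Client(1394)")
    if (port==1433) return("MS-SQL(1433)")
    if (port==1434) return("MS-SQL monitor(1434)")
    if (port==1524) return("Trin 00(1524)")
    if (port==1662) return("Netview-aix-2(1662)")
    if (port==1723) return("PPtP(1723)")
    if (port==1883) return("IBM MQSeries SCADA(1883)")
    if (port==1900) return("UPnP(1900)")
    if (port==1999) return("Backdoor-G or Sub-7 2.x(1999)")
    if (port==2002) return("Cisco Secure ACS WebServer(2002)")
    if (port==2049) return("NFS(2049)")
    if (port==2243) return("Magicom Protocol(2243)")
    if (port==2343) return("Nati logos(2343)")
    if (port==2772) return("Sub-7 ScreenCapture(2772)")
    if (port==2773) return("Sub-7 KeyLogger(2773)")
    if (port==3127) return("MyDoom Backdoor(3127)")
    if (port==3128) return("Squid(3128)")
    if (port==3129) return("Masters Paradise(3129)")
    if (port==3268) return("globalcat-LDAP(3268)")
    if (port==3449) return("HotU Chat(3449)")
    if (port==4500) return("MS IPsec NAT-T(4500)")
    if (port==4662) return("eDonkey(4662)")
    if (port==5000) return("UPnP(5000)")
    if (port==5060) return("SIP(5060)")
    if (port==5061) return("SIP over TLS(5061)")
    if (port==5500) return("VNC(5500)")
    if (port==5554) return("Sasser-backdoor(5554)")
    if (port==5623) return("pcAnywhere(5623)")
    if (port==5800) return("VNC-data(5800)")
    if (port==5900) return("VNC-HTTP(5900)")
    if (port==6346) return("GNUtella(6346)")
    if (port==6670) return("Deep Throat(6670)")
    if (port==6711) return("Sub-7(6711)")
    if (port==6712) return("Sub-7(6712)")
    if (port==6713) return("Sub-7(6713)")
    if (port==6776) return("Backdoor-G or Sub-7(6776)")
    if (port==6969) return("GateCrasher(6969)")
    if (port==6970) return("RealAudio(6970)")
    if (port==7215) return("Sub-7 Matrix Chat(7215)")
    if (port==7777) return("Unreal or Klingon Honor Guard(7777)")
    if (port==7778) return("Unreal Tournament(7778)")
    if (port==8080) return("HTTP Alternate(8080)")
    if (port==9100) return("JetDirect(9100)")
    if (port==10000) return("Webadmin(10000)")
    if (port==10008) return("Cheeseworm(10008)")
    if (port==12345) return("Netbus(12345)")
    if (port==12346) return("Netbus(12346)")
    if (port==13223) return("PowWow(13223)")
    if (port==16660) return("Stacheldraht(16660)")
    if (port==16959) return("Sub-7(16959)")
    if (port==17027) return("Conducent(17027)")
    if (port==20034) return("Netbus 2 Pro(20034)")
    if (port==20002) return("Acidkor(20002)")
    if (port==21544) return("Girlfriend(21544)")
    if (port==22450) return("Sin(22450)")
    if (port==23456) return("EvilFTP(23456)")
    if (port==26000) return("Quake(26000)")
    if (port==26900) return("Hexen 2(26900)")
    if (port==26950) return("Hexen World(26950)")
    if (port==27015) return("Half-life Or Team Fortress Classic(27015)")
    if (port==27374) return("Backdoor-G or Sub-7(27374)")
    if (port==27444) return("Trin 00(27444)")
    if (port==27500) return("Quake World(27500)")
    if (port==27665) return("Trin 00(27665)")
    if (port>=27910 && port<=27961) return(sprintf("Quake(%i)", port))
    if (port>=28000 && port<=28008) return(sprintf("Starsiege Tribes(%i)", port))
    if (port==28910) return("Heretic 2(28910)")
    if (port==30100) return("NetSphere(30100)")
    if (port==31335) return("Trin 00(31335)")
    if (port==31337) return("Back Orifice(31337)")
    if (port==31338) return("Back Orifice(31338)")
    if (port==31789) return("Hack'a'Tack(31789)")
    if (port>=32770 && port<=32900) return(sprintf("SUN-RPC Portmapper(%i)",port))
    if (port==33270) return("Trinity v3(33270)")
    if (port>=33434 && port<=33600) return(sprintf("Traceroute?(%i)",port))
    if (port==41508) return("Inoculan(41508)")
    if (port==50505) return("Sockets de Troi(50505)")
    if (port==54283) return("Sub-7 Spy port(54283)")
    if (port==54320) return("Back Orifice 2K(54320)")
    if (port==54321) return("Back Orifice 2K(54321)")
    if (port==60001) return("Stacheldraht(60001)")
    if (port==65000) return("Stacheldraht(65000)")
    # If nothing else matches just return the port number
    return(port_str)
  }

  # Map an ICMP type/code pair to a description.
  function ICMP_lookup(type, code) {
    if (type==0 && code==0) return ("Echo reply")
    if (type==3 && code==0) return ("Network unreachable")
    if (type==3 && code==1) return ("Host unreachable")
    if (type==3 && code==2) return ("Protocol unreachable")
    if (type==3 && code==3) return ("Port unreachable")
    if (type==3 && code==4) return ("Fragmentation needed but no frag. bit set")
    if (type==3 && code==5) return ("Source routing failed")
    if (type==3 && code==6) return ("Destination network unknown")
    if (type==3 && code==7) return ("Destination host unknown")
    if (type==3 && code==8) return ("Source host isolated")
    if (type==3 && code==9) return ("Destination network administratively prohibited")
    if (type==3 && code==10) return ("Destination host administratively prohibited")
    if (type==3 && code==11) return ("Network unreachable for TOS")
    if (type==3 && code==12) return ("Host unreachable for TOS")
    if (type==3 && code==13) return ("Communication administratively prohibited by filtering")
    if (type==3 && code==14) return ("Host precedence violation")
    if (type==3 && code==15) return ("Precedence cutoff in effect")
    if (type==4 && code==0) return ("Source quench")
    if (type==5 && code==0) return ("Redirect for network")
    if (type==5 && code==1) return ("Redirect for host")
    if (type==5 && code==2) return ("Redirect for TOS and network")
    if (type==5 && code==3) return ("Redirect for TOS and host")
    if (type==8 && code==0) return ("Echo request")
    if (type==9 && code==0) return ("Router advertisement")
    if (type==9 && code==16) return ("Does not route common traffic")
    if (type==10 && code==0) return ("Route solicitation")
    if (type==11 && code==0) return ("TTL equals 0 during transit")
    if (type==11 && code==1) return ("TTL equals 0 during reassembly")
    if (type==12 && code==0) return ("IP header bad (catchall error)")
    if (type==12 && code==1) return ("Required options missing")
    if (type==12 && code==2) return ("Bad Length")
    if (type==13 && code==0) return ("Timestamp request")
    if (type==14 && code==0) return ("Timestamp reply (obsolete)")
    if (type==15 && code==0) return ("Information request")
    if (type==16 && code==0) return ("Information reply")
    if (type==17 && code==0) return ("Address mask request")
    if (type==18 && code==0) return ("Address mask reply")
    if (type==30 && code==0) return ("Outbound Packet succesfully forwarded")
    if (type==30 && code==1) return ("No route for Outbound Packet; packet discarded")
    if (type==40 && code==0) return ("Bad SPI")
    if (type==40 && code==1) return ("Authentication Failed")
    if (type==40 && code==2) return ("Decompression Failed")
    if (type==40 && code==3) return ("Decryption Failed")
    if (type==40 && code==4) return ("Need Authentication")
    if (type==40 && code==5) return ("Need Authorization")
    # If nothing else matches just return unknown
    return("Unknown ICMP type/code")
  }

  # Main program: lines without "IN=" that still look firewall related are
  # echoed unchanged; lines with "IN=" are reformatted field by field.
  {
    if (match($0, "IN=") != 0 || match($0, "firewall") != 0 || match($0, "Firewall") != 0 || match($0, "kernel") != 0) {
      if (match($0, "IN=") == 0) {
        printf("%s", $0)
      } else {
        # An empty IN= means the packet left this host; an empty OUT= means it arrived.
        if (match($0, "IN= ") != 0) INPUT=0; else INPUT=1
        if (match($0, "OUT= ") != 0) OUTPUT=0; else OUTPUT=1

        # First show message, SRC etc.
        for (i = 1; i <= NF; i++) {
          if (substr($i,1,4) == "SRC=") SRC_HOST=substr($i, 5, length($i) - 4)
          if (substr($i,1,4) == "DST=") DST_HOST=substr($i, 5, length($i) - 4)
          if (substr($i,1,4) != "MAC=" && substr($i,1,4) != "SRC=" && substr($i,1,4) != "DST=" && $i != "IN=" && $i != "OUT=" ) {
            if ($(i+1) != "kernel:" && $i != "kernel:" && $i != "[kernel]" ) {
              if (i==1) printf("%s", $i)
              else if (i==2 && length($2)==1) # We always want 2 digits for the date-day:
                printf(" 0%s", $i)
              else printf(" %s", $i)
            }
          }
          if (substr($i,1,4) == "SRC=") {
            if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;36m")
            if (USE_HTML==1) printf("")
            printf(" %s", $i)
            if (USE_ANSI_COLORS==1) printf("\033[0m")
            if (USE_HTML==1) printf("")
          }
          if (substr($i,1,4) == "DST=") {
            # Show destination
            if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;35m")
            if (USE_HTML==1) printf("")
            printf(" %s", $i)
            if (USE_ANSI_COLORS==1) printf("\033[0m")
            if (USE_HTML==1) printf("")

            # The reverse-DNS and geolocation lookups spawn shell commands with
            # the SRC=/DST= value on the command line. Log lines are not trusted
            # input (any local process can write to syslog), so the value is
            # first checked to be a literal IP address and the command output is
            # passed to printf as an argument, never as its format string.
            if (INPUT==1 || FULL_INFO==1) {
              if (RESOLVE_NAMES==1 || SHOW_LOCATION==1) {
                if (USE_1ROW==0) {
                  if (USE_HTML==1) printf("\n                         "); else printf("\n ")
                }
              }
              if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;36m")
              if (USE_HTML==1) printf("")
              if (RESOLVE_NAMES==1 && is_literal_ip(SRC_HOST)) {
                # If multiple names exist for one IP then only use the first (head -n1)
                syscall=sprintf("printf \" %%s\" \"$(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",)\" 2>/dev/null", SRC_HOST)
                system(syscall)
              }
              if (SHOW_LOCATION==1 && is_literal_ip(SRC_HOST)) {
                # NOTE(review): this sends every logged address to a third-party
                # service over plain HTTP; keep SHOW_LOCATION off where that is
                # not acceptable.
                syscall=sprintf("curl -L --silent --connect-timeout 1 \"http://api.hostip.info/get_html.php?ip=%s\" 2>/dev/null |grep -e \"Country:\" -e \"City:\" |while read -r line; do printf \" %%s\" \"$line\"; done", SRC_HOST)
                system(syscall)
              }
            }
            if (OUTPUT==1 || FULL_INFO==1) {
              if (RESOLVE_NAMES==1 || SHOW_LOCATION==1) {
                if (USE_1ROW==0) {
                  if (USE_HTML==1) printf("\n                         "); else printf("\n ")
                }
              }
              if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;35m")
              if (USE_HTML==1) printf("")
              if (RESOLVE_NAMES==1 && is_literal_ip(DST_HOST)) {
                # If multiple names exist for one IP then only use the first (head -n1)
                syscall=sprintf("printf \" %%s\" \"$(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",)\" 2>/dev/null", DST_HOST)
                system(syscall)
              }
              if (SHOW_LOCATION==1 && is_literal_ip(DST_HOST)) {
                syscall=sprintf("curl -L --silent --connect-timeout 1 \"http://api.hostip.info/get_html.php?ip=%s\" 2>/dev/null |grep -e \"Country:\" -e \"City:\" |while read -r line; do printf \" %%s\" \"$line\"; done", DST_HOST)
                system(syscall)
              }
            }
            if (USE_ANSI_COLORS==1) printf("\033[0m")
            if (USE_HTML==1) printf("")
            break
          }
        }

        # NOTE(review): when DST= is the last field, offset is left unset here
        # and the PROTO section below still runs on field 1 — looks unintended,
        # confirm before relying on the output of such lines.
        if (i==NF) {
          if (USE_HTML==1) printf("")
          printf("\n")
        } else {
          offset=i+1
          if (USE_1ROW==0) {
            if (USE_HTML==1) printf("\n                         "); else printf("\n ")
          } else printf(" ")
        }

        save_offset=++offset;
        for (i = offset; i <= NF; i++)
          if (substr($i,1,6) == "PROTO=") break
        offset=i

        # First show PROTO=
        if ($offset == "PROTO=UDP") {
          if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;33m")
          if (USE_HTML==1) printf("")
          printf(" %s", $offset)
          if (USE_ANSI_COLORS==1) printf("\033[0m")
          if (USE_HTML==1) printf("")
        } else if ($offset == "PROTO=TCP") {
          if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;32m")
          if (USE_HTML==1) printf("")
          printf(" %s", $offset)
          if (USE_ANSI_COLORS==1) printf("\033[0m")
          if (USE_HTML==1) printf("")
        } else if ($offset == "PROTO=ICMP") {
          if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;34m")
          if (USE_HTML==1) printf("")
          printf(" %s", $offset)
          if (USE_ANSI_COLORS==1) printf("\033[0m")
          if (USE_HTML==1) printf("")
        } else {
          printf(" %s", $offset)
        }

        if (substr($(offset+1),1,4)=="SPT=") {
          # Second show DPT=
          if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;31m")
          if (USE_HTML==1) printf("")
          printf(" DPT=%s", portname_lookup(substr($(offset+2), 5, length($(offset+2))-4)))
          if (USE_ANSI_COLORS==1) printf("\033[0m")
          if (USE_HTML==1) printf("")
          # Third show SPT=
          printf(" SPT=%s", portname_lookup(substr($(offset+1), 5, length($(offset+1))-4)))
        }

        if ($(offset)=="PROTO=ICMP") {
          # Resolve type/code
          if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;31m")
          if (USE_HTML==1) printf("")
          type=strtonum(substr($(offset+1), 6, length($(offset+1))-5))
          code=strtonum(substr($(offset+2), 6, length($(offset+2))-5))
          printf(" TYPE/CODE=%s(%i,%i)", ICMP_lookup(type, code), type, code)
          if (USE_ANSI_COLORS==1) printf("\033[0m")
          if (USE_HTML==1) printf("")
        }

        # Show all other info; a field starting with "[" marks the embedded
        # header of an ICMP error, after which fewer fields are filtered.
        ICMP_INFO=0
        for (i = save_offset; i <= NF; i++) {
          if (substr($i,1,1) == "[") ICMP_INFO=1
          if (ICMP_INFO==1) {
            if (substr($i,1,5) != "PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" &&
                i != 4 && i != 5 && substr($i,1,2) != "DF" &&
                $i != "RES=0x00" && $i != "URGP=0") printf(" %s", $i)
          } else {
            if (substr($i,1,6) != "PROTO=" && substr($i,1,5) != "PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" &&
                substr($i,1,4) != "LEN=" && i != 4 && i != 5 && substr($i,1,2) != "DF" && substr($i,1,4) != "SPT=" && substr($i,1,4) != "DPT=" &&
                $i != "RES=0x00" && $i != "URGP=0" && substr($i,1,7) != "WINDOW=" && substr($i,1,5) != "TYPE=" && substr($i,1,5) != "CODE=") printf(" %s", $i)
          }
        }
      }
      if (USE_HTML==1) printf("")
      printf("\n")
    }
  }
  ' RESOLVE_NAMES="$RESOLVE_NAMES" SHOW_LOCATION="$SHOW_LOCATION" USE_ANSI_COLORS="$USE_ANSI_COLORS" USE_1ROW="$USE_1ROW" USE_HTML="$USE_HTML" FULL_INFO="$FULL_INFO"
  # FULL_INFO is read by the awk program but was never handed to it; it is
  # passed through now. NOTE(review): it is not defined in this part of the
  # script — if it is unset, the lookups keep their previous one-sided behaviour.

  if [ "$USE_HTML" = "1" ]; then
    echo ""
  fi
fi
arno-iptables-firewall_2.0.1d/README0000644000000000000000000010165012055611115015661 0ustar rootroot -= Arno's iptables firewall =- Single- & multi-homed firewall script with DSL/ADSL support ~ In memory of my dear father ~ (C) Copyright 2001-2012 by Arno van Amersfoort. Co-authors : Lonnie Abelbeck & Philip Prindeville Homepage : http://rocky.eld.leidenuniv.nl/ Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l (note: you must remove all spaces and substitute the @ and the . at the proper locations!) ------------------------------------------------------------------------------- This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ------------------------------------------------------------------------------- A MESSAGE FROM THE AUTHOR: -------------------------- Almost *all* my work is distributed under the terms of the GNU GPL License, which means it's free (open-source) software. If you like my work or you want me to implement a certain feature, you are encouraged to donate money. You can (preferably) donate directly to me through my bank account (mail me for my IBAN number (International Bank Account Number). 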
Or you can donate it to one of my favourite charity organisations: - foundations for cancer research (in The Netherlands: "KWF Kanker Bestrijding"); - foundations for brain disease research (in The Netherlands: "De Hersenstichting"); - foundations for the welfare of animals ("IFAW" or in the Netherlands: "De Dierenbescherming") Note that *ALL* donations I receive go to one of the above foundations. I can also provide paid support (for commercial businesses). For example for firewall customisation, (special) feature requests or other support. Just contact me and we can work something out. IMPORTANT NOTE: --------------- I don't provide end-user support on my email address. Any problems & questions directly related to the use/implementation of my firewall should go to the mailinglist, for which you can sign up on my website. Also consult the FAQs before reporting a problem/question. Please use this way as I'm simply too busy to help everybody out with every (trivial) issue. Furthermore read the information in the troubleshooting section below! An explanation of the files in the package: ------------------------------------------- /bin/arno-iptables-firewall : The actual firewall script, core of Arno's iptables firewall. You should put this file in eg. /usr/local/sbin/ . You should make sure it's executable (use "chmod 700" or "chmod +x"). /bin/arno-fwfilter : A pipe filter script to make the firewall log more readable. It can be used for example in conjunction with a tail to log your firewall to local tty10 (-12). It can be used for both /var/log/messages and /var/log/firewall (or whatever name you configured in syslogd), depending on the log-level specified in the configuration file. An example of how to use it can be found at the beginning of the fwfilter script. Any options for fwfilter can be configured within the script itself. You should put this file in eg. /usr/local/bin/. 
/etc/arno-iptables-firewall/firewall.conf : The configuration file used for Arno's iptables firewall script. Normally you should put it in /etc/arno-iptables-firewall/. Make sure root is owner/group (with "chown 0:0"). /etc/arno-iptables-firewall/plugins/ : Put any plugin config files (.conf files) for my firewall in this directory. /etc/arno-iptables-firewall/conf.d/ : Put any (override) configuration files in the directory. Any files here with a .conf-extension(!) will be sourced AFTER the main firewall.conf file has been read. /etc/arno-iptables-firewall/custom-rules : Put any (iptables) custom rules in this file. This file should be put in /etc/arno-iptables-firewall/ . Make sure root is owner/group (with "chown 0:0"). /etc/init.d/arno-iptables-firewall : The init.d script to start/stop the script at boot etc. On some (older) distributions you may need to put it in /etc/rc.d/ (instead of /etc/init.d). You should make sure it's executable (use "chmod 700 or chmod +x). Inside this script you can also enable VERBOSE(=1) logging for eg. debugging purposes. /share/arno-iptables-firewall/environment : This is the environment-file required by the firewall and some plugins. It contains several global functions. It should normally be put in /usr/local/share/ on your local system. /share/arno-iptables-firewall/plugins/ : Put any plugin binaries (.plugin files) for my firewall in this directory. It should normally be put in /usr/local/share/ on your local system. /share/man/man8/arno-iptables-firewall.8 : A man page for the arno-iptables-firewall script. /share/man/man1/arno-fwfilter.1 : A man page for the arno-fwfilter script. /CHANGELOG : The version changelog of my firewall. /README : "This" file. /configure.sh : Script to setup a basic configuration. /install.sh : Install script to deploy my firewall on your system. /uninstall.sh : Uninstall script to remove my firewall from your system. /contrib/ : Directory contains any misc. (user contributed) files (scripts etc.) 
It also contains examples of how to modify your syslogger to log your firewall messages into a separate file. ------------------------------------------ | Some IMPORTANT (security) information: | ------------------------------------------ 1) If possible, try to start the firewall before you enable your (ADSL) internet connection. For a ppp-interface that doesn't exist yet you can use the wildcard device called "ppp+" (but you can only use ppp+ if there aren't any other ppp interfaces!). 2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't really understand what they mean. Changing them anyway could have a big impact on the security of your machine. 3) I get a lot of emails from people complaining that their webserver etc. stopped working after installing my firewall. This is the CORRECT behaviour for a firewall: BLOCKING ALL incoming traffic by default! Configure your eg. OPEN_TCP accordingly! ----------------- | General hints | ----------------- 1) For IPv4 addresses you can use IP ranges in all variables by specifying them as eg. "192.168.1.10-50" (which would make the range start with 192.168.1.10 and end at 192.168.1.50). Note that this only works for Class-C(/24) ranges, so specifying eg. 192.168.1.1-192.168.2.1 does NOT work! 2) My firewall has mixed IPv4/IPv6 support. You can switch from IPv4-only to IPv4/IPv6 support by simply setting "IPV6_SUPPORT=1" in the config file. 3) You can use the $ANYPORT and $ANYHOST macros to specify "ALL ports" or "ALL hosts" in the configuration variables/rules. 4) The default separator for configuration-variables/rules is ~. For source>target definitions the separator between source and target is >. All of this is also explained (with examples) in the configuration file. 
5) For configuration-variables/rules which are related to the external (internet) interface one can restrict the interface(s) for which it is applied to by adding either "{interface1,interface2,...}#" or "{interface_ip1,interface_ip2}#" at the beginning of the rule. The latter is especially handy for aliased interfaces. Example 1: OPEN_TCP="eth0#22", would only open TCP port 22 (SSH) for interface eth0 Example 2: OPEN_TCP="1.2.3.4#22", would only open TCP port 22 (SSH) for interface which has the IP 1.2.3.4 This feature can also be used to enable NAT port forwarding for certain (external) interfaces. Examples: Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means: - Forwards TCP port 22; - Forward is available for the whole world (0/0); - Forward is applied to eth0 only; - {internal_host} is the host the port should be forwarded to. Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means: - Forwards TCP port 80; - Forward is available for the whole world (0/0); - Forward is applied to the (external) (aliased) interface with IP 1.2.3.4; - {internal_host} is the host the port should be forwarded to. 6) Port ranges should be written as port_start:port_end, eg. "137:139" would select ports 137,138 and 139. ----------------------------------------- | Debian package repository information | ----------------------------------------- When you are using Debian (or a Debian-flavor: Ubuntu, Kubuntu etc.), you can either use the package that comes with the distribution or you can use Michael Hanke's package repository. Simply add: deb http://apsy.gse.uni-magdeburg.de/debian sarge main to your /etc/apt/sources.list and installing the firewall is then as easy as: apt-get install arno-iptables-firewall That way one can automatically profit from any package update. 
Even if no binary package is available one could build it by adding: deb-src http://apsy.gse.uni-magdeburg.de/debian/source ./ to /etc/apt/sources.list and executing: apt-src install arno-iptables-firewall apt-src build arno-iptables-firewall NOTE: Currently there is no package available yet for the 1.9-branch, only for version 1.8. If you would like to run 1.9, which is recommended, use the .tgz-version from my website. --------------- | Quick setup | --------------- If you want to have it running ASAP or are a novice user, then this is the part that's important. Remember that my firewall has a lot of other useful features which will NOT be used in this way. On the other hand, various security features are enabled by default to protect you from hostile attacks. 1) First we have to check whether your Linux setup is OK in order to make the script work correctly: - It needs iptables and iproute(2) to be installed (they probably come as packages with your distro). - It requires a POSIX compliant /bin/sh (should live on any UNIX system by default) - My scripts need the following binaries (in your path): iptables (obviously), ip (from the iproute package), sysctl, modprobe, logger, uname, date, awk, tr, grep, sed, cut, head, tail, wc, which, & cat. - If you plan to use DNS resolving (eg. for certain plugins) then the binary 'dig' (from the dnsutils package) or as a fall-back 'nslookup' should also be available. 2) Now we need to determine whether you have a single- or dual-homed machine. Single means you ONLY have one network-interface, which is the one connected to the outside "evil" world (internet). Dual-homed machines also have a local subnet connected to an additional network interface. 3) Run the install script and follow the instructions: ./install.sh a) Configure your external network interfaces, EXT_IF. In case of a dual(multi)-homed machine it's the interface which is connected to the internet, in case of a LAN it's the one connected to your network. 
When you have an (dynamically) IP assigned to you (by your ISP) via DHCP, you should set "EXT_IF_DHCP_IP=1" else leave it off (0, default). If you have multiple (non-aliased) external interfaces, you should ALL specify them here (space separated). Note that for aliased interfaces you should only specify the "parent"-interface in EXT_IF. So if you have eth0, eth0:1 and eth0:2, you should make EXT_IF="eth0" (only). b) When your public IP is assigned to you by your ISP (through DHCP) then you should enable support for an DHCP external assigned IP. c) Now we configure what ports should be open for the outside world. If you eg. are running an HTTP-server(port 80), an SSH-server(port 22), and/or an FTP-server (port 21) which should be accessible from the internet you should configure the OPEN_TCP / OPEN_UDP variables like this: OPEN_TCP="21 22 80" OPEN_UDP="" d) For dual-homed machines you should also configure INT_IF, the interface used for the local network and you should set your local subnet range in "INTERNAL_NET=". If you want your internal network to be able to access the internet (aka. internet-sharing), you should also enable NAT (masquerading) by setting "NAT=1"). For single-homed machines (part of a LAN), you shouldn't touch INT_IF (leave it disabled) and just stick to using EXT_IF. 4) Now your firewall is ready but I'd suggest to review this additional info: a) In case you use an (A)DSL modem (which works with a PPtP connection to your machine) you should enable the dsl-ppp-modem plugin (You can verify this with 'ifconfig', if a ppp device with your public IP exists you need this). We must enable/configure the dsl-ppp-modem plugin via /etc/arno-iptables-firewall/dsl-ppp-modem.conf by setting ENABLED=1. Now we must configure the network interface(ethX) to which your modem is physically connected (=MODEM_IF, which is commented(#) out by default), and this is NOT ppp+, ppp0 etc.! 
Here are some examples of how to do it for some providers (it's assumed that the modem is connected to eth0): PPPoE connection with a static public IP (eg. MxStream in the Netherlands) (setup with the ADSL4Linux package from http://www.adsl4linux.nl): - MODEM_IF="eth0" - MODEM_IF_IP="10.0.0.150" - MODEM_IP="10.0.0.138" # Make sure this IP corresponds to the one used by your modem! T-DSL (Germany) with a dynamic public IP: - MODEM_IF="eth0" - MODEM_IF_IP="192.168.99.1" - MODEM_IP="" PPPoA connection with a dynamic public IP: - MODEM_IF="eth0" - MODEM_IF_IP="" # This MUST be unset("") (default) - MODEM_IP="10.0.0.138" # Make sure this IP corresponds to the one used by your modem! NOTE 1: For extra security you *can* set the IP of your modem (MODEM_IP), but it's not necessary (anymore). If you don't know its IP or believe it doesn't have an IP, you can leave MODEM_IP="". The same applies to the IP of the modem network interface (MODEM_IF_IP). NOTE 2: If both your modem AND your network interface don't have an IP you probably don't have to configure your modem settings (at all). NOTE 3: In case of a PPPoA (PPP-over-ATM) connection you MUST leave MODEM_IF_IP empty(="")! NOTE 4: Don't forget to set EXT_IF_DHCP_IP=1 in firewall.conf too, in case your ISP uses DHCP. b) In case you're on a corporate network which uses public IPs I'd suggest to add your local subnet (range) to "FULL_ACCESS_HOSTS". c) Some people mentioned that protocols like IRC or some (older) FTP/POP3/SMTP servers don't work (properly) if port 113(Identd) is filtered (firewalled). I really hate the fact that these types of protocols still depend on the "not-so-secure" IDENT-protocol. But if you really need it, you can do 2 things to make them work properly: 1) If you don't want to run an IDENT-daemon, simply add port 113 to the REJECT_TCP-variable (Recommended). 2) Or if you really want to run an IDENT-daemon, you should add port 113 to the OPEN_TCP-variable. 
(Not recommended) 9) You're now ready to start the firewall by issuing: "/etc/init.d/arno-iptables-firewall start" Everything should be working OK now; if it doesn't, carefully review all steps and your configuration. For troubleshooting you can first consult the FAQs on my webpage. NOTE 1: Make sure that when you use NAT, you properly configure the client's "default gateway" and the (public) DNS server(s) it should use! Note that you don't have to set up any proxy settings in eg. your client's browser. NOTE 2: Additional (more advanced) options are (also) explained in the configuration-file comments and in the QA's on my webpage (eg. IPSec VPN support). Troubleshooting: What if it doesn't work?: ------------------------------------------------------------------------------ 1) Check your settings (.conf) at least 10 times. It's quite common for a human being to make mistakes. TIPS / Common errors: - Make sure that EXT_IF, MODEM_IF and/or INT_IF are not the same. If they are, YOU made a mistake, as they can never EVER be the same! - Another error I once saw was someone that used something like "127.0.0.0/24" for his local subnet. "127.0.0.0" is the address of the local loopback and therefore should never ever appear in the configuration file! 2) Obtain the latest version of your (distribution) kernel & iptables. 3) Make sure your (self-built) kernel supports all required options. 4) Carefully inspect the output generated when issuing "arno-iptables-firewall start" 5) Read the README file at least 3 times 6) Download the latest (beta) version of my script and check whether this fixes your problem. 7) Read the README file one more time and review your .conf-file also one more time, just in case ;-) 8) Do NOT send end-user requests to my personal email address, instead post your question/problem on the firewall mailing list. 
Provide us with: - your (firewall) *.conf files - the screen output of "/usr/local/sbin/arno-iptables-firewall start" (or wherever it is located) - the output of 'ifconfig' - (firewall) logs - a trace log. You can enable tracing in the firewall.conf file - the version of my script you're using (or the date if you use the development script) - a detailed explanation of your setup - and anything else that might help Remember that people that don't obey these rules get a low, very low priority, or won't get any reaction at all! Plugin support ------------------------------------------------------------ As of version 1.8.7-RC2 my firewall also supports plugins -> little scripts that implement specific stuff which doesn't exist in the main script (yet). The latest versions of all supported plugins can be found here: http://rocky.eld.leidenuniv.nl/iptables-firewall/plugins/ Notes on plugins: ----------------- 1) Plugins should be put in /etc/arno-iptables-firewall/plugins/ 2) The priority/loading order of the plugins can be adjusted by changing the number in front of the plugin-name (50=default). Increasing the number gives lower priority, decreasing the number gives higher priority. 3) All plugins have an option called "ENABLED" (in their config file) which is set to 0 by default, meaning it is disabled. So if you actually want to use a plugin, you have to set ENABLED=1 4) Plugins can have their own additional set of configuration variables, don't forget to set/review those too. Everyone is invited to write their own plugins to implement other things, and to submit them. Notes on writing your own plugins --------------------------------- 1) When you write your own plugins, make sure you know what you're doing. You can severely compromise security or break things with buggy plugins. 2) Submit plugins to me, if you think they can be of use to others, but note that I always reserve the right to decline the plugin (because it was eg. poorly written). 
Submitted plugins must be (at least) compatible with the GPLv2 license. 3) The plugin should have/use these variables: - PLUGIN_NAME (Plugin name/description) - PLUGIN_VERSION (Plugin version) - PLUGIN_CONF_FILE (Location of the plugin config file) Furthermore it should honour the ENABLED variable from the config-file to enable/disable the plugin. Use one of my plugins as a template (skeleton) for writing your own plugins (I recommend having a look at the "SSH Brute-Force protection"-plugin); that way it is easier for me and for others to understand. 4) Plugins should have a separate config file (.conf) with all user variables (settings). It should at least contain the "ENABLED="-variable to enable/disable the plugin. 5) Plugins should also have a separate file with their CHANGELOG (.changelog) 6) Plugins should preferably be POSIX shell compatible (eg. work with "Dash") 7) Plugins can use all variables/functions/chains from the main-script and main configuration file. Plugin specific configuration variables should be put inside the plugin's configuration file (.conf). 8) Make sure that when you create new iptables-chains, they don't conflict with the main script or other plugins. The same goes for the iptables MARK-module: make sure that you use a unique MARK-number that doesn't conflict with other plugins. 9) Plugins should in principle always clean up their own chains (and anything else they created at start) when stopping, so that no rules from a stopped or disabled plugin linger in the active ruleset. 10) A list of available chains created by AIF's main script can be found below. Note that I strongly recommend NOT using any builtin iptables chains like INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING directly. Only do this when it's absolutely necessary! Available iptables chains created by Arno's Iptables Firewall ------------------------------------------------------------- BASE_INPUT_CHAIN - Base input chain. For internal use by AIF only! BASE_OUTPUT_CHAIN - Base output chain. For internal use by AIF only! 
BASE_FORWARD_CHAIN - Base forward chain. For internal use by AIF only! INPUT_CHAIN - AIF's main INPUT chain. Use this if you want to insert rules in the INPUT chain OUTPUT_CHAIN - AIF's main OUTPUT chain. Use this if you want to insert rules in the OUTPUT chain FORWARD_CHAIN - AIF's main FORWARD chain. Use this if you want to insert rules in the FORWARD chain EXT_INPUT_CHAIN - External-net INPUT chain EXT_OUTPUT_CHAIN - External-net OUTPUT chain EXT_BROADCAST_CHAIN - External-net chain for broadcast traffic EXT_MULTICAST_CHAIN - External-net chain for multicast traffic EXT_FORWARD_IN_CHAIN - External-net FORWARD chain for INcoming traffic EXT_FORWARD_OUT_CHAIN - External-net FORWARD chain for OUTgoing traffic EXT_ICMP_FLOOD_CHAIN - External-net chain where ICMP packets go which are considered a "flood" DMZ_FORWARD_IN_CHAIN - DMZ FORWARD chain for INcoming traffic DMZ_FORWARD_OUT_CHAIN - DMZ FORWARD chain for OUTgoing traffic DMZ_INET_FORWARD_CHAIN - DMZ to internet/external-net forward chain DMZ_INPUT_CHAIN - DMZ INPUT chain DMZ_LAN_FORWARD_CHAIN - DMZ to LAN/internal-net forward chain DMZ_OUTPUT_CHAIN - DMZ output chain INET_DMZ_FORWARD_CHAIN - External-net(internet) to DMZ forward chain HOST_BLOCK_DROP - Chain where packets from dropped blocked hosts go HOST_BLOCK_DST - Chain containing the list of destination based blocked hosts HOST_BLOCK_SRC - Chain containing the list of source based blocked hosts INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTgoing traffic INT_INPUT_CHAIN - Internal-net INPUT chain INT_OUTPUT_CHAIN - Internal-net OUTPUT chain LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain POST_INPUT_CHAIN - This chain is always processed last (post) in the INPUT chain POST_OUTPUT_CHAIN - This chain is always processed last (post) in the OUTPUT chain POST_FORWARD_CHAIN - This chain is always processed last (post) in the FORWARD chain POST_INPUT_DROP_CHAIN - 
Packets dropped at the end of the INPUT chain end up in this chain (Used for eg. IDS) RESERVED_NET_CHK - This chain holds the list of reserved nets to check against SPOOF_CHK - This chain contains rules for spoof checking VALID_CHK - This chain contains rules for checking whether a packet is valid NAT_POSTROUTING_CHAIN - NAT (-t nat) POSTROUTING chain NAT_PREROUTING_CHAIN - NAT (-t nat) PREROUTING chain POST_NAT_POSTROUTING_CHAIN - This chain is always processed last (post) in the NAT (-t nat) POSTROUTING chain POST_NAT_PREROUTING_CHAIN - This chain is always processed last (post) in the NAT (-t nat) PREROUTING chain Loadbalancing/multirouting (with multiroute masquerade/SNAT) ------------------------------------------------------------ My firewall also supports multirouting (loadbalancing), optionally in conjunction with NAT. Although this works with both conventional masquerading and SNAT, it's strongly recommended to use SNAT, as it is known to be much less likely to cause problems. Also note that I haven't found a way (yet) to make this work with dynamic external (internet) IPs, meaning you need static IPs from your ISP. First of all, if you want to use multirouting, make sure that your (vanilla) kernel has the following network features enabled (eg. when building from source): - CONFIG_IP_ADVANCED_ROUTER=y - CONFIG_IP_MULTIPLE_TABLES=y - CONFIG_IP_ROUTE_MULTIPATH=y Second, you should configure/enable the multiroute-plugin. And last but not least, you should set up the firewall: add (all) the used external interfaces to EXT_IF, and when SNAT is used, add the corresponding external IPs to NAT_STATIC_IP. That's it! NOTE: Redundant connections are (currently) not supported! This is a limitation of the (current) Linux kernel (not of my firewall). 
Info when building your own kernel (2.4 & 2.6) through "make menuconfig": ------------------------------------------------------------------------------- For the firewall to work properly you need the following options enabled (as modules or compiled into your kernel): - "Loadable module support" - "Enable loadable module support" (If you want to build iptables as modules) - "Automatic kernel module loading" (Strongly recommended if you build iptables as modules) (Only available in newer 2.6 kernels) - "Networking", "Networking Support", "Networking Options" : - "Packet socket" (If you want to use dhcp client and/or server) - "TCP/IP networking" - "IP: Multicasting" - "IP: advanced router" - "IP: policy routing" (If you want to use load balancing, eg. multiroute masquerading) - "IP: equal cost multipath" (If you want to use load balancing, eg. multiroute masquerading) - "IP: TCP syncookie support" - ("Network packet filtering") - "Core Netfilter Configuration" (For kernel >= 2.6.16) - "Netfilter Xtables support (Required for ip_tables)" - "MARK" target support (Only required for special purposes like eg. traffic shaping & kernel 2.6 VPN support) - "conntrack" connection tracking match support - "limit" match support - "mac" address match support (If you want to use MAC filtering) - "state" match support - "tcpmss" match support (If you want to use tcpmss clamping) - "IP: Netfilter Configuration": - "Connection tracking" - "Connection tracking flow accounting" (If you want to do accounting on your network traffic) 
(kernel 2.6 only) - "FTP protocol support" - "IP tables support" (NOTE: The order of sub-options can differ between kernel versions): - "Multiple port match support" - "TOS match support" (If you want to use TOS mangling) - "recent match support" (required for IDS & SSH brute-force protection) - "TTL match support" (If you want to use TTL manipulation) - "limit match support" (kernel <2.6.16) - "MAC address match support" (If you want to use MAC filtering) (kernel <2.6.16) - "Multiple port match support" (kernel <2.6.16) - "tcpmss match support" (If you use tcpmss clamping) (kernel <2.6.16) - "Connection state match support" (Kernel <2.6.16) - "Packet filtering" (kernel <2.6.16) - "REJECT target support" - "LOG target support" - "TCPMSS target support" (If you want to use tcpmss-clamping) - "Full NAT" (If you use NAT/masquerading aka internet-sharing or transparent proxies) - "MASQUERADE target" (If you want to use masquerading) - "REDIRECT target support" (If you want to use port-forwarding, port-redirection or transparent proxies) - "Packet mangling" - "TOS target support" (If you want to use TOS mangling) - "MARK target support" (Only required for special purposes like eg. traffic shaping & kernel 2.6 VPN support) (kernel <2.6.16) - "TTL target support" (If you want to use TTL manipulation) Kernel configuration - Special issues ------------------------------------- Some kernel versions, or series of versions, may have unique issues; below are topics related to the scope of this firewall script. 1) Starting with kernel version 2.6.27, CONFIG_NF_CT_ACCT is deprecated. As a result, when the "nf_conntrack" module is loaded and the kernel has CONFIG_NF_CT_ACCT=y set, the following message is displayed: "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or sysctl net.netfilter.nf_conntrack_acct=1 to enable it." The message is harmless, and can be safely ignored. 
The main script also sets net.netfilter.nf_conntrack_acct=1 in the case CONFIG_NF_CT_ACCT is not set. However, if you find this message annoying, it can be silenced via "make menuconfig": -- Core Netfilter Configuration -- Netfilter connection tracking support [ ] Connection tracking flow accounting If "Connection tracking flow accounting" can't be disabled, then disabling < > "connbytes" per-connection counter match support may be required because of dependencies. The resulting configuration settings are: CONFIG_NF_CONNTRACK=m # CONFIG_NF_CT_ACCT is not set # CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set CONFIG_NF_CT_ACCT was scheduled to be removed in 2.6.29, but has not yet been removed, as of writing.