aif-2.1.2a/CHANGELOG

Version 2.1.2a (July 12, 2024)
------------------------------
! dig wrapper function was broken since 2.1.2
* No longer send nslookup/dig stderr to /dev/null

Version 2.1.2 (May 16, 2024)
----------------------------
* Enable IPv6 name record lookups for dig-wrapper. This indirectly enables IPv6/AAAA-record support for dyndns-host-open (& traffic-accounting) plugin
! Prevent systemd from terminating the job manager when some rules fail
* Renamed xxx_OUTPUT to INET_OUTPUT_xxx for clarity/consistency
+ Additional INET_OUTPUT_xxx settings to have better control of internet access on this machine
* Reorder some code/settings for clarity/consistency

Version 2.1.1a (February 28, 2023)
----------------------------------
! Newer kernels no longer provide sysctl net.netfilter.nf_conntrack_helper. Workaround by performing kernel version check
* Move start script handling from configure script to install script
+ Missing LAN_LAN_OPEN_ICMP setting

Version 2.1.1 (September 16, 2020)
----------------------------------
* Improve stdout/stderr handling in ip4tables/ip6tables/ip4tables_restore/ip6tables_restore functions
! ip4tables/ip6tables functions were broken for multiline results since 2.1.0, breaking eg. the traffic-accounting plugin
+ Enable logrotate for /var/log/arno-iptables-firewall
* Cleanup log handling + rename /var/log/firewall.log to /var/log/arno-iptables-firewall
* Refactor lock_enter/lock_enter_single
! Stale lock file removal didn't work properly
* Detect if dist version is already installed and generate a warning in that case
* Get rid of ENV_FILE/PLUGIN_CONF_PATH/PLUGIN_BIN_PATH setting in config file and improve autodetection

Version 2.1.0 (January 3, 2020)
-------------------------------
! systemd script had private tmp enabled causing problems with the job manager
* Use start-stop-daemon to start the job manager. Hopefully fixes the issue of it sometimes terminating suddenly
* Some tweaks/cleanups for the job manager
! Potential systemd service file shutdown problem (thanks to Sven Geuer from Debian upstream)
* Have installer install rsyslog config file, if rsyslog is available
! Fixed (dynamic) host multi IP handling in plugins
* Default FRAG_DROP to off
* Tweaks in the job manager process

Version 2.1.0-RC2 (February 13, 2019)
-------------------------------------
! ipt_if() expansion didn't work as it should
* Improve copy/overwrite logic in install.sh
* Tweak job manager start/stop logic

Version 2.1.0-RC1 (February 10, 2019)
-------------------------------------
! The install and configure scripts didn't work properly on systems without an /etc/init.d directory (eg. Arch Linux)
! Error handling in the plugin helpers was broken
* Workaround non-working + interface wildcard in nftables's iptables binary
* It's useless to reset the counters when we've just flushed all chains
- Get rid of the BAD_TCP_FLAGS setting, which in fact always was a "bad tcp options" setting. This also fixes problems with nftables's iptables emulation
! aif-job-processor lock was not removed when jobs file became empty
* Change FRAG_LOG option to FRAG_DROP to allow disabling fragment dropping (eg. for broken nftables)
* Backport systemd updates/improvements from Debian (thanks Sven Geuer)

Version 2.1.0-BETA1 (June 29, 2018)
-----------------------------------
* Move dynamic host handling (no longer via DynDNS-host-open plugin but handled internally)
+ Capability for hostnames resolving to multiple IPs in dynamic host support
+ New job manager to accommodate improved (plugin) helper support (replaces cron jobs)
* Move duplicate code from some of the plugins to environment (like locking for instance)
* Various other tweaks/refactoring

Version 2.0.3 (June 28, 2018)
-----------------------------
! Missing mention in man page of arno-fwfilter's --no-resolve option
! Various fixes in the installer
* Improvements in the parasitic net plugin
* Various tweaks

Version 2.0.2a (October 26, 2017)
---------------------------------
! Fixed log line being too long (>28 chars)
! Fixed systemd installation failing on some systems
! Service file should start AIF after network is up and local filesystems are mounted
* Tweaks/improvements in configure/install scripts

Version 2.0.2 (July 28, 2017)
-----------------------------
+ Added new Parasitic Network plugin, allows "clients" on the same subnet to use this device as a gateway upstream.
* Improve lock-file handling in the "DynDNS Host Open" and "Traffic Accounting" plugins.
+ Disable nf_conntrack automatic helper assignment when possible, attach with CT target, Issue #35
! Fixed IPv6 NAT table was not flushed on start/stop/restart, Issue #36
+ Added EXT_IF_DHCPV6_IPV6 config variable supporting DHCPv6 when DHCP is not enabled, Issue #34
+ Added ability to selectively log blocked hosts by inbound and outbound direction. BLOCKED_HOST_LOG options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound

Version 2.0.1g (October 11, 2016)
---------------------------------
+ Added new BLOCK_NETSET_DIR variable which efficiently creates ipsets for blocklists using .netset files.
+ Added expert DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6 variables when BLOCK_NETSET_DIR is defined.
+ Added ipset support when IPTABLES_IPSET=1 and ipset is installed, disabled by default, Issues: #1, #24, #31
+ Added LAN to DMZ forwarding policy, new optional LAN_DMZ_ALLOW_IF variable, Issue #30
+ Added NAT_IF option to optionally specify external interfaces to be used for NAT
+ Added LAN to LAN (Inter-LAN) filtering rules, LAN_LAN_HOST_OPEN_xxx, Issue #28
- Removed unused INT_FORWARD_IN_CHAIN and INT_FORWARD_OUT_CHAIN user chains, related to Issue #28
  Note: Any custom rule or plugin should generally use the FORWARD_CHAIN or POST_FORWARD_CHAIN to access the FORWARD chain. Additionally, the new LAN_LAN_HOST_OPEN_xxx rules natively handle Inter-LAN filtering.
* New support for ICMPv6 Multicast Listener Discovery, enable with OPEN_ICMPV6_MLD=1, disabled by default
* Keep external ICMPv6 packets appearing as annoying logs, common with native IPv6 ISP's. Thanks to David Kerr
+ Added new PPTP VPN Passthrough plugin, suggested by Yuriy Cherniavsky, Issue #27
* Detect and remove stale lockfiles for plugin helpers
! Support kernel version check where "uname -r" doesn't contain a '-' character
! Leave the IPv6 sysctl accept_ra setting alone when forwarding=1, fixes WAN DHCPv6-client, Issue #21

Version 2.0.1f (October 1, 2015)
--------------------------------
* Honour Debian recommendations for systemd service file
! Enable xtables lock "wait" option found in iptables 1.4.20+, Issue #17
! Using NAT_STATIC_IP with multiple ext interfaces would fail in case not enough ext IPs were specified
* Don't hardcode IP4TABLES/IP6TABLES binary in the config file. Just autodetect it like the other binaries
! Misc. fixes for newer SuSE & Redhat systems concerning systemd & init
* Moved get host cache logic from traffic accounting plugin to environment to avoid (future) code duplication
! Fixed NAT_LOCAL_REDIRECT=1 packets from being logged as if they were dropped
+ Added tcp_be_liberal option
+ Allow rp_filter to be mode 2 (loose)
! Fixed functions get_ifs() and get_ips() with a '#', distinguish IPv4 from VLAN interfaces and check for IPv6 addresses (thanks to Mike C. Fletcher)
* Improve y/n user handling
* Improve log handling for dyndns plugin
+ Try to auto detect external net settings automatically on start
* Improve error handling especially for plugins
* Several plugin updates

Version 2.0.1e (February 2, 2014)
---------------------------------
* Updated arno-fwfilter
* Updated install.sh for Git
* traffic-shaper plugin, allow DOWNLINK=0 to disable inbound (ingress) shaping
* Updated Gentoo init script (thanks to Erki Ferenc)
- Removed some Gentoo specific stuff that isn't required anymore
- Removed TRACE option. It's broken and there's no good way to implement it
+ Added DMZ_INPUT_DENY_LOG variable support for default "AIF:DMZ-INPUT denied:" logs, "0" disables logs
+ Added DMZ_OUTPUT_DENY_LOG variable support for default "AIF:DMZ->LAN denied:" logs, "0" disables logs
* DYNDNS & Traffic Accounting Plugin refactor
* Misc. tweaks

Version 2.0.1d (November 16, 2012)
----------------------------------
+ Reintroduce DNS fast fail option + add additional option (DNS_FAST_FAIL_ONCE) to allow plugins to use it
+ Added nat-loopback plugin for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules.
+ Added new main command 'status-plugins [name]'. Useful [name] values are: dyndns-host-open, multiroute, nat-loopback, rpc, traffic-accounting and traffic-shaper. When [name] is specified, only that plugin is shown.
  For example:
    $ arno-iptables-firewall status-plugins
      (shows the status results of all plugins)
    $ arno-iptables-firewall status-plugins dyndns-host-open
      (shows only the status results of the dyndns-host-open plugin)
+ Added outbound-snat plugin: when a NAT'ed external interface has multiple IPv4 addresses, it may be desirable to specify which internal IPs or CIDRs use which external IPv4 addresses for outbound connections.
! Fixed modprobe() function when using kmod. Apparently kmod doesn't echo anything (to stderr) when a module is not found?!
! Fix logging dropped packets matching (ie, not just TCP) for LAN_INET_FORWARD_CHAIN and DMZ_INET_FORWARD_CHAIN.
+ Added new variables LAN_INET_DEFAULT_POLICY_DROP, DMZ_INET_DEFAULT_POLICY_DROP and LAN_DEFAULT_POLICY_DROP to define the default policies. When undefined the 'automatic' policy is the default as with all previous versions.
* Allow plugins to maintain a dynamic chain (e.g. MINIUPNPD) in the nat table and not get automatically flushed on a restart.
* Improved traffic-accounting & dyndns-host-open plugins with a new host cache mechanism

Version 2.0.1c (June 27, 2012)
------------------------------
! Fix a script 'IFS' issue if IPv6 and DMZ are enabled together with DMZ_HOST_OPEN_IP (thanks to Ingmar Schraub)
! Newer kernels (3.4+) replaced ipt_LOG & ip6t_LOG with xt_LOG (thanks to Adam Young)

Version 2.0.1b (March 16, 2012)
-------------------------------
! RESERVED_NET_DROP only worked when RESERVED_NET_LOG was enabled (regression) (thanks to gregoryach@gmail.com)
! Removed stray line in install.sh
* Updated/corrected documentation

Version 2.0.1a (March 7, 2012)
------------------------------
* Misc. tweaks for arno-fwfilter (thanks Mark van Dijk)
* Use ls instead of [ -n (find) ] as it's much faster (thanks Lonnie)
* As with previous versions, when LAN_INET_OPEN_xxx and LAN_INET_HOST_OPEN_xxx are NOT defined the default LAN->INET policy is ACCEPT. What changed is that when *any* of these variables are defined the default LAN->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* As with previous versions, when DMZ_INET_OPEN_xxx and DMZ_INET_HOST_OPEN_xxx are NOT defined the default DMZ->INET policy is ACCEPT. What changed is that when *any* of these variables are defined the default DMZ->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* Tweak the handling of some of the sysctl kernel settings. This now also allows disabling setting/resetting some settings (like forwarding)
* Default UDP connection timeout to 60 seconds
+ Added support for new LOCAL_CONFIG_DIR variable, defaults to "/etc/arno-iptables-firewall/conf.d" (Debian bug #658458)
! Set default policy to DROP if either LAN_INET_HOST_OPEN_xxx or DMZ_INET_HOST_OPEN_xxx are defined, to match the documentation. (thanks Schilling Thomas Ing for reporting)
* Improve documentation

Version 2.0.1 (December 18, 2011)
---------------------------------
- Removed DNS_FAST_FAIL & RESOLV_IPS since they are both obsolete
* Few changes in the install/uninstall scripts. eg. arno-fwfilter now installs to /usr/local/bin instead

Version 2.0.1-BETA1 (October 10, 2011)
--------------------------------------
! Fixed kernel_ver_chk() function to properly handle kernel 3. (thanks Gunawan Lim for reporting)
! Fixed variables containing REJECT_UDP with IPv6 enabled, it should use 'icmp6-addr-unreachable' for IPv6.
* Updated "DynDNS Host Open" and "DMZ-DNAT" plugins to use new parse_rule() function.
* AIF variables are now parsed with a common function, now missing fields are logged with a warning.
* Misc. tweaks

Version 2.0.0c (July 28, 2011)
------------------------------
* Call insserv during configure, when available. This is required for eg. Debian/Ubuntu systems that use dependency based booting
! Fixed MULTICAST jumping: it should be done at the end of the EXT_INPUT_CHAIN, not at the beginning, else users won't be able to create "normal" rules for it
* Updated several plugins
* Several tweaks

Version 2.0.0b (March 25, 2011)
-------------------------------
+ Perform kernel check when IPv6 support is enabled
- Don't auto detect external interface settings during configure. It's too confusing and fills out the wrong values for certain setups (like laptops that are moved around)
+ Show platform information on start/restart when verbose
! remove bash-ism related to traffic-shaper plugin (Reported by Debian upstream, Debian bug #619496)
! remove bash-ism in ipsec-vpn plugin (Reported by Debian upstream, Debian bug #617510)
! workaround Busybox 'ash' bug when IPV6_SUPPORT is enabled
+ Added pptp-vpn plugin for local PPTP server support
! arno-fwfilter uses incorrect URL for location lookup (Debian bug #613631, thanks to Tony Evans for the patch)
+ Drop all IPv6 packets with Routing Header Type 0, new variable IPV6_DROP_RH_ZERO (thanks Klemen Mihevc)
! Fixed handling HOST_OPEN_ICMP, HOST_DENY_ICMP_NOLOG and HOST_DENY_ICMP variables with IPv6 addresses. (thanks Klemen Mihevc)
* Tweaked NAT module loading + cosmetics. iptable_nat is a required module for AIF because of the plugin framework/helper chains, so it's wrong to only load it when NAT is enabled in the main script.

Version 2.0.0a (December 30, 2010)
----------------------------------
! Set IFS=' ' in our batch-functions else the wrappers fail in some cases
- Removed old legacy plugin support that used the PLUGIN_PATH variable
! Fixed an issue when the value of IPV6_SUPPORT was changed then followed with a 'restart'
* (Cosmetic) tweaks

Version 2.0.0 (November 15, 2010)
---------------------------------
! dig wrapper using nslookup, extract IPv4 addresses over IPv6 addresses
* ipsec-vpn plugin, removed unnecessary EXT_INPUT_CHAIN rule and added IPv6 support for matching AH headers

Version 1.9.9-RC1 (October 25, 2010)
------------------------------------
- Removed deprecated check_binary() function from environment
+ Added support for an optional plugin_restart() function in plugins using a new plugin template, while supporting previous plugins without a plugin_restart() function
* Refactor load_modules() using our new modprobe_multi()
* Allow modprobe_multi() function arguments to be grouped by a comma
+ Use IDENT environment variable for plugins
+ Added SHAPER_IF variable to traffic-shaper plugin to specify a single external interface should the default EXT_IF value contain more than one interface
+ Added SIP_VOIP_REMOTE_HOSTS variable to sip-voip plugin to limit access by source address
- Removed obsolete module_probe() function. Use modprobe() instead
+ Added IPV6_AUTO_CONFIGURATION variable to control autoconf when IP_FORWARDING = 0
+ Added IPV6_OVER_IPV4_SERVER variable for ipv6-over-ipv4 plugin, restricting 6to4 source packets
* Misc. tweaks & fixes

Version 1.9.9-BETA1 (October 8, 2010)
-------------------------------------
* Refactor setting kernel parameters
! Revert change that didn't masquerade IPv6/proto 41, so outgoing forwarded connections work properly
+ Added EXTERNAL_DHCPV6_SERVER variable to allow DHCPv6 clients on the *external* interface
* The default INET->DMZ policy is now DROP. Common variables this change may affect are: INET_DMZ_HOST_OPEN_xxx and INET_DMZ_OPEN_xxx
+ Added support for Link-Local-Multicast ICMPv6 echo-request packets
+ Added LINK_LOCAL_DROP_LOG variable which controls logging of dropped IPv6 Link-Local addresses.
+ Added FORWARD_LINK_LOCAL variable which, by default (0), disables forwarding of IPv6 Link-Local addresses.
+ Added EXT_MULTICAST_CHAIN to handle external-inbound multicast traffic
+ Added DHCPv6 support for the EXT_IF_DHCP_IP variable.
+ Added a new variable FORWARD_DROP_LOG to disable logging dropped forwards when set to 0, defaults to 1.
! Fixed handling of destination host~port fields where only the host was specified.
+ Added a new set of variables INET_FORWARD_xxx to allow forwarding INET IPv6 and non-NAT'ed IPv4 packets to other interfaces. The format is similar to the IPv4 NAT_FORWARD_xxx without port mapping.
+ Added a new variable OPEN_ICMPV6 to allow independent control of INET ICMP for IPv4 and IPv6, enabled by default.
! Fixed handling of INET_DMZ_HOST_OPEN_xxx variables
! Fixed handling of INET_DMZ_HOST_DENY_xxx variables
! Fixed handling of INET_DMZ_DENY_TCP
! Fixed variable typo, INET_DMZ_HOST_DENY_TCP was not handled
+ Added IPv6 reserved network support, label logs by IPv4 and IPv6
! Fixed RESERVED_NET_LOG is now independent from DROP_PRIVATE_ADDRESSES
+ Added option to the configure script to enable/disable IPv6 + several tweaks
* Sanity check should always be the first thing we do since we probably can't write the log-file in case we're not root
+ Automatically disable IPV6_SUPPORT if IPv6 is not detected in the kernel
+ Add support for mixed IPv4/IPv6 when IPV6_SUPPORT=1

aif-2.1.2a/README

-= Arno's Iptables Firewall (AIF) =-
Single- & multi-homed firewall script with DSL/ADSL support
~ In memory of my dear parents ~

(C) Copyright 2001-2024 by Arno van Amersfoort & Lonnie Abelbeck
Web   : https://github.com/arno-iptables-firewall/aif
Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
        (note: you must remove all spaces and substitute the @ and the . at the proper locations!)
-------------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-------------------------------------------------------------------------------

A MESSAGE FROM THE AUTHOR:
--------------------------
Almost *all* my work is distributed under the terms of the GNU GPL License, which means it's free (open-source) software. If you like my work or you want me to implement a certain feature, you are encouraged to donate money. You can (preferably) donate directly to me through my bank account (mail me for my IBAN number (International Bank Account Number)).

My favourite charity organisations are:
- foundations for cancer research (in The Netherlands: "KWF Kanker Bestrijding");
- foundations for brain disease research (in The Netherlands: "De Hersenstichting");
- foundations for the welfare of animals ("IFAW" or in the Netherlands: "De Dierenbescherming")

Note that *ALL* donations I receive go to one of the above foundations.

IMPORTANT NOTE:
---------------
I don't provide end-user support by email; I'm simply too busy to help everybody out with every (trivial) issue. Bugs may be reported on Github. Please ask any other questions on Stackexchange/Stackoverflow/Reddit/etc. Also consult the FAQs before reporting a problem/question. Furthermore, read the information in the troubleshooting section below!
An explanation of the files in the package:
-------------------------------------------
/bin/arno-iptables-firewall :
  The actual firewall script, core of Arno's Iptables Firewall (AIF). You should put this file in eg. /usr/local/sbin/. You should make sure it's executable (use "chmod 700" or "chmod +x").

/bin/arno-fwfilter :
  A pipe filter script to make the firewall log more readable. It can be used for example in conjunction with tail to log your firewall to local tty10 (-12). It can be used for both /var/log/messages and /var/log/firewall (or whatever name you configured in syslogd), depending on the log-level specified in the configuration file. An example of how to use it can be found at the beginning of the fwfilter script. Any options for fwfilter can be configured within the script itself. You should put this file in eg. /usr/local/bin/.

/etc/arno-iptables-firewall/firewall.conf :
  The configuration file used for Arno's Iptables Firewall (AIF). Normally you should put it in /etc/arno-iptables-firewall/. Make sure root is owner/group (with "chown 0:0").

/etc/arno-iptables-firewall/plugins/ :
  Any plugin config files (.conf files) are stored here.

/etc/arno-iptables-firewall/conf.d/ :
  Put any (override) configuration files in this directory. Any files here with a .conf extension(!) will be sourced AFTER the main firewall.conf file has been read.

/etc/arno-iptables-firewall/custom-rules :
  Put any (iptables) custom rules in this file. This file should be put in /etc/arno-iptables-firewall/. Make sure root is owner/group (with "chown 0:0").

/lib/systemd/system/arno-iptables-firewall.service :
  The systemd service file. Depending on your system it should be put in either /usr/lib/systemd/system, /lib/systemd/system or /etc/systemd/system.

/etc/init.d/arno-iptables-firewall :
  The init.d script (for older systems still using init.d). On some (older) distributions you may need to put it in /etc/rc.d/ (instead of /etc/init.d). You should make sure it's executable (use "chmod 700" or "chmod +x"). Inside this script you can also enable VERBOSE(=1) logging for eg. debugging purposes.

/share/arno-iptables-firewall/environment :
  This is the environment file required by the firewall and plugins. It contains several global functions. It should normally be put in /usr/local/share/.

/share/arno-iptables-firewall/plugins/ :
  Put any plugin binaries (.plugin files) for my firewall in this directory. It should normally be put in /usr/local/share/.

/share/man/man8/arno-iptables-firewall.8 :
  A man page for the arno-iptables-firewall script.

/share/man/man1/arno-fwfilter.1 :
  A man page for the arno-fwfilter script.

/CHANGELOG :
  The version changelog of my firewall.

/README :
  "This" file.

/configure.sh :
  Script to set up a basic configuration.

/install.sh :
  Install script to deploy my firewall on your system.

/uninstall.sh :
  Uninstall script to remove my firewall from your system.

/contrib/ :
  Directory containing any misc. (user contributed) files (scripts etc.). It also contains examples on how to modify your syslogger to log your firewall stuff into a separate file.

-----------------------------------------
| Some IMPORTANT (security) information |
-----------------------------------------
1) If possible, try to start the firewall before you enable your (ADSL) internet connection. For a ppp interface that doesn't exist yet you can use the wildcard device called "ppp+" (but you can only use ppp+ if there aren't any other ppp interfaces!).

2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't really understand what they mean. Changing them anyway could have a big impact on the security of your machine.

3) I get a lot of emails from people complaining that their webserver etc. stopped working after installing my firewall. This is the CORRECT behaviour for a firewall: BLOCKING ALL incoming traffic by default! Configure eg. your OPEN_TCP accordingly!
-----------------
| General hints |
-----------------
1) For IPv4 addresses you can use IP ranges in all variables by specifying them as eg. "192.168.1.10-50" (which would make the range start at 192.168.1.10 and end at 192.168.1.50). Note that this only works for Class-C (/24) ranges, so specifying eg. 192.168.1.1-192.168.2.1 does NOT work!

2) My firewall has mixed IPv4/IPv6 support. You can switch from IPv4-only to IPv4/IPv6 support by simply setting "IPV6_SUPPORT=1" in the config file.

3) You can use the $ANYPORT and $ANYHOST macros to specify "ALL ports" or "ALL hosts" in the configuration variables/rules.

4) The configuration variables use several "special" (separator) characters:
   ' ' (space) : Used to separate rules (eg. 'rule1 rule2')
   ','         : Used for lists of ports, hosts or protocols (eg. '21,22,23')
   '~'         : Used for host-port separation (eg. '192.168.1.1~22')
   '>'         : Used for source-to-target separation (eg. '192.168.1.1>10.0.0.3')
   '#'         : Used for external interface(-IP) restrictions (eg. 'eth0#rule'). Also see 5)
   You may want to have a look at the configuration file in /etc/arno-iptables-firewall/ for additional information (and examples).

5) For configuration variables/rules which are related to the external (internet) interface, one can restrict the interface(s) to which they are applied by adding either "{interface1,interface2,...}#" or "{interface_ip1,interface_ip2}#" at the beginning of the rule. The latter is especially handy for aliased interfaces.
   Example 1: OPEN_TCP="eth0#22" would only open TCP port 22 (SSH) for interface eth0
   Example 2: OPEN_TCP="1.2.3.4#22" would only open TCP port 22 (SSH) for the interface which has the IP 1.2.3.4
   This feature can also be used to enable NAT port forwarding for certain (external) interfaces. Examples:
   Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means:
     - Forwards TCP port 22;
     - Forward is available for the whole world (0/0);
     - Forward is applied to eth0 only;
     - {internal_host} is the host the port should be forwarded to.
   Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means:
     - Forwards TCP port 80;
     - Forward is available for the whole world (0/0);
     - Forward is applied to the (external) (aliased) interface with IP 1.2.3.4;
     - {internal_host} is the host the port should be forwarded to.

6) Port ranges should be written as port_start:port_end, eg. "137:139" would select ports 137, 138 and 139.

---------------
| Quick setup |
---------------
If you want to have it running ASAP or are a novice user, then this is the part that's important. Remember that my firewall has a lot of other useful features which will NOT be used in this way. On the other hand, various security features are enabled by default to protect you from hostile attacks.

1) First we have to check whether your Linux setup is OK in order to make the script work correctly:
   - It needs iptables and iproute(2) to be installed (they probably come as packages with your distro).
   - It requires a POSIX compliant /bin/sh (should live on any UNIX system by default).
   - My scripts need the following binaries (in your path): iptables (obviously), ip (from the iproute package), sysctl, modprobe, logger, uname, date, awk, tr, grep, sed, cut, head, tail, wc, which, & cat.
   - If you plan to use DNS resolving (eg. for certain plugins) then the binary 'dig' (from the dnsutils package) or, as a fall-back, 'nslookup' should also be available.

2) Now we need to determine whether you have a single- or dual-homed machine. Single means you ONLY have one network interface, which is the one connected to the outside "evil" world (internet). Dual-homed machines also have a local subnet connected to an additional network interface.
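The rule syntax from the general hints above (the '#' interface restriction, the '~' host-port and '>' source-to-target separators, and the Class-C '-' range shorthand) worked through in POSIX sh. This is an added example written for this README, not code from AIF itself (AIF has its own parse_rule() in the environment file, which is not used here); the function names and output format are my own, and the target hosts are constructed values standing in for {internal_host}.

```shell
#!/bin/sh
# Added example: split an AIF-style rule into its fields and expand the
# Class-C range shorthand. Hypothetical helpers, not AIF's own parser.
# Rule shape (README hints 4-6): [iface_or_ip#][host(s)~]port(s)[:port_end][>target]

# aif_parse_rule RULE
# Prints "iface=... src=... port=... target=..." on one line.
# Variables are global on purpose: POSIX sh has no 'local'.
aif_parse_rule() {
  rule="$1"
  # Without a '~' the rule is just port(s), open to the whole world (0/0),
  # which is how the README's OPEN_TCP="21 22 80" example reads.
  iface=""; src="0/0"; port=""; target=""

  # '#' separates an (external) interface or interface-IP restriction
  case "$rule" in
    *\#*) iface="${rule%%#*}"; rule="${rule#*#}" ;;
  esac

  # '>' separates the source side from the forward target
  case "$rule" in
    *\>*) target="${rule#*>}"; rule="${rule%%>*}" ;;
  esac

  # '~' separates host(s) from port(s)
  case "$rule" in
    *~*) src="${rule%%~*}"; port="${rule#*~}" ;;
    *)   port="$rule" ;;
  esac

  printf 'iface=%s src=%s port=%s target=%s\n' "$iface" "$src" "$port" "$target"
}

# aif_expand_range RANGE
# Expands "192.168.1.10-50" to "192.168.1.10-192.168.1.50".
# Returns 1 (printing nothing) when the range does not stay inside one /24,
# e.g. "192.168.1.1-192.168.2.1", which the README says is not supported.
aif_expand_range() {
  range="$1"
  case "$range" in
    *-*) ;;
    *) printf '%s\n' "$range"; return 0 ;;   # a single host, nothing to expand
  esac
  start="${range%%-*}"
  end="${range#*-}"
  case "$end" in
    *.*) # a full address was given: only valid inside the same /24
         [ "${start%.*}" = "${end%.*}" ] || return 1
         last="${end##*.}" ;;
    *)   last="$end" ;;
  esac
  # the end octet must be numeric, >= the start octet and <= 255
  case "$last" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$last" -ge "${start##*.}" ] && [ "$last" -le 255 ] || return 1
  printf '%s-%s.%s\n' "$start" "${start%.*}" "$last"
}

# Usage with the README's own examples (10.0.0.5 / 10.0.0.6 are constructed targets):
aif_parse_rule 'eth0#0/0~22>10.0.0.5'
aif_parse_rule '1.2.3.4#0/0~80>10.0.0.6'
aif_parse_rule '21,22,80'
aif_parse_rule '192.168.1.1~137:139'
aif_expand_range '192.168.1.10-50'
aif_expand_range '192.168.1.1-192.168.2.1' || echo "unsupported range: spans more than one /24"
```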
3) Run the install script and follow the instructions: ./install.sh
   a) Configure your external network interfaces, EXT_IF. In case of a dual-(multi-)homed machine it's the interface which is connected to the internet; in case of a LAN it's the one connected to your network. When you have a (dynamic) IP assigned to you (by your ISP) via DHCP, you should set "EXT_IF_DHCP_IP=1", else leave it off (0, default). If you have multiple (non-aliased) external interfaces, you should specify them ALL here (space separated). Note that for aliased interfaces you should only specify the "parent" interface in EXT_IF. So if you have eth0, eth0:1 and eth0:2, you should make EXT_IF="eth0" (only).
   b) When your public IP is assigned to you by your ISP (through DHCP) then you should enable support for a DHCP-assigned external IP.
   c) Now we configure what ports should be open for the outside world. If you eg. are running an HTTP server (port 80), an SSH server (port 22), and/or an FTP server (port 21) which should be accessible from the internet, you should configure the OPEN_TCP / OPEN_UDP variables like this:
      OPEN_TCP="21 22 80"
      OPEN_UDP=""
   d) For dual-homed machines you should also configure INT_IF, the interface used for the local network, and you should set your local subnet range in "INTERNAL_NET=". If you want your internal network to be able to access the internet (aka. internet sharing), you should also enable NAT (masquerading) by setting "NAT=1". For single-homed machines (part of a LAN), you shouldn't touch INT_IF (leave it disabled) and just stick to using EXT_IF.

4) Now your firewall is ready, but I'd suggest reviewing this additional info:
   a) In case you use an (A)DSL modem (which works with a PPtP connection to your machine) you should enable the dsl-ppp-modem plugin (you can verify this with 'ifconfig': if a ppp device with your public IP exists you need this). We must enable/configure the dsl-ppp-modem plugin via /etc/arno-iptables-firewall/dsl-ppp-modem.conf by setting ENABLED=1. Now we must configure the network interface (ethX) to which your modem is physically connected (=MODEM_IF, which is commented (#) out by default), and this is NOT ppp+, ppp0 etc.! Here are some examples on how to do it for some providers (it's assumed that the modem is connected to eth0):

      PPPoE connection with a static public IP (eg. MxStream in the Netherlands) (setup with the ADSL4Linux package from http://www.adsl4linux.nl):
      - MODEM_IF="eth0"
      - MODEM_IF_IP="10.0.0.150"
      - MODEM_IP="10.0.0.138"      # Make sure this IP corresponds to the one used by your modem!

      T-DSL (Germany) with a dynamic public IP:
      - MODEM_IF="eth0"
      - MODEM_IF_IP="192.168.99.1"
      - MODEM_IP=""

      PPPoA connection with a dynamic public IP:
      - MODEM_IF="eth0"
      - MODEM_IF_IP=""             # This MUST be unset ("") (default)
      - MODEM_IP="10.0.0.138"      # Make sure this IP corresponds to the one used by your modem!

      NOTE 1: For extra security you *can* set the IP of your modem (MODEM_IP), but it's not necessary (anymore). If you don't know its IP or believe it doesn't have an IP, you can leave MODEM_IP="". The same applies to the IP of the modem network interface (MODEM_IF_IP).
      NOTE 2: If both your modem AND your network interface don't have an IP you probably don't have to configure your modem settings (at all).
      NOTE 3: In case of PPPoA (PPP-over-ATM) you MUST leave MODEM_IF_IP empty (="")!
      NOTE 4: Don't forget to set EXT_IF_DHCP_IP=1 in firewall.conf too, in case your ISP uses DHCP.
   b) In case you're on a corporate network which uses public IPs, I'd suggest adding your local subnet (range) to "FULL_ACCESS_HOSTS".
   c) Some people mentioned that protocols like IRC or some (older) FTP/POP3/SMTP servers don't work (properly) if port 113 (Identd) is filtered (firewalled). I really hate the fact that these types of protocols still depend on the "not-so-secure" IDENT protocol.
      But if you really need it, you can do 2 things to make them work properly:
      1) If you don't want to run an IDENT daemon, simply add port 113 to the REJECT_TCP variable (Recommended).
      2) Or if you really want to run an IDENT daemon, you should add port 113 to the OPEN_TCP variable. (Not recommended)

5) You're now ready to start the firewall by issuing: "/etc/init.d/arno-iptables-firewall start"
   Everything should be working OK now; if it doesn't, carefully review all steps and your configuration. For troubleshooting you can first consult the FAQs on my webpage.

   NOTE 1: Make sure that when you use NAT, you properly configure the client's "default gateway" and the (public) DNS server(s) it should use! Note that you don't have to set up any proxy settings in eg. your client's browser.
   NOTE 2: Additional (more advanced) options are (also) explained in the configuration-file comments and in the QA's on my webpage (eg. IPSec VPN support).

Troubleshooting: What if it doesn't work?
------------------------------------------------------------------------------
1) Check your settings (.conf) at least 10 times. It's quite common for a human being to make mistakes.
   TIPS / Common errors:
   - Make sure that EXT_IF, MODEM_IF and/or INT_IF are not the same. If they are, YOU made a mistake, as they can never EVER be the same!
   - Another error I once saw was someone that used something like "127.0.0.0/24" for his local subnet. "127.0.0.0" is the address of the local loopback and therefore should never ever appear in the configuration file!
2) Obtain the latest version of your (distribution) kernel & iptables.
3) Make sure your (self-built) kernel supports all required options.
4) Carefully inspect the output generated when issuing "arno-iptables-firewall start".
5) Read the README file at least 3 times.
6) Download the latest (beta) version of my script and check whether this fixes your problem.
7) Read the README file one more time and review your .conf-file also one more time, just in case ;-)
8) Do NOT send enduser requests to my personal email address, instead post your question/problem on the firewall mailing list. Provide us with:
   - your (firewall) *.conf files
   - the screen output of "/usr/local/sbin/arno-iptables-firewall start" (or wherever it is located)
   - the output of 'ifconfig'
   - (firewall) logs
   - the version of my script you're using (or date if you use the development script)
   - detailed explanation of your setup
   - and anything else that might help
   Remember that people that don't obey these rules get a low, very low priority, or won't get any reaction at all!

Plugin support
------------------------------------------------------------------------------
As of version 1.8.7-RC2 my firewall also supports plugins -> little scripts that implement specific functionality.

Notes on plugins:
-----------------
1) Plugin config files can be found in /etc/arno-iptables-firewall/plugins/
2) All plugins have an option called "ENABLED" (in their config file) which is set to 0 by default, meaning it is disabled. So if you actually want to use a plugin, you have to set ENABLED=1
3) Plugins can have their own additional set of configuration variables, don't forget to set/review those too.

Everyone is invited to write their own plugins to implement other things, and to submit them to us.

Notes on writing your own plugins
---------------------------------
1) When you write your own plugins, make sure you know what you're doing. You can severely compromise security or break things with buggy plugins.
2) Submit plugins to me, if you think they can be of use to others, but note that I always reserve the right to decline the plugin (because it was eg. poorly written). Submitted plugins must be (at least) compatible with the GPLv2 license.
3) The plugin should have/use these variables:
   - PLUGIN_NAME (Plugin name/description)
   - PLUGIN_VERSION (Plugin version)
   - PLUGIN_CONF_FILE (Location of the plugin config file)
   Furthermore it should honour the ENABLED variable from the config-file to enable/disable the plugin. Use one of my plugins as a template (skeleton) for writing your own plugins (I recommend having a look at the "SSH Brute-Force protection"-plugin); in this way it's easier for me and for others to understand it.
4) Plugins should have a separate config file (.conf) with all user variables (settings). It should at least contain the "ENABLED="-variable to enable/disable the plugin.
5) Plugins should also have a separate file with their CHANGELOG (.changelog)
6) Plugins should preferably be POSIX shell compatible (eg. work with "Dash")
7) Plugins can use all variables/functions/chains from the main-script and main configuration file. Plugin specific configuration variables should be put inside the plugin's configuration file (.conf).
8) Make sure that when you create new iptables-chains, they don't conflict with the main script or other plugins. The same goes for the iptables MARK-module: make sure that you use a unique MARK-number that doesn't conflict with other plugins.
9) Plugins should in principle always clean up their own chains (and possibly other stuff) they created at start when stopping.
10) A list of available chains created by AIF's main script can be found below. Note that I strongly recommend NOT to directly use any builtin iptables chains like INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING. Only do this when it's absolutely necessary!

Available iptables chains created by Arno's Iptables Firewall
-------------------------------------------------------------
BASE_INPUT_CHAIN           - Base input chain. For internal use by AIF only!
BASE_OUTPUT_CHAIN          - Base output chain. For internal use by AIF only!
BASE_FORWARD_CHAIN         - Base forward chain. For internal use by AIF only!
INPUT_CHAIN                - AIF's main INPUT chain. Use this if you want to insert rules in the INPUT chain
OUTPUT_CHAIN               - AIF's main OUTPUT chain. Use this if you want to insert rules in the OUTPUT chain
FORWARD_CHAIN              - AIF's main FORWARD chain. Use this if you want to insert rules in the FORWARD chain
EXT_INPUT_CHAIN            - External-net INPUT chain
EXT_OUTPUT_CHAIN           - External-net OUTPUT chain
EXT_BROADCAST_CHAIN        - External-net chain for broadcast traffic
EXT_MULTICAST_CHAIN        - External-net chain for multicast traffic
EXT_FORWARD_IN_CHAIN       - External-net FORWARD chain for INcoming traffic
EXT_FORWARD_OUT_CHAIN      - External-net FORWARD chain for OUTgoing traffic
EXT_ICMP_FLOOD_CHAIN       - External-net chain where ICMP packets go which are considered a "flood"
DMZ_FORWARD_IN_CHAIN       - DMZ FORWARD chain for INcoming traffic
DMZ_FORWARD_OUT_CHAIN      - DMZ FORWARD chain for OUTgoing traffic
DMZ_INET_FORWARD_CHAIN     - DMZ to internet/external-net forward chain
DMZ_INPUT_CHAIN            - DMZ INPUT chain
DMZ_LAN_FORWARD_CHAIN      - DMZ to LAN/internal-net forward chain
DMZ_OUTPUT_CHAIN           - DMZ output chain
INET_DMZ_FORWARD_CHAIN     - External-net (internet) to DMZ forward chain
HOST_BLOCK_SRC             - Chain containing the list of inbound blocked hosts
HOST_BLOCK_DST             - Chain containing the list of outbound blocked hosts
HOST_BLOCK_SRC_DROP        - Chain where packets from dropped inbound blocked hosts go
HOST_BLOCK_DST_DROP        - Chain where packets from dropped outbound blocked hosts go
INT_INPUT_CHAIN            - Internal-net INPUT chain
INT_OUTPUT_CHAIN           - Internal-net OUTPUT chain
LAN_LAN_FORWARD_CHAIN      - LAN to LAN (Inter-LAN) forward chain (AIF private use only)
LAN_INET_FORWARD_CHAIN     - LAN to internet (external net) forward chain
POST_INPUT_CHAIN           - This chain is always processed last (post) in the INPUT chain
POST_OUTPUT_CHAIN          - This chain is always processed last (post) in the OUTPUT chain
POST_FORWARD_CHAIN         - This chain is always processed last (post) in the FORWARD chain
POST_INPUT_DROP_CHAIN      - Packets dropped at the end of the INPUT chain end up
                             in this chain (Used for eg. IDS)
RESERVED_NET_CHK           - This chain holds the list of reserved nets to check against
SPOOF_CHK                  - This chain contains rules for spoof checking
VALID_CHK                  - This chain contains rules for checking whether a packet is valid
NAT_POSTROUTING_CHAIN      - NAT (-t nat) POSTROUTING chain
NAT_PREROUTING_CHAIN       - NAT (-t nat) PREROUTING chain
POST_NAT_POSTROUTING_CHAIN - This chain is always processed last (post) in the NAT (-t nat) POSTROUTING chain
POST_NAT_PREROUTING_CHAIN  - This chain is always processed last (post) in the NAT (-t nat) PREROUTING chain

Loadbalancing/multirouting (with multiroute masquerade/SNAT)
------------------------------------------------------------
My firewall also supports multirouting (loadbalancing), optionally in conjunction with NAT. Although this works with both conventional masquerading and SNAT, it's strongly recommended to use SNAT, because the latter is known to have a much lower chance of causing problems. Also note that I haven't found a way (yet) to make this work with dynamic external (internet) IPs, meaning you need static IPs from your ISP.

First of all, if you want to use multirouting, make sure that your (vanilla) kernel has the following network features enabled (eg. when building from source):
- CONFIG_IP_ADVANCED_ROUTER=y
- CONFIG_IP_MULTIPLE_TABLES=y
- CONFIG_IP_ROUTE_MULTIPATH=y

Second, you should configure/enable the multiroute-plugin.

And last but not least, you should setup the firewall: add (all) the used external interfaces to EXT_IF, and when SNAT is used, add the corresponding external IPs to NAT_STATIC_IP. That's it!

NOTE: Redundant connections are (currently) not supported! This is a limitation of the (current) Linux kernel (not of my firewall).
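As an added example of the plugin conventions in the "Notes on writing your own plugins" above (it is not one of the project's plugins): the three PLUGIN_* variables are set, ENABLED is honoured from a separate .conf, the plugin creates a uniquely named chain and hooks it into INPUT_CHAIN rather than the builtin INPUT, and it unhooks and deletes that chain on stop. The plugin_start/plugin_stop hook names, the IPTABLES variable with its dry-run default, the conf file path and the ALLOW_PORT/ALLOW_HOSTS settings are assumptions of this example, not AIF's actual plugin API. It also reads its .conf with awk instead of sourcing it, so a tampered config file cannot run commands as root; that is a choice of this example, not something the project's plugins do.

```shell
#!/bin/sh
# Skeleton of an AIF-style plugin (added illustration, not project code).
# ASSUMPTIONS, not AIF's real API: the plugin_start/plugin_stop names,
# the IPTABLES variable, and the conf path below (real plugin configs
# live in /etc/arno-iptables-firewall/plugins/).

PLUGIN_NAME="Example admin-allowlist plugin"
PLUGIN_VERSION="0.1 (example)"
PLUGIN_CONF_FILE="${PLUGIN_CONF_FILE:-${TMPDIR:-/tmp}/example-allowlist.conf}"

# Prefix the chain with the plugin name so it cannot clash with AIF's own
# chains (see the chain list above) or with other plugins.
EXAMPLE_CHAIN="EXAMPLE_ALLOWLIST_CHAIN"

# Dry-run by default: rules are printed, not applied. Set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Read one KEY from a KEY="value" .conf without sourcing it; last occurrence wins.
conf_get() {
  awk -F= -v key="$1" '
    /^[ \t]*(#|$)/ { next }
    $1 == key {
      v = substr($0, index($0, "=") + 1)
      gsub(/^[" \t]+|[" \t]+$/, "", v)
      val = v
    }
    END { print val }' "$2"
}

# Accept only dotted-quad hosts or CIDR prefixes, so a bad value cannot smuggle
# extra iptables arguments into a rule.
valid_host() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

plugin_start() {
  enabled=$(conf_get ENABLED "$PLUGIN_CONF_FILE")
  if [ "$enabled" != "1" ]; then
    echo "$PLUGIN_NAME v$PLUGIN_VERSION: disabled (ENABLED=${enabled:-unset})" >&2
    return 0
  fi
  port=$(conf_get ALLOW_PORT "$PLUGIN_CONF_FILE")
  hosts=$(conf_get ALLOW_HOSTS "$PLUGIN_CONF_FILE")
  case "$port" in ''|*[!0-9]*) echo "$PLUGIN_NAME: bad ALLOW_PORT '$port'" >&2; return 1;; esac

  $IPTABLES -N "$EXAMPLE_CHAIN"
  for h in $hosts; do
    valid_host "$h" || { echo "$PLUGIN_NAME: skipping bad host '$h'" >&2; continue; }
    $IPTABLES -A "$EXAMPLE_CHAIN" -s "$h" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Hook into AIF's INPUT_CHAIN as the README advises, never into the builtin INPUT.
  $IPTABLES -A INPUT_CHAIN -p tcp --dport "$port" -j "$EXAMPLE_CHAIN"
}

plugin_stop() {
  # Unhook first: iptables refuses to delete a chain that is still referenced.
  $IPTABLES -D INPUT_CHAIN -p tcp --dport "$(conf_get ALLOW_PORT "$PLUGIN_CONF_FILE")" -j "$EXAMPLE_CHAIN"
  $IPTABLES -F "$EXAMPLE_CHAIN"
  $IPTABLES -X "$EXAMPLE_CHAIN"
}

# Constructed sample .conf for a stand-alone dry run (only variable assignments,
# as the plugin notes require; the third host is deliberately invalid).
write_sample_conf() {
  cat > "$PLUGIN_CONF_FILE" <<'EOF'
# Example plugin config (constructed sample)
ENABLED=1
ALLOW_PORT="22"
ALLOW_HOSTS="192.0.2.10 198.51.100.0/24 not-an-ip"
EOF
}

write_sample_conf
plugin_start
plugin_stop
```

Run as-is it prints the iptables commands it would issue; the invalid host is reported on stderr and never reaches a rule.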
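The troubleshooting notes above ask for the "(firewall) logs", and the arno-fwfilter script further down in this archive decodes the netfilter LOG fields (IN= OUT= SRC= DST= PROTO= SPT= DPT=) those logs contain. The following is an added example, not project code: it extracts those fields with POSIX awk (no gawk-only strtonum) and counts, per source address, the number of logged hits and the number of distinct destination ports, so a host probing many ports stands out. The log lines are constructed samples using documentation addresses and an invented "firewall: drop" prefix; like arno-fwfilter, the parser keys on the presence of the IN= field.

```shell
#!/bin/sh
# Per-source summary of netfilter LOG lines (added example, POSIX sh + awk).

# Constructed sample log (RFC 5737 addresses, invented timestamps and prefix).
SAMPLE_LOG='Jul 12 10:00:01 gw kernel: firewall: drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 12 10:00:02 gw kernel: firewall: drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 12 10:00:03 gw kernel: firewall: drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 12 10:00:04 gw kernel: firewall: drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul 12 10:00:05 gw kernel: firewall: drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Jul 12 10:00:06 gw sshd[123]: Accepted publickey for admin from 192.0.2.9 port 5555'

# Print "SRC DST PROTO DPT" for each netfilter LOG line on stdin; other lines are skipped.
# DPT is "-" when the protocol has no ports (ICMP).
fwlog_fields() {
  awk '
    $0 !~ /(^| )IN=/ { next }
    {
      src = dst = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      print src, dst, proto, dpt
    }'
}

# Print "SRC hits distinct_dst_ports", busiest source first.
# Many distinct ports from one source is the usual signature of a port scan.
fwlog_top_sources() {
  fwlog_fields | awk '
    { hits[$1]++; if ($4 != "-") ports[$1 "\t" $4] = 1 }
    END {
      for (k in ports) { split(k, p, "\t"); nports[p[1]]++ }
      for (s in hits) printf "%s %d %d\n", s, hits[s], nports[s] + 0
    }' | sort -k2,2nr -k1,1
}

printf '%s\n' "$SAMPLE_LOG" | fwlog_top_sources
```

Feed it a real log with `grep IN= /var/log/arno-iptables-firewall | fwlog_top_sources`; the sshd line in the sample shows that non-netfilter lines are ignored rather than miscounted.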
Info when building your own kernel (2.4 & 2.6) through "make menuconfig":
-------------------------------------------------------------------------------
For the firewall to work properly you need the following options enabled (as modules or compiled in your kernel):
- "Loadable module support"
  - "Enable loadable module support" (If you want to build iptables as modules)
  - "Automatic kernel module loading" (Strongly recommended if you build iptables as modules) (Only available in newer 2.6 kernels)
- "Networking", "Networking Support", "Networking Options":
  - "Packet socket" (If you want to use dhcp client and/or server)
  - "TCP/IP networking"
    - "IP: Multicasting"
    - "IP: advanced router"
      - "IP: policy routing" (If you want to use load balancing, eg. multiroute masquerading)
      - "IP: equal cost multipath" (If you want to use load balancing, eg. multiroute masquerading)
    - "IP: TCP syncookie support"
  - ("Network packet filtering")
    - "Core Netfilter Configuration" (For kernel =>2.6.16)
      - "Netfilter Xtables support (Required for ip_tables)"
        - "MARK" target support (Only required for special purposes like eg. traffic shaping & kernel 2.6 VPN support)
        - "conntrack" connection tracking match support
        - "limit" match support
        - "mac" address match support (If you want to use MAC filtering)
        - "state" match support
        - "tcpmss" match support (If you want to use tcpmss clamping)
    - "IP: Netfilter Configuration":
      - "Connection tracking"
        - "Connection tracking flow accounting" (If you want to do accounting on your network traffic)
          (kernel 2.6 only)
      - "FTP protocol support"
      - "IP tables support" (NOTE: The order of sub-options can differ between kernel versions):
        - "Multiple port match support"
        - "TOS match support" (If you want to use TOS mangling)
        - "recent match support" (required for IDS & SSH brute-force protection)
        - "TTL match support" (If you want to use TTL manipulation)
        - "limit match support" (kernel <2.6.16)
        - "MAC address match support" (If you want to use MAC filtering) (kernel <2.6.16)
        - "Multiple port match support" (kernel <2.6.16)
        - "tcpmss match support" (If you use tcpmss clamping) (kernel <2.6.16)
        - "Connection state match support" (Kernel <2.6.16)
        - "Packet filtering" (kernel <2.6.16)
          - "REJECT target support"
        - "LOG target support"
        - "TCPMSS target support" (If you want to use tcpmss-clamping)
        - "Full NAT" (If you use NAT/masquerading aka internet-sharing or transparent proxies)
          - "MASQUERADE target" (If you want to use masquerading)
          - "REDIRECT target support" (If you want to use port-forwarding, -redirection or transparent proxies)
        - "Packet mangling"
          - "TOS target support" (If you want to use TOS mangling)
          - "MARK target support" (Only required for special purposes like eg. traffic shaping & kernel 2.6 VPN support) (kernel <2.6.16)
          - "TTL target support" (If you want to use TTL manipulation)

Kernel configuration - Special issues
-------------------------------------
Some kernel versions, or series of versions, may have unique issues; below are topics related to the scope of this firewall script.

1) Starting with kernel version 2.6.27, CONFIG_NF_CT_ACCT is deprecated. As a result, when the "nf_conntrack" module is loaded and the kernel has CONFIG_NF_CT_ACCT=y set, the following message is displayed:
   "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or sysctl net.netfilter.nf_conntrack_acct=1 to enable it."
   The message is harmless, and can be safely ignored.
   The main script also sets net.netfilter.nf_conntrack_acct=1 in the case CONFIG_NF_CT_ACCT is not set.
   Though, if you find this message annoying, it can be silenced via "make menuconfig":
     -- Core Netfilter Configuration
        -- Netfilter connection tracking support
           [ ] Connection tracking flow accounting
   If "Connection tracking flow accounting" can't be disabled, then disabling
           < > "connbytes" per-connection counter match support
   may be required because of dependencies.
   The resulting configuration settings are:
     CONFIG_NF_CONNTRACK=m
     # CONFIG_NF_CT_ACCT is not set
     # CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
   CONFIG_NF_CT_ACCT was scheduled to be removed in 2.6.29, but has not yet been removed, as of writing.

aif-2.1.2a/bin/arno-fwfilter
#!/bin/bash
#
# description: Firewall-log filter script (arno-fwfilter)
# Last update: March 20, 2015

# Usage examples (make sure arno-fwfilter is executable!):
# --------------------------------------------------------
# Static firewall log filtering                  : cat /var/log/messages |arno-fwfilter
#  or
# Static firewall log filtering                  : cat /var/log/arno-iptables-firewall |arno-fwfilter
# Realtime firewall logging on TTY10             : tail --follow /var/log/messages |arno-fwfilter >/dev/tty10 &
# Example on how to disable kernel debug logging : cat /var/log/messages |grep -v kernel |arno-fwfilter
# Email firewall logs to root                    : cat /var/log/arno-iptables-firewall |arno-fwfilter --html-output --no-colors |mail -s "Firewall Log" -a "Content-Type: text/html; charset=us-ascii" root

# ------------------------------------------------------------------------------------------
#                         -= Arno's Iptables Firewall(AIF) =-
#                    Firewall-log filter script (arno-fwfilter)
#
# (C) Copyright 2001-2015 by Arno van Amersfoort
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------------------
# Some of the information used to create this script was obtained from:
# - http://ports.tantalo.net/
# - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
# - http://www.speedguide.net/ports.php
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# -------------------------------------------------------------------------------------------

# Options:
##########

# Enable this option if you want to resolve IP addresses to names (requires "dig")
RESOLVE_NAMES=1

# Enable this option if you want to (try to) obtain the IPs geographical location (can be very slow!) (requires "curl")
SHOW_LOCATION=0

# Enable this option if you want to resolve both the source and target host when doing location/name lookups (slower)
FULL_INFO=0

# Enable this option to use ANSI colors (increases readability)
USE_ANSI_COLORS=1

# Enable this if you want the output to be (colored) html formatted (for emails etc.)
USE_HTML=0

# Enable this if you want to put all information on a single line
USE_1ROW=0

# Use this variable if your awk binary is in a non-default location (use 'locate awk' or 'whereis
# awk' to manually locate it).
AWK_BIN=""

#################################################################################################
# Parse commandline options (taken from the getopt examples from the Debian util-linux package) #
#################################################################################################

# Note that we use `"$@"' to let each command-line parameter expand to a
# separate word. The quotes around `$@' are essential!
# We need CLOPTS as the `eval set --' would nuke the return value of getopt.
CLOPTS=`getopt -o h,r,o,l,c,s --long help,no-resolve,html-output,no-locations,no-colors,single-line -n 'arno-fwfilter' -- "$@"`

if [ $? != 0 ] ; then
  echo "Terminating..." >&2
  exit 1
fi

# Note the quotes around `$CLOPTS': they are essential!
eval set -- "$CLOPTS"

while true; do
  case "$1" in
    -r|--no-resolve) RESOLVE_NAMES=0; shift;;
    -o|--html-output) USE_HTML=1; shift;;
    -l|--no-locations) SHOW_LOCATION=0; shift;;
    -c|--no-colors) USE_ANSI_COLORS=0; shift;;
    -s|--single-line) USE_1ROW=1; shift;;
    -h|--help)
      echo "Options:"
      echo "-h, --help           - Print this help"
      echo "-r, --no-resolve     - Disable resolving of IPs to names"
      echo "-o, --html-output    - Use basic HTML to format the output"
      echo "-l, --no-locations   - Disable obtaining the IPs geographical location"
      echo "-c, --no-colors      - Disable the use of (ANSI) colors in the output"
      echo "-s, --single-line    - Put all information about an event in a single line"
      exit 0 # nothing left to do
      ;;
    --) shift ; break ;;
    *) echo "Internal error!"; exit 1;;
  esac
done

if [ -z "$AWK_BIN" ]; then
  if [ -x '/bin/gawk' ]; then
    AWK_BIN='/bin/gawk'
  else
    if [ -x '/usr/bin/gawk' ]; then
      AWK_BIN='/usr/bin/gawk'
    else
      if [ -x '/bin/awk' ]; then
        AWK_BIN='/bin/awk'
      else
        if [ -x '/usr/bin/awk' ]; then
          AWK_BIN='/usr/bin/awk'
        fi
      fi
    fi
  fi
fi

if [ -z "$AWK_BIN" ]; then
  echo "ERROR: Could not locate the AWK binary (is it installed?)."
  echo "You may want to configure it yourself inside this script."
else
  # Test what awk version is used (gawk, mawk etc...)
  test=`$AWK_BIN -W version 2>/dev/null |grep -i mawk`
  if [ -n "$test" ]; then
#    AWK_BIN=$(echo "$AWK_BIN -W interactive")
    echo "The configured AWK binary is MAWK, which does not work with the script. Please use GAWK instead"
    exit 1
  fi

  if [ "$USE_HTML" = "1" ]; then
    echo 'Firewall Log'
    echo ''
    echo ''
  fi

  $AWK_BIN '
  # This is the function which performs the portname lookups
  ##########################################################
  function portname_lookup(port_str)
  {
    port=strtonum(port_str)

    if (port==0) return("Invalid Port(0)")
    if (port==1) return("SGI Irix TCPMUX(1)")
    if (port==7) return("Echo-Server(7)")
    if (port==9) return("Discard-Server(9)")
    if (port==11) return("Unix Sysstat(11)")
    if (port==13) return("Daytime-Server(13)")
    if (port==19) return("Chargen(19)")
    if (port==20) return("FTP-Data(20)")
    if (port==21) return("FTP(21)")
    if (port==22) return("SSH(22)")
    if (port==23) return("Telnet(23)")
    if (port==25) return("SMTP(25)")
    if (port==37) return("Time(37)")
    if (port==43) return("Who-IS(43)")
    if (port==53) return("DNS(53)")
    if (port==59) return("Ident(59)")
    if (port==67) return("BootP Server(67)")
    if (port==68) return("BootP Client(68)")
    if (port==69) return("TFTP(69)")
    if (port==79) return("Finger(79)")
    if (port==80) return("HTTP(80)")
    if (port==88) return("KRB5(88)")
    if (port==98) return("LinuxConf(98)")
    if (port==109) return("POP2(109)")
    if (port==110) return("POP3(110)")
    if (port==111) return("SunRPC/RPCbind(111)")
    if (port==113) return("IDENT(113)")
    if (port==119) return("NNTP News(119)")
    if (port==123) return("NTP(123)")
    if (port==135) return("MS RPC(135)")
    if (port==137) return("SMB Name(137)")
    if (port==138) return("SMB Data(138)")
    if (port==139) return("SMB Session(139)")
    if (port==143) return("IMAP(143)")
    if (port==161)
return("SNMP(161)") if (port==177) return("XDMCP(177)") if (port==389) return("LDAP(389)") if (port==427) return("SLP(427)") if (port==443) return("HTTPS(443)") if (port==445) return("MSFT DS(445)") if (port==464) return("KPASSWD(464)") if (port==465) return("SMTP-SSL(465)") if (port==500) return("Appleshare(500)") if (port==513) return("Rwho(513)") if (port==515) return("Printer(515)") if (port==520) return("Route(520)") if (port==524) return("NCP(524)") if (port==525) return("TimeServer(525)") if (port==535) return("CORBA IIOP(535)") if (port==554) return("RealServer(554)") if (port==555) return("phAse zero(555)") if (port==587) return("SMTP-msa(587)") if (port==600) return("PC Server Backdoor(600)") if (port==635) return("Linux Mountd bug(635)") if (port==636) return("LDAPs(636)") if (port==691) return("MS-Exchange(691)") if (port==873) return("Rsync(873)") if (port==990) return("FTPs(990)") if (port==993) return("IMAPs(993)") if (port==995) return("POP3s(995)") if (port==1025) return("NFS(1025)") if (port==1026) return("Windows-Message-Service(1026)") if (port==1027) return("Windows-Message-Service(1027)") if (port==1080) return("SOCKS(1080)") if (port==1114) return("SQL(1114)") if (port==1214) return("KaZaa(1214)") if (port==1243) return("Sub-7(1243)") if (port==1394) return("Network Log Client(1394)") if (port==1433) return("MS-SQL(1433)") if (port==1434) return("MS-SQL monitor(1434)") if (port==1524) return("Trin 00(1524)") if (port==1662) return("Netview-aix-2(1662)") if (port==1723) return("PPtP(1723)") if (port==1883) return("IBM MQSeries SCADA(1883)") if (port==1900) return("UPnP(1900)") if (port==1999) return("Backdoor-G or Sub-7 2.x(1999)") if (port==2002) return("Cisco Secure ACS WebServer(2002)") if (port==2049) return("NFS(2049)") if (port==2243) return("Magicom Protocol(2243)") if (port==2343) return("Nati logos(2343)") if (port==2772) return("Sub-7 ScreenCapture(2772)") if (port==2773) return("Sub-7 KeyLogger(2773)") if (port==3127) return("MyDoom 
Backdoor(3127)") if (port==3128) return("Squid(3128)") if (port==3129) return("Masters Paradise(3129)") if (port==3268) return("globalcat-LDAP(3268)") if (port==3449) return("HotU Chat(3449)") if (port==3544) return("Teredo IPv6-IPv4 Tunnel(3544)") if (port==4500) return("MS IPsec NAT-T(4500)") if (port==4662) return("eDonkey(4662)") if (port==5000) return("UPnP(5000)") if (port==5060) return("SIP(5060)") if (port==5061) return("SIP over TLS(5061)") if (port==5222) return("Jabber/xmpp-client(5222)") if (port==5223) return("Jabber-SSL(5223)") if (port==5228) return("Android Market(5228)") if (port==5500) return("VNC(5500)") if (port==5554) return("Sasser-backdoor(5554)") if (port==5623) return("pcAnywhere(5623)") if (port==5800) return("VNC-data(5800)") if (port==5900) return("VNC-HTTP(5900)") if (port==5938) return("Teamviewer(5938)") if (port==6346) return("GNUtella(6346)") if (port==6670) return("Deep Throat(6670)") if (port==6711) return("Sub-7(6711)") if (port==6712) return("Sub-7(6712)") if (port==6713) return("Sub-7(6713)") if (port==6776) return("Backdoor-G or Sub-7(6776)") if (port==6969) return("GateCrasher(6969)") if (port==6970) return("RealAudio(6970)") if (port==7215) return("Sub-7 Matrix Chat(7215)") if (port==7777) return("Unreal or Klingon Honor Guard(7777)") if (port==7778) return("Unreal Tournament(7778)") if (port==8000) return("Seafile-seahub(8000)") if (port==8030) return("iTunes Radio Streams(8030)") if (port==8080) return("HTTP Alternate(8080)") if (port==8082) return("Seafile-fileserver(8082)") if (port==9100) return("JetDirect(9100)") if (port==9418) return("Git(9418)") if (port==10000) return("Webadmin(10000)") if (port==10001) return("Seafile-ccnet(10001)") if (port==10008) return("Cheeseworm(10008)") if (port==12001) return("Seafile-service(12001)") if (port==12345) return("Netbus(12345)") if (port==12346) return("Netbus(12346)") if (port==13223) return("PowWow(13223)") if (port>=16384 && port<=16472) return(sprintf("Real-Time Transport 
Protocol(RTP) (%i)",port)) if (port==16660) return("Stacheldraht(16660)") if (port==16959) return("Sub-7(16959)") if (port==17027) return("Conducent(17027)") if (port==20034) return("Netbus 2 Pro(20034)") if (port==20002) return("Acidkor(20002)") if (port==21544) return("Girlfriend(21544)") if (port==22450) return("Sin(22450)") if (port==23456) return("EvilFTP(23456)") if (port==26000) return("Quake(26000)") if (port==26900) return("Hexen 2(26900)") if (port==26950) return("Hexen World(26950)") if (port==27015) return("Half-life Or Team Fortress Classic(27015)") if (port==27374) return("Backdoor-G or Sub-7(27374)") if (port==27444) return("Trin 00(27444)") if (port==27500) return("Quake World(27500)") if (port==27665) return("Trin 00(27665)") if (port>=27910 && port<=27961) return(sprintf("Quake(%i)", port)) if (port>=28000 && port<=28008) return(sprintf("Starsiege Tribes(%i)", port)) if (port==28910) return("Heretic 2(28910)") if (port==30100) return("NetSphere(30100)") if (port==31335) return("Trin 00(31335)") if (port==31337) return("Back Orifice(31337)") if (port==31338) return("Back Orifice(31338)") if (port==31789) return("Hack'a'Tack(31789)") if (port==31337) return("Back Orifice(31337)") if (port>=32770 && port<=32900) return(sprintf("SUN-RPC Portmapper(%i)",port)) if (port==33270) return("Trinity v3(33270)") if (port>=33434 && port<=33600) return(sprintf("Traceroute?(%i)",port)) if (port==41508) return("Inoculan(41508)") if (port==50505) return("Sockets de Troi(50505)") if (port==54283) return("Sub-7 Spy port(54283)") if (port==54320) return("Back Orifice 2K(54320)") if (port==54321) return("Back Orifice 2K(54321)") if (port==60001) return("Stacheldraht(60001)") if (port==65000) return("Stacheldraht(65000)") # If nothing else matches just return the port number return(port_str) } # This is the function which performs the ICMP lookups ###################################################### function ICMP_lookup(type, code) { if (type==0 && code==0) return 
("Echo reply") if (type==3 && code==0) return ("Network unreachable") if (type==3 && code==1) return ("Host unreachable") if (type==3 && code==2) return ("Protocol unreachable") if (type==3 && code==3) return ("Port unreachable") if (type==3 && code==4) return ("Fragmentation needed but no frag. bit set") if (type==3 && code==5) return ("Source routing failed") if (type==3 && code==6) return ("Destination network unknown") if (type==3 && code==7) return ("Destination host unknown") if (type==3 && code==8) return ("Source host isolated") if (type==3 && code==9) return ("Destination network administratively prohibited") if (type==3 && code==10) return ("Destination host administratively prohibited") if (type==3 && code==11) return ("Network unreachable for TOS") if (type==3 && code==12) return ("Host unreachable for TOS") if (type==3 && code==13) return ("Communication administratively prohibited by filtering") if (type==3 && code==14) return ("Host precedence violation") if (type==3 && code==15) return ("Precedence cutoff in effect") if (type==4 && code==0) return ("Source quench") if (type==5 && code==0) return ("Redirect for network") if (type==5 && code==1) return ("Redirect for host") if (type==5 && code==2) return ("Redirect for TOS and network") if (type==5 && code==3) return ("Redirect for TOS and host") if (type==8 && code==0) return ("Echo request") if (type==9 && code==0) return ("Router advertisement") if (type==9 && code==16) return ("Does not route common traffic") if (type==10 && code==0) return ("Route solicitation") if (type==11 && code==0) return ("TTL equals 0 during transit") if (type==11 && code==1) return ("TTL equals 0 during reassembly") if (type==12 && code==0) return ("IP header bad (catchall error)") if (type==12 && code==1) return ("Required options missing") if (type==12 && code==2) return ("Bad Length") if (type==13 && code==0) return ("Timestamp request") if (type==14 && code==0) return ("Timestamp reply (obsolete)") if (type==15 && 
code==0) return ("Information request") if (type==16 && code==0) return ("Information reply") if (type==17 && code==0) return ("Address mask request") if (type==18 && code==0) return ("Address mask reply") if (type==30 && code==0) return ("Outbound Packet succesfully forwarded") if (type==30 && code==1) return ("No route for Outbound Packet; packet discarded") if (type==40 && code==0) return ("Bad SPI") if (type==40 && code==1) return ("Authentication Failed") if (type==40 && code==2) return ("Decompression Failed") if (type==40 && code==3) return ("Decryption Failed") if (type==40 && code==4) return ("Need Authentication") if (type==40 && code==5) return ("Need Authorization") # If nothing else matches just return unknown return("Unknown ICMP type/code") } # Main program ############## { if (match($0, "IN=") != 0 || match($0, "firewall") != 0 || match($0, "Firewall") != 0 || match($0, "kernel") != 0) { if (match($0, "IN=") == 0) { printf("%s", $0) } else { # Check whether it is an incoming or outgoing packet if (match($0, "IN= ") != 0) INPUT=0; else INPUT=1 if (match($0, "OUT= ") != 0) OUTPUT=0; else OUTPUT=1 for (i = 1; i <= NF; i++) # First show message, SRC etc. 
{ if (substr($i,1,4) == "SRC=") SRC_HOST=substr($i, 5, length($i) - 4) if (substr($i,1,4) == "DST=") DST_HOST=substr($i, 5, length($i) - 4) if (substr($i,1,4) != "MAC=" && substr($i,1,4) != "SRC=" && substr($i,1,4) != "DST=" && $i != "IN=" && $i != "OUT=" ) { if ($(i+1) != "kernel:" && $i != "kernel:" && $i != "[kernel]" ) { if (i==1) printf("%s", $i) else if (i==2 && length($2)==1) # We always want 2 digits for the date-day: printf(" 0%s", $i) else printf(" %s", $i) } } if (substr($i,1,4) == "SRC=") { if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;36m") if (USE_HTML==1) printf("") printf(" %s", $i) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") } if (substr($i,1,4) == "DST=") { # Show destination ################## if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;35m") if (USE_HTML==1) printf("") printf(" %s", $i) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") if (INPUT==1 || FULL_INFO==1) { if (RESOLVE_NAMES==1 || SHOW_LOCATION==1) if (USE_1ROW==0) { if (USE_HTML==1) printf("
\n "); else printf("\n ") } if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;36m") if (USE_HTML==1) printf("") if (RESOLVE_NAMES==1) { # If multiple names exist for one IP then only use the first (head -n1) syscall=sprintf("printf \" $(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",)\" 2>/dev/null", SRC_HOST) system(syscall) } if (SHOW_LOCATION==1) { syscall=sprintf("curl -L --silent --connect-timeout 1 http://api.hostip.info/get_html.php?ip=%s 2>/dev/null |grep -e \"Country:\" -e \"City:\" |while read line; do printf \" $line\"; done", SRC_HOST) system(syscall) } } if (OUTPUT==1 || FULL_INFO==1) { if (RESOLVE_NAMES==1 || SHOW_LOCATION==1) if (USE_1ROW==0) { if (USE_HTML==1) printf("
\n "); else printf("\n ") } if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;35m") if (USE_HTML==1) printf("") if (RESOLVE_NAMES==1) { # If multiple names exist for one IP then only use the first (head -n1) syscall=sprintf("printf \" $(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",)\" 2>/dev/null", DST_HOST) system(syscall) } if (SHOW_LOCATION==1) { syscall=sprintf("curl -L --silent --connect-timeout 1 http://api.hostip.info/get_html.php?ip=%s 2>/dev/null |grep -e \"Country:\" -e \"City:\" |while read line; do printf \" $line\"; done", DST_HOST) system(syscall) } } if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") break } } if (i==NF) { if (USE_HTML==1) printf("
") printf("\n") } else { offset=i+1 if (USE_1ROW==0) { if (USE_HTML==1) printf("
\n "); else printf("\n ") } else printf(" ") } save_offset=++offset; for (i = offset; i <= NF; i++) if (substr($i,1,6) == "PROTO=") break; offset=i # First show PROTO= if ($offset == "PROTO=UDP") { if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;33m") if (USE_HTML==1) printf("") printf(" %s", $offset) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") } else if ($offset == "PROTO=TCP") { if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;32m") if (USE_HTML==1) printf("") printf(" %s", $offset) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") } else if ($offset == "PROTO=ICMP") { if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;34m") if (USE_HTML==1) printf("") printf(" %s", $offset) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") } else { printf(" %s", $offset) } if (substr($(offset+1),1,4)=="SPT=") { # Second show DPT= if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;31m") if (USE_HTML==1) printf("") printf(" DPT=%s", portname_lookup(substr($(offset+2), 5, length($(offset+2))-4))) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") # Third show SPT= printf(" SPT=%s", portname_lookup(substr($(offset+1), 5, length($(offset+1))-4))) } if ($(offset)=="PROTO=ICMP") { # Resolve type/code if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;31m") if (USE_HTML==1) printf("") type=strtonum(substr($(offset+1), 6, length($(offset+1))-5)) code=strtonum(substr($(offset+2), 6, length($(offset+2))-5)) printf(" TYPE/CODE=%s(%i,%i)", ICMP_lookup(type, code), type, code) if (USE_ANSI_COLORS==1) printf("\033[0m") if (USE_HTML==1) printf("") } ICMP_INFO=0 for (i = save_offset; i <= NF; i++) # Show all other info { if (substr($i,1,1) == "[") ICMP_INFO=1 if (ICMP_INFO==1) { if (substr($i,1,5) != "PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" \ && i != 4 && i != 5 && substr($i,1,2) != "DF" \ && $i != "RES=0x00" && $i != "URGP=0") printf(" %s", $i) } else { if (substr($i,1,6) != "PROTO=" && substr($i,1,5) != 
"PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" \ && substr($i,1,4) != "LEN=" && i != 4 && i != 5 && substr($i,1,2) != "DF" && substr($i,1,4) != "SPT=" && substr($i,1,4) != "DPT=" \ && $i != "RES=0x00" && $i != "URGP=0" && substr($i,1,7) != "WINDOW=" && substr($i,1,5) != "TYPE=" && substr($i,1,5) != "CODE=") printf(" %s", $i) } } } if (USE_HTML==1) printf("
") printf("\n") } } ' RESOLVE_NAMES=$RESOLVE_NAMES SHOW_LOCATION=$SHOW_LOCATION USE_ANSI_COLORS=$USE_ANSI_COLORS USE_1ROW=$USE_1ROW USE_HTML=$USE_HTML if [ "$USE_HTML" = "1" ]; then echo "" fi fi aif-2.1.2a/bin/arno-iptables-firewall000077500000000000000000006640271464417520100175000ustar00rootroot00000000000000#!/bin/sh MY_VERSION="2.1.2" # Location of the main configuration file for the firewall ########################################################## CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf # ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) =- # Single- & multi-homed firewall script with DSL/ADSL support # # ~ In memory of my dear parents ~ # # (C) Copyright 2001-2024 by Arno van Amersfoort & Lonnie Abelbeck # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------

echo "Arno's Iptables Firewall(AIF) v$MY_VERSION"
echo "-------------------------------------------------------------------------------"

# Check if the main config file exists and if so load it
########################################################
if [ -f "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
else
  printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" >&2
  printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
  exit 2
fi

# Check if the environment file exists and if so, load it
#########################################################
# Autodetect according to standard paths
ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
if [ ! -f "$ENV_FILE" ]; then
  ENV_FILE="/usr/share/arno-iptables-firewall/environment"
  if [ ! -f "$ENV_FILE" ]; then
    printf "\033[40m\033[1;31mERROR: Unable to locate environment file in /usr/(local/)/share/arno-iptables-firewall/\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2
    exit 2
  fi
fi

# Source environment file
. "$ENV_FILE"


sanity_check()
{
  local ip4t_ver ip6t_ver

  # Show uname & iptables information
  echo "Platform: $(uname -s -r -m)"

  ip4t_ver="$($IP4TABLES --version)"
  ip4t_ver="${ip4t_ver#* v}"
  ip4t_ver="${ip4t_ver%% *}"
  ip6t_ver="$($IP6TABLES --version)"
  ip6t_ver="${ip6t_ver#* v}"
  ip6t_ver="${ip6t_ver%% *}"

  echo "Netfilter iptables version: $ip4t_ver"

  if [ "$ip4t_ver" != "$ip6t_ver" ]; then
    printf "\033[40m\033[1;31mWARNING: Mismatched iptables($ip4t_ver) / ip6tables($ip6t_ver) versions.\033[0m\n" >&2
  fi

  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi

  # Check whether the required binaries exist and are executable
  ##############################################################
  check_command_error iptables
  if [ "$IPV6_DETECTED" = "1" ]; then
    check_command_error ip6tables
  fi
  check_command_error awk
  check_command_error tr
  check_command_error ip
  check_command_error cut
  check_command_error uname
  check_command_error sed
  check_command_error cat
  check_command_error date
  check_command_error modprobe
  check_command_error sysctl
  check_command_error head
  check_command_error tail
  check_command_error wc
  check_command_error logger
  check_command_warning pgrep
  check_command_warning pkill
  check_command_warning dig nslookup

  if [ "$IPV6_SUPPORT" = "1" ]; then
    if ! kernel_ver_chk 2 6 24; then
      printf "\033[40m\033[1;31mWARNING: IPv6 support is enabled but your kernel is rather old (<2.6.24)! This *could* cause problems...\033[0m\n" >&2
    fi
  fi
}


ipset_check()
{
  if [ "$IPTABLES_IPSET" != "1" ]; then
    return 1
  fi

  ## Check if userspace 'ipset' command is installed
  if ! check_command ipset; then
    return 1
  fi

  ## Issue a simple command that will fail without kernel support
  if ! ipset list -n >/dev/null 2>&1; then
    return 1
  fi

  return 0
}


config_check()
{
  local retval=0

  # Make sure EXT_IF != ""
  ########################
  if [ -z "$EXT_IF" ]; then
    printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" >&2
    retval=1
  fi

  # Check whether EXT_IF exists
  #############################
  IFS=' ,'
  for interface in $EXT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: External interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether INT_IF exists
  #############################
  IFS=' ,'
  for interface in $INT_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Internal interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether DMZ_IF exists
  #############################
  IFS=' ,'
  for interface in $DMZ_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: DMZ interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Check whether TRUSTED_IF exists
  #################################
  IFS=' ,'
  for interface in $TRUSTED_IF; do
    if ! check_interface $interface; then
      printf "\033[40m\033[1;31mWARNING: Trusted interface $interface does NOT exist (yet?)\033[0m\n" >&2
    fi
  done

  # Make sure INT_IF != EXT_IF
  ############################
  IFS=' ,'
  for eif in $EXT_IF; do
    for iif in $INT_IF; do
      if [ "$iif" = "$eif" ]; then
        printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" >&2
        printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" >&2
        retval=1
        break
      fi
    done
  done

  # Make sure EXT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "lo" -o "$eif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" >&2
      printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" >&2
      retval=1
      break
    fi
  done

  # Make sure INT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "lo" -o "$iif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" >&2
      printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" >&2
      retval=1
      break
    fi
  done

  # If support for a DHCP server serving an external net is enabled, we
  # also need to know what the external net is.
  ##########################################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    retval=1
  fi

  # We can only perform NAT if NAT_INTERNAL_NET is defined
  if [ "$NAT" = "1" -a -z "$NAT_INTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" >&2
    retval=1
  fi

  # If support for the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set
  ##########################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" -a -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2
    retval=1
  fi

  # Warn if no_broadcast variables are used and external net is NOT defined
  ##########################################################################
  if [ -n "$BROADCAST_TCP_NOLOG" -o -n "$BROADCAST_UDP_NOLOG" ]; then
    if [ -z "$EXTERNAL_NET" -a -z "$EXT_NET_BCAST_ADDRESS" ]; then
      printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but EXTERNAL_NET (or EXT_NET_BCAST_ADDRESS)\033[0m\n" >&2
      printf "\033[40m\033[1;31m has NOT been defined!\033[0m\n" >&2
    fi
  fi

  # Check whether we know the plugin binary path
  ##############################################
  if [ ! -d "$PLUGIN_BIN_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_BIN_PATH ($PLUGIN_BIN_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    retval=1
  fi

  # Check whether we know the plugin config path
  ##############################################
  if [ ! -d "$PLUGIN_CONF_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_CONF_PATH ($PLUGIN_CONF_PATH) does not exist!\033[0m\n" >&2
    printf "\033[40m\033[1;31m Please check your installation and/or configuration file.\033[0m\n" >&2
    retval=1
  fi

  # Check for errors
  if [ $retval -ne 0 ]; then
    show_failed
    exit $retval
  fi
}


load_modules()
{
  unset IFS

  # Set indent for functions
  INDENT=' '

  echo "Checking/probing Iptables modules:"

  # Required; all IPv4 modules depend on this one
  modprobe ip_tables
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6_tables
  fi

  # Allows connection tracking state match, which allows you to
  # write rules matching the state of a connection
  modprobe_multi nf_conntrack ip_conntrack

  if [ "$IPV6_SUPPORT" = "1" ]; then
    ## kernel >= 4.19 merged nf_conntrack_ipv{4,6} into nf_conntrack
    if ! kernel_ver_chk 4 19 0; then
      modprobe nf_conntrack_ipv6
    fi
  fi

  # Allows tracking for various protocols, placing entries in the conntrack table etc.
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_conntrack "ipt_conntrack,ip6t_conntrack"
  else
    modprobe_multi xt_conntrack ipt_conntrack
  fi

  # Allows log limits
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_limit "ipt_limit,ip6t_limit"
  else
    modprobe_multi xt_limit ipt_limit
  fi

  # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_state "ipt_state,ip6t_state"
  else
    modprobe_multi xt_state ipt_state
  fi

  # Allows packet specifications on multiple ports
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_multiport "ipt_multiport,ip6t_multiport"
  else
    modprobe_multi xt_multiport ipt_multiport
  fi

  # Implement the filter table:
  modprobe iptable_filter
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_filter
  fi

  # Implement the mangle table
  modprobe iptable_mangle
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_mangle
  fi

  # Implement the raw table
  modprobe iptable_raw
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6table_raw
  fi

  # Implement the REJECT target
  modprobe ipt_REJECT
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe ip6t_REJECT
  fi

  # Implement the LOG target
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi xt_LOG "ipt_LOG,ip6t_LOG"
  else
    modprobe_multi xt_LOG ipt_LOG
  fi

  if [ "$SET_MSS" != "0" ]; then
    # Implement the TCPMSS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_TCPMSS "ipt_TCPMSS,ip6t_TCPMSS"
    else
      modprobe_multi xt_TCPMSS ipt_TCPMSS
    fi
  fi

  if [ "$MANGLE_TOS" != "0" ]; then
    # Implement the TOS target
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_DSCP "ipt_DSCP,ip6t_DSCP" "ipt_TOS,ip6t_TOS"
    else
      modprobe_multi xt_DSCP ipt_DSCP ipt_TOS
    fi
  fi

  if [ "$PACKET_TTL" = "1" -o "$TTL_INC" = "1" ]; then
    # Load the TTL target:
    modprobe ipt_TTL
  fi

  # (Currently) unused modules:
  # modprobe ipt_addrtype   # Allows matching src/dst address type (BROKEN!)
  # modprobe ipt_pkttype    # Permits checking for packet type (BROADCAST, MULTICAST etc.) (BROKEN!)
  # modprobe ip_queue       # Allows queuing packets to user space
  # modprobe ipt_owner      # Permits user/group checking on OUTPUT packets
  # modprobe ipt_mark       # Allows use of mark match
  # modprobe ip_conntrack_egg

  # Implement the NAT table
  modprobe iptable_nat

  if [ "$NAT" = "1" -o -n "$NAT_FORWARD_TCP" -o -n "$NAT_FORWARD_UDP" -o -n "$NAT_FORWARD_IP" ]; then
    # Load the module implementing DNAT/SNAT/NAT support
    modprobe_multi nf_nat ip_nat
  fi

  if [ "$NAT" = "1" ]; then
    if [ -z "$NAT_STATIC_IP" ]; then
      # Load the MASQUERADE target:
      modprobe ipt_MASQUERADE
    fi
  fi

  echo " Module check done..."
}


setup_misc()
{
  # Remove any stale plugin restart file
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  # Remove stale host-cache file
  rm -f "$HOST_CACHE_FILE"

  # Most people don't want to get any firewall logs being spit to the console
  # This option makes the kernel ring buffer only log messages with level "panic"
  if [ "$DMESG_PANIC_ONLY" = "1" ]; then
    echo "Setting the kernel ring buffer to only log panic messages to the console"
    # dmesg -c   # Clear ring buffer
    dmesg -n 1   # Only show panic messages on the console
  fi
}


setup_kernel_settings()
{
  # Set INDENT value for functions
  INDENT=' '

  echo "Configuring general kernel parameters:"

  # Disable conntrack automatic helper assignment, if supported
  #############################################################
  if sysctl_key_match net.netfilter.nf_conntrack_helper; then
    sysctl -w net.netfilter.nf_conntrack_helper=0
  elif ! kernel_ver_chk 6 0 0; then
    echo " Conntrack legacy automatic helper assignment is ENABLED"

    # Fallback to an older conntrack match method
    NF_CONNTRACK_STATE="-m state --state"
  fi

  # Set the maximum number of connections to track.
  # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192
  # possible entries, 256 MB of RAM --> 16376 possible entries, etc...
  #######################################################################################
  if [ -n "$CONNTRACK" -a "$CONNTRACK" != "0" ]; then
    echo " Setting the max. amount of simultaneous connections to $CONNTRACK"
    sysctl_multi -w net.nf_conntrack_max=$CONNTRACK \
                    net.ipv4.netfilter.ip_conntrack_max=$CONNTRACK \
                    net.ipv4.ip_conntrack_max=$CONNTRACK
  fi

  # Change some default timings to fix false logs generated by "lost connections"
  # Defaults:
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
  # echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
  # echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
  # echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
  # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
  # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
  # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
  # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
  # echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
  ###############################################################################
  # echo " Setting default conntrack timeouts"

  # This is to fix issues with DNS:
  sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout=60 \
                  net.ipv4.netfilter.ip_conntrack_udp_timeout=60

  # sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout_stream=180 \
  #                 net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180

  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  sysctl -w net.netfilter.nf_conntrack_acct=1 2>/dev/null

  # Always set IPv4 options for IPv4 or IPv4/IPv6
  ######################################################
  echo "Configuring kernel parameters:"

  # Disable ICMP send_redirect
  ############################
  echo " Disabling send redirects"
  sysctl_set_all "net.ipv4.conf" "send_redirects" 0
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl_set_all "net.ipv6.conf" "send_redirects" 0
  fi

  # Don't accept source routed packets.
  # Attackers can use source routing to generate
  # traffic pretending to be from inside your network, but which is routed back along
  # the path from which it came, namely outside, so attackers can compromise your
  # network. Source routing is rarely used for legitimate purposes.
  ###################################################################################
  if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
    echo " DISABLING protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 1
    fi
  else
    echo " Enabling protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 0
    fi
  fi

  # ICMP Broadcasting protection (smurf amplifier protection)
  ###########################################################
  sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

  # ICMP Dead Error Messages protection
  #####################################
  sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

  # IP forwarding (need it to perform for example NAT)
  ####################################################
  if [ "$IP_FORWARDING" = "1" ]; then
    echo " Enabling packet forwarding"
    sysctl_set_all "net.ipv4.conf" "forwarding" 1 || sysctl -w net.ipv4.ip_forward=1 || {
      printf "\033[40m\033[1;31m WARNING: net.ipv4.conf.*.forwarding (or net.ipv4.ip_forward) could not be set! If you're using\033[0m\n" >&2
      printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" >&2
    }

    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 1

      echo " Disabling Local IPv6 Auto-Configuration"
      sysctl_set_all "net.ipv6.conf" "autoconf" 0
      ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values
    fi
  elif [ "$IP_FORWARDING" = "0" ]; then
    echo " DISABLING packet forwarding"
    sysctl_set_all "net.ipv4.conf" "forwarding" 0 2>/dev/null || sysctl -w -e net.ipv4.ip_forward=0 2>/dev/null

    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 0 2>/dev/null

      if [ "$IPV6_AUTO_CONFIGURATION" != "0" ]; then
        echo " Enabling IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 1
        sysctl_set_all "net.ipv6.conf" "accept_ra" 1
      else
        echo " DISABLING IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 0
        sysctl_set_all "net.ipv6.conf" "accept_ra" 0
      fi
    fi
  fi

  # Enable some general settings
  ##############################
  echo " Setting some kernel performance options"
  sysctl -w net.ipv4.tcp_window_scaling=1
  sysctl -w net.ipv4.tcp_timestamps=1
  sysctl -w net.ipv4.tcp_sack=1
  sysctl -w net.ipv4.tcp_dsack=1
  sysctl -w net.ipv4.tcp_fack=1
  sysctl -w net.ipv4.tcp_low_latency=0

  # Reduce DoS'ing ability by reducing timeouts
  #############################################################
  if [ "$REDUCE_DOS_ABILITY" = "1" ]; then
    echo " Enabling reduction of the DoS'ing ability"
    sysctl -w net.ipv4.tcp_fin_timeout=30
    sysctl -w net.ipv4.tcp_keepalive_time=1800

    # Set number of times to retry SYN in a new connection
    sysctl -w net.ipv4.tcp_syn_retries=3

    # Set number of times to retry a SYN-ACK in a half-open new connection
    sysctl -w net.ipv4.tcp_synack_retries=2

    # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
    sysctl -w net.ipv4.tcp_rfc1337=1
  elif [ "$REDUCE_DOS_ABILITY" = "0" ]; then
    echo " Disabling reduction of the DoS'ing ability"
    # Defaults:
    sysctl -w net.ipv4.tcp_fin_timeout=60
    sysctl -w net.ipv4.tcp_keepalive_time=7200
    sysctl -w net.ipv4.tcp_syn_retries=5
    sysctl -w net.ipv4.tcp_synack_retries=5
    sysctl -w net.ipv4.tcp_rfc1337=0
  fi

  # Set our local port range. Kernel default = "32768 60999"
  ##########################################################
  if [ -z "$LOCAL_PORT_RANGE" ]; then
    LOCAL_PORT_RANGE="32768 60999"
  fi
  sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE"

  # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace space with :)
  LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')"

  # Add synflood protection?
  ##########################
  if [ "$SYN_PROT" != "0" ]; then
    echo " Enabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=1
  else
    echo " Disabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=0
  fi

  # Use rp_filter to drop connections from non-routable IPs
  ######################################################################
  if [ "$RP_FILTER" = "2" ]; then
    echo " Enabling loose anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 2
  elif [ "$RP_FILTER" = "1" ]; then
    echo " Enabling strict anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 1
  elif [ "$RP_FILTER" = "0" ]; then
    echo " Disabling anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 0
  fi

  # Block ALL ICMP echo requests?
  ###############################
  if [ "$ECHO_IGNORE" = "1" ]; then
    echo " Blocking all ICMP echo-requests"
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
  elif [ "$ECHO_IGNORE" = "0" ]; then
    sysctl -w net.ipv4.icmp_echo_ignore_all=0
  fi

  # Log martians?
  ###############
  if [ "$LOG_MARTIANS" = "1" ]; then
    echo " Enabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 1
  elif [ "$LOG_MARTIANS" = "0" ]; then
    echo " Disabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 0
  fi

  # Accept ICMP redirect messages?
  ################################
  if [ "$ICMP_REDIRECT" = "1" ]; then
    echo " Enabling the acceptance of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 1
    fi
  elif [ "$ICMP_REDIRECT" = "0" ]; then
    echo " Disabling the acceptance of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 0
    fi
  fi

  # Enable ECN? (Explicit Congestion Notification)
  ################################################
  if [ "$ECN" = "1" ]; then
    echo " Enabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=1
  elif [ "$ECN" = "0" ]; then
    echo " Disabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=0
  fi

  # This enables dynamic-address hacking which makes the
  # life with Diald and similar programs much easier.
  ######################################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=1
  elif [ "$EXT_IF_DHCP_IP" = "0" ]; then
    echo " Disabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=0
  fi

  # In most cases pmtu discovery is ok, but in some rare cases (when having problems)
  # you might want to disable it.
  if [ "$NO_PMTU_DISCOVERY" = "1" ]; then
    echo " Disabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=1
  elif [ "$NO_PMTU_DISCOVERY" = "0" ]; then
    echo " Enabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=0
  fi

  # Time To Live (TTL) is the term for a data field in the internet protocol.
  # TTL is today interpreted to indicate the maximum number of routers a packet may transit.
  # Each router that handles a packet will decrement the TTL field by 1.
  # Raise if you have a huge network.
  # Set the default ttl. (Kernel Default: 64)
  ###########################################################################################
  if [ -n "$DEFAULT_TTL" ]; then
    if [ $DEFAULT_TTL -gt 9 -a $DEFAULT_TTL -lt 256 ]; then
      echo " Setting default TTL=$DEFAULT_TTL"
      sysctl -w net.ipv4.ip_default_ttl=$DEFAULT_TTL
    else
      printf "\033[40m\033[1;31m WARNING: Ignoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" >&2
    fi
  fi

  # Increase the default queuelength. (Kernel Default: 1024)
  ##########################################################
  # sysctl -w -e net.ipv4.ip_queue_maxlen=2048

  # With eg. open iscsi some systems may have problems under heavy load. Enable tcp_be_liberal to workaround this
  if [ "$TCP_BE_LIBERAL" = "1" ]; then
    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
  fi

  echo " Flushing route table"
  sysctl -w net.ipv4.route.flush=1
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl -w net.ipv6.route.flush=1
  fi

  echo " Kernel setup done..."

  # Return "no error"
  return 0
}


init_firewall_chains()
{
  echo "Initializing firewall chains"

  # Set INDENT for functions
  INDENT=' '

  # Attempt to flush all IPv4 chains
  ##################################
  ip4tables -F
  ip4tables -X

  # Flush builtin IPv4 chains
  ###########################
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush rules in nat/mangle/raw tables
  ######################################
  ip4tables -t nat -F
  ip4tables -t nat -X
  ip4tables -t mangle -F
  ip4tables -t mangle -X
  try_ip4tables -t raw -F
  try_ip4tables -t raw -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Attempt to flush all IPv6 chains
    ##################################
    ip6tables -F
    ip6tables -X

    # Flush builtin IPv6 chains
    ###########################
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush rules in nat/mangle/raw tables
    ######################################
    try_ip6tables -t nat -F
    try_ip6tables -t nat -X
    ip6tables -t mangle -F
    ip6tables -t mangle -X
    try_ip6tables -t raw -F
    try_ip6tables -t raw -X
  fi

  # Create our "base" chains
  ##########################
  iptables -N BASE_INPUT_CHAIN
  iptables -N BASE_FORWARD_CHAIN
  iptables -N BASE_OUTPUT_CHAIN

  # Accept packets of ESTABLISHED connections
  ###########################################
  iptables -A BASE_INPUT_CHAIN $NF_CONNTRACK_STATE ESTABLISHED -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN $NF_CONNTRACK_STATE ESTABLISHED -j ACCEPT
  iptables -A BASE_OUTPUT_CHAIN $NF_CONNTRACK_STATE ESTABLISHED -j ACCEPT

  # Accept packets of RELATED connections
  #######################################
  iptables -A BASE_INPUT_CHAIN $NF_CONNTRACK_STATE RELATED -p icmp -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN $NF_CONNTRACK_STATE RELATED -p icmp -j ACCEPT

  # Apply conntrack helper chain, fallback to RELATED connections
  ###############################################################
  if kernel_ver_chk 6 0 0 || [ "$(sysctl_get_value net.netfilter.nf_conntrack_helper)" = "0" ]; then
    iptables -N CONNTRACK_HELPER
    iptables -A BASE_INPUT_CHAIN -j CONNTRACK_HELPER
    iptables -A BASE_FORWARD_CHAIN -j CONNTRACK_HELPER
  else
    iptables -A BASE_INPUT_CHAIN $NF_CONNTRACK_STATE RELATED -p tcp --dport 1024: -j ACCEPT
    iptables -A BASE_INPUT_CHAIN $NF_CONNTRACK_STATE RELATED -p udp --dport 1024: -j ACCEPT
    iptables -A BASE_FORWARD_CHAIN $NF_CONNTRACK_STATE RELATED -p tcp --dport 1024: -j ACCEPT
    iptables -A BASE_FORWARD_CHAIN $NF_CONNTRACK_STATE RELATED -p udp --dport 1024: -j ACCEPT
  fi

  # Drop all IPv6 packets with Routing Header Type 0
  ##################################################
  if [ "$IPV6_SUPPORT" = "1" -a "$IPV6_DROP_RH_ZERO" != "0" ]; then
    if try_ip6tables -A BASE_INPUT_CHAIN -m rt --rt-type 0 -j DROP; then
      ip6tables -A BASE_FORWARD_CHAIN -m rt --rt-type 0 -j DROP
      ip6tables -A BASE_OUTPUT_CHAIN -m rt --rt-type 0 -j DROP
    else
      echo " WARNING: IPv6 Routing Header Type 0 matching not supported"
    fi
  fi

  # Accept all packets for the loopback device
  ############################################
  iptables -A BASE_INPUT_CHAIN -i lo -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
  iptables -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT

  # Insert our base chains
  ########################
  iptables -A INPUT -j BASE_INPUT_CHAIN
  iptables -A FORWARD -j BASE_FORWARD_CHAIN
  iptables -A OUTPUT -j BASE_OUTPUT_CHAIN

  # Create several chains that we will use later on
  #################################################
  create_user_chains
}


# Check if the base chains are appropriate for the IPV6_SUPPORT setting
#######################################################################
check_for_base_chains()
{
  local ipv4_rtn ipv6_rtn

  ip4tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1
  ipv4_rtn=$?

  if [ "$IPV6_DETECTED" = "1" ]; then
    ip6tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1
    ipv6_rtn=$?
  else
    # No IPv6 available, therefore no ip6tables call
    # Set a return error result of 1 to specify no IPv6 BASE_INPUT_CHAIN
    ipv6_rtn=1
  fi

  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
      echo "yes"
    elif [ $ipv4_rtn -eq 0 ]; then
      echo "other"
    else
      echo "no"
    fi
  else
    if [ $ipv4_rtn -eq 0 -a $ipv6_rtn -eq 0 ]; then
      echo "other"
    elif [ $ipv4_rtn -eq 0 ]; then
      echo "yes"
    else
      echo "no"
    fi
  fi
}


setup_default_policies()
{
  # Set the default policies for the builtin INPUT & FORWARD tables. The
  # default for other chains (eg. OUTPUT) is always set to ACCEPT.
  #######################################################################
  if [ "$DEFAULT_POLICY_DROP" != "0" ]; then
    echo " Setting all default policies to DROP while \"setting up firewall rules\""
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
  else
    echo " WARNING: Setting all default policies to ACCEPT while \"setting up firewall rules\""
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
  fi

  if [ "$IPV6_SUPPORT" = "1" ]; then
    echo "IPv4/IPv6 mixed mode selected"
  elif [ "$IPV6_DETECTED" = "1" ]; then
    echo "IPv4 mode selected but IPv6 available, DROP all IPv6 packets"
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Allow IPv6 traffic from the loopback (localhost)
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A FORWARD -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # DROP all IPv6 traffic
    ip6tables -A INPUT -j DROP
    ip6tables -A FORWARD -j DROP
    ip6tables -A OUTPUT -j DROP
  else
    echo "IPv4 mode selected, no IPv6 available"
  fi

  # The POST_INPUT_DROP_CHAIN should temporarily DROP for now
  # We'll change this once the rules are in place
  ###########################################################
  iptables -A POST_INPUT_DROP_CHAIN -j DROP

  # The HOST_BLOCK_SRC_DROP chain should always DROP
  ###########################################################
  if [ "$BLOCKED_HOST_LOG" = "1" -o "$BLOCKED_HOST_LOG" = "2" ]; then
    iptables -A HOST_BLOCK_SRC_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked inbound host: "
  fi
  iptables -A HOST_BLOCK_SRC_DROP -j DROP

  # The HOST_BLOCK_DST_DROP chain should always DROP
  ###########################################################
  if [ "$BLOCKED_HOST_LOG" = "1" -o "$BLOCKED_HOST_LOG" = "3" ]; then
    iptables -A HOST_BLOCK_DST_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked outbound host: "
  fi
  iptables -A HOST_BLOCK_DST_DROP -j DROP

  # The LINK_LOCAL_DROP chain should always DROP
  ###########################################################
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ "$LINK_LOCAL_DROP_LOG" != "0" ]; then
      ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped Link-Local: "
    fi
    ip6tables -A LINK_LOCAL_DROP -j DROP
  fi
}


##################################################################################################################
## Chain VALID_CHK - Check packets for invalid flags etc.                                                        ##
##################################################################################################################
setup_valid_chk_chain()
{
  ## Log scanning of nmap etc.
  ############################
  if [ "$SCAN_LOG" != "0" ]; then
    echo "Logging of stealth scans (nmap probes etc.) enabled"

    # (NMAP) FIN/URG/PSH
    ####################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS scan: "

    # SYN/RST/ACK/FIN/URG
    #####################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-PSH scan: "

    # ALL/ALL
    #########
    iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth XMAS-ALL scan: "

    # NMAP FIN Stealth
    ##################
    iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth FIN scan: "

    # SYN/RST
    #########
    iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/RST scan: "

    # SYN/FIN (probably)
    ####################
    iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth SYN/FIN scan?: "

    # Null scan
########### iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE \ -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth Null scan: " else echo "Logging of stealth scans (nmap probes etc.) disabled" fi # Drop (NMAP) scan packets: ########################### # NMAP FIN/URG/PSH ################## iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -j POST_INPUT_DROP_CHAIN # SYN/RST/ACK/FIN/URG ##################### iptables -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j POST_INPUT_DROP_CHAIN # ALL/ALL Scan ############## iptables -A VALID_CHK -p tcp --tcp-flags ALL ALL -j POST_INPUT_DROP_CHAIN # NMAP FIN Stealth ################## iptables -A VALID_CHK -p tcp --tcp-flags ALL FIN -j POST_INPUT_DROP_CHAIN # SYN/RST ######### iptables -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j POST_INPUT_DROP_CHAIN # SYN/FIN -- Scan(probably) ########################### iptables -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j POST_INPUT_DROP_CHAIN # NMAP Null Scan ################ iptables -A VALID_CHK -p tcp --tcp-flags ALL NONE -j POST_INPUT_DROP_CHAIN # These packets are normally from "lost connection" and thus can generate false alarms # So we might want to ignore such packets ###################################################################################### # if [ "$LOST_CONNECTION_LOG" != "1" ]; then # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j POST_INPUT_DROP_CHAIN # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j POST_INPUT_DROP_CHAIN # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j POST_INPUT_DROP_CHAIN # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j POST_INPUT_DROP_CHAIN # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j POST_INPUT_DROP_CHAIN # iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j POST_INPUT_DROP_CHAIN # fi # Here we add some protection from random packets we receive, such as random 
sweeps from other # (possible) hacked computers, or just packets who are invalid, not belonging to ANY connection ############################################################################################### if [ "$INVALID_TCP_LOG" = "1" ]; then echo "Logging of INVALID TCP packets enabled" iptables -A VALID_CHK -p tcp $NF_CONNTRACK_STATE INVALID \ -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID TCP: " else echo "Logging of INVALID TCP packets disabled" fi if [ "$INVALID_UDP_LOG" = "1" ]; then echo "Logging of INVALID UDP packets enabled" iptables -A VALID_CHK -p udp $NF_CONNTRACK_STATE INVALID \ -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID UDP: " else echo "Logging of INVALID UDP packets disabled" fi if [ "$INVALID_ICMP_LOG" = "1" ]; then echo "Logging of INVALID ICMP packets enabled" # Only log INVALID ICMP-request packets when we also want to log "normal" ICMP-request packets if [ "$ICMP_REQUEST_LOG" != "0" ]; then iptables -A VALID_CHK -p icmp --icmp-type echo-request $NF_CONNTRACK_STATE INVALID \ -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-request: " fi # Only log INVALID ICMP-other when enabled in the config if [ "$ICMP_OTHER_LOG" != "0" ]; then iptables -A VALID_CHK -p icmp ! 
--icmp-type echo-request $NF_CONNTRACK_STATE INVALID \ -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-other: " fi else echo "Logging of INVALID ICMP packets disabled" fi # Drop invalid packets ###################### iptables -A VALID_CHK $NF_CONNTRACK_STATE INVALID -j POST_INPUT_DROP_CHAIN # Fragmented packets handling # NOTE: Fragmentation cannot happen with IPv6 (and probably even not with iptables/IPv4) ######################################################################################## if [ "$FRAG_DROP" = "1" ]; then echo "Dropping and logging of IPv4 fragmented packets enabled" ip4tables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: " ip4tables -A VALID_CHK -f -j DROP else echo "Dropping and logging of IPv4 fragmented packets disabled" fi } ################################################################################################################ ## Chain RESERVED_NET_CHK - Check if the source addresses of the packets are (in)valid ## ################################################################################################################ setup_reserved_net_chk_chain() { # Log access from reserved addresses #################################### if [ "$RESERVED_NET_LOG" = "1" ]; then echo "Logging of access from reserved nets enabled" ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: " ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: " ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Private address: " ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Link-local 
address: " ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: " ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 Multicast address: " if [ "$IPV6_SUPPORT" = "1" ]; then # IPv6 not 2000::/3 is non-Global Unicast ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv6 non-Global address: " fi else echo "Logging of access from reserved nets disabled" fi if [ "$RESERVED_NET_DROP" = "1" ]; then # rp_filter drops some of these addresses, but just to be sure :) ################################################################ #echo "Denying access from reserved addresses..." ip4tables -A RESERVED_NET_CHK -s 10.0.0.0/8 -j POST_INPUT_DROP_CHAIN ip4tables -A RESERVED_NET_CHK -s 172.16.0.0/12 -j POST_INPUT_DROP_CHAIN ip4tables -A RESERVED_NET_CHK -s 192.168.0.0/16 -j POST_INPUT_DROP_CHAIN ip4tables -A RESERVED_NET_CHK -s 169.254.0.0/16 -j POST_INPUT_DROP_CHAIN ip4tables -A RESERVED_NET_CHK -s 224.0.0.0/24 -j POST_INPUT_DROP_CHAIN ip4tables -A RESERVED_NET_CHK -s 239.0.0.0/24 -j POST_INPUT_DROP_CHAIN if [ "$IPV6_SUPPORT" = "1" ]; then # IPv6 not 2000::/3 is non-Global Unicast ip6tables -A RESERVED_NET_CHK ! 
-s 2000::/3 -j POST_INPUT_DROP_CHAIN fi fi } ################################################################################################################ ## Chain SPOOF_CHK - Check if the source address is not spoofed ## ################################################################################################################ setup_spoof_chk_chain() { # Anti-spoof protection for the internal net if [ -n "$INT_IF" -a -n "$INTERNAL_NET" ]; then if [ "$INTERNAL_NET_ANTISPOOF" != "0" ]; then printf "Setting up antispoof for INTERNAL net(s): " IFS=' ,' for net in $INTERNAL_NET; do printf "$net " for interface in $INT_IF; do # Any internal net is valid iptables -A SPOOF_CHK -i $interface -s $net -j RETURN done iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: " iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN done echo "" else echo "Antispoof for INTERNAL net(s) DISABLED!" fi fi # Anti-spoof protection for the DMZ net if [ -n "$DMZ_IF" -a -n "$DMZ_NET" ]; then if [ "$DMZ_NET_ANTISPOOF" != "0" ]; then printf "Setting up antispoof for DMZ net(s): " IFS=' ,' for net in $DMZ_NET; do printf "$net " for interface in $DMZ_IF; do # Any dmz net is valid iptables -A SPOOF_CHK -i $interface -s $net -j RETURN done iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: " iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN done echo "" else echo "Antispoof for DMZ net(s) DISABLED!" 
fi fi # Everything else is valid iptables -A SPOOF_CHK -j RETURN } ################################################################ # Setup rules to forward INET IPv6 and non-NAT'ed IPv4 traffic # ################################################################ setup_inet_forward_rules() { # TCP ports to ALLOW for certain INET hosts ######################################### unset IFS for rule in $INET_FORWARD_TCP; do if parse_rule "$rule" INET_FORWARD_TCP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) TCP port(s): $ports from $shosts(INET) to $dhosts" IFS=' ,' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p tcp --dport $port -j ACCEPT done done done done fi done # UDP ports to ALLOW for certain INET hosts ######################################### unset IFS for rule in $INET_FORWARD_UDP; do if parse_rule "$rule" INET_FORWARD_UDP "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; then echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) UDP port(s): $ports from $shosts(INET) to $dhosts" IFS=' ,' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! 
-o $interface -s $shost -d $dhost -p udp --dport $port -j ACCEPT done done done done fi done # (Other) IP protocols to ALLOW for certain INET hosts ###################################################### unset IFS for rule in $INET_FORWARD_IP; do if parse_rule "$rule" INET_FORWARD_IP "interfaces:EXT_IF-shosts-dhosts-protos"; then echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) IP protocol(s): $protos from $shosts(INET) to $dhosts" IFS=' ,' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do for interface in $interfaces; do iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p $proto -j ACCEPT done done done done fi done } ################################################## # Setup chain for the DMZ input traffic # ################################################## setup_dmz_input_chain() { # Add TCP ports to allow for certain hosts ########################################## unset IFS for rule in $DMZ_HOST_OPEN_TCP; do if parse_rule "$rule" DMZ_HOST_OPEN_TCP "hosts-ports"; then echo " Allowing $hosts(DMZ) for TCP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do iptables -A DMZ_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT done done fi done # Add UDP ports to allow for certain hosts ########################################## unset IFS for rule in $DMZ_HOST_OPEN_UDP; do if parse_rule "$rule" DMZ_HOST_OPEN_UDP "hosts-ports"; then echo " Allowing $hosts(DMZ) for UDP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do iptables -A DMZ_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT done done fi done # Add IP protocols to allow for certain hosts ############################################# unset IFS for rule in $DMZ_HOST_OPEN_IP; do if parse_rule "$rule" DMZ_HOST_OPEN_IP "hosts-protos"; then echo " Allowing $hosts(DMZ) for IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; 
do iptables -A DMZ_INPUT_CHAIN -s $host -p $proto -j ACCEPT done done fi done # Adding TCP ports NOT to be firewalled ####################################### if [ -n "$DMZ_OPEN_TCP" ]; then echo " Allowing TCP port(s): $DMZ_OPEN_TCP" IFS=' ,' for port in $DMZ_OPEN_TCP; do iptables -A DMZ_INPUT_CHAIN -p tcp --dport $port -j ACCEPT done fi # Adding UDP ports NOT to be firewalled ####################################### if [ -n "$DMZ_OPEN_UDP" ]; then echo " Allowing UDP port(s): $DMZ_OPEN_UDP" IFS=' ,' for port in $DMZ_OPEN_UDP; do iptables -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT done fi # Adding IP protocols NOT to be firewalled ########################################## if [ -n "$DMZ_OPEN_IP" ]; then echo " Allowing IP protocol(s): $DMZ_OPEN_IP" IFS=' ,' for proto in $DMZ_OPEN_IP; do iptables -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT done fi # Allow to send ICMP packets? ############################# if [ "$DMZ_OPEN_ICMP" != "0" ]; then echo " Allowing ICMP-requests(ping)" iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT if [ "$IPV6_SUPPORT" = "1" ]; then unset IFS for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do ip6tables -A DMZ_INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT done fi fi # Log incoming ICMP-request packets? 
#################################### if [ "$ICMP_REQUEST_LOG" != "0" ]; then iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: " fi # Drop ICMP packets iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP # Log everything else if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ-INPUT denied: " fi # Everything else is denied iptables -A DMZ_INPUT_CHAIN -j DROP } ################################################## # Setup chain for the DMZ-to-LAN forward traffic # ################################################## setup_dmz_lan_forward_chain() { echo " Setting up DMZ->LAN policy" # TCP ports to ALLOW for certain DMZ hosts ########################################## unset IFS for rule in $DMZ_LAN_HOST_OPEN_TCP; do if parse_rule "$rule" DMZ_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT done done done fi done # UDP ports to ALLOW for certain DMZ hosts ########################################## unset IFS for rule in $DMZ_LAN_HOST_OPEN_UDP; do if parse_rule "$rule" DMZ_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " Allowing $shosts(DMZ) to $dhosts(LAN) for UDP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT done done done fi done # IP protocol(s) to ALLOW for certain DMZ hosts ############################################### unset IFS for rule in $DMZ_LAN_HOST_OPEN_IP; do if parse_rule "$rule" 
DMZ_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then echo " Allowing $shosts(DMZ) to $dhosts(LAN) for IP protocol(s): $protos" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT done done done fi done # Allow ICMP-requests(ping) for DMZ->LAN? ########################################## if [ "$DMZ_LAN_OPEN_ICMP" = "1" ]; then echo " Allowing ICMP-requests(ping)" iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # Log incoming ICMP-request packets? #################################### if [ "$ICMP_REQUEST_LOG" != "0" ]; then iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: " fi # Drop ICMP packets iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP # Log everything else if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->LAN denied: " fi # Everything else is denied iptables -A DMZ_LAN_FORWARD_CHAIN -j DROP } ################################################### # Setup chain for the INET-to-DMZ forward traffic # ################################################### setup_inet_dmz_forward_chain() { echo " Setting up INET->DMZ policy" # TCP ports to ALLOW for certain INET hosts ######################################### unset IFS for rule in $INET_DMZ_HOST_OPEN_TCP; do if parse_rule "$rule" INET_DMZ_HOST_OPEN_TCP "interfaces-shosts-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN 
$(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT done done done done fi done # UDP ports to ALLOW for certain INET hosts ######################################### unset IFS for rule in $INET_DMZ_HOST_OPEN_UDP; do if parse_rule "$rule" INET_DMZ_HOST_OPEN_UDP "interfaces-shosts-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT done done done done fi done # (Other) IP protocols to ALLOW for certain INET hosts ###################################################### unset IFS for rule in $INET_DMZ_HOST_OPEN_IP; do if parse_rule "$rule" INET_DMZ_HOST_OPEN_IP "interfaces-shosts-dhosts-protos"; then echo " $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto -j ACCEPT done done done done fi done # TCP ports to DENY for certain INET hosts ######################################### unset IFS for rule in $INET_DMZ_HOST_DENY_TCP; do if parse_rule "$rule" INET_DMZ_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port \ -m limit --limit 1/h --limit-burst 1 -j LOG 
--log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP done done done done fi done # UDP ports to DENY for certain INET hosts ######################################### unset IFS for rule in $INET_DMZ_HOST_DENY_UDP; do if parse_rule "$rule" INET_DMZ_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP done done done done fi done # (Other) IP protocols to DENY for certain INET hosts ##################################################### unset IFS for rule in $INET_DMZ_HOST_DENY_IP; do if parse_rule "$rule" INET_DMZ_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then echo " $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto -j DROP done done done done fi done # Allow only certain TCP ports to be used from the 
INET->DMZ? ############################################################# unset IFS for rule in $INET_DMZ_OPEN_TCP; do if parse_rule "$rule" INET_DMZ_OPEN_TCP "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing TCP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j ACCEPT done done done fi done # Allow only certain UDP ports to be used from the INET->DMZ? ############################################################# unset IFS for rule in $INET_DMZ_OPEN_UDP; do if parse_rule "$rule" INET_DMZ_OPEN_UDP "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing UDP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j ACCEPT done done done fi done # Allow only certain IP protocols to be used from the INET->DMZ? ################################################################ unset IFS for rule in $INET_DMZ_OPEN_IP; do if parse_rule "$rule" INET_DMZ_OPEN_IP "interfaces-destips-protos"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing IP protocol(s): $protos" IFS=',' for proto in $protos; do for destip in $destips; do for interface in $interfaces; do iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j ACCEPT done done done fi done # Allow ICMP-requests(ping) for INET->DMZ? 
########################################## if [ "$INET_DMZ_OPEN_ICMP" = "1" ]; then echo " Allowing ICMP-requests(ping)" iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # TCP ports to DENY for INET->DMZ ################################# unset IFS for rule in $INET_DMZ_DENY_TCP; do if parse_rule "$rule" INET_DMZ_DENY_TCP "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Denying TCP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j DROP done done done fi done # UDP ports to DENY for INET->DMZ ################################# unset IFS for rule in $INET_DMZ_DENY_UDP; do if parse_rule "$rule" INET_DMZ_DENY_UDP "interfaces-destips-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Denying UDP port(s): $ports" IFS=',' for port in $ports; do for destip in $destips; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j DROP done done done fi done # IP protocols to DENY for INET->DMZ #################################### unset IFS for rule in $INET_DMZ_DENY_IP; do if parse_rule "$rule" INET_DMZ_DENY_IP "interfaces-destips-protos"; then echo " $(show_if_ip "$interfaces" "$destips")Denying IP protocol(s): $protos" IFS=',' for proto in $protos; do for destip 
in $destips; do for interface in $interfaces; do if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j DROP done done done fi done # Log incoming ICMP-request packets? #################################### if [ "$ICMP_REQUEST_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: " fi echo " Denying all other INET->DMZ packets" # Drop ICMP packets iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then iptables -A INET_DMZ_FORWARD_CHAIN \ -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: " fi iptables -A INET_DMZ_FORWARD_CHAIN -j DROP } ################################################### # Setup chain for the DMZ-to-INET forward traffic # ################################################### setup_dmz_inet_forward_chain() { echo " Setting up DMZ->INET policy" # TCP ports to ALLOW for certain DMZ hosts ######################################### unset IFS for rule in $DMZ_INET_HOST_OPEN_TCP; do if parse_rule "$rule" DMZ_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT done done done done fi done # UDP ports to ALLOW for certain DMZ hosts ######################################### unset IFS 
for rule in $DMZ_INET_HOST_OPEN_UDP; do if parse_rule "$rule" DMZ_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT done done done done fi done # (Other) IP protocols to ALLOW for certain DMZ hosts ##################################################### unset IFS for rule in $DMZ_INET_HOST_OPEN_IP; do if parse_rule "$rule" DMZ_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then echo " $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j ACCEPT done done done done fi done # TCP ports to DENY for certain DMZ hosts ######################################### unset IFS for rule in $DMZ_INET_HOST_DENY_TCP; do if parse_rule "$rule" DMZ_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP done done done done 
fi done # UDP ports to DENY for certain DMZ hosts ######################################### unset IFS for rule in $DMZ_INET_HOST_DENY_UDP; do if parse_rule "$rule" DMZ_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for port in $ports; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP done done done done fi done # (Other) IP protocols to DENY for certain DMZ hosts ##################################################### unset IFS for rule in $DMZ_INET_HOST_DENY_IP; do if parse_rule "$rule" DMZ_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then echo " $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos" IFS=',' for shost in `ip_range "$shosts"`; do for dhost in `ip_range "$dhosts"`; do for proto in $protos; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j DROP done done done done fi done # Allow only certain TCP ports to be used from the DMZ->INET? 
############################################################# unset IFS for rule in $DMZ_INET_OPEN_TCP; do if parse_rule "$rule" DMZ_INET_OPEN_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j ACCEPT done done fi done # Allow only certain UDP ports to be used from the DMZ->INET? ############################################################# unset IFS for rule in $DMZ_INET_OPEN_UDP; do if parse_rule "$rule" DMZ_INET_OPEN_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j ACCEPT done done fi done # Allow only certain IP protocols to be used from the DMZ->INET? ################################################################ unset IFS for rule in $DMZ_INET_OPEN_IP; do if parse_rule "$rule" DMZ_INET_OPEN_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j ACCEPT done done fi done # TCP ports to DENY for DMZ->INET ################################# unset IFS for rule in $DMZ_INET_DENY_TCP; do if parse_rule "$rule" DMZ_INET_DENY_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j DROP done done fi 
done # UDP ports to DENY for DMZ->INET ################################# unset IFS for rule in $DMZ_INET_DENY_UDP; do if parse_rule "$rule" DMZ_INET_DENY_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j DROP done done fi done # IP protocols to DENY for DMZ->INET #################################### unset IFS for rule in $DMZ_INET_DENY_IP; do if parse_rule "$rule" DMZ_INET_DENY_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Denying IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: " fi iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j DROP done done fi done # Allow ICMP-requests(ping) for DMZ->INET? ########################################## if [ "$DMZ_INET_OPEN_ICMP" != "0" ]; then echo " Allowing ICMP-requests(ping)" iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # Log incoming ICMP-request packets? 
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" -a "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
    iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP-request packets. Only echo-requests are matched here;
  # other ICMP types fall through to the default policy below
  iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy: as soon as any DMZ_INET_(HOST_)OPEN_xxx variable is set,
  # all remaining traffic is DROPped, unless DMZ_INET_DEFAULT_POLICY_DROP=0 forces ACCEPT
  #########################################################################################
  if [ -z "$DMZ_INET_OPEN_TCP" -a -z "$DMZ_INET_HOST_OPEN_TCP" -a \
       -z "$DMZ_INET_OPEN_UDP" -a -z "$DMZ_INET_HOST_OPEN_UDP" -a \
       -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" -a -z "$DMZ_INET_DEFAULT_POLICY_DROP" ] \
     || [ "$DMZ_INET_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j ACCEPT
  else
    if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A DMZ_INET_FORWARD_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
    fi
    echo " Denying all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j DROP
  fi
}


#########################################
# Setup chain for the LAN input traffic #
#########################################
setup_int_input_chain()
{
  # TCP ports to OPEN for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_HOST_OPEN_TCP "hosts-ports"; then
      echo " Allowing $hosts(LAN) for TCP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # UDP ports to OPEN for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_HOST_OPEN_UDP "hosts-ports"; then
      echo " Allowing $hosts(LAN) for UDP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # IP protocols to OPEN for certain LAN hosts
  ############################################
  unset IFS
  for rule in $LAN_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_HOST_OPEN_IP "hosts-protos"; then
      echo " Allowing $hosts(LAN) for IP protocol(s): $protos"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          iptables -A INT_INPUT_CHAIN -s $host -p $proto -j ACCEPT
        done
      done
    fi
  done

  # TCP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_DENY_TCP; do
    if parse_rule "$rule" LAN_HOST_DENY_TCP "hosts:ANYHOST-ports:ANYPORT"; then
      echo " Denying $hosts(LAN) for TCP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # UDP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_DENY_UDP; do
    if parse_rule "$rule" LAN_HOST_DENY_UDP "hosts:ANYHOST-ports:ANYPORT"; then
      echo " Denying $hosts(LAN) for UDP port(s): $ports"
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j DROP
        done
      done
    fi
  done

  # IP protocols to DENY for certain LAN hosts
  ############################################
  unset IFS
  for rule in $LAN_HOST_DENY_IP; do
    if parse_rule "$rule" LAN_HOST_DENY_IP "hosts:ANYHOST-protos"; then
echo " Denying $hosts(LAN) for IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then iptables -A INT_INPUT_CHAIN -s $host -p $proto \ -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: " fi iptables -A INT_INPUT_CHAIN -s $host -p $proto -j DROP done done fi done # Allow only certain TCP ports to be used from the LAN? ####################################################### if [ -n "$LAN_OPEN_TCP" ]; then echo " Allowing TCP port(s): $LAN_OPEN_TCP" IFS=' ,' for port in $LAN_OPEN_TCP; do iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j ACCEPT done fi # Allow only certain UDP ports to be used from the LAN? ####################################################### if [ -n "$LAN_OPEN_UDP" ]; then echo " Allowing UDP port(s): $LAN_OPEN_UDP" IFS=' ,' for port in $LAN_OPEN_UDP; do iptables -A INT_INPUT_CHAIN -p udp --dport $port -j ACCEPT done fi # Allow only certain IP protocols to be used from the LAN? 
  ##########################################################
  if [ -n "$LAN_OPEN_IP" ]; then
    echo " Allowing IP protocol(s): $LAN_OPEN_IP"
    IFS=' ,'
    for proto in $LAN_OPEN_IP; do
      iptables -A INT_INPUT_CHAIN -p $proto -j ACCEPT
    done
  fi

  # TCP ports to DENY for LAN hosts
  #################################
  if [ -n "$LAN_DENY_TCP" ]; then
    echo " Denying TCP port(s): $LAN_DENY_TCP"
    IFS=' ,'
    for port in $LAN_DENY_TCP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p tcp --dport $port -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j DROP
    done
  fi

  # UDP ports to DENY for LAN hosts
  #################################
  if [ -n "$LAN_DENY_UDP" ]; then
    echo " Denying UDP port(s): $LAN_DENY_UDP"
    IFS=' ,'
    for port in $LAN_DENY_UDP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p udp --dport $port -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p udp --dport $port -j DROP
    done
  fi

  # IP protocols to DENY for LAN hosts
  ####################################
  if [ -n "$LAN_DENY_IP" ]; then
    echo " Denying IP protocol(s): $LAN_DENY_IP"
    IFS=' ,'
    for proto in $LAN_DENY_IP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p $proto -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p $proto -j DROP
    done
  fi

  # Allow LAN hosts to ping this machine (ICMP echo-request)?
  ###########################################################
  if [ "$LAN_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" -a "$LAN_INPUT_DENY_LOG" != "0" ]; then
    iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP-request packets
  iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy: as soon as any LAN_(HOST_)OPEN_xxx variable is set,
  # all remaining traffic is DROPped, unless LAN_DEFAULT_POLICY_DROP=0 forces ACCEPT
  ####################################################################################
  if [ -z "$LAN_OPEN_TCP" -a -z "$LAN_HOST_OPEN_TCP" -a \
       -z "$LAN_OPEN_UDP" -a -z "$LAN_HOST_OPEN_UDP" -a \
       -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" -a -z "$LAN_DEFAULT_POLICY_DROP" ] \
     || [ "$LAN_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A INT_INPUT_CHAIN -j ACCEPT
  else
    echo " Denying all (other) ports/protocols"
    if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
      iptables -A INT_INPUT_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
    fi
    iptables -A INT_INPUT_CHAIN -j DROP
  fi
}


##################################################
# Setup chain for the LAN-to-LAN forward traffic #
##################################################
setup_lan_lan_forward_chain()
{
  local rtn_val=1

  echo " Setting up LAN->LAN policy"

  # TCP ports to ALLOW for certain Inter-LAN hosts
  ################################################
  unset IFS
  for rule in $LAN_LAN_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            rtn_val=0
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain Inter-LAN hosts
  ################################################
  unset IFS
  for rule in $LAN_LAN_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            rtn_val=0
          done
        done
      done
    fi
  done

  # IP protocol(s) to ALLOW for certain Inter-LAN hosts
  #####################################################
  unset IFS
  for rule in $LAN_LAN_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then
      echo " Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT
            rtn_val=0
          done
        done
      done
    fi
  done

  # ICMP enable Inter-LAN hosts
  #############################
  unset IFS
  if [ "$LAN_LAN_OPEN_ICMP" = "1" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A LAN_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  return $rtn_val
}


###################################################
# Setup chain for the LAN-to-INET forward traffic #
###################################################
setup_lan_inet_forward_chain()
{
  echo " Setting up LAN->INET policy"

  # TCP ports to ALLOW for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain LAN hosts
  #####################################################
  unset IFS
  for rule in $LAN_INET_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # TCP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_TCP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_UDP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain LAN hosts
  #####################################################
  unset IFS
  for rule in $LAN_INET_HOST_DENY_IP; do
    if parse_rule "$rule" LAN_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
      echo " $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
      IFS=','
      for shost in `ip_range "$shosts"`; do
        for dhost in `ip_range "$dhosts"`; do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
              fi
              iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the LAN->INET?
############################################################# unset IFS for rule in $LAN_INET_OPEN_TCP; do if parse_rule "$rule" LAN_INET_OPEN_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j ACCEPT done done fi done # Allow only certain UDP ports to be used from the LAN->INET? ############################################################# unset IFS for rule in $LAN_INET_OPEN_UDP; do if parse_rule "$rule" LAN_INET_OPEN_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Allowing UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j ACCEPT done done fi done # Allow only certain IP protocols to be used from the LAN->INET? ################################################################ unset IFS for rule in $LAN_INET_OPEN_IP; do if parse_rule "$rule" LAN_INET_OPEN_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j ACCEPT done done fi done # TCP ports to DENY for LAN->INET ################################# unset IFS for rule in $LAN_INET_DENY_TCP; do if parse_rule "$rule" LAN_INET_DENY_TCP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying TCP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " fi iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j DROP done done fi 
done # UDP ports to DENY for LAN->INET ################################# unset IFS for rule in $LAN_INET_DENY_UDP; do if parse_rule "$rule" LAN_INET_DENY_UDP "interfaces-ports"; then echo " $(show_if_ip "$interfaces")Denying UDP port(s): $ports" IFS=',' for port in $ports; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " fi iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j DROP done done fi done # IP protocols to DENY for LAN->INET #################################### unset IFS for rule in $LAN_INET_DENY_IP; do if parse_rule "$rule" LAN_INET_DENY_IP "interfaces-protos"; then echo " $(show_if_ip "$interfaces")Denying IP protocol(s): $protos" IFS=',' for proto in $protos; do for interface in $interfaces; do if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -m limit \ --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " fi iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j DROP done done fi done # Allow ICMP-requests(ping) for LAN->INET? ########################################## if [ "$LAN_INET_OPEN_ICMP" != "0" ]; then echo " Allowing ICMP-requests(ping)" iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \ -m limit --limit 20/second --limit-burst 100 -j ACCEPT fi # Log incoming ICMP-request packets? 
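# Added example (not part of arno-iptables-firewall): a dry-run model of one of the
# zone chains built in this file (DMZ->INET, LAN input and LAN->INET all share the
# same shape). It records rules in the order the setup_*_chain functions append them
# (HOST_OPEN, HOST_DENY, OPEN, DENY, ICMP, default policy) and resolves a packet
# against them with iptables' first-match semantics. It shows two things a config
# reviewer should know: a HOST_DENY rule can never override a HOST_OPEN rule for the
# same host/port because the OPEN rules are appended first, and setting any
# xxx_OPEN_xxx variable silently flips the default for everything else to DROP unless
# xxx_DEFAULT_POLICY_DROP=0 is set explicitly. The "host:port" entry syntax and the
# names add_rule/build_zone_chain/first_match are this example's own assumptions; the
# real parse_rule syntax is not reproduced. Only TCP and ping are modelled.

```shell
#!/bin/sh
# Dry-run model of an AIF zone chain (example only, not project code).
# A rule is one line "SRC PROTO DPORT TARGET"; the literal ANY matches anything.
RULES=""

add_rule() {
  # Stand-in for "iptables -A <zone chain> ...": rules are only ever appended
  RULES="${RULES}$1 $2 $3 $4
"
}

build_zone_chain() {
  # $1 HOST_OPEN_TCP  $2 HOST_DENY_TCP  (space separated "host:port" entries, assumed syntax)
  # $3 OPEN_TCP       $4 DENY_TCP       (space separated ports)
  # $5 OPEN_ICMP      $6 DEFAULT_POLICY_DROP (may be empty, as in an untouched config)
  RULES=""
  IFS=' '
  for r in $1; do add_rule "${r%%:*}" tcp "${r##*:}" ACCEPT; done   # HOST_OPEN rules first
  for r in $2; do add_rule "${r%%:*}" tcp "${r##*:}" DROP;   done   # HOST_DENY rules after them
  for p in $3; do add_rule ANY tcp "$p" ACCEPT; done                # OPEN
  for p in $4; do add_rule ANY tcp "$p" DROP;   done                # DENY
  if [ "$5" != "0" ]; then add_rule ANY icmp echo-request ACCEPT; fi
  add_rule ANY icmp echo-request DROP                               # unconditional, as in the script
  # Same test the script's default-policy block uses: nothing opened and no explicit
  # override => ACCEPT, explicit xxx_DEFAULT_POLICY_DROP=0 => ACCEPT, anything else => DROP
  if [ -z "$1" ] && [ -z "$3" ] && [ -z "$6" ] || [ "$6" = "0" ]; then
    add_rule ANY ANY ANY ACCEPT
  else
    add_rule ANY ANY ANY DROP
  fi
  unset IFS
}

first_match() {
  # $1 proto  $2 dport  $3 src  -> prints the target of the first rule that matches
  printf '%s' "$RULES" | while read -r src proto dport target; do
    if [ "$src" = ANY ] || [ "$src" = "$3" ]; then
      if [ "$proto" = ANY ] || [ "$proto" = "$1" ]; then
        if [ "$dport" = ANY ] || [ "$dport" = "$2" ]; then
          echo "$target"
          break
        fi
      fi
    fi
  done
}

# Worked scenarios (all addresses are constructed for this example)
# 1. Untouched config: everything is allowed except ping, which the explicit rule drops
build_zone_chain "" "" "" "" 0 ""
echo "untouched: smtp -> $(first_match tcp 25 192.168.1.10), ping -> $(first_match icmp echo-request 192.168.1.10)"
# 2. Opening two ports flips the default to DROP for everything else
build_zone_chain "" "" "80 443" "" 1 ""
echo "open 80,443: https -> $(first_match tcp 443 192.168.1.10), smtp -> $(first_match tcp 25 192.168.1.10)"
# 3. HOST_DENY for the same host/port as HOST_OPEN is shadowed by the earlier ACCEPT
build_zone_chain "192.168.1.10:25" "192.168.1.10:25" "" "" 1 ""
echo "open+deny same tuple: smtp -> $(first_match tcp 25 192.168.1.10)"
# 4. xxx_DEFAULT_POLICY_DROP=0 keeps the default ACCEPT even with ports opened
build_zone_chain "" "" "80" "" 1 0
echo "open 80 + DEFAULT_POLICY_DROP=0: smtp -> $(first_match tcp 25 192.168.1.10)"
```

# Scenario 3 is the one to check in a real config review: to block a host on a port
# you must not also list it in a *_HOST_OPEN_* variable, since the ACCEPT wins.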
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" -a "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
    iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP-request packets
  iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy: as soon as any LAN_INET_(HOST_)OPEN_xxx variable is set,
  # all remaining traffic is DROPped, unless LAN_INET_DEFAULT_POLICY_DROP=0 forces ACCEPT
  #########################################################################################
  if [ -z "$LAN_INET_OPEN_TCP" -a -z "$LAN_INET_HOST_OPEN_TCP" -a \
       -z "$LAN_INET_OPEN_UDP" -a -z "$LAN_INET_HOST_OPEN_UDP" -a \
       -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" -a -z "$LAN_INET_DEFAULT_POLICY_DROP" ] \
     || [ "$LAN_INET_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A LAN_INET_FORWARD_CHAIN -j ACCEPT
  else
    if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A LAN_INET_FORWARD_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
    fi
    echo " Denying all (other) ports/protocols"
    iptables -A LAN_INET_FORWARD_CHAIN -j DROP
  fi
}


######################################################################################################################
## Chain EXT_INPUT_CHAIN - Checks all incoming packets for the EXTERNAL interface(s)                                 ##
######################################################################################################################
setup_ext_input_chain()
{
  ## Log scanning of port 0 fingerprinting
  ########################################
  if [ "$SCAN_LOG" != "0" ]; then
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
    iptables -A EXT_INPUT_CHAIN -p udp --dport 0 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
  fi

  # Drop port 0 scan packets
  ##########################
  iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp --dport 0 -j POST_INPUT_DROP_CHAIN

  ## Log scanning of source port 0
  ################################
  if [ "$SCAN_LOG" != "0" ]; then
    iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 \
      -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP source port 0: "
    iptables -A EXT_INPUT_CHAIN -p udp --sport 0 \
      -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP source port 0: "
  fi

  # Drop source port 0 packets
  ############################
  iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp --sport 0 -j POST_INPUT_DROP_CHAIN

  # Here we add support for DHCP assigned IP
  ##########################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling support for DHCP-assigned-IP (DHCP client)"
    # Allow this host to be a DHCP client:
    ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
  fi

  if [ "$EXT_IF_DHCP_IP" = "1" -o "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Allow this host to be a DHCPv6 client:
      ip6tables -A EXT_INPUT_CHAIN -d fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
    fi
  fi

  # Support for a DHCP/BootP service on the EXTERNAL interface
  ############################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" ]; then
    echo " Enabling support for DHCP/BOOTP (DHCP server) for subnet(s): $EXTERNAL_NET"
    IFS=' ,'
    for net in $EXTERNAL_NET; do
      # Allow this host to be a DHCP/BOOTP-server:
      ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --dport 67 -j ACCEPT
#      ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
#      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 68 --dport 67 -j ACCEPT

      # Extra rules to allow packets from other dhcp servers in the same segment
      ip4tables -A EXT_INPUT_CHAIN -s $net -d 255.255.255.255 -p udp --sport 67 --dport 68 -j ACCEPT
    done
  fi

  # Support for a DHCPv6 service on the EXTERNAL interface
  ########################################################
  if [ "$IPV6_SUPPORT" = "1" -a "$EXTERNAL_DHCPV6_SERVER" = "1" ]; then
    echo " Enabling support for DHCPv6 server on external interface(s)"
    # Allow only Link-Local clients
    ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --dport 547 -j ACCEPT
  fi

  # This is the fix(hack) for nmb broadcast packets (nmblookup/Samba).
  # Note that it trusts the source port: any host in $EXTERNAL_NET that sends
  # from UDP port 137 can reach the whole local port range ($LOCAL_PORT_RANGE)
  ###################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" ]; then
    echo " Enabling support for NMB-broadcasts(Samba) for subnet(s): $EXTERNAL_NET"
    IFS=' ,'
    for net in $EXTERNAL_NET; do
      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 137 --dport "$LOCAL_PORT_RANGE" -j ACCEPT
    done
  fi

  # Enable logging of blocked hosts?
  ##################################
  if [ "$BLOCKED_HOST_LOG" = "1" ]; then
    echo " Logging of explicitly blocked hosts inbound/outbound enabled"
  elif [ "$BLOCKED_HOST_LOG" = "2" ]; then
    echo " Logging of explicitly blocked hosts inbound enabled"
  elif [ "$BLOCKED_HOST_LOG" = "3" ]; then
    echo " Logging of explicitly blocked hosts outbound enabled"
  else
    echo " Logging of explicitly blocked hosts disabled"
  fi

  # Enable logging of denied output connections?
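# Added example (not part of arno-iptables-firewall): a small triage helper for the
# kernel log lines produced by the LOG rules in this file. Every LOG rule tags its
# line with an "AIF:<what>: " prefix ("AIF:LAN->INET denied: ", "AIF:Host INET denied: ",
# "AIF:ICMP-request: ", "AIF:Port 0 OS fingerprint: " and so on) and the kernel's LOG
# target appends the usual IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields. The two
# functions count lines per prefix, and per (SRC, DST, PROTO, DPT) for the denied and
# rejected prefixes only. Read the numbers with the rate limits in mind: the per-host
# DENY rules log at most one line per hour per rule (--limit 1/h --limit-burst 1) and
# the chain-wide ones one per second, so these are counts of logged samples, not of
# dropped packets. The function names, sample lines and addresses are constructed for
# this example.

```shell
#!/bin/sh
# Summarise AIF kernel log lines (example helper, not project code).

# Constructed sample: prefixes match the LOG rules in this file, the field layout is
# the kernel LOG target's; addresses are from documentation ranges. One unrelated
# kernel line is included to show it is ignored.
AIF_SAMPLE_LOG='Jul 12 10:01:02 gw kernel: [1234.5678] AIF:LAN->INET denied: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 12 10:01:03 gw kernel: [1235.1111] AIF:LAN->INET denied: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=51001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 12 10:02:10 gw kernel: [1302.0001] AIF:Host LAN->INET denied: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:cc:dd:08:00 SRC=192.168.1.20 DST=198.51.100.7 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=UDP SPT=40001 DPT=53 LEN=53
Jul 12 10:03:00 gw kernel: [1352.4242] AIF:ICMP-request: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:ee:ff:08:00 SRC=192.0.2.9 DST=203.0.113.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Jul 12 10:03:30 gw kernel: [1382.0000] AIF:Port 0 OS fingerprint: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:ee:ff:08:00 SRC=192.0.2.9 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=TCP SPT=12345 DPT=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 10:04:00 gw kernel: [1412.0000] eth0: link is up'

aif_count_prefixes() {
  # stdin: log lines -> "count<TAB>prefix", busiest prefix first
  awk '{
    i = index($0, "AIF:"); if (i == 0) next
    rest = substr($0, i + 4)
    p = index(rest, ": IN="); if (p == 0) next
    n[substr(rest, 1, p - 1)]++
  }
  END { for (k in n) printf "%d\t%s\n", n[k], k }' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

aif_top_denied() {
  # stdin: log lines -> "count SRC DST PROTO DPT" for the denied/rejected prefixes only
  awk '/AIF:[^:]*(denied|rejected): IN=/ {
    src = dst = proto = dpt = "-"
    for (f = 1; f <= NF; f++) {
      if      ($f ~ /^SRC=/)   src   = substr($f, 5)
      else if ($f ~ /^DST=/)   dst   = substr($f, 5)
      else if ($f ~ /^PROTO=/) proto = substr($f, 7)
      else if ($f ~ /^DPT=/)   dpt   = substr($f, 5)
    }
    n[src " " dst " " proto " " dpt]++
  }
  END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# On a live box feed the real log instead, e.g. the file this version rotates:
#   aif_top_denied < /var/log/arno-iptables-firewall
printf '%s\n' "$AIF_SAMPLE_LOG" | aif_count_prefixes
printf '%s\n' "$AIF_SAMPLE_LOG" | aif_top_denied
```

# For the sample above the first function reports 2 "LAN->INET denied" lines and one
# each for "Host LAN->INET denied", "ICMP-request" and "Port 0 OS fingerprint"; the
# second reports 192.168.1.10 -> 203.0.113.5 TCP/25 twice and 192.168.1.20 ->
# 198.51.100.7 UDP/53 once. Ping and port-0 lines are not denials and are left out.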
############################################## if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then echo " Logging of denied local output connections enabled" else echo " Logging of denied local output connections disabled" fi # Add TCP ports to allow for certain hosts ########################################## unset IFS for rule in $HOST_OPEN_TCP; do if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j ACCEPT done done done done fi done # Add UDP ports to allow for certain hosts ########################################## unset IFS for rule in $HOST_OPEN_UDP; do if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j ACCEPT done done done done fi done # Add IP protocols to allow for certain hosts ############################################# unset IFS for rule in $HOST_OPEN_IP; do if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos" IFS=',' for host in `ip_range "$hosts"`; do for proto in $protos; do for destip in $destips; do for interface in $interfaces; do iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j ACCEPT done done done done fi done # Add ICMP to allow for certain hosts ##################################### unset IFS for rule in $HOST_OPEN_ICMP; do if parse_rule 
"$rule" HOST_OPEN_ICMP "interfaces-destips-hosts"; then echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)" IFS=',' for host in `ip_range "$hosts"`; do for destip in $destips; do for interface in $interfaces; do iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -j ACCEPT done done done fi done # Add TCP ports to REJECT for certain hosts but NOT logged ########################################################## unset IFS for rule in $HOST_REJECT_TCP_NOLOG; do if parse_rule "$rule" HOST_REJECT_TCP_NOLOG "interfaces-destips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s) (NO LOG): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset done done done done fi done # Add UDP ports to REJECT for certain hosts NOT logged ###################################################### unset IFS for rule in $HOST_REJECT_UDP_NOLOG; do if parse_rule "$rule" HOST_REJECT_UDP_NOLOG "interfaces-destips-hosts-ports"; then echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s) (NO LOG): $ports" IFS=',' for host in `ip_range "$hosts"`; do for port in $ports; do for destip in $destips; do for interface in $interfaces; do ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable fi done done done done fi done # Add TCP ports to REJECT for certain hosts ########################################### unset IFS for rule in $HOST_REJECT_TCP; do if parse_rule "$rule" 
HOST_REJECT_TCP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP rejected: "
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to REJECT for certain hosts
  ###########################################
  unset IFS
  for rule in $HOST_REJECT_UDP; do
    if parse_rule "$rule" HOST_REJECT_UDP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP rejected: "
              ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
              if [ "$IPV6_SUPPORT" = "1" ]; then
                ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
              fi
            done
          done
        done
      done
    fi
  done

  # Add TCP ports to DENY for certain hosts but NOT logged
  ########################################################
  unset IFS
  for rule in $HOST_DENY_TCP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_TCP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s) (NO LOG): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to DENY for certain hosts but NOT logged
  ########################################################
  unset IFS
  for rule in $HOST_DENY_UDP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_UDP_NOLOG "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s) (NO LOG): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to DENY for certain hosts but NOT logged
  ###########################################################
  unset IFS
  for rule in $HOST_DENY_IP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_IP_NOLOG "interfaces-destips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s) (NO LOG): $protos"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add ICMP-request to DENY for certain hosts but NOT logged
  ############################################################
  unset IFS
  for rule in $HOST_DENY_ICMP_NOLOG; do
    if parse_rule "$rule" HOST_DENY_ICMP_NOLOG "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Add TCP ports to DENY for certain hosts
  #########################################
  unset IFS
  for rule in $HOST_DENY_TCP; do
    if parse_rule "$rule" HOST_DENY_TCP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to DENY for certain hosts
  #########################################
  unset IFS
  for rule in $HOST_DENY_UDP; do
    if parse_rule "$rule" HOST_DENY_UDP "interfaces-destips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to DENY for certain hosts
  ############################################
  unset IFS
  for rule in $HOST_DENY_IP; do
    if parse_rule "$rule" HOST_DENY_IP "interfaces-destips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s): $protos"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              # Match on the parsed interface and destination IP, like the other hostwise rules,
              # so a rule restricted to one interface/IP is not applied to all of them
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto \
                -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j POST_INPUT_DROP_CHAIN
            done
          done
        done
      done
    fi
  done

  # Add ICMP-request to DENY for certain hosts
  ############################################
  unset IFS
  for rule in $HOST_DENY_ICMP; do
    if parse_rule "$rule" HOST_DENY_ICMP "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for destip in $destips; do
          for interface in $interfaces; do
            # Match on the parsed interface and destination IP, like the other hostwise rules
            if [ "$ICMP_DROP_LOG" != "0" ]; then
              iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -m limit --limit 1/h --limit-burst 1 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
            fi
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding TCP ports to be denied for everyone
  ############################################
  unset IFS
  for rule in $DENY_TCP; do
    if parse_rule "$rule" DENY_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding UDP ports to be denied for everyone
  ############################################
  unset IFS
  for rule in $DENY_UDP; do
    if parse_rule "$rule" DENY_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # Adding TCP ports to be rejected for everyone
  ##############################################
  unset IFS
  for rule in $REJECT_TCP; do
    if parse_rule "$rule" REJECT_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected TCP port: "
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
          done
        done
      done
    fi
  done

  # Adding UDP ports to be rejected for everyone
  ##############################################
  unset IFS
  for rule in $REJECT_UDP; do
    if parse_rule "$rule" REJECT_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            # Match on the parsed interface and destination IP, like the TCP variant above
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port \
              -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected UDP port: "
            ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
            if [ "$IPV6_SUPPORT" = "1" ]; then
              ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
            fi
          done
        done
      done
    fi
  done

  # Adding the "full access hosts"
  ################################
  unset IFS
  for rule in $FULL_ACCESS_HOSTS; do
    if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-destips-hosts"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts full (inbound) access"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -j ACCEPT
          done
        done
      done
    fi
  done

  # TCP ports to DENY but NOT to LOG
  ##################################
  unset IFS
  for rule in $DENY_TCP_NOLOG; do
    if parse_rule "$rule" DENY_TCP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # UDP ports to DENY but NOT to LOG
  ##################################
  unset IFS
  for rule in $DENY_UDP_NOLOG; do
    if parse_rule "$rule" DENY_UDP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
          done
        done
      done
    fi
  done

  # TCP ports to REJECT but NOT to LOG
  ####################################
  unset IFS
  for rule in $REJECT_TCP_NOLOG; do
    if parse_rule "$rule" REJECT_TCP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
          done
        done
      done
    fi
  done

  # UDP ports to REJECT but NOT to LOG
  ####################################
  unset IFS
  for rule in $REJECT_UDP_NOLOG; do
    if parse_rule "$rule" REJECT_UDP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s) (NO LOG): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
            if [ "$IPV6_SUPPORT" = "1" ]; then
              ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
            fi
          done
        done
      done
    fi
  done

  # Check the packet source address
  #################################
  if [ "$RESERVED_NET_DROP" = "1" ]; then
    echo " Packets will be checked for reserved source addresses"
  else
    echo " Packets will NOT be checked for reserved source addresses"
  fi

  if [ "$RESERVED_NET_DROP" = "1" -o "$RESERVED_NET_LOG" = "1" ]; then
    iptables -A EXT_INPUT_CHAIN -j RESERVED_NET_CHK
  fi

  # Do NOT allow DRDOS abuse (Distributed Reflection Denial Of Service attack)
  ############################################################################
  if [ "$DRDOS_PROTECT" = "1" ]; then
    echo " Enabling protection against DRDOS-abuse"
    iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
    iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
      -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
    iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
  fi

  # Adding TCP ports NOT to be firewalled
  #######################################
  unset IFS
  for rule in $OPEN_TCP; do
    if parse_rule "$rule" OPEN_TCP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Adding UDP ports NOT to be firewalled
  #######################################
  unset IFS
  for rule in $OPEN_UDP; do
    if parse_rule "$rule" OPEN_UDP "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Adding IP protocols NOT to be firewalled
  ##########################################
  unset IFS
  for rule in $OPEN_IP; do
    if parse_rule "$rule" OPEN_IP "interfaces-destips-protos"; then
      echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow world to send IPv4 ICMP packets?
  ########################################
  if [ "$OPEN_ICMP" = "1" ]; then
    echo " Allowing ANYHOST to send IPv4 ICMP-requests (ping)"
    ip4tables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  else
    echo " Denying ANYHOST to send IPv4 ICMP-requests (ping)"
  fi

  # Allow world to send IPv6 ICMPv6 packets?
  ##########################################
  if [ "$IPV6_SUPPORT" = "1" ]; then
    if [ "$OPEN_ICMPV6" != "0" ]; then
      echo " Allowing ANYHOST to send IPv6 ICMPv6-requests"
      ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
    else
      echo " Denying ANYHOST to send IPv6 ICMPv6-requests"
    fi
  fi

  # Logging of possible stealth scans
  ###################################
  if [ "$POSSIBLE_SCAN_LOG" = "1" ]; then
    echo " Logging of possible stealth scans enabled"
    if [ "$UNPRIV_TCP_LOG" != "0" ]; then
      iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: \
        -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (UNPRIV): "
    fi
    if [ "$PRIV_TCP_LOG" != "0" ]; then
      iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 \
        -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (PRIV): "
    fi
  else
    echo " Logging of possible stealth scans disabled"
  fi

  # General stealth scan drop (any TCP packet not starting a connection that got this far)
  ###########################
  iptables -A EXT_INPUT_CHAIN -p tcp ! --syn -j POST_INPUT_DROP_CHAIN

  # Setup IPv4 chain to handle broadcast traffic
  ##############################################
  ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -j EXT_BROADCAST_CHAIN
  # ip4tables -A EXT_INPUT_CHAIN -m pkttype --pkt-type broadcast -j EXT_BROADCAST_CHAIN
  # ip4tables -A EXT_INPUT_CHAIN -m addrtype --dst-type BROADCAST -j EXT_BROADCAST_CHAIN

  if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
    IFS=' ,'
    for address in $EXT_NET_BCAST_ADDRESS; do
      ip4tables -A EXT_INPUT_CHAIN -d $address -j EXT_BROADCAST_CHAIN
    done
  fi

  # Handle multicast traffic
  ##########################
  ip4tables -A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A EXT_INPUT_CHAIN -d ff00::/8 -j EXT_MULTICAST_CHAIN
  fi

  # Allow all packets that have been locally redirected
  #####################################################
  if [ "$NAT_LOCAL_REDIRECT" = "1" ]; then
    echo " Enabling support for NAT local redirect"
    ip4tables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT
  fi

  # Log packets to privileged TCP ports?
  ##################################################
  if [ "$PRIV_TCP_LOG" != "0" ]; then
    echo " Logging of (other) packets to PRIVILEGED TCP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP broadcast: "
  else
    echo " Logging of (other) packets to PRIVILEGED TCP ports disabled"
  fi

  # Log packets to privileged UDP ports?
  ##################################################
  if [ "$PRIV_UDP_LOG" != "0" ]; then
    echo " Logging of (other) packets to PRIVILEGED UDP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP broadcast: "
  else
    echo " Logging of (other) packets to PRIVILEGED UDP ports disabled"
  fi

  # Log packets to unprivileged TCP ports?
  ####################################################
  if [ "$UNPRIV_TCP_LOG" != "0" ]; then
    echo " Logging of (other) packets to UNPRIVILEGED TCP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP packet: "
    iptables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP broadcast: "
  else
    echo " Logging of (other) packets to UNPRIVILEGED TCP ports disabled"
  fi

  # Log packets to unprivileged UDP ports?
  ####################################################
  if [ "$UNPRIV_UDP_LOG" != "0" ]; then
    echo " Logging of (other) packets to UNPRIVILEGED UDP ports enabled"
    iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP packet: "
    # Port range 1024: (not the single port 1024), matching the TCP rules above
    iptables -A EXT_MULTICAST_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP multicast: "
    iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024: \
      -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP broadcast: "
  else
    echo " Logging of (other) packets to UNPRIVILEGED UDP ports disabled"
  fi

  # Do we want to log igmp packets?
  #############################################
  if [ "$IGMP_LOG" != "0" ]; then
    echo " Logging of IGMP packets enabled"
    ip4tables -A EXT_INPUT_CHAIN -p 2 \
      -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IGMP packet: "
  else
    echo " Logging of IPv4 IGMP packets disabled"
  fi

  # Finally drop all in the broadcast chain
  iptables -A EXT_BROADCAST_CHAIN -j DROP

  # Jump into the POST_INPUT_CHAIN before we start to DROP
  iptables -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN

  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    echo " Logging of dropped ICMP-request(ping) packets enabled"
    iptables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
    iptables -A EXT_MULTICAST_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-request: "
  else
    echo " Logging of dropped ICMP-request(ping) packets disabled"
  fi

  if [ "$ICMP_OTHER_LOG" != "0" ]; then
    echo " Logging of dropped other ICMP packets enabled"
    iptables -A EXT_INPUT_CHAIN -p icmp ! --icmp-type echo-request \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-other: "
    iptables -A EXT_MULTICAST_CHAIN -p icmp ! --icmp-type echo-request \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-other: "
  else
    echo " Logging of dropped other ICMP packets disabled"
  fi

  # Drop all in the multicast chain
  iptables -A EXT_MULTICAST_CHAIN -j DROP

  # Drop all "standard" IP protocols
  ##################################
  iptables -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
  ip4tables -A EXT_INPUT_CHAIN -p 2 -j POST_INPUT_DROP_CHAIN
  iptables -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN

  # Do we want to log non udp/tcp/icmp packets?
  #############################################
  if [ "$OTHER_IP_LOG" != "0" ]; then
    echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled"
    iptables -A EXT_INPUT_CHAIN \
      -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Other connect: "
  else
    echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled"
  fi

  # Drop all remaining packets
  ############################
  iptables -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
}


######################################################################################################################
##  Chain EXT_ICMP_FLOOD_CHAIN - Checks all ICMP (flooded) packets for the EXTERNAL interface(s)                     ##
######################################################################################################################
setup_ext_icmp_flood_chain()
{
  # Log of ICMP flooding
  ######################
  if [ "$ICMP_FLOOD_LOG" != "0" ]; then
    echo " Logging of ICMP flooding enabled"
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-unreachable flood: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type destination-unreachable -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-time-exceeded fld: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type time-exceeded -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-param-problem fld: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type parameter-problem -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request(ping) fld: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-reply(pong) flood: "
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type echo-reply -j POST_INPUT_DROP_CHAIN
    ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-source-quench fld: "
    ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench -j POST_INPUT_DROP_CHAIN
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big \
        -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-packet-too-big fld: "
      ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big -j POST_INPUT_DROP_CHAIN
    fi

    # All other ICMP into the general log rule
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP(other) flood: "
  else
    echo " Logging of ICMP flooding disabled"
  fi

  # Drop any ICMP packets left
  iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
}


######################################################################################################################
##  Chain EXT_OUTPUT_CHAIN - Checks all outgoing packets for the EXTERNAL interface(s)                               ##
######################################################################################################################
setup_ext_output_chain()
{
  # Adding the "full access hosts"
  ################################
  unset IFS
  for rule in $FULL_ACCESS_HOSTS; do
    if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-srcips-hosts"; then
      echo " $(show_if_ip "$interfaces")Allowing $hosts full (outbound) access"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -j ACCEPT
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT TCP open
  ###########################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_OPEN_TCP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_OPEN_TCP "interfaces-srcips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing $hosts for TCP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT UDP open
  ###########################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_OPEN_UDP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_OPEN_UDP "interfaces-srcips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing $hosts for UDP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT IP open
  ##########################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_OPEN_IP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_OPEN_IP "interfaces-srcips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing $hosts for IP protocol(s): $protos"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT TCP blocking
  ###############################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_DENY_TCP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_DENY_TCP "interfaces-srcips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for TCP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p tcp --dport $port \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT UDP blocking
  ###############################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_DENY_UDP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_DENY_UDP "interfaces-srcips-hosts-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for UDP port(s): $ports"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p udp --dport $port \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT IP blocking
  ##############################################
  unset IFS
  for rule in $INET_OUTPUT_HOST_DENY_IP; do
    if parse_rule "$rule" INET_OUTPUT_HOST_DENY_IP "interfaces-srcips-hosts-protos"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for IP protocol(s): $protos"

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p $proto \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -d $host -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT TCP open
  ########################################
  unset IFS
  for rule in $INET_OUTPUT_OPEN_TCP; do
    if parse_rule "$rule" INET_OUTPUT_OPEN_TCP "interfaces-srcips-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT UDP open
  ########################################
  unset IFS
  for rule in $INET_OUTPUT_OPEN_UDP; do
    if parse_rule "$rule" INET_OUTPUT_OPEN_UDP "interfaces-srcips-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT IP open
  #######################################
  unset IFS
  for rule in $INET_OUTPUT_OPEN_IP; do
    if parse_rule "$rule" INET_OUTPUT_OPEN_IP "interfaces-srcips-protos"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT TCP blocking
  ############################################
  unset IFS
  for rule in $INET_OUTPUT_DENY_TCP; do
    if parse_rule "$rule" INET_OUTPUT_DENY_TCP "interfaces-srcips-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p tcp --dport $port \
                -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p tcp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT UDP blocking
  ############################################
  unset IFS
  for rule in $INET_OUTPUT_DENY_UDP; do
    if parse_rule "$rule" INET_OUTPUT_DENY_UDP "interfaces-srcips-ports"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p udp --dport $port \
                -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p udp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT IP blocking
  ############################################
  unset IFS
  for rule in $INET_OUTPUT_DENY_IP; do
    if parse_rule "$rule" INET_OUTPUT_DENY_IP "interfaces-srcips-protos"; then
      echo " $(show_if_ip "$interfaces" "$srcips")Denying IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p $proto \
                -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s $srcip -p $proto -j DROP
          done
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for LAN->INET?
  ##########################################
  if [ "$INET_OUTPUT_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A EXT_OUTPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # Log outgoing ICMP-request packets that are about to be dropped?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" -a "$INET_OUTPUT_DENY_LOG" != "0" ]; then
    iptables -A EXT_OUTPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop (remaining) ICMP-request packets
  iptables -A EXT_OUTPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used)
  ###########################################################################################
  if [ -z "$INET_OUTPUT_OPEN_TCP" -a -z "$INET_OUTPUT_HOST_OPEN_TCP" -a \
       -z "$INET_OUTPUT_OPEN_UDP" -a -z "$INET_OUTPUT_HOST_OPEN_UDP" -a \
       -z "$INET_OUTPUT_OPEN_IP" -a -z "$INET_OUTPUT_HOST_OPEN_IP" -a -z "$INET_OUTPUT_DEFAULT_POLICY_DROP" ] \
     || [ "$INET_OUTPUT_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A EXT_OUTPUT_CHAIN -j ACCEPT
  else
    if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A EXT_OUTPUT_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-OUTPUT denied: "
    fi
    echo " Denying all (other) ports/protocols"
    iptables -A EXT_OUTPUT_CHAIN -j DROP
  fi
}


# Helper chain to catch broadcast traffic
setup_ext_broadcast_chain()
{
  # Disable logging of certain TCP broadcasts on the external interface
  #####################################################################
  unset IFS
  for rule in $BROADCAST_TCP_NOLOG; do
    if parse_rule "$rule" BROADCAST_TCP_NOLOG "interfaces-destips-ports"; then
      echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for TCP port(s): $ports"

      IFS=' ,'
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A EXT_BROADCAST_CHAIN $(ipt_if -i "$interface") -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # Disable logging of certain UDP broadcasts on the external interface
  #####################################################################
  unset IFS
  for rule in $BROADCAST_UDP_NOLOG; do
    if parse_rule "$rule" BROADCAST_UDP_NOLOG "interfaces-destips-ports"; then
      echo "  $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for UDP port(s): $ports"
      IFS=' ,'
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A EXT_BROADCAST_CHAIN $(ipt_if -i "$interface") -p udp --dport $port -j DROP
        done
      done
    fi
  done
}


# This creates the input logging rules
##########################################################
setup_input_log()
{
  # This rule is for local INPUT TCP watching
  ############################################
  unset IFS
  for rule in $LOG_INPUT_TCP; do
    if parse_rule "$rule" LOG_INPUT_TCP "interfaces-destips-ports"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming TCP port(s): $ports"
      IFS=' ,'
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p tcp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP INPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local INPUT UDP watching
  ###########################################
  unset IFS
  for rule in $LOG_INPUT_UDP; do
    if parse_rule "$rule" LOG_INPUT_UDP "interfaces-destips-ports"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming UDP port(s): $ports"
      IFS=' ,'
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p udp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP INPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local INPUT IP watching
  ##########################################
  unset IFS
  for rule in $LOG_INPUT_IP; do
    if parse_rule "$rule" LOG_INPUT_IP "interfaces-destips-protos"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming IP protocol(s): $protos"
      IFS=' ,'
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p $proto $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP INPUT log: "
          done
        done
      done
    fi
  done

  # Hostwise logging of input connection attempts
  ###############################################
  unset IFS
  for rule in $LOG_HOST_INPUT; do
    if parse_rule "$rule" LOG_HOST_INPUT "interfaces-destips-hosts"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of: $hosts"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 50 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise INPUT log: "
          done
        done
      done
    fi
  done

  # Hostwise logging of certain TCP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_TCP; do
    if parse_rule "$rule" LOG_HOST_INPUT_TCP "interfaces-destips-hosts-ports"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to TCP port(s): $ports"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP log (IN): "
            done
          done
        done
      done
    fi
  done

  # Hostwise logging of certain UDP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_UDP; do
    if parse_rule "$rule" LOG_HOST_INPUT_UDP "interfaces-destips-hosts-ports"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to UDP port(s): $ports"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP INPUT log: "
            done
          done
        done
      done
    fi
  done

  # Hostwise logging of certain IP protocols connection attempts
  ##############################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_IP; do
    if parse_rule "$rule" LOG_HOST_INPUT_IP "interfaces-destips-hosts-protos"; then
      echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to IP protocol(s): $protos"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p $proto $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise IP INPUT log: "
            done
          done
        done
      done
    fi
  done
}


# This creates the output logging rules
##########################################################
setup_output_log()
{
  # This rule is for local OUTPUT TCP watching
  ############################################
  unset IFS
  for rule in $LOG_OUTPUT_TCP; do
    if parse_rule "$rule" LOG_OUTPUT_TCP "interfaces-srcips-ports"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing TCP port(s): $ports"
      IFS=' ,'
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p tcp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP OUTPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT UDP watching
  ############################################
  unset IFS
  for rule in $LOG_OUTPUT_UDP; do
    if parse_rule "$rule" LOG_OUTPUT_UDP "interfaces-srcips-ports"; then
      # Pass the source IPs too, as the other OUTPUT rules do, so the message shows them
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing UDP port(s): $ports"
      IFS=' ,'
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p udp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP OUTPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT IP watching
  ###########################################
  unset IFS
  for rule in $LOG_OUTPUT_IP; do
    if parse_rule "$rule" LOG_OUTPUT_IP "interfaces-srcips-protos"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing IP protocol(s): $protos"
      IFS=' ,'
      for proto in $protos; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p $proto $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP OUTPUT log: "
          done
        done
      done
    fi
  done

  # Hostwise logging of output connection attempts
  ################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT; do
    if parse_rule "$rule" LOG_HOST_OUTPUT "interfaces-srcips-hosts"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections to: $hosts"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 50 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise OUTPUT log: "
          done
        done
      done
    fi
  done

  # Hostwise logging of certain TCP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_TCP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_TCP "interfaces-srcips-hosts-ports"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to TCP port(s): $ports"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p tcp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host TCP log (OUT): "
            done
          done
        done
      done
    fi
  done

  # Hostwise logging of certain UDP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_UDP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_UDP "interfaces-srcips-hosts-ports"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to UDP port(s): $ports"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p udp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host UDP log (OUT): "
            done
          done
        done
      done
    fi
  done

  # Hostwise logging of certain IP protocols connection attempts
  ##############################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_IP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_IP "interfaces-srcips-hosts-protos"; then
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to IP protocol(s): $protos"
      IFS=' ,'
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p $proto $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host IP log (OUT): "
            done
          done
        done
      done
    fi
  done
}


# Helper function for setup_hostblock_chain
###########################################
setup_ipset_netset()
{
  local dir="$1" hashsize="$2" maxelem="$3" family netset set_name IFS

  ## Setup Whitelist
  ipset create -exist aif_whitelist hash:net family inet hashsize $hashsize maxelem $maxelem
  ip4tables -A HOST_BLOCK_SRC -m set --match-set aif_whitelist src -j RETURN
  if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
    ip4tables -A HOST_BLOCK_DST -m set --match-set aif_whitelist dst -j RETURN
  fi
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ipset create -exist aif_whitelistv6 hash:net family inet6 hashsize $hashsize maxelem $maxelem
    ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_whitelistv6 src -j RETURN
    if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
      ip6tables -A HOST_BLOCK_DST -m set --match-set aif_whitelistv6 dst -j RETURN
    fi
  fi

  ## Setup *.netset files
  unset IFS
  for netset in "$dir"/*.netset; do
    set_name="${netset##*/}"
    set_name="${set_name%.netset}"

    ## Kernel limits set names to 31 characters, subtract 4 for _tmp
    if [ ${#set_name} -gt 27 ]; then
      continue
    fi

    ## Naming convention, *v6.netset files for IPv6, all other *.netset files default to IPv4
    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" -a "$family" = "inet6" ]; then
      continue
    fi

    ## Whitelist already setup above
    if [ "$set_name" = "whitelist" -o "$set_name" = "whitelistv6" ]; then
      continue
    fi

    ipset create -exist ${set_name} hash:net family $family hashsize $hashsize maxelem $maxelem
    if [ "$family" = "inet" ]; then
      ip4tables -A HOST_BLOCK_SRC -m set --match-set ${set_name} src -j HOST_BLOCK_SRC_DROP
      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
        ip4tables -A HOST_BLOCK_DST -m set --match-set ${set_name} dst -j HOST_BLOCK_DST_DROP
      fi
    else
      ip6tables -A HOST_BLOCK_SRC -m set --match-set ${set_name} src -j HOST_BLOCK_SRC_DROP
      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
        ip6tables -A HOST_BLOCK_DST -m set --match-set ${set_name} dst -j HOST_BLOCK_DST_DROP
      fi
    fi
  done
}


# Helper function for setup_hostblock_chain
###########################################
apply_ipset_netset()
{
  local dir="$1" hashsize="$2" maxelem="$3" family netset set_name swap_err IFS
  local x default_whitelist default_whitelistv6

  default_whitelist="127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3"
  default_whitelistv6="::1 fe80::/10 ff00::/8"

  ## Apply Whitelist
  unset IFS
  for netset in "$dir/whitelist.netset" "$dir/whitelistv6.netset"; do
    set_name="${netset##*/}"
    set_name="aif_${set_name%.netset}"

    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" -a "$family" = "inet6" ]; then
      continue
    fi

    ipset create -exist ${set_name}_tmp hash:net family $family hashsize $hashsize maxelem $maxelem
    ipset flush ${set_name}_tmp

    if [ "$family" = "inet" ]; then
      unset IFS
      for x in ${DEFAULT_NETSET_WHITELIST:-$default_whitelist}; do
        ipset add -exist ${set_name}_tmp $x
        if [ $? -ne 0 ]; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
      done

      if [ -f "$netset" ]; then
        printf "Loading IPv4 Whitelist Set: whitelist.netset ... "
        sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore
        if [ $? -ne 0 ]; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
        echo "Done."
      fi
    else
      unset IFS
      for x in ${DEFAULT_NETSET_WHITELISTV6:-$default_whitelistv6}; do
        ipset add -exist ${set_name}_tmp $x
        if [ $? -ne 0 ]; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
      done

      if [ -f "$netset" ]; then
        printf "Loading IPv6 Whitelist Set: whitelistv6.netset ... "
        sed -n -r -e "s/^([0-9a-fA-F][0-9a-fA-F:/]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore
        if [ $? -ne 0 ]; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
        echo "Done."
      fi
    fi

    ipset swap ${set_name} ${set_name}_tmp
    ipset destroy ${set_name}_tmp
  done

  ## Apply *.netset files
  unset IFS
  for netset in "$dir"/*.netset; do
    set_name="${netset##*/}"
    set_name="${set_name%.netset}"

    ## Kernel limits set names to 31 characters, subtract 4 for _tmp
    if [ ${#set_name} -gt 27 ]; then
      printf "\033[40m\033[1;31mERROR: The \"${set_name}.netset\" name is too long, filenames are limited to <27-characters>.netset\033[0m\n" >&2
      RULE_WARNING=$((RULE_WARNING + 1))
      continue
    fi

    ## Naming convention, *v6.netset files for IPv6, all other *.netset files default to IPv4
    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" -a "$family" = "inet6" ]; then
      continue
    fi

    ## Whitelist already applied above
    if [ "$set_name" = "whitelist" -o "$set_name" = "whitelistv6" ]; then
      continue
    fi

    ipset create -exist ${set_name}_tmp hash:net family $family hashsize $hashsize maxelem $maxelem
    ipset flush ${set_name}_tmp

    swap_err=0
    if [ "$family" = "inet" ]; then
      printf "Loading IPv4 Blocklist Set: ${set_name}.netset ... "
      sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore
      if [ $? -ne 0 ]; then
        swap_err=1
        RULE_WARNING=$((RULE_WARNING + 1))
      fi
    else
      printf "Loading IPv6 Blocklist Set: ${set_name}.netset ... "
      sed -n -r -e "s/^([0-9a-fA-F][0-9a-fA-F:/]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore
      if [ $? -ne 0 ]; then
        swap_err=1
        RULE_WARNING=$((RULE_WARNING + 1))
      fi
    fi

    if [ $swap_err -eq 0 ]; then
      ipset swap ${set_name} ${set_name}_tmp
      echo "Done."
    else
      echo ""
      printf "\033[40m\033[1;31mERROR: \"ipset swap ${set_name} ...\" not applied.\033[0m\n" >&2
    fi

    ipset destroy ${set_name}_tmp
  done
}


# This creates the separate host block
######################################
setup_hostblock_chain()
{
  local hashsize maxelem swap4_err swap6_err

  if iptables -F HOST_BLOCK_SRC 2>&1 |grep -q "No chain" || \
     iptables -F HOST_BLOCK_DST 2>&1 |grep -q "No chain"; then
    printf "\033[40m\033[1;31mERROR: The firewall isn't running!\033[0m\n" >&2
    printf "\033[40m\033[1;31m       You should first run this script with the \"start\" command.\033[0m\n" >&2
    return 5
  fi

  # Return if no Blocked Hosts are defined
  if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" -a -z "$BLOCK_NETSET_DIR" ]; then
    return
  fi

  if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
    echo "Blocking (blackhole) direction: Inbound and Outbound"
  else
    echo "Blocking (blackhole) direction: Inbound Only"
  fi

  ## Use 'ipset' if enabled and available, else fallback to discrete iptables rules ##
  if ipset_check; then
    hashsize="${IPTABLES_IPSET_HASHSIZE:-2048}"
    maxelem="${IPTABLES_IPSET_MAXELEM:-131072}"

    if [ -n "$BLOCK_HOSTS" -o -n "$BLOCK_HOSTS_FILE" ]; then
      ipset create -exist aif_blocklist hash:net family inet hashsize $hashsize maxelem $maxelem
      ip4tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklist src -j HOST_BLOCK_SRC_DROP
      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
        ip4tables -A HOST_BLOCK_DST -m set --match-set aif_blocklist dst -j HOST_BLOCK_DST_DROP
      fi
      if [ "$IPV6_SUPPORT" = "1" ]; then
        ipset create -exist aif_blocklistv6 hash:net family inet6 hashsize $hashsize maxelem $maxelem
        ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklistv6 src -j HOST_BLOCK_SRC_DROP
        if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
          ip6tables -A HOST_BLOCK_DST -m set --match-set aif_blocklistv6 dst -j HOST_BLOCK_DST_DROP
        fi
      fi
    fi

    if [ -d "$BLOCK_NETSET_DIR" ] && ls "$BLOCK_NETSET_DIR"/*.netset >/dev/null 2>&1; then
      setup_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
      ## Optimization, add ipsets to iptables (above) first, then apply ipset contents (below) which takes time
      apply_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
    fi

    if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then
      return
    fi

    ipset create -exist aif_blocklist_tmp hash:net family inet hashsize $hashsize maxelem $maxelem
    ipset flush aif_blocklist_tmp
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ipset create -exist aif_blocklistv6_tmp hash:net family inet6 hashsize $hashsize maxelem $maxelem
      ipset flush aif_blocklistv6_tmp
    fi

    swap4_err=0
    swap6_err=0

    if [ -n "$BLOCK_HOSTS" ]; then
      printf "Blocking (blackhole) host(s): "
      IFS=' ,'
      for hosts in $BLOCK_HOSTS; do
        printf "$hosts "
        for host in `ip_range "$hosts"`; do
          get_numeric_ip_version "$host"
          case $? in
            4)
              ipset add -exist aif_blocklist_tmp $host
              if [ $? -ne 0 ]; then
                swap4_err=1
                RULE_WARNING=$((RULE_WARNING + 1))
              fi
              ;;
            6)
              if [ "$IPV6_SUPPORT" = "1" ]; then
                ipset add -exist aif_blocklistv6_tmp $host
                if [ $? -ne 0 ]; then
                  swap6_err=1
                  RULE_WARNING=$((RULE_WARNING + 1))
                fi
              fi
              ;;
          esac
        done
      done
      echo ""
    fi

    # Setup the blocked hosts from our file
    if [ -n "$BLOCK_HOSTS_FILE" ]; then
      if [ -f "$BLOCK_HOSTS_FILE" ]; then
        local cur_cnt=0 total_cnt

        total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))

        : > "$IP4TABLES_BATCH_FILE"
        if [ "$IPV6_SUPPORT" = "1" ]; then
          : > "$IP6TABLES_BATCH_FILE"
        fi

        echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."

        if [ $total_cnt -gt 0 ]; then
          progress_bar $cur_cnt $total_cnt

          # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file
          unset IFS
          cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |while read hosts; do
            cur_cnt=$((cur_cnt + 100))
            progress_bar $cur_cnt $total_cnt

            if [ -n "$hosts" ]; then
              IFS=','
              for host in `ip_range "$hosts"`; do
                get_numeric_ip_version "$host"
                case $? in
                  4)
                    echo "add -exist aif_blocklist_tmp $host" >> "$IP4TABLES_BATCH_FILE"
                    ;;
                  6)
                    if [ "$IPV6_SUPPORT" = "1" ]; then
                      echo "add -exist aif_blocklistv6_tmp $host" >> "$IP6TABLES_BATCH_FILE"
                    fi
                    ;;
                esac
              done
              unset IFS
            fi
          done
          printf "........."
        fi

        echo "$total_cnt host line(s) read"

        ipset restore < "$IP4TABLES_BATCH_FILE"
        if [ $? -ne 0 ]; then
          swap4_err=1
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
        rm -f "$IP4TABLES_BATCH_FILE"

        if [ "$IPV6_SUPPORT" = "1" ]; then
          ipset restore < "$IP6TABLES_BATCH_FILE"
          if [ $? -ne 0 ]; then
            swap6_err=1
            RULE_WARNING=$((RULE_WARNING + 1))
          fi
          rm -f "$IP6TABLES_BATCH_FILE"
        fi
      else
        printf "\033[40m\033[1;31mWARNING: Cannot read the blocked hosts file \"$BLOCK_HOSTS_FILE\".\033[0m\n"
      fi
    fi

    if [ $swap4_err -eq 0 ]; then
      ipset swap aif_blocklist aif_blocklist_tmp
    else
      printf "\033[40m\033[1;31mERROR: IPv4 \"ipset swap ...\" not applied.\033[0m\n" >&2
    fi
    ipset destroy aif_blocklist_tmp

    if [ "$IPV6_SUPPORT" = "1" ]; then
      if [ $swap6_err -eq 0 ]; then
        ipset swap aif_blocklistv6 aif_blocklistv6_tmp
      else
        printf "\033[40m\033[1;31mERROR: IPv6 \"ipset swap ...\" not applied.\033[0m\n" >&2
      fi
      ipset destroy aif_blocklistv6_tmp
    fi
  else
    if [ -n "$BLOCK_NETSET_DIR" ]; then
      printf "\033[40m\033[1;31mWARNING: Blocking using .netset files in BLOCK_NETSET_DIR requires IPTABLES_IPSET to be enabled.\033[0m\n"
    fi

    if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then
      return
    fi

    # Set default to DROP all while rules are added
    iptables -A HOST_BLOCK_SRC -j DROP
    iptables -A HOST_BLOCK_DST -j DROP

    iptables_batch start
    iptables_batch init HOST_BLOCK_SRC
    iptables_batch init HOST_BLOCK_DST

    if [ -n "$BLOCK_HOSTS" ]; then
      printf "Blocking (blackhole) host(s): "
      IFS=' ,'
      for hosts in $BLOCK_HOSTS; do
        printf "$hosts "
        for host in `ip_range "$hosts"`; do
          get_numeric_ip_version "$host"
          case $? in
            4)
              ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
              if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
                ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
              fi
              ;;
            6)
              if [ "$IPV6_SUPPORT" = "1" ]; then
                ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
                if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
                  ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
                fi
              fi
              ;;
          esac
        done
      done
      echo ""
    fi

    # Setup the blocked hosts from our file
    if [ -n "$BLOCK_HOSTS_FILE" ]; then
      if [ -f "$BLOCK_HOSTS_FILE" ]; then
        local cur_cnt=0 total_cnt

        total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))

        echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."

        if [ $total_cnt -gt 0 ]; then
          progress_bar $cur_cnt $total_cnt

          # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file
          unset IFS
          cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |while read hosts; do
            cur_cnt=$((cur_cnt + 100))
            progress_bar $cur_cnt $total_cnt

            if [ -n "$hosts" ]; then
              IFS=','
              for host in `ip_range "$hosts"`; do
                get_numeric_ip_version "$host"
                case $? in
                  4)
                    ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
                    if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
                      ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
                    fi
                    ;;
                  6)
                    if [ "$IPV6_SUPPORT" = "1" ]; then
                      ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
                      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
                        ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
                      fi
                    fi
                    ;;
                esac
              done
              unset IFS
            fi
          done
          printf "........."
        fi

        echo "$total_cnt host line(s) read"
      else
        printf "\033[40m\033[1;31mWARNING: Cannot read the blocked hosts file \"$BLOCK_HOSTS_FILE\".\033[0m\n"
      fi
    fi

    iptables_batch apply HOST_BLOCK_SRC
    iptables_batch apply HOST_BLOCK_DST
    iptables_batch stop

    # All Blocked Host rules are applied
    # Remove default rule at the beginning of the HOST_BLOCK_SRC and HOST_BLOCK_DST chains
    iptables -D HOST_BLOCK_SRC 1
    iptables -D HOST_BLOCK_DST 1
  fi
}


setup_mangle_tables()
{
  # The following line is intended to hide the firewall during a traceroute.
  ##########################################################################
  if [ "$TTL_INC" = "1" ]; then
    echo "Enabling TTL-increase for the PREROUTING chain"
    IFS=' ,'
    for interface in $EXT_IF; do
      ip4tables -t mangle -A PREROUTING -i $interface -j TTL --ttl-inc 1
    done
  fi

  # Set TTL on outgoing & forwarded packets:
  ##########################################
  if [ -n "$PACKET_TTL" ]; then
    if [ $PACKET_TTL -gt 9 -a $PACKET_TTL -lt 256 ]; then
      echo "Setting TTL=$PACKET_TTL for the FORWARD & OUTPUT chains"
      IFS=' ,'
      for interface in $EXT_IF; do
        ip4tables -t mangle -A FORWARD -o $interface -j TTL --ttl-set $PACKET_TTL
        ip4tables -t mangle -A OUTPUT -o $interface -j TTL --ttl-set $PACKET_TTL
      done
    else
      printf "\033[40m\033[1;31m WARNING: Ignoring invalid value for PACKET_TTL ($PACKET_TTL), it should be between 10 and 255!\033[0m\n" >&2
    fi
  fi

  # Mangles the TOS on standard ports so they get priority in routers
  ###################################################################
  # TOS table
  # Options:
  #   Normal-Service       =  0 (0x00)
  #   Minimize-Cost        =  2 (0x02)
  #   Maximize-Reliability =  4 (0x04)
  #   Maximize-Throughput  =  8 (0x08)
  #   Minimize-Delay       = 16 (0x10)
  if [ "$MANGLE_TOS" = "1" ]; then
    echo "Enabling mangling TOS"

    # ToS: Client Applications; data => tos_client
    # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    # To view mangle table, type: iptables -L -t mangle
    IFS=' ,'
    for interface in $EXT_IF; do
      # Mangle values of packets created locally.
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p udp --dport 53 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
    done

    # Rules to mangle TOS values of packets routed through the firewall
    iptables -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
  fi
}


setup_tcp_mss()
{
  # Besides MTU, there is yet another way to set the maximum packet size, the so called Maximum Segment Size.
  # This is a field in the TCP Options part of a SYN packet.
  # The good thing about this is that by setting the MSS value, you are telling the remote side unequivocally
  # 'do not ever try to send me packets bigger than this value'. No ICMP traffic is needed to get this to work.
  # In order for this to work you need at least iptables-1.2.1a and Linux 2.4.3 or higher.
  ##################################################################################################################
  if [ "$SET_MSS" = "1" ]; then
    echo "Enabling setting the maximum packet size via MSS"
    IFS=' ,'
    for interface in $EXT_IF; do
      iptables -A FORWARD -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      iptables -A OUTPUT -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      if [ "$NAT" = "1" ]; then
        ip4tables -t nat -A POSTROUTING -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      fi
    done
  fi
}


plugins_start()
{
  local plugin_count=0

  # Truncate/create file
  : > "$PLUGIN_LOAD_FILE"

  printf "Checking for (user) plugins in $PLUGIN_BIN_PATH..."

  PLUGIN_ERRORS=0

  # Check for plugins in our plugins binary path:
  if ls "$PLUGIN_BIN_PATH"/*.plugin >/dev/null 2>&1; then
    echo ""

    unset IFS
    for plugin in "$PLUGIN_BIN_PATH"/*.plugin; do
      PLUGIN_CMD=start
      if [ -f "$PLUGIN_LOAD_FILE_RESTART" ]; then
        IFS=$EOL
        for plugin_restart in `cat "$PLUGIN_LOAD_FILE_RESTART"`; do
          if [ "$plugin_restart" = "$plugin" ]; then
            if grep -q "^plugin_restart\(\)" "$plugin"; then
              PLUGIN_CMD=restart
            fi
            break
          fi
        done
      fi

      # Preset ENABLED=0 to make sure the plugin only
      # gets loaded if the config has an explicit ENABLED=1:
      ENABLED=0

      # Preinit to 0, just in case
      PLUGIN_RET_VAL=0

      # Store current amount of iptables rule warnings
      STORE_RULE_WARNING=$RULE_WARNING

      # Set indent
      INDENT='  '

      # Explicit unset IFS, just in case
      unset IFS

      # Source the plugin:
      . "$plugin"

      if [ "$ENABLED" = "1" ]; then
        # By checking the ENABLED variable, we know whether the plugin
        # was actually loaded. If so increase the plugin count:
        echo "$plugin" >> "$PLUGIN_LOAD_FILE"
        plugin_count=$((plugin_count + 1))

        # Check result
        if [ "$PLUGIN_RET_VAL" != "0" -o $STORE_RULE_WARNING -ne $RULE_WARNING ]; then
          PLUGIN_ERRORS=$((PLUGIN_ERRORS + 1))
        fi
      fi
    done

    rm -f "$PLUGIN_LOAD_FILE_RESTART"

    echo "  Loaded $plugin_count plugin(s)..."
  else
    echo "None found"
  fi
}


plugins_stop()
{
  local restart="$1"
  local plugin_count=0

  # Remove any stale plugin restart file
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  PLUGIN_ERRORS=0

  if [ -f "$PLUGIN_LOAD_FILE" ]; then
    echo "Stopping (user) plugins..."

    IFS=$EOL
    for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
      plugin_name="$(basename "$plugin" |sed 's/^[0-9]*//')"

      if [ -f "$plugin" ]; then
        plugin_file="$plugin"
      else
        # If we can't find it, ignore the priority number in front of the plugin-filename
        plugin_file="$(ls "$PLUGIN_BIN_PATH"/*.plugin |grep "[0-9]*$plugin_name$" |head -n1)"
      fi

      if [ -f "$plugin_file" ]; then
        # Only issue the stop command for plugins that support it:
        if grep -q "^plugin_stop\(\)" "$plugin_file"; then
          # Preset ENABLED=0 to make sure the plugin only
          # gets loaded if the config has an explicit ENABLED=1:
          ENABLED=0

          # Preinit to 0, just in case
          PLUGIN_RET_VAL=0

          # Store current amount of iptables rule warnings
          STORE_RULE_WARNING=$RULE_WARNING

          # Set indent
          INDENT='  '

          PLUGIN_CMD=stop
          if [ "$restart" = "restart" ] && grep -q "^plugin_restart\(\)" "$plugin_file"; then
            echo "$plugin" >> "$PLUGIN_LOAD_FILE_RESTART"
            PLUGIN_CMD=stop-restart
          fi

          # Explicit unset IFS, just in case
          unset IFS

          # Source the plugin:
          . "$plugin_file"

          # Check result
          if [ "$PLUGIN_RET_VAL" != "0" -o $STORE_RULE_WARNING -ne $RULE_WARNING ]; then
            PLUGIN_ERRORS=$((PLUGIN_ERRORS + 1))
          fi

          plugin_count=$((plugin_count + 1))
        fi
      else
        printf "\033[40m\033[1;31mERROR: Could not stop plugin \"$plugin_name\" as it does not exist!\033[0m\n" >&2
      fi
    done

    echo "  Unloaded $plugin_count plugin(s)..."
    rm -f "$PLUGIN_LOAD_FILE"
  fi
}


plugins_status()
{
  local match="$1"

  # Load/insert user plugins
  if [ -f "$PLUGIN_LOAD_FILE" ]; then
    printf "\nShowing status of (user) plugins:${match:+ $match}\n"
    echo "---------------------------------"

    IFS=$EOL
    for plugin in `cat "$PLUGIN_LOAD_FILE"`; do
      # Only issue the status command for plugins that support the PLUGIN_CMD-variable:
      if grep -q "^plugin_status\(\)" "$plugin"; then
        if [ "${plugin%$match.plugin}" != "${plugin}" ]; then
          # Preset ENABLED=0 to make sure the plugin only
          # gets loaded if the config has an explicit ENABLED=1:
          ENABLED=0

          # Set indent
          INDENT='  '

          PLUGIN_CMD=status

          # Source the plugin:
          printf "=>"
          . "$plugin"
          echo ""
        fi
      fi
    done
  fi
}


# Remove (background) job
# $1 = Job name
job_remove()
{
  local SCRIPT_NAME="$1"

  if [ -f "$JOBS_FILE" ]; then
    echo "${INDENT}Removing background job \"$SCRIPT_NAME\""

    # Remove job from jobs file
    sed -i "s,^$SCRIPT_NAME[[:blank:]].*,," "$JOBS_FILE"
  fi

  return 0
}


# Add (background) job
# $1 = Job name
# $2 = Time in minutes between executes
# $3 = Path to script/binary
job_add()
{
  local SCRIPT_NAME SCRIPT_TIME SCRIPT_PATH

  if [ -z "$JOBS_FILE" ]; then
    echo "** ERROR: Unable to add job since JOBS_FILE is not defined" >&2
    return 1
  fi

  SCRIPT_NAME="$1"
  shift
  SCRIPT_TIME="$1"
  shift
  SCRIPT_PATH="$*"

  # First remove job (if one exists)
  job_remove "$SCRIPT_NAME" >/dev/null

  echo "${INDENT}Adding background job \"$SCRIPT_NAME\""

  # Add new job to jobs file
  # NOTE: The 2nd and 3rd argument are the job repeat time and job passed time
  #       by setting the job passed time to the repeat time, the job will execute
  #       as soon as the job processor is executed
  echo "$SCRIPT_NAME $SCRIPT_TIME $SCRIPT_TIME $SCRIPT_PATH" >> "$JOBS_FILE"

  return 0
}


# Run job once (in foreground)
# $1 = Path to job helper
job_run_once()
{
  local SCRIPT_NAME="$1"

  if [ -z "$JOB_EXECUTER" ]; then
    echo "** ERROR: Unable to execute job \"$SCRIPT_NAME\" since JOB_EXECUTER is not defined" >&2
    return 1
  fi

  echo "${INDENT}Foreground running job helper script \"$SCRIPT_NAME\""

  # Source script
  if ! "$JOB_EXECUTER" --indent="${INDENT}  " "$SCRIPT_NAME"; then
    return 1
  fi

  return 0
}


# Check if job process is running
job_process_is_running()
{
  if [ -z "$JOB_PROCESSOR" ]; then
    return 1
  fi

  if ! pgrep -f "$JOB_PROCESSOR" >/dev/null 2>&1; then
    return 1
  fi

  return 0
}


# Check whether the jobs process is terminated, if not wait 10 seconds for it
# else (hard) pkill it. This function assumes jobs_process_stop() was previously called
jobs_process_terminate_check()
{
  local wait_count=10
  local cnt=0

  if ! job_process_is_running; then
    return # Nothing to do
  fi

  echo "Waiting for background job processor \"$JOB_PROCESSOR\" to terminate"

  # Check if process is not still running
  while [ $cnt -lt $wait_count ]; do
    sleep 1

    if ! job_process_is_running; then
      return # We're done
    fi

    cnt=$((cnt+1))
  done

  echo "** WARNING: Jobs processor \"$JOB_PROCESSOR\" is still running! Attempting to kill" >&2

  # Kill background process
  if ! pkill -f "$JOB_PROCESSOR"; then
    echo "** ERROR: Killing jobs processor \"$JOB_PROCESSOR\" failed!" >&2
    return
  fi

  # Remove possible leftover jobs file (unlikely)
  rm -f "$JOBS_FILE"

  return
}


# Start jobs processor
jobs_process_start()
{
  if [ -f "$JOBS_FILE" ]; then
    if [ -z "$JOB_PROCESSOR" ]; then
      echo "** ERROR: Unable to start jobs processor since JOB_PROCESSOR is not defined" >&2
      return
    fi

    echo "Starting background jobs processor"

    # Run script for background process
    if check_command start-stop-daemon; then
      start-stop-daemon -S -b -x "$JOB_PROCESSOR"
    else
      # Fallback:
      "$JOB_PROCESSOR" &
    fi

    # Wait a bit
    sleep 1

    # Check if job process is running
    if ! job_process_is_running; then
      echo "** ERROR: Starting jobs processor \"$JOB_PROCESSOR\" failed!" >&2
    fi
  fi
}


# Stop jobs processor
jobs_process_stop()
{
  if [ -f "$JOBS_FILE" ]; then
    echo "Stopping background jobs processor"

    # Enter critical section (ignore whether we actually can obtain the lock)
    lock_enter "$JOBS_LOCK_NAME"

    # Remove jobs file (also kills background process (if any))
    rm -f "$JOBS_FILE"

    # Leave critical section (ignore whether we actually can release the lock)
    lock_leave "$JOBS_LOCK_NAME"
  fi

  # Make sure process is properly terminated
  jobs_process_terminate_check
}


# Here the actual iptables rules are loaded
###########################################
setup_firewall_rules()
{
  # Set indent for functions
  INDENT='  '

  echo "Using loglevel \"$LOGLEVEL\" for syslogd"
  echo ""
  echo "Setting up firewall rules:"
  echo "-------------------------------------------------------------------------------"

  # Assign conntrack helper modules
  #################################
  echo "Enabling assignment of selected conntrack helpers"
  load_conntrack_helper_module ftp tcp 21
  if [ "$USE_IRC" = "1" ]; then
    load_conntrack_helper_module irc tcp 6667:7001
  fi

  # Setup all TCP MSS stuff
  #########################
  setup_tcp_mss

  # Setup all mangle stuff
  ########################
  setup_mangle_tables

  # Setup basic input/forward/output/...
chains ############################################# iptables -A INPUT -j INPUT_CHAIN iptables -A FORWARD -j FORWARD_CHAIN iptables -A OUTPUT -j OUTPUT_CHAIN ip4tables -t nat -A PREROUTING -j NAT_PREROUTING_CHAIN ip4tables -t nat -A POSTROUTING -j NAT_POSTROUTING_CHAIN # Block all hosts in the custom blocked hosts file ################################################## iptables -A INPUT -j HOST_BLOCK_SRC iptables -A FORWARD -j HOST_BLOCK_SRC iptables -A FORWARD -j HOST_BLOCK_DST iptables -A OUTPUT -j HOST_BLOCK_DST # Allow DNS out for plugins and iptables while setting up rules ############################################################### iptables -A OUTPUT_CHAIN -p udp --dport 53 -j ACCEPT iptables -A OUTPUT_CHAIN -p tcp --dport 53 -j ACCEPT # Setup global helper chains ############################ setup_valid_chk_chain setup_reserved_net_chk_chain setup_spoof_chk_chain # Check if source address is spoofed #################################### iptables -A INPUT -j SPOOF_CHK # Setup rules for input/output logging ###################################### setup_input_log setup_output_log # Explicit unset IFS, just in case unset IFS # Insert the custom rules ######################### if [ -f "$CUSTOM_RULES" ]; then echo "Reading custom rules from $CUSTOM_RULES" . 
$CUSTOM_RULES fi # Start (user) plugins ###################### plugins_start # Fragmented packets handling # NOTE: Fragmentation cannot happen with IPv6 (and probably even not with iptables/IPv4) ######################################################################################## if [ "$FRAG_DROP" = "1" ]; then ip4tables -A OUTPUT -f \ -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Fragment packet: " ip4tables -A OUTPUT -f -j DROP fi # Setup helper chains for EXTERNAL input traffic: echo "Setting up external(INET) INPUT policy" setup_ext_broadcast_chain setup_ext_icmp_flood_chain setup_ext_input_chain # Setup helper chains for EXTERNAL output traffic: echo "Setting up external(INET) OUTPUT policy" setup_ext_output_chain # This is used for your external (untrusted) interfaces ####################################################### IFS=' ,' for interface in $EXT_IF; do echo "Applying external(INET) policy to interface: $interface" # Apply external (internet) interface policy for the output chain: ################################################################## iptables -A OUTPUT -o $interface -j EXT_OUTPUT_CHAIN # We must allow special icmpv6 packets since CONNTRACK doesn't handle all icmpv6 types: ####################################################################################### if [ "$IPV6_SUPPORT" = "1" -a "$OPEN_ICMPV6" != "0" ]; then for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT done if [ "$OPEN_ICMPV6_MLD" = "1" ]; then for icmpv6_type in $ICMPV6_MLD_TYPES; do ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT done fi fi # Apply external (internet) interface policy for the input chain: ################################################################# # Check packets for invalid flags: iptables -A INPUT -i $interface -j VALID_CHK # Perform check: ################ # Non-ICMP 
traffic: iptables -A INPUT -i $interface ! -p icmp $NF_CONNTRACK_STATE NEW -j EXT_INPUT_CHAIN # ICMP traffic (rate limited): iptables -A INPUT -i $interface -p icmp $NF_CONNTRACK_STATE NEW \ -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN # ICMP traffic (flood) iptables -A INPUT -i $interface -p icmp $NF_CONNTRACK_STATE NEW -j EXT_ICMP_FLOOD_CHAIN # Drop any remaining ICMPv6 traffic if [ "$IPV6_SUPPORT" = "1" ]; then ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN fi done # Setup input rules for your internal net ######################################### if [ -n "$INT_IF" ]; then # Setup helper chain for the LAN: echo "Setting up internal(LAN) INPUT policy" setup_int_input_chain IFS=' ,' for interface in $INT_IF; do echo "Applying internal(LAN) policy to interface: $interface" iptables -A INPUT -i $interface -j INT_INPUT_CHAIN iptables -A OUTPUT -o $interface -j INT_OUTPUT_CHAIN done fi # Setup input rules for your DMZ net #################################### if [ -n "$DMZ_IF" ]; then # Setup helper chain for the DMZ: echo "Setting up DMZ INPUT policy" setup_dmz_input_chain IFS=' ,' for interface in $DMZ_IF; do echo "Applying DMZ policy to interface: $interface" iptables -A INPUT -i $interface -j DMZ_INPUT_CHAIN iptables -A OUTPUT -o $interface -j DMZ_OUTPUT_CHAIN done fi # Accept all packets on "other" interfaces ########################################## if [ -n "$TRUSTED_IF" ]; then echo "Accepting ALL INPUT packets from trusted interface(s): $TRUSTED_IF" IFS=' ,' for interface in $TRUSTED_IF; do iptables -A INPUT -i $interface -j ACCEPT done fi # Jump to the POST INPUT chain ############################## iptables -A INPUT -j POST_INPUT_CHAIN # Everything else is logged & dropped in INPUT (just in case)... 
################################################################ iptables -A INPUT -m limit --limit 1/s -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped INPUT packet: " iptables -A INPUT -j DROP # Drop all packets at the end of the POST_INPUT_DROP_CHAIN iptables -A POST_INPUT_DROP_CHAIN -j DROP # Remove the temp rule at the beginning of the POST_INPUT_DROP_CHAIN iptables -D POST_INPUT_DROP_CHAIN 1 ############################################################################################### # FORWARD rules # ############################################################################################### # Drop forward traffic to/from IPv6 Link Local Addresses ######################################################## if [ "$IPV6_SUPPORT" = "1" ]; then if [ "$FORWARD_LINK_LOCAL" != "1" ]; then ip6tables -A FORWARD -s fe80::/10 -j LINK_LOCAL_DROP ip6tables -A FORWARD -d fe80::/10 -j LINK_LOCAL_DROP else echo "IPv6 Link-Local Addresses are forwarded!" fi fi # Allow forward traffic from "trusted-if" ######################################### if [ -n "$TRUSTED_IF" ]; then echo "Accepting ALL FORWARD packets for trusted interface(s): $TRUSTED_IF" IFS=' ,' for interface in $TRUSTED_IF; do # Allow forward traffic in: iptables -A FORWARD -i $interface -j ACCEPT # Allow forward traffic out: iptables -A FORWARD -o $interface -j ACCEPT done fi # Source the IN/OUT chains for the external interface(s) ######################################################## IFS=' ,' for eif in $EXT_IF; do iptables -A FORWARD -i $eif -j EXT_FORWARD_IN_CHAIN iptables -A FORWARD -o $eif -j EXT_FORWARD_OUT_CHAIN done # Source the IN/OUT chains for the dmz interface(s) ######################################################## IFS=' ,' for dif in $DMZ_IF; do iptables -A FORWARD -i $dif -j DMZ_FORWARD_IN_CHAIN iptables -A FORWARD -o $dif -j DMZ_FORWARD_OUT_CHAIN done # Check source address for spoofing ################################### iptables -A FORWARD -j SPOOF_CHK # Check if the incoming packet 
is (in)valid ########################################### iptables -A EXT_FORWARD_IN_CHAIN -j VALID_CHK # Check if incoming packet sources are (in)valid ################################################ if [ "$RESERVED_NET_DROP" = "1" -o "$RESERVED_NET_LOG" = "1" ]; then iptables -A EXT_FORWARD_IN_CHAIN -j RESERVED_NET_CHK fi # Setup forward policy for the DMZ ################################## if [ -n "$DMZ_IF" ]; then echo "Setting up DMZ FORWARD policy" if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then echo " Logging of denied DMZ (forward) output connections enabled" else echo " Logging of denied DMZ (forward) output connections disabled" fi if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then echo " Logging of denied DMZ (forward) input connections enabled" else echo " Logging of denied DMZ (forward) input connections disabled" fi # Setup helper chains for the DMZ: setup_inet_dmz_forward_chain setup_dmz_inet_forward_chain setup_dmz_lan_forward_chain echo " Allowing LAN->DMZ for LAN interface(s): ${LAN_DMZ_ALLOW_IF:-$INT_IF}" IFS=' ,' for dif in $DMZ_IF; do echo "Applying DMZ FORWARD policy to interface: $dif" # Always make subnets on the SAME interface trust each other iptables -A FORWARD -i $dif -o $dif -j ACCEPT for eif in $EXT_IF; do # Apply policy for inet->DMZ traffic iptables -A FORWARD -i $eif -o $dif -j INET_DMZ_FORWARD_CHAIN # Apply policy for DMZ->inet traffic iptables -A FORWARD -i $dif -o $eif -j DMZ_INET_FORWARD_CHAIN done # Apply policy for DMZ->LAN traffic & LAN->DMZ traffic for iif in $INT_IF; do # Apply policy for DMZ->LAN iptables -A FORWARD -i $dif -o $iif -j DMZ_LAN_FORWARD_CHAIN # Apply policy for LAN->DMZ (allow all INT_IF when LAN_DMZ_ALLOW_IF is not defined) for interface in ${LAN_DMZ_ALLOW_IF:-$INT_IF}; do if [ "$iif" = "$interface" ]; then iptables -A FORWARD -i $iif -o $dif -j ACCEPT break fi done done done fi # Forward traffic for LAN interface(s) that trust each other ####################################################################### IFS=$SEP3 
  for if_group in $IF_TRUSTS; do
    echo "Setting up trust FORWARD policy for interface(s): $if_group"
    IFS=' ,'
    for input_if in $if_group; do
      for output_if in $if_group; do
        if [ "$input_if" != "$output_if" ]; then
          iptables -A FORWARD -i $input_if -o $output_if -j ACCEPT
        fi
      done
    done
  done

  # Additional rules for the internal subnet(s)
  #############################################
  if [ -n "$INT_IF" ]; then
    echo "Setting up internal(LAN) FORWARD policy"

    # Enable logging of denied LAN output connections?
    ##################################################
    if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
      echo " Logging of denied LAN->INET FORWARD connections enabled"
    else
      echo " Logging of denied LAN->INET FORWARD connections disabled"
    fi

    # Setup helper chains for the LAN:
    setup_lan_lan_forward_chain
    lan_lan_forward_result=$?
    setup_lan_inet_forward_chain

    IFS=' ,'
    for iif in $INT_IF; do
      echo "Applying internal(LAN) FORWARD policy to interface: $iif"

      # Always make subnets on the SAME interface trust each other
      iptables -A FORWARD -i $iif -o $iif -j ACCEPT

      # Optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules
      if [ $lan_lan_forward_result -eq 0 ]; then
        for output_if in $INT_IF; do
          if [ "$iif" != "$output_if" ]; then
            iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN
          fi
        done
      fi

      for eif in $EXT_IF; do
        iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN
      done
    done
    unset lan_lan_forward_result
  fi

  ##############################################################################
  # Masquerade (NAT) or SNAT. Share the gateway's internet connection with     #
  # the internal network                                                       #
  ##############################################################################
  if [ "$NAT" = "1" ]; then
    if [ -n "$NAT_STATIC_IP" ]; then
      echo "Enabling SNAT via (external) IP(s): $NAT_STATIC_IP"
      printf " Adding (internal) host(s): "
      IFS=' ,'
      for net in $NAT_INTERNAL_NET; do
        printf "%s " "$net"
        COUNT=0
        for interface in $NAT_IF; do
          COUNT=$((COUNT + 1))
          STATIC_IP=$(echo "$NAT_STATIC_IP" |awk "{ print \$$COUNT }")
          if [ -z "$STATIC_IP" ]; then
            # No more IPs specified for the remaining interfaces
            break
          fi
          ip4tables -t nat -A POSTROUTING -o $interface -s $net ! -d $net -j SNAT --to-source $STATIC_IP
        done
      done
      echo ""
    else
      echo "Enabling masquerading(NAT) via (external) interface(s): $NAT_IF"
      printf " Adding (internal) host(s): "
      IFS=' ,'
      for net in $NAT_INTERNAL_NET; do
        printf "%s " "$net"
        for interface in $NAT_IF; do
          # The "! -d $net" is to avoid problems with Freeswan etc.
          ip4tables -t nat -A POSTROUTING -o $interface -s $net ! -d $net -j MASQUERADE
        done
      done
      echo ""
    fi
  fi

  # Port / protocol forwarding. Forward ports or protocols on the internet-gateway to machines in our LAN
  #######################################################################################################

  # NAT TCP port forwards
  #######################
  unset IFS
  for rule in $NAT_FORWARD_TCP; do
    if parse_rule "$rule" NAT_FORWARD_TCP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) TCP port(s) $(show_hosts_ports "$shosts" "$ports") to $(echo "$dhost_dport" |tr "$SEP-" '::')"

      IFS=' ,'
      for shost in $(ip_range "$shosts"); do
        for port in $ports; do
          for destip in $destips; do
            # Portforward for all specified interfaces
            for eif in $interfaces; do
              # This code makes it possible to forward to a different port on the internal host
              dport=$(get_ports_hp "$dhost_dport" "$port")
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p tcp --dport $port -j DNAT --to-destination $(echo "$dhost_dport" |tr "$SEP-" '::')

              dhost=$(get_hosts_hp "$dhost_dport")
              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p tcp --dport $dport -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # NAT UDP port forwards
  #######################
  unset IFS
  for rule in $NAT_FORWARD_UDP; do
    if parse_rule "$rule" NAT_FORWARD_UDP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) UDP port(s) $(show_hosts_ports "$shosts" "$ports") to $(echo "$dhost_dport" |tr "$SEP-" '::')"

      IFS=' ,'
      for shost in $(ip_range "$shosts"); do
        for port in $ports; do
          for destip in $destips; do
            # Portforward for all specified interfaces
            for eif in $interfaces; do
              # This code makes it possible to forward to a different port on the internal host
              dport=$(get_ports_hp "$dhost_dport" "$port")
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p udp --dport $port -j DNAT --to-destination $(echo "$dhost_dport" |tr "$SEP-" '::')

              dhost=$(get_hosts_hp "$dhost_dport")
              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p udp --dport $dport -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # Non-TCP/UDP port forwards (protocol based)
  ############################################
  unset IFS
  for rule in $NAT_FORWARD_IP; do
    if parse_rule "$rule" NAT_FORWARD_IP "interfaces:NAT_IF-destips-shosts-protos-dhost"; then
      echo "$(show_if_ip "$interfaces" "$destips")Forwarding(NAT) IP protocol(s) $(show_hosts_ports "$shosts" "$protos") to $dhost"

      IFS=' ,'
      for shost in $(ip_range "$shosts"); do
        for proto in $protos; do
          for destip in $destips; do
            for eif in $interfaces; do
              ip4tables -t nat -A PREROUTING -i $eif -s $shost -d $destip -p $proto -j DNAT --to-destination $dhost

              if [ -n "$dhost" ]; then
                ip4tables -A EXT_FORWARD_IN_CHAIN -i $eif ! -o $eif -s $shost -d $dhost -p $proto -j ACCEPT
              fi
            done
          done
        done
      done
    fi
  done

  # Setup rules to allow INET IPv6 and non-NAT'ed IPv4 traffic in FORWARD chain
  setup_inet_forward_rules

  # Do we want to loosen the forward chain to make use of protocols like UPnP possible?
  ####################################################################################
  if [ "$LOOSE_FORWARD" = "1" ]; then
    echo "Security is LOOSENED for external interface(s) in the FORWARD chain!"

    # Loosen the forward chain
    IFS=' ,'
    for eif in $EXT_IF; do
      iptables -A FORWARD -i $eif ! -o $eif -j ACCEPT
    done
  else
    echo "Security is ENFORCED for external interface(s) in the FORWARD chain"
  fi

  # Jump to the post forward chain
  iptables -A FORWARD -j POST_FORWARD_CHAIN

  # Everything else is logged & dropped in FORWARD
  if [ "$FORWARD_DROP_LOG" != "0" ]; then
    echo " Logging of dropped FORWARD packets enabled"
    iptables -A FORWARD -m limit --limit 1/m --limit-burst 3 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped FORWARD packet: "
  else
    echo " Logging of dropped FORWARD packets disabled"
  fi
  iptables -A FORWARD -j DROP

  # Post/pre routing post chains
  ip4tables -t nat -A PREROUTING -j POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN

  # Mark outgoing packets for traffic shaping?
  ############################################
  #if [ "$TRAFFIC_SHAPING" = "1" ]; then
  #  iptables -t mangle -I OUTPUT -m length --length 0:500 -j MARK --set-mark 1
  #  iptables -t mangle -I OUTPUT -m length --length 500:1500 -j MARK --set-mark 2
  #fi

  # Jump to the post output chain
  iptables -A OUTPUT -j POST_OUTPUT_CHAIN

  # Everything else is accepted in OUTPUT
  iptables -A OUTPUT -j ACCEPT

  # Clean-up DNS output rules
  iptables -D OUTPUT_CHAIN 2
  iptables -D OUTPUT_CHAIN 1
}

# Create our custom chains
create_user_chains()
{
  # General chains
  iptables -N HOST_BLOCK_SRC
  iptables -N HOST_BLOCK_DST
  iptables -N HOST_BLOCK_SRC_DROP
  iptables -N HOST_BLOCK_DST_DROP
  iptables -N VALID_CHK
  iptables -N RESERVED_NET_CHK
  iptables -N SPOOF_CHK
  iptables -N INPUT_CHAIN
  iptables -N FORWARD_CHAIN
  iptables -N OUTPUT_CHAIN
  ip4tables -t nat -N NAT_PREROUTING_CHAIN
  ip4tables -t nat -N NAT_POSTROUTING_CHAIN
  iptables -N POST_INPUT_DROP_CHAIN
  iptables -N POST_INPUT_CHAIN
  iptables -N POST_FORWARD_CHAIN
  iptables -N POST_OUTPUT_CHAIN
  ip4tables -t nat -N POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -N POST_NAT_POSTROUTING_CHAIN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -N LINK_LOCAL_DROP
  fi

  # Interface-2-interface chains
  iptables -N DMZ_LAN_FORWARD_CHAIN
  iptables -N INET_DMZ_FORWARD_CHAIN
  iptables -N DMZ_INET_FORWARD_CHAIN
  iptables -N LAN_LAN_FORWARD_CHAIN
  iptables -N LAN_INET_FORWARD_CHAIN

  # Chains for the external interface
  iptables -N EXT_MULTICAST_CHAIN
  iptables -N EXT_BROADCAST_CHAIN
  iptables -N EXT_ICMP_FLOOD_CHAIN
  iptables -N EXT_INPUT_CHAIN
  iptables -N EXT_FORWARD_IN_CHAIN
  iptables -N EXT_FORWARD_OUT_CHAIN
  iptables -N EXT_OUTPUT_CHAIN

  # INT(LAN) chains
  iptables -N INT_INPUT_CHAIN
  iptables -N INT_OUTPUT_CHAIN

  # DMZ chains
  iptables -N DMZ_INPUT_CHAIN
  iptables -N DMZ_FORWARD_IN_CHAIN
  iptables -N DMZ_FORWARD_OUT_CHAIN
  iptables -N DMZ_OUTPUT_CHAIN
}

# Flush our custom chains
flush_user_chains()
{
  # General chains
  iptables -F HOST_BLOCK_SRC
  iptables -F HOST_BLOCK_DST
  iptables -F HOST_BLOCK_SRC_DROP
  iptables -F HOST_BLOCK_DST_DROP
  iptables -F VALID_CHK
  iptables -F RESERVED_NET_CHK
  iptables -F SPOOF_CHK
  iptables -F INPUT_CHAIN
  iptables -F FORWARD_CHAIN
  iptables -F OUTPUT_CHAIN
  iptables -F POST_INPUT_DROP_CHAIN
  iptables -F POST_INPUT_CHAIN
  iptables -F POST_FORWARD_CHAIN
  iptables -F POST_OUTPUT_CHAIN
  ip4tables -t nat -F NAT_PREROUTING_CHAIN
  ip4tables -t nat -F NAT_POSTROUTING_CHAIN
  ip4tables -t nat -F POST_NAT_PREROUTING_CHAIN
  ip4tables -t nat -F POST_NAT_POSTROUTING_CHAIN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -F LINK_LOCAL_DROP
  fi

  # Interface-2-interface chains
  iptables -F DMZ_LAN_FORWARD_CHAIN
  iptables -F INET_DMZ_FORWARD_CHAIN
  iptables -F DMZ_INET_FORWARD_CHAIN
  iptables -F LAN_LAN_FORWARD_CHAIN
  iptables -F LAN_INET_FORWARD_CHAIN

  # Chains for the external interface
  iptables -F EXT_MULTICAST_CHAIN
  iptables -F EXT_BROADCAST_CHAIN
  iptables -F EXT_ICMP_FLOOD_CHAIN
  iptables -F EXT_INPUT_CHAIN
  iptables -F EXT_FORWARD_IN_CHAIN
  iptables -F EXT_FORWARD_OUT_CHAIN
  iptables -F EXT_OUTPUT_CHAIN

  # INT(LAN) chains
  iptables -F INT_INPUT_CHAIN
  iptables -F INT_OUTPUT_CHAIN

  # DMZ chains
  iptables -F DMZ_INPUT_CHAIN
  iptables -F DMZ_FORWARD_IN_CHAIN
  iptables -F DMZ_FORWARD_OUT_CHAIN
  iptables -F DMZ_OUTPUT_CHAIN
}

stop_firewall()
{
  # Set default IPv4 policies
  ip4tables -P INPUT ACCEPT
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT ACCEPT

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush rules in the nat/mangle/raw tables
  ip4tables -t nat -F
  ip4tables -t nat -X
  ip4tables -t mangle -F
  ip4tables -t mangle -X
  try_ip4tables -t raw -F
  try_ip4tables -t raw -X

  # Attempt to flush all IPv4 chains
  ip4tables -F
  ip4tables -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Set default IPv6 policies
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT

    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush rules in the nat/mangle/raw tables
    try_ip6tables -t nat -F
    try_ip6tables -t nat -X
    ip6tables -t mangle -F
    ip6tables -t mangle -X
    try_ip6tables -t raw -F
    try_ip6tables -t raw -X

    # Attempt to flush all IPv6 chains
    ip6tables -F
    ip6tables -X
  fi
}

reinit_firewall_chains()
{
  echo "Reinitializing firewall chains"

  # Set INDENT for functions
  INDENT='  '

  # Create chains, just in case
  create_user_chains 2>/dev/null

  # Flush our user chains
  flush_user_chains

  # Temporarily set OUTPUT default policy to ACCEPT
  # Without it, active states will be flushed.
  iptables -P OUTPUT ACCEPT

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush builtin IPv4 nat chains
  ip4tables -t nat -F PREROUTING
  ip4tables -t nat -F OUTPUT
  ip4tables -t nat -F POSTROUTING

  # Flush builtin IPv4 mangle chains
  # We don't have to be selective by chain since we don't
  # expect any external, dynamically managed mangle chains
  ip4tables -t mangle -F

  # Flush builtin IPv4 raw chains
  try_ip4tables -t raw -F

  # Flush conntrack helper IPv4 chain, may not exist so "try"
  try_ip4tables -F CONNTRACK_HELPER

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush builtin IPv6 nat chains
    try_ip6tables -t nat -F PREROUTING
    try_ip6tables -t nat -F OUTPUT
    try_ip6tables -t nat -F POSTROUTING

    # Flush builtin IPv6 mangle chains
    # We don't have to be selective by chain since we don't
    # expect any external, dynamically managed mangle chains
    ip6tables -t mangle -F

    # Flush builtin IPv6 raw chains
    try_ip6tables -t raw -F

    # Flush conntrack helper IPv6 chain, may not exist so "try"
    try_ip6tables -F CONNTRACK_HELPER
  fi

  # Restore our base chains (which weren't flushed so any
  # running connections should be maintained)
  #######################################################
  iptables -A INPUT -j BASE_INPUT_CHAIN
  iptables -A FORWARD -j BASE_FORWARD_CHAIN
  iptables -A OUTPUT -j BASE_OUTPUT_CHAIN
}

stop_block_firewall()
{
  # Temporarily set default IPv4 policies to DROP,
  # to not even have a small window of opportunity
  ################################################
  ip4tables -P INPUT DROP
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT DROP

  # Flush builtin IPv4 chains
  ip4tables -F INPUT
  ip4tables -F OUTPUT
  ip4tables -F FORWARD

  # Flush nat/mangle/raw table rules
  ip4tables -t nat -F
  ip4tables -t nat -X
  ip4tables -t mangle -F
  ip4tables -t mangle -X
  try_ip4tables -t raw -F
  try_ip4tables -t raw -X

  # Attempt to flush all IPv4 chains
  ip4tables -F
  ip4tables -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Temporarily set default IPv6 policies to DROP,
    # to not even have a small window of opportunity
    ################################################
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT DROP

    # Flush builtin IPv6 chains
    ip6tables -F INPUT
    ip6tables -F OUTPUT
    ip6tables -F FORWARD

    # Flush nat/mangle/raw table rules
    try_ip6tables -t nat -F
    try_ip6tables -t nat -X
    ip6tables -t mangle -F
    ip6tables -t mangle -X
    try_ip6tables -t raw -F
    try_ip6tables -t raw -X

    # Attempt to flush all IPv6 chains
    ip6tables -F
    ip6tables -X
  fi

  # Deny traffic from our internet interfaces
  IFS=' ,'
  for interface in $EXT_IF; do
    ip4tables -A INPUT -i $interface -j DROP
    if [ "$IPV6_DETECTED" = "1" ]; then
      ip6tables -A INPUT -i $interface -j DROP
    fi
  done

  # Allow IPv4 traffic from the loopback (localhost)
  ip4tables -A INPUT -i lo -j ACCEPT
  ip4tables -A FORWARD -i lo -j ACCEPT
  ip4tables -A OUTPUT -o lo -j ACCEPT

  # Set default IPv4 policies
  ip4tables -P INPUT ACCEPT
  ip4tables -P FORWARD DROP
  ip4tables -P OUTPUT ACCEPT

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Allow IPv6 traffic from the loopback (localhost)
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A FORWARD -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # Set default IPv6 policies
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT ACCEPT
  fi
}

show_status()
{
  # Check if the user gave any parameters
  if [ -z "$1" ]; then
    iptables -xnvL

    if [ "$NAT" = "1" ]; then
      ip4tables -t nat -xnvL
    fi

    if [ "$MANGLE_TOS" = "1" ]; then
      iptables -t mangle -nvL
    fi

    # Show plugin status
    plugins_status
  else
    #iptables -nvL $2 $3 $4 $5
    iptables -xnvL "$@"
  fi

  # Show IP->hostname mappings from our host-cache
  if [ -f "$HOST_CACHE_FILE" ]; then
    echo ""
    echo "Showing hostname->IP mapping"
    echo "----------------------------"
    cat "$HOST_CACHE_FILE"
  fi
}

show_start()
{
  echo "** Starting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
}

show_restart()
{
  echo "** Restarting Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
}

show_failed()
{
  echo "** ERROR: Firewall failed to start! **" |log_msg
}

show_stop()
{
  DATE=$(LC_ALL=C date +'%b %d %H:%M:%S')
  echo "$DATE Stopping Arno's Iptables Firewall(AIF) v$MY_VERSION"
  echo "** Stopping Arno's Iptables Firewall(AIF) v$MY_VERSION **" |log_msg
}

show_stop_blocked()
{
  DATE=$(LC_ALL=C date +'%b %d %H:%M:%S')
  echo "$DATE FIREWALL DISABLED & BLOCKING ALL INTERNET TRAFFIC!"
  echo "** FIREWALL DISABLED & BLOCKING ALL INTERNET TRAFFIC! **" |log_msg
}

# Now show the final message
show_applied()
{
  echo ""
  DATE=$(LC_ALL=C date +'%b %d %H:%M:%S')
  if [ $RULE_WARNING -ne 0 ]; then
    printf "$DATE \033[40m\033[1;31mWARNING: $RULE_WARNING firewall rules failed to apply!\n\033[0m" >&2
    echo "** WARNING: $RULE_WARNING firewall rules failed to apply! **" |log_msg
  else
    echo "$DATE All firewall rules applied"
    echo "** All firewall rules applied **" |log_msg
  fi
}

show_disabled()
{
  DATE=$(LC_ALL=C date +'%b %d %H:%M:%S')
  echo "$DATE FIREWALL DISABLED!"
} show_help() { echo "Usage: `basename $0` { start | stop | restart | force-reload | status }" >&2 echo "start = Start firewall" >&2 echo "stop = Stop firewall" >&2 echo "stop-block = Stop firewall & block all internet packets" >&2 echo "restart = Restart firewall" >&2 echo "force-reload = Reload blocked hosts (blackhole) file" >&2 echo "check-conf = Check configuration file (only)" >&2 echo "status [-t {table}] [chain] = View firewall ruleset ([chain] & [-t {table}] are optional)" >&2 echo "status-plugins [name] = View plugins status (view only plugin [name] is optional)" >&2 } main_stop() { # Stop jobs processor (if running) jobs_process_stop # Stop all plugins plugins_stop if [ "$1" = "block" ]; then stop_block_firewall else stop_firewall fi if [ "$PLUGIN_ERRORS" != "0" ]; then printf "\033[40m\033[1;31m\nWARNING: $PLUGIN_ERRORS Plugin(s) reported errors while stopping!\n\033[0m" >&2 fi } main_start() { # Stop jobs processor (if running) jobs_process_stop load_modules setup_misc setup_kernel_settings init_firewall_chains setup_default_policies setup_hostblock_chain setup_firewall_rules # Start jobs processor (if required) jobs_process_start } main_restart() { # Stop jobs processor (if running) jobs_process_stop plugins_stop restart load_modules # setup_misc setup_kernel_settings reinit_firewall_chains setup_default_policies setup_hostblock_chain setup_firewall_rules # Start jobs processor (if required) jobs_process_start } start_restart() { # Check whether we are actually stopped case $(check_for_base_chains) in no) main_start;; yes) main_restart;; other) main_stop; main_start;; esac if [ "$PLUGIN_ERRORS" != "0" ]; then printf "\033[40m\033[1;31m\nWARNING: $PLUGIN_ERRORS Plugin(s) reported errors while starting!\n\033[0m" >&2 fi show_applied } # int main (char *argv) ####################### # Check commandline supplied argument: case "$1" in 'start' ) sanity_check show_start config_check start_restart;; 'restart' ) sanity_check show_restart config_check 
start_restart;; 'force-reload' ) sanity_check config_check setup_hostblock_chain show_applied;; 'stop' ) sanity_check show_stop main_stop show_disabled;; 'stop-block' ) sanity_check show_stop main_stop block show_stop_blocked;; 'status' ) shift show_status $@;; 'status-plugins' ) shift plugins_status $@;; 'check-conf' ) config_check;; * ) printf "\033[40m\033[1;31mERROR: Bad or missing parameter(s)\033[0m\n\n" >&2 show_help;; esac exit 0 aif-2.1.2a/configure.sh000077500000000000000000000200111464417520100147320ustar00rootroot00000000000000#!/bin/bash MY_VERSION="1.06" # ------------------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) =- # Single- & multi-homed firewall script with DSL/ADSL support # # ~ In memory of my dear parents ~ # # (C) Copyright 2001-2022 by Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------------------

# Check if the environment file exists and if so, load it
#########################################################
if [ -f ./share/arno-iptables-firewall/environment ]; then
  . ./share/arno-iptables-firewall/environment
else
  printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n\n" >&2
  exit 2
fi

# Allow user to override firewall.conf location (undocumented)
FIREWALL_CONF=${1:-/etc/arno-iptables-firewall/firewall.conf}

sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n\n" >&2
    exit 1
  fi

  if [ ! -f "/etc/arno-iptables-firewall/firewall.conf" ]; then
    printf "\033[40m\033[1;31mERROR: It looks like arno-iptables-firewall is not installed on this system (yet)! Quitting...\033[0m\n\n" >&2
    exit 1
  fi

  check_command_error sed
  check_command_error chmod
  check_command_error chown
  check_command_error cp
  check_command_error ln
  check_command_error rm
  check_command_error ip
  check_command_error cut
  check_command_error diff
}


change_conf_var()
{
  if ! grep -E -q "^#?$2=" "$1"; then
    printf "\033[40m\033[1;31mERROR: Variable \"$2\" not found in \"$1\". File is probably outdated!\033[0m\n\n" >&2
  elif [ -n "$3" ]; then
    sed -i -e "s~^#\?$2=.*$~$2=\"$3\"~" "$1"
  fi
}


get_conf_var()
{
  printf "$1 "
  read ANSWER

  if [ -z "$ANSWER" ]; then
    if [ -n "$4" ]; then
#      echo "$4"
      change_conf_var "$2" "$3" "$4"
#    else
#      echo "(None)"
    fi
  else
    change_conf_var "$2" "$3" "$ANSWER"
  fi

  return 0
}


get_user_yn()
{
  if [ "$2" = "y" ]; then
    printf "$1 (Y/n)? "
  else
    printf "$1 (y/N)? "
  fi

  read ANSWER_WITH_CASE

  ANSWER=`echo "$ANSWER_WITH_CASE" |tr A-Z a-z`

  if [ "$ANSWER" = "y" -o "$ANSWER" = "yes" ]; then
    return 0
  fi

  if [ "$ANSWER" = "n" -o "$ANSWER" = "no" ]; then
    return 1
  fi

  # Fallback to default
  if [ "$2" = "y" ]; then
    return 0
  else
    return 1
  fi
}


verify_interfaces()
{
  if [ -z "$1" ]; then
    if ! get_user_yn "No interface(s) specified. These are required! Continue anyway" "n"; then
      return 1
    fi
  fi

  IFS=' ,'
  for interface in $1; do
    if ! check_interface $interface; then
      if ! get_user_yn "Interface \"$interface\" does not exist (yet). Continue anyway" "n"; then
        return 1
      fi
    fi
  done

  return 0
}


list_interfaces()
{
  ip -o -brief addr show
}


setup_conf_file()
{
  # Create backup of old config
  cp -fvb "$FIREWALL_CONF" "${FIREWALL_CONF}.bak"

  echo ""
  echo "Listing available interfaces:"
  echo "-----------------------------"
  list_interfaces
  echo "-----------------------------"

  printf "We will now setup the most basic settings of the firewall\n\n"

  while true; do
    printf "What is your external (aka. internet) interface (multiple interfaces should be comma separated)? "
    read EXT_IF

    if verify_interfaces $EXT_IF; then
      change_conf_var "$FIREWALL_CONF" "EXT_IF" "$EXT_IF"
      break
    fi
  done

  if get_user_yn "Does your external interface get its IP through DHCP" "n"; then
    change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "1"
  else
    change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "0"
  fi

  if get_user_yn "Do you want to enable IPv6 support" "y"; then
    change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "1"
  else
    change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "0"
  fi

  if get_user_yn "Do you want to be pingable from the internet" "n"; then
    change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "1"
  else
    change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "0"
  fi

  get_conf_var "Which TCP ports do you want to allow from the internet? (eg. 22=SSH, 80=HTTP, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_TCP" ""
  get_conf_var "Which UDP ports do you want to allow from the internet? (eg. 53=DNS, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_UDP" ""

  if get_user_yn "Do you have an internal(aka LAN) interface that you want to setup" "n"; then
    while true; do
      printf "What is your internal (aka. LAN) interface (multiple interfaces should be comma separated)? "
      read INT_IF

      if verify_interfaces $INT_IF; then
        change_conf_var "$FIREWALL_CONF" "INT_IF" "$INT_IF"

        local INTERNAL_NET=""
        local INT_NET_BCAST_ADDRESS=""
        IFS=' ,'
        for interface in $INT_IF; do
          INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$(get_network_ipv4_address_mask $interface)"
          INT_NET_BCAST_ADDRESS="$INT_NET_BCAST_ADDRESS${INT_NET_BCAST_ADDRESS:+ }$(get_network_ipv4_broadcast $interface)"
        done

        if [ -n "$INTERNAL_NET" ] && [ -n "$INT_NET_BCAST_ADDRESS" ]; then
          echo "* Auto-detected internal IPv4 net(s): $INTERNAL_NET"
          echo "* Auto-detected internal IPv4 broadcast address(es): $INT_NET_BCAST_ADDRESS"
          change_conf_var "$FIREWALL_CONF" "INTERNAL_NET" "$INTERNAL_NET"
          change_conf_var "$FIREWALL_CONF" "INT_NET_BCAST_ADDRESS" "$INT_NET_BCAST_ADDRESS"

          if get_user_yn "Do you want to enable NAT/masquerading for your internal subnet" "n"; then
            change_conf_var "$FIREWALL_CONF" "NAT" "1"
            change_conf_var "$FIREWALL_CONF" "NAT_INTERNAL_NET" '\$INTERNAL_NET'
          else
            change_conf_var "$FIREWALL_CONF" "NAT" "0"
          fi
        fi
        break
      fi
    done
  fi

  # Make sure init script is executable and root owned
  if [ -f /etc/init.d/arno-iptables-firewall ]; then
    chown 0:0 /etc/init.d/arno-iptables-firewall
    chmod 755 /etc/init.d/arno-iptables-firewall
  fi

  # Set the correct permissions on the config file
  chown 0:0 "$FIREWALL_CONF"
  chmod 600 "$FIREWALL_CONF"
}


# main line:
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v$AIF_VERSION\033[0m\n"
printf "Configure Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"

sanity_check

if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then
  if get_user_yn "Your firewall.conf is not configured yet.\nDo you want me to help you setup a basic configuration" "y"; then
    setup_conf_file
  else
    echo "* Skipped"
  fi
else
  if get_user_yn "Your firewall.conf looks already customized.\nModify configuration" "n"; then
    setup_conf_file
  else
    echo "* Skipped"
  fi
fi

echo ""
echo "** Configuration done **"
echo ""

exit 0

aif-2.1.2a/contrib/Debian/syslog-ng.conf
#
# Example configuration file for syslog-ng under Debian
# This will redirect all kernel-debug logging to file /var/log/arno-iptables-firewall.
# Don't forget to touch(create) /var/log/arno-iptables-firewall first & set "LOGLEVEL=debug" in the
# firewall configuration file (firewall.conf)!
#
# The standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
        # disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(0);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
        log_fifo_size(2048);

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        #owner(root);
        group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        #dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);
};

######
# sources

# all known message sources
source s_all {
        # message generated by Syslog-NG
        internal();
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" log_prefix("kernel: "));
        # use the following line if you want to receive remote UDP logging messages
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
};

######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail/mail.log"); };
destination df_mail_dot_info { file("/var/log/mail/mail.info"); };
destination df_mail_dot_warn { file("/var/log/mail/mail.warn"); };
destination df_mail_dot_err { file("/var/log/mail/mail.err"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };

# iptables
destination df_firewall { file("/var/log/arno-iptables-firewall"); };

# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };

######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern) and not level(debug); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news,
# mail, and kern facilities (kern.debug is routed to the firewall log instead)
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail, kern); };

# iptables
filter f_firewall { level(debug) and facility(kern); };

# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.*                 /var/log/auth.log
log {
        source(s_all);
        filter(f_auth);
        destination(df_auth);
};

# *.*;auth,authpriv.none          -/var/log/syslog
log {
        source(s_all);
        filter(f_syslog);
        destination(df_syslog);
};

# this is commented out in the default syslog.conf
# cron.*                          /var/log/cron.log
#log {
#        source(s_all);
#        filter(f_cron);
#        destination(df_cron);
#};

# daemon.*                        -/var/log/daemon.log
log {
        source(s_all);
        filter(f_daemon);
        destination(df_daemon);
};

# kern.*                          -/var/log/kern.log
log {
        source(s_all);
        filter(f_kern);
        destination(df_kern);
};

# lpr.*                           -/var/log/lpr.log
log {
        source(s_all);
        filter(f_lpr);
        destination(df_lpr);
};

# mail.*                          -/var/log/mail.log
log {
        source(s_all);
        filter(f_mail);
        destination(df_mail);
};

# user.*                          -/var/log/user.log
log {
        source(s_all);
        filter(f_user);
        destination(df_user);
};

# uucp.*                          /var/log/uucp.log
log {
        source(s_all);
        filter(f_uucp);
        destination(df_uucp);
};

# mail.info                       -/var/log/mail/mail.info
log {
        source(s_all);
        filter(f_mail);
        filter(f_at_least_info);
        destination(df_mail_dot_info);
};

# mail.warn                       -/var/log/mail/mail.warn
log {
        source(s_all);
        filter(f_mail);
        filter(f_at_least_warn);
        destination(df_mail_dot_warn);
};

# mail.err                        /var/log/mail/mail.err
log {
        source(s_all);
        filter(f_mail);
        filter(f_at_least_err);
        destination(df_mail_dot_err);
};

# news.crit                       /var/log/news/news.crit
log {
        source(s_all);
        filter(f_news);
        filter(f_at_least_crit);
        destination(df_news_dot_crit);
};

# news.err                        /var/log/news/news.err
log {
        source(s_all);
        filter(f_news);
        filter(f_at_least_err);
        destination(df_news_dot_err);
};

# news.notice                     /var/log/news/news.notice
log {
        source(s_all);
        filter(f_news);
        filter(f_at_least_notice);
        destination(df_news_dot_notice);
};

# *.=debug;\
#        auth,authpriv.none;\
#        news.none;mail.none     -/var/log/debug
log {
        source(s_all);
        filter(f_debug);
        destination(df_debug);
};

# *.=info;*.=notice;*.=warn;\
#        auth,authpriv.none;\
#        cron,daemon.none;\
#        mail,news.none          -/var/log/messages
log {
        source(s_all);
        filter(f_messages);
        destination(df_messages);
};

# *.emerg                         *
log {
        source(s_all);
        filter(f_emerg);
        destination(du_all);
};

# kern.debug (iptables)           /var/log/arno-iptables-firewall
log {
        source(s_all);
        filter(f_firewall);
        destination(df_firewall);
};

# daemon.*;mail.*;\
#        news.crit;news.err;news.notice;\
#        *.=debug;*.=info;\
#        *.=notice;*.=warn       |/dev/xconsole
log {
        source(s_all);
        filter(f_xconsole);
        destination(dp_xconsole);
};

aif-2.1.2a/contrib/Debian/syslog.conf
#  /etc/syslog.conf
#
# Example configuration file for syslogd on Debian (you can optionally use this
# as a replacement). This will redirect all kernel-debug logging to file
# /var/log/arno-iptables-firewall. Don't forget to touch(create) /var/log/arno-iptables-firewall first &
# set "LOGLEVEL=debug" in the firewall configuration file (firewall.conf)!
# You should (probably) also set "KLOGD="-c 4" in /etc/init.d/klogd to get rid of firewall logs
# being spit to the console!
#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv,local7,daemon,lpr.none;\
        kern.!=debug;\
        cron.!=info             -/var/log/syslog
cron.*                          -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
#kern.*                         -/var/log/kern.log
kern.*;kern.!=debug             -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

# Logging for DHCP system
local7.*                        /var/log/dhcpd

# Logging for iptables
kern.=debug                     /var/log/arno-iptables-firewall

#
# Some `catch-all' logfiles.
#
*.=debug;\
        kern.!=debug;\
        local7.none;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        local7.none;\
        auth,authpriv.none;\
        cron,daemon,lpr.none;\
        mark.none;\
        mail,news.none          /var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

aif-2.1.2a/contrib/Redhat/syslog.conf
# /etc/syslog.conf Example configuration file for syslogd on RedHat (you can optionally use this as a replacement).
# This will redirect all kernel-debug logging to file /var/log/arno-iptables-firewall.
# Don't forget to touch(create) /var/log/arno-iptables-firewall first & set "LOGLEVEL=debug" in the
# firewall configuration file (firewall.conf)!

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                                 *

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Log all iptables messages to /var/log/arno-iptables-firewall
kern.=debug                                             /var/log/arno-iptables-firewall

aif-2.1.2a/contrib/Slackware/syslog.conf
# /etc/syslog.conf Example configuration file for syslogd on Slackware (you can optionally use this as a replacement).
# This will redirect all kernel-debug logging to file /var/log/arno-iptables-firewall.
# Don't forget to touch(create) /var/log/arno-iptables-firewall first & set "LOGLEVEL=debug" in the
# firewall configuration file (firewall.conf)!

# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.

# Uncomment this to see kernel messages on the console.
#kern.*;kern.!=debug                                    /dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog

# Debugging information is logged here.
*.=debug;kern.!=debug                                   -/var/log/debug

# Logging for iptables
kern.=debug                                             -/var/log/arno-iptables-firewall

# Private authentication message logging:
authpriv.*                                              -/var/log/secure

# Cron related logs:
cron.*                                                  -/var/log/cron

# Mail related logs:
mail.*                                                  -/var/log/maillog

# Emergency level messages go to all users:
*.emerg                                                 *

# This log is for news and uucp errors:
uucp,news.crit                                          -/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit                                             -/var/log/news/news.crit
#news.=err                                              -/var/log/news/news.err
#news.notice                                            -/var/log/news/news.notice

aif-2.1.2a/contrib/adsl-failover
#!/bin/bash
# This script was written by Mark Cleverdon 22/11/2007 under the GPL license
# email: mark at lanzarote1.com
#
# For automatic Failover from the main external network provider on failure
# to a dialup modem or UMTS modem connection.
#
# REQUIREMENTS
# You must have IP forwarding enabled in the system.
# ADSL connection with a static IP
# wvdial must be installed and set up with a script that works for your service provider.
# A firewall like Arno's iptables firewall script or shorewall etc
#
# You can set this script in the system cron to check the connection at regular time intervals.
#
# METHODS USED IN THIS SCRIPT
# We have both eth1 and ppp0 as external interfaces in iptables, if both were functioning at the same time
# we would have load balancing (which could get expensive), but here we only need one active connection so
# all we need to do is to adjust the dynamic IP address of the dialup connection in the firewall when there
# is a problem in order to allow routing through the dialup device. Once the emergency is over we can
# cancel the dialup connection and the original routing will continue as usual with no need to adjust
# the firewall again. When a new failure happens then the new IP address is assigned to the second external
# interface (normally ppp0) and the firewall restarted to allow routing.
#
# PARAMETERS HERE
# The normal external interface (DSL or cable etc)
interface="eth1"
normal_ext_ip="XXX.XXX.XXX.XXX"

# Admin email address for failover notification
admin_email="admin@your-domain"

# The dialup device PCMCIA UMTS card or regular modem will normally be a ttyS0/1/2/3 etc
# But here you need the device that wvdial returns which is generally ppp0
dialup_if="ppp0"

# Full path and name of your firewall script; I use Arno's iptables firewall
firewall="/etc/arno-iptables-firewall/firewall.conf"
# The /etc/init.d/firewall-script that your system uses to restart the firewall
firestarter="/etc/init.d/arno-iptables-firewall"
# WARNING if you are not using Arno's firewall script you will need to edit the sed command parameters below
# eg. on line 111 of this script
# sed 's/\(search string just before substitution \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall
#
# The wvdial command for dialup (you must set this up previously)
# eg. this would be like "myserver:#/wvdial internet" on the command line
connection="internet"

# The following are the ip address of any reliable public server ie. google.com
# if all three servers fail then the dialup connection will be started.
# But beware of ping_server1, it must be the most reliable of the three because
# it is used in further tests on its own.
# Further, note it is important to use IP addresses and not domain names because if
# your system is totally isolated you will not be able to do name resolution.
ping_server1="64.233.167.99"
ping_server2="216.109.112.135"
ping_server3="66.45.254.244"

# Probe each server through the normal external interface only (temporary host
# route via the ADSL gateway), so a working dialup link cannot mask an ADSL failure.
route add $ping_server1 gw $normal_ext_ip
if (ping -w 5 -nq -I $interface $ping_server1 | grep '100%\ packet\ loss' >/dev/null 2>&1)
then
  SERVER1="DOWN"
else
  SERVER1="UP"
fi
route del $ping_server1

route add $ping_server2 gw $normal_ext_ip
if (ping -w 5 -nq -I $interface $ping_server2 | grep '100%\ packet\ loss' >/dev/null 2>&1)
then
  SERVER2="DOWN"
else
  SERVER2="UP"
fi
route del $ping_server2

route add $ping_server3 gw $normal_ext_ip
if (ping -w 5 -nq -I $interface $ping_server3 | grep '100%\ packet\ loss' >/dev/null 2>&1)
then
  SERVER3="DOWN"
else
  SERVER3="UP"
fi
route del $ping_server3

if [ "$SERVER1" = "DOWN" ] && [ "$SERVER2" = "DOWN" ] && [ "$SERVER3" = "DOWN" ]
then
  echo "WARNING! -- We have an internet connection problem. I will attempt to discover the situation and fix it."
  # Note: the original test was [[ "$interface"="eth1" ]]; without spaces around '='
  # that is a single non-empty word and always evaluated true.
  if [ "$interface" = "eth1" ]
  then
    echo .
    # Check to see if we have any connection at all (if not we dial)
    if (ping -w 5 -nq $ping_server1 | grep '100%\ packet\ loss' >/dev/null 2>&1)
    then
      # Check for existing wvdial processes that may be hung up
      # ('[w]vdial' keeps grep from matching its own command line)
      if (ps ax | grep '[w]vdial' >/dev/null)
      then
        echo "finishing any previous hung connection"
        killall wvdial
        sleep 15
      fi
      echo .
      echo "Dialing out ...."
      wvdial $connection &
      sleep 25
      if (ping -w 5 -nq -I $dialup_if $ping_server1 | grep -v '100%\ packet\ loss' >/dev/null 2>&1)
      then
        # Pick up the new IP for adjusting the firewall script.
        OUT_IP=`ifconfig | grep -A 2 $dialup_if | grep inet\ addr: | sed 's/.*inet\ addr\:\([0-9]*.[0-9]*.[0-9]*.[0-9]*\).*/\1/g'`
        echo .
        echo "New public IP address is <$OUT_IP> from UMTS/dialup device $dialup_if."
        echo .
        echo "Restarting the Firewall routing for new connection."
        echo .
        # Make sure the original firewall script is saved (here we datestamp it just in case)
        cp -p $firewall $firewall.`date +"%d%m%Y%H%M%S"`
        sed 's/\(NAT_STATIC_IP="$normal_ext_ip \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall >/tmp/firewall.conf
        mv /tmp/firewall.conf $firewall
        $firestarter restart
        # Get myself a copy of all this stuff for a remote firewall setup etc.
        echo "The ADSL connection has failed">/tmp/ifconfig_ppp0
        echo ".">>/tmp/ifconfig_ppp0
        echo "The new IP address is $OUT_IP">>/tmp/ifconfig_ppp0
        ifconfig $dialup_if>>/tmp/ifconfig_ppp0
        echo $OUT_IP>/tmp/FAILOVER_IP
        mail -s "FAILOVER IP $OUT_IP" $admin_email /tmp/FAILOVER_IP
        echo "The ADSL connection has failed">/tmp/ifconfig_ppp0
        echo ".">>/tmp/ifconfig_ppp0
        echo "The new IP address is $OUT_IP2">>/tmp/ifconfig_ppp0
        echo ".">>/tmp/ifconfig_ppp0
        ifconfig $dialup_if>>/tmp/ifconfig_ppp0
        mail -s "NEW FAILOVER IP $OUT_IP2" $admin_email &1>/dev/null
        echo "The ADSL connection is now working">/tmp/ifconfig
        echo ".">>/tmp/ifconfig
        echo "Use the original connection information to connect">>/tmp/ifconfig
        echo ".">>/tmp/ifconfig
        mail -s "FAILOVER STOPPED - ADSL OK" $admin_email

aif-2.1.2a/etc/arno-iptables-firewall/firewall.conf
DESTIP1{~port} \
#   {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
#
# IP form:
#   "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
#   {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
#
# TCP/UDP port forward examples:
#  Simple (forward port 80 to internal host 192.168.0.10):
#   NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
#  Advanced (forward port 20 & 21 to 192.168.0.10 and
#            forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
#   NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
#
# IP protocol forward example:
#  (forward protocols 47 & 48 to 192.168.0.10)
#   NAT_FORWARD_IP="47,48>192.168.0.10"
#
# NOTE 1: {~port} is optional. Use it to redirect a specific port to a
#         different port on the internal client.
# NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
#         (inet) IP addresses.
# (IPv4 Only)
# ------------------------------------------------------------------------------
NAT_FORWARD_TCP=""
NAT_FORWARD_UDP=""
NAT_FORWARD_IP=""

# TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
# from the gateway to an internal client. Note that you can also use these
# variables to forward ports to DMZ hosts.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1{~port} \
#   SRCIP3,...>DESTIP2{~port}"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
#   SRCIP3,...>DESTIP2~PROTO"
#
# TCP/UDP port forward examples:
#  Simple (IPv6 forward port 80 to internal host 2001:db8::2):
#   INET_FORWARD_TCP="::/0>2001:db8::2~80"
#  Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
#   INET_FORWARD_TCP="0/0>192.168.0.10~80"
#  Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
#   INET_FORWARD_UDP="2000::/3>2001:db8::/32"
#
# IP protocol forward example:
#  (forward protocol 58 (ICMPv6) to 2001:db8::2)
#   INET_FORWARD_IP="::/0>2001:db8::2~58"
#
# (IPv6 and non-NAT'ed IPv4 Only)
# ------------------------------------------------------------------------------
INET_FORWARD_TCP=""
INET_FORWARD_UDP=""
INET_FORWARD_IP=""

################################################################################
# General settings                                                             #
################################################################################

# Most people don't want to get any firewall logs being spit to the console.
# This option makes the kernel ring buffer only log messages with level
# "panic".
# ------------------------------------------------------------------------------
DMESG_PANIC_ONLY=1

# Enable this if you want TOS mangling (RFC)
# ------------------------------------------------------------------------------
MANGLE_TOS=0

# Enable this if you want to set the maximum packet size via the
# Maximum Segment Size(through MSS field)
# ------------------------------------------------------------------------------
SET_MSS=1

# Enable this if you want to increase the TTL value by one in the prerouting
# chain. This hides the firewall when performing eg. traceroutes to internal
# hosts. (IPv4 only!)
# ------------------------------------------------------------------------------
TTL_INC=0

# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
# support. Don't mess with this unless you really know what you are doing!
# (IPv4 only!)
# ------------------------------------------------------------------------------
#PACKET_TTL="64"

# (EXPERT SETTING!) Enable this if you want our internal DNS functions to fail
# "fast". This means a query will be tried only once and times out after 1
# second, the default is 3 tries and a 5 second timeout.
# Note: The command 'dig' is preferred, 'nslookup' will be used if 'dig' is not
#       available, though the BusyBox 'nslookup' is not supported with this option
# ------------------------------------------------------------------------------
DNS_FAST_FAIL=0

# (EXPERT SETTING!) This option sets the maximum allowed age of (previously)
# resolved host names. Defaults to 10 minutes
# ------------------------------------------------------------------------------
DNS_MAX_AGE=10

# (EXPERT SETTING!) This value defines the threshold for the number of
# allowed successive cache fallbacks on DNS failures
# ------------------------------------------------------------------------------
DNS_FAIL_THRESHOLD=4

# Enable this to support the IRC-protocol
# ------------------------------------------------------------------------------
USE_IRC=0

# (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
# Enable it to allow the use of protocols like UPnP. Note that it *could* be
# less secure
# ------------------------------------------------------------------------------
LOOSE_FORWARD=0

# (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
# forwarded between interfaces. (IPv6 Only)
# ------------------------------------------------------------------------------
FORWARD_LINK_LOCAL=0

# (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
# Routing Header Type 0. Enabled by default. (IPv6 Only)
# ------------------------------------------------------------------------------
IPV6_DROP_RH_ZERO=1

# (EXPERT SETTING!) Enable this if you want to drop packets originating from a
# private address.
# Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
# ------------------------------------------------------------------------------
RESERVED_NET_DROP=0

# (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
# ------------------------------------------------------------------------------
DRDOS_PROTECT=0

# Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
# Disable (0) if you want to enable only IPv4 traffic support
# ------------------------------------------------------------------------------
IPV6_SUPPORT=0

# This option fixes problems with SMB broadcasts when using nmblookup
# ------------------------------------------------------------------------------
NMB_BROADCAST_FIX=0

# Set this to 0 to suppress "assuming module is compiled in kernel" messages
# ------------------------------------------------------------------------------
COMPILED_IN_KERNEL_MESSAGES=1

# (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
# chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
# when there are no rule(s) available (yet), the packet will be DROPPED. In
# practice this rule only does something while the firewall is starting. Once
# it's started and all rules are in place, the default policy doesn't do
# anything anymore. People that use eg. NFS and let their clients boot from NFS
# (diskless client systems) probably want to disable this option to fix
# "NFS server not responding" etc. errors on their clients.
# ------------------------------------------------------------------------------
DEFAULT_POLICY_DROP=1

# (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
# traffic should be ACCEPTED. (multiple(!) interfaces should be space
# separated). Be warned that anything TO and FROM these interfaces is allowed
# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
# (internet)! And of course putting one of your external interfaces here would
# be extremely stupid.
# ------------------------------------------------------------------------------
TRUSTED_IF=""

# (EXPERT SETTING!) Put here the interfaces that should trust each other
# (accept forward traffic). Use this to e.g. create trusts between multiple
# internal interfaces/subnets. You can use | (piping-sign) to create
# separate trust groups. And of course putting one of your external
# interfaces here would be extremely stupid.
# ------------------------------------------------------------------------------
IF_TRUSTS=""

# Location of the custom iptables rules file (if any).
# ------------------------------------------------------------------------------
CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"

# Location of the local (user/global) configuration file, if used
# ------------------------------------------------------------------------------
LOCAL_CONFIG_FILE=""

# Location of the local directory, if defined, whose *.conf file(s) are
# sourced for configuration variables.
# Note: An undefined LOCAL_CONFIG_DIR variable defaults to the default below.
# ------------------------------------------------------------------------------
LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"

# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0

# (EXPERT SETTING!) Set tunable options when IPTABLES_IPSET is enabled.
# Adjust the default values if there are more than 100,000 block hosts.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET_HASHSIZE=2048
#IPTABLES_IPSET_MAXELEM=131072

# (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
# iptables-restore to add rules in batch rather than one-by-one. Much slower
# when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilize this feature.
# Note: This option is ignored when IPTABLES_IPSET is enabled.
# ------------------------------------------------------------------------------
DISABLE_IPTABLES_BATCH=0

################################################################################
# Logging options - All logging is rate limited to prevent log flooding        #
################################################################################

# Enable logging for explicitly blocked hosts.
# Log Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound
# ------------------------------------------------------------------------------
BLOCKED_HOST_LOG=1

# Enable logging for various stealth scans (reliable).
# ------------------------------------------------------------------------------
SCAN_LOG=1

# Enable logging for possible stealth scans (less reliable).
# ------------------------------------------------------------------------------
POSSIBLE_SCAN_LOG=1

# Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_TCP_LOG=0

# Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
# INVALID packets being logged because of lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_UDP_LOG=0

# Enable logging of invalid ICMP packets. Keep disabled (0) to reduce
# INVALID packets being logged caused by lost (legitimate) connections. When
# debugging any problems, you should enable it (temporarily)!
# ------------------------------------------------------------------------------
INVALID_ICMP_LOG=0

# Enable (1) logging of source IPs with reserved or private addresses.
# ------------------------------------------------------------------------------
RESERVED_NET_LOG=0

# Enable dropping (& logging) of IPv4 fragmented packets. Normally fragmented
# packets are automatically defragmented by the kernel.
# ------------------------------------------------------------------------------
FRAG_DROP=0

# Enable logging of denied local (OUTPUT) connections.
# ------------------------------------------------------------------------------
INET_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN output (FORWARD) connections.
# ------------------------------------------------------------------------------
LAN_OUTPUT_DENY_LOG=1

# Enable logging of denied LAN INPUT connections.
# ------------------------------------------------------------------------------
LAN_INPUT_DENY_LOG=1

# Enable logging of denied DMZ output (FORWARD) connections.
# ------------------------------------------------------------------------------
DMZ_OUTPUT_DENY_LOG=1

# Enable logging of denied DMZ input (FORWARD) connections.
# ------------------------------------------------------------------------------
DMZ_INPUT_DENY_LOG=1

# Enable logging of dropped FORWARD packets.
# ------------------------------------------------------------------------------
FORWARD_DROP_LOG=1

# Enable logging of dropped IPv6 Link-Local forwarded packets.
# Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
# ------------------------------------------------------------------------------
LINK_LOCAL_DROP_LOG=1

# Enable logging of dropped ICMP-request packets (ping).
# ------------------------------------------------------------------------------
ICMP_REQUEST_LOG=1

# Enable logging of dropped "other" ICMP packets.
# ------------------------------------------------------------------------------
ICMP_OTHER_LOG=1

# Enable logging of normal connection attempts to privileged TCP ports.
# ------------------------------------------------------------------------------
PRIV_TCP_LOG=1

# Enable logging of normal connection attempts to privileged UDP ports.
# ------------------------------------------------------------------------------
PRIV_UDP_LOG=1

# Enable logging of normal connection attempts to unprivileged TCP ports.
# ------------------------------------------------------------------------------
UNPRIV_TCP_LOG=1

# Enable logging of normal connection attempts to unprivileged UDP ports.
# ------------------------------------------------------------------------------
UNPRIV_UDP_LOG=1

# Enable logging of IPv4 IGMP packets
# ------------------------------------------------------------------------------
IGMP_LOG=1

# Enable logging of normal connection attempts to "other-IP"-protocols (non
# TCP/UDP/ICMP/IGMP).
# ------------------------------------------------------------------------------
OTHER_IP_LOG=1

# Enable logging for ICMP flooding.
# ------------------------------------------------------------------------------
ICMP_FLOOD_LOG=1

# (EXPERT SETTING!) Log-level used for logging to syslog. The default is "info"
# but "debug" can be used to have (legacy) syslogd log to
# /var/log/arno-iptables-firewall. Note that this also requires you to
# modify your syslogd.conf (see examples on how to). Most (if not all) newer
# distributions use rsyslogd which works much better out of the box, so in most
# cases you should leave this setting as is (="info").
# ------------------------------------------------------------------------------
LOGLEVEL="info"

# Put in the following variables which hosts you want to log certain incoming
# connection attempts for.
# TCP/UDP port format (LOG_HOST_INPUT_xxx):
#   "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_INPUT_IP):
#   "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LOG_HOST_INPUT_TCP=""
LOG_HOST_INPUT_UDP=""
LOG_HOST_INPUT_IP=""

# Put in the following variables which hosts you want to log certain outgoing
# connection attempts for.
# TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
#   "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LOG_HOST_OUTPUT_IP):
#   "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LOG_HOST_OUTPUT_TCP=""
LOG_HOST_OUTPUT_UDP=""
LOG_HOST_OUTPUT_IP=""

# Put in the following variables which services you want to log incoming
# connection attempts for.
# ------------------------------------------------------------------------------
LOG_INPUT_TCP=""
LOG_INPUT_UDP=""
LOG_INPUT_IP=""

# Put in the following variables which services you want to log outgoing
# connection attempts for.
# ------------------------------------------------------------------------------
LOG_OUTPUT_TCP=""
LOG_OUTPUT_UDP=""
LOG_OUTPUT_IP=""

# Put in the following variable which hosts you want to log incoming connection
# (attempts) for.
# ------------------------------------------------------------------------------
LOG_HOST_INPUT=""

# Put in the following variable which hosts you want to log outgoing connection
# (attempts) to.
# ------------------------------------------------------------------------------
LOG_HOST_OUTPUT=""

################################################################################
# sysctl based settings (EXPERT SETTINGS!)                                     #
################################################################################

# Enable for synflood protection (through /proc/.../tcp_syncookies).
# ------------------------------------------------------------------------------
SYN_PROT=1

# Enable this to reduce the ability of others DoS'ing your machine.
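A way to check the kernel side of the sysctl-based settings in this section (SYN_PROT, ECHO_IGNORE, LOG_MARTIANS, IP_FORWARDING, ICMP_REDIRECT, CONNTRACK, ECN, RP_FILTER, SOURCE_ROUTE_PROTECTION, LOCAL_PORT_RANGE, DEFAULT_TTL, NO_PMTU_DISCOVERY and TCP_BE_LIBERAL), as an added example that is not part of arno-iptables-firewall. The pairing of each setting with a kernel key is my reading of the descriptions (the firewall may write per-interface keys such as net.ipv4.conf.<if>.rp_filter instead of the conf.all ones used here, and REDUCE_DOS_ABILITY is left out because the page does not say which keys it touches); the defaults are the values shown on this page. audit_sysctl reads the live values below /proc/sys, or below any directory you pass, and reports every key whose value differs from the configured intent.

```shell
#!/bin/sh
# Added example (not the firewall's own code): derive the kernel keys behind the
# sysctl-based settings of firewall.conf and audit a system against them.
# ASSUMPTION: the setting->key pairing below is this example's reading of the
# descriptions; the firewall itself may use per-interface keys instead.

# Print one "key value" line per setting, using the page's defaults for any
# variable that is unset (source firewall.conf first to use real values).
desired_sysctl() {
  : "${SYN_PROT:=1}" "${ECHO_IGNORE:=0}" "${LOG_MARTIANS:=0}" "${IP_FORWARDING:=1}"
  : "${ICMP_REDIRECT:=0}" "${CONNTRACK:=16384}" "${ECN:=0}" "${RP_FILTER:=1}"
  : "${SOURCE_ROUTE_PROTECTION:=1}" "${LOCAL_PORT_RANGE:=32768 60999}"
  : "${DEFAULT_TTL:=64}" "${NO_PMTU_DISCOVERY:=0}" "${TCP_BE_LIBERAL:=0}"
  printf '%s %s\n' \
    net.ipv4.tcp_syncookies "$SYN_PROT" \
    net.ipv4.icmp_echo_ignore_all "$ECHO_IGNORE" \
    net.ipv4.conf.all.log_martians "$LOG_MARTIANS" \
    net.ipv4.ip_forward "$IP_FORWARDING" \
    net.ipv4.conf.all.accept_redirects "$ICMP_REDIRECT" \
    net.netfilter.nf_conntrack_max "$CONNTRACK" \
    net.ipv4.tcp_ecn "$ECN" \
    net.ipv4.conf.all.rp_filter "$RP_FILTER" \
    net.ipv4.conf.all.accept_source_route "$((1 - SOURCE_ROUTE_PROTECTION))" \
    net.ipv4.ip_local_port_range "$LOCAL_PORT_RANGE" \
    net.ipv4.ip_default_ttl "$DEFAULT_TTL" \
    net.ipv4.ip_no_pmtu_disc "$NO_PMTU_DISCOVERY" \
    net.netfilter.nf_conntrack_tcp_be_liberal "$TCP_BE_LIBERAL"
}

# Compare the desired values with the files below $1 (default /proc/sys).
# Prints "MISMATCH ..." / "MISSING ..." lines; returns 1 if anything was found.
audit_sysctl() {
  root="${1:-/proc/sys}"
  findings=$(desired_sysctl | while read -r key want; do
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -r "$path" ]; then
      printf 'MISSING %s\n' "$key"
      continue
    fi
    # The kernel prints multi-value keys tab-separated (ip_local_port_range);
    # the command substitution drops the trailing newline for us.
    have=$(tr '\t' ' ' < "$path")
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %s desired=%s actual=%s\n' "$key" "$want" "$have"
    fi
  done)
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Run "sh this_script.sh --audit" to audit the live kernel.
if [ "${1:-}" = "--audit" ]; then
  audit_sysctl
fi
```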
# ------------------------------------------------------------------------------
REDUCE_DOS_ABILITY=1

# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
# ------------------------------------------------------------------------------
ECHO_IGNORE=0

# Enable to log packets with impossible addresses to the kernel log.
# ------------------------------------------------------------------------------
LOG_MARTIANS=0

# Only disable this if you're NOT using forwarding (required for NAT etc.) for
# increased security.
# Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
# ------------------------------------------------------------------------------
IP_FORWARDING=1

# (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
# you do not use autoconf to obtain your IPv6 address.
# Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
# ------------------------------------------------------------------------------
IPV6_AUTO_CONFIGURATION=1

# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
# case of a router.
# ------------------------------------------------------------------------------
ICMP_REDIRECT=0

# Enable/modify this if you want to be able to handle a larger (or smaller)
# number of simultaneous connections. For high traffic machines I recommend
# using a value of at least 16384 (note that a higher value (obviously) also
# uses more memory).
# ------------------------------------------------------------------------------
CONNTRACK=16384

# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
# as some routers are still not compatible with this.
# ------------------------------------------------------------------------------
ECN=0

# Reverse path filter setting. Kernel setting to drop connections from
# non-routable IPs, eg. to prevent source routing. By default the firewall
# itself also provides rules against source routing.
# Options: 0 = Disable, 1 = Strict filter, 2 = Loose filter
# When using eg. VPNs, you should probably use 0 (disable) or 2 (loose)
# ------------------------------------------------------------------------------
RP_FILTER=1

# Protect against source routed packets. Attackers can use source routing to
# generate traffic pretending to be from inside your network, but which is
# routed back along the path from which it came, namely outside, so attackers
# can compromise your network. Source routing is rarely used for legitimate
# purposes, so normally you should always leave this enabled(1)!
# ------------------------------------------------------------------------------
SOURCE_ROUTE_PROTECTION=1

# Here we set the local port range (ports from which connections are
# initiated from our site). Don't mess with this unless you really know what
# you are doing!
# ------------------------------------------------------------------------------
LOCAL_PORT_RANGE="32768 60999"

# Here you can change the default TTL used for sending packets. The value
# should be between 10 and 255. Don't mess with this unless you really know
# what you are doing!
# ------------------------------------------------------------------------------
DEFAULT_TTL=64

# In most cases pmtu discovery is ok, but in some rare cases (when having
# problems) you might want to disable it.
# ------------------------------------------------------------------------------
NO_PMTU_DISCOVERY=0

# With eg. open iscsi some systems may have problems under heavy load. Enable
# tcp_be_liberal to work around this
# ------------------------------------------------------------------------------
TCP_BE_LIBERAL=0

################################################################################
# Firewall policies for the LAN (EXPERT SETTINGS!)                             #
################################################################################

################################################################################
# LAN_xxx = LAN->localhost(this machine) input access rules                    #
#                                                                              #
# Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the       #
# default policy for this chain is accept (unless denied through               #
# LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)!                                      #
################################################################################

# Disable this (set to "") to automatically set default policy as above.
# When set to "1" the LAN->localhost default policy will always be DROP
# When set to "0" the LAN->localhost default policy will always be ACCEPT
# ------------------------------------------------------------------------------
LAN_DEFAULT_POLICY_DROP=""

# Enable this to allow for ICMP-requests(ping) from your LAN
# ------------------------------------------------------------------------------
LAN_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP protocols TO
# (remote end-point) which the LAN hosts are permitted to connect to.
# ------------------------------------------------------------------------------
LAN_OPEN_TCP=""
LAN_OPEN_UDP=""
LAN_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which LAN hosts are NOT permitted to connect to.
# ------------------------------------------------------------------------------
LAN_DENY_TCP=""
LAN_DENY_UDP=""
LAN_DENY_IP=""

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which certain LAN hosts are
# permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_OPEN_TCP & LAN_HOST_OPEN_UDP):
#   "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_OPEN_IP):
#   "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LAN_HOST_OPEN_TCP=""
LAN_HOST_OPEN_UDP=""
LAN_HOST_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which certain LAN hosts are NOT permitted to connect to.
#
# TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
#   "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (LAN_HOST_DENY_IP):
#   "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
LAN_HOST_DENY_TCP=""
LAN_HOST_DENY_UDP=""
LAN_HOST_DENY_IP=""

################################################################################
# LAN_LAN_xxx = LAN->LAN access rules (forward)                                #
################################################################################

# Enable this to allow ICMP(ping) for LAN->LAN
# ------------------------------------------------------------------------------
LAN_LAN_OPEN_ICMP=0

# Put in the following variables which LAN hosts you want to allow to certain
# hosts/services on a different LAN (net).
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)):
#     LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
#   Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts
#   (0/0) and allow port 80 from LAN host 5.6.7.8 (only) to LAN host
#   1.2.3.4):
#     LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts
#   (0/0)):
#     LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
LAN_LAN_HOST_OPEN_TCP=""
LAN_LAN_HOST_OPEN_UDP=""
LAN_LAN_HOST_OPEN_IP=""

################################################################################
# LAN_INET_xxx = LAN->internet access rules (forward)                          #
#                                                                              #
# Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are  #
# NOT used, the default policy will be accept for LAN->INET (unless denied     #
# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!                    #
################################################################################

# Disable this (set to "") to automatically set default policy as above.
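The two specification formats used throughout this file, as an added example that is not the firewall's own parser: the "host1,host2~port1,port2 ..." form of the LOG_HOST_xxx and LAN_HOST_OPEN_xxx variables above, and the "SRCIP>DESTIP~port" forward form of LAN_LAN_HOST_OPEN_xxx (the INET and DMZ sections that follow use the same two forms). The expander prints the iptables match each entry would become instead of loading it, so a spec can be reviewed before it is enabled. Using multiport for comma lists, writing "any source" as -s 0/0, and treating an entry without '>' as destination-only are this example's choices and not necessarily what the firewall generates; the sample spec at the bottom is constructed from the "Advanced" example above.

```shell
#!/bin/sh
# Added example (not the firewall's own code): expand the "host~ports" and
# "SRC>DEST~ports" specification formats of firewall.conf into the iptables
# matches they describe, printed as a dry run. The rule shape (multiport for
# comma lists, '-s 0/0' for "any source") is this example's choice.

# L4 match for a port spec: empty = any port, comma list = multiport, else --dport
port_match() {  # $1 = tcp|udp, $2 = port spec
  case "$2" in
    '')  printf '%s' "-p $1" ;;
    *,*) printf '%s' "-p $1 -m multiport --dports $2" ;;
    *)   printf '%s' "-p $1 --dport $2" ;;
  esac
}

# Print one rule line per match for a single source/destination pair.
emit_rules() {  # $1 = src, $2 = dest ("" = any), $3 = tcp|udp|ip, $4 = ports/protos, $5 = target
  match="-s $1"
  if [ -n "$2" ]; then match="$match -d $2"; fi
  if [ "$3" = ip ]; then
    if [ -z "$4" ]; then
      printf '%s\n' "$match -j $5"          # no protocol given: all IP traffic
      return 0
    fi
    for proto in $(printf '%s' "$4" | tr , ' '); do
      printf '%s\n' "$match -p $proto -j $5"   # one rule per IP protocol number
    done
  else
    printf '%s\n' "$match $(port_match "$3" "$4") -j $5"
  fi
}

# "host1,host2~port1,port2 host3~port3 ..." (LOG_HOST_xxx, LAN_HOST_OPEN_xxx, HOST_OPEN_xxx)
expand_host_rules() {  # $1 = tcp|udp|ip, $2 = spec, $3 = target
  for entry in $2; do
    case "$entry" in
      *~*) hosts=${entry%%~*}; items=${entry#*~} ;;
      *)   hosts=$entry; items="" ;;          # no '~': any port/protocol
    esac
    for host in $(printf '%s' "$hosts" | tr , ' '); do
      emit_rules "$host" "" "$1" "$items" "$3"
    done
  done
}

# "SRC1,SRC2>DEST~port SRC3>DEST2~port" (LAN_LAN_HOST_OPEN_xxx and the INET/DMZ variants)
# NOTE 1 on the page: no SRCIP means any source; NOTE 2: no port means any port.
expand_fwd_rules() {  # $1 = tcp|udp|ip, $2 = spec, $3 = target
  for entry in $2; do
    case "$entry" in
      *'>'*) srcs=${entry%%">"*}; rest=${entry#*">"} ;;
      *)     srcs=""; rest=$entry ;;          # no '>': destination only (this example's reading)
    esac
    case "$rest" in
      *~*) dest=${rest%%~*}; items=${rest#*~} ;;
      *)   dest=$rest; items="" ;;
    esac
    if [ -z "$srcs" ]; then srcs="0/0"; fi
    for src in $(printf '%s' "$srcs" | tr , ' '); do
      emit_rules "$src" "$dest" "$1" "$items" "$3"
    done
  done
}

# Constructed sample spec, mirroring the "Advanced" LAN_LAN_HOST_OPEN_xxx example.
SAMPLE_LAN_LAN_HOST_OPEN_TCP="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
expand_fwd_rules tcp "$SAMPLE_LAN_LAN_HOST_OPEN_TCP" ACCEPT
```

Running it prints two lines, one for the 0/0 multiport entry and one for the single-host port 80 entry; feeding a misspelled spec (a ':' instead of '~', a missing '>') shows immediately which rule it would silently turn into.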
# When set to "1" the LAN->INET default policy will always be DROP
# When set to "0" the LAN->INET default policy will always be ACCEPT
# ------------------------------------------------------------------------------
LAN_INET_DEFAULT_POLICY_DROP=""

# Enable this to allow for ICMP-requests(ping) for LAN->INET
# ------------------------------------------------------------------------------
LAN_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the LAN hosts are
# permitted to connect to via the external (internet) interface.
# ------------------------------------------------------------------------------
LAN_INET_OPEN_TCP=""
LAN_INET_OPEN_UDP=""
LAN_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the LAN hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# ------------------------------------------------------------------------------
LAN_INET_DENY_TCP=""
LAN_INET_DENY_UDP=""
LAN_INET_DENY_IP=""

# Put in the following variables which LAN hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple:
#   (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#     LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
#   Advanced:
#   (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
#   allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
#     LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
#     LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
LAN_INET_HOST_OPEN_TCP=""
LAN_INET_HOST_OPEN_UDP=""
LAN_INET_HOST_OPEN_IP=""

# Put in the following variables which LAN hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#     LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
#   Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
#   deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
#     LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
#
# IP protocol example:
#   (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
#     LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
LAN_INET_HOST_DENY_TCP=""
LAN_INET_HOST_DENY_UDP=""
LAN_INET_HOST_DENY_IP=""

################################################################################
# Firewall policies for the DMZ (EXPERT SETTINGS!)                             #
################################################################################

################################################################################
# DMZ_xxx = DMZ->localhost(this machine) input access rules                    #
################################################################################

# Enable this to allow ICMP-requests(ping) from the DMZ
# ------------------------------------------------------------------------------
DMZ_OPEN_ICMP=1

# Put in the following variables which DMZ hosts are permitted to connect to
# certain TCP/UDP ports, IP protocols or ICMP. By default all (local)
# services are blocked for DMZ hosts.
# ------------------------------------------------------------------------------
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to allow for certain
# services. By default all (local) services are blocked for DMZ hosts.
# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
#   "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (DMZ_HOST_OPEN_IP):
#   "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
# ------------------------------------------------------------------------------
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""

################################################################################
# INET_DMZ_xxx = Internet->DMZ access rules (forward)                          #
#                                                                              #
# Note: As of Version 2.0.0 the default policy has changed to DROP             #
#       Previous to Version 2.0.0 the default policy was ACCEPT                #
################################################################################

# Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
# ------------------------------------------------------------------------------
INET_DMZ_OPEN_ICMP=0

# Put in the following variables which INET hosts are permitted to connect to
# certain TCP/UDP ports or IP protocols in the DMZ.
# ------------------------------------------------------------------------------
INET_DMZ_OPEN_TCP=""
INET_DMZ_OPEN_UDP=""
INET_DMZ_OPEN_IP=""

# Put in the following variables which INET hosts are NOT permitted to connect
# to certain TCP/UDP ports or IP protocols in the DMZ.
# ------------------------------------------------------------------------------
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""

# Put in the following variables which INET hosts you want to allow to certain
# hosts/services on the DMZ net. By default all services are dropped.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
#     INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
#   Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
#   allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
#     INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
#     INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""

# Put in the following variables which INET hosts you want to deny to certain
# hosts/services on the DMZ net.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
#     INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
#   Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
#   deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
#     INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
#     INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""

################################################################################
# DMZ_INET_xxx = DMZ->internet access rules (forward)                          #
#                                                                              #
# Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are  #
# NOT used, the default policy will be accept for DMZ->INET (unless denied     #
# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)!                    #
################################################################################

# Disable this (set to "") to automatically set default policy as above.
# When set to "1" the DMZ->INET default policy will always be DROP
# When set to "0" the DMZ->INET default policy will always be ACCEPT
# ------------------------------------------------------------------------------
DMZ_INET_DEFAULT_POLICY_DROP=""

# Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
# ------------------------------------------------------------------------------
DMZ_INET_OPEN_ICMP=1

# Put in the following variables the TCP/UDP ports or IP
# protocols TO (remote end-point) which the DMZ hosts are
# permitted to connect to via the external (internet) interface.
# ------------------------------------------------------------------------------
DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""

# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
# end-point) which the DMZ hosts are NOT permitted to connect to
# via the external (internet) interface. Examples of usage are for blocking
# IRC (TCP 6666:6669) for the internal network.
# ------------------------------------------------------------------------------
DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""

# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the internet. By default all services are allowed.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#     DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
#   Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
#   allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
#     DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
#     DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""

# Put in the following variables which DMZ hosts you want to deny to certain
# hosts/services on the internet.
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#     DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
#   Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
#   deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
#     DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
#     DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""

################################################################################
# DMZ_LAN_xxx = DMZ->LAN access rules (forward)                                #
################################################################################

# Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
# ------------------------------------------------------------------------------
DMZ_LAN_OPEN_ICMP=0

# Put in the following variables which DMZ hosts you want to allow to certain
# hosts/services on the LAN (net).
#
# TCP/UDP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~port \
#    SRCIP3,...>DESTIP2~port"
#
# IP form:
#   "SRCIP1,SRCIP2,...>DESTIP1~protocol \
#    SRCIP3,...>DESTIP2~protocol"
#
# TCP/UDP examples:
#   Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
#     DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
#   Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
#   allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
#   1.2.3.4):
#     DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
#
# IP protocol example:
#   (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
#     DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
#
# NOTE 1: If no SRCIPx is specified, any source host is used
# NOTE 2: If no port is specified, any port is used
# ------------------------------------------------------------------------------
DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""

################################################################################
# Firewall policies for the external (inet) interface (default policy = drop)  #
################################################################################

# Put in the following variable which hosts (subnets) you want to have full
# access via your internet (EXT_IF) connection(!). This is especially meant for
# networks/servers which use eg. NIS/NFS.
# NOTE: Don't mistake this variable with the one used for internal nets.
# ------------------------------------------------------------------------------
FULL_ACCESS_HOSTS=""

################################################################################
# INET_OUTPUT_xxx = THIS machine->internet output rules                        #
#                                                                              #
# Note that when the INET_OUTPUT_OPEN_xxx & INET_OUTPUT_HOST_OPEN_xxx          #
# variables are NOT used, the default policy will be accept (unless denied     #
# through INET_OUTPUT_DENY_xxx and/or INET_OUTPUT_HOST_DENY_xxx)!              #
# ################################################################################ # Disable this (set to "") to automatically set default policy as above. # When set to "1" the (INET) output default policy will always be DROP # When set to "0" the (INET) output default policy will always be ACCEPT # ------------------------------------------------------------------------------ INET_OUTPUT_DEFAULT_POLICY_DROP="" # Enable this to allow THIS machine to send ICMP-requests(ping) to internet hosts # ------------------------------------------------------------------------------ INET_OUTPUT_OPEN_ICMP=1 # Put in the following variables to which internet ports THIS machine is # allowed to connect to. # ------------------------------------------------------------------------------ INET_OUTPUT_OPEN_TCP="" INET_OUTPUT_OPEN_UDP="" INET_OUTPUT_OPEN_IP="" # Put in the following variables to which internet ports THIS machine is # denied to connect to. For example for blocking IRC (tcp 6666:6669). # ------------------------------------------------------------------------------ INET_OUTPUT_DENY_TCP="" INET_OUTPUT_DENY_UDP="" INET_OUTPUT_DENY_IP="" # Put in the following variables to which internet hosts/ports THIS machine is # allowed to connect to. # TCP/UDP port format (INET_OUTPUT_HOST_OPEN_TCP & INET_OUTPUT_HOST_OPEN_UDP): # "host1,host2~port1,port2 host3,host4~port3,port4 ..." # # IP protocol format (INET_OUTPUT_HOST_OPEN_IP): # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..." # ------------------------------------------------------------------------------ INET_OUTPUT_HOST_OPEN_TCP="" INET_OUTPUT_HOST_OPEN_UDP="" INET_OUTPUT_HOST_OPEN_IP="" # Put in the following variables to which internet hosts/ports THIS machine is # denied to connect to. # TCP/UDP port format (INET_OUTPUT_HOST_DENY_TCP & INET_OUTPUT_HOST_DENY_UDP): # "host1,host2~port1,port2 host3,host4~port3,port4 ..." 
# # IP protocol format (INET_OUTPUT_HOST_DENY_IP): # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..." # ------------------------------------------------------------------------------ INET_OUTPUT_HOST_DENY_TCP="" INET_OUTPUT_HOST_DENY_UDP="" INET_OUTPUT_HOST_DENY_IP="" # This enables(1)/disables(0) IPv4 ICMP (ping) for the external net(s) # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted. # ------------------------------------------------------------------------------ OPEN_ICMP=0 # This enables(1)/disables(0) IPv6 ICMPv6 for the external net(s) # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted. # ------------------------------------------------------------------------------ OPEN_ICMPV6=1 # Enable (1) to make the default policy allow IPv6 ICMPv6 # Multicast Listener Discovery (RFC 2710, 3810) for INET access # Note: Requires setting OPEN_ICMPV6=1 to apply. # ------------------------------------------------------------------------------ OPEN_ICMPV6_MLD=0 # Put in the following variables which ports or IP protocols you want to leave # open to the whole world. These variables are normally used when opening ports # for eg. webservers (TCP port 80) etc. # ------------------------------------------------------------------------------ OPEN_TCP="" OPEN_UDP="" OPEN_IP="" # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for # everyone (and logged). Also use these variables if you want to log connection # attempts to these ports from everyone (also trusted/full access hosts). # In principle you don't need these variables, as everything is already blocked # (denied) by default, but just exists for consistency. # ------------------------------------------------------------------------------ DENY_TCP="" DENY_UDP="" # Put in the following variables which ports you want to DENY(DROP) for # everyone but NOT logged. 
# This is very useful if you have constant probes on the same port(s) over and
# over again (code red worm) and don't want your logs flooded with it.
# ------------------------------------------------------------------------------
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone (and logged).
# ------------------------------------------------------------------------------
REJECT_TCP=""
REJECT_UDP=""

# Put in the following variables the TCP/UDP ports you want to REJECT (instead
# of DROP) for everyone but NOT logged.
# ------------------------------------------------------------------------------
REJECT_TCP_NOLOG=""
REJECT_UDP_NOLOG=""

# Put in the following variables which hosts you want to allow for certain
# services.
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_OPEN_ICMP):
# "host1 host2 ...."
# ------------------------------------------------------------------------------
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services (and logged).
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP):
# "host1 host2 ...."
# ------------------------------------------------------------------------------
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (HOST_DENY_IP_NOLOG):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
# "host1 host2 ...."
# ------------------------------------------------------------------------------
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
HOST_DENY_ICMP_NOLOG=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain TCP/UDP ports.
# TCP/UDP port format (HOST_REJECT_xxx):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# ------------------------------------------------------------------------------
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

# Put in the following variables which hosts you want to REJECT (instead of
# DROP) for certain services but NOT logged.
# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
# ------------------------------------------------------------------------------
HOST_REJECT_TCP_NOLOG=""
HOST_REJECT_UDP_NOLOG=""

# Put in the following variables which TCP/UDP ports you don't want to see
# broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that to
# make this work properly you also need to set "EXTERNAL_NET"!
# ------------------------------------------------------------------------------
BROADCAST_TCP_NOLOG=""
#BROADCAST_UDP_NOLOG="67 68"

# Put in the following variable which hosts you want to block (blackhole,
# dropping every packet from the host).
# ------------------------------------------------------------------------------
BLOCK_HOSTS=""

# Blocked hosts are by default blocked in both inbound and outbound directions.
# If only inbound blocking is desired, set to 0 to disable bidirectional
# blocking.
# ------------------------------------------------------------------------------
BLOCK_HOSTS_BIDIRECTIONAL=1

# (EXPERT SETTING!) When using *.netset files, a default whitelist ipset for
# IPv4 (and IPv6) is created to ensure blocklist files do not inadvertently
# block normal local traffic. When undefined these variables default to include
# all Private (RFC1918), Link-Local and Multicast IP/Nets to be whitelisted.
# Define a space separated list of IPv4 (and IPv6) IP/Nets for custom defaults.
#
# Note: This option depends on BLOCK_NETSET_DIR being defined.
# ------------------------------------------------------------------------------
DEFAULT_NETSET_WHITELIST=""
DEFAULT_NETSET_WHITELISTV6=""

# Uncomment & specify here the location of the file that contains a list of
# hosts (IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# must be terminated by a newline (press enter after it)!
# ------------------------------------------------------------------------------
#BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"

# Uncomment & specify here the location of the directory that contains *.netset
# files containing IP addresses and/or networks (CIDR notation) to be BLOCKED.
# Each .netset file may contain only one IP/Net entry per line, each IP/Net
# entry must start at the beginning of the line and any valid entry must be
# immediately followed by a new-line or a POSIX [[:space:]] character.
# File contents not matching an IP/Net will be ignored.
#
# File naming convention: use *v6.netset files for IPv6 entries, all other
# *.netset files default to IPv4. Filenames are limited to a maximum of
# 27 characters before the .netset suffix.
# Optional whitelist.netset and whitelistv6.netset files may contain IP/Net
# entries that will NOT be BLOCKED by other *.netset files. By default, all
# Private (RFC1918), Link-Local and Multicast IP/Nets are whitelisted
# automatically.
# See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
#
# Note: This option depends on IPTABLES_IPSET being enabled.
# ------------------------------------------------------------------------------
#BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/adaptive-ban.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Adaptive Ban plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Log file from which failed access attempts are derived
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_FILE="/var/log/messages"

# The time in minutes between each iteration of analyzing the log file
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TIME=2

# The number of logged failures needed to ban a host
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_COUNT=6

# A list of analysis types that are applied
# Choose from: sshd asterisk lighttpd mini_httpd pptpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="sshd asterisk"

# By default, inbound packets from banned IP addresses will be silently DROP'ed
# As an option, the packets can be REJECT'ed instead of being DROP'ed
# Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be returned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_REJECT=0

# By default, INTERNAL (LAN) networks will be whitelisted against banning
# As an option, this automatic whitelisting can be disabled
# Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL
# whitelisting
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST_INTERNAL=1

# Whitelist Hosts
# A list of IP addresses whose traffic will never be banned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST=""


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/dmz-dnat.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - DMZ-host port forwarding plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# The host which receives traffic by default
# Note: Such a "DMZ host" is directly exposed to the internet; harden it
# accordingly and do not point this at a host that also holds LAN credentials.
# ------------------------------------------------------------------------------
DMZ_IP=""


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/dsl-ppp-modem.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - (A)DSL PPP Modem plugin =-
# ------------------------------------------------------------------------------

###############################################################################
# (ADSL) Modem settings                                                       #
#                                                                             #
# The MODEM_xxx options should (only) be used when you have an ((A)DSL)       #
# modem which works with a ppp-connection between the modem and the           #
# host the modem is connected to.                                             #
#                                                                             #
# You can check whether this applies for your (hardware) setup with           #
# 'ifconfig' (a 'ppp' device is shown).                                       #
# This means that if your modem is bridging (or a NAT router) or the          #
# network interface the modem is connected to doesn't have an IP, you         #
# should leave the MODEM_xxx options disabled (=default)!                     #
###############################################################################

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# The physical(!) network interface your ADSL modem is connected to (this is
# not ppp0!).
# ------------------------------------------------------------------------------
#MODEM_IF="eth1"

# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is
# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig').
# ------------------------------------------------------------------------------
#MODEM_IF_IP="10.0.0.150"

# (optional) The IP of your (A)DSL modem itself.
# ------------------------------------------------------------------------------
#MODEM_IP="10.0.0.138"

# (EXPERT SETTING!) Here you can specify the hosts/local net(s) that should
# have access to the (A)DSL modem itself (manage modem settings, if supported
# by your modem!). The default setting ("$INTERNAL_NET") allows access from
# everybody on your LAN.
# ------------------------------------------------------------------------------
#MODEM_INTERNAL_NET="$INTERNAL_NET"


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/dyndns-host-open.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - DynDNS Host Open plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify here the time (in minutes) between executions of the helper script
# (leave at the default if you don't know what it is).
# Note: The rules are only as trustworthy as the DNS answers they are built
# from: a hijacked or spoofed DNS record opens these ports to someone else, and
# between two runs the resolved address may already have been reassigned.
# ------------------------------------------------------------------------------
DYNDNS_HOST_OPEN_TIME="15"

# Put in the following variables which (dyndns) hosts (names) you want to allow
# for certain services.
# TCP/UDP port format (DYNDNS_HOST_OPEN_TCP & DYNDNS_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# IP protocol format (DYNDNS_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
#
# ICMP protocol format (DYNDNS_HOST_OPEN_ICMP):
# "host1 host2 ...."
# ------------------------------------------------------------------------------
DYNDNS_HOST_OPEN_TCP=""
DYNDNS_HOST_OPEN_UDP=""
DYNDNS_HOST_OPEN_IP=""
DYNDNS_HOST_OPEN_ICMP=""


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/ids-protection.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - IDS Protection plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Interface(s) that should be protected by IDS.
# Default is all external interfaces
# ------------------------------------------------------------------------------
IDS_INTERFACE=""

# Specify here the hosts you want to allow to bypass the IDS protection checks
# ------------------------------------------------------------------------------
IDS_TRUSTED_HOSTS=""

# Specify here the TCP & UDP ports you want to exclude from IDS checking
# ------------------------------------------------------------------------------
IDS_EXCLUDE_TCP=""
IDS_EXCLUDE_UDP=""

# 1st set of maximum allowed connection attempts
# (default: 4 connections/60 seconds)
# ------------------------------------------------------------------------------
IDS_MAX_RATE1="4"
IDS_MAX_TIME1="60"

# 2nd set of maximum allowed connection attempts
# (default: 10 connections/1800 seconds)
# ------------------------------------------------------------------------------
IDS_MAX_RATE2="10"
IDS_MAX_TIME2="1800"

# (EXPERT SETTING!) If ip6tables '-m recent' IPv6 support is not available:
# Disable (0) if the kernel module xt_recent is not available; only IPv4 will
# be used.
# ------------------------------------------------------------------------------
IDS_IPV6_ENABLE=1


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/ipsec-vpn.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - IPsec VPN plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify here both the local & remote subnets that participate in the VPN.
# If no networks are named, then all are implicitly allowed (i.e. 0/0).
# ------------------------------------------------------------------------------
IPSEC_VPN_NETS=""

# Specify here the inet hosts that are allowed to connect to the IPsec service
# ports:
# ------------------------------------------------------------------------------
IPSEC_ALLOWED_HOSTS="0/0"

# To enable UDP encapsulation for NAT traversal:
# ------------------------------------------------------------------------------
IPSEC_NAT_TRAVERSAL=0


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/ipv6-over-ipv4.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - IPv6-over-IPv4 plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# The IPv4 address of the IPv6 tunnel server
# For a 6in4 static tunnel define with the remote IPv4 address
# For a 6to4 relay tunnel define with 0/0
# Note: 0/0 accepts tunnel (IPv6-in-IPv4) packets from any IPv4 source; for a
# static 6in4 tunnel, set the tunnel server's address instead.
# ------------------------------------------------------------------------------
IPV6_OVER_IPV4_SERVER="0/0"

# The external interface(s) to allow IPv4 packets for the IPv6 tunnel
# ------------------------------------------------------------------------------
IPV6_OVER_IPV4_IF=""

# Note: Be sure to add the IPv6 tunnel interface (ex. he-ipv6) to the EXT_IF
# variable in your configuration.
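The `host1,host2~port1,port2 ...` list syntax (and its `SRC,...>DST~port` variant) is shared by HOST_OPEN_xxx, HOST_DENY_xxx, HOST_REJECT_xxx, INET_OUTPUT_HOST_xxx, DMZ_LAN_HOST_OPEN_xxx and DYNDNS_HOST_OPEN_xxx above. The following POSIX sh script is an added example, not AIF's own code: it expands such a list into one iptables-style match per (source, destination, port) tuple and only prints what it would match, so a list can be checked before it is enabled. The function names (`aif_expand`, `emit_match`, the `demo_*` wrappers) and the sample lists are constructed for this example; the `any` sentinel and the handling of an empty source (0/0, NOTE 1) and empty port list (NOTE 2) follow the rules stated in the config comments.

```shell
#!/bin/sh
# Added example, not part of AIF: expand AIF's host/port list syntax into the
# iptables match it implies, one line per (source, destination, port) tuple.
# Nothing is applied; only the match arguments are printed.
#
# aif_expand PROTO SPEC
#   PROTO: tcp | udp | ip | icmp
#   SPEC : space separated items, each
#            HOST,HOST,...[~PORT,PORT,...]           (plain form), or
#            [SRC,SRC,...]>DST[~PORT,PORT,...]       ('>' form)
#          For PROTO=ip the part after '~' is a protocol number.
#          Empty source list = any source (0/0); empty port list = any port.
#          A port range is written as in iptables, eg. 6666:6669.

emit_match() {
  # $1=proto $2=src $3=dst $4=port-or-protocol ("any" when unspecified)
  line="-s $2"
  [ -n "$3" ] && line="$line -d $3"
  case $1 in
    tcp|udp) line="-p $1 $line"
             [ "$4" != any ] && line="$line --dport $4" ;;
    icmp)    line="-p icmp $line" ;;
    ip)      [ "$4" != any ] && line="-p $4 $line" ;;
  esac
  printf '%s\n' "$line"
}

aif_expand() {
  proto=$1
  spec=$2
  for item in $spec; do
    # Split off the port/protocol list after '~', if any ("~" is quoted so the
    # shell does not try tilde expansion on the pattern).
    case $item in
      *~*) hosts=${item%%"~"*}; ports=${item#*"~"} ;;
      *)   hosts=$item;          ports=any ;;
    esac
    # Split the '>' form into source list and destination.
    case $hosts in
      *">"*) srcs=${hosts%%">"*}; dst=${hosts#*">"} ;;
      *)     srcs=$hosts;         dst= ;;
    esac
    [ -z "$srcs" ] && srcs=0/0      # NOTE 1 in the config: no source = any
    [ -z "$ports" ] && ports=any    # NOTE 2: no port = any port
    # Comma-split in a subshell so the caller's IFS is untouched.
    (
      IFS=,
      for src in $srcs; do
        for port in $ports; do
          emit_match "$proto" "$src" "$dst" "$port"
        done
      done
    )
  done
}

# Constructed demo lists (not taken from the config file):
demo_host_open_tcp() { aif_expand tcp "1.2.3.4,5.6.7.8~22,443 9.9.9.9"; }
demo_dmz_lan_tcp()   { aif_expand tcp "0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"; }
demo_host_open_ip()  { aif_expand ip  "10.0.0.1~47,48"; }
demo_deny_range()    { aif_expand tcp "0/0~6666:6669"; }

printf '# HOST_OPEN_TCP:\n';                      demo_host_open_tcp
printf '# DMZ_LAN_HOST_OPEN_TCP:\n';              demo_dmz_lan_tcp
printf '# HOST_OPEN_IP:\n';                       demo_host_open_ip
printf '# INET_OUTPUT_DENY_TCP (port range):\n';  demo_deny_range
```

Running it shows, for instance, that `1.2.3.4,5.6.7.8~22,443 9.9.9.9` yields four host/port matches plus one match for 9.9.9.9 with no port restriction at all, which is the easy way to notice an accidental "open everything from that host" entry before it goes live.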


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/linux-upnp-igd.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Linux UPnP IGD plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# We don't have parameters for now...
# ------------------------------------------------------------------------------


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/mac-address-filter.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - MAC Address Filter plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify the interfaces the MAC address filter is applied to (eg. INT_IF)
# ------------------------------------------------------------------------------
MAC_ADDRESS_IF="$INT_IF"

# Enable logging for not-allowed MAC addresses (if used).
# ------------------------------------------------------------------------------
MAC_ADDRESS_LOG=1

# Specify here the location of the file that contains the MAC addresses of the
# hosts on the interfaces specified in "$MAC_ADDRESS_IF" that are allowed.
# The MAC addresses should be written like 00:11:22:33:44:55, optionally
# followed by a (space-separated) IP address to lock the MAC address to a
# certain IP. Each line should contain one MAC address (+optional IP address)
# and the last line must be terminated by a newline!
# Note: A MAC address can be set freely by any host on the segment, so treat
# this filter as a convenience against accidental access, not as authentication.
# ------------------------------------------------------------------------------
MAC_ADDRESS_FILE="/etc/arno-iptables-firewall/mac-addresses"


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/multiroute.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Multirouting plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# RP_FILTER settings (Only set this to 0 if you know what you're doing)
# Note: rp_filter is the kernel's reverse-path (anti-spoofing) check. It usually
# has to be disabled for multi-WAN routing, which costs you that protection.
# ------------------------------------------------------------------------------
RP_FILTER_DISABLE=1

# Settings for the first interface:
# ------------------------------------------------------------------------------
MULTIROUTE_EXT_IF1=eth0
MULTIROUTE_EXT_ROUTER1=1.2.3.5
MULTIROUTE_EXT_IP1=5.6.7.9
MULTIROUTE_EXT_WEIGHT1=1

# Settings for the second interface:
# ------------------------------------------------------------------------------
MULTIROUTE_EXT_IF2=eth1
MULTIROUTE_EXT_ROUTER2=1.2.3.4
MULTIROUTE_EXT_IP2=5.6.7.8
MULTIROUTE_EXT_WEIGHT2=1

# Optional settings if you also use an internal interface (for your LAN/gateway)
# ------------------------------------------------------------------------------
MULTIROUTE_INT_IP=192.168.0.1
MULTIROUTE_INT_NET=192.168.0.0/24


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/nat-loopback.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - NAT Loopback plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# NAT Loopback for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP
# rules.
# Note: The default external IPv4 address is obtained from the first
# interface defined in the EXT_IF variable.
#
# Limit local nets by defining NAT_LOOPBACK_NET, a space separated list.
# Defaults to NAT_INTERNAL_NET if not defined.
#
# Example:
# NAT_LOOPBACK_NET="192.168.1.0/24"
# (IPv4 Only)
# ------------------------------------------------------------------------------
NAT_LOOPBACK_NET=""

# When local servers are in another LAN they are unreachable (by default) unless
# FORWARD rules are created. When NAT_LOOPBACK_FORWARD is set to "1" the
# FORWARD rules to the servers are created for all subnets in NAT_LOOPBACK_NET.
#
# Defaults to no added forwards if not set to "1"
# ------------------------------------------------------------------------------
NAT_LOOPBACK_FORWARD=0

# When this plugin's status is called, if the default external IPv4 address
# has changed, the NAT_LOOPBACK_DNAT and NAT_LOOPBACK_SNAT chains will be
# updated with the new address. Set NAT_LOOPBACK_UPDATE_ON_STATUS to "0"
# to disable this automatic update on status.
#
# Example:
# $ arno-iptables-firewall status-plugins nat-loopback
#
# Defaults to update on status if not set to "0"
# ------------------------------------------------------------------------------
NAT_LOOPBACK_UPDATE_ON_STATUS=1


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/outbound-snat.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Outbound SNAT plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# When a NAT'ed external interface has multiple IPv4 addresses, it may be
# desirable to specify which internal IPs or CIDRs use which external
# IPv4 addresses for outbound connections.
#
# Format: (space or comma separated)
# "SRCIP1>VIAIP1 SRCIP2>VIAIP2 ... SRCIPn>VIAIPn"
#
# Note 1: SRCIP (internal) may be a single IP or CIDR address.
#
# Note 2: VIAIP (external) must be a single IP address
#
# Example:
# OUTBOUND_SNAT_NET_HOST="192.168.1.20>1.2.3.10 192.168.10.0/24>1.2.3.11"
# (IPv4 Only)
# ------------------------------------------------------------------------------
OUTBOUND_SNAT_NET_HOST=""


################################################################################
# File: aif-2.1.2a/etc/arno-iptables-firewall/plugins/parasitic-net.conf
################################################################################
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Parasitic (SNAT) Network plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# ------------------------------------------------------------------------------
# Parasitic Network
#
# Allows "clients" on the same subnet to use this device as a gateway upstream.
# This network of "clients" is the Parasitic Network, SNAT'ed to this device's
# external interface(s).
#
# This Parasitic Network is useful for situations when the upstream firewall
# is not under your control and you desire added security for specific devices
# in your subnet. Set the gateway address of Parasitic Network clients to an
# external IPv4 address of this device.
#
# Note: To be effective, be certain the Parasitic Network clients are IPv4-only;
# their IPv6 traffic would bypass this device and its rules entirely.
#
# (IPv4 Only)
# ------------------------------------------------------------------------------

# Specify which (external) network interfaces should have parasitic SNAT enabled
# You can optionally also provide the interface IP in the form of interface~IP
# (for eg. interfaces with multiple IP addresses). Multiple interfaces should
# be space separated.
Leave empty to include all external interfaces # ------------------------------------------------------------------------------ PARASITIC_NET_IF="" # Specify which "clients" are allowed to use this device as an SNAT gateway. # If not specified all hosts on parasitic SNAT enabled interfaces are allowed # NOTE: The hosts in here should be on subnets connected to interfaces specified # in PARASITIC_NET_IF # ------------------------------------------------------------------------------ PARASITIC_NET_CLIENT_HOSTS="" # Specify here the time(s) in minutes between executes of the helper script # (leave default if you don't know what it is). # ------------------------------------------------------------------------------ PARASITIC_NET_TIME="15" ################################################################################ # Use PARASITIC_NET_HOST_OPEN_xxx and PARASITIC_NET_HOST_DENY to restrict # # forwarded parasitic network traffic. # # # # By default all parasitic network packets are forwarded and NAT-ed upstream, # # unless one of the PARASATIC_NET_HOST_OPEN_xxx variables is specified. In # # that case the default policy for that protocol (TCP, UDP, ICMP, IP) will # # become deny, except for IP which always defaults to deny. 
# ################################################################################ #------------------------------------------------------------------------------- # PARASITIC_NET_HOST_xxxx_yyy & PARASITIC_NET_HOST_xxxx_yyy format: # # TCP/UDP port form: # "SRCIP1,SRCIP2,...>DESTIP1~port \ # SRCIP3,...>DESTIP2~port" # # IP form: # "SRCIP1,SRCIP2,...>DESTIP1~protocol \ # SRCIP3,...>DESTIP2~protocol" # # ICMP form: # "SRCIP1,SRCIP2,...>DESTIP1 \ # SRCIP3,...>DESTIP2" # # TCP/UDP examples: # ----------------- # Simple: # (Allow port 80 to INET host 1.2.3.4 for all parasitic hosts(0/0)): # PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~80" # Advanced: # (Allow port 20 & 21 to INET host 1.2.3.4 for all parasitic hosts(0/0) and # allow port 80 to INET host 1.2.3.4 for parasitic host 192.168.0.10 (only)): # PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~20,21 192.168.0.10>0/0~80" # # IP protocol example: # (Allow protocols 47 & 48 to INET host 1.2.3.4 for all parasitic hosts(0/0)) # PARASITIC_NET_HOST_OPEN_IP="1.2.3.4~47,48" # # NOTE: If no SRCIPx is specified, any source host is used #------------------------------------------------------------------------------- # Put in the following variables which hosts you want to allow(open) for certain # services # ------------------------------------------------------------------------------ PARASITIC_NET_HOST_OPEN_TCP="" PARASITIC_NET_HOST_OPEN_UDP="" PARASITIC_NET_HOST_OPEN_ICMP="" PARASITIC_NET_HOST_OPEN_IP="" # Put in the following variables which hosts you want to deny for certain # services # ------------------------------------------------------------------------------ PARASITIC_NET_HOST_DENY_TCP="" PARASITIC_NET_HOST_DENY_UDP="" PARASITIC_NET_HOST_DENY_ICMP="" PARASITIC_NET_HOST_DENY_IP="" # Enable (1) or disable(0) logging of denied packets # ------------------------------------------------------------------------------ PARASITIC_NET_DENY_LOG=1 # Specify the policy for denied packets: DROP (default) or REJECT # 
------------------------------------------------------------------------------ PARASITIC_NET_DENY_POLICY="DROP" aif-2.1.2a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf000066400000000000000000000013361464417520100262220ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - PPTP VPN Passthrough plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients # have NAT between them and the PPTP VPN server special packet handling must be performed. # This plugin loads the required Linux Kernel modules to handle that situation. # # No configuration options # ------------------------------------------------------------------------------ aif-2.1.2a/etc/arno-iptables-firewall/plugins/pptp-vpn.conf000066400000000000000000000043561464417520100236620ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - PPTP VPN plugin =- # ------------------------------------------------------------------------------ # To actually enable this plugin make ENABLED=1: # ------------------------------------------------------------------------------ ENABLED=0 # ------------------------------------------------------------------------------ # PPTP VPN Server Support # Note: The PPP interface wildcard 'ppp+' is used, along with PPTP_VPN_NETS to # identify PPTP VPN traffic. # # If PPP interfaces are specified for the external interface, they will # automatically be excluded from the PPTP VPN interface list. Should EXT_IF # contain 'ppp+' this plugin will be disabled. 
# ------------------------------------------------------------------------------ # Define the local network where PPTP remote clients appear on, possibly # via proxyarp in an unused LAN/DMZ address range. # Examples: # 16 clients, 192.168.1.224-239 range, PPTP_VPN_NETS="192.168.1.224/28" # 8 clients, 192.168.1.232-239 range, PPTP_VPN_NETS="192.168.1.232/29" # 4 clients, 192.168.1.236-239 range, PPTP_VPN_NETS="192.168.1.236/30" # # PPTP_VPN_NETS must be defined to allow PPTP VPN traffic # ------------------------------------------------------------------------------ PPTP_VPN_NETS="" # Specify the tunnel external hosts that are allowed to connect to the PPTP VPN # service ports, any by default: # ------------------------------------------------------------------------------ PPTP_VPN_TUNNEL_HOSTS="0/0" # By default all valid PPTP VPN packets are allowed, use PPTP_VPN_ALLOW_HOSTS # and PPTP_VPN_DENY_HOSTS to restrict local PPTP VPN traffic. # # PPTP_VPN_ALLOW_HOSTS used in conjunction with PPTP_VPN_DENY_HOSTS, otherwise # the default policy is to allow. 
# ------------------------------------------------------------------------------
PPTP_VPN_ALLOW_HOSTS=""

# Deny PPTP VPN packets to specified hosts, networks
# ------------------------------------------------------------------------------
PPTP_VPN_DENY_HOSTS=""

# Enable (1) logging of denied PPTP VPN packets
# ------------------------------------------------------------------------------
PPTP_VPN_DENY_LOG=0

aif-2.1.2a/etc/arno-iptables-firewall/plugins/rpc.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - RPC plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# RPC services to enable
# ------------------------------------------------------------------------------
RPC_SERVICES=""

# Nets to allow for RPC services
# ------------------------------------------------------------------------------
RPC_NETS=""

aif-2.1.2a/etc/arno-iptables-firewall/plugins/sip-voip.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - SIP-VOIP plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# This plugin automatically opens inbound RTP voice ports by tracking
# the inbound (INET) SIP sessions.
#
# Specify the UDP port(s) for SIP (default is 5060)
# ------------------------------------------------------------------------------
SIP_VOIP_PORTS="5060"

# Specify the allowed remote host(s) for SIP (default is all hosts)
# ------------------------------------------------------------------------------
SIP_VOIP_REMOTE_HOSTS="0/0"

aif-2.1.2a/etc/arno-iptables-firewall/plugins/ssh-brute-force-protection.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - SSH Brute Force Protection plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify here the port(s) you want the SSH checks to apply to. Note that this
# plugin does NOT open the ports for you; this must be done in the main script
# with eg. OPEN_TCP!
# ------------------------------------------------------------------------------
SSH_BFP_PORTS="22"

# Specify here the hosts you want to allow to bypass the SSH protection checks
# ------------------------------------------------------------------------------
SSH_BFP_TRUSTED_HOSTS=""

# 1st set of maximum allowed connection attempts
# (default: 4 connections/60 seconds)
# ------------------------------------------------------------------------------
SSH_BFP_MAX_RATE1="4"
SSH_BFP_MAX_TIME1="60"

# 2nd set of maximum allowed connection attempts
# (default: 10 connections/1800 seconds)
# ------------------------------------------------------------------------------
SSH_BFP_MAX_RATE2="10"
SSH_BFP_MAX_TIME2="1800"

# (EXPERT SETTING!) Disable (0) if ip6tables '-m recent' (kernel module
# xt_recent) IPv6 support is not available; the checks are then applied to
# IPv4 only.
# ------------------------------------------------------------------------------
SSH_BFP_IPV6_ENABLE=1

aif-2.1.2a/etc/arno-iptables-firewall/plugins/traffic-accounting.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Traffic Accounting plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify here the time (in minutes) between executions of the helper script
# (leave default if you don't know what it is).
# ------------------------------------------------------------------------------
TRAFFIC_ACCOUNTING_TIME="15"

# Put in the following variable which hosts you want to do
# accounting for (space separated).
# ------------------------------------------------------------------------------
TRAFFIC_ACCOUNTING_HOSTS=""

aif-2.1.2a/etc/arno-iptables-firewall/plugins/traffic-shaper.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Traffic Shaper plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# The external interface(s) to perform traffic shaping for
# ------------------------------------------------------------------------------
SHAPER_IF="$EXT_IF"

# Specify qdisc type: cfq (default), htb or hfsc (experimental)
# ------------------------------------------------------------------------------
SHAPER_TYPE="cfq"

################################################################################
# NOTE: The remaining settings below don't apply to cfq (only hfsc/htb)!
#
# DOWNLINK/UPLINK are required to be configured, the rest is optional.
#
################################################################################

# The uplink/downlink speed of your internet connection in KBit
# Note: Disable incoming (ingress) shaping with DOWNLINK=0
#       UPLINK must be defined and greater than 0
# ------------------------------------------------------------------------------
DOWNLINK=3072
UPLINK=832

# Most users can leave the port classification as is. The notation signifies
# the destination port on *outbound* traffic. Ports are prefixed by 'u' for
# UDP and 't' for TCP. Ranges are given as 5060:5064.
#
# Additionally, packets tagged with DSCP classes EF, CS3, etc.
# will be automatically placed with the proper priority.
# ------------------------------------------------------------------------------

# Higher Priority - Streaming Media - VoIP (RTP, IAX2, etc.)
# ------------------------------------------------------------------------------
SHAPER_STREAMINGMEDIA_PORTS="u4569 u1720 u1731"

# High Priority - Interactive - Shell (ssh, telnet, X, Vnc, etc.)
# ------------------------------------------------------------------------------
SHAPER_INTERACTIVE_PORTS="u53 t22 u1194 t3389 u5060:5064 t5900"

# Medium Priority - Default (SIP-signaling)
# Default, no ports defined

# Low Priority - Bulk data transfer (HTTP, HTTPS, POP3, SMTP, FTP, etc.)
# ------------------------------------------------------------------------------
SHAPER_BULKDATA_PORTS="t20 t21 t25 t80 t110 t137:139 u137:139 t143 t443 t465 t515 t993 t8080"

# Lowest Priority - P2P (BitTorrent)
# ------------------------------------------------------------------------------
SHAPER_P2P_PORTS=""

# (EXPERT SETTING!) If there are servers running locally, include
# the protocol/port from any of the above SHAPER PORTS to also match
# on the source port in addition to the destination port.
# ------------------------------------------------------------------------------
SHAPER_LOCAL_SERVER_PORTS=""

aif-2.1.2a/etc/arno-iptables-firewall/plugins/transparent-dnat.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Transparent DNAT plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# Specify here the internal IP of this host (the IP that will be redirected TO)
# ------------------------------------------------------------------------------
DNAT_MY_INTERNAL_IP=""

# Specify here the external IP (the IP that will be redirected FROM)
# ------------------------------------------------------------------------------
DNAT_MY_EXTERNAL_IP=""

# Specify here the ports you want to enable transparent DNAT for (multiple ports comma separated)
# ------------------------------------------------------------------------------
DNAT_TCP_PORTS=""
DNAT_UDP_PORTS=""

aif-2.1.2a/etc/arno-iptables-firewall/plugins/transparent-proxy.conf
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Transparent Proxy plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# (Transparent) proxy settings
# ------------------------------------------------------------------------------
#HTTP_PROXY_PORT="3128"
HTTPS_PROXY_PORT=""
FTP_PROXY_PORT=""
SMTP_PROXY_PORT=""
POP3_PROXY_PORT=""
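The traffic-shaper plugin above documents its port notation ('u'/'t' prefix, then a single port or a low:high range) but nothing on the page validates it, and a mistyped entry would simply end up in the wrong class. This added shell example (not part of AIF; the function names are constructed here and the plugin parses the list its own way) turns one entry into an iptables match fragment and checks a whole SHAPER_*_PORTS value for malformed entries.

```shell
#!/bin/sh
# Added example, not part of AIF: validate the traffic-shaper plugin's port
# notation ('u' = UDP, 't' = TCP, then a single port or a low:high range) and
# turn one entry into an iptables match fragment. Function names are
# constructed here; AIF's own traffic-shaper plugin parses this internally.

# Return 0 if $1 is a decimal integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print "-p udp|tcp --dport PORT[:PORT]" for one entry; return 1 if malformed
shaper_port_to_match() {
  case "$1" in
    u*) proto="udp" ;;
    t*) proto="tcp" ;;
    *)  return 1 ;;   # missing or unknown protocol prefix
  esac
  spec="${1#?}"       # strip the one-letter prefix
  case "$spec" in
    *:*)
      low="${spec%%:*}"
      high="${spec#*:}"
      valid_port "$low" && valid_port "$high" && [ "$low" -le "$high" ] || return 1
      ;;
    *)
      valid_port "$spec" || return 1
      ;;
  esac
  printf '%s\n' "-p $proto --dport $spec"
}

# Check every space-separated entry of a SHAPER_*_PORTS value; report the
# malformed ones on stderr and return how many there were (0 = all fine)
shaper_ports_check() {
  bad=0
  for item in $1; do
    if ! shaper_port_to_match "$item" >/dev/null; then
      printf 'malformed port spec: %s\n' "$item" >&2
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Stand-alone run over the plugin's default interactive list
shaper_ports_check "u53 t22 u1194 t3389 u5060:5064 t5900"
```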
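To make the two rate/time pairs of the SSH brute-force protection plugin above concrete, here is an added shell example (not AIF's code) that prints, as a dry run, the iptables '-m recent' rules those settings correspond to. The chain name SSH_BFP_CHAIN and the list name ssh_bfp_<port> are constructed for this illustration; the plugin's real rules may differ.

```shell
#!/bin/sh
# Added example, not AIF's own code: translate the SSH_BFP_* settings of the
# ssh-brute-force-protection plugin into iptables '-m recent' rate-limit rules.
# Only prints the rules (dry run). Chain name SSH_BFP_CHAIN and list name
# ssh_bfp_<port> are constructed here; the plugin's real rules may differ.

# Plugin defaults (from ssh-brute-force-protection.conf)
SSH_BFP_PORTS="22"
SSH_BFP_TRUSTED_HOSTS=""
SSH_BFP_MAX_RATE1="4";  SSH_BFP_MAX_TIME1="60"
SSH_BFP_MAX_RATE2="10"; SSH_BFP_MAX_TIME2="1800"

# Print the rules for the given port list ($1) and trusted host list ($2).
# Rule order matters: both DROP checks run before --set, so the RATE-th new
# connection inside a window is still accepted and the next one is dropped;
# --update also refreshes the timestamp, so a source that keeps retrying stays
# blocked until it has been quiet for the whole window. xt_recent rejects a
# --hitcount above its ip_pkt_list_tot module parameter (20 by default).
ssh_bfp_rules() {
  for port in $1; do
    # Trusted hosts bypass the checks entirely
    for host in $2; do
      echo "iptables -A SSH_BFP_CHAIN -p tcp --dport $port -s $host -j RETURN"
    done
    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name ssh_bfp_$port"
    echo "iptables -A SSH_BFP_CHAIN $match --update --seconds $SSH_BFP_MAX_TIME1 --hitcount $SSH_BFP_MAX_RATE1 -j DROP"
    echo "iptables -A SSH_BFP_CHAIN $match --update --seconds $SSH_BFP_MAX_TIME2 --hitcount $SSH_BFP_MAX_RATE2 -j DROP"
    # Record this attempt (only reached when neither threshold was exceeded)
    echo "iptables -A SSH_BFP_CHAIN $match --set"
  done
}

# Number of DROP rules the generator emits (two windows per port)
ssh_bfp_drop_count() {
  ssh_bfp_rules "$1" "$2" | grep -c -- '-j DROP'
}

ssh_bfp_rules "$SSH_BFP_PORTS" "$SSH_BFP_TRUSTED_HOSTS"
```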
aif-2.1.2a/etc/init.d/arno-iptables-firewall
#!/bin/sh
#
# chkconfig: 2345 09 91
# description: init.d script for Arno's Iptables Firewall(AIF)
### BEGIN INIT INFO
# Provides:          arno-iptables-firewall
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup iptables firewall configuration
### END INIT INFO

############################################################################################
# You should put this script in eg. "/etc/init.d/" .                                       #
# Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it                   #
# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or     #
# (for eg. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script  #
# ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script").   #
############################################################################################

PATH=/bin:/usr/bin:/sbin:/usr/sbin
PROGRAM="/usr/local/sbin/arno-iptables-firewall"

# Be verbose(1)?:
VERBOSE=0

test -x $PROGRAM || exit 0

if [ "$VERBOSE" = "0" ]; then
  case "$1" in
    start)
      echo "Starting Arno's Iptables Firewall(AIF)..."
      ;;
    stop)
      echo "Stopping Arno's Iptables Firewall(AIF)..."
      ;;
    restart)
      echo "Restarting Arno's Iptables Firewall(AIF)..."
      ;;
    force-reload)
      echo "(Forced) reloading Arno's Iptables Firewall(AIF)..."
      ;;
    status)
      $PROGRAM $*
      exit $?
      ;;
    configtest)
      $PROGRAM check-conf
      exit $?
      ;;
    *)
      $PROGRAM
      exit 1
      ;;
  esac

  # Call firewall script:
  result=`$PROGRAM $*`
  retval=$?
else
  $PROGRAM $*
  retval=$?
fi

# Return value:
exit $retval

aif-2.1.2a/etc/logrotate.d/arno-iptables-firewall
/var/log/arno-iptables-firewall {
  rotate 4
  weekly
  missingok
  notifempty
  compress
  delaycompress
  copytruncate
}

aif-2.1.2a/etc/rsyslog.d/arno-iptables-firewall.conf
# Log firewall messages to /var/log/arno-iptables-firewall (asynchronously),
# and then drop them so that they aren't logged again elsewhere.
if $syslogfacility-text == 'kern' \
   and $msg contains 'AIF:' then -/var/log/arno-iptables-firewall
& stop
if $syslogtag == 'firewall:' then -/var/log/arno-iptables-firewall

aif-2.1.2a/gpl_license.txt
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

  When we speak of free software, we are referring to freedom, not price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. 
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
  If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  , 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

aif-2.1.2a/install.sh
#!/bin/bash

MY_VERSION="1.14d"

# ------------------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) =-
#   Single- & multi-homed firewall script with DSL/ADSL support
#
#                 ~ In memory of my dear parents ~
#
# (C) Copyright 2001-2023 by Arno van Amersfoort
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------------------

# A literal newline, used as a separator elsewhere in the installer
EOL='
'

# Check if the environment file exists and if so, load it
#########################################################
if [ -f ./share/arno-iptables-firewall/environment ]; then
  . ./share/arno-iptables-firewall/environment
else
  printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n" >&2
  exit 2
fi

sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi

  check_command_error iptables
  if [ "$IPV6_DETECTED" = "1" ]; then
    check_command_error ip6tables
  fi
  check_command_error awk
  check_command_error tr
  check_command_error ip
  check_command_error cut
  check_command_error uname
  check_command_error sed
  check_command_error cat
  check_command_error date
  check_command_error modprobe
  check_command_error sysctl
  check_command_error head
  check_command_error tail
  check_command_error wc
  check_command_error gzip
  check_command_error logger
  check_command_error chmod
  check_command_error chown
  check_command_error find
  check_command_error cp
  check_command_error rm
  check_command_error mkdir
  check_command_error rmdir
  check_command_error ln
  check_command_warning dig nslookup
}

shell_diff()
{
  local FILE1_DATA="$(cat "$1")"
  local FILE2_DATA="$(cat "$2")"

  if [ "$FILE1_DATA" != "$FILE2_DATA" ]; then
    # If mismatch, check whether it's only the comments that differ
    # NOTE: "%\#*" strips everything from the LAST '#' to the end of the file,
    #       so this is a rough heuristic, not a real comment-insensitive diff
    if [ "${FILE1_DATA%\#*}" = "${FILE2_DATA%\#*}" ]; then
      return 1 # Only comments differ
    fi

    return 2 # Full mismatch
  fi

  return 0 # Match
}

copy_ask_if_exist()
{
  local DIFF_RETVAL=-1
  local RETVAL
  local DEFAULT_YN="${3:-n}" # Default to n(o) (bare n: quotes inside ${..:-} would be kept literally)
  local BACKUP_EXT="$4"
  local FALLBACK_EXT="$5"

  if [ -z "$(find "$1" -type f)" ]; then
    echo "ERROR: Missing source file(s) \"$1\"" >&2
    exit 2
  fi

  unset IFS
  for SOURCE in `find "$1" -type f |grep -v -e '/\.svn/' -e '/\.git/'`; do
    if echo "$2" |grep -q '/$'; then
      FN="${SOURCE#$1}"
      if [ -z "$FN" ]; then
        TARGET="${2}$(basename "$1")"
      else
        TARGET="${2}${FN}"
      fi
      TARGET_DIR="$2"
    else
      TARGET="$2"
      TARGET_DIR="$(dirname "$2")"
    fi

    if [ ! -d "$TARGET_DIR" ]; then
      printf "\033[40m\033[1;31m* WARNING: Target directory $TARGET_DIR does not exist. Skipping copy of $SOURCE!\033[0m\n" >&2
      continue
    fi

    if [ -f "$SOURCE" -a -f "$TARGET" ]; then
      # Ignore files that are the same in the target
      shell_diff "$SOURCE" "$TARGET"
      DIFF_RETVAL=$?
      # 0 = full match, 1 = match (excluding comments), 2 = full mismatch (including comments)
      if [ $DIFF_RETVAL -eq 2 ] && ! get_user_yn "File \"$TARGET\" already exists. Overwrite" "$DEFAULT_YN"; then
        if [ -z "$FALLBACK_EXT" ]; then
          echo "Skipped..."
          continue
        else
          # Copy as e.g. .dist-file:
          TARGET="${TARGET}.${FALLBACK_EXT}"
          rm -f "$TARGET"
        fi
      fi
    fi

    RETVAL=0
    if [ $DIFF_RETVAL -eq 2 -a -n "$BACKUP_EXT" ]; then
      # copy file & create backup of old file if exists
      cp -v --suffix=".${BACKUP_EXT}" --backup=simple --preserve=mode,timestamps "$SOURCE" "$TARGET"
      RETVAL=$?
    else
      # Only comments mismatch, so no point in keeping a backup file
      cp -v --preserve=mode,timestamps "$SOURCE" "$TARGET"
      RETVAL=$?
    fi

    if [ $RETVAL -ne 0 ]; then
      echo "ERROR: Copy of \"$SOURCE\" to \"$TARGET\" failed!" >&2
      exit 3
    fi

    chown 0:0 "$TARGET"
  done

  return 0
}


# Copy $1 to $2 unless the target already exists ($3 = optional fallback extension, e.g. "dist")
copy_skip_if_exist()
{
  if [ -z "$(find "$1" -type f)" ]; then
    echo "ERROR: Missing source file(s) \"$1\"" >&2
    exit 2
  fi

  unset IFS
  for SOURCE in `find "$1" -type f |grep -v -e '/\.svn/' -e '/\.git/'`; do
    if echo "$2" |grep -q '/$'; then
      FN="${SOURCE#$1}"
      if [ -z "$FN" ]; then
        TARGET="$2$(basename "$1")"
      else
        TARGET="$2$FN"
      fi
      TARGET_DIR="$2"
    else
      TARGET="$2"
      TARGET_DIR="$(dirname "$2")"
    fi

    if [ ! -d "$TARGET_DIR" ]; then
      printf "\033[40m\033[1;31m* WARNING: Target directory $TARGET_DIR does not exist. Skipping copy of $SOURCE!\033[0m\n" >&2
      continue
    fi

    if [ -f "$TARGET" ]; then
      if [ -z "$3" ]; then
        echo "* File \"$TARGET\" already exists. Skipping copy of $SOURCE"
        continue
      else
        # Copy as e.g. .dist-file:
        TARGET="${TARGET}.${3}"
        rm -f "$TARGET"
      fi
    fi

    # NOTE: Always copy, even if contents is the same to make sure permissions are updated
    if ! cp -v --preserve=mode,timestamps "$SOURCE" "$TARGET"; then
      echo "ERROR: Copy of \"$SOURCE\" to \"$TARGET\" failed!" >&2
      exit 3
    fi

    chown 0:0 "$TARGET"
  done

  return 0
}


# Copy $1 to $2, always overwriting the target
copy_overwrite()
{
  if [ -z "$(find "$1" -type f)" ]; then
    echo "ERROR: Missing source file(s) \"$1\"" >&2
    exit 2
  fi

  unset IFS
  for SOURCE in `find "$1" -type f |grep -v -e '/\.svn/' -e '/\.git/'`; do
    if echo "$2" |grep -q '/$'; then
      FN="${SOURCE#$1}"
      if [ -z "$FN" ]; then
        TARGET="$2$(basename "$1")"
      else
        TARGET="$2$FN"
      fi
      TARGET_DIR="$2"
    else
      TARGET="$2"
      TARGET_DIR="$(dirname "$2")"
    fi

    if [ ! -d "$TARGET_DIR" ]; then
      printf "\033[40m\033[1;31m* WARNING: Target directory $TARGET_DIR does not exist. Skipping copy of $SOURCE!\033[0m\n" >&2
      continue
    fi

    # NOTE: Always copy, even if contents is the same to make sure permissions are updated
    if ! cp -fv --preserve=mode,timestamps "$SOURCE" "$TARGET"; then
      echo "ERROR: Copy of \"$SOURCE\" to \"$TARGET\" failed!" >&2
      exit 3
    fi

    chown 0:0 "$TARGET"
  done

  return 0
}


# Ask a yes/no question ($1), with $2 = default answer ("y" or anything else for no)
get_user_yn()
{
  if [ "$2" = "y" ]; then
    printf "$1 (Y/n)? "
  else
    printf "$1 (y/N)? "
  fi

  read answer_with_case

  ANSWER=`echo "$answer_with_case" |tr A-Z a-z`

  if [ "$ANSWER" = "y" -o "$ANSWER" = "yes" ]; then
    return 0
  fi

  if [ "$ANSWER" = "n" -o "$ANSWER" = "no" ]; then
    return 1
  fi

  # Fallback to default
  if [ "$2" = "y" ]; then
    return 0
  else
    return 1
  fi
}


check_18_version()
{
  if grep -q "^MY_VERSION=" "/etc/init.d/arno-iptables-firewall" 2>/dev/null; then
    if get_user_yn "WARNING: An old version is still installed. Removing it first is *STRONGLY* recommended. Remove" "y"; then
      rm -fv /etc/init.d/arno-iptables-firewall
      mv -fv /etc/arno-iptables-firewall/custom-rules /etc/arno-iptables-firewall/custom-rules.old
      mv -fv /etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/firewall.conf.old
      rm -fv /etc/arno-iptables-firewall/plugins/*.plugin
      rm -fv /etc/rc*.d/*arno-iptables-firewall
    fi
  fi
}


check_dist_version()
{
  if [ -f /usr/sbin/arno-iptables-firewall ]; then
    if ! get_user_yn "WARNING: It seems a distribution version is already installed. It's *STRONGLY* recommended to remove it first. Continue anyway" "n"; then
      return 1
    fi
  fi

  return 0
}


# Check plugins for (old) versions with different priority
check_plugins()
{
  if [ -d /usr/local/share/arno-iptables-firewall/plugins ] && ls /usr/local/share/arno-iptables-firewall/plugins/*.plugin >/dev/null 2>&1; then
    unset IFS
    for PLUGIN_FILE in ./share/arno-iptables-firewall/plugins/*.plugin; do
      PLUGIN_NAME="$(basename "$PLUGIN_FILE" |sed 's/^[0-9]*//')"

      ls /usr/local/share/arno-iptables-firewall/plugins/*.plugin 2>/dev/null |grep "/[0-9]*${PLUGIN_NAME}$" |grep -v "/$(basename "$PLUGIN_FILE")$" |while IFS=$EOL read PLUGIN_OLD; do
        echo "* Removing old plugin: $PLUGIN_OLD"
        rm -fv "$PLUGIN_OLD"
      done
    done
  fi
}


setup_start_scripts()
{
  # Install init.d script, but only if init.d folder exists
  if [ -d "/etc/init.d" ]; then
    copy_overwrite ./etc/init.d/arno-iptables-firewall /etc/init.d/
  fi

  # Make sure only one service file exists in /lib/.. or /usr/lib/ where we prefer /lib/
  rm -f /usr/lib/systemd/system/arno-iptables-firewall.service

  # Install service file if systemd directory is available, use fallbacks to support different systems
  if [ -d "/lib/systemd/system" ]; then
    copy_overwrite ./lib/systemd/system/arno-iptables-firewall.service /lib/systemd/system/
  elif [ -d "/usr/lib/systemd/system" ]; then
    copy_overwrite ./lib/systemd/system/arno-iptables-firewall.service /usr/lib/systemd/system/
  elif [ -d "/etc/systemd/system" ]; then
    copy_ask_if_exist ./lib/systemd/system/arno-iptables-firewall.service /etc/systemd/system/ "y"
  else
    echo "NOTE: Could not find any systemd/system directory, skipping systemd configuration" >&2
  fi

  RC_PATH="/etc"
  # Check for Redhat/SUSE rc.d
  if [ -d "/etc/rc.d" ]; then
    RC_PATH="/etc/rc.d"
  fi

  # Remove any symlinks in rc*.d out of the way
  rm -f $RC_PATH/rc0.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc1.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc2.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc3.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc4.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc5.d/*arno-iptables-firewall
  rm -f $RC_PATH/rc6.d/*arno-iptables-firewall
  rm -f $RC_PATH/rcS.d/*arno-iptables-firewall

  if get_user_yn "Do you want to start the firewall at boot" "y"; then
    DONE=0
    if check_command systemctl; then
      if systemctl enable arno-iptables-firewall; then
        echo "* Successfully enabled service with systemctl"
        DONE=1
      fi
    elif check_command update-rc.d; then
      # Note: Currently update-rc.d doesn't seem to properly use the init script's LSB header, so specify explicitly
      if update-rc.d -f arno-iptables-firewall start 11 S . stop 10 0 6 .; then
        echo "* Successfully enabled service with update-rc.d"
        DONE=1
      fi
    elif check_command chkconfig; then
      if chkconfig --add arno-iptables-firewall && chkconfig arno-iptables-firewall on; then
        echo "* Successfully enabled service with chkconfig"
        DONE=1
      fi
    else
      if [ -d "$RC_PATH/rcS.d" ]; then
        if ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rcS.d/S11arno-iptables-firewall" &&
           ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/K10arno-iptables-firewall" &&
           ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc6.d/K10arno-iptables-firewall"; then
          echo "* Successfully enabled service through $RC_PATH/rcS.d/ symlink"
          DONE=1
        fi
      elif [ -d "$RC_PATH/rc2.d" ]; then
        if ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc2.d/S09arno-iptables-firewall" &&
           ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/K91arno-iptables-firewall" &&
           ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc6.d/K91arno-iptables-firewall"; then
          echo "* Successfully enabled service through $RC_PATH/rc2.d/ symlink"
          DONE=1
        fi
      else
        echo "WARNING: Unable to detect /rc2.d or /rcS.d directories. Skipping runlevel symlinks" >&2
      fi
    fi

    if [ $DONE -eq 0 ]; then
      echo "ERROR: Unable to setup automatic start at boot. Please investigate" >&2
    fi
  fi
}


# main line:
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

printf "\033[40m\033[1;32mArno's Iptables Firewall Script(AIF) v$AIF_VERSION\033[0m\n"
printf "Install Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"

sanity_check

# We want to run in the dir the install script is in
cd "$(dirname $0)" || exit 1

if ! get_user_yn "Continue install" "n"; then
  echo "*Install aborted"
  exit 1
fi

# Make sure an old version is not still installed
check_18_version

# Make sure a dist version is not already installed
if ! check_dist_version; then
  echo "*Install aborted"
  exit 1
fi

copy_overwrite ./bin/arno-iptables-firewall /usr/local/sbin/
copy_overwrite ./bin/arno-fwfilter /usr/local/bin/

# Remove old version:
rm -f /usr/local/sbin/arno-fwfilter

mkdir -pv /usr/local/share/arno-iptables-firewall/plugins || exit 1
copy_overwrite ./share/arno-iptables-firewall/ /usr/local/share/arno-iptables-firewall/

if [ ! -f /usr/local/sbin/traffic-accounting-show ]; then
  ln -sv /usr/local/share/arno-iptables-firewall/plugins/traffic-accounting-show /usr/local/sbin/traffic-accounting-show
fi

mkdir -pv /usr/local/share/man/man1 || exit 1
mkdir -pv /usr/local/share/man/man8 || exit 1
gzip -c -v ./share/man/man8/arno-iptables-firewall.8 >/usr/local/share/man/man8/arno-iptables-firewall.8.gz
# The section-1 man page belongs in man1 (the man1 directory is created above for it)
gzip -c -v ./share/man/man1/arno-fwfilter.1 >/usr/local/share/man/man1/arno-fwfilter.1.gz

mkdir -pv /usr/local/share/doc/arno-iptables-firewall || exit 1
copy_overwrite ./README /usr/local/share/doc/arno-iptables-firewall/

# Install rsyslog config file (if rsyslog is available)
if [ -d "/etc/rsyslog.d" ]; then
  copy_ask_if_exist ./etc/rsyslog.d/arno-iptables-firewall.conf /etc/rsyslog.d/ "y" "old" "dist"
fi

copy_ask_if_exist ./etc/logrotate.d/arno-iptables-firewall /etc/logrotate.d/ "y"

mkdir -pv /etc/arno-iptables-firewall || exit 1
copy_overwrite ./etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/firewall.conf.dist
copy_ask_if_exist ./etc/arno-iptables-firewall/firewall.conf /etc/arno-iptables-firewall/
copy_skip_if_exist ./etc/arno-iptables-firewall/custom-rules /etc/arno-iptables-firewall/

mkdir -pv /etc/arno-iptables-firewall/plugins || exit 1
copy_ask_if_exist ./etc/arno-iptables-firewall/plugins/ /etc/arno-iptables-firewall/plugins/ "n" "old" "dist"

mkdir -pv /etc/arno-iptables-firewall/conf.d || exit 1
echo "Files with a .conf extension in this directory will be sourced by the environment file" >/etc/arno-iptables-firewall/conf.d/README

# Check old plugins
check_plugins

setup_start_scripts

echo ""
echo "** Install done **"
echo ""

if get_user_yn "Do you want to run the configuration script"; then
  ./configure.sh
fi

echo ""
echo "-------------------------------------------------------------------------------"
echo "** NOTE: You can now (manually) start the firewall by executing              **"
echo "**       \"/usr/local/sbin/arno-iptables-firewall start\"                     **"
echo "**       It is recommended however to first review the settings in           **"
echo "**       /etc/arno-iptables-firewall/firewall.conf!                          **"
echo "-------------------------------------------------------------------------------"
echo ""

if get_user_yn "(Re)start firewall"; then
  /usr/local/sbin/arno-iptables-firewall restart
fi

exit 0


aif-2.1.2a/lib/systemd/system/arno-iptables-firewall.service

[Unit]
Description=Arno's Iptables Firewall(AIF)
Documentation=man:arno-iptables-firewall(8)
Documentation=https://github.com/arno-iptables-firewall/aif
DefaultDependencies=no
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/arno-iptables-firewall start
ExecStop=/usr/local/sbin/arno-iptables-firewall stop
ExecReload=/usr/local/sbin/arno-iptables-firewall force-reload
RemainAfterExit=yes
ProtectSystem=true
ProtectHome=true
PrivateTmp=false
LimitNPROC=1
DeviceAllow=/dev/null rw

[Install]
WantedBy=multi-user.target


aif-2.1.2a/share/arno-iptables-firewall/aif-job-execute

#!/bin/sh
# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) =-
#      Single- & multi-homed firewall script with DSL/ADSL support
#
#           ~ In memory of my dear parents ~
#
# (C) Copyright 2001-2021 by Arno van Amersfoort & Lonnie Abelbeck
# Web        : https://github.com/arno-iptables-firewall/aif
# Email      : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

# Location of the main configuration file for the firewall
##########################################################
CONF_FILE=/etc/arno-iptables-firewall/firewall.conf

# Define some global variables
OPT_INDENT=""
JOB_HELPER_PATH=""

# Check sanity of environment
sanity_check()
{
  if [ -z "$JOB_HELPER_PATH" ]; then
    echo "** ERROR: Missing job-helper argument!" >&2
    return 1
  fi

  return 0
}


show_help()
{
  echo "Usage: $(basename $0) [options] {plugin_helper_path}" >&2
  echo "" >&2
  echo "Options:" >&2
  echo "--help|-h            - Print this help" >&2
  echo "--indent='{indent}'  - Use {indent} for line indention" >&2
  echo ""
}


process_commandline()
{
  # Check arguments
  while [ -n "$1" ]; do
    ARG="$1"
    ARGNAME="${ARG%%=*}"
    # Can't directly obtain value as = is optional!:
    ARGVAL="${ARG#$ARGNAME}"
    ARGVAL="${ARGVAL#=}"

    case "$ARGNAME" in
      --help|-h) show_help
                 exit 0
                 ;;
      --indent|-i) OPT_INDENT="$ARGVAL"
                   ;;
      -*) echo "ERROR: Bad argument \"$ARG\"" >&2
          echo "" >&2
          show_help
          exit 1
          ;;
      *) JOB_HELPER_PATH="$ARG"
         ;;
    esac

    shift # Next argument
  done
}


############
# Mainline #
############
process_commandline "$@"

if [ ! -f "$CONF_FILE" ]; then
  echo "ERROR: Could not read configuration file ($CONF_FILE)!" >&2
  echo "" >&2
  exit 2
fi

# Source config file
. "$CONF_FILE"

# Check if the environment file exists and if so, load it
#########################################################
ENV_FILE="${0%/*}/environment"
if [ ! -f "$ENV_FILE" ]; then
  echo "** ERROR: Unable to locate environment file \"$ENV_FILE\"!" >&2
  exit 2
fi

# Source environment file
. "$ENV_FILE"

# Only proceed if environment ok
if ! sanity_check; then
  exit 2
fi

# Reset to 0, just in case
PLUGIN_RET_VAL=0

LOCK_NAME="$(basename "$JOB_HELPER_PATH")"

# Enter critical section (single lock)
if ! lock_enter_single $LOCK_NAME; then
  exit 2
fi

# Set indent
INDENT="$OPT_INDENT"

# Source helper
. "$JOB_HELPER_PATH"

# Leave critical section
if ! lock_leave $LOCK_NAME; then
  exit 2
fi

# Return helper's return code
exit $PLUGIN_RET_VAL


aif-2.1.2a/share/arno-iptables-firewall/aif-job-processor

#!/bin/sh
# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) =-
#      Single- & multi-homed firewall script with DSL/ADSL support
#
#           ~ In memory of my dear parents ~
#
# (C) Copyright 2001-2021 by Arno van Amersfoort & Lonnie Abelbeck
# Web        : https://github.com/arno-iptables-firewall/aif
# Email      : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

# Location of the main configuration file for the firewall
##########################################################
CONF_FILE=/etc/arno-iptables-firewall/firewall.conf

# Set environment variables to default
VERBOSE=0

# Default sleep time (in minutes)
SLEEP_TIME=1

# Check sanity of environment
sanity_check()
{
  if [ -z "$JOBS_FILE" ]; then
    echo "** ERROR: Missing JOBS_FILE declaration in environment file!" >&2
    return 1
  fi

  if [ ! -f "$JOBS_FILE" ]; then
    echo "** ERROR: JOBS_FILE($JOBS_FILE) does not exist!" >&2
    return 1
  fi

  return 0
}


# Sleep $1 minutes in 1-second steps; returns 0 early if $2 (the jobs file) disappears, 1 on timeout
idle_wait()
{
  local time="$1" chk_file="$2" cnt=0

  while [ $((cnt / 60)) -lt $time ]; do
    cnt=$((cnt + 1))
    sleep 1

    # Check for file removal
    if [ ! -f "$chk_file" ]; then
      return 0
    fi
  done

  return 1
}


# (Background) job processor
job_process()
{
  local LINE SCRIPT_NAME SCRIPT_SET_TIME SCRIPT_CUR_TIME SCRIPT_PATH READ_JOBS_FILE result retval

  [ $VERBOSE -eq 1 ] && echo "Starting jobs process..."

  # Loop (until JOBS_FILE is deleted)
  while true; do
    # Enter critical section:
    if ! lock_enter "$JOBS_LOCK_NAME"; then
      # Lock failed, just keep trying forever since there's no point in exiting here
      [ $VERBOSE -eq 1 ] && echo "Lock failed, (re)trying next loop..."
    else
      READ_JOBS_FILE="$(cat "$JOBS_FILE" 2>/dev/null)"

      # Each jobs-file line is: name set_time cur_time path
      IFS=$EOL
      for LINE in $READ_JOBS_FILE; do
        SCRIPT_NAME="$(echo "$LINE" |cut -d' ' -f1)"
        SCRIPT_SET_TIME="$(echo "$LINE" |cut -d' ' -f2)"
        SCRIPT_CUR_TIME="$(echo "$LINE" |cut -d' ' -f3)"
        SCRIPT_PATH="$(echo "$LINE" |cut -d' ' -f1,2,3 --complement)"

        # Increment current time (in minutes)
        SCRIPT_CUR_TIME=$((SCRIPT_CUR_TIME + SLEEP_TIME))

        [ $VERBOSE -eq 1 ] && echo "Processing job \"$SCRIPT_NAME\"..."

        if [ $SCRIPT_CUR_TIME -ge $SCRIPT_SET_TIME ]; then
          [ $VERBOSE -eq 1 ] && echo "  Countdown reached, running job \"$SCRIPT_NAME\"..."

          # Create extra FD
          exec 3>&1

          if [ $VERBOSE -ne 1 ]; then
            exec 3>/dev/null
          fi

          result="$("$JOB_EXECUTER" "$SCRIPT_PATH" 2>&1 1>&3)"
          retval=$?

          # Release extra FD
          exec 3>&-

          # In case an error occurred, log it
          if [ $retval -ne 0 ]; then
            echo "$result (error=$retval)" >&2
            echo "$result (error=$retval)" |log_msg "${SCRIPT_NAME}: "
          elif [ -n "$result" -a $VERBOSE -eq 1 ]; then
            echo "$result"
          fi

          # Reset counter
          SCRIPT_CUR_TIME=0
        fi

        # As soon as the jobs file gets removed, stop processing (and terminate)
        if [ ! -f "$JOBS_FILE" ]; then
          # Leave critical section:
          lock_leave "$JOBS_LOCK_NAME"
          return 0 # We're done
        fi

        # Update job
        sed -i "s,^$SCRIPT_NAME[[:blank:]].*,$SCRIPT_NAME $SCRIPT_SET_TIME $SCRIPT_CUR_TIME $SCRIPT_PATH," "$JOBS_FILE"
      done
    fi

    # Leave critical section:
    lock_leave "$JOBS_LOCK_NAME"
    #if ! lock_leave "$JOBS_LOCK_NAME"; then
    #  [ $VERBOSE -eq 1 ] && echo "Lock removal failed, terminating..."
    #  return 1
    #fi

    [ $VERBOSE -eq 1 ] && echo "Sleeping $SLEEP_TIME minutes..."

    # Idle wait SLEEP_TIME minutes unless the jobs file gets removed
    if idle_wait "$SLEEP_TIME" "$JOBS_FILE"; then
      [ $VERBOSE -eq 1 ] && echo "Jobs file removed, terminating..."
      return 0 # No jobs file: We're done
    fi
  done

  return 0
}


show_help()
{
  echo "Usage: $(basename $0) [options]" >&2
  echo "" >&2
  echo "Options:" >&2
  echo "--help|-h       - Print this help" >&2
  echo "--verbose       - Be verbose with displaying info (only recommended when not backgrounded!)" >&2
  echo "--sleep=n|-s=n  - Sleep n minutes after each run (default is 1)" >&2
  echo ""
}


process_commandline()
{
  # Check arguments
  while [ -n "$1" ]; do
    ARG="$1"
    ARGNAME="${ARG%%=*}"
    # Can't directly obtain value as = is optional!:
    ARGVAL="${ARG#$ARGNAME}"
    ARGVAL="${ARGVAL#=}"

    case "$ARGNAME" in
      --sleep|-s) SLEEP_TIME="$ARGVAL";;
      --verbose|-v) VERBOSE=1;;
      --help|-h) show_help; exit 0 ;;
      -*) echo "ERROR: Bad argument \"$ARG\"" >&2
          echo "" >&2
          show_help
          exit 1
          ;;
      *) echo "ERROR: Bad command syntax with argument \"$ARG\"" >&2
         echo "" >&2
         show_help
         exit 1
         ;;
    esac

    shift # Next argument
  done
}


############
# Mainline #
############
process_commandline $*

if [ ! -f "$CONF_FILE" ]; then
  echo "ERROR: Could not read configuration file ($CONF_FILE)!" >&2
  echo "" >&2
  exit 1
fi

# Source config file
. "$CONF_FILE"

# Check if the environment file exists and if so, load it
#########################################################
ENV_FILE="${0%/*}/environment"
if [ ! -f "$ENV_FILE" ]; then
  echo "** ERROR: Unable to locate environment file \"$ENV_FILE\"!" >&2
  exit 2
fi

# Source environment file
. "$ENV_FILE"

# Only proceed if environment ok
if sanity_check; then
  job_process
fi


aif-2.1.2a/share/arno-iptables-firewall/environment

# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) =-
#      Single- & multi-homed firewall script with DSL/ADSL support
#
#           ~ In memory of my dear parents ~
#
# (C) Copyright 2001-2024 by Arno van Amersfoort & Lonnie Abelbeck
# Web        : https://github.com/arno-iptables-firewall/aif
# Email      : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#              (note: you must remove all spaces and substitute the @ and the .
#              at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------

# NOTE: When used in combination with firewall.conf, load firewall.conf first before calling us!
# Some predefined variables/macros:
ANYHOST="0/0"
ANYPORT="0:65535"
SEP="~"
SEP2="#"
SEP3="|"
INDENT=""
TAB="$(printf '\t')"
# EOL holds a literal newline, used as IFS when iterating over lines
EOL='
'

# Globals variables:
RULE_WARNING=0
DNS_FAST_FAIL_ONCE=0

################################# Functions ####################################

# Find command path with '/hint/path/command' as the argument
find_command()
{
  local cmd IFS

  IFS=' '
  for cmd in $*; do
    if [ -x "$cmd" ]; then
      echo "$cmd"
      return 0
    fi
  done

  which $(basename "$1") 2>/dev/null

  return 1
}


# Check whether a certain command is available
check_command()
{
  local cmd path IFS

  IFS=' '
  for cmd in $*; do
    case "$cmd" in
      /*) path="" ;;
      ip|tc|modprobe|sysctl) path="/sbin/" ;;
      sed|cat|date|uname) path="/bin/" ;;
      ipset) path="/usr/sbin/" ;;
      *) path="/usr/bin/" ;;
    esac

    if [ -x "$path$cmd" ]; then
      return 0
    fi

    if [ -n "$(which "$cmd" 2>/dev/null)" ]; then
      return 0
    fi
  done

  return 1
}


# Check whether a binary is available and if not, generate an error and stop program execution
check_command_error()
{
  local IFS=' '

  if ! check_command "$@"; then
    printf "\033[40m\033[1;31mERROR  : Command(s) \"$(echo "$@" |tr ' ' '|')\" is/are not available!\033[0m\n" >&2
    printf "\033[40m\033[1;31m         Please investigate. Quitting...\033[0m\n" >&2
    echo ""
    exit 2
  fi
}


# Check whether a binary is available and if not, generate a warning but continue program execution
check_command_warning()
{
  local retval IFS=' '

  check_command "$@"
  retval=$?

  if [ $retval -ne 0 ]; then
    printf "\033[40m\033[1;31mWARNING: Command(s) \"$(echo "$@" |tr ' ' '|')\" is/are not available!\033[0m\n" >&2
    printf "\033[40m\033[1;31m         Please investigate. This *may* be a problem!\033[0m\n" >&2
    echo ""
  fi

  return $retval
}


# Check if the current kernel is at least a certain version (or newer)
# Arguments: major minor rev (eg. "2 6 25") or a single dotted version (eg. "2.6.25")
# Return    : 0 = kernel is equal or newer, 1 = kernel is older
######################################################################
kernel_ver_chk()
{
  local maj min rev ver ver_maj ver_min ver_rev

  if [ -n "$2" ]; then
    maj="$1"
    min="$2"
    rev="$3"
  else
    maj=$(echo "$1" |cut -s -d'.' -f1)
    min=$(echo "$1" |cut -s -d'.' -f2)
    rev=$(echo "$1" |cut -s -d'.' -f3)
  fi

  ver=$(uname -r |cut -d'-' -f1)

  ver_maj=$(echo "$ver" |cut -s -d'.' -f1)
  if [ $ver_maj -gt $maj ]; then
    return 0
  elif [ $ver_maj -lt $maj ]; then
    return 1
  fi

  ver_min=$(echo "$ver" |cut -s -d'.' -f2)
  if [ $ver_min -gt $min ]; then
    return 0
  elif [ $ver_min -lt $min ]; then
    return 1
  fi

  # A missing revision (eg. kernel "6.8" or argument "6 8") counts as 0
  ver_rev=$(echo "$ver" |cut -s -d'.' -f3)
  if [ ${ver_rev:-0} -gt ${rev:-0} ]; then
    return 0
  elif [ ${ver_rev:-0} -lt ${rev:-0} ]; then
    return 1
  fi

  return 0
}


# nf_conntrack helper assignment
# Example: load_conntrack_helper_module ftp tcp 21
##
load_conntrack_helper_module()
{
  local helper="$1" proto="$2" dport="$3" do_iptables related

  modprobe_multi nf_conntrack_$helper ip_conntrack_$helper
  if [ "$NAT" = "1" ]; then
    modprobe_multi nf_nat_$helper ip_nat_$helper
  fi

  if ip4tables -nL CONNTRACK_HELPER >/dev/null 2>&1; then
    case $helper in
      ftp) do_iptables="iptables" ; related="-p $proto --dport 1024:" ;;
      pptp) do_iptables="ip4tables"; related="" ;;
      *) do_iptables="iptables" ; related="" ;;
    esac

    $do_iptables -A CONNTRACK_HELPER -m conntrack --ctstate RELATED -m helper --helper $helper $related -j ACCEPT
    $do_iptables -t raw -A PREROUTING -p $proto --dport $dport -j CT --helper $helper
  fi
}


# Linecount function
lc()
{
  wc -l |awk '{ print $1 }'
}


# Returns 0 when the iptables command-line adds/inserts a rule (-A/-I), so a failure counts as a rule warning
note_iptables_error()
{
  local arg IFS

  IFS='~' # expand command-line args using the unique 'tilde' character
  for arg in $*; do
    if [ "$arg" = "-A" -o "$arg" = "-I" ]; then
      return 0
    fi
  done

  return 1
}


# Translate an IPv4 icmp command-line into its ip6tables (icmpv6) equivalent
ip6tables_icmp_args()
{
  local arg args="" action="" tilde="~" IFS

  IFS='~' # expand command-line args using the unique 'tilde' character
  for arg in $*; do
    if [ "$action" = "p" ]; then
      if [ "$arg" = "icmp" ]; then
        arg="icmpv6"
      fi
      action=""
    else
      # parse option flags
      case $arg in
        --icmp-type) arg="--icmpv6-type" ;;
        -p|--proto) action="p" ;;
      esac
    fi

    # build 'tilde' separated command-line
    # Note: use $tilde instead of ~ to workaround Busybox 'ash' bug
    args="$args${args:+$tilde}$arg"
  done

  # return 'tilde' separated command-line
  echo "$args"
}


# Dual-stack iptables wrapper: dispatches to ip4tables and/or ip6tables based on the addresses/table/protocol in the rule
iptables()
{
  local arg action="" IFS
  local src=0 dst=0 table="" proto=""

  if [ "$IPV6_SUPPORT" = "1" ]; then
    IFS='~' # expand command-line args using the unique 'tilde' character
    for arg in $*; do
      if [ -n "$action" ]; then
        case $action in
          s) get_numeric_ip_version "$arg"
             src=$?
             ;;
          d) get_numeric_ip_version "$arg"
             dst=$?
             ;;
          t) table="$arg" ;;
          p) proto="$arg" ;;
        esac
        action=""
      else
        # parse option flags
        case $arg in
          -s|--source) action="s" ;;
          -d|--destination) action="d" ;;
          -t|--table) action="t" ;;
          -p|--proto) action="p" ;;
        esac
      fi
    done
    unset IFS

    #
    # Call ip4tables and/or ip6tables as appropriate
    #
    if [ $src -eq 4 -o $dst -eq 4 -o "$table" = "nat" ]; then
      ip4tables "$@"
    elif [ $src -eq 6 -o $dst -eq 6 -o "$proto" = "icmpv6" ]; then
      if [ "$proto" = "icmp" ]; then
        IFS='~'; set -- $(ip6tables_icmp_args "$@"); unset IFS
      fi
      ip6tables "$@"
    elif [ "$proto" = "icmp" ]; then
      ip4tables "$@"
      # Regenerate ip6tables command-line from the returned 'tilde' separated string
      IFS='~'; set -- $(ip6tables_icmp_args "$@"); unset IFS
      ip6tables "$@"
    else
      ip4tables "$@"
      ip6tables "$@"
    fi
  else
    #
    # Only call ip4tables since IPv6 filtering is disabled.
    #
    ip4tables "$@"
  fi
}


ip4tables()
{
  local err_result retval IFS=' '

  # Create extra FD
  exec 3>&1

  err_result=`$IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1 1>&3`
  retval=$?
  # Release extra FD
  exec 3>&-

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP4TABLES} $*\nERROR ($retval): ${err_result}\n\033[0m" >&2
    if note_iptables_error "$@"; then
      RULE_WARNING=$((RULE_WARNING + 1))
    fi
  elif [ -n "$err_result" ]; then
    # ip4tables returned success, so normal output of stderr but filter some messages
    echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-legacy tables present' >&2
  fi

  return $retval
}


ip6tables()
{
  local err_result retval IFS=' '

  # Create extra FD
  exec 3>&1

  err_result=`$IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1 1>&3`
  retval=$?

  # Release extra FD
  exec 3>&-

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP6TABLES} $*\nERROR ($retval): ${err_result}\n\033[0m" >&2
    if note_iptables_error "$@"; then
      RULE_WARNING=$((RULE_WARNING + 1))
    fi
  elif [ -n "$err_result" ]; then
    # ip6tables returned success, so normal output of stderr but filter some messages
    echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-legacy tables present' >&2
  fi

  return $retval
}


ip4tables_save()
{
  local retval IFS=' '

  $IP4TABLES_SAVE "$@"
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP4TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >&2
    RULE_WARNING=$((RULE_WARNING + 1))
  fi

  return $retval
}


ip4tables_restore()
{
  local err_result retval IFS=' '

  # Create extra FD
  exec 3>&1

  err_result=`$IP4TABLES_RESTORE "$@" 2>&1 1>&3`
  retval=$?
  # Release extra FD
  exec 3>&-

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP4TABLES_RESTORE} $*\nERROR ($retval): ${err_result}\n\033[0m" >&2
    RULE_WARNING=$((RULE_WARNING + 1))
  elif [ -n "$err_result" ]; then
    # ip4tables_restore returned success, so normal output of stderr but filter some messages
    echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-legacy tables present' >&2
  fi

  return $retval
}


ip6tables_save()
{
  local retval IFS=' '

  $IP6TABLES_SAVE "$@"
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP6TABLES_SAVE} $*\nERROR ($retval)\033[0m\n" >&2
    RULE_WARNING=$((RULE_WARNING + 1))
  fi

  return $retval
}


ip6tables_restore()
{
  local err_result retval IFS=' '

  # Create extra FD
  exec 3>&1

  err_result=`$IP6TABLES_RESTORE "$@" 2>&1 1>&3`
  retval=$?

  # Release extra FD
  exec 3>&-

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${IP6TABLES_RESTORE} $*\nERROR ($retval): ${err_result}\n\033[0m" >&2
    RULE_WARNING=$((RULE_WARNING + 1))
  elif [ -n "$err_result" ]; then
    # ip6tables_restore returned success, so normal output of stderr but filter some messages
    echo "$err_result" |grep -v -e 'WARNING:.*match is obsolete' -e 'iptables-legacy tables present' >&2
  fi

  return $retval
}


try_ip4tables()
{
  local IFS=' '
  $IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1
}


try_ip6tables()
{
  local IFS=' '
  $IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1
}


# Wrapper function for modprobe
###############################
modprobe()
{
  local result retval IFS=' '

  # Module support available?
  if [ -e /proc/modules ]; then
    # Make sure environment variable is not set
    MODPROBE_OPTIONS=""

    result=`$MODPROBE $@ 2>&1`
    retval=$?

    if [ $retval -ne 0 ]; then
      if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module" -e "^ *$"; then
        # Show any (error) messages in red
        printf "\033[40m\033[1;31m${MODPROBE} $*\nERROR ($retval): ${result}\033[0m\n" >&2
      elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
        printf "WARNING: Module \"$1\" failed to load. Assuming compiled-in-kernel.\n" >&2
      fi
      return $retval
    else
      if echo "$result" |grep -q -e '^WARNING:'; then
        # Show any (warning) messages in red
        printf "\033[40m\033[1;31m${MODPROBE} $*\nWARNING: ${result}\033[0m\n" >&2
      else
        echo "${INDENT}Loaded kernel module $1. $result"
      fi
      return 0
    fi
  elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
    echo "${INDENT}NOTE: Kernel has no module support. Assuming compiled-in-kernel for module \"$1\""
  fi

  return 0
}


# Multi modprobe - Modprobe different modules until one succeeds, group modules with a comma
modprobe_multi()
{
  local result retval OPTIONS="" MODULES="" IFS=' '

  # Split options and modules
  while [ -n "$1" ]; do
    case "$1" in
      -*) OPTIONS="$OPTIONS${OPTIONS:+ }$1";;
      *) MODULES="${MODULES}${MODULES:+ }$1";;
    esac
    shift
  done

  # Module support available?
  if [ -e /proc/modules ]; then
    # Make sure environment variable is not set
    MODPROBE_OPTIONS=""

    local module modules fail modprobe_commandline

    IFS=' '
    for modules in $MODULES; do
      fail=0

      IFS=','
      for module in $modules; do
        modprobe_commandline="$MODPROBE"
        if [ -n "$OPTIONS" ]; then
          modprobe_commandline="$modprobe_commandline $OPTIONS"
        fi
        modprobe_commandline="$modprobe_commandline $module"

        IFS=' '
        result=`$modprobe_commandline 2>&1`
        retval=$?

        if [ $retval -ne 0 ]; then
          if ! echo "$result" |grep -q -e "Module .* not found" -e "Can't locate module" -e "^ *$"; then
            # Show any (error) messages in red
            printf "\033[40m\033[1;31m${modprobe_commandline}\nERROR ($retval): $result\033[0m\n" >&2
          fi
          fail=1
        else
          if echo "$result" |grep -q -e '^WARNING:'; then
            # Show any (warning) messages in red
            printf "\033[40m\033[1;31m${modprobe_commandline}\nWARNING: $result\033[0m\n" >&2
          else
            echo "${INDENT}Loaded kernel module $module. $result"
          fi
        fi
      done

      if [ $fail -eq 0 ]; then
        return 0
      fi
    done

    if [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
      printf "WARNING: Modules \"$(echo "$MODULES" |tr ' ' '|')\" failed to load. Assuming compiled-in-kernel.\n" >&2
      return 1
    fi
  elif [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then
    echo "${INDENT}NOTE: Kernel has no module support. Assuming compiled-in-kernel for modules \"$(echo "$MODULES" |tr ' ' '|')\""
  fi

  return 0
}


# sysctl binary wrapper
#######################
sysctl()
{
  local result retval IFS=' '

  result=`$SYSCTL "$@" 2>&1`
  retval=$?

  if [ $retval -ne 0 ]; then
    # Show any (error) messages in red
    printf "\033[40m\033[1;31m${SYSCTL} $*\nERROR ($retval): ${result}\033[0m\n" >&2
    return $retval
  fi

  if [ -n "$result" ]; then
    echo "${INDENT}$result"
  fi

  return 0
}


# Multi sysctl - Try sysctl-variables until one succeeds
sysctl_multi()
{
  local result retval OPTIONS="" VARIABLES="" IFS=' '

  while [ -n "$1" ]; do
    # Combine options and exit on first non-option
    case "$1" in
      -*) OPTIONS="${OPTIONS}${OPTIONS:+ }$1";;
      *) VARIABLES="${VARIABLES}${VARIABLES:+ }$1";;
    esac
    shift
  done

  IFS=' '
  for variable in $VARIABLES; do
    if $SYSCTL "$(echo "$variable" |cut -d'=' -f1)" >/dev/null 2>&1; then
      local sysctl_commandline="$SYSCTL"
      if [ -n "$OPTIONS" ]; then
        sysctl_commandline="$sysctl_commandline $OPTIONS"
      fi
      sysctl_commandline="$sysctl_commandline $variable"

      result=`$sysctl_commandline 2>&1`
      retval=$?

      if [ $retval -eq 0 ]; then
        if [ -n "$result" ]; then
          echo "${INDENT}$result"
        fi
        return 0
      else
        # Show any (error) messages in red
        printf "\033[40m\033[1;31m${sysctl_commandline}\nERROR ($retval): $result\033[0m\n" >&2
      fi
    fi
  done

  printf "\033[40m\033[1;31mERROR: Unable to find kernel parameters \"$(echo "$VARIABLES" |tr ' ' '|')\"!\033[0m\n" >&2
  return 1
}


# Set a value for sysctl wildcard interfaces (like "net.ipv4.conf.*.rp_filter")
# $1 = prefix (eg. net.ipv4.conf)
# $2 = variable (eg. rp_filter)
# $3 = value to set
sysctl_set_all()
{
  local prefix="$1" variable="$2" value="$3"
  local interface line IFS

  IFS=$EOL
  for line in $($SYSCTL -a 2>/dev/null |cut -d' ' -f1 |grep "^${prefix}\..*\.${variable}$"); do
    IFS=' ,'
    for interface in all default lo $EXT_IF $INT_IF $DMZ_IF; do
      if [ "$line" = "$prefix.$interface.$variable" ]; then
        sysctl -w "$line=$value"
        break
      fi
    done
  done
}


sysctl_key_prefix()
{
  $SYSCTL -a 2>/dev/null |grep -q "^$1"
}


sysctl_key_match()
{
  $SYSCTL "$1" >/dev/null 2>&1
}


sysctl_get_value()
{
  $SYSCTL -n "$1" 2>/dev/null
}


# tc binary wrapper
###################
tc()
{
  $TC "$@"
}


# ip binary wrapper
###################
ip()
{
  $IP "$@"
}


# dig binary wrapper
####################
dig()
{
  local x=0 addr name lines item retval first dig_args IFS

  if [ -n "$DIG" ]; then
    dig_args="+noauthority +noadditional"

    if [ "$DNS_FAST_FAIL" = "1" -o "$DNS_FAST_FAIL_ONCE" = "1" ]; then
      dig_args="$dig_args +tries=1 +time=1"
      DNS_FAST_FAIL_ONCE=0
    fi

    if [ "$IPV6_SUPPORT" = "1" ]; then
      dig_args="$dig_args any" # To obtain AAAA-record as well
    fi

    IFS=' '
    lines="$($DIG $dig_args $@)"
    retval=$?
first=1 IFS=$EOL for item in $(echo "$lines" |awk '{ if (substr($0,0,1) != ";" && ($4 == "A" || $4 == "AAAA" || $4 == "PTR")) print $NF }'); do if [ $first -eq 1 ]; then first=0 else printf " " fi printf "$item" done echo "" # Carriage return return $retval elif [ -n "$NSLOOKUP" ]; then while [ $# -gt 1 ]; do if [ "$1" = "-x" ]; then x=1 fi shift done if [ -n "$1" ]; then if [ "$DNS_FAST_FAIL" = "1" -o "$DNS_FAST_FAIL_ONCE" = "1" ]; then lines="$($NSLOOKUP -retry=1 -timeout=1 "$1" |sed -e "1,2d")" DNS_FAST_FAIL_ONCE=0 else lines="$($NSLOOKUP "$1" |sed -e "1,2d")" fi addr="" name="" IFS=$EOL for line in $lines; do case "$line" in 'Address'*) addr="${addr}${addr:+ }$(echo "$line" |sed -n -r -e 's/^Address.*: *([0-9.]{7,}).*$/\1/p')" ;; *'name = '*) name="${name}${name:+ }$(echo "$line" |sed -e 's/^.*name = *//' -e 's/ .*$//')" ;; esac done if [ $x -eq 0 -a -n "$addr" ]; then echo "$addr" return 0 elif [ $x -eq 1 -a -n "$name" ]; then echo "$name" return 0 fi # Failure: return 9 fi return 1 else return 9 fi } # Helper function to expand out wildcards in interface name list wildcard_ifs() { local expnd if0 if1 expnd="" local IFS=', ' for if0 in $*; do if1="$if0" case $if1 in *+) if1="${if1%+}" if1="$(ip link | awk "\$2 ~ /${if1}[0-9]+:/ { print substr(\$2, 1, length(\$2)-1); }" | tr '\n' ' ')" if [ -z "$if1" ]; then echo "wildcard: $if0 unmatched!" 
>&2 continue fi ;; esac expnd="$expnd${expnd:+ }$if1" done echo "$expnd" } parse_rule() { local rule="$1" var="$2" type="$3" left_rule right_rule case $type in hosts-ports|hosts-protos) hosts=$(get_hosts_ihp "$rule") ports=$(get_ports_ihp "$rule") if [ -z "$hosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; hosts:ANYHOST-ports:ANYPORT|hosts:ANYHOST-protos) hosts=$(get_hosts_ihp "$rule" "$ANYHOST") if [ "$type" = "hosts:ANYHOST-ports:ANYPORT" ]; then ports=$(get_ports_ihp "$rule" "$ANYPORT") else ports=$(get_ports_ihp "$rule") fi if [ -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-ports|interfaces-protos) interfaces=$(get_ifs "$rule") ports=$(get_ports_ip "$rule") if [ -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-srcips-ports|interfaces-srcips-protos) interfaces=$(get_ifs "$rule") srcips=$(get_ips "$rule") ports=$(get_ports_ip "$rule") if [ -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-srcips-hosts) interfaces=$(get_ifs "$rule") srcips=$(get_ips "$rule") hosts=$(get_hosts_ih "$rule") if [ -z "$hosts" ]; then parse_rule_warning "$rule" return 1 fi ;; interfaces-srcips-hosts-ports|interfaces-srcips-hosts-protos) interfaces=$(get_ifs "$rule") srcips=$(get_ips "$rule") hosts=$(get_hosts_ihp "$rule") ports=$(get_ports_ihp "$rule") if [ -z "$hosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-destips-ports|interfaces-destips-protos) interfaces=$(get_ifs "$rule") destips=$(get_ips "$rule") ports=$(get_ports_ip "$rule") if [ -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-destips-hosts) interfaces=$(get_ifs "$rule") destips=$(get_ips "$rule") hosts=$(get_hosts_ih "$rule") if [ -z "$hosts" ]; then parse_rule_warning "$rule" return 1 fi ;; interfaces-destips-hosts-ports|interfaces-destips-hosts-protos) interfaces=$(get_ifs 
"$rule") destips=$(get_ips "$rule") hosts=$(get_hosts_ihp "$rule") ports=$(get_ports_ihp "$rule") if [ -z "$hosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; shosts:ANYHOST-dhosts-ports:ANYPORT|shosts:ANYHOST-dhosts-ports|shosts:ANYHOST-dhosts-protos) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -d'>' -f2) shosts=$(get_hosts_ih "$left_rule" "$ANYHOST") dhosts=$(get_hosts_hp "$right_rule") if [ "$type" = "shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then ports=$(get_ports_hp "$right_rule" "$ANYPORT") else ports=$(get_ports_hp "$right_rule") fi if [ -z "$dhosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT|interfaces-shosts:ANYHOST-dhosts-protos) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -d'>' -f2) interfaces=$(get_ifs "$left_rule") shosts=$(get_hosts_ih "$left_rule" "$ANYHOST") dhosts=$(get_hosts_hp "$right_rule") if [ "$type" = "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT" ]; then ports=$(get_ports_hp "$right_rule" "$ANYPORT") else ports=$(get_ports_hp "$right_rule") fi if [ -z "$dhosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces-shosts-dhosts-ports:ANYPORT|interfaces-shosts-dhosts-protos) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -s -d'>' -f2) interfaces=$(get_ifs "$left_rule") shosts=$(get_hosts_ih "$left_rule") dhosts=$(get_hosts_hp "$right_rule") if [ "$type" = "interfaces-shosts-dhosts-ports:ANYPORT" ]; then ports=$(get_ports_hp "$right_rule" "$ANYPORT") else ports=$(get_ports_hp "$right_rule") fi if [ -z "$shosts" -o -z "$dhosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT|interfaces:EXT_IF-shosts-dhosts-protos) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -s -d'>' -f2) 
interfaces=$(get_ifs "$left_rule" "$EXT_IF") shosts=$(get_hosts_ih "$left_rule") dhosts=$(get_hosts_hp "$right_rule") if [ "$type" = "interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT" ]; then ports=$(get_ports_hp "$right_rule" "$ANYPORT") else ports=$(get_ports_hp "$right_rule") fi if [ -z "$shosts" -o -z "$dhosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" ;; interfaces:EXT_IF-destips-shosts-ports-dhost_dport|interfaces:EXT_IF-destips-shosts-protos-dhost) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -s -d'>' -f2) interfaces=$(get_ifs "$left_rule" "$EXT_IF") destips=$(get_ips "$left_rule") # Check for separator(SEP) if echo "$left_rule" |grep -q "$SEP"; then shosts=$(get_hosts_ihp "$left_rule") ports=$(get_ports_ihp "$left_rule") else # Assume ports/protos only if no separator shosts="$ANYHOST" ports=$(get_ports_ip "$left_rule") fi dhost_dport="$right_rule" if [ -z "$shosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" dhost="$dhost_dport" ;; interfaces:NAT_IF-destips-shosts-ports-dhost_dport|interfaces:NAT_IF-destips-shosts-protos-dhost) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -s -d'>' -f2) interfaces=$(get_ifs "$left_rule" "$NAT_IF") destips=$(get_ips "$left_rule") # Check for separator(SEP) if echo "$left_rule" |grep -q "$SEP"; then shosts=$(get_hosts_ihp "$left_rule") ports=$(get_ports_ihp "$left_rule") else # Assume ports/protos only if no separator shosts="$ANYHOST" ports=$(get_ports_ip "$left_rule") fi dhost_dport="$right_rule" if [ -z "$shosts" -o -z "$ports" ]; then parse_rule_warning "$rule" return 1 fi protos="$ports" dhost="$dhost_dport" ;; shosts:ANYHOST-dhosts) left_rule=$(echo "$rule" |cut -s -d'>' -f1) right_rule=$(echo "$rule" |cut -d'>' -f2) shosts=$(get_hosts_ih "$left_rule" "$ANYHOST") dhosts=$(get_hosts_hp "$right_rule") if [ -z "$dhosts" ]; then parse_rule_warning "$rule" return 1 fi ;; shosts-dhosts:ANYHOST) 
left_rule=$(echo "$rule" |cut -d'>' -f1) right_rule=$(echo "$rule" |cut -s -d'>' -f2) shosts=$(get_hosts_ih "$left_rule") dhosts=$(get_hosts_hp "$right_rule" "$ANYHOST") if [ -z "$shosts" ]; then parse_rule_warning "$rule" return 1 fi ;; *) echo "** ERROR: Invalid rule parse type \"$type\"!" >&2 return 1 ;; esac return 0 } parse_rule_warning() { local rule="$1" RULE_WARNING=$((RULE_WARNING + 1)) echo "** WARNING: In variable $var, Rule: \"$rule\" is ignored." >&2 } # Helper function to work around non working + wildcard in some versions of iptables ipt_if() { if [ -n "$2" -a "$2" != "+" ]; then echo "$1${IFS:- }$2" fi } # Helper function to get interface(s) from variable get_ifs() { local result="" if echo "$1" |grep -q -e "$SEP2"; then result="$(echo "$1" |cut -s -d"$SEP2" -f1 |grep -v -e '[.][0-9][0-9]*[.]' -e ':[0-9a-fA-F]*:' -e "$ANYHOST" |tr ' ' ',')" fi if [ -n "$result" ]; then echo "$result" return 0 else if [ -n "$2" ]; then echo "$2" else echo "+" fi return 1 fi } # Helper function to get source/destination interface IP(s) from variable get_ips() { local result="" if echo "$1" |grep -q -e "$SEP2"; then result="$(echo "$1" |cut -s -d"$SEP2" -f1 |grep -e '[.][0-9][0-9]*[.]' -e ':[0-9a-fA-F]*:' -e "$ANYHOST" |tr ' ' ',')" fi if [ -n "$result" ]; then echo "$result" return 0 else if [ -n "$2" ]; then echo "$2" else echo "$ANYHOST" fi return 1 fi } # Helper function to get hostname(s) from variable (ifs|ips#hosts) get_hosts_ih() { local result="$(echo "$1" |sed "s!^.*$SEP2!!")" if [ -n "$result" ]; then echo "$result" return 0 else echo "$2" return 1 fi } # Helper function to get hostname(s) from variable (ifs|ips#hosts~ports|protos) get_hosts_ihp() { local result="$(echo "$1" |sed "s!^.*$SEP2!!" 
|cut -s -d"$SEP" -f1)" if [ -n "$result" ]; then echo "$result" return 0 else echo "$2" return 1 fi } # Helper function to get port(s) from variable (ifs|ips#hosts~ports|protos) get_ports_ihp() { local result="$(echo "$1" |sed "s!^.*$SEP2!!")" if echo "$result" |grep -q -e "$SEP"; then echo "$result" |cut -s -d"$SEP" -f2 |tr '-' ':' return 0 elif [ -n "$2" ]; then # Use default, if specified echo "$2" return 1 else # When we have no separator, assume port(s) only and no host(s) echo "$result" |tr '-' ':' return 0 fi } # Helper function to get hostname(s) from variable (hosts~ports|protos) get_hosts_hp() { local result="$(echo "$1" |sed "s!^.*$SEP2!!")" if echo "$result" |grep -q -e "$SEP"; then echo "$result" |cut -s -d"$SEP" -f1 return 0 elif [ -n "$2" ]; then # Use default, if specified echo "$2" return 1 else # When we have no separator, assume host(s) only and no port(s) echo "$result" return 0 fi } # Helper function to get port(s) from variable (hosts~ports|protos) get_ports_hp() { local result="$(echo "$1" |sed "s!^.*$SEP2!!")" if echo "$result" |grep -q -e "$SEP"; then echo "$result" |cut -s -d"$SEP" -f2 |tr '-' ':' return 0 else echo "$2" return 1 fi } # Helper function to get port(s) from variable (ifs|ips#ports|protos) get_ports_ip() { local result="$(echo "$1" |sed "s!^.*$SEP2!!")" if [ -n "$result" ]; then echo "$result" |tr '-' ':' return 0 else echo "$2" return 1 fi } get_numeric_ip_version() { case $1 in 0/0) ;; [0-9][0-9.][0-9.][0-9.][0-9.]*.*[0-9]) return 4 ;; [0-9]*.*/*[0-9]|[0-9]/*[0-9]|[1-9][0-9]/*[0-9]|[12][0-9][0-9]/*[0-9]) return 4 ;; *:*) return 6 ;; esac return 0 # Unknown, possibly a hostname } # Is argument IPv4 numeric? is_numeric_ipv4() { if [ "$1" = "0/0" ]; then return 0 # Consider 0/0 also as numeric fi get_numeric_ip_version "$1" if [ $? -eq 4 ]; then return 0 fi return 1 } # Is argument IPv6 numeric? is_numeric_ipv6() { if [ "$1" = "0/0" ]; then return 0 # Consider 0/0 also as numeric fi get_numeric_ip_version "$1" if [ $? 
  -eq 6 ]; then
    return 0
  fi

  return 1
}

# Is argument a (numeric) IP?
is_numeric_ip()
{
  if [ "$1" = "0/0" ]; then
    return 0 # Consider 0/0 also as numeric
  fi

  get_numeric_ip_version "$1"
  if [ $? -ne 0 ]; then
    return 0
  fi

  return 1
}

# Helper function to resolve an IP to a DNS name
# $1 = IP. $2 (optional) = Additional arguments for dig. stdout = DNS name
gethostbyaddr()
{
  local host="$1" result retval=0

  # We can't resolve addresses with a subnet mask
  case "$host" in
    */*) return 1 ;;
  esac

  # Don't try to resolve DNS names:
  if ! is_numeric_ip "$host"; then
    # It's a DNS name already, so just return it
    echo "$host"
    return 0
  fi

  shift
  result="$(dig -x "$@" "$host")"
  retval=$?
  if [ $retval -eq 0 ]; then
    if [ -n "$result" ]; then
      echo "$result"
      return 0
    else
      return 1
    fi
  else
    return $retval
  fi
}

# Helper function to resolve a DNS name to an IP
# $1 = Hostname. $2 (optional) = Additional arguments for dig. stdout = IP
gethostbyname()
{
  local host="$1" result retval=0

  # Don't try to resolve IPs:
  if is_numeric_ip "$host"; then
    # It's an IP already, so just return it
    echo "$host"
    return 0
  fi

  shift
  result="$(dig "$@" "$host")"
  retval=$?
  if [ $retval -eq 0 ]; then
    if [ -n "$result" ]; then
      echo "$result"
      return 0
    else
      return 1
    fi
  else
    return $retval
  fi
}

# Get resolved host->ip from host cache
# Arguments : $1 = hostname to resolve
# Returns   : 0 = Got result, 1 = no result, 2 = in cache with no-ip. IP is sent to stdout (if any).
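The two cache helpers that follow (get_dynamic_host_from_cache and get_dynamic_host_cached) share one on-disk contract: one line per host of the form `host ip[,ip...]|NO_IP minutes fail_count`, a freshness window of DNS_MAX_AGE minutes, negative caching via NO_IP, and, when DNS_FAIL_THRESHOLD is not 0, reuse of the last known IP while DNS is failing. The script below is an added example and not AIF code: it rebuilds that contract in isolation with a table-driven stand-in for gethostbyname(), so the behaviour can be exercised offline. Every `demo_*` name, the sample hosts and their answers are constructed here. Two points a practitioner should take from it: the resolved IP ends up in firewall rules, so the cache file is trusted input and its directory must not be writable by other users; and "re-using old IP" means that if the dynamic host has moved, the rule keeps opening the old address for whoever holds it now until DNS recovers.

```shell
#!/bin/sh
# Added example, not part of AIF: the on-disk contract of the host cache
# used by get_dynamic_host_from_cache()/get_dynamic_host_cached(), with a
# table-driven stand-in for gethostbyname() so it runs offline.
# All demo_* names, the sample hosts and their answers are constructed here.

DEMO_CACHE="$(mktemp)"        # stand-in for /var/tmp/aif_host_cache
DEMO_MAX_AGE=10                # DNS_MAX_AGE, in minutes
DEMO_FAIL_THRESHOLD=4          # DNS_FAIL_THRESHOLD; 0 = never hand out a stale IP

# Constructed "DNS": one "host ip[,ip...]" line per host. Emptying the
# table simulates an outage in which every lookup fails.
DEMO_DNS_ANSWERS="vpn.example.net 203.0.113.10
office.example.net 198.51.100.7,2001:db8::7"

demo_gethostbyname()   # host -> IPs on stdout, non-zero when unknown
{
  printf '%s\n' "$DEMO_DNS_ANSWERS" \
    | awk -v h="$1" '$1 == h { print $2; found = 1 } END { exit !found }'
}

# Cache line format, one host per line:
#   <host> <ip[,ip...]|NO_IP> <minutes since the epoch> <fail_count>
demo_cache_get()   # host -> its cache line, if any
{
  awk -v h="$1" '$1 == h { print; exit }' "$DEMO_CACHE"
}

demo_cache_put()   # host store_ip minutes fail_count
{
  local tmp="$DEMO_CACHE.tmp"
  # Replace the host's line or append one. Comparing the whole first field
  # sidesteps the unescaped-regex problem of sed "s/^$host[[:blank:]].*/.../"
  # (a dot in the hostname matches any character there).
  awk -v h="$1" -v line="$1 $2 $3 $4" \
    '$1 == h { print line; seen = 1; next } { print } END { if (!seen) print line }' \
    "$DEMO_CACHE" > "$tmp" && mv "$tmp" "$DEMO_CACHE"
}

# Resolve through the cache. $1 = host, $2 = "now" in minutes.
# stdout: comma separated IPs; returns 0 when there is an IP to use, 1 when not.
demo_resolve_cached()
{
  local host="$1" now="$2" entry ip="" stamp fails="" result

  entry="$(demo_cache_get "$host")"
  if [ -n "$entry" ]; then
    set -- $entry
    ip="$2" stamp="$3" fails="$4"
    # Same freshness window as the page: stamp <= now <= stamp + max_age
    if [ "$stamp" -le "$now" ] && [ "$now" -le $((stamp + DEMO_MAX_AGE)) ]; then
      [ "$ip" = "NO_IP" ] && return 1      # a cached failure is also a result
      echo "$ip"
      return 0
    fi
  fi

  if result="$(demo_gethostbyname "$host")" && [ -n "$result" ]; then
    demo_cache_put "$host" "$result" "$now" 0
    echo "$result"
    return 0
  fi

  # Lookup failed. Count the failure (wrapping at the threshold, as the page
  # does) and reuse the old entry if the threshold allows it.
  fails=$(( ${fails:-0} + 1 ))
  if [ "$DEMO_FAIL_THRESHOLD" -gt 0 ] && [ "$fails" -ge "$DEMO_FAIL_THRESHOLD" ]; then
    fails=1
  fi
  if [ "$DEMO_FAIL_THRESHOLD" != 0 ] && [ -n "$ip" ] && [ "$ip" != "NO_IP" ]; then
    demo_cache_put "$host" "$ip" "$now" "$fails"
    echo "$ip"
    return 0
  fi
  # Record the miss too, else every plugin/rule would retry the same lookup
  demo_cache_put "$host" NO_IP "$now" "$fails"
  return 1
}

# Timeline exercised by the self-check: fresh lookup, cache hit, then an
# outage in which the stale IP is reused and an unknown host is negatively cached.
demo_cache_scenarios()
{
  local out saved

  : > "$DEMO_CACHE"
  out="$(demo_resolve_cached vpn.example.net 100)"        # looked up and stored
  out="$out $(demo_resolve_cached vpn.example.net 105)"   # within 10 min: cache hit

  saved="$DEMO_DNS_ANSWERS"
  DEMO_DNS_ANSWERS=""                                     # outage starts
  out="$out $(demo_resolve_cached vpn.example.net 120 || echo FAIL)"  # stale, but reused
  demo_resolve_cached nosuch.example.net 120 >/dev/null || out="$out none"
  DEMO_DNS_ANSWERS="$saved"

  out="$out fails=$(demo_cache_get vpn.example.net | cut -d' ' -f4)"
  out="$out nosuch=$(demo_cache_get nosuch.example.net | cut -d' ' -f2)"
  echo "$out"
}

demo_cache_cleanup() { rm -f "$DEMO_CACHE" "$DEMO_CACHE.tmp"; }

demo_cache_scenarios
```

Running it prints `203.0.113.10 203.0.113.10 203.0.113.10 none fails=1 nosuch=NO_IP`: the third answer is the stale address handed out during the outage, with the failure counter at 1. Setting DEMO_FAIL_THRESHOLD=0 before the outage makes the same lookup fail and store NO_IP instead, which is the setting to prefer when a stale address opening a hole is worse than a dynamic host dropping off the rule set.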
# NOTE      : Hosts with multiple IPs are outputted space separated
get_dynamic_host_from_cache()
{
  local host="$1"

  if is_numeric_ip "$host"; then
    echo "$host"
    return 0
  fi

  if [ -f "$HOST_CACHE_FILE" ]; then
    # First try to get host from host-cache
    local find_host="$(grep "^$host " -m1 "$HOST_CACHE_FILE")"
    if [ -n "$find_host" ]; then
      local host_ip="$(echo "$find_host" |cut -s -d' ' -f2 |tr ',' ' ')"
      if [ "$host_ip" = "NO_IP" ]; then
        host_ip=""
        return 2 # NO-IP result
      elif [ -n "$host_ip" ]; then
        echo "$host_ip"
        return 0
      fi
    fi
  fi

  return 1 # No result
}

# Get IP for (dynamic) host. In case it already exists in our cache and is not too old
# use that else resolve and store in our cache
# Arguments : $1 = hostname to resolve
# Returns   : Resolved host's IP in "$host_ip"
# NOTE      : Hosts with multiple IPs are returned comma separated in "$host_ip",
#             which is also the form in which they are stored in the cache file
get_dynamic_host_cached()
{
  host_ip="" # Reset result
  local host="$1"
  local retval=0
  local cache_lookup=""
  local cache_time=0 fail_count=0
  local max_age cur_time store_ip threshold count gethost_retval

  # Don't try to resolve stuff that's already numeric
  if is_numeric_ip "$host"; then
    host_ip="$host"
    return 0
  fi

  printf "${INDENT}Resolving host \"$host\" -> "

  # Check whether we already have it in our cache
  if [ -f "${HOST_CACHE_FILE}" ]; then
    cache_lookup="$(grep "^$host " -m1 "${HOST_CACHE_FILE}")"
    if [ -n "$cache_lookup" ]; then
      # Check whether it's not too old
      cache_time="$(echo "$cache_lookup" |cut -d' ' -f3)"
      cur_time="$(($(date +'%s') / 60))"

      if [ -n "$DNS_MAX_AGE" ]; then
        max_age="$DNS_MAX_AGE"
      else
        max_age=10 # Fallback to 10 minutes
      fi

      # Check cache age
      if [ -n "$cache_time" -a $cache_time -le $cur_time -a $cur_time -le $((cache_time + max_age)) ]; then
        host_ip="$(echo "$cache_lookup" |cut -d' ' -f2)"
        if [ -n "$host_ip" ]; then
          echo "$host_ip (cached)"
          if [ "$host_ip" = "NO_IP" ]; then
            host_ip=""
            return 1
          fi
          return 0
        fi
      fi
    fi
  fi

  DNS_FAST_FAIL_ONCE="$DNS_FAST_FAIL"
  # Capture the exit status of gethostbyname() itself: with tr in the same
  # pipeline, $? would only ever reflect tr
  host_ip="$(gethostbyname "$host")"
  gethost_retval=$?
  host_ip="$(echo "$host_ip" |tr ' ' ',')"

  # Update cache time
  cache_time="$(($(date +'%s') / 60))"
  if [ $gethost_retval -ne 0 -o -z "$host_ip" ]; then
    retval=1 # Error

    # Use value from cache as a fallback, but only if allowed
    if [ -n "$cache_lookup" ]; then
      count="$(echo "$cache_lookup" |cut -s -d' ' -f4)"
      if [ -n "$count" ]; then
        fail_count=$count
      fi

      # Try to get from (old) cache, if allowed
      if [ "$DNS_FAIL_THRESHOLD" != "0" ]; then
        host_ip="$(echo "$cache_lookup" |cut -s -d' ' -f2)"
      fi
    fi

    if [ -z "$host_ip" -o "$host_ip" = "NO_IP" ]; then
      host_ip=""
      printf "\033[40m\033[1;31mFAILED!\n\033[0m"
      echo "** ERROR: Unresolvable host \"$host\" and no old IP to fallback on! **" >&2
    else
      echo "$host_ip (cached!)"
      echo "** WARNING($retval): Unresolvable host \"$host\". Re-using old IP ($host_ip)! **" >&2
      # Ignore error:
      retval=0
    fi

    if [ -n "$DNS_FAIL_THRESHOLD" ]; then
      threshold=$DNS_FAIL_THRESHOLD
    else
      threshold=4 # default
    fi

    # Increment fail count
    fail_count=$((fail_count + 1))

    # Check fail count
    if [ $threshold -gt 0 -a $fail_count -ge $threshold ]; then
      fail_count=1
    fi
  else
    echo "$host_ip"
    cache_time="$(($(date +'%s') / 60))"
    fail_count=0
  fi

  if [ -z "$host_ip" ]; then
    # NOTE: Explicitly store empty results as well else we'll keep trying over and over again for each plugin/rule
    store_ip="NO_IP"
  else
    store_ip="$host_ip"
  fi

  if [ -n "$cache_lookup" ]; then
    # Update existing entry
    sed -i "s/^$host[[:blank:]].*/$host $store_ip $cache_time $fail_count/" "${HOST_CACHE_FILE}"
  else
    # Add new entry
    echo "$host $store_ip $(($(date +'%s') / 60)) $fail_count" >>"${HOST_CACHE_FILE}"
  fi

  return $retval
}

# Leave lock function to release lock
# $1 = Lock (file) name
lock_leave()
{
  local LOCK_FILE RETVAL=0

  if [ -z "$1" ]; then
    echo "ERROR: Exception due to missing lock argument" >&2
    return 1 # Failure
  fi

  LOCK_FILE="/var/lock/aif_$1.lock"

  # Remove lockfile
  if ! rm -f "$LOCK_FILE"; then
    echo "ERROR: Failed to remove lock file: $LOCK_FILE" >&2
    RETVAL=1
  fi

  # Disable int handler
  trap - INT TERM EXIT

  return $RETVAL
}

# Signal/exit handler installed by lock_enter_internal()
# $1 = Lock (file) name (not the full path: lock_leave() rebuilds the path from it)
lock_ctrl_handler()
{
  lock_leave "$1"
  stty intr ^C # Back to normal
  exit # Yep, I meant to do that... Kill/hang the shell.
}

# Internal lock_enter() function. Only to be used by lock_enter_single() and lock_enter() (below)
# $1 = Lock file (full path, as built from the lock name by the callers)
lock_enter_internal()
{
  local LOCK_FILE="$1"
  local PID LOCK_NAME

  # Check lock PID:
  # If cat isn't able to read the file, another instance is probably
  # about to remove the lock -- exit, we're *still* locked
  # Thanks to Grzegorz Wierzowiecki for pointing out this race condition on
  # http://wiki.grzegorz.wierzowiecki.pl/code:mutex-in-bash
  PID="$(cat "$LOCK_FILE" 2>/dev/null)"
  if [ $? -eq 0 ]; then
    if ! kill -0 "$PID" 2>/dev/null; then
      # lock is stale, remove it and restart
      echo "WARNING: Removing stale lockfile \"$LOCK_FILE\" of nonexistent PID \"$PID\"" >&2
      rm -f "$LOCK_FILE"
    fi
  fi

  # Acquire lock
  if ( set -o noclobber; echo "$$" > "$LOCK_FILE") 2> /dev/null; then
    # Setup int handler. lock_ctrl_handler() and lock_leave() expect the lock
    # *name*, so strip the path prefix/suffix again: passing the full path here
    # would make lock_leave() remove "/var/lock/aif_/var/lock/aif_<name>.lock.lock"
    # and leave the real lock file behind on INT/TERM/EXIT
    LOCK_NAME="${LOCK_FILE#/var/lock/aif_}"
    LOCK_NAME="${LOCK_NAME%.lock}"
    trap "lock_ctrl_handler $LOCK_NAME" INT TERM EXIT
    return 0 # Lock success
  fi

  return 1 # Lock failure
}

# Lock enter function to acquire a single lock. Prevents running of multiple instances
# When an instance is already running, this (new) instance will be aborted
# $1 = Lock (file) name
lock_enter_single()
{
  local LOCK_FILE="/var/lock/aif_$1.lock"

  if [ -z "$1" ]; then
    echo "ERROR: Exception due to missing lock argument" >&2
    return 1 # Failure
  fi

  if lock_enter_internal "$LOCK_FILE"; then
    return 0 # Lock success
  fi

  echo "NOTE: Another instance is already running for lockfile \"$LOCK_FILE\". Held by PID $(cat "$LOCK_FILE")" >&2
  return 1 # Lock failed
}

# Lock enter function to acquire lock. Prevents running of multiple instances
# When an instance is already running, a new instance will wait until the lock is released (in case a timeout is reached, it will be aborted)
# $1 = Lock (file) name
# $2 = Amount of retries (optional, defaults to 5)
lock_enter()
{
  local LOCK_FILE="/var/lock/aif_$1.lock"
  local MAX_RETRIES="${2:-5}"
  local FAIL_COUNT=0

  if [ -z "$1" ]; then
    echo "ERROR: Exception due to missing lock argument" >&2
    return 1 # Failure
  fi

  while [ $FAIL_COUNT -lt $MAX_RETRIES ]; do
    if lock_enter_internal "$LOCK_FILE"; then
      return 0 # Lock success
    fi

    FAIL_COUNT=$((FAIL_COUNT + 1))

    # Sleep between retries
    sleep 1
  done

  echo "ERROR: Failed to acquire lockfile \"$LOCK_FILE\". Held by PID $(cat "$LOCK_FILE")" >&2
  return 1 # Lock failed
}

# Function to wait for lock to be released
# $1 = Lock (file) name
# $2 = Optional wait time in seconds (default = 5 seconds)
lock_wait()
{
  local LOCK_FILE="/var/lock/aif_$1.lock"
  local cnt="${2:-5}" # Default to 5 seconds

  if [ -z "$1" ]; then
    echo "ERROR: Exception due to missing lock argument" >&2
    return 1 # Failure
  fi

  # Wait for lock to disappear
  while [ $cnt -gt 0 ]; do
    if [ ! -f "$LOCK_FILE" ]; then
      return 0 # Lock wait success
    fi
    cnt=$((cnt - 1))
    sleep 1
  done

  return 1 # Lock wait failed
}

# Helper function to show interfaces / ips in front of verbose line
# $1 = interfaces. $2 = ips
show_if_ip()
{
  # Only show interfaces if not empty:
  if [ -n "$1" -a "$1" != "+" ]; then
    printf "($1) "
  fi

  # Only show destination IPs if not empty:
  if [ -n "$2" -a "$2" != "$ANYHOST" ]; then
    printf "($2) "
  fi
}

# Helper function to show hosts:ports
# $1 = host.
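The lock helpers above rely on two things: `set -o noclobber` turns the `>` redirection into an O_CREAT|O_EXCL open, so of several processes racing for the same lock name exactly one creates the file; and a lock whose recorded PID no longer exists is treated as stale and reclaimed. The script below is an added example, not AIF code, that rebuilds that scheme under a private temporary directory so it can be run without root and without touching /var/lock; every `demo_*` name is this example's own. It also shows the edge case the page's check does not cover: between the O_EXCL create and the write of `$$`, the file is briefly empty, and `kill -0 ""` fails, so a second process reading it in that window would delete a live lock. The example therefore only reclaims a lock whose PID is non-empty and dead; PID reuse after a crash remains a residual risk with any PID-based stale check.

```shell
#!/bin/sh
# Added example, not part of AIF: the lock_enter_internal()/lock_leave()
# scheme rebuilt under a private temporary directory, so it can be run
# without root and without touching /var/lock. All demo_* names are this
# example's own.

DEMO_LOCK_DIR="$(mktemp -d)"   # stand-in for /var/lock

demo_lock_file() { echo "$DEMO_LOCK_DIR/aif_$1.lock"; }

# Reclaim a lock only when it names a PID that is demonstrably gone.
# An empty file is treated as held: between the O_EXCL create and the
# write of "$$" the owner's PID is not in the file yet, and deleting the
# file in that window would let two processes hold the same lock.
demo_lock_reclaim_stale()
{
  local lock_file="$1" pid
  pid="$(cat "$lock_file" 2>/dev/null)" || return 0   # no lock, nothing to do
  if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
    echo "WARNING: removing stale lock $lock_file of dead PID $pid" >&2
    rm -f "$lock_file"
  fi
}

# Acquire: with noclobber set, ">" opens the file O_CREAT|O_EXCL, so of
# several processes racing for the same name exactly one wins.
demo_lock_acquire()   # lock name
{
  local lock_file
  lock_file="$(demo_lock_file "$1")"
  demo_lock_reclaim_stale "$lock_file"
  if ( set -o noclobber; echo "$$" > "$lock_file" ) 2>/dev/null; then
    # Register the lock *name* with the handler: the release routine
    # rebuilds the path from it, so handing it the path instead would
    # make it remove a different, non-existent file.
    trap "demo_lock_release '$1'" INT TERM EXIT
    return 0
  fi
  return 1
}

demo_lock_release()   # lock name
{
  rm -f "$(demo_lock_file "$1")"
  trap - INT TERM EXIT
}

# PID recorded in the lock, empty when unlocked
demo_lock_holder() { cat "$(demo_lock_file "$1")" 2>/dev/null; }

# Walk through the situations the locking code has to handle and return a
# one-line summary (used by the self-check).
demo_lock_scenarios()
{
  local out="" dead_pid lock_file
  lock_file="$(demo_lock_file jobs)"

  demo_lock_acquire jobs && out="first=ok"
  demo_lock_acquire jobs || out="$out,second=busy"       # held by us ($$), still alive
  [ "$(demo_lock_holder jobs)" = "$$" ] && out="$out,holder=self"
  demo_lock_release jobs

  # A lock left behind by a process that has already exited
  ( exit 0 ) & dead_pid=$!
  wait "$dead_pid"
  echo "$dead_pid" > "$lock_file"
  demo_lock_acquire jobs 2>/dev/null && out="$out,stale=reclaimed"
  demo_lock_release jobs

  # An empty lock file (owner still between create and write) stays held
  : > "$lock_file"
  demo_lock_acquire jobs || out="$out,empty=busy"
  rm -f "$lock_file"

  echo "$out"
}

demo_lock_cleanup() { rm -rf "$DEMO_LOCK_DIR"; }

demo_lock_scenarios
```

Run directly it prints `first=ok,second=busy,holder=self,stale=reclaimed,empty=busy`. As in the page's code, a single shell-wide trap is used, so acquiring a second lock name from the same process replaces the cleanup for the first; release locks explicitly rather than relying on the EXIT trap when more than one is held.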
# $2 = ports
show_hosts_ports()
{
  # Only show host if not empty:
  if [ -n "$1" ]; then
    printf "$1:$2"
  else
    printf "$2"
  fi
}

# Helper function to translate host ranges from variable
ip_range()
{
  local FIRST IFS=' '

  # Return the args if there is no '-' for improved execution speed
  case "$@" in
    *-*) ;;
    *) echo "$@"; return;;
  esac

  FIRST=1
  IFS=', '
  # Get variable from commandline
  for item in $*; do
    # Check whether an IP range was specified (only works like w.x.y.z1-z2!):
    start="$(echo "$item" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }' |grep -e '[0-9]')"
    host_base="$(echo "$item" |cut -s -d'-' -f1 |awk -F'.' '{ for (i=1; i> "$CHAINFILE"
    elif [ "$1" = "init" ]; then
      rm -f "$CHAINFILE"
    elif [ "$1" = "apply" ]; then
      sed -i "/^-A $CHAIN / r $CHAINFILE" "$IP4TABLES_BATCH_FILE"
      ip4tables_restore < "$IP4TABLES_BATCH_FILE"
      RESULT=$?
      rm -f "$CHAINFILE"
    else
      RESULT=1
    fi
  else
    if [ "$1" = "start" ]; then
      ip4tables_save -t filter > "$IP4TABLES_BATCH_FILE"
      RESULT=$?
    elif [ "$1" = "stop" ]; then
      rm -f "$IP4TABLES_BATCH_FILE"
    else
      RESULT=1
    fi
  fi

  return $RESULT
}

# Add ip6tables rules in batch using ip6tables-save and ip6tables-restore
ip6tables_batch()
{
  local ARGS CHAIN CHAINFILE RESULT=0 IFS=' '

  # Args must be of the form and called in this order:
  #   start
  #   init CHAIN
  #   -A CHAIN ...
  #   apply CHAIN
  #   stop
  #
  # Note: the added rules will be placed after a required
  # pre-existing rule in CHAIN.
  #
  ARGS="$@"
  CHAIN="$2"

  if [ "$DISABLE_IPTABLES_BATCH" = "1" ]; then
    if [ "$1" = "-A" ]; then
      ip6tables "$@"
    fi
    return
  fi

  if [ -n "$CHAIN" ]; then
    CHAINFILE="$IP6TABLES_BATCH_FILE"_"$CHAIN"
    if [ "$1" = "-A" ]; then
      echo "$ARGS" >> "$CHAINFILE"
    elif [ "$1" = "init" ]; then
      rm -f "$CHAINFILE"
    elif [ "$1" = "apply" ]; then
      sed -i "/^-A $CHAIN / r $CHAINFILE" "$IP6TABLES_BATCH_FILE"
      ip6tables_restore < "$IP6TABLES_BATCH_FILE"
      RESULT=$?
      rm -f "$CHAINFILE"
    else
      RESULT=1
    fi
  else
    if [ "$1" = "start" ]; then
      ip6tables_save -t filter > "$IP6TABLES_BATCH_FILE"
      RESULT=$?
    elif [ "$1" = "stop" ]; then
      rm -f "$IP6TABLES_BATCH_FILE"
    else
      RESULT=1
    fi
  fi

  return $RESULT
}

# Log message function. Message is read from stdin
# $1 = Optional prefix
log_msg()
{
  local PREFIX="$1"

  # Get message from stdin
  IFS=$EOL
  while read LINE; do
    # Have sed remove any colouring
    echo "${PREFIX}${LINE}" |sed 's/\x1B\[[0-9;]\+[A-Za-z]//g' |logger -t firewall -p user.info
  done
}

# Display progress bar, 0% to 100% in 2% increments
progress_bar()
{
  # Args: cur_cnt total_cnt
  local prev

  if [ $2 -gt 0 ]; then
    if [ $1 -eq 0 ]; then
      progress_percent=0
      printf " 0%%"
    else
      cur=$(($1 / $2))
      if [ $progress_percent -lt $cur ]; then
        prev=$progress_percent
        while [ $prev -le $cur ]; do
          if [ $progress_percent -lt $prev ]; then
            progress_percent=$prev
            if [ $((progress_percent % 20)) -eq 0 ]; then
              printf "$progress_percent%%"
            else
              printf "."
            fi
          fi
          prev=$((prev + 2))
        done
      fi
    fi
  fi
}

# Check existence of an interface
check_interface()
{
  local interface IFS=' '
  local interfaces="$(ip -o link show | cut -d':' -f2)"

  unset IFS
  for interface in $interfaces; do
    case "$1" in
      # Wildcard interface?
      *+)
        if [ "${1%+}" = "${interface%%[0-9]*}" ]; then
          return 0
        fi
        ;;
      *)
        if [ "${1}" = "${interface%@*}" ]; then
          return 0
        fi
        ;;
    esac
  done

  # Interface not found
  return 1
}

# Get all IP address(es)/mask(s) of specified network interface
get_network_ipv4_address_mask_all()
{
  ip -o addr show dev "$1" 2>/dev/null \
    |awk '$3 == "inet" { print $4 }' |tr '\n' ' ' |sed s,' $',,
}

# Get (primary) IP address/mask of specified network interface
get_network_ipv4_address_mask()
{
  get_network_ipv4_address_mask_all "$1" |cut -d' ' -f1
}

# Get all IP address(es) of the specified network interface
get_network_ipv4_address_all()
{
  ip -o addr show dev "$1" 2>/dev/null \
    |awk '$3 == "inet" { print $4 }' |cut -f1 -d'/' |tr '\n' ' ' |sed s,' $',,
}

# Get (primary) IP address of the specified network interface
get_network_ipv4_address()
{
  get_network_ipv4_address_mask "$1" |cut -f1 -d'/'
}

# Get (primary) netmask of the specified network interface
get_network_ipv4_mask()
{
  get_network_ipv4_address_mask "$1" |cut -f2 -d'/'
}

# Get broadcast address of the specified network interface
get_network_ipv4_broadcast()
{
  ip -o addr show dev "$1" 2>/dev/null \
    |awk '$3 == "inet" && $5 == "brd" { print $6; exit; }'
}

# Get IPv6 address/mask of specified network interface
get_network_ipv6_address_mask()
{
  ip -o addr show dev "$1" 2>/dev/null \
    |awk '$3 == "inet6" { print $4; exit; }'
}

# Get IPv6 address of the specified network interface
get_network_ipv6_address()
{
  get_network_ipv6_address_mask "$1" |cut -f1 -d'/'
}

# Get IPv6 netmask of the specified network interface
get_network_ipv6_mask()
{
  get_network_ipv6_address_mask "$1" |cut -f2 -d'/'
}

################################# Main ####################################

# Set base file for iptables_batch
IP4TABLES_BATCH_FILE="/var/tmp/aif_ip4tables_batch"
IP6TABLES_BATCH_FILE="/var/tmp/aif_ip6tables_batch"

# Set file to store which plugins are loaded
PLUGIN_LOAD_FILE="/var/tmp/aif_active_plugins"
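The ip4tables_batch()/ip6tables_batch() helpers above avoid one iptables invocation per rule by taking an iptables-save dump at "start", collecting each chain's `-A` lines in a per-chain file, and at "apply" splicing that file into the dump with `sed "/^-A $CHAIN / r $CHAINFILE"` before handing the whole thing to iptables-restore. The script below is an added example, not AIF code: it runs the same splice against a constructed dump so no iptables binary is needed, and makes two properties visible that are easy to miss in the helper. The address pattern ends in a space, so rules for MAC_FILTER are not mistaken for rules of MAC_FILTER_HOOK; and sed's `r` fires on every matching line, so if the chain already holds two rules the batch is inserted twice, which is why the page requires exactly one pre-existing rule in the chain between "init" and "apply". All `demo_*` names and the sample rules are this example's own. Note also that the batch file lives at a fixed name under /var/tmp and is trusted verbatim by the restore step, so that directory must not be writable by unprivileged users.

```shell
#!/bin/sh
# Added example, not part of AIF: how ip4tables_batch()/ip6tables_batch()
# splice a chain's queued rules into an iptables-save dump before feeding
# it to iptables-restore, run against a constructed dump so no iptables
# binary is needed. All demo_* names and the sample rules are this
# example's own.

# Constructed stand-in for "iptables-save -t filter" output (the "start" step)
DEMO_SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MAC_FILTER - [0:0]
:MAC_FILTER_HOOK - [0:0]
-A INPUT -j MAC_FILTER_HOOK
-A MAC_FILTER_HOOK -i eth1 -j MAC_FILTER
-A MAC_FILTER -d 255.255.255.255 -j RETURN
COMMIT'

# What a plugin would have queued with "ip4tables_batch -A MAC_FILTER ..." (constructed)
DEMO_BATCH='-A MAC_FILTER -m mac --mac-source 00:11:22:33:44:55 -j RETURN
-A MAC_FILTER -j DROP'

# The "apply" splice, minus -i: after every line starting with "-A <chain> "
# sed reads the batch file in. stdin = saved rules, stdout = merged rules.
demo_batch_apply()   # chain batchfile
{
  sed "/^-A $1 / r $2"
}

# Write $DEMO_BATCH to a temporary chain file and splice it into the
# ruleset read from stdin, as "apply CHAIN" does
demo_batch_merge()   # chain
{
  local batchfile
  batchfile="$(mktemp)"
  printf '%s\n' "$DEMO_BATCH" > "$batchfile"
  demo_batch_apply "$1" "$batchfile"
  rm -f "$batchfile"
}

# Number of times one exact rule line occurs in a ruleset read from stdin
demo_count_rule()
{
  grep -c -F -x -- "$1"
}

# The line that directly follows the given rule in a ruleset read from stdin
demo_rule_after()
{
  awk -v r="$1" 'seen { print; exit } $0 == r { seen = 1 }'
}

demo_batch_scenarios()
{
  local merged out

  # 1) One pre-existing MAC_FILTER rule: the batch lands once, right after it.
  merged="$(printf '%s\n' "$DEMO_SAVED_RULES" | demo_batch_merge MAC_FILTER)"
  out="once=$(printf '%s\n' "$merged" | demo_count_rule '-A MAC_FILTER -j DROP')"
  # The trailing space in the address keeps MAC_FILTER_HOOK's rule untouched
  out="$out hook=$(printf '%s\n' "$merged" | grep -c '^-A MAC_FILTER_HOOK ')"

  # 2) Two pre-existing rules: "r" fires on every matching line, so the
  # batch is inserted twice.
  merged="$(printf '%s\n' "$DEMO_SAVED_RULES" \
    | awk '/^COMMIT$/ { print "-A MAC_FILTER -d 10.0.0.255 -j RETURN" } { print }' \
    | demo_batch_merge MAC_FILTER)"
  out="$out twice=$(printf '%s\n' "$merged" | demo_count_rule '-A MAC_FILTER -j DROP')"

  echo "$out"
}

demo_batch_scenarios
```

Run directly it prints `once=1 hook=1 twice=2`. With DISABLE_IPTABLES_BATCH=1 the helpers fall back to issuing each `-A` immediately, which sidesteps the splice entirely at the cost of one iptables call per rule.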
PLUGIN_LOAD_FILE_RESTART="/var/tmp/aif_active_plugins_restart"

# (Dynamic) host cache. Used by compatible plugins
HOST_CACHE_FILE="/var/tmp/aif_host_cache"

# Check for a local/global config file
######################################
if [ -f "$LOCAL_CONFIG_FILE" ]; then
  . "$LOCAL_CONFIG_FILE"
fi

# Source config directory (conf.d)
##################################
if [ -z "$LOCAL_CONFIG_DIR" ]; then
  LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
fi

if [ -d "$LOCAL_CONFIG_DIR" ] && ls "$LOCAL_CONFIG_DIR"/*.conf >/dev/null 2>&1; then
  unset IFS
  for conf_file in "$LOCAL_CONFIG_DIR/"*.conf; do
    . "$conf_file"
  done
fi

# if $LOGLEVEL is not set, default to "info"
############################################
if [ -z "$LOGLEVEL" ]; then
  LOGLEVEL="info"
fi

# Detect all binaries
#####################
if [ -z "$IP6TABLES" ]; then
  IP6TABLES="$(find_command /sbin/ip6tables /usr/sbin/ip6tables)"
fi

if [ -n "$IP6TABLES" ]; then
  IP6TABLES_SAVE="$(find_command "$IP6TABLES"-save)"
  IP6TABLES_RESTORE="$(find_command "$IP6TABLES"-restore)"
fi

if [ -z "$IP4TABLES" ]; then
  IP4TABLES="$(find_command /sbin/iptables /usr/sbin/iptables)"
fi

if [ -n "$IP4TABLES" ]; then
  IP4TABLES_SAVE="$(find_command "$IP4TABLES"-save)"
  IP4TABLES_RESTORE="$(find_command "$IP4TABLES"-restore)"
fi

IP="$(find_command /sbin/ip)"
TC="$(find_command /sbin/tc /usr/sbin/tc)"
SYSCTL="$(find_command /sbin/sysctl)"
MODPROBE="$(find_command /sbin/modprobe)"
DIG="$(find_command /usr/bin/dig)"
if [ -z "$DIG" ]; then
  NSLOOKUP="$(find_command /usr/bin/nslookup)"
fi

# Enable xtables lock "wait" option found in iptables 1.4.20+
if $IP4TABLES -w --version >/dev/null 2>&1; then
  IPTABLES_OPTIONS="-w"
else
  IPTABLES_OPTIONS=""
fi

# Setup IPv6 detected environment variable
if sysctl_key_prefix net.ipv6.conf; then
  IPV6_DETECTED=1
else
  IPV6_DETECTED=0
  IPV6_SUPPORT=0
fi

# Default NAT_INTERNAL_NET to INTERNAL_NET, if not specified
############################################################
if [ -z "$NAT_INTERNAL_NET" ]; then
  NAT_INTERNAL_NET="$INTERNAL_NET"
fi

# Default NAT_IF to EXT_IF, if not specified
###########################################
if [ -z "$NAT_IF" ]; then
  NAT_IF="$EXT_IF"
fi

# IPv6 ICMPv6 types that are allowed, not including echo-request (128)
######################################################################
ICMPV6_SPECIAL_TYPES="133 134 135 136"

# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810)
###########################################################
ICMPV6_MLD_TYPES="130 131 132 143"

# Default conntrack match method, if needed the main script will
# fallback to an older method after the conntrack modules are loaded.
######################################################################
NF_CONNTRACK_STATE="-m conntrack --ctstate"

# Set system wide share path
############################
if [ -z "$USR_SHARE_PATH" ]; then
  USR_SHARE_PATH="/usr/local/share/arno-iptables-firewall"
  if [ ! -d "$USR_SHARE_PATH" ]; then
    USR_SHARE_PATH="/usr/share/arno-iptables-firewall"
    if [ ! -d "$USR_SHARE_PATH" ]; then
      echo "** ERROR: Unable to determine USR_SHARE_PATH!" >&2
    fi
  fi
fi

# Check plugin bin path and fallback in case it's empty
#######################################################
if [ -z "$PLUGIN_BIN_PATH" ]; then
  PLUGIN_BIN_PATH="$USR_SHARE_PATH/plugins"
fi

# File containing (background) jobs to run
JOBS_FILE="/var/tmp/aif_jobs"

# Lock file for accessing the JOBS_FILE
JOBS_LOCK_NAME="jobs"

# Jobs process (file) name
JOB_PROCESSOR="$USR_SHARE_PATH/aif-job-processor"
JOB_EXECUTER="$USR_SHARE_PATH/aif-job-execute"

# Check plugin conf path and fallback in case it's empty
########################################################
if [ -z "$PLUGIN_CONF_PATH" ]; then
  if [ -d "/etc/arno-iptables-firewall/plugins" ]; then
    PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
  fi
fi

# Check for EXT_NET_BCAST_ADDRESS and autodetect if empty
#########################################################
if [ -z "$EXT_NET_BCAST_ADDRESS" -a -n "$EXT_IF" ]; then
  ext_count=0
  IFS=' ,'
  for eif in $EXT_IF; do
    found=0
    for eif1 in $(wildcard_ifs $eif); do
      baddr="$(get_network_ipv4_broadcast "$eif1")"
      # NOTE: If no broadcast address found, then probably interface is not up (yet)
      if [ -n "$baddr" ]; then
        EXT_NET_BCAST_ADDRESS="${EXT_NET_BCAST_ADDRESS}${EXT_NET_BCAST_ADDRESS:+ }${baddr}"
        found=1
      fi
    done

    ext_count=$((ext_count + 1))
    if [ $found -eq 0 -a -n "$EXTERNAL_NET" ]; then
      # NOTE: Only /8, /16 and /24 are derived from EXTERNAL_NET here. For any other
      #       prefix length, set EXT_NET_BCAST_ADDRESS explicitly in the config
      ext_net="$(echo "$EXTERNAL_NET" |awk "{ print \$$ext_count }")"
      case "$ext_net" in
        */24) baddr="$(echo "$ext_net" |awk -F. '{ print $1"."$2"."$3".255" }')" ;;
        */16) baddr="$(echo "$ext_net" |awk -F. '{ print $1"."$2".255.255" }')" ;;
        */8) baddr="$(echo "$ext_net" |awk -F. '{ print $1".255.255.255" }')" ;;
        *) baddr="" ;;
      esac

      if [ -n "$baddr" ]; then
        EXT_NET_BCAST_ADDRESS="${EXT_NET_BCAST_ADDRESS}${EXT_NET_BCAST_ADDRESS:+ }${baddr}"
      fi
    fi
  done
fi

# Check for EXTERNAL_NET and autodetect if empty
################################################
if [ -z "$EXTERNAL_NET" -a -n "$EXT_IF" ]; then
  IFS=' ,'
  for eif in $EXT_IF; do
    for eif1 in $(wildcard_ifs $eif); do
      addr_mask="$(get_network_ipv4_address_mask "$eif1")"
      # NOTE: If no mask found, then probably interface is not up (yet)
      if [ -n "$addr_mask" ]; then
        EXTERNAL_NET="${EXTERNAL_NET}${EXTERNAL_NET:+ }${addr_mask}"
      fi
    done
  done
fi

# ==== aif-2.1.2a/share/arno-iptables-firewall/plugins/10mac-address-filter.plugin ====
# ------------------------------------------------------------------------------
#               -= Arno's Iptables Firewall(AIF) - MAC Address Filter plugin =-
#
PLUGIN_NAME="MAC Address Filter plugin"
PLUGIN_VERSION="1.1b"
PLUGIN_CONF_FILE="mac-address-filter.conf"
#
# Last changed : July 21, 2015
# Requirements : ipt_mac module
# Comments     : This plugin allows you to select the MAC addresses
#                that are allowed access for the specified interfaces
#                (eg. INT_IF)
#                Note: MAC addresses are trivially spoofed, so treat this as a
#                convenience filter for the local segment, not as authentication
#
# Author       : (C) Copyright 2010-2015 by Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  # Probe module xt_mac/ipt_mac (allows matching on the source MAC address):
  modprobe_multi xt_mac ipt_mac

  # Create new chains
  iptables -N MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER_HOOK
  iptables -N MAC_FILTER 2>/dev/null
  iptables -F MAC_FILTER

  echo "  Using interface(s): $MAC_ADDRESS_IF"

  # Here we filter the internal hosts using their MAC address (if used)
  #####################################################################

  # Setup the mac addresses from our file
  printf "${INDENT}(Re)loading allowed internal MAC addresses from $MAC_ADDRESS_FILE: "

  # Allow IPv4 broadcasts and IPv6 "link-scope all-hosts multicast"
  ip4tables -A MAC_FILTER -d 255.255.255.255 -j RETURN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A MAC_FILTER -d ff02::1 -j RETURN
  fi

  #iptables -A MAC_FILTER -m pkttype --pkt-type ! unicast -j RETURN
  #iptables -A MAC_FILTER -m addrtype --dst-type BROADCAST -j RETURN

  if [ -n "$INT_NET_BCAST_ADDRESS" ]; then
    IFS=' ,'
    for address in $INT_NET_BCAST_ADDRESS; do
      iptables -A MAC_FILTER -d $address -j RETURN
    done
  else
    IFS=' ,'
    for net in $INTERNAL_NET; do
      get_numeric_ip_version "$net"
      case $? in
        4)
          # Class C net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2"."$3".255" }') -j RETURN
          # Class B net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2".255.255" }') -j RETURN
          # Class A net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1".255.255.255" }') -j RETURN
          ;;
      esac
    done
  fi

  # One entry per line: "<MAC address> [<source IP>]"; split on newlines only
  MCOUNT=0
  IFS='
'
  for LINE in `cat "$MAC_ADDRESS_FILE" |sed -e 's|#.*||' -e 's| *$||'`; do
    if [ -n "$LINE" ]; then
      src_mac="$(echo "$LINE" |awk '{ print $1 }')"
      src_ip="$(echo "$LINE" |awk '{ print $2 }')"
      if [ -z "$src_ip" ]; then
        src_ip="0/0"
      fi
      MCOUNT=$((MCOUNT + 1))
      iptables -A MAC_FILTER -m mac --mac-source $src_mac -s $src_ip -j RETURN
    fi
  done

  if [ "$MAC_ADDRESS_LOG" = "1" ]; then
    iptables -A MAC_FILTER \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:MAC address dropped: "
  fi

  # Anyone else is dropped
  iptables -A MAC_FILTER -j POST_INPUT_DROP_CHAIN

  IFS=' ,'
  for interface in $MAC_ADDRESS_IF; do
    iptables -A MAC_FILTER_HOOK -i $interface -j MAC_FILTER
  done

  # Insert chains
  iptables -A INPUT -j MAC_FILTER_HOOK
  iptables -A FORWARD -j MAC_FILTER_HOOK

  echo "$MCOUNT loaded"

  return 0
}


# Plugin stop function
plugin_stop()
{
  iptables -D INPUT -j MAC_FILTER_HOOK 2>/dev/null
  iptables -D FORWARD -j MAC_FILTER_HOOK 2>/dev/null

  iptables -F MAC_FILTER_HOOK
  iptables -X MAC_FILTER_HOOK 2>/dev/null

  iptables -F MAC_FILTER
  iptables -X MAC_FILTER 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
#  iptables -xnvL MAC_FILTER |sed -e "s/^/$INDENT/"

  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ ! -f "$MAC_ADDRESS_FILE" ]; then
    printf "\033[40m\033[1;31m${INDENT}NOTE: Cannot read the allowed internal MAC address file \"$MAC_ADDRESS_FILE\".\033[0m\n" >&2
    return 1
  fi

  if [ -z "$MAC_ADDRESS_IF" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/20nat-loopback.plugin

# ------------------------------------------------------------------------------
#             -= Arno's Iptables Firewall(AIF) - NAT Loopback plugin =-
#
PLUGIN_NAME="NAT Loopback plugin"
PLUGIN_VERSION="1.02"
PLUGIN_CONF_FILE="nat-loopback.conf"
#
# Last changed          : February 2, 2019
# Requirements          : AIF 2.0.1g+
# Comments              : NAT Loopback for local nets using existing NAT_FORWARD_TCP
#                         and NAT_FORWARD_UDP rules.
#                         Local nets may be able to use the external IPv4 address and
#                         port to access NAT forwarded internal servers.
#
# Author                : (C) Copyright 2012-2019 by Lonnie Abelbeck & Arno van Amersfoort
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

NAT_LOOPBACK_DEFAULT_IPV4="/var/tmp/aif-nat-loopback-default-ipv4"

nat_loopback_default_ext_ipv4()
{
  local eif IFS

  IFS=' ,'
  for eif in $(wildcard_ifs $NAT_IF); do
    ip -o addr show dev $eif \
      | awk '$3 == "inet" { split($4, field, "/"); print field[1]; nextfile; }'
    break  # Only use first external interface
  done
}

nat_loopback_update_default_ipv4()
{
  local old_defaultip="$1" defaultip="$2" old_match line nline cnt IFS

  unset IFS

  # Replace 'dot' with 'backslash-dot' for regex match
  # ${old_defaultip//./\.} would be better, but dash does not support it
  old_match="$(echo "$old_defaultip" | sed 's/\./\\./g')"

  cnt=1
  ip4tables_save -t nat | grep -e '-A NAT_LOOPBACK_DNAT ' | while read line; do
    nline="$(echo "$line" | sed "s| ${old_match}/32| ${defaultip}/32|")"
    if [ "$nline" != "$line" ]; then
      ip4tables -t nat -R NAT_LOOPBACK_DNAT $cnt ${nline#-A NAT_LOOPBACK_DNAT }
    fi
    cnt=$((cnt + 1))
  done

  cnt=1
  ip4tables_save -t nat | grep -e '-A NAT_LOOPBACK_SNAT ' | while read line; do
    nline="$(echo "$line" | sed "s| ${old_match}$| ${defaultip}|")"
    if [ "$nline" != "$line" ]; then
      ip4tables -t nat -R NAT_LOOPBACK_SNAT $cnt ${nline#-A NAT_LOOPBACK_SNAT }
    fi
    cnt=$((cnt + 1))
  done
}

# Plugin start function
plugin_start()
{
  local defaultip eif net IFS

  ip4tables -t nat -N NAT_LOOPBACK_DNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_DNAT
  ip4tables -t nat -N NAT_LOOPBACK_SNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_SNAT

  if [ -z "$NAT_LOOPBACK_NET" ]; then
    NAT_LOOPBACK_NET="$NAT_INTERNAL_NET"
  fi

  defaultip="$(nat_loopback_default_ext_ipv4)"
  if [ -z "$defaultip" ]; then
    # Use an arbitrary IPv4 Link-Local address as a placeholder
    # for the currently unknown default IPv4 address
    defaultip="169.254.25.54"
  fi
  echo "$defaultip" > "$NAT_LOOPBACK_DEFAULT_IPV4"

  echo "${INDENT}NAT Loopback default IPv4: $defaultip"
  echo "${INDENT}NAT Loopback internal net(s): $NAT_LOOPBACK_NET"
  if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
    echo "${INDENT}NAT Loopback local forwards are enabled."
  else
    echo "${INDENT}NAT Loopback local forwards are disabled."
  fi

  unset IFS
  for rule in $NAT_FORWARD_TCP; do
    if parse_rule "$rule" NAT_FORWARD_TCP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
      IFS=' ,'
      for port in $ports; do
        for destip in $destips; do
          for eif in $interfaces; do
            dport="$(get_ports_hp "$dhost_dport" "$port")"
            dhost="$(get_hosts_hp "$dhost_dport")"
            if [ "$destip" = "0/0" ]; then
              destip="$defaultip"
            fi
            if [ -n "$dhost" -a -n "$destip" ]; then
              for net in $NAT_LOOPBACK_NET; do
                ip4tables -t nat -A NAT_LOOPBACK_DNAT -s $net -d $destip \
                  -p tcp --dport $port -j DNAT --to-destination $(echo "$dhost_dport" |tr "$SEP-" '::')
                if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
                  ip4tables -A POST_FORWARD_CHAIN -s $net -d $dhost -p tcp --dport $dport -j ACCEPT
                fi
                ip4tables -t nat -A NAT_LOOPBACK_SNAT -s $net -d $dhost \
                  -p tcp --dport $dport -j SNAT --to-source $destip
              done
            fi
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $NAT_FORWARD_UDP; do
    if parse_rule "$rule" NAT_FORWARD_UDP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
      IFS=' ,'
      for port in $ports; do
        for destip in $destips; do
          for eif in $interfaces; do
            dport="$(get_ports_hp "$dhost_dport" "$port")"
            dhost="$(get_hosts_hp "$dhost_dport")"
            if [ "$destip" = "0/0" ]; then
              destip="$defaultip"
            fi
            if [ -n "$dhost" -a -n "$destip" ]; then
              for net in $NAT_LOOPBACK_NET; do
                ip4tables -t nat -A NAT_LOOPBACK_DNAT -s $net -d $destip \
                  -p udp --dport $port -j DNAT --to-destination $(echo "$dhost_dport" |tr "$SEP-" '::')
                if [ "$NAT_LOOPBACK_FORWARD" = "1" ]; then
                  ip4tables -A POST_FORWARD_CHAIN -s $net -d $dhost -p udp --dport $dport -j ACCEPT
                fi
                ip4tables -t nat -A NAT_LOOPBACK_SNAT -s $net -d $dhost \
                  -p udp --dport $dport -j SNAT --to-source $destip
              done
            fi
          done
        done
      done
    fi
  done

  ip4tables -t nat -A PREROUTING -j NAT_LOOPBACK_DNAT
  ip4tables -t nat -A POSTROUTING -j NAT_LOOPBACK_SNAT

  return 0
}


# Plugin restart function
plugin_restart()
{
  # Skip plugin_stop on a restart
  plugin_start

  return 0
}


# Plugin stop function
plugin_stop()
{
  ip4tables -t nat -D PREROUTING -j NAT_LOOPBACK_DNAT
  ip4tables -t nat -D POSTROUTING -j NAT_LOOPBACK_SNAT

  ip4tables -t nat -F NAT_LOOPBACK_DNAT
  ip4tables -t nat -X NAT_LOOPBACK_DNAT 2>/dev/null
  ip4tables -t nat -F NAT_LOOPBACK_SNAT
  ip4tables -t nat -X NAT_LOOPBACK_SNAT 2>/dev/null

  rm -f "$NAT_LOOPBACK_DEFAULT_IPV4"

  return 0
}


# Plugin status function
plugin_status()
{
  local defaultip old_defaultip

  if [ -f "$NAT_LOOPBACK_DEFAULT_IPV4" ]; then
    old_defaultip="$(cat "$NAT_LOOPBACK_DEFAULT_IPV4")"
  else
    old_defaultip=""
  fi

  defaultip="$(nat_loopback_default_ext_ipv4)"

  if [ -n "$defaultip" -a -n "$old_defaultip" ]; then
    if [ "$defaultip" != "$old_defaultip" ]; then
      if [ "$NAT_LOOPBACK_UPDATE_ON_STATUS" != "0" ]; then
        # update rules
        nat_loopback_update_default_ipv4 "$old_defaultip" "$defaultip"
        echo "$defaultip" > "$NAT_LOOPBACK_DEFAULT_IPV4"
        echo "  NAT Loopback default IPv4 (updated): $defaultip"
      else
        echo "  NAT Loopback default IPv4 needs updating from '$old_defaultip' to '$defaultip'"
      fi
      return 0
    fi
  fi

  if [ -n "$old_defaultip" ]; then
    echo "  NAT Loopback default IPv4: $old_defaultip"
  else
    echo "  NAT Loopback default IPv4: None"
  fi

  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  # Sanity check
  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/20parasitic-net.plugin

# ------------------------------------------------------------------------------
#        -= Arno's Iptables Firewall(AIF) - Parasitic (SNAT) Network plugin =-
#
PLUGIN_NAME="Parasitic (SNAT) Network plugin"
PLUGIN_VERSION="1.01"
PLUGIN_CONF_FILE="parasitic-net.conf"
#
# Last changed          : Jan 16, 2020
# Requirements          : AIF 2.1.1 (or newer)
# Comments              : This plugin allows "clients" on the same subnet to use this
#                         device as a gateway upstream. This network of "clients" is
#                         SNAT'ed to this device's external interface(s).
#                         This parasitic network is useful for situations when the
#                         upstream firewall is not under your control and you desire
#                         added security for specific devices in your subnet.
#                         Set the gateway address of parasitic network clients to an
#                         external IPv4 address of this device. Note that this plugin
#                         only works for IPv4, NOT IPv6
#
# Author                : (C) Copyright 2017-2020 by Arno van Amersfoort & Lonnie Abelbeck
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="parasitic-net"

# (Background) job helper script
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/parasitic-net-helper"

parasitic_net_init()
{
  local IFS host if_ip snat_if snat_ip snat_ifs_ips snat_if_subnet

  ip4tables -t nat -N PARASITIC_NET_SNAT 2>/dev/null
  ip4tables -t nat -F PARASITIC_NET_SNAT

  ip4tables -N PARASITIC_NET_ACL 2>/dev/null
  ip4tables -F PARASITIC_NET_ACL

  ip4tables -N PARASITIC_NET_FORWARD 2>/dev/null
  ip4tables -F PARASITIC_NET_FORWARD

  if [ -z "$PARASITIC_NET_IF" ]; then
    PARASITIC_NET_IF="$EXT_IF"
  fi

  if [ -z "$PARASITIC_NET_DENY_POLICY" ]; then
    PARASITIC_NET_DENY_POLICY="DROP"
  fi

  # Build the list of "interface~address" pairs used as SNAT sources
  snat_ifs_ips=""
  IFS=' ,'
  for if_ip in $(wildcard_ifs $PARASITIC_NET_IF); do
    snat_if="$(echo "$if_ip" |cut -d'~' -f1)"
    snat_ip="$(echo "$if_ip" |cut -s -d'~' -f2)"

    if [ -z "$snat_ip" ]; then
      # Add all interface IPs to list
      for if_ip in $(get_network_ipv4_address_all $snat_if); do
        snat_ifs_ips="$snat_ifs_ips${snat_ifs_ips:+ }$snat_if~$if_ip"
      done
    else
      snat_ifs_ips="$snat_ifs_ips${snat_ifs_ips:+ }$snat_if~$snat_ip"
    fi
  done

  if [ -z "$snat_ifs_ips" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Unable to determine SNAT interface(s)/address(es)!\033[0m\n" >&2
    return 1
  fi

  echo "${INDENT}Parasitic network SNAT interface(s)/address(es): $snat_ifs_ips"

  if [ -z "$PARASITIC_NET_CLIENT_HOSTS" ]; then
    IFS=' ,'
    for if_ip in $(wildcard_ifs $PARASITIC_NET_IF); do
      snat_if="$(echo "$if_ip" |cut -d'~' -f1)"
      snat_if_subnet="$(get_network_ipv4_address_mask_all $snat_if)"
      PARASITIC_NET_CLIENT_HOSTS="$PARASITIC_NET_CLIENT_HOSTS${PARASITIC_NET_CLIENT_HOSTS:+ }$snat_if_subnet"
    done
  fi

  # Filter traffic related to the Parasitic Network
  echo "${INDENT}Allowing parasitic network access for client host(s): $PARASITIC_NET_CLIENT_HOSTS"
  IFS=' ,'
  for host in $(ip_range $PARASITIC_NET_CLIENT_HOSTS); do
    ip4tables -A PARASITIC_NET_FORWARD -s $host -j PARASITIC_NET_ACL
  done

  # Enable forwarding on the SNAT interfaces.
  # Note: can't check IF IP here, therefore only match interface(s)
  IFS=' ,'
  for if_ip in $(wildcard_ifs $PARASITIC_NET_IF); do
    snat_if="$(echo "$if_ip" |cut -d'~' -f1)"
    ip4tables -A POST_FORWARD_CHAIN -i $snat_if -o $snat_if -j PARASITIC_NET_FORWARD
  done

  # We do not want traffic generated on this machine to be NAT-ed, so skip all SNAT interface IPv4's
  IFS=' '
  for if_ip in $snat_ifs_ips; do
    snat_ip="$(echo "$if_ip" |cut -d'~' -f2)"
    ip4tables -t nat -A PARASITIC_NET_SNAT -s $snat_ip -j RETURN
  done

  IFS=' '
  for if_ip in $snat_ifs_ips; do
    snat_if="$(echo "$if_ip" |cut -d'~' -f1)"
    snat_ip="$(echo "$if_ip" |cut -d'~' -f2)"

    IFS=' ,'
    for host in $(ip_range $PARASITIC_NET_CLIENT_HOSTS); do
      ip4tables -t nat -A PARASITIC_NET_SNAT -o $snat_if -s $host -j SNAT --to-source $snat_ip
    done
  done

  # Hook into the POST POSTROUTING NAT chain
  ip4tables -t nat -A POST_NAT_POSTROUTING_CHAIN -j PARASITIC_NET_SNAT

  # Create background job
  if ! job_add "$JOB_NAME" "${PARASITIC_NET_TIME:-60}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}


# Plugin start function
plugin_start()
{
  # Initialize
  if ! parasitic_net_init; then
    return 1
  fi

  return 0
}


# Plugin restart function
plugin_restart()
{
  # NOTE: Skip plugin_stop on a restart and basically do the same as with a normal start
  plugin_start

  return $?
}


# Plugin stop function
plugin_stop()
{
  ip4tables -t nat -D POST_NAT_POSTROUTING_CHAIN -j PARASITIC_NET_SNAT
  ip4tables -t nat -F PARASITIC_NET_SNAT
  ip4tables -t nat -X PARASITIC_NET_SNAT 2>/dev/null

  ip4tables -F PARASITIC_NET_ACL
  ip4tables -X PARASITIC_NET_ACL 2>/dev/null

  ip4tables -F PARASITIC_NET_FORWARD
  ip4tables -X PARASITIC_NET_FORWARD 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  echo "  Interface forward policy:"
  echo "  =============================="
  ip4tables -nv -L POST_FORWARD_CHAIN | awk '$3 == "PARASITIC_NET_FORWARD" { print "  "$3" "$6" "$7" "$8" "$9 }'
  echo "  ------------------------------"
  echo ""

  echo "  Allowed client host(s):"
  echo "  =============================="
  ip4tables -n -L PARASITIC_NET_FORWARD | awk '$1 == "PARASITIC_NET_ACL" { print "  "$4 }'
  echo "  ------------------------------"
  echo ""

  echo "  Access Control List(ACL):"
  echo "  =============================="
  ip4tables -n -L PARASITIC_NET_ACL | sed -n -e 's/^ACCEPT.*$/  &/p' -e 's/^DROP.*$/  &/p'
  echo "  ------------------------------"
  echo ""

  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  local IFS if1 if2

  if [ -n "$PARASITIC_NET_DENY_POLICY" -a "$PARASITIC_NET_DENY_POLICY" != "DROP" -a "$PARASITIC_NET_DENY_POLICY" != "REJECT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: PARASITIC_NET_DENY_POLICY must be either \"DROP\" (or left empty) or \"REJECT\"!\033[0m\n" >&2
    return 1
  fi

  IFS=' ,'
  for if1 in $INT_IF $DMZ_IF; do
    for if2 in $PARASITIC_NET_IF; do
      if [ "$if1" = "$if2" ]; then
        printf "\033[40m\033[1;31m${INDENT}ERROR: INT_IF/DMZ_IF interface $if1 is not allowed as PARASITIC_NET_IF interface $if2.\033[0m\n" >&2
        return 1
      fi
    done
  done

  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/50dsl-ppp-modem.plugin

# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) - (A)DSL PPP Modem plugin =-
#
PLUGIN_NAME="(A)DSL PPP Modem plugin"
PLUGIN_VERSION="1.0g"
PLUGIN_CONF_FILE="dsl-ppp-modem.conf"
#
# Last changed          : October 20, 2011
# Requirements          : aif 1.9.2i+ & kernel 2.6 & iptable_nat & ip_nat & ipt_MASQUERADE
# Comments              : This implements support for (A)DSL PPP modems
#
# Author                : (C) Copyright 2008-2011 by Arno van Amersfoort
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  echo "${INDENT}Applying rules for (A)DSL modem on interface: $MODEM_IF"

  if [ -n "$MODEM_IF_IP" ]; then
    echo "${INDENT}Setting up (antispoof) MODEM net: $MODEM_IF_IP/24"

    # Anti spoof protection for the modem net
    #########################################
    ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" \
      -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed (MODEM) packet: "
    ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" -j DROP
  fi

  # Create & flush our modem chain
  ip4tables -N MODEM_CHAIN 2>/dev/null
  ip4tables -F MODEM_CHAIN
  ip4tables -N MODEM_CHAIN_HOOK 2>/dev/null
  ip4tables -F MODEM_CHAIN_HOOK

  # This is only used if you have a (A)DSL modem using ppp (connected to an
  # ethernet interface)
  #########################################################################
  if [ -n "$MODEM_IF_IP" ]; then
    if [ -n "$MODEM_IP" ]; then
      echo "${INDENT}Using MODEM IP $MODEM_IP"

      # Only allow traffic from the MODEM (check IP) to this machine
      ##############################################################
      ip4tables -A MODEM_CHAIN -s $MODEM_IP -d $MODEM_IF_IP -j ACCEPT
    else
      # Only allow traffic from the MODEM (no IP, so no checking) to this machine
      ###########################################################################
      ip4tables -A MODEM_CHAIN -d $MODEM_IF_IP -j ACCEPT
    fi
  elif [ -n "$MODEM_IP" ]; then
    echo "${INDENT}Using MODEM IP $MODEM_IP"

    # Only allow traffic from the MODEM (check IP) to this machine
    ##############################################################
    ip4tables -A MODEM_CHAIN -s $MODEM_IP -j ACCEPT
  else
    # Only allow traffic from the MODEM (no IP, so no checking) to this machine
    ###########################################################################
    ip4tables -A MODEM_CHAIN -j ACCEPT
  fi

  # Allow DHCP packets
  ip4tables -A MODEM_CHAIN -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT

  # Everything else is logged & dropped
  ip4tables -A MODEM_CHAIN \
    -m limit --limit 1/s -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped MODEM packet: "
  ip4tables -A MODEM_CHAIN -j DROP

  IFS=' ,'
  for interface in $MODEM_IF; do
    ip4tables -A MODEM_CHAIN_HOOK -i $interface -j MODEM_CHAIN
  done

  # Add our MODEM chain hook
  ip4tables -A INPUT -j MODEM_CHAIN_HOOK

  # Manage your modem settings from computers on your LAN. For example with your browser via http://{MODEM_IP}
  ############################################################################################################
  if [ -n "$MODEM_IP" -a -n "$MODEM_INTERNAL_NET" ]; then
    echo "${INDENT}Enabling (ADSL) modem (@$MODEM_IP) management for host(s): $MODEM_INTERNAL_NET"
    IFS=' ,'
    for net in `ip_range "$MODEM_INTERNAL_NET"`; do
      ip4tables -A FORWARD -o $MODEM_IF -s $net -j ACCEPT
      ip4tables -t nat -A POSTROUTING -o $MODEM_IF -s $net -d $MODEM_IP -j MASQUERADE
    done
  fi

  return 0
}


# Plugin stop function
plugin_stop()
{
  ip4tables -D INPUT -j MODEM_CHAIN_HOOK 2>/dev/null

  ip4tables -F MODEM_CHAIN_HOOK
  ip4tables -X MODEM_CHAIN_HOOK 2>/dev/null

  ip4tables -F MODEM_CHAIN
  ip4tables -X MODEM_CHAIN 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$MODEM_IF" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  # Check whether MODEM_IF exists
  ###############################
  if ! check_interface $MODEM_IF; then
    printf "\033[40m\033[1;31m${INDENT}NOTE: Modem interface \"$MODEM_IF\" does NOT exist (yet?)\033[0m\n" >&2
  fi

  # Make sure EXT_IF != MODEM_IF
  ##############################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "$MODEM_IF" ]; then
      printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" >&2
      printf "\033[40m\033[1;31m${INDENT}       MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
      return 1
    fi
  done

  # Make sure INT_IF != MODEM_IF
  ##############################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "$MODEM_IF" ]; then
      printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" >&2
      printf "\033[40m\033[1;31m${INDENT}       MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
      return 1
    fi
  done

  # Make sure MODEM_IF != lo / 127.0.0.1
  ######################################
  if [ "$MODEM_IF" = "lo" -o "$MODEM_IF" = "127.0.0.1" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" >&2
    printf "\033[40m\033[1;31m${INDENT}       loopback device! Please, check the configuration file.\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/50dyndns-host-open.plugin

# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) - DynDNS Host Open plugin =-
#
PLUGIN_NAME="DynDNS Host Open plugin"
PLUGIN_VERSION="1.42a"
PLUGIN_CONF_FILE="dyndns-host-open.conf"
#
# Last changed          : May 9, 2019
# Requirements          : AIF 2.1.0 (or newer)
# Comments              : This implements dynamic DNS (DynDNS) support for eg. opening ports
#
# Author                : (C) Copyright 2008-2019 by Arno van Amersfoort
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------ # (Background) job name JOB_NAME="dyndns-host-open" # (Background) job helper script JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/dyndns-host-open-helper" dyndns_host_open_init() { # Insert rule into the main chain: iptables -A EXT_INPUT_CHAIN -j DYNDNS_CHAIN # Remove old cron job (this is in case a legacy plugin left it) rm -f /etc/cron.d/dyndns-host-open # Create background job if ! job_add "$JOB_NAME" "${DYNDNS_HOST_OPEN_TIME:-60}" "$JOB_HELPER_SCRIPT"; then return 1 fi return 0 } # Plugin start function plugin_start() { # Create new DYNDNS_CHAIN chain: iptables -N DYNDNS_CHAIN 2>/dev/null iptables -F DYNDNS_CHAIN # Initialize if ! dyndns_host_open_init; then return 1 fi return 0 } # Plugin restart function plugin_restart() { # Re-add standard chain rules that are flushed on a restart echo "${INDENT}Restarting..." # Initialize if ! dyndns_host_open_init; then return 1 fi return 0 } # Plugin stop function plugin_stop() { # Remove old cron job (this is in case a legacy plugin left it) rm -f /etc/cron.d/dyndns-host-open iptables -D EXT_INPUT_CHAIN -j DYNDNS_CHAIN 2>/dev/null iptables -F DYNDNS_CHAIN iptables -X DYNDNS_CHAIN 2>/dev/null return 0 } # Plugin status function plugin_status() { iptables -L DYNDNS_CHAIN |sed -e "s/^/$INDENT/" return 0 } # Check sanity of eg. environment plugin_sanity_check() { if [ -z "$DYNDNS_HOST_OPEN_TCP" -a -z "$DYNDNS_HOST_OPEN_UDP" -a \ -z "$DYNDNS_HOST_OPEN_IP" -a -z "$DYNDNS_HOST_OPEN_ICMP" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not (properly) setup!\033[0m\n" >&2 return 1 fi if [ ! 
-f "$JOB_HELPER_SCRIPT" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin000066400000000000000000000141131464417520100250370ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - IPsec VPN plugin =- # PLUGIN_NAME="IPsec VPN plugin" PLUGIN_VERSION="0.85" PLUGIN_CONF_FILE="ipsec-vpn.conf" # # Last changed : July 12, 2016 # Requirements : AIF 2.0.0+ and kernel 2.6 + ipt_policy + iptable_nat # Comments : This plugin adds all required rules for using Racoon IPSEC. 
# # Author : (C) Copyright 2006-2016 by Philip Prindeville & Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : philipp AT redfish-solutions DOT com # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { local eif net ipver IFS modprobe_multi xt_policy ipt_policy # Allows use of policy match modprobe iptable_nat # We need the NAT table iptables -N VPN_INPUT 2>/dev/null iptables -F VPN_INPUT iptables -N VPN_FORWARD 2>/dev/null iptables -F VPN_FORWARD # If the user has specified a subset of remote networks, only allow those. if [ -n "$IPSEC_VPN_NETS" ]; then echo "${INDENT}Applying rules for VPN nets $IPSEC_VPN_NETS" IFS=' ,' for vnet in $IPSEC_VPN_NETS; do iptables -A VPN_INPUT -s $vnet -j ACCEPT iptables -A VPN_FORWARD -s $vnet -j ACCEPT done iptables -A VPN_INPUT -j DROP iptables -A VPN_FORWARD -j DROP else # Otherwise, we allow everything. iptables -A VPN_INPUT -j ACCEPT iptables -A VPN_FORWARD -j ACCEPT fi # Don't apply the usual filters for the external interface on # traffic that's just been decapulated. We treat it mostly like # internal traffic. 
# iptables -A EXT_INPUT_CHAIN -m policy --pol ipsec --dir in -j VPN_INPUT # (unnecessary since the -A INPUT...-j VPN_INPUT rule below supersedes this rule) echo "${INDENT}Allowing internet hosts $IPSEC_ALLOWED_HOSTS to access the VPN service" IFS=' ,' for host in `ip_range "$IPSEC_ALLOWED_HOSTS"`; do iptables -A EXT_INPUT_CHAIN -p udp --dport 500 -s $host -j ACCEPT get_numeric_ip_version "$host" ipver=$? if [ $ipver -eq 4 -o $ipver -eq 0 ]; then ip4tables -A EXT_INPUT_CHAIN -p esp -s $host -j ACCEPT ip4tables -A EXT_INPUT_CHAIN -p ah -s $host -j ACCEPT fi if [ "$IPV6_SUPPORT" = "1" ]; then if [ $ipver -eq 6 -o $ipver -eq 0 ]; then ip6tables -A EXT_INPUT_CHAIN -m esp -p esp -s $host -j ACCEPT ip6tables -A EXT_INPUT_CHAIN -m ah -s $host -j ACCEPT fi fi if [ "$IPSEC_NAT_TRAVERSAL" = "1" ]; then iptables -A EXT_INPUT_CHAIN -p udp --dport 4500 -s $host -j ACCEPT fi done local cnt=0 IFS=' ,' for eif in $EXT_IF; do for net in $INTERNAL_NET; do cnt=$((cnt + 1)) iptables -I SPOOF_CHK $cnt -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN done done IFS=' ,' for eif in ${NAT_IF:-$EXT_IF}; do # Allow IPSEC packets in after decapsulation ip4tables -t nat -A PREROUTING -i $eif -m policy --pol ipsec --dir in -j ACCEPT # Do not apply masquerading to outbound traffic ip4tables -t nat -A POSTROUTING -o $eif -m policy --pol ipsec --dir out -j ACCEPT done IFS=' ,' for eif in $EXT_IF; do iptables -A FORWARD -i $eif -m policy --pol ipsec --dir in -j VPN_FORWARD iptables -A INPUT -i $eif -m policy --pol ipsec --dir in -j VPN_INPUT done return 0 } # Plugin stop function plugin_stop() { local eif net IFS iptables -F VPN_INPUT iptables -X VPN_INPUT 2>/dev/null iptables -F VPN_FORWARD iptables -X VPN_FORWARD 2>/dev/null IFS=' ,' for eif in $EXT_IF; do for net in $INTERNAL_NET; do iptables -D SPOOF_CHK -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN done done return 0 } # Plugin status function plugin_status() { return 0 } # Check sanity of eg. 
environment plugin_sanity_check() { # Sanity check if [ -z "$IPSEC_ALLOWED_HOSTS" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50ipv6-over-ipv4.plugin000066400000000000000000000071601464417520100256540ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - IPv6-over-IPv4 plugin =- # PLUGIN_NAME="IPv6-over-IPv4 plugin" PLUGIN_VERSION="0.2BETA" PLUGIN_CONF_FILE="ipv6-over-ipv4.conf" # # Last changed : October 8, 2010 # Requirements : kernel 2.6 with IPv6 support # Comments : This plugin opens the (IPv4) protocols to enable # IPv6 tunneling. Only works with AIF 1.9+ ! 
# # Author : (C) Copyright 2010 by Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { local src interface # Enable (allow) IPv6 tunnel traffic #################################### echo "${INDENT}Allowing IPv6 tunnel for $IPV6_OVER_IPV4_SERVER (INET) to interface(s): $IPV6_OVER_IPV4_IF" IFS=' ,' for src in $IPV6_OVER_IPV4_SERVER; do for interface in $IPV6_OVER_IPV4_IF; do ip4tables -A EXT_INPUT_CHAIN -s $src -i $interface -p 41 -j ACCEPT done done return 0 } # Plugin stop function plugin_stop() { return 0 } # Plugin status function plugin_status() { return 0 } # Check sanity of eg. 
environment plugin_sanity_check() { if [ -z "$IPV6_OVER_IPV4_IF" -o -z "$IPV6_OVER_IPV4_SERVER" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50linux-upnp-igd.plugin000066400000000000000000000075401464417520100260210ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - Linux UPnP IGD plugin =- # PLUGIN_NAME="Linux UPnP IGD plugin" PLUGIN_VERSION="1.0a" PLUGIN_CONF_FILE="linux-upnp-igd.conf" # # Last changed : October 10, 2011 # Requirements : kernel 2.6 + linux-igd # Comments : An UPnP-enabled application can tell linux-igd what public ports # have to be forwarded back to the application. # This plugin adds a new chain into the FORWARD chain # where the UPnP daemon "linuxigd" can insert its ports. 
# In "upnpd.conf" you must set the forward_chain_name = UPNP_FORWARD # # Author : (C) Copyright 2007-2011 by Joerg Straube # Homepage : http://joerg.li/ # Email : j o e r g DOT s t r a u b e AT i a e t h DOT c h # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { # Create new UPNP_FORWARD chain to be used by linuxigd (aka upnpd): iptables -N UPNP_FORWARD 2>/dev/null iptables -F UPNP_FORWARD iptables -N UPNP_FORWARD_HOOK 2>/dev/null iptables -F UPNP_FORWARD_HOOK # Insert rule into the FORWARD chain: IFS=' ,' for eif in $EXT_IF; do iptables -A UPNP_FORWARD_HOOK -i $eif ! -o $eif -j UPNP_FORWARD done iptables -A FORWARD -j UPNP_FORWARD_HOOK return 0 } # Plugin stop function plugin_stop() { iptables -D FORWARD -j UPNP_FORWARD_HOOK 2>/dev/null iptables -F UPNP_FORWARD_HOOK iptables -X UPNP_FORWARD_HOOK 2>/dev/null iptables -F UPNP_FORWARD iptables -X UPNP_FORWARD 2>/dev/null return 0 } # Plugin status function plugin_status() { return 0 } # Check sanity of eg. 
environment plugin_sanity_check() { return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50multiroute.plugin000066400000000000000000000170501464417520100253470ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - Multirouting plugin =- # PLUGIN_NAME="Multirouting plugin" PLUGIN_VERSION="1.00" PLUGIN_CONF_FILE="multiroute.conf" # # Last changed : February 6, 2020 # Requirements : iproute2 (package) + kernel 2.6 with the following options set in: # Networking, Networking support, TCP/IP networking: # CONFIG_IP_ADVANCED_ROUTER=y (IP: advanced router) # CONFIG_IP_MULTIPLE_TABLES=y (IP: policy routing) # CONFIG_IP_ROUTE_MULTIPATH=y (IP: equal cost multipath) # # Comments : This plugin enables IP multirouting (load balancing). Note # that it does NOT support redundant connections (fallback when # one of the links is down). 
This is NOT a limitation of this # plugin, but of the current Linux kernel that does not support # this(yet). To obtain the information needed to configure this plugin # use the 'ifconfig' and 'route' commands. # # Author : (C) Copyright 2005-2020 by Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { if [ "$RP_FILTER_DISABLE" = "1" ]; then # In some cases the rp_filter gives some problems, so we disable it and # rely on the anti-spoof rules in the firewall echo "${INDENT}Disabling RP_FILTER..." 
echo "0" >/proc/sys/net/ipv4/conf/$MULTIROUTE_EXT_IF1/rp_filter echo "0" >/proc/sys/net/ipv4/conf/$MULTIROUTE_EXT_IF2/rp_filter fi # Purge, just in case ip rule del from $MULTIROUTE_EXT_IP1 lookup 1 2>/dev/null ip rule del from $MULTIROUTE_EXT_IP2 lookup 2 2>/dev/null # Setup source IP routing rules for external interface 1 echo "${INDENT}Setup source IP routing for $MULTIROUTE_EXT_IP1" ip rule add from $MULTIROUTE_EXT_IP1 lookup 1 # ip route replace 0/0 via $MULTIROUTE_EXT_ROUTER1 table 1 echo "${INDENT}Setting default route for $MULTIROUTE_EXT_IF1 to $MULTIROUTE_EXT_ROUTER1 (table 1)" ip route replace default via $MULTIROUTE_EXT_ROUTER1 dev $MULTIROUTE_EXT_IF1 table 1 echo "${INDENT}Setting route for $MULTIROUTE_INT_NET to $MULTIROUTE_INT_IP (table 1)" ip route replace $MULTIROUTE_INT_NET via $MULTIROUTE_INT_IP table 1 # Setup source IP routing rules for external interface 2 echo "${INDENT}Setup source IP routing for $MULTIROUTE_EXT_IP2" ip rule add from $MULTIROUTE_EXT_IP2 lookup 2 # ip route replace 0/0 via $MULTIROUTE_EXT_ROUTER2 table 2 echo "${INDENT}Setting default route for $MULTIROUTE_EXT_IF2 to $MULTIROUTE_EXT_ROUTER2 (table 2)" ip route replace default via $MULTIROUTE_EXT_ROUTER2 dev $MULTIROUTE_EXT_IF2 table 2 echo "${INDENT}Setting route for $MULTIROUTE_INT_NET to $MULTIROUTE_INT_IP (table 2)" ip route replace $MULTIROUTE_INT_NET via $MULTIROUTE_INT_IP table 2 # Destroy old routes ip route del default via $MULTIROUTE_EXT_ROUTER1 dev $MULTIROUTE_EXT_IF1 2>/dev/null ip route del default via $MULTIROUTE_EXT_ROUTER2 dev $MULTIROUTE_EXT_IF2 2>/dev/null # Setup the actual loadbalancing echo "${INDENT}Enabling loadbalancing" echo "${INDENT} Adding external interface $MULTIROUTE_EXT_IF1, gw=$MULTIROUTE_EXT_ROUTER1, weight=$MULTIROUTE_EXT_WEIGHT1" echo "${INDENT} Adding external interface $MULTIROUTE_EXT_IF2, gw=$MULTIROUTE_EXT_ROUTER2, weight=$MULTIROUTE_EXT_WEIGHT2" ip route add default scope global \ nexthop via $MULTIROUTE_EXT_ROUTER1 dev 
$MULTIROUTE_EXT_IF1 weight $MULTIROUTE_EXT_WEIGHT1 \ nexthop via $MULTIROUTE_EXT_ROUTER2 dev $MULTIROUTE_EXT_IF2 weight $MULTIROUTE_EXT_WEIGHT2 # Flush route cache # echo "1" >/proc/sys/net/ipv4/route/flush ip route flush cache return 0 } # Plugin stop function plugin_stop() { echo "${INDENT}Removing lookup rules" ip rule del from $MULTIROUTE_EXT_IP1 lookup 1 ip rule del from $MULTIROUTE_EXT_IP2 lookup 2 ip route del default via $MULTIROUTE_EXT_ROUTER1 dev $MULTIROUTE_EXT_IF1 2>/dev/null ip route del default via $MULTIROUTE_EXT_ROUTER2 dev $MULTIROUTE_EXT_IF2 2>/dev/null # Set default route to the first interface echo "${INDENT}Setting default (single) route to $MULTIROUTE_EXT_ROUTER1 on interface $MULTIROUTE_EXT_IF1" ip route add default via $MULTIROUTE_EXT_ROUTER1 dev $MULTIROUTE_EXT_IF1 # Flush route cache # echo "1" >/proc/sys/net/ipv4/route/flush ip route flush cache return 0 } # Plugin status function plugin_status() { ip rule show ip route show return 0 } # Check sanity of eg. environment plugin_sanity_check() { # Set default weight, if not specified if [ -z "$MULTIROUTE_EXT_WEIGHT1" ]; then MULTIROUTE_EXT_WEIGHT1=1 fi # Set default weight, if not specified if [ -z "$MULTIROUTE_EXT_WEIGHT2" ]; then MULTIROUTE_EXT_WEIGHT2=1 fi if [ -z "$MULTIROUTE_EXT_IF1" -o -z "$MULTIROUTE_EXT_ROUTER1" -o -z "$MULTIROUTE_EXT_IP1" -o \ -z "$MULTIROUTE_EXT_IF2" -o -z "$MULTIROUTE_EXT_ROUTER2" -o -z "$MULTIROUTE_EXT_IP2" -o \ -z "$MULTIROUTE_INT_IP" -o -z "$MULTIROUTE_INT_NET" -o \ $MULTIROUTE_EXT_WEIGHT1 -le 0 -o $MULTIROUTE_EXT_WEIGHT2 -le 0 ]; then printf "\033[40m\033[1;31m ERROR: The plugin config file is not properly set!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! 
-f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin000066400000000000000000000101561464417520100272670ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - PPTP VPN Passthrough plugin =- # PLUGIN_NAME="PPTP VPN Passthrough plugin" PLUGIN_VERSION="1.01" PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" # # Last changed : June 15, 2017 # Requirements : AIF 2.0.0+ and ip_nat_pptp # Comments : This plugin loads the required kernel modules for PPTP VPN Clients # to access remote PPTP VPN Server(s) when NAT is enabled. # # Author : (C) Copyright 2016-2017 by Lonnie Abelbeck & Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) 
# ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { if [ "$NAT" = "1" ]; then echo "${INDENT}Enable PPTP NAT helper module" modprobe_multi nf_nat_pptp ip_nat_pptp if ip4tables -nL CONNTRACK_HELPER >/dev/null 2>&1; then ip4tables -A CONNTRACK_HELPER -m conntrack --ctstate RELATED -m helper --helper pptp -j ACCEPT ip4tables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp fi else echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." fi return 0 } # Plugin restart function plugin_restart() { # Skip plugin_stop on a restart plugin_start return 0 } # Plugin stop function plugin_stop() { if [ "$NAT" = "1" ]; then if [ -e /proc/modules -a -x "$MODPROBE" ]; then if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 fi if [ $? -eq 0 ]; then echo "${INDENT}Disabled PPTP NAT helper module" fi fi fi return 0 } # Plugin status function plugin_status() { return 0 } # Check sanity of eg. 
environment plugin_sanity_check() { return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50pptp-vpn.plugin000066400000000000000000000154721464417520100247300ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - PPTP VPN plugin =- # PLUGIN_NAME="PPTP VPN plugin" PLUGIN_VERSION="1.00 BETA" PLUGIN_CONF_FILE="pptp-vpn.conf" # # Last changed : February 21, 2011 # Requirements : AIF 2.0.0+ # Comments : This plugin adds all required rules for using a PPTP Server. 
# # Author : (C) Copyright 2011 by Lonnie Abelbeck & Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) # ------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------ # Plugin start function plugin_start() { local host net eif ppp_ifs="" IFS iptables -N PPTP_VPN_INPUT 2>/dev/null iptables -F PPTP_VPN_INPUT iptables -N PPTP_VPN_FORWARD_IN 2>/dev/null iptables -F PPTP_VPN_FORWARD_IN iptables -N PPTP_VPN_FORWARD_OUT 2>/dev/null iptables -F PPTP_VPN_FORWARD_OUT IFS=' ,' for eif in $EXT_IF; do case $eif in ppp+) echo "${INDENT}ERROR: Cannot distinguish between external and PPTP-VPN 'ppp+' interfaces." echo "${INDENT} ${PLUGIN_NAME} functionally is disabled." 
return 0 ;; ppp[0-9]*) ppp_ifs="$ppp_ifs${ppp_ifs:+ }$eif" ;; esac done # Setup PPTP VPN rules if [ -n "$ppp_ifs" ]; then echo "${INDENT}Excluding external interfaces '$ppp_ifs' from PPTP VPN" IFS=' ,' for eif in $ppp_ifs; do iptables -A PPTP_VPN_INPUT -i $eif -j RETURN iptables -A PPTP_VPN_FORWARD_IN -i $eif -j RETURN iptables -A PPTP_VPN_FORWARD_OUT -o $eif -j RETURN done fi if [ -n "$PPTP_VPN_ALLOW_HOSTS" ]; then echo "${INDENT}Allowing PPTP VPN packets to hosts: $PPTP_VPN_ALLOW_HOSTS" IFS=' ,' for host in $PPTP_VPN_ALLOW_HOSTS; do iptables -A PPTP_VPN_INPUT -d $host -j ACCEPT iptables -A PPTP_VPN_FORWARD_IN -d $host -j ACCEPT iptables -A PPTP_VPN_FORWARD_OUT -s $host -j ACCEPT done fi if [ -n "$PPTP_VPN_DENY_HOSTS" ]; then echo "${INDENT}Denying PPTP VPN packets to hosts: $PPTP_VPN_DENY_HOSTS" IFS=' ,' for host in $PPTP_VPN_DENY_HOSTS; do if [ "$PPTP_VPN_DENY_LOG" = "1" ]; then iptables -A PPTP_VPN_INPUT -d $host -m limit --limit 3/m -j LOG \ --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " iptables -A PPTP_VPN_FORWARD_IN -d $host -m limit --limit 3/m -j LOG \ --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " iptables -A PPTP_VPN_FORWARD_OUT -s $host -m limit --limit 3/m -j LOG \ --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " fi iptables -A PPTP_VPN_INPUT -d $host -j DROP iptables -A PPTP_VPN_FORWARD_IN -d $host -j DROP iptables -A PPTP_VPN_FORWARD_OUT -s $host -j DROP done fi # Default policy, allow all the rest iptables -A PPTP_VPN_INPUT -j ACCEPT iptables -A PPTP_VPN_FORWARD_IN -j ACCEPT iptables -A PPTP_VPN_FORWARD_OUT -j ACCEPT # Filter ppp+ traffic related to the PPTP VPN if [ -n "$PPTP_VPN_NETS" ]; then echo "${INDENT}Applying rules for PPTP VPN nets $PPTP_VPN_NETS" IFS=' ,' for net in $PPTP_VPN_NETS; do # Adjust spoof check iptables -I SPOOF_CHK -i ppp+ -s $net -j RETURN # Insert rule in the INPUT chain iptables -A INPUT -i ppp+ -s $net -j PPTP_VPN_INPUT # Insert rules in the FORWARD chain iptables -A FORWARD -i ppp+ -s 
$net -j PPTP_VPN_FORWARD_IN iptables -A FORWARD -o ppp+ -d $net -j PPTP_VPN_FORWARD_OUT done fi echo "${INDENT}Allowing internet hosts $PPTP_VPN_TUNNEL_HOSTS to access the PPTP VPN service" IFS=' ,' for host in $(ip_range "$PPTP_VPN_TUNNEL_HOSTS"); do iptables -A EXT_INPUT_CHAIN -p gre -s $host -j ACCEPT iptables -A EXT_INPUT_CHAIN -p tcp --dport 1723 -s $host -j ACCEPT done return 0 } # Plugin restart function plugin_restart() { # Skip plugin_stop on a restart plugin_start return 0 } # Plugin stop function plugin_stop() { iptables -F PPTP_VPN_INPUT iptables -X PPTP_VPN_INPUT 2>/dev/null iptables -F PPTP_VPN_FORWARD_IN iptables -X PPTP_VPN_FORWARD_IN 2>/dev/null iptables -F PPTP_VPN_FORWARD_OUT iptables -X PPTP_VPN_FORWARD_OUT 2>/dev/null return 0 } # Plugin status function plugin_status() { return 0 } # Check sanity of eg. environment plugin_sanity_check() { # Sanity check if [ -z "$PPTP_VPN_TUNNEL_HOSTS" ]; then printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 return 1 fi return 0 } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Preinit to success: PLUGIN_RET_VAL=0 # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 else # Source the plugin config file . "$CONF_FILE" if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? 
        ;;
        restart ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

# File: aif-2.1.2a/share/arno-iptables-firewall/plugins/50sip-voip.plugin

# ------------------------------------------------------------------------------
#             -= Arno's Iptables Firewall(AIF) - SIP-VOIP plugin =-
#
PLUGIN_NAME="SIP-VOIP plugin"
PLUGIN_VERSION="0.32BETA"
PLUGIN_CONF_FILE="sip-voip.conf"
#
# Last changed          : June 13, 2017
# Requirements          : AIF 2.0.0+ and ip_conntrack_sip
# Comments              : This plugin will allow/enable SIP (VOIP) support
#
# Author                : (C) Copyright 2010-2017 by Arno van Amersfoort
# Credits               : Philip Prindeville for his initial idea
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  local port ports="" host IFS

  if [ -z "$SIP_VOIP_PORTS" ]; then
    SIP_VOIP_PORTS="5060"
  fi

  if [ -z "$SIP_VOIP_REMOTE_HOSTS" ]; then
    SIP_VOIP_REMOTE_HOSTS="0/0"
  fi

  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat

  echo "${INDENT}Using SIP UDP for $SIP_VOIP_REMOTE_HOSTS (INET) to port(s): $SIP_VOIP_PORTS"

  # We need the SIP module loaded of course
  IFS=' ,'
  for port in $SIP_VOIP_PORTS; do
    # Check for kernel 2.6.25 or newer
    if kernel_ver_chk 2 6 25; then
      ports="${ports:-ports=}${ports:+,}$port"
    else
      ports="$ports${ports:+ }ports=$port"
    fi
  done

  IFS=' '
  if ! modprobe nf_conntrack_sip $ports >/dev/null 2>&1; then
    modprobe ip_conntrack_sip $ports
  fi

  # Load the SIP NAT module only when required
  if [ "$NAT" = "1" ]; then
    modprobe_multi nf_nat_sip ip_nat_sip
  fi

  if ip4tables -nL CONNTRACK_HELPER >/dev/null 2>&1; then
    iptables -A CONNTRACK_HELPER -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT

    IFS=' ,'
    for port in $SIP_VOIP_PORTS; do
      iptables -t raw -A PREROUTING -p udp --dport $port -j CT --helper sip
    done
  fi

  IFS=' ,'
  for host in $SIP_VOIP_REMOTE_HOSTS; do
    for port in $SIP_VOIP_PORTS; do
      iptables -A EXT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
    done
  done

  return 0
}


# Plugin stop function
plugin_stop()
{
  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Sanity check environment before actual start
plugin_sanity_check()
{
  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . \
"$CONF_FILE" if [ "$ENABLED" = "1" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then # Show who we are: echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" # Increment indention INDENT="$INDENT " # Only proceed if environment ok if ! plugin_sanity_check; then PLUGIN_RET_VAL=1 else case $PLUGIN_CMD in start|'') plugin_start; PLUGIN_RET_VAL=$? ;; stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin000066400000000000000000000132021464417520100303250ustar00rootroot00000000000000# ------------------------------------------------------------------------------ # -= Arno's Iptables Firewall(AIF) - SSH Brute Force Protection plugin =- # PLUGIN_NAME="SSH Brute-Force Protection plugin" PLUGIN_VERSION="1.1b" PLUGIN_CONF_FILE="ssh-brute-force-protection.conf" # # Last changed : June 14, 2017 # Requirements : kernel 2.6 + ipt_recent or xt_recent # : AIF 1.9.2k (and later) # Comments : This plugin implements protecting for brute force # cracking by limiting the amount of connection attempts # for each source IP in specific time slot. Its # primarely intended for SSH/port 22 but in principle # it can be used for any TCP protocol # (eg. FTP/SMTP/IMAP etc. # Updated for mixed IPv4/IPv6 # # Author : (C) Copyright 2006-2017 by Arno van Amersfoort # Web : https://github.com/arno-iptables-firewall/aif # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m # (note: you must remove all spaces and substitute the @ and the . # at the proper locations!) 
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  if [ "$IPV6_DETECTED" = "1" ] && [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new SSH_CHK to insert SSH checker + whitelist:
  $IPTABLES -N SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_CHK

  # Create new SSH_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N SSH_LOG_DROP 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP
  $IPTABLES -A SSH_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:SSH Brute force attack?: "
  $IPTABLES -A SSH_LOG_DROP -j DROP

  if [ -n "$SSH_BFP_TRUSTED_HOSTS" ]; then
    # Create whitelist:
    echo "${INDENT}Allowing bypass of SSH protection checks for: $SSH_BFP_TRUSTED_HOSTS"
    IFS=' ,'
    for host in `ip_range "$SSH_BFP_TRUSTED_HOSTS"`; do
      $IPTABLES -A SSH_CHK -s $host -j RETURN
    done
  fi

  # Create rate1 & rate2 checker:
  $IPTABLES -A SSH_CHK -m recent --name sshchk --set
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME1 --hitcount $SSH_BFP_MAX_RATE1 -j SSH_LOG_DROP
  $IPTABLES -A SSH_CHK -m \
    recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME2 --hitcount $SSH_BFP_MAX_RATE2 -j SSH_LOG_DROP

  # If no ports were configured, use default of 22
  if [ -z "$SSH_BFP_PORTS" ]; then
    SSH_BFP_PORTS="22"
  fi

  echo "${INDENT}Protecting TCP port(s): $SSH_BFP_PORTS"

  # Insert rule into the EXTERNAL INPUT chain:
  IFS=' ,'
  for port in $SSH_BFP_PORTS; do
    $IPTABLES -A EXT_INPUT_CHAIN -p tcp --dport $port ${NF_CONNTRACK_STATE:--m state --state} NEW -j SSH_CHK
  done

  return 0
}


# Plugin stop function
plugin_stop()
{
  $IPTABLES -F SSH_CHK
  $IPTABLES -X SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP
  $IPTABLES -X SSH_LOG_DROP 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$SSH_BFP_MAX_RATE1" -o -z "$SSH_BFP_MAX_TIME1" -o -z "$SSH_BFP_MAX_RATE2" -o -z "$SSH_BFP_MAX_TIME2" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    if [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi

    unset IPTABLES
  fi
fi

# File: aif-2.1.2a/share/arno-iptables-firewall/plugins/50transparent-dnat.plugin

# ------------------------------------------------------------------------------
#           -= Arno's Iptables Firewall(AIF) - Transparent DNAT plugin =-
#
PLUGIN_NAME="Transparent DNAT plugin"
PLUGIN_VERSION="0.31BETA (EXPERIMENTAL!)"
PLUGIN_CONF_FILE="transparent-dnat.conf"
#
# Last changed          : July 31, 2015
# Requirements          : kernel 2.6 + ip_nat + iptable_nat
# Comments              : This plugin enables transparent DNAT for internal hosts for
#                         certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http)
#                         which should be redirected from a certain INET address to an
#                         internal address.
#
# Author                : (C) Copyright 2007-2009 by Arno van Amersfoort
# Credits               : Rok Potocnik for his initial idea
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat
  modprobe iptable_nat

  echo "${INDENT}Using internal IP $DNAT_MY_INTERNAL_IP & external IP $DNAT_MY_EXTERNAL_IP"

  if [ -n "$DNAT_TCP_PORTS" ]; then
    echo "${INDENT}Enabling transparent DNAT for TCP port(s): $DNAT_TCP_PORTS"
    IFS=' ,'
    for interface in $INT_IF; do
      for port in $DNAT_TCP_PORTS; do
        ip4tables -t nat -A POSTROUTING -o $interface -p tcp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE
        ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p tcp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP
      done
    done
  else
    echo "${INDENT}No TCP ports configured"
  fi

  if [ -n "$DNAT_UDP_PORTS" ]; then
    echo "${INDENT}Enabling transparent DNAT for UDP port(s): $DNAT_UDP_PORTS"
    IFS=' ,'
    for interface in $INT_IF; do
      for port in $DNAT_UDP_PORTS; do
        ip4tables -t nat -A POSTROUTING -o $interface -p udp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE
        ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p udp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP
      done
    done
  else
    echo "${INDENT}No UDP ports configured"
  fi

  return 0
}


# Plugin stop function
plugin_stop()
{
  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$DNAT_MY_INTERNAL_IP" -o -z "$DNAT_MY_EXTERNAL_IP" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! \
     -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

# File: aif-2.1.2a/share/arno-iptables-firewall/plugins/50transparent-proxy.plugin

# ------------------------------------------------------------------------------
#          -= Arno's Iptables Firewall(AIF) - Transparent Proxy plugin =-
#
PLUGIN_NAME="Transparent Proxy plugin"
PLUGIN_VERSION="1.04"
PLUGIN_CONF_FILE="transparent-proxy.conf"
#
# Last changed          : July 31, 2015
# Requirements          : kernel 2.6 + ip_nat + iptable_nat
# Comments              : This plugin enables transparent DNAT for internal hosts for
#                         certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http)
#                         which should be redirected from a certain INET address to an
#                         internal address.
#                         Updated to be IPv4-only
#
# Author                : (C) Copyright 2007-2010 by Arno van Amersfoort
# Credits               : Rok Potocnik for his initial idea
# Web                   : https://github.com/arno-iptables-firewall/aif
# Email                 : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat
  modprobe iptable_nat

  # Setup (transparent) proxy settings:
  #####################################
  if [ -n "$FTP_PROXY_PORT" ]; then
    echo "${INDENT}Redirecting all internal FTP(port 21) traffic to proxy-port $FTP_PROXY_PORT"
    IFS=' ,'
    for interface in $INT_IF; do
      ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 21 -j REDIRECT --to-ports $FTP_PROXY_PORT
    done
  fi

  if [ -n "$SMTP_PROXY_PORT" ]; then
    echo "${INDENT}Redirecting all internal SMTP(port 25) traffic to proxy-port $SMTP_PROXY_PORT"
    IFS=' ,'
    for interface in $INT_IF; do
      ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 25 -j REDIRECT --to-ports $SMTP_PROXY_PORT
    done
  fi

  if [ -n "$HTTP_PROXY_PORT" ]; then
    echo "${INDENT}Redirecting all internal HTTP(port 80) traffic to proxy-port $HTTP_PROXY_PORT"
    IFS=' ,'
    for interface in $INT_IF; do
      ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PROXY_PORT
    done
  fi

  if [ -n "$POP3_PROXY_PORT" ]; then
    echo "${INDENT}Redirecting all internal POP3(port 110) traffic to proxy-port $POP3_PROXY_PORT"
    IFS=' ,'
    for interface in $INT_IF; do
      ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 110 -j REDIRECT --to-ports $POP3_PROXY_PORT
    done
  fi

  if [ -n "$HTTPS_PROXY_PORT" ]; then
    echo "${INDENT}Redirecting all internal HTTPs(port 443) traffic to proxy-port $HTTPS_PROXY_PORT"
    IFS=' ,'
    for interface in $INT_IF; do
      ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PROXY_PORT
    done
  fi

  return 0
}


# Plugin stop function
plugin_stop()
{
  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
#  if [ -z "$FTP_PROXY_PORT" -o -z "$SMTP_PROXY_PORT" ]; then
#    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
#    return 1
#  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

# File: aif-2.1.2a/share/arno-iptables-firewall/plugins/60traffic-shaper.plugin

# ------------------------------------------------------------------------------
#   -= Arno's Iptables Firewall(AIF) - (HTB/HFSC/CFQ) traffic shaper plugin =-
#
PLUGIN_NAME="Traffic Shaper Plugin"
PLUGIN_VERSION="1.2.2a"
PLUGIN_CONF_FILE="traffic-shaper.conf"
#
# Last changed          : July 21, 2015
# Requirements          : kernel 2.6 + iproute
# Comments              : This plugin will shape traffic. It borrows heavily on
#                         the logic of Maciej's original script (below), with
#                         some minor changes to the actual bins that traffic
#                         goes into (I made the catch-all [default] for traffic
#                         be a higher priority than browsing or bulk data
#                         transfer).
#                         [LRA]: Added htb support from astshape in AstLinux
#                         [LRA]: Classify by DSCP class
# Author                : (C) Copyright 2008-2010 by Philip Prindeville
# Credits               : Maciej Blizinski
# Credits               : Kristian Kielhofner
# Credits               : Lonnie Abelbeck
# Credits               : Arno van Amersfoort (CFQ)
# Homepage              : http://www.voip-info.org/wiki/view/QoS+Linux+with+HFSC
#                         http://media.blizinski.pl/code/hfsc.gz
# Email                 : philipp AT redfish-solutions DOT com
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# Notes                 : HTB/CFQ is well tested, HFSC is experimental
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Traffic classes:
#   1:10  Highest Priority - Low Volume (ICMP, tcp-ACK, NTP, etc.)
#   1:20  Streaming Media - VoIP (RTP, IAX2, etc.)
#   1:30  Interactive - Shell (ssh, telnet, X, Vnc, etc.)
#   1:40  Default (SIP-signaling)
#   1:50  Bulk data transfer (HTTP, HTTPS, POP3, SMTP, FTP, etc.)
#   1:60  Lowest priority (P2P)

# Helper functions
setclassbyport()
{
  local pport="$1" class="$2" port sport proto IFS

  case $pport in
    t*) proto=tcp; port="${pport#t}" ;;
    u*) proto=udp; port="${pport#u}" ;;
    *)
      printf "\033[40m\033[1;31m${INDENT}ERROR: Unknown protocol/port $pport!\n\033[0m" >&2
      return 1
      ;;
  esac

  # We assume that on egress traffic, only the destination port is
  # significant, i.e. that we're not running any servers locally.
  iptables -t mangle -A SHAPER_CHAIN -m $proto -p $proto --dport $port -j CLASSIFY \
    --set-class $class
  iptables -t mangle -A SHAPER_CHAIN -m $proto -p $proto --dport $port -j RETURN

  # If we are running servers locally, include the protocol/port from the
  # SHAPER_LOCAL_SERVER_PORTS variable to also generate a --sport classify rule.
  # Note that this could have been done using an associative array in a single pass.
  IFS=' ,'
  for sport in $SHAPER_LOCAL_SERVER_PORTS; do
    if [ "$sport" = "$pport" ]; then
      iptables -t mangle -A SHAPER_CHAIN -m $proto -p $proto --sport $port -j CLASSIFY \
        --set-class $class
      iptables -t mangle -A SHAPER_CHAIN -m $proto -p $proto --sport $port -j RETURN
      break
    fi
  done

  return 0
}

classify_by_port()
{
  local port IFS

  # Automatically set UDP 123 (NTP) to highest priority class
  setclassbyport u123 1:10

  IFS=' ,'
  for port in $SHAPER_STREAMINGMEDIA_PORTS; do
    setclassbyport $port 1:20
  done

  IFS=' ,'
  for port in $SHAPER_INTERACTIVE_PORTS; do
    setclassbyport $port 1:30
  done

  IFS=' ,'
  for port in $SHAPER_BULKDATA_PORTS; do
    setclassbyport $port 1:50
  done

  IFS=' ,'
  for port in $SHAPER_P2P_PORTS; do
    setclassbyport $port 1:60
  done
}

classify_special_packets()
{
  # To speed up downloads while an upload is going on, put short ACK
  # packets in the high priority class:
  iptables -t mangle -A SHAPER_CHAIN \
    -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK \
    -m length --length :64 \
    -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN \
    -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK \
    -m length --length :64 \
    -j RETURN

  # put large (512+) icmp packets in bulk category
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length 512: \
    -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length 512: \
    -j RETURN

  # ICMP in the high priority class
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length :512 \
    -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN \
    -p icmp \
    -m length --length :512 \
    -j RETURN
}

classify_by_dscp_class()
{
  # Classify by DSCP class
  # Assume VoIP audio is marked as EF, and SIP as CS3
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class CS7 -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class CS6 -j CLASSIFY --set-class 1:10
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class EF -j CLASSIFY --set-class 1:20
  iptables -t mangle -A SHAPER_CHAIN -m dscp \
    --dscp-class CS5 -j CLASSIFY --set-class 1:30
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class CS4 -j CLASSIFY --set-class 1:30
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF41 -j CLASSIFY --set-class 1:30
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF42 -j CLASSIFY --set-class 1:30
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF43 -j CLASSIFY --set-class 1:30
  # Default: --set-class 1:40
  # CS0, CS3, AF31, AF32, AF33, AF21, AF22, AF23
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class CS2 -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF11 -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF12 -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class AF13 -j CLASSIFY --set-class 1:50
  iptables -t mangle -A SHAPER_CHAIN -m dscp --dscp-class CS1 -j CLASSIFY --set-class 1:60
}

incoming_traffic_limit()
{
  local retval=0

  # Skip if DOWNLINK is 0
  if [ $DOWNLINK -eq 0 ]; then
    return 0
  fi

  # Try to control the incoming traffic as well.
  # Set up ingress qdisc
  tc qdisc add dev $1 handle ffff: ingress || retval=1

  # filter *everything* to it (0.0.0.0/0), drop everything that's
  # coming in too fast:
  tc filter add dev $1 parent ffff: protocol ip prio 100 u32 match ip src \
    0.0.0.0/0 police rate ${DOWNLINK}kbit burst $((1 * DOWNLINK / 10))k drop flowid :1 || retval=1

  return $retval
}

# HFSC start function
plugin_start_hfsc()
{
  local retval=0

  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat
  modprobe sch_hfsc

  printf "${INDENT}Shaping as (Down/Up) %d/%d kb/s using '%s' for interface(s): %s\n" $DOWNLINK $UPLINK hfsc "$SHAPER_IF"

  iptables -t mangle -N SHAPER_CHAIN

  classify_special_packets
  classify_by_port
  classify_by_dscp_class

  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs $eif); do
      # add HFSC root qdisc
      tc qdisc add dev $eif1 root handle 1: hfsc default 40 || retval=1

      # add main rate limit class
      tc class add dev $eif1 parent 1: classid 1:1 hfsc \
        sc rate ${UPLINK}kbit ul rate ${UPLINK}kbit || retval=1

      # Highest Priority: guarantee 2/10 uplink for 50ms, then 1/10
      tc class add dev $eif1 parent 1:1 classid 1:10 hfsc \
        sc m1 $((2 * UPLINK / 10))kbit d 50ms m2 $((1 * UPLINK / 10))kbit \
        ul rate ${UPLINK}kbit || retval=1

      # Streaming Media: guarantee 5/10 uplink for 200ms, then 4/10
      tc class add dev $eif1 parent 1:1 classid 1:20 hfsc \
        sc m1 $((5 * UPLINK / 10))kbit d 200ms m2 $((4 * UPLINK / 10))kbit \
        ul rate ${UPLINK}kbit || retval=1

      # Interactive traffic: guarantee 3/10 uplink for 50ms, then 3/10
      tc class add dev $eif1 parent 1:1 classid 1:30 hfsc \
        sc m1 $((3 * UPLINK / 10))kbit d 50ms m2 $((3 * UPLINK / 10))kbit \
        ul rate ${UPLINK}kbit || retval=1

      # Default traffic: don't guarantee for 500ms, then guarantee 3/20
      tc class add dev $eif1 parent 1:1 classid 1:40 hfsc \
        sc m1 0 d 500ms m2 $((3 * UPLINK / 20))kbit \
        ul rate ${UPLINK}kbit || retval=1

      # Bulk data traffic: don't guarantee for 2
      # seconds, then guarantee 1/20
      tc class add dev $eif1 parent 1:1 classid 1:50 hfsc \
        sc m1 0 d 2s m2 $((1 * UPLINK / 20))kbit \
        ul rate ${UPLINK}kbit || retval=1

      # P2P traffic: don't guarantee anything
      tc class add dev $eif1 parent 1:1 classid 1:60 hfsc \
        sc m1 0 d 4s m2 1kbit \
        ul rate ${UPLINK}kbit || retval=1

      incoming_traffic_limit $eif1 || retval=1
    done

    # add SHAPER_CHAIN chain to mangle table in iptables
    iptables -t mangle -A POSTROUTING -o $eif -j SHAPER_CHAIN
  done

  return $retval
}

# HTB start function
plugin_start_htb()
{
  local retval=0

  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat

  printf "${INDENT}Shaping as (Down/Up) %d/%d kb/s using '%s' for interface(s): %s\n" $DOWNLINK $UPLINK htb "$SHAPER_IF"

  iptables -t mangle -N SHAPER_CHAIN

  classify_special_packets
  classify_by_port
  classify_by_dscp_class

  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs $eif); do
      # install root HTB, point default traffic to 1:40
      tc qdisc add dev $eif1 root handle 1: htb default 40 || retval=1

      # shape everything at $UPLINK speed to prevent queuing
      tc class add dev $eif1 parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k || retval=1

      # highest priority class 1:10
      tc class add dev $eif1 parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1 || retval=1

      # streaming media class 1:20
      tc class add dev $eif1 parent 1:1 classid 1:20 htb rate ${UPLINK}kbit burst 6k prio 2 || retval=1

      # interactive class 1:30
      tc class add dev $eif1 parent 1:1 classid 1:30 htb rate ${UPLINK}kbit burst 6k prio 3 || retval=1

      # default class 1:40
      tc class add dev $eif1 parent 1:1 classid 1:40 htb rate $((9*$UPLINK/10))kbit burst 6k prio 4 || retval=1

      # bulk class 1:50
      tc class add dev $eif1 parent 1:1 classid 1:50 htb rate $((8*$UPLINK/10))kbit burst 6k prio 5 || retval=1

      # p2p class 1:60
      tc class add dev $eif1 parent 1:1 classid 1:60 htb rate $((5*$UPLINK/10))kbit burst 6k prio 6 || retval=1
      # all get Stochastic Fairness
      tc qdisc add dev $eif1 parent 1:10 handle 10: sfq perturb 10 || retval=1
      tc qdisc add dev $eif1 parent 1:20 handle 20: sfq perturb 10 || retval=1
      tc qdisc add dev $eif1 parent 1:30 handle 30: sfq perturb 10 || retval=1
      tc qdisc add dev $eif1 parent 1:40 handle 40: sfq perturb 10 || retval=1
      tc qdisc add dev $eif1 parent 1:50 handle 50: sfq perturb 10 || retval=1
      tc qdisc add dev $eif1 parent 1:60 handle 60: sfq perturb 10 || retval=1

      incoming_traffic_limit $eif1 || retval=1
    done

    # add SHAPER_CHAIN chain to mangle table in iptables
    iptables -t mangle -A POSTROUTING -o $eif -j SHAPER_CHAIN
  done

  return $retval
}

plugin_cleanup()
{
  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs $eif); do
      # Reset everything to a known state (cleared)
      tc qdisc del dev $eif1 root 2>/dev/null
      tc qdisc del dev $eif1 ingress 2>/dev/null
    done

    # Flush and delete tables
    iptables -t mangle -D POSTROUTING -o $eif -j SHAPER_CHAIN 2>/dev/null
  done

  iptables -t mangle -F SHAPER_CHAIN 2>/dev/null
  iptables -t mangle -X SHAPER_CHAIN 2>/dev/null
}

# CFQ start function - Stochastic Fairness Queueing (SFQ) is a simple
# implementation of the fair queueing algorithms family. It's less accurate
# than others, but it also requires fewer calculations while being almost
# perfectly fair
plugin_start_cfq()
{
  local retval=0

  echo "${INDENT}Shaping using Stochastic Fairness Queueing (SFQ) for interface(s): $SHAPER_IF"

  IFS=' ,'
  for eif in $SHAPER_IF; do
    # tc doesn't take wildcards, so we need expansion done here
    for eif1 in $(wildcard_ifs $eif); do
      tc qdisc add dev $eif1 root sfq perturb 10 || retval=1
    done
  done

  return $retval
}

# Plugin start function
plugin_start()
{
  local retval=0

  # Make sure everything is clean before we start:
  plugin_cleanup

  case $SHAPER_TYPE in
    hfsc) plugin_start_hfsc; retval=$? ;;
    htb) plugin_start_htb; retval=$? ;;
    *) plugin_start_cfq; retval=$?
    ;;
  esac

  return $retval
}

# Plugin stop function
plugin_stop()
{
  plugin_cleanup

  return 0
}

# Plugin status function
plugin_status()
{
  local retval=0

  IFS=' ,'
  # tc doesn't take wildcards, so we need expansion done here
  for eif in $(wildcard_ifs $SHAPER_IF); do
    echo "${INDENT}[qdisc]"
    tc -s qdisc show dev $eif || retval=1
    echo ""

    echo "${INDENT}[class]"
    tc -s class show dev $eif || retval=1
    echo ""

    echo "${INDENT}[filter]"
    tc -s filter show dev $eif || retval=1
  done

  echo ""
  echo "${INDENT}[iptables]"
  iptables -t mangle -L SHAPER_CHAIN -v -x 2>/dev/null |sed -e "s/^/$INDENT/"

  return $retval
}

# Sanity check environment before actual start
plugin_sanity_check()
{
  if [ -z "$UPLINK" -o -z "$DOWNLINK" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\n\033[0m" >&2
    return 1
  fi

  if ! check_command tc; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required binary \"tc\" is not available!\n\033[0m" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Set default for old config file
SHAPER_IF="$EXT_IF"

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/90dmz-dnat.plugin

# ------------------------------------------------------------------------------
#      -= Arno's Iptables Firewall(AIF) - DMZ-host default port forwarding plugin =-
#
PLUGIN_NAME="DMZ-host DNAT plugin"
PLUGIN_VERSION="0.10"
PLUGIN_CONF_FILE="dmz-dnat.conf"
#
# Last changed : January 5, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments     : This plugin allows forwarding of all traffic to a "DMZ" host.
#                Updated to be IPv4-only
#                Updated to support parse_rule()
#                Updated to support ipt_if()
#
# Author       : (C) Copyright 2010-2019 by Arno van Amersfoort
#              : (C) Copyright 2010-2016 by Philip A. Prindeville
# Email        : philipp AT redfish-solutions DOT com
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  # Forward all traffic that doesn't match an explicit port-forward to the
  # DMZ host.
  ip4tables -t nat -N NAT_PREROUTING_LOCAL 2>/dev/null
  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  # bail if ICMP...
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -p icmp -j RETURN
  done

  local open_tcp="" open_udp="" open_ip=""

  unset IFS
  for rule in $OPEN_TCP; do
    open_tcp="$open_tcp $ANYHOST$SEP$rule"
  done

  # intercept HOST_OPEN_TCP and HOST_OPEN_UDP (sigh... duplicate code...)
  unset IFS
  for rule in $HOST_OPEN_TCP $open_tcp; do
    if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_UDP; do
    open_udp="$open_udp $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_UDP $open_udp; do
    if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_IP; do
    open_ip="$open_ip $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_IP $open_ip; do
    if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j RETURN
            done
          done
        done
      done
    fi
  done

  ## ICMP???
  echo "${INDENT}DMZ-DNAT: sending all non-local packets to $DMZ_IP"

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -j DNAT --to-destination $DMZ_IP
    ip4tables -A POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT
  done

  return 0
}


# Plugin stop function
plugin_stop()
{
  ip4tables -t nat -D POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL
  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -X NAT_PREROUTING_LOCAL 2>/dev/null

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -D POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT
  done

  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$DMZ_IP" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not (properly) setup!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?
        ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/90ids-protection.plugin

# ------------------------------------------------------------------------------
#            -= Arno's Iptables Firewall(AIF) - IDS-protection plugin =-
#
PLUGIN_NAME="IDS-protection plugin"
PLUGIN_VERSION="1.1a"
PLUGIN_CONF_FILE="ids-protection.conf"
#
# Last changed : June 14, 2017
# Requirements : kernel 2.6 + ipt_recent or xt_recent
#              : AIF 1.9.2k (and later)
# Comments     : This implements IDS protection aka Intrusion-Detection-System.
#                It will block remote hosts trying to eg. scan/access your
#                system on firewalled ports.
#                Updated for mixed IPv4/IPv6
#
# Author       : (C) Copyright 2007-2017 by Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  if [ "$IPV6_DETECTED" = "1" ] && [ "$IDS_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new IDS_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N IDS_LOG_DROP 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -A IDS_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:IDS violation: "
  $IPTABLES -A IDS_LOG_DROP -j DROP

  # Create new IDS_CHK to insert IDS checker + whitelist:
  $IPTABLES -N IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_CHK

  if [ -n "$IDS_TRUSTED_HOSTS" ]; then
    # Create whitelist:
    echo "${INDENT}Allowing bypass of IDS protection checks for: $IDS_TRUSTED_HOSTS"
    IFS=' ,'
    for host in `ip_range "$IDS_TRUSTED_HOSTS"`; do
      $IPTABLES -A IDS_CHK -s $host -j RETURN
    done
  fi

  # We also ignore ICMP traffic since we can not reliably check it for IDS
  $IPTABLES -A IDS_CHK -p icmp -j RETURN

  if [ -n "$IDS_EXCLUDE_TCP" ]; then
    echo "${INDENT}Excluding IDS check for TCP port(s): $IDS_EXCLUDE_TCP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_TCP; do
      $IPTABLES -A IDS_CHK -p tcp --dport $port -j RETURN
    done
  fi

  if [ -n "$IDS_EXCLUDE_UDP" ]; then
    echo "${INDENT}Excluding IDS check for UDP port(s): $IDS_EXCLUDE_UDP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_UDP; do
      $IPTABLES -A IDS_CHK -p udp --dport $port -j RETURN
    done
  fi

  $IPTABLES -A IDS_CHK -m recent --set --name idschk
  $IPTABLES -A IDS_CHK -m recent --update --name idschk

  if [ -z "$IDS_INTERFACE" ]; then
    IDS_INTERFACE="$EXT_IF"
  fi

  IFS=' ,'
  for interface in $IDS_INTERFACE; do
    # Create rate1 & rate2 checker:
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME1 --hitcount $IDS_MAX_RATE1 --name idschk -j IDS_LOG_DROP
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME2 --hitcount $IDS_MAX_RATE2 --name idschk -j IDS_LOG_DROP

    # Insert rule into the POST_INPUT_DROP_CHAIN chain:
    $IPTABLES -A POST_INPUT_DROP_CHAIN -i $interface ${NF_CONNTRACK_STATE:--m state --state} NEW -j IDS_CHK
  done

  return 0
}


# Plugin stop function
plugin_stop()
{
  $IPTABLES -F IDS_CHK
  $IPTABLES -X IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -X IDS_LOG_DROP 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$IDS_MAX_RATE1" -o -z "$IDS_MAX_TIME1" -o -z "$IDS_MAX_RATE2" -o -z "$IDS_MAX_TIME2" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    if [ "$IDS_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?
        ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi

    unset IPTABLES
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/90outbound-snat.plugin

# ------------------------------------------------------------------------------
#             -= Arno's Iptables Firewall(AIF) - Outbound SNAT plugin =-
#
PLUGIN_NAME="Outbound SNAT plugin"
PLUGIN_VERSION="1.01"
PLUGIN_CONF_FILE="outbound-snat.conf"
#
# Last changed : July 12, 2016
# Requirements : AIF 2.0.0+
# Comments     : When a NAT'ed external interface has multiple IPv4 addresses,
#                it may be desirable to specify which internal IP's or CIDR's
#                use which external IPv4 addresses for outbound connections.
#
# Author       : (C) Copyright 2012-2016 by Lonnie Abelbeck & Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

get_extif_ipv4_addresses()
{
  ip -o addr show dev "$1" 2>/dev/null \
    | awk '$3 == "inet" { split($4, field, "/"); print field[1]; }'
}


get_extif_with_ipv4_address()
{
  local host="$1" eif eip eips IFS

  IFS=' ,'
  for eif in $(wildcard_ifs ${NAT_IF:-$EXT_IF}); do
    eips="$(get_extif_ipv4_addresses $eif)"
    if [ -n "$eips" ]; then
      unset IFS
      for eip in $eips; do
        if [ "$host" = "$eip" ]; then
          echo "$eif"
          return 0
        fi
      done
    fi
  done

  return 1
}


# Plugin start function
plugin_start()
{
  local rule net host eif IFS

  ip4tables -t nat -N OUTBOUND_SNAT 2>/dev/null
  ip4tables -t nat -F OUTBOUND_SNAT

  IFS=' ,'
  for rule in $OUTBOUND_SNAT_NET_HOST; do
    net="$(echo "$rule" |cut -s -d'>' -f1)"
    host="$(echo "$rule" |cut -s -d'>' -f2)"
    if [ -n "$net" -a -n "$host" ]; then
      # First, look for matching external interface with "host" address.
      eif="$(get_extif_with_ipv4_address $host)"
      if [ -n "$eif" ]; then
        # Apply to single external interface containing "host".
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface: $eif"
        ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
      else
        # Apply to all external interface(s) if "host" is not currently found.
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface(s): ${NAT_IF:-$EXT_IF}"
        IFS=' ,'
        for eif in ${NAT_IF:-$EXT_IF}; do
          ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
        done
      fi
    else
      echo "** WARNING: In Variable OUTBOUND_SNAT_NET_HOST, Rule: \"$rule\" is ignored." >&2
    fi
  done

  ip4tables -t nat -A POSTROUTING -j OUTBOUND_SNAT

  return 0
}


# Plugin restart function
plugin_restart()
{
  # Skip plugin_stop on a restart
  plugin_start

  return 0
}


# Plugin stop function
plugin_stop()
{
  ip4tables -t nat -D POSTROUTING -j OUTBOUND_SNAT
  ip4tables -t nat -F OUTBOUND_SNAT
  ip4tables -t nat -X OUTBOUND_SNAT 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  # Sanity check
  if [ -z "$OUTBOUND_SNAT_NET_HOST" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start; PLUGIN_RET_VAL=$?
        ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$?
        ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status           ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *                ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/90rpc.plugin

# ------------------------------------------------------------------------------
#                 -= Arno's Iptables Firewall(AIF) - RPC plugin =-
#
PLUGIN_NAME="RPCplugin"
PLUGIN_VERSION="0.22a-BETA"
PLUGIN_CONF_FILE="rpc.conf"
#
# Last changed : April 13, 2020
# Requirements : kernel 2.6
# Comments     : This plugin opens RPC ports
#
# Author       : (C) Copyright 2011-2012 by Jared H. Hudson
# Email        : jhhudso AT volumehost DOT com
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
plugin_start()
{
  # Create new RPC_CHAIN chain:
  iptables -N RPC_CHAIN 2>/dev/null
  iptables -F RPC_CHAIN

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN

  echo "${INDENT}Enabling RPC service(s) $RPC_SERVICES for net(s) $RPC_NETS"

  IFS=' ,'
  for service in $RPC_SERVICES; do
    ports="$(rpcinfo -p |awk "/tcp.*$service/"' { print $4 }' |uniq |tr '\n' ' ')"
    echo "${INDENT}Adding TCP ports $ports for RPC service $service"
    for net in $RPC_NETS; do
      for port in $ports; do
        iptables -I RPC_CHAIN -p tcp -s $net --dport $port -j ACCEPT
      done
    done

    ports="$(rpcinfo -p |awk "/udp.*$service/"' { print $4 }' |uniq |tr '\n' ' ')"
    echo "${INDENT}Adding UDP ports $ports for RPC service $service"
    for net in $RPC_NETS; do
      for port in $ports; do
        iptables -I RPC_CHAIN -p udp -s $net --dport $port -j ACCEPT
      done
    done
  done

  return 0
}


# Plugin restart function
plugin_restart()
{
  ## Re-add standard chain rules that are flushed on a restart
  echo "${INDENT}Restarting..."

  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN

  return 0
}


# Plugin stop function
plugin_stop()
{
  iptables -D EXT_INPUT_CHAIN -j RPC_CHAIN 2>/dev/null
  iptables -F RPC_CHAIN
  iptables -X RPC_CHAIN 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  iptables -L RPC_CHAIN |sed -e "s/^/$INDENT/"

  return 0
}


plugin_sanity_check()
{
  if [ -z "$RPC_SERVICES" ] || [ -z "$RPC_NETS" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly setup!\033[0m\n" >&2
    return 1
  fi

  if ! check_command rpcinfo; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required binary \"rpcinfo\" is not available!\n\033[0m" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start; PLUGIN_RET_VAL=$?
        ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$?
        ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status           ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *                ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/90traffic-accounting.plugin

# ------------------------------------------------------------------------------
#          -= Arno's Iptables Firewall(AIF) - Traffic Accounting plugin =-
#
PLUGIN_NAME="Traffic Accounting plugin"
PLUGIN_VERSION="1.31"
PLUGIN_CONF_FILE="traffic-accounting.conf"
#
# Last changed : May 9, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments     : This implements support for traffic accounting for
#                IPv4 & IPv6.
#                It has support for dynamic host resolving
#
# Author       : (C) Copyright 2008-2019 by Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="traffic-accounting"

# (Background) job helper script
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/traffic-accounting-helper"


traffic_accounting_init()
{
  # Flush accounting chains
  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -F ACCOUNTING_OUTPUT_CHAIN

  # (Re)insert rule in the INPUT chain
  iptables -I INPUT 1 -j ACCOUNTING_INPUT_CHAIN

  # (Re)insert rule in the OUTPUT chain
  iptables -I OUTPUT 1 -j ACCOUNTING_OUTPUT_CHAIN

  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/traffic-accounting

  # Create background job
  if ! job_add "$JOB_NAME" "${TRAFFIC_ACCOUNTING_TIME:-60}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}


# Plugin start function
plugin_start()
{
  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  sysctl net.netfilter.nf_conntrack_acct=1 2>/dev/null

  # Create new chains
  iptables -N ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -N ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  # Initialize
  if ! traffic_accounting_init; then
    return 1
  fi

  return 0
}


# Plugin restart function
plugin_restart()
{
  echo "${INDENT}Restarting..."

  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  # Initialize
  if ! traffic_accounting_init; then
    return 1
  fi

  return 0
}


# Plugin stop function
plugin_stop()
{
  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/traffic-accounting

  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  iptables -D INPUT -j ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -D OUTPUT -j ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -X ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -F ACCOUNTING_OUTPUT_CHAIN
  iptables -X ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  # Call parse script
  "$PLUGIN_BIN_PATH/traffic-accounting-show"

  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
     [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start; PLUGIN_RET_VAL=$?
        ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$?
        ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?
        ;;
        status           ) plugin_status; PLUGIN_RET_VAL=$?
        ;;
        *                ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2
        ;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/95adaptive-ban.plugin

# ------------------------------------------------------------------------------
#             -= Arno's Iptables Firewall(AIF) - Adaptive Ban plugin =-
#
PLUGIN_NAME="Adaptive Ban plugin"
PLUGIN_VERSION="1.04 BETA"
PLUGIN_CONF_FILE="adaptive-ban.conf"
#
# Last changed : February 3, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments     : Parse a log file for failed access with offending IP addresses
#                Ban the IP address after multiple failed attempts
#
# Author       : (C) Copyright 2010-2019 by Arno van Amersfoort & Lonnie Abelbeck
# Credits      : AstLinux Project
# Homepage     : https://www.astlinux-project.org/
# Credits      : Fail2ban Project
# Homepage     : https://www.fail2ban.org/
# Credits      : Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="adaptive-ban"

# (Background) job helper script
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/adaptive-ban-helper"


# Plugin start function
plugin_start()
{
  local host net IFS

  iptables -N ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_DROP_CHAIN
  iptables -A ADAPTIVE_BAN_DROP_CHAIN -m limit --limit 1/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Adaptive-Ban host: "
  if [ "$ADAPTIVE_BAN_REJECT" = "1" ]; then
    ip4tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp-host-unreachable
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp6-addr-unreachable
    fi
  else
    iptables -A ADAPTIVE_BAN_DROP_CHAIN -j DROP
  fi

  iptables -N ADAPTIVE_BAN_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_CHAIN

  if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" != "0" ]; then
    printf "${INDENT}Adaptive Ban - Whitelisting INTERNAL net(s): "
    IFS=' ,'
    for net in $INTERNAL_NET; do
      printf "$net "
      iptables -A ADAPTIVE_BAN_CHAIN -s $net -j RETURN
    done
    echo ""
  fi

  if [ -n "$ADAPTIVE_BAN_WHITELIST" ]; then
    printf "${INDENT}Adaptive Ban - Whitelisting host(s): "
    IFS=' ,'
    for host in $ADAPTIVE_BAN_WHITELIST; do
      printf "$host "
      iptables -A ADAPTIVE_BAN_CHAIN -s $host -j RETURN
    done
    echo ""
  fi

  # Insert rule in the INPUT chain
  iptables -I INPUT -j ADAPTIVE_BAN_CHAIN

  # Insert rule in the FORWARD chain
  iptables -I FORWARD -j ADAPTIVE_BAN_CHAIN

  echo "${INDENT}File=$ADAPTIVE_BAN_FILE Time=$ADAPTIVE_BAN_TIME Count=$ADAPTIVE_BAN_COUNT Types=$ADAPTIVE_BAN_TYPES"

  # Create background job
  if ! job_add "$JOB_NAME" "${ADAPTIVE_BAN_TIME:-2}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}


# Plugin stop function
plugin_stop()
{
  printf "${INDENT}Adaptive Ban - Stopping... "

  iptables -D INPUT -j ADAPTIVE_BAN_CHAIN
  iptables -D FORWARD -j ADAPTIVE_BAN_CHAIN

  iptables -F ADAPTIVE_BAN_CHAIN
  iptables -X ADAPTIVE_BAN_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_DROP_CHAIN
  iptables -X ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null

  return 0
}


# Plugin status function
plugin_status()
{
  echo " Banned Hosts:"
  echo " =============================="
  ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$4 }'
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$3 }'
  fi
  echo " ------------------------------"
  echo ""
  echo " Whitelisted Hosts:"
  echo " =============================="
  ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$4 }'
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$3 }'
  fi
  echo " ------------------------------"
  echo ""

  return 0
}


# Check sanity of eg. environment
plugin_sanity_check()
{
  if [ -z "$ADAPTIVE_BAN_FILE" -o -z "$ADAPTIVE_BAN_TIME" -o -z "$ADAPTIVE_BAN_COUNT" -o -z "$ADAPTIVE_BAN_TYPES" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
    return 1
  fi

  if [ "$PLUGIN_CMD" = "start" ] && [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist!\033[0m\n" >&2
    return 1
  fi

  if ! check_command sort; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required command sort is not available!\033[0m\n" >&2
    return 1
  fi

  if ! check_command uniq; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required command uniq is not available!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/adaptive-ban-helper

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="adaptive-ban.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

TEMPFILE="/var/tmp/aif_adaptive_ban.temp"

# Check sanity of environment
adaptive_ban_helper_sanity_check()
{
  # Check whether chains exist
  if ! check_for_chain ADAPTIVE_BAN_CHAIN; then
    echo "** ERROR: ADAPTIVE_BAN_CHAIN does not exist! **" >&2
    return 1
  fi

  if ! check_for_chain ADAPTIVE_BAN_DROP_CHAIN; then
    echo "** ERROR: ADAPTIVE_BAN_DROP_CHAIN does not exist! **" >&2
    return 1
  fi

  if [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
    echo "** ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist! **" >&2
    return 1
  fi

  return 0
}


adaptive_ban_helper_do_work()
{
  local filetime=0

  if [ "$filetime" != "$(date -r "$ADAPTIVE_BAN_FILE" "+%s")" ]; then
    filter "$ADAPTIVE_BAN_FILE" "$ADAPTIVE_BAN_COUNT" "$ADAPTIVE_BAN_TYPES"
    filetime="$(date -r "$ADAPTIVE_BAN_FILE" "+%s")"
  fi

  return 0
}


filter()
{
  local file="$1" count="$2" type types PREFIX HOST IFS

  shift 2
  types="$@"

  # regex to pull out offending IPv4/IPv6 address
  #
  HOST="([0-9a-fA-F:.]{7,})"

  unset IFS
  for type in $types; do
    # regex match the start of the syslog string
    #
    PREFIX=".*${type}\[[0-9]*]:[[:space:]]*"

    case "$type" in
      sshd) filter_sshd "$file" "$PREFIX" "$HOST" ;;
      asterisk) filter_asterisk "$file" "$PREFIX" "$HOST" ;;
      lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST" ;;
      mini_httpd) filter_mini_httpd "$file" "$PREFIX" "$HOST" ;;
      pptpd) filter_pptpd "$file" "$PREFIX" "$HOST" ;;
      *) echo "Unsupported type \"$type\"" >&2
         continue
         ;;
    esac

    if [ $? -ne 0 ]; then
      echo "Filter error for type \"$type\"" >&2
    else
      count_attempts_then_ban "$count" "$type"
    fi

    rm -f "$TEMPFILE"
  done
}


filter_sshd()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}Failed (password|publickey) for .* from ${HOST}( port [0-9]*)?( ssh[0-9]*)?$/\2/p" \
            -e "s/^${PREFIX}[iI](llegal|nvalid) user .* from ${HOST}[[:space:]]*$/\2/p" \
            "$file" >"$TEMPFILE"
}


filter_asterisk()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Wrong password$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - No matching peer found$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Username\/auth name mismatch$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Device does not match ACL$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* '${HOST}' - Dialplan Noted Suspicious IP Address$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* ${HOST} failed to authenticate as '.*'$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: No
registration for peer '.*' \(from ${HOST}\)$/\1/p" \ -e "s/^${PREFIX}NOTICE.* .*: Host ${HOST} failed MD5 authentication for '.*' \(.*\)$/\1/p" \ "$file" >"$TEMPFILE" } filter_lighttpd() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}.* password doesn't match for .* IP: ${HOST}[[:space:]]*$/\1/p" \ -e "s/^${PREFIX}.* get_password failed, IP: ${HOST}[[:space:]]*$/\1/p" \ "$file" >"$TEMPFILE" } filter_mini_httpd() { local file="$1" PREFIX="$2" HOST="$3" sed -n -r -e "s/^${PREFIX}${HOST} authentication failure - access denied$/\1/p" \ "$file" >"$TEMPFILE" } filter_pptpd() { local file="$1" PREFIX="$2" HOST="$3" PPP_PREFIX=".*pppd\[[0-9]*]:[[:space:]]*" sed -n -r -e "/^${PPP_PREFIX}.* failed CHAP authentication$/ {N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;\ s/^.*\n${PREFIX}CTRL: Client ${HOST} control connection finished\n.*$/\1/p}" \ "$file" >"$TEMPFILE" } count_attempts_then_ban() { local count="$1" type="$2" line host IFS # Remove possible IPv4 port numbers, IPv4:PORT -> IPv4 sed -i -r -e 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+$/\1/' "$TEMPFILE" IFS=$EOL for line in $(sort "$TEMPFILE" | uniq -c); do if [ "$(echo "$line" | awk '{ print $1; }')" -ge "$count" ]; then host="$(echo "$line" | awk '{ print $2; }')" ban_host "$host" "$type" fi done } ban_host() { local host="$1" type="$2" get_numeric_ip_version "$host" case $? in 4) if ! ip4tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host//./\.}[/ ]"; then ip4tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN if [ $? -eq 0 ]; then echo "Banned IPv4 host: $host Filter type: $type" >&2 fi fi ;; 6) if [ "$IPV6_SUPPORT" = "1" ]; then if ! ip6tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host}[/ ]"; then ip6tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN if [ $? -eq 0 ]; then echo "Banned IPv6 host: $host Filter type: $type" >&2 fi fi fi ;; esac } check_for_chain() { local err ip4tables -n -L "$1" >/dev/null 2>&1 err=$? 
if [ "$IPV6_SUPPORT" = "1" -a $err -eq 0 ]; then ip6tables -n -L "$1" >/dev/null 2>&1 err=$? fi return $err } ############ # Mainline # ############ # Check where to find the config file CONF_FILE="" if [ -n "$PLUGIN_CONF_PATH" ]; then CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi # Check if the config file exists if [ ! -f "$CONF_FILE" ]; then echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2 PLUGIN_RET_VAL=1 else # Source the plugin config file . "$CONF_FILE" # Only proceed if environment ok if ! adaptive_ban_helper_sanity_check; then PLUGIN_RET_VAL=1 else # Parse rules if ! adaptive_ban_helper_do_work; then PLUGIN_RET_VAL=1 fi fi fi aif-2.1.2a/share/arno-iptables-firewall/plugins/dmz-dnat.CHANGELOG000066400000000000000000000017641464417520100245050ustar00rootroot00000000000000Version 0.10 (January 5, 2019) ---------------------------- * Changed to support ipt_if() function (requires AIF 2.1.0+) Version 0.08 (July 12, 2016) ---------------------------- + Add support for NAT_IF with fallback to EXT_IF Version 0.07BETA (August 14, 2011) ----------------------------------- * Changed to support parse_rule() Version 0.06BETA (September 19, 2010) ----------------------------------- * Changed to be IPv4-only Version 0.05BETA (May 14, 2009) ----------------------------------- + Lonnie's patch to include $OPEN_TCP, $OPEN_UDP, $OPEN_IP Version 0.04BETA (May 12, 2009) ----------------------------------- + Quieted some harmless error messages. Version 0.03BETA (May 10, 2009) ----------------------------------- + Updated to avoid NATting HOST_OPEN_TCP and HOST_OPEN_UDP. Version 0.02BETA (May 9, 2009) ----------------------------------- + Updated to use new POST_NAT_PREROUTING chain. Version 0.01BETA (May 7, 2009) ----------------------------------- + First initial version. 
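The following is an added example, not code from the arno-iptables-firewall sources: it runs the adaptive-ban helper's sshd filter patterns and its count_attempts_then_ban threshold step offline, over a constructed sshd log excerpt, so an operator can see which addresses the helper would hand to ban_host before enabling the plugin on a real log. The helper functions make_sample_log, extract_sshd_failures and adaptive_ban_candidates are names chosen for this example; it assumes GNU sed (-E), sort, uniq and awk, and the log lines and addresses (documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example (not project code): offline walk-through of the adaptive-ban
# sshd filter and the per-host threshold, with no iptables calls.

# Write a constructed sshd log excerpt to the file named in $1 (sample data,
# not from a real host).
make_sample_log() {
  cat >"$1" <<'EOF'
Jan  1 10:00:01 gw sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan  1 10:00:02 gw sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Jan  1 10:00:03 gw sshd[1236]: Invalid user admin from 192.0.2.10
Jan  1 10:00:04 gw sshd[1237]: Failed publickey for alice from 2001:db8::5 port 40000 ssh2
Jan  1 10:00:05 gw sshd[1238]: Accepted password for bob from 198.51.100.7 port 1234 ssh2
Jan  1 10:00:06 gw cron[42]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# The same two patterns the helper's filter_sshd() uses: print the source
# address of every failed login or invalid-user line in the file named in $1.
# HOST captures IPv4 and IPv6 addresses (7+ hex/dot/colon characters).
extract_sshd_failures() {
  HOST='([0-9a-fA-F:.]{7,})'
  PREFIX='.*sshd\[[0-9]*]:[[:space:]]*'
  sed -n -E \
    -e "s/^${PREFIX}Failed (password|publickey) for .* from ${HOST}( port [0-9]*)?( ssh[0-9]*)?$/\2/p" \
    -e "s/^${PREFIX}[iI](llegal|nvalid) user .* from ${HOST}[[:space:]]*$/\2/p" \
    "$1"
}

# Mirror of count_attempts_then_ban(): strip an IPv4:PORT suffix (a no-op for
# sshd output, it matters for filters that emit "addr:port"), count attempts
# per address, and print every address with at least $2 attempts. The real
# helper calls ban_host for each printed address.
adaptive_ban_candidates() {
  extract_sshd_failures "$1" \
    | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+$/\1/' \
    | sort | uniq -c \
    | awk -v min="$2" '$1 >= min { print $2 }'
}

# Stand-alone run: with ADAPTIVE_BAN_COUNT=2 only 192.0.2.10 (3 attempts) is
# printed; 2001:db8::5 has a single failure and stays below the threshold.
SAMPLE="$(mktemp)"
make_sample_log "$SAMPLE"
adaptive_ban_candidates "$SAMPLE" 2
rm -f "$SAMPLE"
```

Two properties of the helper are visible here and worth knowing before deployment: the count is the total number of matches in the whole log file, not a rate over a time window (the helper re-reads the complete file on every job run, and the grep in ban_host is what keeps a host from being appended twice), so the ban threshold effectively accumulates until the log rotates; and whitelisting is not applied at this stage at all, it is enforced by the RETURN rules the plugin inserts ahead of the drop target in ADAPTIVE_BAN_CHAIN.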
aif-2.1.2a/share/arno-iptables-firewall/plugins/dsl-ppp-modem.CHANGELOG

Version 1.0g (October 20, 2011)
-------------------------------
! Iptables negation changed in newer versions from intraposition to extraposition
! Indent missing (cosmetic)

Version 1.0e (June 18, 2009)
----------------------------
! Fixed stop section didn't remove the INPUT-hook properly causing the main script to report an error on restart

Version 1.0c (March 17, 2009)
-----------------------------
* Cleanup
+ Allow DHCP packets by default

Version 1.0 (August 11, 2008)
-----------------------------
* Simple move of the code out of the main script

aif-2.1.2a/share/arno-iptables-firewall/plugins/dyndns-host-open-helper

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="dyndns-host-open.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

# Check sanity of environment
dyndns_host_open_helper_sanity_check()
{
  if [ -z "$DYNDNS_HOST_OPEN_TCP" -a -z "$DYNDNS_HOST_OPEN_UDP" -a \
       -z "$DYNDNS_HOST_OPEN_IP" -a -z "$DYNDNS_HOST_OPEN_ICMP" ]; then
    echo "** ERROR: The plugin config file is not (properly) setup!" >&2
    return 1
  fi

  # Check whether chain exists
  if ! ip4tables -nL DYNDNS_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: DYNDNS_CHAIN does not exist! **" >&2
    return 1
  fi

  # Check if chain is inserted in the main chains
#  if ! ip4tables -nL EXT_INPUT_CHAIN |grep -q '^DYNDNS_CHAIN '; then
#    echo "** ERROR: DYNDNS_CHAIN is not inserted in the EXT_INPUT_CHAIN chain! **" >&2
#    return 1
#  fi

  return 0
}


dyndns_host_open_helper_do_work()
{
  local RETVAL=0

  # Flush the DYNDNS_CHAIN
  iptables -F DYNDNS_CHAIN

  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_TCP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"

      IFS=' ,'
      for host in $hosts; do
        # get_dynamic_host_cached returns hostname in $host_ip
        if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping TCP rule(s) for \"$host\"! **" >&2
          RETVAL=1
          continue
        fi

        for interface in $interfaces; do
          for host_ip2 in $host_ip; do
            for destip in $destips; do
              for port in $ports; do
                iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p tcp --dport $port -j ACCEPT
              done
            done
          done
        done
      done
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_UDP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"

      IFS=' ,'
      for host in $hosts; do
        # get_dynamic_host_cached returns hostname in $host_ip
        if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping UDP rule(s) for \"$host\"! **" >&2
          RETVAL=1
          continue
        fi

        for interface in $interfaces; do
          for host_ip2 in $host_ip; do
            for destip in $destips; do
              for port in $ports; do
                iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p udp --dport $port -j ACCEPT
              done
            done
          done
        done
      done
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_IP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"

      IFS=' ,'
      for host in $hosts; do
        # get_dynamic_host_cached returns hostname in $host_ip
        if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping IP rule(s) for \"$host\"! **" >&2
          RETVAL=1
          continue
        fi

        for interface in $interfaces; do
          for host_ip2 in $host_ip; do
            for destip in $destips; do
              for proto in $protos; do
                iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p $proto -j ACCEPT
              done
            done
          done
        done
      done
    fi
  done

  # Add ICMP to allow for certain hosts
  #####################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_ICMP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_ICMP "interfaces-destips-hosts"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"

      IFS=' ,'
      for host in $hosts; do
        # get_dynamic_host_cached returns hostname in $host_ip
        if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping ICMP rule(s) for \"$host\"! **" >&2
          RETVAL=1
          continue
        fi

        for interface in $interfaces; do
          for host_ip2 in $host_ip; do
            for destip in $destips; do
              iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p icmp --icmp-type echo-request -j ACCEPT
            done
          done
        done
      done
    fi
  done

  return $RETVAL
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Only proceed if environment ok
  if ! dyndns_host_open_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  else
    # Parse rules
    if ! dyndns_host_open_helper_do_work; then
      PLUGIN_RET_VAL=1
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/dyndns-host-open.CHANGELOG

Version 1.42 (May 9, 2019)
--------------------------
! Fixed (dynamic) host multi IP handling

Version 1.41 (January 5, 2019)
------------------------------
* Changed to support ipt_if() function (requires AIF 2.1.0+)

Version 1.40 (June 11, 2018)
----------------------------
* Added new dynamic host support (requires AIF 2.1.0+)
* Updated helper for new aif job system (requires AIF 2.1.0+)

Version 1.34a (July 10, 2017)
-----------------------------
* Improve locking (handle stale lock files etc.)

Version 1.34 (May 8, 2017)
--------------------------
* Remove BETA suffix from version

Version 1.33-BETA2 (June 22, 2015)
----------------------------------
* Implement log rate limiting
! Misc.
tweaks & fixes

Version 1.33-BETA1 (September 18, 2014)
---------------------------------------
* Implement new cache fallback threshold setting/logic

Version 1.32 (January 25, 2013)
-------------------------------
* Show a warning in case host resolving fails instead of having iptables fail
* Only try to resolve a host once per session to speed things up in case network/dns fails

Version 1.31-BETA (November 5, 2012)
------------------------------------
- Remove DYNDNS_SESSION_FAILED_DNS_SKIP option since it never worked the way it was supposed to anyway

Version 1.30-BETA (October 23, 2012)
------------------------------------
* Refactor/cleanup helper script. No need to preinit cache anymore since we can fallback on our "old"-cache anyway
* Use the host-cache file provided by the main script (environment). This makes it easier for plugins to use and allows the main script to clean up
! Host resolving was broken (regression)
* Improve performance by reorganising the loops
* Always execute iptables command even with an empty host_ip to make clear to the user it failed
! Sanity check didn't check for DYNDNS_HOST_MISC
! Fixed typos

Version 1.24 (August 14, 2011)
------------------------------
* Changed to support parse_rule() in dyndns-host-open-helper

Version 1.23 (July 14, 2011)
----------------------------
* Add proper locking for our helper script (like we already did for the traffic accounting plugin)

Version 1.22 (July 14, 2011)
----------------------------
! We should call the helper script on a restart(), if required

Version 1.21 (May 13, 2011)
---------------------------
* Change default DYNDNS_HOST_CACHE filename to be more consistent

Version 1.2BETA (October 19, 2010)
----------------------------------
* Added plugin_restart() function support for AIF 2.0.0

Version 1.1BETA (January 21, 2010)
----------------------------------
+ Adding proper caches
+ additional (tweak) settings for the config file
+ Improved sanity check
* Pre-resolve all hostnames first before updating the rules in our helper script
* Numerous tweaks + fixes

Version 1.0 (March 7, 2009)
---------------------------
* Tell gethostbyname() which nameserver to use (ns.dyndns.org)
+ Use OUR gethostbyname() to resolve the hostnames for iptables

Version 0.25BETA (January 7, 2009)
----------------------------------
! Fixes in the helper script

Version 0.24BETA (November 24, 2008)
------------------------------------
! Fixed missing IFS for ICMP rules

Version 0.24BETA (November 17, 2008)
------------------------------------
* Minor tweaks

Version 0.23BETA (October 10, 2008)
-----------------------------------
* Cron update interval set to 15min. + made it user configurable
* Misc. changes
* Renamed helper script

Version 0.22BETA (September 16, 2008)
-------------------------------------
! Small cosmetic fix

Version 0.21BETA (September 8, 2008)
------------------------------------
* Small tweaks

Version 0.20BETA (September 5, 2008)
------------------------------------
* It now automatically creates & removes the cron job
* Minor cosmetic changes in the cron helper shell script

aif-2.1.2a/share/arno-iptables-firewall/plugins/ids-protection.CHANGELOG

Version 1.1 (September 21, 2010)
--------------------------------
* Updated for mixed IPv4/IPv6

Version 1.02 (July 27, 2009)
----------------------------
+ Implemented TCP & UDP port excludes
* Always ignore ICMP packets for IDS checking

Version 1.01 (May 9, 2009)
--------------------------
+ Version bump + minor tweaks
* Option to set the interfaces to protect

Version 0.21BETA (August 11, 2008)
----------------------------------
* First initial working version

aif-2.1.2a/share/arno-iptables-firewall/plugins/ipsec-vpn.CHANGELOG

Version 0.85 (July 12, 2016)
----------------------------
+ Add support for NAT_IF with fallback to EXT_IF

Version 0.84BETA (July 31, 2015)
--------------------------------
* Use modprobe_multi for newer kernels

Version 0.83BETA (March 9, 2011)
--------------------------------
! Removed Bash-ism

Version 0.82BETA (November 2, 2010)
-----------------------------------
+ Added IPv6 support for matching AH headers
* removed unnecessary EXT_INPUT_CHAIN rule

Version 0.81BETA (September 19, 2010)
-------------------------------------
* Changed '-t nat' calls via ip4tables

Version 0.80BETA (August 23, 2009)
----------------------------------
+ Use 'modprobe' wrapper instead of module_probe.

Version 0.71BETA (June 30, 2009)
--------------------------------
* Fixed IFS regression introduced in 0.70BETA.

Version 0.70BETA (June 23, 2009)
--------------------------------
* Added policy support to SPOOF_CHK rule to allow spoofing of local addresses on VPN connections (since IPsec address pool might come out of local subnet).

Version 0.61BETA (May 1, 2009)
------------------------------
* Corrected some comments

Version 0.60BETA (March 18, 2009)
---------------------------------
+ Support 1.9.0c stop
+ Added back support for IPSEC_VPN_NETS.

Version 0.50BETA (February 26, 2009)
------------------------------------
* Transitioned to use the "policy" module to detect policy being applied to IPSec traffic, as well as to detect its state at the various stages (pre- and post-encapsulation/decapsulation).
+ Deprecated the IPSEC_VPN_NETS variable for now, though it might come in handy in the future for detecting routing problems and policy mismatches.

Version 0.41BETA (February 14, 2009)
------------------------------------
+ Reintroduced NATting regression with 0.40BETA... sigh.

Version 0.40BETA (February 9, 2009)
-----------------------------------
+ Added ipt_policy module
+ Use -m policy to see if packet is the result of decapsulating an AH or ESP packet; if so, don't process it in the EXT_INPUT_CHAIN
+ Fixed NAT issue where packets that were about to be encapsulated got NATted

Version 0.31BETA (August 11, 2008)
----------------------------------
+ Unknown

Version 0.30BETA (July 20, 2008)
--------------------------------
* Renamed plugin to "ipsec-vpn"
+ Added NAT traversal
+ Added OPEN AH UDP port (just in case)

Version 0.25BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.24BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.23BETA (January 30, 2008)
-----------------------------------
+ Updated for new config file location / detection

Version 0.22BETA (May 25, 2007)
-------------------------------
+ Added variable sanity check
* Changed some variable names

Version 0.21BETA (January 9, 2006)
----------------------------------
+ Updated for new plugin system (separate conf etc.)

aif-2.1.2a/share/arno-iptables-firewall/plugins/ipv6-over-ipv4.CHANGELOG

Version 0.2BETA (October 8, 2010)
---------------------------------
+ Added IPV6_OVER_IPV4_SERVER variable to restrict source packets
! Removed IPv4 rule allowing proto 58, which is icmpv6
  IPv6 icmpv6 packets are handled by the main script

Version 0.12BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.11BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.1BETA (December 18, 2007)
-----------------------------------
+ First initial version.

aif-2.1.2a/share/arno-iptables-firewall/plugins/linux-upnp-igd.CHANGELOG

Version 1.0a (October 10, 2011)
-------------------------------
! Iptables negation changed in newer versions from intraposition to extraposition

Version 0.14BETA (August 4, 2008)
---------------------------------
* Plugin should be disabled by default (ENABLED=0)
* Rename to "linux-upnp-igd"

Version 0.13BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.12BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.11 (January 30, 2008)
-------------------------------
+ Updated for new config file location / detection

Version 0.1 (September 5, 2007)
-------------------------------
+ Creation of the first version

aif-2.1.2a/share/arno-iptables-firewall/plugins/mac-address-filter.CHANGELOG

Version 1.1a (July 21, 2015)
----------------------------
! Mac module loading on newer systems

Version 1.1 (September 19, 2010)
--------------------------------
+ Updated to support mixed IPv4/IPv6

Version 1.0a (March 10, 2009)
-----------------------------
! Fixed incorrect IFS

Version 1.0 (February 26, 2009)
-------------------------------
! Fixed typo in the sed syntax

Version 0.1BETA (February 26, 2009)
-----------------------------------
* First initial version (moved from the main script)

aif-2.1.2a/share/arno-iptables-firewall/plugins/multiroute.CHANGELOG

Version 1.00 (February 6, 2020)
-------------------------------
! Replace ip route "equalize" with "scope global" since equalize is no longer supported (by default) in newer distributions

Version 0.29BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.28BETA (February 18, 2008)
------------------------------------
* Added some extra del rules to purge the rule & route tables on start/stop

Version 0.27BETA (February 18, 2008)
------------------------------------
! Fixed several typos/bugs

Version 0.26BETA (February 17, 2008)
------------------------------------
!
Fixed double || syntax error in sanity_check()

Version 0.25BETA (February 16, 2008)
------------------------------------
+ Implemented stop() section which will disable multirouting on stop

Version 0.24BETA (February 14, 2008)
------------------------------------
+ Added weight options for the external interfaces

Version 0.23BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.22BETA (January 30, 2008)
-----------------------------------
+ Updated for new config file location / detection

Version 0.21BETA (May 25, 2007)
-------------------------------
+ Added variable sanity check
* Changed some variable names
* Cosmetic improvements

Version 0.20BETA (January 22, 2007)
-----------------------------------
* Minor tweaks/changes

aif-2.1.2a/share/arno-iptables-firewall/plugins/nat-loopback.CHANGELOG

Version 1.02 (February 2, 2019)
-------------------------------
* Remove unused for-loops

Version 1.01 (July 12, 2016)
----------------------------
+ Add support for NAT_IF requiring AIF 2.0.1g or later

Version 1.00 BETA (October 15, 2012)
------------------------------------
+ Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/outbound-snat.CHANGELOG

Version 1.01 (July 12, 2016)
----------------------------
+ Add support for NAT_IF with fallback to EXT_IF

Version 1.00 BETA (September 22, 2012)
--------------------------------------
+ Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/parasitic-net-helper

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="parasitic-net.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

# Check sanity of environment
parasitic_net_helper_sanity_check()
{
  # Check whether chain exists
  if ! ip4tables -nL PARASITIC_NET_ACL >/dev/null 2>&1; then
    echo "** ERROR: PARASITIC_NET_ACL does not exist! **" >&2
    return 1
  fi

  return 0
}


parasitic_net_helper_do_work()
{
  local RETVAL=0

  # Flush the PARASITIC_NET_ACL
  iptables -F PARASITIC_NET_ACL

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_TCP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for TCP port(s): $ports"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping TCP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            for port in $ports; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_UDP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for UDP port(s): $ports"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping UDP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            for port in $ports; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_ICMP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_ICMP "shosts:ANYHOST-dhosts"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for ICMP requests"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping ICMP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -m limit --limit 1/m -j LOG \
                --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
            fi
            ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -j $PARASITIC_NET_DENY_POLICY
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_IP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_IP "shosts:ANYHOST-dhosts-protos"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for IP protocol(s): $protos"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping IP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            for proto in $protos; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_TCP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for TCP port(s): $ports"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping TCP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            for port in $ports; do
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_UDP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for UDP port(s): $ports"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping UDP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in `ip_range "$shosts"`; do
            for port in $ports; do
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_ICMP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_ICMP "shosts:ANYHOST-dhosts"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for ICMP requests"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping ICMP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $shosts; do
            ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -j ACCEPT
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_IP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for IP protocol(s): $protos"

      IFS=' ,'
      for dhost in `ip_range "$dhosts"`; do
        if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping IP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $shosts; do
            for proto in $protos; do
              # Match the configured source host as the other allow loops do;
              # without -s the rule would accept the protocol from any source
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # Set default policy
  if [ -z "$PARASITIC_NET_HOST_OPEN_TCP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p tcp -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p tcp -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi
    ip4tables -A PARASITIC_NET_ACL -p tcp -j $PARASITIC_NET_DENY_POLICY
  fi

  if [ -z "$PARASITIC_NET_HOST_OPEN_UDP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p udp -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p udp -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi
    ip4tables -A PARASITIC_NET_ACL -p udp -j $PARASITIC_NET_DENY_POLICY
  fi

  if [ -z "$PARASITIC_NET_HOST_OPEN_ICMP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi
    ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j $PARASITIC_NET_DENY_POLICY
  fi

  # Drop the rest ("Other" IP protocols always need to be specified explicitly)
  if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
    ip4tables -A PARASITIC_NET_ACL -m limit --limit 12/m -j LOG \
      --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
  fi
  ip4tables -A PARASITIC_NET_ACL -j $PARASITIC_NET_DENY_POLICY

  return $RETVAL
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Only proceed if environment ok
  if ! parasitic_net_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  else
    if ! parasitic_net_helper_do_work; then
      PLUGIN_RET_VAL=1
    fi
  fi
fi

aif-2.1.2a/share/arno-iptables-firewall/plugins/parasitic-net.CHANGELOG

Version 1.01 (January 14, 2019)
-------------------------------
+ Support for specifying source hosts in PARASITIC_NET_HOST_xxxxxxxxxxxxx variables

Version 1.00 (May 9, 2019)
--------------------------
! Fixed (dynamic) host multi IP handling
! Fixed misplaced RETVAL=1 statement

Version 1.00-RC1 (February 12, 2019)
------------------------------------
* Sync code with dyndns-host-open & traffic-accounting plugins

Version 1.00-BETA3 (June 11, 2018)
----------------------------------
* Added new dynamic host support (requires AIF 2.1.0+)

Version 1.00-BETA2 (April 5, 2018)
----------------------------------
+ Allow specifying multiple interfaces
+ Allow specifying IP for interfaces to use (aliased) interfaces with multiple IPs
+ Allow specifying subnet for PARASITIC_NET_CLIENTS_HOSTS or leaving it empty
+ Instead of only allowing certain hosts, also allow specifying which TCP/UDP/ICMP/IP protos to allow/deny
+ Add setting to select deny-policy (DROP or REJECT)
* Misc. tweaks/refactor

Version 1.00-BETA1 (July 25, 2017)
----------------------------------
+ Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG

Version 1.01 (June 15, 2017)
----------------------------
+ Add support for v2.0.2 using the CONNTRACK_HELPER chain

Version 1.00 (January 9, 2016)
------------------------------
+ Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/pptp-vpn.CHANGELOG

Version 1.00 BETA (February 21, 2011)
-------------------------------------
+ Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/rpc.CHANGELOG

Version 0.22-BETA (April 13, 2020)
----------------------------------
! Parsing of rpcinfo failed due to missing EOL-space conversion

Version 0.2-BETA (January 16, 2012)
-----------------------------------
+ Added RPC_NETS variable to restrict access
* Few tweaks, fixes & cleanups

Version 0.1-BETA (January 16, 2012)
-----------------------------------
- Initial version

aif-2.1.2a/share/arno-iptables-firewall/plugins/sip-voip.CHANGELOG

Version 0.32BETA (June 13, 2017)
--------------------------------
* Add support for v2.0.2 using the CONNTRACK_HELPER chain

Version 0.31BETA (July 31, 2015)
--------------------------------
* Use modprobe_multi for newer kernels

Version 0.3BETA (October 13, 2010)
----------------------------------
+ Added SIP_VOIP_REMOTE_HOSTS variable to limit access by source address.

Version 0.22BETA (August 23, 2009)
----------------------------------
! No, that wasn't a regression, it's supposed to be called 'modprobe'.

Version 0.21BETA (August 22, 2009)
----------------------------------
!
Hopefully I'll stop introducing regressions one of these days. Version 0.20BETA (August 13, 2009) ----------------------------------- ! Fixed port / kernel check -- again. + Fixed IFS value so that $ports doesn't get split up if it contains commas. Version 0.15BETA (December 3, 2008) ----------------------------------- ! Fixed port / kernel check + Added proper stop() section Version 0.14BETA (November 30, 2008) ------------------------------------ ! Fixed plugin for kernels 2.6.25 and newer * Misc. tweaks Version 0.12BETA (February 19, 2008) ------------------------------------ * Minor tweak for PLUGIN_RET_VAL Version 0.11BETA (February 13, 2008) ------------------------------------ + Updated according to the new plugin template ! Config variable name mismatch (SIP_VOIP_PORTS vs. VOIP_SIP_PORTS. Changed it to SIP_VOIP_PORTS. Version 0.1BETA (January 30, 2008) ----------------------------------- + Initial version aif-2.1.2a/share/arno-iptables-firewall/plugins/ssh-brute-force-protection.CHANGELOG000066400000000000000000000025331464417520100301560ustar00rootroot00000000000000Version 1.1 (September 21, 2010) ------------------------------------ * Updated for mixed IPv4/IPv6 Version 0.34BETA (February 19, 2008) ------------------------------------ * Minor tweak for PLUGIN_RET_VAL Version 0.33BETA (February 13, 2008) ------------------------------------ + Updated according to the new plugin template Version 0.32BETA (January 30, 2008) ------------------------------------ + Updated for new config file location / detection Version 0.31BETA (December 18, 2007) ------------------------------------ * Layout changes ! Fixed bug in port routine, rendering the plugin useless ! 
No port configured will now fallback to port 22

Version 0.30BETA (November 21, 2007)
------------------------------------
* Updated for new plugin model (with PLUGIN_CMD) + better layout
+ Added SSH_BFP_PORTS to allow the user to modify the SSH port used

Version 0.24BETA (May 25, 2007)
-------------------------------
+ Added variable sanity check
* Changed some variable names

Version 0.23BETA (December 28, 2006)
------------------------------------
+ Added dual rate checkers. You can now use one for a short interval and one for a long interval
+ Separate config file (new plugin standard)
+ Misc. cosmetic changes

Version 0.2BETA (October 20, 2006)
----------------------------------
+ Added SSH trusted hosts variable for whitelisting of certain hosts

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/traffic-accounting-helper <==
# The plugin configuration file
###############################
PLUGIN_CONF_FILE="traffic-accounting.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

# Define some global variables
VERBOSE=0


# Check sanity of eg. environment
traffic_accounting_helper_sanity_check()
{
  # Check whether chains exist
  if ! ip4tables -nL ACCOUNTING_INPUT_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: ACCOUNTING_INPUT_CHAIN does not exist! **" >&2
    return 1
  fi

  if ! ip4tables -nL ACCOUNTING_OUTPUT_CHAIN >/dev/null 2>&1; then
    echo "** ERROR: ACCOUNTING_OUTPUT_CHAIN does not exist! **" >&2
    return 1
  fi

  # Check if chains inserted in the main chains
#  if ! ip4tables -nL INPUT |grep -q '^ACCOUNTING_INPUT_CHAIN '; then
#    echo "** ERROR: ACCOUNTING_INPUT_CHAIN is not inserted in the INPUT chain! **" >&2
#    return 1
#  fi

#  if ! ip4tables -nL OUTPUT |grep -q '^ACCOUNTING_OUTPUT_CHAIN '; then
#    echo "** ERROR: ACCOUNTING_OUTPUT_CHAIN is not inserted in the OUTPUT chain! **" >&2
#    return 1
#  fi

  return 0
}


traffic_accounting_helper_do_work()
{
  local RETVAL=0

  # Touch the log file (just in case it doesn't exist yet):
  touch /var/log/traffic-accounting.log

  # Truncate file
  # NOTE: this is a fixed, predictable name in world-writable /tmp, written as
  # root; a mktemp file in a root-owned directory is the safer choice
  printf "" >/tmp/traffic-accounting.new

  # Process the input chain
  if [ "$VERBOSE" = "1" ]; then
    echo "${INDENT}Traffic Accounting Hosts:"
    echo "${INDENT}-------------------------"
  fi

  # Also include default unicast route addresses, (0.0.0.0/0 and ::/0)
  DEFAULT_ADDR="0.0.0.0/0"
  if [ "$IPV6_SUPPORT" = "1" ]; then
    DEFAULT_ADDR="$DEFAULT_ADDR ::/0"
  fi

  IFS=' ,'
  for host in $TRAFFIC_ACCOUNTING_HOSTS $DEFAULT_ADDR; do
    old_entry="$(grep "^$host " /var/log/traffic-accounting.log)"
    old_ip="$(echo "$old_entry" |cut -s -d' ' -f2)"
    old_in_value="$(echo "$old_entry" |cut -s -d' ' -f3)"
    old_out_value="$(echo "$old_entry" |cut -s -d' ' -f4)"

    # If value is non-existent make it zero
    if [ -z "$old_in_value" ]; then
      old_in_value=0
    fi

    # If value is non-existent make it zero
    if [ -z "$old_out_value" ]; then
      old_out_value=0
    fi

    # Get host_ip, if it fails, skip rule
    # Parse/get hostname. Try to use host cache if applicable
    # NOTE: get_dynamic_host_cached returns hostname in $host_ip
    if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
      echo "** WARNING: Skipping rule for \"$host\"! **" >&2
      RETVAL=1
      continue
    fi

    IFS=' ,'
    for mon_host_ip in $host_ip; do
      echo "${INDENT}Monitoring host \"$host\" with IP: $mon_host_ip"

      if [ "$VERBOSE" = "1" ]; then
        printf "${INDENT}old_ip=$old_ip host_ip=$mon_host_ip "
      fi

      # Process input chain
      # NOTE: the source column is $8 in ip4tables -xnvL output but $7 in
      # ip6tables output (ip6tables leaves the "opt" field blank); the rule
      # number passed to -R is the row position below the two header lines
      OLDFOUND=0
      if [ -n "$old_ip" ]; then
        get_numeric_ip_version "$mon_host_ip"
        case $? in
          4)
            LCOUNT=0
            IFS=$EOL
            for LINE in `ip4tables -xnvL ACCOUNTING_INPUT_CHAIN |sed -e "1,2d"`; do
              ipt_ip="$(echo "$LINE" |awk '{ print $8 }')"
              LCOUNT=$((LCOUNT + 1))
              if [ "$ipt_ip" = "$old_ip" ]; then
                ip4tables -R ACCOUNTING_INPUT_CHAIN $LCOUNT -s $mon_host_ip -j RETURN
                if [ "$VERBOSE" = "1" ]; then
                  printf "in_action=update "
                fi
                OLDFOUND=1
                ipt_in_value="$(echo "$LINE" |awk '{ print $2 }')"
                break
              fi
            done
            ;;
          6)
            if [ "$IPV6_SUPPORT" = "1" ]; then
              LCOUNT=0
              IFS=$EOL
              for LINE in `ip6tables -xnvL ACCOUNTING_INPUT_CHAIN |sed -e "1,2d"`; do
                ipt_ip="$(echo "$LINE" |awk '{ print $7 }')"
                LCOUNT=$((LCOUNT + 1))
                if [ "$ipt_ip" = "$old_ip" ]; then
                  ip6tables -R ACCOUNTING_INPUT_CHAIN $LCOUNT -s $mon_host_ip -j RETURN
                  if [ "$VERBOSE" = "1" ]; then
                    printf "in_action=update "
                  fi
                  OLDFOUND=1
                  ipt_in_value="$(echo "$LINE" |awk '{ print $2 }')"
                  break
                fi
              done
            fi
            ;;
        esac
      fi

      if [ $OLDFOUND -eq 0 ]; then
        if [ "$VERBOSE" = "1" ]; then
          printf "in_action=add "
        fi
        # The catch-all rule must stay last; host rules are inserted before it
        if [ "$mon_host_ip" = "0.0.0.0/0" -o "$mon_host_ip" = "::/0" ]; then
          iptables -A ACCOUNTING_INPUT_CHAIN -s $mon_host_ip -j RETURN
        else
          iptables -I ACCOUNTING_INPUT_CHAIN 1 -s $mon_host_ip -j RETURN
        fi
        # Preset values to zero as none exist yet
        ipt_in_value=0
      fi

      # Process output chain
      OLDFOUND=0
      if [ -n "$old_ip" ]; then
        get_numeric_ip_version "$mon_host_ip"
        case $? in
          4)
            LCOUNT=0
            IFS=$EOL
            for LINE in `ip4tables -xnvL ACCOUNTING_OUTPUT_CHAIN |sed -e "1,2d"`; do
              ipt_ip="$(echo "$LINE" |awk '{ print $9 }')"
              LCOUNT=$((LCOUNT + 1))
              if [ "$ipt_ip" = "$old_ip" ]; then
                ip4tables -R ACCOUNTING_OUTPUT_CHAIN $LCOUNT -d $mon_host_ip -j RETURN
                if [ "$VERBOSE" = "1" ]; then
                  printf "out_action=update "
                fi
                OLDFOUND=1
                ipt_out_value="$(echo "$LINE" |awk '{ print $2 }')"
                break
              fi
            done
            ;;
          6)
            if [ "$IPV6_SUPPORT" = "1" ]; then
              LCOUNT=0
              IFS=$EOL
              for LINE in `ip6tables -xnvL ACCOUNTING_OUTPUT_CHAIN |sed -e "1,2d"`; do
                ipt_ip="$(echo "$LINE" |awk '{ print $8 }')"
                LCOUNT=$((LCOUNT + 1))
                if [ "$ipt_ip" = "$old_ip" ]; then
                  ip6tables -R ACCOUNTING_OUTPUT_CHAIN $LCOUNT -d $mon_host_ip -j RETURN
                  if [ "$VERBOSE" = "1" ]; then
                    printf "out_action=update "
                  fi
                  OLDFOUND=1
                  ipt_out_value="$(echo "$LINE" |awk '{ print $2 }')"
                  break
                fi
              done
            fi
            ;;
        esac
      fi

      if [ $OLDFOUND -eq 0 ]; then
        if [ "$VERBOSE" = "1" ]; then
          printf "out_action=add "
        fi
        if [ "$mon_host_ip" = "0.0.0.0/0" -o "$mon_host_ip" = "::/0" ]; then
          iptables -A ACCOUNTING_OUTPUT_CHAIN -d $mon_host_ip -j RETURN
        else
          iptables -I ACCOUNTING_OUTPUT_CHAIN 1 -d $mon_host_ip -j RETURN
        fi
        # Preset values to zero as none exist yet
        ipt_out_value=0
      fi

      # Calculate new in value
      new_in_value=$((old_in_value + ipt_in_value))

      # Calculate new out value
      new_out_value=$((old_out_value + ipt_out_value))

      if [ "$VERBOSE" = "1" ]; then
        printf "old_in_val=$old_in_value ipt_in_val=$ipt_in_value new_in_val=$new_in_value old_out_val=$old_out_value ipt_out_val=$ipt_out_value new_out_val=$new_out_value"
      fi

      # Create entry in accounting file
      echo "$host $mon_host_ip $new_in_value $new_out_value" >>/tmp/traffic-accounting.new

      if [ "$VERBOSE" = "1" ]; then
        printf "\n\n"
      fi
    done
  done

  # FIXME: Don't use old-file
  if [ -f /var/log/traffic-accounting.log ]; then
    if [ -f /var/log/traffic-accounting.log.old ]; then
      rm -f /var/log/traffic-accounting.log.old
    fi
    mv /var/log/traffic-accounting.log /var/log/traffic-accounting.log.old
  fi

  mv /tmp/traffic-accounting.new /var/log/traffic-accounting.log

  return $RETVAL
}


############
# Mainline #
############

if [ "$1" = "-v" -o "$1" = "--verbose" ]; then
  VERBOSE=1
fi

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Only proceed if environment ok
  if ! traffic_accounting_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  else
    # Create actual rules
    if ! traffic_accounting_helper_do_work; then
      PLUGIN_RET_VAL=1
    fi
  fi
fi

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/traffic-accounting-log-rotate <==
#!/bin/sh

log_file="/var/log/traffic-accounting.log"
keeps=13

log_rotate()
{
  # $1 = filename
  # $2 = keep count
  filename="$1"

  if [ -f "$filename.$2" ]; then
    rm -f "$filename.$2"
  fi

  for x in `seq $(($2 + 1)) -1 1`; do
    if [ -f "$filename.$x" ]; then
      mv "$filename.$x" "$filename.$(($x + 1))"
    fi
  done

  if [ -f "$filename" ]; then
    mv "$filename" "$filename.1"

    # Reset counters (keep host and IP, start the new period at zero)
    cat "$filename.1" |awk '{ print $1" "$2" 0 0" }' > "$filename"
  fi
}

# main
log_rotate "$log_file" $keeps

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/traffic-accounting-show <==
#!/bin/sh

TOTAL_IN=0
TOTAL_OUT=0
EOL='
'

show_human_size()
{
  if [ $1 -lt 10000 ]; then
    echo "$1 Bytes"
    return 0
  fi

  if [ $1 -lt 10000000 ]; then
    echo "$(($1 / 1024)) KiB"
    return 0
  fi

  if [ $1 -lt 10000000000 ]; then
    echo "$(($1 / (1024*1024))) MiB"
    return 0
  fi

  echo "$(($1 / (1024*1024*1024))) GiB"
  return 0
}

# Program entry point
if [ -n "$1" ]; then
  LOG_FILE="$1"
else
  LOG_FILE="/var/log/traffic-accounting.log"
fi

echo "Bytes input:"
echo "-------------"
IFS=$EOL
for LINE in `cat "$LOG_FILE" |sort -n
--key=3 --reverse`; do
  hostname="$(echo "$LINE" |cut -s -d' ' -f1)"
  ip="$(echo "$LINE" |cut -s -d' ' -f2)"
  size="$(echo "$LINE" |cut -s -d' ' -f3)"

  if [ "$hostname" = "0/0" ]; then
    hostname="Other traffic"
  elif [ "$hostname" = "0.0.0.0/0" ]; then
    hostname="Other IPv4 traffic"
  elif [ "$hostname" = "::/0" ]; then
    hostname="Other IPv6 traffic"
  fi

  echo "$hostname ($ip): $(show_human_size $size)"
  TOTAL_IN=$(($TOTAL_IN + $size))
done

echo ""
echo "Total input traffic: $(show_human_size $TOTAL_IN)"
echo ""

echo "Bytes output:"
echo "-------------"
IFS=$EOL
for LINE in `cat "$LOG_FILE" |sort -n --key=4 --reverse`; do
  hostname="$(echo "$LINE" |cut -s -d' ' -f1)"
  ip="$(echo "$LINE" |cut -s -d' ' -f2)"
  size="$(echo "$LINE" |cut -s -d' ' -f4)"

  if [ "$hostname" = "0/0" ]; then
    hostname="Other traffic"
  elif [ "$hostname" = "0.0.0.0/0" ]; then
    hostname="Other IPv4 traffic"
  elif [ "$hostname" = "::/0" ]; then
    hostname="Other IPv6 traffic"
  fi

  echo "$hostname ($ip): $(show_human_size $size)"
  TOTAL_OUT=$(($TOTAL_OUT + $size))
done

echo ""
echo "Total output traffic: $(show_human_size $TOTAL_OUT)"

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/traffic-accounting.CHANGELOG <==
Version 1.31 (May 9, 2018)
--------------------------
! Fixed (dynamic) host multi IP handling

Version 1.30 (June 11, 2018)
----------------------------
* Added new dynamic host support (requires AIF 2.1.0+)
* Updated helper for new aif job system (requires AIF 2.1.0+)

Version 1.23a (July 10, 2017)
-----------------------------
* Improve locking (handle stale lock files etc.)

Version 1.23 (May 8, 2017)
--------------------------
! On restart we must flush accounting chains to get rid of removed/stale hosts
* Remove BETA suffix from version

Version 1.22-BETA1 (September 18, 2014)
---------------------------------------
! We should use DNS_FAST_FAIL not DYNDNS_FAST_FAIL
* Handle the host cache's new cache fallback threshold column properly

Version 1.21 (January 25, 2013)
-------------------------------
* Show a warning in case host resolving fails instead of having iptables fail
* Only try to resolve a host once per session to speed things up in case network/dns fails

Version 1.20-BETA (October 23, 2012)
------------------------------------
* No longer generate/use our own hostcache but the one generated by the DynDNS-plugin. Requires DynDNS-plugin v1.20+

Version 1.12 (July 14, 2011)
----------------------------
! We should call the helper script on a restart(), if required

Version 1.11 (May 13, 2011)
---------------------------
* Since we have support for the restart() command now the DNS cache file can be removed on stop/start

Version 1.1BETA (October 19, 2010)
----------------------------------
* Added plugin_restart() function support for AIF 2.0.0
* Updated for mixed IPv4/IPv6

Version 1.01BETA (March 1, 2010)
--------------------------------
! Adding hosts when the plugin/firewall was already running didn't work properly

Version 1.0BETA (February 15, 2010)
-----------------------------------
+ Adding proper caches + additional (tweak) settings for the config file
* Pre-resolve all hostnames first before updating the rules in our helper script
* Numerous tweaks + fixes

Version 0.33BETA (September 2, 2009)
------------------------------------
! Fixed log rotation

Version 0.32BETA (August 3, 2009)
---------------------------------
! Fixed rules in the input/output chains didn't return causing traffic to also be counted for the catch-all (0/0) rule

Version 0.31BETA (July 14, 2009)
--------------------------------
! Fixed catch-all rule didn't work because iptables translates 0/0 to 0.0.0.0/0

Version 0.30BETA (July 1, 2009)
-------------------------------
! Fixed stupid bug that caused an infinite number of RETURN rules to build up in the traffic chains
+ Also show *other* traffic generated by undefined hosts
* Temporary stuff now stored in /var/tmp
+ Have option to enable/disable DynDNS-try-first

Version 0.23BETA (January 7, 2009)
----------------------------------
! Fixes in the helper script

Version 0.22BETA (November 19, 2008)
------------------------------------
! Fix incorrect helper script name

Version 0.21BETA (November 17, 2008)
------------------------------------
* Minor tweaks

Version 0.2BETA (October 12, 2008)
----------------------------------
+ Major cleanup
+ Better error handling
+ Adding lockfile checking

Version 0.1ALPHA (October 10, 2008)
-----------------------------------
+ First initial version

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/traffic-shaper.CHANGELOG <==
Version 1.2.05 (December 27, 2012)
----------------------------------
+ Allow DOWNLINK=0 to disable inbound (ingress) shaping, UPLINK must be greater than 0

Version 1.2.04 (October 17, 2010)
---------------------------------
+ Added SHAPER_IF variable to specify a single interface should EXT_IF contain more than one

Version 1.2.02 (September 11, 2009)
-----------------------------------
+ Reformat informational message about down- and up-load speeds.

Version 1.2.01 (August 23, 2009)
--------------------------------
+ Call 'modprobe' directly and not module_probe as before.

Version 1.2.00 (August 21, 2009)
--------------------------------
+ Give the actual downstream/upstream bandwidth for visual confirmation.

Version 1.1.01 (March 22, 2009)
-------------------------------
+ Changed invocations of iptables to use short command names.
+ Now unload modules on 'stop'.
+ Check for presence of 'ip' and 'tc' during sanity routine.

Version 1.1.00 (February 9, 2009)
---------------------------------
+ Added support for wildcard interface names (e.g. "ppp+").

Version 1.0.01 (December 6, 2008)
---------------------------------
+ Lonnie added support to DSCP, and HTB.

Version 0.24BETA (December 1, 2008)
-----------------------------------
! Fixed last change broke busybox setups

Version 0.23BETA (November 19, 2008)
------------------------------------
! Fix error on Ubuntu

Version 0.22BETA (November 17, 2008)
------------------------------------
- Cleanups

Version 0.21BETA (August 11, 2008)
----------------------------------
+ Added support for multiple interfaces

VERSION 0.2BETA (February 19, 2008)
-----------------------------------
! Minor tweak for PLUGIN_RET_VAL
+ Updated according to the new plugin template
+ Changed config variables to have SHAPER_ prefix (since they might be shared by other similar plugins with different schedulers, like 'red' or 'cbq')

VERSION 0.1BETA (February 12, 2008)
-----------------------------------
+ Initial version

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/transparent-dnat.CHANGELOG <==
Version 0.31BETA (July 31, 2015)
--------------------------------
* Use modprobe_multi for newer kernels

Version 0.30BETA (March 17, 2009)
---------------------------------
* Cleanup
* Misc. tweaks

Version 0.23BETA (February 19, 2008)
------------------------------------
* Minor tweak for PLUGIN_RET_VAL

Version 0.22BETA (February 13, 2008)
------------------------------------
+ Updated according to the new plugin template

Version 0.21BETA (January 30, 2008)
-----------------------------------
* Changed hardcoded iptables to iptables

Version 0.2BETA (November 15, 2007)
-----------------------------------
* Plugin cleanup
* Changed OUTPUT to PREROUTING chain (cleaner + faster)
* Updated for new plugin model (with PLUGIN_CMD) + better layout

Version 0.1BETA (May 26, 2006)
------------------------------
* Initial version (courtesy of Rok Potocnik)

==> aif-2.1.2a/share/arno-iptables-firewall/plugins/transparent-proxy.CHANGELOG <==
Version 1.04 (July 31, 2015)
----------------------------
* Use modprobe_multi for newer kernels

Version 1.03 (September 19, 2010)
---------------------------------
* Changed to be IPv4-only

Version 1.02 (September 8, 2008)
--------------------------------
! Fixed incorrect configuration filename

Version 1.01 (September 4, 2008)
--------------------------------
! Fixed accidental DOS formatting of the plugin

Version 1.0 (August 9, 2008)
----------------------------
* Simply moved the code from the main script

==> aif-2.1.2a/share/man/man1/arno-fwfilter.1 <==
.TH "ARNO_FWFILTER" "1" "September 2005" "Michael Hanke" ""
.SH "NAME"
arno\-fwfilter \- a filter script to make iptables firewall logs more readable for humans
.SH "SYNOPSIS"
\fBarno\-fwfilter\fR [\fIOPTIONS\fR]
.SH "DESCRIPTION"
\fBarno\-fwfilter\fR is a pipe filter script to make the firewall\-log better readable.
Some usage examples are:
.TP
Static firewall log filtering:
arno-fwfilter < logfile
.TP
Realtime firewall logging on tty10:
tail \-\-follow | arno-fwfilter >/dev/tty10 &
.SH "OPTIONS"
.TP
\fB\-\-help\fR, \fB\-h\fR
Print the available options.
.TP
\fB\-\-no-resolve\fR, \fB\-r\fR
Disable resolving of IPs to names.
.TP
\fB\-\-html\-output\fR, \fB\-o\fR
Use basic HTML to format the output.
.TP
\fB\-\-no\-locations\fR, \fB\-l\fR
Disable to (try to) obtain the IP's geographical location.
By default, http://www.hostip.info/ is visited to get this information.
.TP
\fB\-\-no\-colors\fR, \fB\-c\fR
Disable the use of colors in the output.
.TP
\fB\-\-single\-line\fR, \fB\-s\fR
Put all information about an event in a single line
.SH "SEE ALSO"
.BR iptables "(8)",
.BR arno\-iptables\-firewall "(8)"
.PP
The
.I https://github.com/arno-iptables-firewall/aif
web site.
.SH "AUTHOR"
\fBarno\-fwfilter\fR was written by Arno van Amersfoort.
.PP
This manual page was written by Michael Hanke, for the Debian project (but may be used by others).
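The traffic-accounting scripts above (traffic-accounting-helper, -log-rotate and -show) keep a running byte count per host by reading the counters of the RETURN rules in the ACCOUNTING_INPUT_CHAIN/ACCOUNTING_OUTPUT_CHAIN chains and adding them to the previous totals in /var/log/traffic-accounting.log. The following is an added example, not code from the AIF project, that reproduces that merge step offline: the `iptables -xnvL` listings and the old log are constructed sample data, and the function names (chain_bytes_for, old_log_value, merge_entry) are this example's own. It also shows why the helper reads the source address from column 8 for ip4tables but column 7 for ip6tables, and sidesteps that by counting fields from the end of the row, which is valid for the plain `-s X -j RETURN` rules these chains contain.

```shell
#!/bin/sh
# Added example (not part of the AIF project): offline reproduction of how
# traffic-accounting-helper turns "iptables -xnvL <chain>" counters into the
# "<host> <ip> <bytes in> <bytes out>" lines of /var/log/traffic-accounting.log.
# All listings and the old log below are constructed sample data.

# Constructed sample of "ip4tables -xnvL ACCOUNTING_INPUT_CHAIN". Column 2 is the
# byte counter; IPv4 rows carry an "opt" field ("--"), so source is field 8 and
# destination field 9, which is what the helper's awk '{ print $8 }' relies on.
SAMPLE_V4_IN='Chain ACCOUNTING_INPUT_CHAIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     150000 RETURN     all  --  *      *       192.0.2.10           0.0.0.0/0
      30       4096 RETURN     all  --  *      *       198.51.100.7         0.0.0.0/0
    9000   52428800 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_V4_OUT='Chain ACCOUNTING_OUTPUT_CHAIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      80      10240 RETURN     all  --  *      *       0.0.0.0/0            192.0.2.10
    5000   10485760 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# ip6tables prints the "opt" header but leaves that field blank in each row, so
# awk sees one field less: source is field 7, destination field 8. That is the
# reason the helper uses $8/$9 for ip4tables and $7/$8 for ip6tables.
SAMPLE_V6_IN='Chain ACCOUNTING_INPUT_CHAIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      10       2048 RETURN     all      *      *       2001:db8::10         ::/0'

SAMPLE_V6_OUT='Chain ACCOUNTING_OUTPUT_CHAIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       4        512 RETURN     all      *      *       ::/0                 2001:db8::10'

# Constructed previous log contents: one "<host> <ip> <in> <out>" line per IP.
OLD_LOG='host1.example 192.0.2.10 1000 10240
0.0.0.0/0 0.0.0.0/0 500 600'

# chain_bytes_for LISTING src|dst ADDRESS
# Sums the byte counter of every rule whose source (or destination) equals
# ADDRESS. Counting from the end of the row ($(NF-1) = source, $NF =
# destination) works for both the IPv4 and the IPv6 layout as long as the rule
# carries no extra match text, which holds for plain "-s X -j RETURN" rules.
# Prints 0 when no rule matches.
chain_bytes_for() {
  printf '%s\n' "$1" | awk -v dir="$2" -v addr="$3" '
    NR > 2 && NF >= 2 {
      a = (dir == "src") ? $(NF - 1) : $NF
      if (a == addr) sum += $2
    }
    END { printf "%d\n", sum + 0 }'
}

# old_log_value OLD_LOG HOST FIELD
# Column FIELD (3 = in, 4 = out) of HOST's line in the old log, or 0 when the
# host was not accounted before (a new host starts from zero).
old_log_value() {
  printf '%s\n' "$1" | awk -v h="$2" -v f="$3" '
    $1 == h { print $f; found = 1; exit }
    END { if (!found) print 0 }'
}

# merge_entry HOST IP OLD_LOG IN_LISTING OUT_LISTING
# Emits the new log line for one host/IP pair: previous totals plus the bytes
# counted since the last run. IP must be written exactly as iptables prints it
# (no /32 or /128 suffix, lower-case hex for IPv6); otherwise the string
# comparison misses and the host is silently restarted from zero.
merge_entry() {
  old_in=$(old_log_value "$3" "$1" 3)
  old_out=$(old_log_value "$3" "$1" 4)
  in_now=$(chain_bytes_for "$4" src "$2")
  out_now=$(chain_bytes_for "$5" dst "$2")
  echo "$1 $2 $((old_in + in_now)) $((old_out + out_now))"
}

# Stand-alone run: the lines the helper would write for this accounting cycle.
merge_entry host1.example 192.0.2.10 "$OLD_LOG" "$SAMPLE_V4_IN" "$SAMPLE_V4_OUT"
merge_entry host6.example 2001:db8::10 "$OLD_LOG" "$SAMPLE_V6_IN" "$SAMPLE_V6_OUT"
merge_entry 0.0.0.0/0 0.0.0.0/0 "$OLD_LOG" "$SAMPLE_V4_IN" "$SAMPLE_V4_OUT"
```

Two details carry over to the real helper. First, the counters read here are the bytes since the rule was last replaced or the chain flushed, so the merge only stays correct if every run replaces or re-adds the rule (which is what the helper's `-R`/`-I` does) and the log is rotated with the counters reset, as traffic-accounting-log-rotate does. Second, the helper matches rules by comparing the address string from the listing with the one stored in the log; a host whose DNS answer changes representation but not value (for example upper-case versus lower-case IPv6 hex) will be treated as a new IP and counted from zero.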
==> aif-2.1.2a/share/man/man8/arno-iptables-firewall.8 <==
.TH "ARNO-IPTABLES-FIREWALL" "8" "2020-03-25" "Sven Geuer" "AIF Manual"
.SH "NAME"
arno\-iptables\-firewall \- Single\- & multi\-homed firewall script with DSL/ADSL support.
.SH "SYNOPSIS"
\fBarno\-iptables\-firewall\fR start | restart | force-reload | stop | stop-block | status | status\-plugins | check-conf
.SH "DESCRIPTION"
\fBarno\-iptables\-firewall\fR is an iptables configuration script with support for both IPv4 & IPv6.
In general, it should not be called directly, but rather should be invoked via \fI/etc/init.d/arno\-iptables\-firewall\fR or \fIsystemctl\~COMMAND\~arno\-iptables\-firewall.service\fR, depending on the init system in use.
While it is extremely easy to set up a basic firewall, one can nevertheless configure it to meet quite complex requirements.
.P
All available options are explained in the extensively documented configuration file.
.P
As a bare minimum, the external interface of the system needs to be set up properly in the firewall's configuration (EXT_IF).
The default behavior of the firewall is to deny all incoming connections.
.P
Instead of editing the main configuration file, it is recommended to put configuration snippets into .conf files to be placed in the configuration directory.
These are sourced after the main configuration file has been read and can be used to override previous (default) configurations.
.P
For additional requirements not covered by the configuration file and not coverable by configuration snippets, custom iptables rules can be placed in a custom rules file.
This file is automatically parsed by the service script.
.P
Logs are written to a dedicated log file if \fBrsyslogd\fR is in use.
The \fBarno\-fwfilter\fR script can be used to make the firewall logs more readable for humans (see manpage).
.P
Several plugins implementing advanced features come with the firewall script.
Each of them brings its own configuration file, to be found in the plugins configuration directory.
.SH "FILES"
.TP
.I /etc/arno\-iptables\-firewall/firewall.conf
main configuration file
.TP
.I /etc/arno\-iptables\-firewall/conf.d/
firewall configuration directory
.TP
.I /etc/arno\-iptables\-firewall/plugins/
plugins configuration directory
.TP
.I /etc/arno\-iptables\-firewall/custom\-rules
custom iptables rules file
.TP
.I /etc/arno\-iptables\-firewall/blocked\-hosts
host blacklist. This file does not pre-exist and its use is disabled in the main configuration file by default.
.TP
.I /var/log/arno\-iptables\-firewall
log file maintained by rsyslogd
.SH "SEE ALSO"
.BR iptables "(8)",
.BR arno\-fwfilter "(1)",
.I /usr/local/share/doc/arno-iptables-firewall/README.gz,
.I https://github.com/arno-iptables-firewall/aif
.SH "AUTHORS"
arno\-iptables\-firewall was written by Arno van Amersfoort and Lonnie Abelbeck.
.P
This manual page was initially written by Michael Hanke and has been reworked by Sven Geuer, for the Debian project (but may be used by others).

==> aif-2.1.2a/uninstall.sh <==
#!/bin/bash

MY_VERSION="1.0f"

# ------------------------------------------------------------------------------------------
#                          -= Arno's Iptables Firewall(AIF) =-
#              Single- & multi-homed firewall script with DSL/ADSL support
#
#                          ~ In memory of my dear parents ~
#
# (C) Copyright 2001-2020 by Arno van Amersfoort
# Web   : https://github.com/arno-iptables-firewall/aif
# Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#         (note: you must remove all spaces and substitute the @ and the .
#         at the proper locations!)
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------

check_command()
{
  local path IFS

  IFS=' '
  for cmd in $*; do
    if [ -n "$(which "$cmd" 2>/dev/null)" ]; then
      return 0
    fi
  done

  return 1
}


sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi
}


get_user_yn()
{
  if [ "$2" = "y" ]; then
    printf "$1 (Y/n)? "
  else
    printf "$1 (y/N)? "
  fi

  read answer_with_case

  ANSWER=`echo "$answer_with_case" |tr A-Z a-z`

  if [ "$ANSWER" = "y" -o "$ANSWER" = "yes" ]; then
    return 0
  fi

  if [ "$ANSWER" = "n" -o "$ANSWER" = "no" ]; then
    return 1
  fi

  # Fallback to default
  if [ "$2" = "y" ]; then
    return 0
  else
    return 1
  fi
}


# main line:
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v$AIF_VERSION\033[0m\n"
printf "Uninstall Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"

sanity_check

if ! get_user_yn "Continue uninstall" "n"; then
  echo "*Uninstall aborted!"
  exit 1
fi

rm -fv /usr/local/sbin/arno-iptables-firewall
rm -fv /usr/local/sbin/arno-fwfilter
rm -fv /usr/local/sbin/traffic-accounting-show
rm -fv /usr/local/bin/arno-fwfilter
rm -rfv /usr/local/share/arno-iptables-firewall
rm -fv /usr/local/share/man/man8/arno-iptables-firewall.8.gz
rm -fv /usr/local/share/man/man8/arno-fwfilter.1.gz
rm -fv /usr/local/share/doc/arno-iptables-firewall/README
rm -fv /etc/logrotate.d/arno-iptables-firewall

# Disable systemd
if check_command systemctl; then
  systemctl disable arno-iptables-firewall
fi

# Disable via update-rc.d/chkconfig
if check_command update-rc.d; then
  update-rc.d -f arno-iptables-firewall remove
elif check_command chkconfig; then
  chkconfig --del arno-iptables-firewall
fi

# Remove init.d script
rm -fv /etc/init.d/arno-iptables-firewall
rm -fv /etc/rc.d/rc*.d/*arno-iptables-firewall
rm -fv /etc/rc*.d/*arno-iptables-firewall

# Remove systemd files
rm -fv /usr/lib/systemd/system/arno-iptables-firewall.service
rm -fv /lib/systemd/system/arno-iptables-firewall.service
rm -fv /etc/systemd/arno-iptables-firewall.service

if get_user_yn "Also remove ALL configuration files from /etc/arno-iptables-firewall/" "n"; then
  rm -rfv /etc/arno-iptables-firewall
else
  echo "* Skipped"
fi

echo ""
echo "** Uninstall done **"
echo ""

exit 0