Commit | Line | Data |
---|---|---|
bfdc045d MW |
1 | ### -*-m4-*- |
2 | ### | |
3 | ### Utility functions for firewall scripts | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | m4_divert(20)m4_dnl | |
25 | ###-------------------------------------------------------------------------- | |
26 | ### Utility functions. | |
27 | ||
28 | ## doit COMMAND ARGS... | |
29 | ## | |
30 | ## If debugging, print the COMMAND and ARGS. If serious, execute them. | |
31 | run () { | |
32 | set -e | |
33 | if [ "$FW_DEBUG" ]; then echo "* $*"; fi | |
34 | if ! [ "$FW_NOACT" ]; then "$@"; fi | |
35 | } | |
36 | ||
37 | ## trace MESSAGE... | |
38 | ## | |
39 | ## If debugging, print the MESSAGE. | |
40 | trace () { | |
41 | set -e | |
42 | if [ "$FW_DEBUG" ]; then echo "$*"; fi | |
43 | } | |
44 | ||
45 | ## defport NAME NUMBER | |
46 | ## | |
47 | ## Define $port_NAME to be NUMBER. | |
48 | defport () { | |
49 | name=$1 number=$2 | |
50 | eval port_$name=$number | |
51 | } | |
52 | ||
53 | m4_divert(22)m4_dnl | |
54 | ###-------------------------------------------------------------------------- | |
55 | ### Basic chain constructions. | |
56 | ||
57 | ## clearchain CHAIN CHAIN ... | |
58 | ## | |
59 | ## Ensure that the named chains exist and are empty. | |
60 | clearchain () { | |
61 | set -e | |
62 | for chain; do | |
63 | case $chain in | |
64 | *:*) table=${chain%:*} chain=${chain#*:} ;; | |
65 | *) table=filter ;; | |
66 | esac | |
67 | run iptables -t $table -N $chain | |
68 | done | |
69 | } | |
70 | ||
71 | ## errorchain CHAIN ACTION ARGS ... | |
72 | ## | |
73 | ## Make a chain which logs a message and then invokes some other action, | |
74 | ## typically REJECT. Log messages are prefixed by `fw: CHAIN'. | |
75 | errorchain () { | |
76 | set -e | |
77 | chain=$1; shift | |
78 | case $chain in | |
79 | *:*) table=${chain%:*} chain=${chain#*:} ;; | |
80 | *) table=filter ;; | |
81 | esac | |
82 | clearchain $table:$chain | |
83 | run iptables -t $table -A $chain -j LOG \ | |
84 | -m limit --limit 3/minute --limit-burst 10 \ | |
fc10e52b | 85 | --log-prefix "fw: $chain " --log-level notice |
bfdc045d MW |
86 | run iptables -t $table -A $chain -j "$@" |
87 | } | |
88 | ||
89 | m4_divert(24)m4_dnl | |
90 | ###-------------------------------------------------------------------------- | |
91 | ### Basic option setting. | |
92 | ||
93 | ## setopt OPTION VALUE | |
94 | ## | |
95 | ## Set an IP sysctl. | |
96 | setopt () { | |
97 | set -e | |
98 | opt=$1; shift; val=$* | |
99 | run sysctl -q net/ipv4/$opt="$val" | |
100 | } | |
101 | ||
102 | ## setdevopt OPTION VALUE | |
103 | ## | |
104 | ## Set an IP interface-level sysctl. | |
105 | setdevopt () { | |
106 | set -e | |
107 | opt=$1; shift; val=$* | |
108 | for i in /proc/sys/net/ipv4/conf/*; do | |
109 | [ -f $i/$opt ] && | |
110 | run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val" | |
111 | done | |
112 | } | |
113 | ||
114 | m4_divert(26)m4_dnl | |
115 | ###-------------------------------------------------------------------------- | |
116 | ### Packet filter construction. | |
117 | ||
118 | ## conntrack CHAIN | |
119 | ## | |
120 | ## Add connection tracking to CHAIN, and allow obvious stuff. | |
121 | conntrack () { | |
122 | set -e | |
123 | chain=$1 | |
124 | run iptables -A $chain -p tcp -m state \ | |
125 | --state ESTABLISHED,RELATED -j ACCEPT | |
126 | run iptables -A $chain -p tcp ! --syn -g bad-tcp | |
127 | } | |
128 | ||
ecdca131 MW |
129 | ## commonrules CHAIN |
130 | ## | |
131 | ## Add standard IP filtering rules to the CHAIN. | |
132 | commonrules () { | |
133 | set -e | |
134 | chain=$1 | |
135 | ||
136 | ## Pass fragments through, assuming that the eventual destination will sort | |
137 | ## things out properly. Except for TCP, that is, which should never be | |
138 | ## fragmented. | |
139 | run iptables -A $chain -p tcp -f -g tcp-fragment | |
140 | run iptables -A $chain -f -j ACCEPT | |
141 | } | |
142 | ||
bfdc045d MW |
143 | ## allowservices CHAIN PROTO SERVICE ... |
144 | ## | |
145 | ## Add rules to allow the SERVICES on the CHAIN. | |
146 | allowservices () { | |
147 | set -e | |
148 | chain=$1 proto=$2; shift 2 | |
149 | count=0 | |
150 | list= | |
151 | for svc; do | |
152 | case $svc in | |
153 | *:*) | |
154 | n=2 | |
155 | left=${svc%:*} right=${svc#*:} | |
156 | case $left in *[!0-9]*) eval left=\$port_$left ;; esac | |
157 | case $right in *[!0-9]*) eval right=\$port_$right ;; esac | |
158 | svc=$left:$right | |
159 | ;; | |
160 | *) | |
161 | n=1 | |
162 | case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac | |
163 | ;; | |
164 | esac | |
165 | case $svc in | |
166 | *: | :* | "" | *[!0-9:]*) | |
167 | echo >&2 "Bad service name" | |
168 | exit 1 | |
169 | ;; | |
170 | esac | |
171 | count=$(( $count + $n )) | |
172 | if [ $count -gt 15 ]; then | |
173 | run iptables -A $chain -p $proto -m multiport -j ACCEPT \ | |
174 | --destination-ports ${list#,} | |
175 | list= count=$n | |
176 | fi | |
177 | list=$list,$svc | |
178 | done | |
179 | case $list in | |
180 | "") | |
181 | ;; | |
182 | ,*,*) | |
183 | run iptables -A $chain -p $proto -m multiport -j ACCEPT \ | |
184 | --destination-ports ${list#,} | |
185 | ;; | |
186 | *) | |
187 | run iptables -A $chain -p $proto -j ACCEPT \ | |
188 | --destination-port ${list#,} | |
189 | ;; | |
190 | esac | |
191 | } | |
192 | ||
193 | ## ntpclient CHAIN NTPSERVER ... | |
194 | ## | |
195 | ## Add rules to CHAIN to allow NTP with NTPSERVERs. | |
196 | ntpclient () { | |
197 | set -e | |
198 | chain=$1; shift | |
199 | for ntp; do | |
200 | run iptables -A $chain -s $ntp -j ACCEPT \ | |
201 | -p udp --source-port 123 --destination-port 123 | |
202 | done | |
203 | } | |
204 | ||
205 | ## dnsresolver CHAIN | |
206 | ## | |
207 | ## Add rules to allow CHAIN to be a DNS resolver. | |
208 | dnsresolver () { | |
209 | set -e | |
210 | chain=$1 | |
211 | for p in tcp udp; do | |
212 | run iptables -A $chain -j ACCEPT \ | |
213 | -m state --state ESTABLISHED \ | |
214 | -p $p --source-port 53 | |
215 | done | |
216 | } | |
217 | ||
218 | ## openports CHAIN [MIN MAX] | |
219 | ## | |
220 | ## Add rules to CHAIN to allow the open ports. | |
221 | openports () { | |
222 | set -e | |
223 | chain=$1; shift | |
224 | [ $# -eq 0 ] && set -- $open_port_min $open_port_max | |
225 | run iptables -A $chain -p tcp -g interesting --destination-port $1:$2 | |
226 | run iptables -A $chain -p udp -g interesting --destination-port $1:$2 | |
227 | } | |
228 | ||
229 | m4_divert(28)m4_dnl | |
230 | ###-------------------------------------------------------------------------- | |
231 | ### Packet classification. | |
232 | ||
233 | ## defbitfield NAME WIDTH | |
234 | ## | |
235 | ## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with | |
236 | ## bitfields: x << BIT_NAME yields the value x in the correct position, and | |
237 | ## ff & MASK_NAME extracts the corresponding value. | |
238 | defbitfield () { | |
239 | set -e | |
240 | name=$1 width=$2 | |
241 | eval MASK_$name=$(( (1 << $width) - 1 << $bitindex )) | |
242 | eval BIT_$name=$bitindex | |
243 | bitindex=$(( $bitindex + $width )) | |
244 | } | |
245 | ||
246 | ## Define the layout of the bitfield. | |
247 | bitindex=0 | |
248 | defbitfield MASK 16 | |
249 | defbitfield FROM 4 | |
250 | defbitfield TO 4 | |
251 | ||
252 | ## defnetclass NAME FORWARD-TO... | |
253 | ## | |
254 | ## Defines a netclass called NAME, which is allowed to forward to the | |
255 | ## FORWARD-TO netclasses. | |
256 | ## | |
257 | ## For each netclass, constants from_NAME and to_NAME are defined as the | |
258 | ## appropriate values in the FROM and TO fields (i.e., not including any mask | |
259 | ## bits). | |
260 | ## | |
261 | ## This function also establishes mangle chains mark-from-NAME and | |
262 | ## mark-to-NAME for applying the appropriate mark bits to the packet. | |
263 | ## | |
264 | ## Because it needs to resolve forward references, netclasses must be defined | |
265 | ## in a two-pass manner, using a loop of the form | |
266 | ## | |
267 | ## for pass in 1 2; do netclassindex=0; ...; done | |
268 | netclassess= | |
269 | defnetclass () { | |
270 | set -e | |
271 | name=$1; shift | |
272 | case $pass in | |
273 | 1) | |
274 | ||
275 | ## Pass 1. Establish the from_NAME and to_NAME constants, and the | |
276 | ## netclass's mask bit. | |
277 | eval from_$name=$(( $netclassindex << $BIT_FROM )) | |
278 | eval to_$name=$(( $netclassindex << $BIT_TO )) | |
279 | eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) )) | |
280 | nets="$nets $name" | |
281 | ;; | |
282 | 2) | |
283 | ||
284 | ## Pass 2. Compute the actual from and to values. We're a little bit | |
285 | ## clever during source classification, and set the TO field to | |
286 | ## all-bits-one, so that destination classification needs only a single | |
287 | ## AND operation. | |
288 | from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) )) | |
289 | for net; do | |
290 | eval bit=\$_mask_$net | |
291 | from=$(( $from + $bit )) | |
292 | done | |
293 | to=$(( ($netclassindex << $BIT_TO) + \ | |
294 | (0xf << $BIT_FROM) + \ | |
295 | (1 << ($netclassindex + $BIT_MASK)) )) | |
296 | trace "from $name --> set $(printf %x $from)" | |
297 | trace " to $name --> and $(printf %x $from)" | |
298 | ||
299 | ## Now establish the mark-from-NAME and mark-to-NAME chains. | |
300 | clearchain mangle:mark-from-$name mangle:mark-to-$name | |
301 | run iptables -t mangle -A mark-from-$name -j MARK --set-mark $from | |
302 | run iptables -t mangle -A mark-to-$name -j MARK --and-mark $to | |
303 | ;; | |
304 | esac | |
305 | netclassindex=$(( $netclassindex + 1 )) | |
306 | } | |
307 | ||
308 | ## defiface NAME NETCLASS:NETWORK/MASK... | |
309 | ## | |
310 | ## Declares a network interface NAME and associates with it a number of | |
311 | ## reachable networks. During source classification, a packet arriving on | |
312 | ## interface NAME from an address in NETWORK/MASK is classified as coming | |
313 | ## from to NETCLASS. During destination classification, all packets going to | |
314 | ## NETWORK/MASK are classified as going to NETCLASS, regardless of interface | |
315 | ## (which is good, because the outgoing interface hasn't been determined | |
316 | ## yet). | |
317 | ## | |
318 | ## As a special case, the NETWORK/MASK can be the string `default', which | |
319 | ## indicates that all addresses not matched elsewhere should be considered. | |
320 | ifaces=: | |
321 | defaultiface=none | |
322 | allnets= | |
323 | defiface () { | |
324 | set -e | |
325 | name=$1; shift | |
326 | case $ifaces in | |
327 | *:"$name":*) ;; | |
328 | *) | |
329 | clearchain mangle:in-$name | |
330 | run iptables -t mangle -A in-classify -i $name -g in-$name | |
331 | ;; | |
332 | esac | |
333 | ifaces=$ifaces$name: | |
334 | for item; do | |
335 | netclass=${item%:*} addr=${item#*:} | |
336 | case $addr in | |
337 | default) | |
338 | defaultiface=$name | |
339 | defaultclass=$netclass | |
340 | run iptables -t mangle -A out-classify -g mark-to-$netclass | |
341 | ;; | |
342 | *) | |
343 | run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass | |
344 | run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass | |
345 | allnets="$allnets $name:$addr" | |
346 | ;; | |
347 | esac | |
348 | done | |
349 | } | |
350 | ||
351 | ## defvpn IFACE CLASS NET HOST:ADDR ... | |
352 | ## | |
353 | ## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a | |
354 | ## netfilter wildcard) then define a separate interface ROOTHOST routing to | |
355 | ## ADDR; otherwise just write a blanket rule allowing the whole NET. All | |
356 | ## addresses concerned are put in the named CLASS. | |
357 | defvpn () { | |
358 | set -e | |
359 | iface=$1 class=$2 net=$3; shift 3 | |
360 | case $iface in | |
361 | *-+) | |
362 | root=${iface%+} | |
363 | for host; do | |
364 | name=${host%:*} addr=${host#*:} | |
365 | defiface $root$name $class:$addr | |
366 | done | |
367 | ;; | |
368 | *) | |
369 | defiface $iface $class:$net | |
370 | ;; | |
371 | esac | |
372 | } | |
373 | ||
374 | m4_divert(-1) | |
375 | ###----- That's all, folks -------------------------------------------------- |