3 ### Utility functions for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Utility functions.
28 ## doit COMMAND ARGS...
30 ## If debugging, print the COMMAND and ARGS. If serious, execute them.
33 if [ "$FW_DEBUG" ]; then echo "* $*"; fi
34 if ! [ "$FW_NOACT" ]; then "$@"; fi
39 ## If debugging, print the MESSAGE.
42 if [ "$FW_DEBUG" ]; then echo "$*"; fi
45 ## defport NAME NUMBER
47 ## Define $port_NAME to be NUMBER.
50 eval port_$name=$number
54 ###--------------------------------------------------------------------------
55 ### Utility chains (used by function definitions).
58 ###--------------------------------------------------------------------------
59 ### Basic chain constructions.
61 ## ip46tables ARGS ...
63 ## Do the same thing for `iptables' and `ip6tables'.
70 ## clearchain CHAIN CHAIN ...
72 ## Ensure that the named chains exist and are empty.
77 *:*) table=${chain%:*} chain=${chain#*:} ;;
80 run ip46tables -t $table -N $chain
84 ## errorchain CHAIN ACTION ARGS ...
86 ## Make a chain which logs a message and then invokes some other action,
87 ## typically REJECT. Log messages are prefixed by `fw: CHAIN'.
92 *:*) table=${chain%:*} chain=${chain#*:} ;;
95 clearchain $table:$chain
96 run ip46tables -t $table -A $chain -j LOG \
97 -m limit --limit 3/minute --limit-burst 10 \
98 --log-prefix "fw: $chain " --log-level notice
99 run ip46tables -t $table -A $chain -j "$@"
103 ###--------------------------------------------------------------------------
104 ### Basic option setting.
106 ## setopt OPTION VALUE
111 opt=$1; shift; val=$*
112 run sysctl -q net/ipv4/$opt="$val"
115 ## setdevopt OPTION VALUE
117 ## Set an IP interface-level sysctl.
120 opt=$1; shift; val=$*
121 for i in /proc/sys/net/ipv4/conf/*; do
123 run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val"
128 ###--------------------------------------------------------------------------
129 ### Packet filter construction.
133 ## Add connection tracking to CHAIN, and allow obvious stuff.
137 run ip46tables -A $chain -p tcp -m state \
138 --state ESTABLISHED,RELATED -j ACCEPT
139 run ip46tables -A $chain -p tcp ! --syn -g bad-tcp
144 ## Add standard IP filtering rules to the CHAIN.
149 ## Pass fragments through, assuming that the eventual destination will sort
150 ## things out properly. Except for TCP, that is, which should never be
151 ## fragmented. This is an extra pain for ip6tables, which doesn't provide
152 ## a pleasant way to detect non-initial fragments.
153 run iptables -A $chain -p tcp -f -g tcp-fragment
154 run iptables -A $chain -f -j ACCEPT
155 run ip6tables -A $chain -p tcp -g tcp-fragment \
156 -m ipv6header --soft --header frag
157 run ip6tables -A $chain -j accept-non-init-frag
161 ## Accept a non-initial fragment. This is only needed by IPv6, to work
162 ## around a deficiency in the option parser.
163 run ip6tables -N accept-non-init-frag
164 run ip6tables -A accept-non-init-frag -j RETURN \
166 run ip6tables -A accept-non-init-frag -j ACCEPT
169 ## allowservices CHAIN PROTO SERVICE ...
171 ## Add rules to allow the SERVICES on the CHAIN.
174 chain=$1 proto=$2; shift 2
181 left=${svc%:*} right=${svc#*:}
182 case $left in *[!0-9]*) eval left=\$port_$left ;; esac
183 case $right in *[!0-9]*) eval right=\$port_$right ;; esac
188 case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
192 *: | :* | "" | *[!0-9:]*)
193 echo >&2 "Bad service name"
197 count=$(( $count + $n ))
198 if [ $count -gt 15 ]; then
199 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
200 --destination-ports ${list#,}
209 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
210 --destination-ports ${list#,}
213 run ip46tables -A $chain -p $proto -j ACCEPT \
214 --destination-port ${list#,}
219 ## ntpclient CHAIN NTPSERVER ...
221 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
226 run iptables -A $chain -s $ntp -j ACCEPT \
227 -p udp --source-port 123 --destination-port 123
233 ## Add rules to allow CHAIN to be a DNS resolver.
238 run ip46tables -A $chain -j ACCEPT \
239 -m state --state ESTABLISHED \
240 -p $p --source-port 53
244 ## openports CHAIN [MIN MAX]
246 ## Add rules to CHAIN to allow the open ports.
250 [ $# -eq 0 ] && set -- $open_port_min $open_port_max
251 run ip46tables -A $chain -p tcp -g interesting --destination-port $1:$2
252 run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
256 ###--------------------------------------------------------------------------
257 ### Packet classification.
259 ## defbitfield NAME WIDTH
261 ## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
262 ## bitfields: x << BIT_NAME yields the value x in the correct position, and
263 ## ff & MASK_NAME extracts the corresponding value.
267 eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
268 eval BIT_$name=$bitindex
269 bitindex=$(( $bitindex + $width ))
272 ## Define the layout of the bitfield.
278 ## defnetclass NAME FORWARD-TO...
280 ## Defines a netclass called NAME, which is allowed to forward to the
281 ## FORWARD-TO netclasses.
283 ## For each netclass, constants from_NAME and to_NAME are defined as the
284 ## appropriate values in the FROM and TO fields (i.e., not including any mask
287 ## This function also establishes mangle chains mark-from-NAME and
288 ## mark-to-NAME for applying the appropriate mark bits to the packet.
290 ## Because it needs to resolve forward references, netclasses must be defined
291 ## in a two-pass manner, using a loop of the form
293 ## for pass in 1 2; do netclassindex=0; ...; done
301 ## Pass 1. Establish the from_NAME and to_NAME constants, and the
302 ## netclass's mask bit.
303 eval from_$name=$(( $netclassindex << $BIT_FROM ))
304 eval to_$name=$(( $netclassindex << $BIT_TO ))
305 eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
310 ## Pass 2. Compute the actual from and to values. We're a little bit
311 ## clever during source classification, and set the TO field to
312 ## all-bits-one, so that destination classification needs only a single
314 from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
316 eval bit=\$_mask_$net
317 from=$(( $from + $bit ))
319 to=$(( ($netclassindex << $BIT_TO) + \
320 (0xf << $BIT_FROM) + \
321 (1 << ($netclassindex + $BIT_MASK)) ))
322 trace "from $name --> set $(printf %x $from)"
323 trace " to $name --> and $(printf %x $from)"
325 ## Now establish the mark-from-NAME and mark-to-NAME chains.
326 clearchain mangle:mark-from-$name mangle:mark-to-$name
327 run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from
328 run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to
331 netclassindex=$(( $netclassindex + 1 ))
334 ## defiface NAME NETCLASS:NETWORK/MASK...
336 ## Declares a network interface NAME and associates with it a number of
337 ## reachable networks. During source classification, a packet arriving on
338 ## interface NAME from an address in NETWORK/MASK is classified as coming
339 ## from to NETCLASS. During destination classification, all packets going to
340 ## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
341 ## (which is good, because the outgoing interface hasn't been determined
344 ## As a special case, the NETWORK/MASK can be the string `default', which
345 ## indicates that all addresses not matched elsewhere should be considered.
355 clearchain mangle:in-$name
356 run ip46tables -t mangle -A in-classify -i $name -g in-$name
361 netclass=${item%:*} addr=${item#*:}
365 defaultclass=$netclass
366 run ip46tables -t mangle -A out-classify -g mark-to-$netclass
369 run ip6tables -t mangle -A in-$name -s $addr -g mark-from-$netclass
370 run ip6tables -t mangle -A out-classify -d $addr -g mark-to-$netclass
371 allnets6="$allnets6 $name:$addr"
374 run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass
375 run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass
376 allnets="$allnets $name:$addr"
382 ## defvpn IFACE CLASS NET HOST:ADDR ...
384 ## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a
385 ## netfilter wildcard) then define a separate interface ROOTHOST routing to
386 ## ADDR; otherwise just write a blanket rule allowing the whole NET. All
387 ## addresses concerned are put in the named CLASS.
390 iface=$1 class=$2 net=$3; shift 3
395 name=${host%%:*} addr=${host#*:}
396 defiface $root$name $class:$addr
400 defiface $iface $class:$net
406 ###----- That's all, folks --------------------------------------------------