3 ### Utility functions for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Utility functions.
28 ## doit COMMAND ARGS...
30 ## If debugging, print the COMMAND and ARGS. If serious, execute them.
33 if [ "$FW_DEBUG" ]; then echo "* $*"; fi
34 if ! [ "$FW_NOACT" ]; then "$@"; fi
39 ## If debugging, print the MESSAGE.
42 if [ "$FW_DEBUG" ]; then echo "$*"; fi
45 ## defport NAME NUMBER
47 ## Define $port_NAME to be NUMBER.
50 eval port_$name=$number
54 ###--------------------------------------------------------------------------
55 ### Utility chains (used by function definitions).
58 ###--------------------------------------------------------------------------
59 ### Basic chain constructions.
61 ## ip46tables ARGS ...
63 ## Do the same thing for `iptables' and `ip6tables'.
70 ## clearchain CHAIN CHAIN ...
72 ## Ensure that the named chains exist and are empty.
77 *:*) table=${chain%:*} chain=${chain#*:} ;;
80 run ip46tables -t $table -N $chain
84 ## errorchain CHAIN ACTION ARGS ...
86 ## Make a chain which logs a message and then invokes some other action,
87 ## typically REJECT. Log messages are prefixed by `fw: CHAIN'.
92 *:*) table=${chain%:*} chain=${chain#*:} ;;
95 clearchain $table:$chain
96 run ip46tables -t $table -A $chain -j LOG \
97 -m limit --limit 3/minute --limit-burst 10 \
98 --log-prefix "fw: $chain " --log-level notice
99 run ip46tables -t $table -A $chain -j "$@"
103 ###--------------------------------------------------------------------------
104 ### Basic option setting.
106 ## setopt OPTION VALUE
113 for ver in ipv4 ipv6; do
114 if [ -f /proc/sys/net/$ver/$opt ]; then
115 run sysctl -q net/$ver/$opt="$val"
120 nil) echo >&2 "$0: unknown IP option $opt"; exit 1 ;;
124 ## setdevopt OPTION VALUE [INTERFACES ...]
126 ## Set an IP interface-level sysctl.
129 opt=$1 val=$2; shift 2
134 for ver in ipv4 ipv6; do
135 cd /proc/sys/net/$ver/conf
137 [ -f $i/$opt ] || continue
138 case "$seen" in (*:$i:*) continue ;; esac
146 for ver in ipv4 ipv6; do
147 if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
149 run sysctl -q net/ipv4/conf/$i/$opt="$val"
153 nil) echo >&2 "$0: unknown device option $opt"; exit 1 ;;
159 ###--------------------------------------------------------------------------
160 ### Packet filter construction.
164 ## Add connection tracking to CHAIN, and allow obvious stuff.
168 run ip46tables -A $chain -p tcp -m state \
169 --state ESTABLISHED,RELATED -j ACCEPT
170 run ip46tables -A $chain -p tcp ! --syn -g bad-tcp
175 ## Add standard IP filtering rules to the CHAIN.
180 ## Pass fragments through, assuming that the eventual destination will sort
181 ## things out properly. Except for TCP, that is, which should never be
182 ## fragmented. This is an extra pain for ip6tables, which doesn't provide
183 ## a pleasant way to detect non-initial fragments.
184 run iptables -A $chain -p tcp -f -g tcp-fragment
185 run iptables -A $chain -f -j ACCEPT
186 run ip6tables -A $chain -p tcp -g tcp-fragment \
187 -m ipv6header --soft --header frag
188 run ip6tables -A $chain -j accept-non-init-frag
192 ## Accept a non-initial fragment. This is only needed by IPv6, to work
193 ## around a deficiency in the option parser.
194 run ip6tables -N accept-non-init-frag
195 run ip6tables -A accept-non-init-frag -j RETURN \
197 run ip6tables -A accept-non-init-frag -j ACCEPT
200 ## allowservices CHAIN PROTO SERVICE ...
202 ## Add rules to allow the SERVICES on the CHAIN.
205 chain=$1 proto=$2; shift 2
212 left=${svc%:*} right=${svc#*:}
213 case $left in *[!0-9]*) eval left=\$port_$left ;; esac
214 case $right in *[!0-9]*) eval right=\$port_$right ;; esac
219 case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
223 *: | :* | "" | *[!0-9:]*)
224 echo >&2 "Bad service name"
228 count=$(( $count + $n ))
229 if [ $count -gt 15 ]; then
230 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
231 --destination-ports ${list#,}
240 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
241 --destination-ports ${list#,}
244 run ip46tables -A $chain -p $proto -j ACCEPT \
245 --destination-port ${list#,}
250 ## ntpclient CHAIN NTPSERVER ...
252 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
257 run iptables -A $chain -s $ntp -j ACCEPT \
258 -p udp --source-port 123 --destination-port 123
264 ## Add rules to allow CHAIN to be a DNS resolver.
269 run ip46tables -A $chain -j ACCEPT \
270 -m state --state ESTABLISHED \
271 -p $p --source-port 53
275 ## openports CHAIN [MIN MAX]
277 ## Add rules to CHAIN to allow the open ports.
281 [ $# -eq 0 ] && set -- $open_port_min $open_port_max
282 run ip46tables -A $chain -p tcp -g interesting --destination-port $1:$2
283 run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
287 ###--------------------------------------------------------------------------
288 ### Packet classification.
290 ## defbitfield NAME WIDTH
292 ## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
293 ## bitfields: x << BIT_NAME yields the value x in the correct position, and
294 ## ff & MASK_NAME extracts the corresponding value.
298 eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
299 eval BIT_$name=$bitindex
300 bitindex=$(( $bitindex + $width ))
303 ## Define the layout of the bitfield.
309 ## defnetclass NAME FORWARD-TO...
311 ## Defines a netclass called NAME, which is allowed to forward to the
312 ## FORWARD-TO netclasses.
314 ## For each netclass, constants from_NAME and to_NAME are defined as the
315 ## appropriate values in the FROM and TO fields (i.e., not including any mask
318 ## This function also establishes mangle chains mark-from-NAME and
319 ## mark-to-NAME for applying the appropriate mark bits to the packet.
321 ## Because it needs to resolve forward references, netclasses must be defined
322 ## in a two-pass manner, using a loop of the form
324 ## for pass in 1 2; do netclassindex=0; ...; done
332 ## Pass 1. Establish the from_NAME and to_NAME constants, and the
333 ## netclass's mask bit.
334 eval from_$name=$(( $netclassindex << $BIT_FROM ))
335 eval to_$name=$(( $netclassindex << $BIT_TO ))
336 eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
341 ## Pass 2. Compute the actual from and to values. We're a little bit
342 ## clever during source classification, and set the TO field to
343 ## all-bits-one, so that destination classification needs only a single
345 from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
347 eval bit=\$_mask_$net
348 from=$(( $from + $bit ))
350 to=$(( ($netclassindex << $BIT_TO) + \
351 (0xf << $BIT_FROM) + \
352 (1 << ($netclassindex + $BIT_MASK)) ))
353 trace "from $name --> set $(printf %x $from)"
354 trace " to $name --> and $(printf %x $from)"
356 ## Now establish the mark-from-NAME and mark-to-NAME chains.
357 clearchain mangle:mark-from-$name mangle:mark-to-$name
358 run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from
359 run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to
362 netclassindex=$(( $netclassindex + 1 ))
365 ## defiface NAME[,NAME,...] NETCLASS:NETWORK/MASK...
367 ## Declares network interfaces with the given NAMEs and associates with them
368 ## a number of reachable networks. During source classification, a packet
369 ## arriving on interface NAME from an address in NETWORK/MASK is classified
370 ## as coming from to NETCLASS. During destination classification, all
371 ## packets going to NETWORK/MASK are classified as going to NETCLASS,
372 ## regardless of interface (which is good, because the outgoing interface
373 ## hasn't been determined yet).
375 ## As a special case, the NETWORK/MASK can be the string `default', which
376 ## indicates that all addresses not matched elsewhere should be considered.
384 for name in $(echo $names | sed 'y/,/ /'); do
385 case $seen in *:"$name":*) continue ;; esac
390 clearchain mangle:in-$name
391 run ip46tables -t mangle -A in-classify -i $name -g in-$name
396 netclass=${item%:*} addr=${item#*:}
399 case "$defaultifaces,$defaultclass" in
401 defaultifaces="$defaultifaces $name"
402 defaultclass=$netclass
405 echo >&2 "$0: inconsistent default netclasses"
411 run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
413 run ip6tables -t mangle -A out-classify -g mark-to-$netclass \
415 allnets6="$allnets6 $name:$addr"
418 run iptables -t mangle -A in-$name -g mark-from-$netclass \
420 run iptables -t mangle -A out-classify -g mark-to-$netclass \
422 allnets="$allnets $name:$addr"
429 ## defvpn IFACE CLASS NET HOST:ADDR ...
431 ## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a
432 ## netfilter wildcard) then define a separate interface ROOTHOST routing to
433 ## ADDR; otherwise just write a blanket rule allowing the whole NET. All
434 ## addresses concerned are put in the named CLASS.
437 iface=$1 class=$2 net=$3; shift 3
442 name=${host%%:*} addr=${host#*:}
443 defiface $root$name $class:$addr
447 defiface $iface $class:$net
453 ###----- That's all, folks --------------------------------------------------