3 ### Utility functions for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Utility functions.
28 ## doit COMMAND ARGS...
30 ## If debugging, print the COMMAND and ARGS. If serious, execute them.
33 if [ "$FW_DEBUG" ]; then echo "* $*"; fi
34 if ! [ "$FW_NOACT" ]; then "$@"; fi
39 ## If debugging, print the MESSAGE.
42 if [ "$FW_DEBUG" ]; then echo "$*"; fi
45 ## defport NAME NUMBER
47 ## Define $port_NAME to be NUMBER.
50 eval port_$name=$number
53 ## defproto NAME NUMBER
55 ## Define $proto_NAME to be NUMBER.
58 eval proto_$name=$number
62 ###--------------------------------------------------------------------------
63 ### Utility chains (used by function definitions).
66 ###--------------------------------------------------------------------------
67 ### Basic chain constructions.
69 ## ip46tables ARGS ...
71 ## Do the same thing for `iptables' and `ip6tables'.
78 ## clearchain CHAIN CHAIN ...
80 ## Ensure that the named chains exist and are empty.
85 *:*) table=${chain%:*} chain=${chain#*:} ;;
88 run ip46tables -t $table -N $chain
92 ## errorchain CHAIN ACTION ARGS ...
94 ## Make a chain which logs a message and then invokes some other action,
95 ## typically REJECT. Log messages are prefixed by `fw: CHAIN'.
100 *:*) table=${chain%:*} chain=${chain#*:} ;;
103 clearchain $table:$chain
104 run ip46tables -t $table -A $chain -j LOG \
105 -m limit --limit 3/minute --limit-burst 10 \
106 --log-prefix "fw: $chain " --log-level notice
107 run ip46tables -t $table -A $chain -j "$@" \
108 -m limit --limit 20/second --limit-burst 100
109 run ip46tables -t $table -A $chain -j DROP
113 ###--------------------------------------------------------------------------
114 ### Basic option setting.
116 ## setopt OPTION VALUE
123 for ver in ipv4 ipv6; do
124 if [ -f /proc/sys/net/$ver/$opt ]; then
125 run sysctl -q net/$ver/$opt="$val"
130 nil) echo >&2 "$0: unknown IP option $opt"; exit 1 ;;
134 ## setdevopt OPTION VALUE [INTERFACES ...]
136 ## Set an IP interface-level sysctl.
139 opt=$1 val=$2; shift 2
144 for ver in ipv4 ipv6; do
145 cd /proc/sys/net/$ver/conf
147 [ -f $i/$opt ] || continue
148 case "$seen" in (*:$i:*) continue ;; esac
156 for ver in ipv4 ipv6; do
157 if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
159 run sysctl -q net/ipv4/conf/$i/$opt="$val"
163 nil) echo >&2 "$0: unknown device option $opt"; exit 1 ;;
169 ###--------------------------------------------------------------------------
170 ### Packet filter construction.
174 ## Add connection tracking to CHAIN, and allow obvious stuff.
178 run ip46tables -A $chain -p tcp -m state \
179 --state ESTABLISHED,RELATED -j ACCEPT
180 run ip46tables -A $chain -p tcp ! --syn -g bad-tcp
185 ## Add standard IP filtering rules to the CHAIN.
190 ## Pass fragments through, assuming that the eventual destination will sort
191 ## things out properly. Except for TCP, that is, which should never be
192 ## fragmented. This is an extra pain for ip6tables, which doesn't provide
193 ## a pleasant way to detect non-initial fragments.
194 run iptables -A $chain -p tcp -f -g tcp-fragment
195 run iptables -A $chain -f -j ACCEPT
196 run ip6tables -A $chain -p tcp -g tcp-fragment \
197 -m ipv6header --soft --header frag
198 run ip6tables -A $chain -j accept-non-init-frag
202 ## Accept a non-initial fragment. This is only needed by IPv6, to work
203 ## around a deficiency in the option parser.
204 run ip6tables -N accept-non-init-frag
205 run ip6tables -A accept-non-init-frag -j RETURN \
207 run ip6tables -A accept-non-init-frag -j ACCEPT
210 ## allowservices CHAIN PROTO SERVICE ...
212 ## Add rules to allow the SERVICES on the CHAIN.
215 chain=$1 proto=$2; shift 2
222 left=${svc%:*} right=${svc#*:}
223 case $left in *[!0-9]*) eval left=\$port_$left ;; esac
224 case $right in *[!0-9]*) eval right=\$port_$right ;; esac
229 case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
233 *: | :* | "" | *[!0-9:]*)
234 echo >&2 "Bad service name"
238 count=$(( $count + $n ))
239 if [ $count -gt 15 ]; then
240 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
241 --destination-ports ${list#,}
250 run ip46tables -A $chain -p $proto -m multiport -j ACCEPT \
251 --destination-ports ${list#,}
254 run ip46tables -A $chain -p $proto -j ACCEPT \
255 --destination-port ${list#,}
260 ## ntpclient CHAIN NTPSERVER ...
262 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
267 run iptables -A $chain -s $ntp -j ACCEPT \
268 -p udp --source-port 123 --destination-port 123
274 ## Add rules to allow CHAIN to be a DNS resolver.
279 run ip46tables -A $chain -j ACCEPT \
280 -m state --state ESTABLISHED \
281 -p $p --source-port 53
285 ## openports CHAIN [MIN MAX]
287 ## Add rules to CHAIN to allow the open ports.
291 [ $# -eq 0 ] && set -- $open_port_min $open_port_max
292 run ip46tables -A $chain -p tcp -g interesting --destination-port $1:$2
293 run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
297 ###--------------------------------------------------------------------------
298 ### Packet classification.
300 ## defbitfield NAME WIDTH
302 ## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
303 ## bitfields: x << BIT_NAME yields the value x in the correct position, and
304 ## ff & MASK_NAME extracts the corresponding value.
308 eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
309 eval BIT_$name=$bitindex
310 bitindex=$(( $bitindex + $width ))
313 ## Define the layout of the bitfield.
319 ## defnetclass NAME FORWARD-TO...
321 ## Defines a netclass called NAME, which is allowed to forward to the
322 ## FORWARD-TO netclasses.
324 ## For each netclass, constants from_NAME and to_NAME are defined as the
325 ## appropriate values in the FROM and TO fields (i.e., not including any mask
328 ## This function also establishes mangle chains mark-from-NAME and
329 ## mark-to-NAME for applying the appropriate mark bits to the packet.
331 ## Because it needs to resolve forward references, netclasses must be defined
332 ## in a two-pass manner, using a loop of the form
334 ## for pass in 1 2; do netclassindex=0; ...; done
342 ## Pass 1. Establish the from_NAME and to_NAME constants, and the
343 ## netclass's mask bit.
344 eval from_$name=$(( $netclassindex << $BIT_FROM ))
345 eval to_$name=$(( $netclassindex << $BIT_TO ))
346 eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
351 ## Pass 2. Compute the actual from and to values. We're a little bit
352 ## clever during source classification, and set the TO field to
353 ## all-bits-one, so that destination classification needs only a single
355 from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
357 eval bit=\$_mask_$net
358 from=$(( $from + $bit ))
360 to=$(( ($netclassindex << $BIT_TO) + \
361 (0xf << $BIT_FROM) + \
362 (1 << ($netclassindex + $BIT_MASK)) ))
363 trace "from $name --> set $(printf %x $from)"
364 trace " to $name --> and $(printf %x $from)"
366 ## Now establish the mark-from-NAME and mark-to-NAME chains.
367 clearchain mangle:mark-from-$name mangle:mark-to-$name
368 run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from
369 run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to
372 netclassindex=$(( $netclassindex + 1 ))
375 ## defiface NAME[,NAME,...] NETCLASS:NETWORK/MASK...
377 ## Declares network interfaces with the given NAMEs and associates with them
378 ## a number of reachable networks. During source classification, a packet
379 ## arriving on interface NAME from an address in NETWORK/MASK is classified
380 ## as coming from to NETCLASS. During destination classification, all
381 ## packets going to NETWORK/MASK are classified as going to NETCLASS,
382 ## regardless of interface (which is good, because the outgoing interface
383 ## hasn't been determined yet).
385 ## As a special case, the NETWORK/MASK can be the string `default', which
386 ## indicates that all addresses not matched elsewhere should be considered.
394 for name in $(echo $names | sed 'y/,/ /'); do
395 case $seen in *:"$name":*) continue ;; esac
400 clearchain mangle:in-$name
401 run ip46tables -t mangle -A in-classify -i $name -g in-$name
406 netclass=${item%:*} addr=${item#*:}
409 case "$defaultifaces,$defaultclass" in
411 defaultifaces="$defaultifaces $name"
412 defaultclass=$netclass
415 echo >&2 "$0: inconsistent default netclasses"
421 run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
423 run ip6tables -t mangle -A out-classify -g mark-to-$netclass \
425 allnets6="$allnets6 $name:$addr"
428 run iptables -t mangle -A in-$name -g mark-from-$netclass \
430 run iptables -t mangle -A out-classify -g mark-to-$netclass \
432 allnets="$allnets $name:$addr"
439 ## defvpn IFACE CLASS NET HOST:ADDR ...
441 ## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a
442 ## netfilter wildcard) then define a separate interface ROOTHOST routing to
443 ## ADDR; otherwise just write a blanket rule allowing the whole NET. All
444 ## addresses concerned are put in the named CLASS.
447 iface=$1 class=$2 net=$3; shift 3
452 name=${host%%:*} addr=${host#*:}
453 defiface $root$name $class:$addr
457 defiface $iface $class:$net
463 ###----- That's all, folks --------------------------------------------------