3 ### Utility functions for firewall scripts
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 ###--------------------------------------------------------------------------
26 ### Utility functions.
28 ## doit COMMAND ARGS...
30 ## If debugging, print the COMMAND and ARGS. If serious, execute them.
33 if [ "$FW_DEBUG" ]; then echo "* $*"; fi
34 if ! [ "$FW_NOACT" ]; then "$@"; fi
39 ## If debugging, print the MESSAGE.
42 if [ "$FW_DEBUG" ]; then echo "$*"; fi
45 ## defport NAME NUMBER
47 ## Define $port_NAME to be NUMBER.
50 eval port_$name=$number
54 ###--------------------------------------------------------------------------
55 ### Basic chain constructions.
57 ## clearchain CHAIN CHAIN ...
59 ## Ensure that the named chains exist and are empty.
64 *:*) table=${chain%:*} chain=${chain#*:} ;;
67 run iptables -t $table -N $chain
71 ## errorchain CHAIN ACTION ARGS ...
73 ## Make a chain which logs a message and then invokes some other action,
74 ## typically REJECT. Log messages are prefixed by `fw: CHAIN'.
79 *:*) table=${chain%:*} chain=${chain#*:} ;;
82 clearchain $table:$chain
83 run iptables -t $table -A $chain -j LOG \
84 -m limit --limit 3/minute --limit-burst 10 \
85 --log-prefix "fw: $chain " --log-level notice
86 run iptables -t $table -A $chain -j "$@"
90 ###--------------------------------------------------------------------------
91 ### Basic option setting.
93 ## setopt OPTION VALUE
99 run sysctl -q net/ipv4/$opt="$val"
102 ## setdevopt OPTION VALUE
104 ## Set an IP interface-level sysctl.
107 opt=$1; shift; val=$*
108 for i in /proc/sys/net/ipv4/conf/*; do
110 run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val"
115 ###--------------------------------------------------------------------------
116 ### Packet filter construction.
120 ## Add connection tracking to CHAIN, and allow obvious stuff.
124 run iptables -A $chain -p tcp -m state \
125 --state ESTABLISHED,RELATED -j ACCEPT
126 run iptables -A $chain -p tcp ! --syn -g bad-tcp
129 ## allowservices CHAIN PROTO SERVICE ...
131 ## Add rules to allow the SERVICES on the CHAIN.
134 chain=$1 proto=$2; shift 2
141 left=${svc%:*} right=${svc#*:}
142 case $left in *[!0-9]*) eval left=\$port_$left ;; esac
143 case $right in *[!0-9]*) eval right=\$port_$right ;; esac
148 case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
152 *: | :* | "" | *[!0-9:]*)
153 echo >&2 "Bad service name"
157 count=$(( $count + $n ))
158 if [ $count -gt 15 ]; then
159 run iptables -A $chain -p $proto -m multiport -j ACCEPT \
160 --destination-ports ${list#,}
169 run iptables -A $chain -p $proto -m multiport -j ACCEPT \
170 --destination-ports ${list#,}
173 run iptables -A $chain -p $proto -j ACCEPT \
174 --destination-port ${list#,}
179 ## ntpclient CHAIN NTPSERVER ...
181 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
186 run iptables -A $chain -s $ntp -j ACCEPT \
187 -p udp --source-port 123 --destination-port 123
193 ## Add rules to allow CHAIN to be a DNS resolver.
198 run iptables -A $chain -j ACCEPT \
199 -m state --state ESTABLISHED \
200 -p $p --source-port 53
204 ## openports CHAIN [MIN MAX]
206 ## Add rules to CHAIN to allow the open ports.
210 [ $# -eq 0 ] && set -- $open_port_min $open_port_max
211 run iptables -A $chain -p tcp -g interesting --destination-port $1:$2
212 run iptables -A $chain -p udp -g interesting --destination-port $1:$2
216 ###--------------------------------------------------------------------------
217 ### Packet classification.
219 ## defbitfield NAME WIDTH
221 ## Defines MASK_NAME and BIT_NAME symbolic constants for dealing with
222 ## bitfields: x << BIT_NAME yields the value x in the correct position, and
223 ## ff & MASK_NAME extracts the corresponding value.
227 eval MASK_$name=$(( (1 << $width) - 1 << $bitindex ))
228 eval BIT_$name=$bitindex
229 bitindex=$(( $bitindex + $width ))
232 ## Define the layout of the bitfield.
238 ## defnetclass NAME FORWARD-TO...
240 ## Defines a netclass called NAME, which is allowed to forward to the
241 ## FORWARD-TO netclasses.
243 ## For each netclass, constants from_NAME and to_NAME are defined as the
244 ## appropriate values in the FROM and TO fields (i.e., not including any mask
247 ## This function also establishes mangle chains mark-from-NAME and
248 ## mark-to-NAME for applying the appropriate mark bits to the packet.
250 ## Because it needs to resolve forward references, netclasses must be defined
251 ## in a two-pass manner, using a loop of the form
253 ## for pass in 1 2; do netclassindex=0; ...; done
261 ## Pass 1. Establish the from_NAME and to_NAME constants, and the
262 ## netclass's mask bit.
263 eval from_$name=$(( $netclassindex << $BIT_FROM ))
264 eval to_$name=$(( $netclassindex << $BIT_TO ))
265 eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
270 ## Pass 2. Compute the actual from and to values. We're a little bit
271 ## clever during source classification, and set the TO field to
272 ## all-bits-one, so that destination classification needs only a single
274 from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
276 eval bit=\$_mask_$net
277 from=$(( $from + $bit ))
279 to=$(( ($netclassindex << $BIT_TO) + \
280 (0xf << $BIT_FROM) + \
281 (1 << ($netclassindex + $BIT_MASK)) ))
282 trace "from $name --> set $(printf %x $from)"
283 trace " to $name --> and $(printf %x $from)"
285 ## Now establish the mark-from-NAME and mark-to-NAME chains.
286 clearchain mangle:mark-from-$name mangle:mark-to-$name
287 run iptables -t mangle -A mark-from-$name -j MARK --set-mark $from
288 run iptables -t mangle -A mark-to-$name -j MARK --and-mark $to
291 netclassindex=$(( $netclassindex + 1 ))
294 ## defiface NAME NETCLASS:NETWORK/MASK...
296 ## Declares a network interface NAME and associates with it a number of
297 ## reachable networks. During source classification, a packet arriving on
298 ## interface NAME from an address in NETWORK/MASK is classified as coming
299 ## from to NETCLASS. During destination classification, all packets going to
300 ## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
301 ## (which is good, because the outgoing interface hasn't been determined
304 ## As a special case, the NETWORK/MASK can be the string `default', which
305 ## indicates that all addresses not matched elsewhere should be considered.
315 clearchain mangle:in-$name
316 run iptables -t mangle -A in-classify -i $name -g in-$name
321 netclass=${item%:*} addr=${item#*:}
325 defaultclass=$netclass
326 run iptables -t mangle -A out-classify -g mark-to-$netclass
329 run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass
330 run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass
331 allnets="$allnets $name:$addr"
337 ## defvpn IFACE CLASS NET HOST:ADDR ...
339 ## Defines a VPN interface. If the interface has the form `ROOT+' (i.e., a
340 ## netfilter wildcard) then define a separate interface ROOTHOST routing to
341 ## ADDR; otherwise just write a blanket rule allowing the whole NET. All
342 ## addresses concerned are put in the named CLASS.
345 iface=$1 class=$2 net=$3; shift 3
350 name=${host%:*} addr=${host#*:}
351 defiface $root$name $class:$addr
355 defiface $iface $class:$net
361 ###----- That's all, folks --------------------------------------------------