firewall ipchains

[Andrzej Krzysztofowicz]

Wkurzyl mnie dzisiaj w koncu malo elastyczny parser konfiguracji firewalla w
RA. Jesli krtos ma ochote potestowac, to dolaczam wersje z lekka rozbudowana.
Glowne jej "ficzery", to:

- akceptowanie "any" jako protokolu
- mozliwosc dopisywania wykrzyknikow przy wszystkich polach zezwalajacych na
  to bez koniecznosci cytowania nastepujacych po nich spacji / tabulacji
- tolerowanie pominiecia pola "port" (zrodlowy / docelowy) w niektorych
  sytuacjach, gdy nie rodzi to niejednoznacznosci.

Komentarze i testetowanie mile widziane.

===============================================================
#!/bin/sh
#
# firewall	This script sets up firewall/masquerade/accounting
#
# chkconfig: 345 09 98
# description: Firewall-init is meant to provide an easy to use
#              interface to start and stopping the kernel IP packet
#              filters and accounting through ipchains(8).
# config: /etc/sysconfig/firewall
# config: /etc/sysconfig/firewall-rules/forward
# config: /etc/sysconfig/firewall-rules/input
# config: /etc/sysconfig/firewall-rules/output

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

. /etc/sysconfig/firewall

[ ${FIREWALL} = 'no' ] && exit 0

[ -f /sbin/ipchains ] || exit 0

syntax_error ()
{
	echo $2: "$(nls "$1")"
	echo "$3"
}

ipv4_forward_set ()
{
	# Turn IP forwarding on or off. We do this before bringing up the
	# interfaces to make sure we don't forward when we shouldn't, and
	# we do it even if networking isn't configured (why not?).
	if [ -d /proc/sys/net/ipv4 ]; then
		value=$1
		if [ $value != 1 ]; then
			value=0
			message="Disabling IPv4 packet forwarding"
		else
			value=1
			message="Enabling IPv4 packet forwarding"
		fi
		show "$message"
		busy
		if [ ! -f /proc/sys/net/ipv4/ip_forward ] ; then
			deltext
			fail
			exit 1
		else
			echo "$value" > /proc/sys/net/ipv4/ip_forward
			deltext
			ok
		fi
	fi
}

ipv4_spoof_protection ()
{
	# This is the best method: turn on Source Address Verification and get
	# spoof protection on all current and future interfaces.
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
		show "Setting up IP spoofing protection"
		busy
		for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
			echo 1 > $f
		done
		deltext
		ok
	else
		deltext
		fail
		echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED!"
	fi
}

# See how we were called.
case "$1" in
  start)
  	ipv4_forward_set 1
	ipv4_spoof_protection

	show "Starting firewall"
	busy

	rm -f /tmp/.firewall

	cd /etc/sysconfig/firewall-rules
	FILES=''
	if [ ${FIREWALL} = 'yes' ]; then
		FILES="input output forward"
		
		/sbin/ipchains -F
		/sbin/ipchains -X
		
		/sbin/ipchains -P input ${INPUT}
		/sbin/ipchains -P output ${OUTPUT}
		/sbin/ipchains -P forward ${FORWARD}
	fi

	for CHAIN in ${FILES}; do
	    if [ -s ${CHAIN} ]; then
		grep -v '^#' ${CHAIN} | grep -v '^$' | \
		while read LINE; do
		#POLICY PROTO SADDR SPORT DADDR DPORT IFACE OPTIONS
		    LINE2=`echo $LINE`
		    POLICY=${LINE2%% *}
		    LINE2=${LINE2#$POLICY}; LINE2=${LINE2# }
		    case "${POLICY}" in
		      [Nn][Oo][Nn][Ee])
			    POLICY=''
			    ;;
		      *)
		     	    POLICY="-j ${POLICY}"
			    ;;
		    esac
		    PROTO=${LINE2%% *}
		    LINE2=${LINE2#$PROTO}; LINE2=${LINE2# }
		    case "${PROTO}" in
		      [Aa][Nn][Yy])
			    PROTO=''
			    ;;
		      !)
			    PROTO2=${LINE2%% *}
			    LINE2=${LINE2#$PROTO2}; LINE2=${LINE2# }
			    PROTO="-p ! ${PROTO2}"
			    ;;
		      *)
			    PROTO="-p ${PROTO}"
		    esac
		    SADDR=${LINE2%% *}
		    LINE2=${LINE2#$SADDR}; LINE2=${LINE2# }
		    case "${SADDR}" in
		      !)
			    SADDR2=${LINE2%% *}
			    LINE2=${LINE2#$SADDR2}; LINE2=${LINE2# }
			    SADDR="! ${SADDR2}"
			    ;;
		    esac
		    SPORT=${LINE2%% *}
		    LINE2=${LINE2#$SPORT}; LINE2=${LINE2# }
		    DADDR=''
		    case "${SPORT}" in
		      0:65535|[Aa][Nn][Yy])
			    SPORT=''
			    ;;
		      */*|*.*.*.*)
			    DADDR="${SPORT}"
			    SPORT=''
			    ;;
		      !)
			    SPORT2=${LINE2%% *}
			    LINE2=${LINE2#$SPORT2}; LINE2=${LINE2# }
			    case "${SPORT2}" in
			      */*|*.*.*.*)
				    DADDR="! ${SPORT2}"
				    SPORT=''
				    ;;
			      *)
				    if [ -z "$PROTO" ]; then
					syntax_error "Source port is illegal in line:" "$CHAIN" "$LINE"
				    else
					SPORT="! ${SPORT2}"
				    fi
			    esac
			    ;;
		      *)
			    if [ -z "$PROTO" ]; then
				syntax_error "Source port is illegal in line:" "$CHAIN" "$LINE"
			    fi
		    esac
		    if [ -z "${DADDR}" ]; then
			DADDR=${LINE2%% *}
			LINE2=${LINE2#$DADDR}; LINE2=${LINE2# }
		    fi
		    case "${DADDR}" in
		      !)
			    DADDR2=${LINE2%% *}
			    LINE2=${LINE2#$DADDR2}; LINE2=${LINE2# }
			    DADDR="! ${DADDR2}"
			    ;;
		    esac
		    DPORT=${LINE2%% *}
		    LINE2=${LINE2#$DPORT}; LINE2=${LINE2# }
		    IFACE=''
		    case "${DPORT}" in
		      0:65535|[Aa][Nn][Yy])
			    DPORT=''
			    ;;
		      eth[+0-9]*|lo|ppp[+0-9]*|tunl[+0-9]*)
			    IFACE="${DPORT}"
			    DPORT=''
			    ;;
		      !)
			    DPORT2=${LINE2%% *}
			    LINE2=${LINE2#$DPORT2}; LINE2=${LINE2# }
			    case "${DPORT2}" in
			      eth[+0-9]*|lo|ppp[+0-9]*|tunl[+0-9]*)
				    IFACE="! ${DPORT2}"
				    DPORT=''
				    ;;
			      *)
				    if [ -z "$PROTO" ]; then
					syntax_error "Destination port is illegal in line:" "$CHAIN" "$LINE"
				    else
					DPORT="! ${DPORT2}"
				    fi
			    esac
			    ;;
		      *)
			    if [ -z "$PROTO" ]; then
				syntax_error "Destination port is illegal in line:" "$CHAIN" "$LINE"
			    fi
		    esac
		    if [ -z "${IFACE}" ]; then
			IFACE=${LINE2%% *}
			LINE2=${LINE2#$IFACE}; LINE2=${LINE2# }
		    fi
		    case "${IFACE}" in
		      [Aa][Nn][Yy])
			    IFACE=''
			    ;;
		      !)
			    IFACE2=${LINE2%% *}
			    LINE2=${LINE2#$IFACE2}; LINE2=${LINE2# }
			    IFACE="-i ! ${IFACE2}"
			    ;;
		      *)
			    IFACE="-i ${IFACE}"
			    ;;
		    esac
		    OPTIONS=$LINE2
		    /sbin/ipchains -A ${CHAIN} ${PROTO} ${IFACE} \
		    		-s ${SADDR} ${SPORT} -d ${DADDR} ${DPORT} ${POLICY} ${OPTIONS} 2>> /tmp/.firewall
		done
	    fi
	done
	
	for MODNAME in ${MASQ_MODS}; do
	    insmod ${MODNAME} > /dev/null 2> /dev/null
	done
	
	if [ -s /tmp/.firewall ]; then
	    grep -v '^Try' < /tmp/.firewall | logger -t 'firewall' -p user.notice
	    deltext
	    fail
	    echo $(nls 'PROBLEMS SETTING UP FIREWALL.  CHECK /var/log/messages!')
	else
	    deltext
	    ok
	fi
	;;
  stop)
  	ipv4_forward_set 0
	show "Shutting down firewall"
	/sbin/ipchains -P input ACCEPT
	/sbin/ipchains -P output ACCEPT
	/sbin/ipchains -P forward ACCEPT

	/sbin/ipchains -F
	/sbin/ipchains -X

	for MODNAME in ${MASQ_MODS}; do
	    rmmod ${MODNAME} > /dev/null 2> /dev/null
	done

	deltext
	ok
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	/sbin/ipchains -L -n
	;;
  extstatus)
	/sbin/ipchains -L -n -v
	;;
  masqstatus)
	/sbin/ipchains -L -M -n
	;;
  masqextstatus)
	/sbin/ipchains -L -M -n -v
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status|extstatus|masqstatus|masqextstatus}"
	exit 1
esac

exit 0
===============================================================

-- 
=======================================================================
  Andrzej M. Krzysztofowicz               ankry w mif.pg.gda.pl
  phone (48)(58) 347 14 61
Faculty of Applied Phys. & Math.,   Gdansk University of Technology