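#!/bin/bash
### BEGIN INIT INFO
# Provides:          init-firewall
# Required-Start:    $syslog $network
# Required-Stop:     $syslog
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: NuFace firewall script
# Description:       Firewall script created by nuface.
### END INIT INFO
#
# NuFace firewall script
# 2005-2006 INL
# chkconfig: 2345 80 30
# description: init-firewall is a script set by NuFace
#
# Usage: init-firewall start|restart|reload|force-reload|nufw|nonufw|stop [--debug]
#
# Loads the iptables rule sets generated by nuface (filter, nat, mangle)
# through iptables-restore. Before touching the running firewall the current
# rule set is saved to BACKUP_FILE; while the new configuration is being
# installed an ERR/EXIT trap restores that backup on any failure, so the host
# is never left with a half-loaded rule set.
#
# Every file sourced or fed to iptables-restore below lives under ETCDIR or
# BASEDIR and is executed/loaded as root: those directories must only be
# writable by root.

ipt="/sbin/iptables"
iptsave="/sbin/iptables-save"
iptrestore="/sbin/iptables-restore"
# nupyf is invoked with an optional --debug flag, so keep it as an array
# instead of relying on unquoted word splitting.
nupyf=(/usr/sbin/nupyf)

ETCDIR=/etc/nuface
BASEDIR=/var/lib/nuface
MODE_FILE=$BASEDIR/mode
LOCAL_RULES_D=$BASEDIR/local_rules.d
LOCAL_NAT_RULES=$BASEDIR/nat
STOP_RULES=$BASEDIR/stop_rules
BACKUP_FILE=/var/lib/nuface/backups/firewall_good_conf
MANGLE_RULES_PRE=$BASEDIR/pre-mangle
MANGLE_RULES_POST=$BASEDIR/post-mangle
MANGLE_RULES_DYN=$BASEDIR/dyn/vpn_rules
BASEDIR_DYN=$BASEDIR/dyn
# prefix of the scratch file handed to iptables-restore (see load_iptables_rules)
TMP_RULES=$BASEDIR/iptables_rules
NUFW_RULES_DIR=$BASEDIR_DYN/nufw
STD_RULES_DIR=$BASEDIR_DYN/standard
DISPATCH_RULES=dispatch_rules
DEFAULT_ESTREL_INVALID=default_estrel_invalid
DISPATCH_TARGETS=dispatch_targets
FWD_RULES=forward_rules
INPUT_RULES=input_rules
OUTPUT_RULES=output_rules
NAT_RULES=nat_rules
MANGLE_RULES=mangle_rules
L7_RULES=l7_rules
LDAP_DATA=$BASEDIR/dyn/ldap_objects
NUPYF_CONF=$ETCDIR/nupyf.conf
LOCK_FILE=/var/lock/fw-init
FAIL2BAN=/etc/init.d/fail2ban
FAIL2BAN_ENABLED=
MANAGE_NAT=1
MANAGE_FORWARD=1

# 1 while define_trap_err is in effect, 0 otherwise (see load_iptables_rules)
TRAP_ERR_ARMED=0

# Refuse to run when a generated rules file is missing: loading a partial
# rule set would leave the firewall in an undefined state.
for dir in "$NUFW_RULES_DIR" "$STD_RULES_DIR"; do
  required=("$DISPATCH_RULES" "$DEFAULT_ESTREL_INVALID" "$DISPATCH_TARGETS"
    "$FWD_RULES" "$MANGLE_RULES" "$INPUT_RULES" "$OUTPUT_RULES")
  if [ "$MANAGE_NAT" = 1 ]; then
    required+=("$NAT_RULES")
  fi
  for name in "${required[@]}"; do
    if [ ! -f "$dir/$name" ]; then
      printf "Sorry. Can't find file %s/%s\n" "$dir" "$name" >&2
      exit 1
    fi
  done
done

# Drop the lock file; ":?" aborts rather than running rm on an empty path.
remove_lock() {
  rm -f -- "${LOCK_FILE:?}"
}

# Default policy used while the new rule set is being installed, so that
# nothing is accepted between the flush and the restore.
set_policy_to_drop() {
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
}

# ERR/EXIT handler while define_trap_err is active: put back the rule set
# saved by backup_iptables and exit non-zero. The lock is released by the
# remove_lock EXIT trap that remove_trap_err re-installs.
reload_good_conf() {
  remove_trap_err
  echo "A problem occured, reloading old config" >&2
  "$iptrestore" < "$BACKUP_FILE"
  exit 1
}

# Source a shell file if it exists.
# Arguments: $1 - path of the file to source
try_run() {
  if [ -f "$1" ]; then
    . "$1"
  fi
}

# Define script behaviour on ERR/EXIT: any failure restores the backup.
define_trap_err() {
  set -e
  trap reload_good_conf ERR EXIT
  TRAP_ERR_ARMED=1
}

# Remove the special handler on ERR/EXIT; the lock must still be cleaned up
# on exit, so the plain remove_lock handler takes its place.
remove_trap_err() {
  set +e
  trap - ERR
  trap remove_lock EXIT
  TRAP_ERR_ARMED=0
}

# Flush and delete every user chain in the filter, nat and mangle tables.
reset_chains() {
  "$ipt" -F
  "$ipt" -X
  "$ipt" -t nat -F
  "$ipt" -t nat -X
  "$ipt" -t mangle -F
  "$ipt" -t mangle -X
}

# Ask nuauth to reload its periods; best effort, a missing or failing
# nuauth_command must not abort the firewall load.
reload_periods() {
  echo "Reloading periods"
  printf 'reload periods\n' | nuauth_command >/dev/null || true
}

# Ask nuauth to refresh its cache; best effort, see reload_periods.
refresh_cache() {
  echo "Refreshing cache"
  printf 'refresh cache\n' | nuauth_command >/dev/null || true
}

# Load iptables mangle rules: the pre/post files are only sourced as a pair,
# and the dynamic VPN rules only on top of them.
load_mangle() {
  if [ -f "$MANGLE_RULES_PRE" ] && [ -f "$MANGLE_RULES_POST" ]; then
    . "$MANGLE_RULES_PRE"
    . "$MANGLE_RULES_POST"
    if [ -f "$MANGLE_RULES_DYN" ]; then
      . "$MANGLE_RULES_DYN"
    fi
  fi
}

# Feed one table's rules (read from stdin, iptables-restore syntax without
# the final COMMIT) to iptables-restore. Comments and blank lines are
# stripped first. On failure the numbered rule set is printed so the
# offending line can be found, then the function exits non-zero.
# The ERR/EXIT trap is lifted around iptables-restore so the failure can be
# reported, and is re-armed only if it was armed on entry.
# Note: callers use this as the last stage of a pipeline, so it runs in a
# subshell and "exit 1" here surfaces as the pipeline's status.
load_iptables_rules() {
  local tmp exitcode was_armed=$TRAP_ERR_ARMED
  # unique scratch file: a stale file from an aborted run is never reused
  tmp=$(mktemp "$TMP_RULES.XXXXXX") || exit 1
  sed -e 's/#.*$//g;/^$/D' > "$tmp"
  printf 'COMMIT\n' >> "$tmp"
  remove_trap_err
  "$iptrestore" < "$tmp"
  exitcode=$?
  if [ "$exitcode" -ne 0 ]; then
    echo "--- iptables rules ---"
    cat -n "$tmp"
    echo "--- iptables rules ---"
  fi
  rm -f -- "$tmp"
  if [ "$was_armed" = 1 ]; then
    define_trap_err
  fi
  if [ "$exitcode" -ne 0 ]; then
    exit 1
  fi
}

# Load rules generated by nuface: filter table, then nat (if MANAGE_NAT),
# then mangle (with the layer-7 rules when present).
# Arguments: $1 - directory where the rules files have been written
# find_local_rules prints a space-separated file list, so its substitutions
# are deliberately left unquoted (local rule file names must not contain
# whitespace).
load_dyn_rules() {
  local dir=$1
  local files="$dir/$DISPATCH_RULES $dir/$INPUT_RULES $dir/$OUTPUT_RULES"
  if [ "$MANAGE_FORWARD" = 1 ]; then
    files="$files $dir/$FWD_RULES"
  fi
  echo " o dispatch and filter rules"
  # shellcheck disable=SC2046,SC2086
  (
    printf '*filter\n:FORWARD ACCEPT\n:INPUT ACCEPT\n:OUTPUT ACCEPT\n\n'
    special_reload_rules start
    cat $(find_local_rules filter) "$dir/$DISPATCH_TARGETS" \
      $(find_local_rules filter .targets) "$dir/$DEFAULT_ESTREL_INVALID" \
      $(find_local_rules filter .dispatch) $files \
      $(find_local_rules filter .post)
  ) | load_iptables_rules

  if [ "$MANAGE_NAT" = 1 ]; then
    echo " o nat rules"
    # shellcheck disable=SC2046
    (
      printf '*nat\n:PREROUTING ACCEPT\n:POSTROUTING ACCEPT\n:OUTPUT ACCEPT\n\n'
      cat $(find_local_rules nat) "$dir/$NAT_RULES" $(find_local_rules nat .post)
    ) | load_iptables_rules
  fi

  # load mangle rules
  local mangle_header='*mangle\n:PREROUTING ACCEPT\n:POSTROUTING ACCEPT\n:OUTPUT ACCEPT\n:INPUT ACCEPT\n:FORWARD ACCEPT\n'
  echo " o mangle rules"
  load_mangle
  if [ -f "$dir/$MANGLE_RULES" ]; then
    local l7=""
    if [ -f "$BASEDIR_DYN/$L7_RULES" ]; then
      l7=$BASEDIR_DYN/$L7_RULES
    fi
    # shellcheck disable=SC2046,SC2086
    (
      printf "$mangle_header"
      cat $(find_local_rules mangle) "$dir/$MANGLE_RULES" $l7 \
        $(find_local_rules mangle .post)
    ) | load_iptables_rules
  fi
}

# Find files in local_rules.d that begin with a fixed prefix and end with
# ".rules" plus an optional fixed suffix. Prints the matching paths,
# space-separated, on stdout.
# Arguments: $1 - prefix, $2 - suffix (optional)
find_local_rules() {
  local prefix=$1 suffix=$2 f
  if [ -d "$LOCAL_RULES_D" ]; then
    for f in "$LOCAL_RULES_D/$prefix"*.rules"$suffix"; do
      # an unmatched glob is left as the literal pattern: skip it
      if [ -f "$f" ]; then
        printf '%s ' "$f"
      fi
    done
  fi
}

# Special rules to keep the firewall from being open during rules reloading.
# Arguments: $1 - "start" emits -A (append) rules, anything else -D (delete)
# Outputs:   rules suitable for iptables-restore, one per line
special_reload_rules() {
  local arg
  if [ "$1" = "start" ]; then
    arg=A
  else
    arg=D
  fi
  printf -- '-%s FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$arg"
  printf -- '-%s FORWARD -j DROP\n' "$arg"
}

# Apply (or, with "stop", delete) the rules produced by special_reload_rules
# through the iptables binary.
# Arguments: $1 - passed through to special_reload_rules
exec_reload_rules() {
  local line
  special_reload_rules "$1" | while read -r line; do
    # each line is a complete iptables argument list; splitting is intended
    # shellcheck disable=SC2086
    "$ipt" $line
  done
}

# Rules loaded at stop: refuse all forwarding.
load_stop_rules() {
  "$ipt" -I FORWARD -j DROP
}

# Save the running rule set to BACKUP_FILE so reload_good_conf can restore
# it. Exits 1 if iptables-save fails or writes an empty file.
backup_iptables() {
  # load iptables module needed by iptables-save
  # (to get "/proc/net/ip_tables_names" proc entry)
  modprobe iptable_filter
  mkdir -p -- "${BACKUP_FILE%/*}"
  # save current iptables configuration
  echo "Saving current configuration as good in ${BACKUP_FILE}"
  # check if iptables-save worked correctly
  # iptables < 1.4 creates an empty file if the iptable_filter module is not loaded
  if ! "$iptsave" > "$BACKUP_FILE" || [ ! -s "$BACKUP_FILE" ]; then
    echo "ERROR: $iptsave failure" >&2
    echo "Make sure that iptables module is correctly loaded" >&2
    exit 1
  fi
}

# Take the lock atomically: noclobber makes the create fail if the file
# already exists, so two concurrent runs cannot both pass a separate
# "does it exist" check.
if ! ( set -o noclobber; : > "$LOCK_FILE" ) 2>/dev/null; then
  echo "Lock file ${LOCK_FILE} exists. Is script already running? If not, please delete lock by hand." >&2
  exit 1
fi
trap remove_lock EXIT

if [ "$2" = "--debug" ]; then
  set -x
  nupyf+=(--debug)
fi

# Get the mode
MODE=$1
if [ "$MODE" = "standard" ]; then
  # standard is an alias of nonufw mode
  MODE=nonufw
fi
case "$MODE" in
  nufw|nonufw)
    # remember the explicit mode for later start/restart/reload calls
    printf '%s\n' "$MODE" >| "$MODE_FILE"
    ;;
  start|restart|reload|force-reload)
    # Replace start|restart|reload|force-reload by nufw or nonufw
    if [ -e "$MODE_FILE" ] && grep -q nonufw "$MODE_FILE"; then
      MODE=nonufw
    else
      MODE=nufw
    fi
    ;;
esac

rc=0
case "$MODE" in
  nufw)
    backup_iptables
    define_trap_err
    set_policy_to_drop
    reset_chains
    reload_periods
    refresh_cache
    echo "Loading new firewall configuration"
    echo " o Local rules"
    load_dyn_rules "$NUFW_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    load_mangle
    remove_trap_err
    if [ -f "$LDAP_DATA" ]; then
      echo "Merging ldap with nupyf"
      define_trap_err
      "${nupyf[@]}" --config "$NUPYF_CONF" --loadldap "$LDAP_DATA"
      rm -f -- "$LDAP_DATA"
    fi
    exec_reload_rules stop
    echo "Enable IPv4 forward"
    echo 1 >| /proc/sys/net/ipv4/ip_forward
    ;;
  stop)
    echo "Loading stopped configuration"
    reset_chains
    echo " o Local rules"
    # do not load forward or nat rules
    MANAGE_FORWARD=0
    MANAGE_NAT=0
    load_dyn_rules "$STD_RULES_DIR"
    exec_reload_rules stop
    load_stop_rules
    if [ -f "$STOP_RULES" ]; then
      echo " o Stop Rules"
      . "$STOP_RULES"
      exec_reload_rules stop
    fi
    ;;
  nonufw)
    backup_iptables
    define_trap_err
    set_policy_to_drop
    reset_chains
    echo 'Loading non-authenticating firewall configuration'
    echo " o Local rules"
    load_dyn_rules "$STD_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    exec_reload_rules stop
    echo "Enable IPv4 forward"
    echo 1 >| /proc/sys/net/ipv4/ip_forward
    ;;
  *)
    echo "Usage: $0 start|restart|reload|force-reload|nufw|nonufw|stop" >&2
    # LSB: invalid or excess arguments
    rc=2
    ;;
esac

if [ "x$FAIL2BAN_ENABLED" = "x1" ] && [ -x "$FAIL2BAN" ]; then
  "$FAIL2BAN" restart
fi

remove_trap_err
# the remove_lock EXIT trap releases the lock
exit "$rc"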