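#! /bin/bash
###############################################################################
####
### DO NOT EDIT THIS FILE!
## This file is managed by cfengine; any manual changes will be overridden
#
# Rule-generation library for iptables-restore.
#
# `start "$1"` at the bottom creates a scratch directory and arms an EXIT
# trap; the functions below (selectTable, addChain, add, insert, add-dst, ...)
# append rule lines into that directory; when the shell exits, `commit`
# renders every table into one iptables-restore file and loads it in a single
# step.  If loading fails the rendered file is kept at /var/run/firewall.bad
# and _exec_fallback hands over to enableFallback, which is NOT defined in
# this file (presumably supplied by the rule file that sources this one).
#
# Environment (all optional):
#   IPTABLES, IPTABLES_RESTORE  binaries (may carry flags; expanded unquoted)
#   IS_IPV4, IS_IPV6            commands run for their exit status ("true" /
#                               "false") to pick the REJECT variants emitted
#                               by addDefaultChains
#   DEFAULT_TARGET              target words used by add-dst when no -j/-g
#                               is given (default: "-j ACCEPT")
#
# Globals written here: W (scratch dir), current_table, current_chain,
# log_uid, common, _firewall_output.

: "${IPTABLES:=iptables}"
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${IS_IPV4:=false}"
: "${IS_IPV6:=false}"
IPTABLES_FLAGS=''
current_table=''
current_chain=''

#######################################
# Remove the scratch directory and disarm the EXIT trap so that commit
# cannot run a second time.
# Globals: W (read, then cleared)
#######################################
function _cleanup {
  # The original removed "$workdir", a variable that is never set, so the
  # mktemp directory was always left behind; "$W" is the scratch directory.
  if test -n "$W" && test -d "$W"; then
    rm -rf -- "$W"
  fi
  W=
  trap "" EXIT
}

#######################################
# Write a message to the kernel log at the given priority.
# Arguments: $1 - syslog priority, $2.. - message
# Silently does nothing when /dev/kmsg is not writable.
#######################################
function _klog {
  local level=$1
  shift
  printf '<%s>%s\n' "$level" "$*" > /dev/kmsg 2>/dev/null || :
}

# Debug-level kernel log line.
function log {
  _klog 7 "$@"
}

#######################################
# Report a fatal error on stderr and in the kernel log, then exit 1.
# NOTE(review): the EXIT trap armed by start is still active, so commit
# is attempted with whatever rules were generated up to this point;
# confirm that loading such a partial rule set is intended.
#######################################
function panic {
  _klog 4 "$@"
  printf '*** %s\n' "$*" >&2
  exit 1
}

# Non-fatal warning on stderr and in the kernel log.
function warning {
  _klog 4 "$@"
  printf '*** %s\n' "$*" >&2
}

#######################################
# Print the arguments separated by spaces in iptables-restore syntax.
# Arguments: $1 - string printed before the first word, $2.. - words
# Words made only of [-_a-zA-Z0-9+:/=.,!\[\]] are printed verbatim; any
# other word is wrapped in double quotes with '\' and '"' escaped.
# Outputs: the quoted line WITHOUT a trailing newline.
#######################################
function quote {
  local delim=$1
  shift
  local word
  for word; do
    printf '%s' "$delim"
    delim=' '
    if test x"${word//[-_a-zA-Z0-9+:\/=.,\!\[\]]/}" = x; then
      # printf instead of an unquoted `echo -n $word`: the allowed set
      # includes [ and ], so a value like [0:0] could otherwise be globbed
      # against the current directory.
      printf '%s' "$word"
      continue
    fi
    word=${word//\\/\\\\}
    # Escape embedded double quotes (the original pattern was effectively
    # a no-op, leaving quotes unescaped inside the quoted word).
    word=${word//\"/\\\"}
    printf '"%s"' "$word"
  done
}

# quote with no leading delimiter, followed by a newline.
function emit {
  quote '' "$@"
  printf '\n'
}

#######################################
# Create the scratch directory, select the filter table and arm the EXIT
# trap that commits the generated rules.
# Arguments: $1 - optional path where the final restore file is copied
# Globals: W, _firewall_output (written)
#######################################
function start {
  W=$(mktemp -d -t firwall.XXXXXX) || panic "failed to create workdir"
  printf '## Generation started at %s\n' "$(LANG=C date)" > "$W/header"
  selectTable filter
  _firewall_output=$1
  if test -e "$_firewall_output"; then
    rm -f -- "$_firewall_output"
  fi
  # The path is read from a global when the trap fires; embedding "$1"
  # in the trap string would let a path containing quotes or $ alter the
  # command that runs at exit.
  trap 'commit "$_firewall_output"' EXIT
}

#######################################
# Render one table (*name, policies, chains, rules, COMMIT) to stdout.
# Arguments: $1 - table name
# Each table is rendered at most once; a ".commited" marker in its
# directory records that it was already written.
#######################################
function commit_table {
  local d=$W/tables/$1
  # `return` rather than `continue`: this is a function, not a loop body.
  test -d "$d" || return 0
  ! test -e "$d/.commited" || return 0
  touch "$d/.commited"
  local f
  quote "*" "$1"
  printf '\n'
  f="$d/policies"
  if test -e "$f"; then
    sort -u "$f" | sed 's/^/:/'
  fi
  f="$d/chains"
  if test -e "$f"; then
    sort -u "$f" | sed 's/^/:/'
  fi
  f="$d/rules"
  if test -e "$f"; then
    cat "$f"
  fi
  echo COMMIT
}

#######################################
# Render the whole restore file: header, the well-known tables in a fixed
# order, then any other table directory, then a footer.
#######################################
function _commit {
  local i t
  cat "$W/header"
  for i in raw mangle nat filter; do
    commit_table "$i"
  done
  for t in "$W"/tables/*; do
    commit_table "${t##*/}"
  done
  printf '## finished at %s\n' "$(LANG=C date)"
}

#######################################
# Loading the rule set failed: flush every table that was generated,
# drop the scratch directory and hand over to enableFallback.  Never
# returns (exits 1).
# execw and selectTable are redefined first, presumably for use by
# enableFallback.
#######################################
function _exec_fallback {
  function execw {
    $IPTABLES "$@" || \
      warning "fallback: failed to execute $*"
  }
  function selectTable {
    case x$1 in
      x|xfilter) ;;
      *) warning "fallback: selecting non filter table not supported" ;;
    esac
    : # noop
  }
  warning "installing fallback rules"
  local t n
  for t in "$W"/tables/*; do
    n=${t##*/}
    # -F/-X remove rules and user chains only; built-in chain policies
    # are left as they were, so enableFallback has to cover them.
    execw -t "$n" -F
    execw -t "$n" -X
  done
  _cleanup
  enableFallback
  exit 1
}

#######################################
# Render and load the generated rules.
# Arguments: $1 - optional path that receives a copy of the restore file
# On load failure the file is kept at /var/run/firewall.bad and
# _exec_fallback takes over (it does not return).
#######################################
function commit {
  _commit > "$W/firewall.xml"
  log "starting to commit iptables rules"
  if ! $IPTABLES_RESTORE "$W/firewall.xml"; then
    warning "failed to commit rules"
    rm -f /var/run/firewall.bad
    cp -- "$W/firewall.xml" /var/run/firewall.bad
    _exec_fallback
  fi
  log "commited iptables rules"
  if test "$#" -ge 1 && test -n "$1"; then
    cp -- "$W/firewall.xml" "$1"
  fi
  # Always remove the scratch directory; the original returned before
  # cleaning up whenever no output path was given.
  _cleanup
}

# Obsolete; kept so old rule files keep working.
function flushAll {
  :
  printf '%s\n' "WARNING: obsolete 'flushAll' called" >&2
}

# Make $1 the chain that add/insert/setPolicy operate on.
function selectChain {
  current_chain=$1
}

# Declare a user chain in the current table and select it.
function addChain {
  selectChain "$1"
  emit "$1" "-" "[0:0]" >> "$W/t/chains"
}

#######################################
# Make $1 the current table, creating its directory and pointing the
# "$W/t" symlink at it.
#######################################
function selectTable {
  current_table=$1
  mkdir -p "$W/tables/$1"
  rm -f "$W/t"
  ln -s "tables/$1" "$W/t"
}

# Set the policy ($1) of the currently selected chain.
function setPolicy {
  # Same guard as add/insert: without a chain the line would render as
  # ": POLICY [0:0]", which iptables-restore rejects at commit time.
  test -n "$current_chain" || panic 'No chain selected; aborting'
  emit "$current_chain" "$1" "[0:0]" >> "$W/t/policies"
}

# Append a rule (-A) to the current chain; arguments are the rule words.
function add {
  test -n "$current_chain" || panic 'No chain selected; aborting'
  emit -A "$current_chain" "$@" >> "$W/t/rules"
}

# Insert a rule (-I) at the top of the current chain.
function insert {
  test -n "$current_chain" || panic 'No chain selected; aborting'
  emit -I "$current_chain" "$@" >> "$W/t/rules"
}

#######################################
# Obsolete: add one rule per remaining argument, each followed by $1.
# Arguments are deliberately left unquoted so that multi-word entries
# are split into separate rule words.
#######################################
function addMany {
  printf '%s\n' "WARNING: Using obsolete addMany rule: $*!" >&2
  common=$1
  while test $# -ge 2; do
    shift
    add $1 $common
  done
}

#######################################
# Add one rule per remaining argument, each prefixed with $1.
# `common` stays global as in the original; $common and $1 are word-split
# on purpose.
#######################################
function add-many {
  common=$1
  shift
  while test $# -ge 1; do
    add $common $1
    shift
  done
}

#######################################
# Add a destination rule.
# Arguments: [-j|-g TARGET] DEST PROTO PORT [extra rule words...]
#   DEST  "ALL" means 0.0.0.0/0 (NOTE(review): the IPv4 any-address is
#         used even when the rules are generated for IPv6 — confirm)
#   PROTO "ALL" means no -p match
#   PORT  "0" means no --dport match
# Without -j/-g the target comes from DEFAULT_TARGET (default -j ACCEPT).
#######################################
function add-dst {
  local target
  case $1 in
    -[jg]) target="$1 $2"; shift 2 ;;
    *) target="${DEFAULT_TARGET:--j ACCEPT}" ;;
  esac
  test $# -ge 3 || panic "add-dst: expected DEST PROTO PORT, got: $*"
  local dest=$1 proto=$2 port=$3
  shift 3
  case $dest in
    ALL) dest=0.0.0.0/0 ;;
    *) ;;
  esac
  local -a proto_opt=() port_opt=()
  case $proto in
    ALL) ;;
    *) proto_opt=(-p "$proto") ;;
  esac
  case $port in
    0) ;;
    *) port_opt=(--dport "$port") ;;
  esac
  # $target is intentionally unquoted: "-j NAME" (or a multi-word
  # DEFAULT_TARGET) must be split into separate rule words.
  add "${proto_opt[@]}" -d "$dest" "${port_opt[@]}" "$@" $target
}

# add-dst for each argument; each argument is word-split into the
# add-dst parameters on purpose.
function add-dst-vec {
  local entry
  for entry; do
    add-dst $entry
  done
}

#######################################
# Add a source/MAC consistency rule.
# Arguments: SRC [!] MAC [rule words...]  ("! MAC" or "!MAC" negates)
# Without extra rule words the rule targets -j RETURN.
#######################################
function add-mac-spoof {
  local src=$1
  local -a mac
  shift
  case "$1" in
    (!)  mac=( ! --mac-source "$2" ); shift 2 ;;
    (!*) mac=( ! --mac-source "${1##\!}" ); shift ;;
    (*)  mac=( --mac-source "$1" ); shift ;;
  esac
  test $# -gt 0 || set -- -j RETURN
  add -s "$src" -m mac "${mac[@]}" "$@"
}

# add-mac-spoof for each argument (word-split on purpose).
function add-mac-spoof-vec {
  local entry
  for entry; do
    add-mac-spoof $entry
  done
}

#######################################
# Add a MAC-based block rule.
# Arguments: IGNORED [!] MAC [rule words...]
# NOTE(review): the first argument is discarded by the leading shift,
# mirroring add-mac-spoof's SRC parameter; callers appear to pass a
# leading placeholder — confirm before changing.
# Without extra rule words the rule targets -g .ldrop.
#######################################
function add-mac-block {
  local -a mac
  shift
  case "$1" in
    (!)  mac=( ! --mac-source "$2" ); shift 2 ;;
    (!*) mac=( ! --mac-source "${1##\!}" ); shift ;;
    (*)  mac=( --mac-source "$1" ); shift ;;
  esac
  test $# -gt 0 || set -- -g .ldrop
  add -m mac "${mac[@]}" "$@"
}

# add-mac-block for each argument (word-split on purpose).
function add-mac-block-vec {
  local entry
  for entry; do
    add-mac-block $entry
  done
}

#######################################
# Append the rate-limited LOG rule shared by the default chains.
# Arguments: $1 - log prefix
# Globals: log_uid (read; intentionally unquoted, it is empty or --log-uid)
#######################################
function _addLogRule {
  add -j LOG -m limit --limit 1/s --log-prefix "$1" \
    --log-tcp-sequence --log-tcp-options --log-ip-options $log_uid --log-level 6
}

#######################################
# Create the standard helper chains in the current table:
#   .drop .ldrop .watch           (all tables)
#   .hide .lhide .lreject         (filter table only)
# Arguments: $1 - prefix inserted into every log prefix
# Globals: log_uid (written)
#######################################
function addDefaultChains {
  # do not make log_uid local; it might be used outside
  # --log-uid is not used on 2.6.9 kernels.
  case $(uname -r) in
    2.6.9-*) log_uid= ;;
    *) log_uid=--log-uid ;;
  esac

  addChain .drop
  add -j DROP

  addChain .ldrop
  _addLogRule "[${1}drop] "
  add -j DROP

  if test -z "$current_table" || test x"$current_table" = x"filter"; then
    addChain .hide
    add -j REJECT -p tcp --reject-with tcp-reset
    # IS_IPV4 / IS_IPV6 are run as commands and gate the ICMP variants.
    $IS_IPV4 && add -j REJECT -p icmp --reject-with icmp-host-unreachable
    $IS_IPV6 && add -j REJECT -p icmp --reject-with icmp6-addr-unreachable
    add -j REJECT

    addChain .lhide
    _addLogRule "[${1}hide] "
    add -g .hide

    addChain .lreject
    _addLogRule "[${1}reject] "
    add -j REJECT
  fi

  addChain .watch
  _addLogRule "[${1}watch] "
  add -j ACCEPT
}

start "$1"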