dirwall-0.10/0040755000175000001450000000000010066726674012433 5ustar tkoodatkoodadirwall-0.10/etc/0040755000175000001450000000000010066704673013201 5ustar tkoodatkoodadirwall-0.10/etc/init.d/0040755000175000001450000000000010066720724014361 5ustar tkoodatkoodadirwall-0.10/etc/init.d/dirwall0100755000175000001450000002300610066720667015751 0ustar tkoodatkooda#!/bin/bash ## dirwall : a linux iptables firewall script ## tkooda : 2004-06-24 : v0.10 : cleaned up for release ## INFO: ## ## I wrote this because I wanted to have the ability to have useful ## iptables rules described in a concice and (hopefully) sane format. ## I separated the rules from the script logic to make it easier to ## update the script without touching the actual rules. This also ## makes it easy for other packages to manage the rules. ## RULE SYNTAX: ## ## rule = [ hostlist ] [ ">" hostlist ] [ "<" proto ] [ "=" extra ] ## hostlist = [ host [ "," host [...] ] ] [ ":" portlist ] ## host = [ [ ip [ "/" mask ] ] ## ip = ( ipv4 dotted decimal address | dns host address ) ## mask = ( ipv4 dotted decimal bitmask | integer bitmask ) ## portlist = [ portrange [ "," portrange [...] ] ] ## portrange = [ port [ "-" port ] ] ## port = ( ipv4 port integer ) ## proto = "tcp" | "udp" | "icmp" | "all" | ( other from /etc/protocols ) ## extra = [ host ] ## NOTES: ## ## - rule files can have multiple rules. ## - rule files named '*~' will be ignored. ## - rule file comments may begin anywhere with a '#'. ## - not all rules that can be represented by the rule syntax ## are considered to be valid iptables rules. ## - FORWARD rules use the 1st host:port for the initial destination, ## and the 2nd host:port for the final destination. ## - FORWARD rules just use the same port as the 1st port for the ## 2nd port if the 2nd port is omitted. ## - FORWARD only works with tcp/udp ## - NAT rules may require the extra field to be set to the (local nics) ## gateway ip/mask ("10.0.0.1/24") so that int->ext->int works. 
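## TODO:
##  - don't print chain name if rule files have no rules (i.e. commented out)

## setup..
# Everything lives under /etc/dirwall: config/* holds one setting per file,
# scripts/* holds the hook scripts, and the upper-case dirs hold rule files
# (one dir per chain, see RULE SYNTAX above).
DIRWALL="/etc/dirwall"
CONFIG_DATA="$DIRWALL/config"
CONFIG_SCRIPTS="$DIRWALL/scripts"
CONFIG_ACCEPT="$DIRWALL/ACCEPT"
CONFIG_FORWARD="$DIRWALL/FORWARD"
CONFIG_MASQ="$DIRWALL/MASQ"
CONFIG_NAT="$DIRWALL/NAT"
CONFIG_NOLOG="$DIRWALL/NOLOG"

## setup global functions..

# bail MESSAGE : print MESSAGE and exit 1.
function bail { echo "$1"; exit 1; }

# get_token FILE : print the first whitespace-delimited word of the first
# non-blank line of FILE after stripping '#' comments. Prints nothing when FILE
# is missing or contains only comments/blank lines (stderr is discarded).
function get_token {
  echo "$(cut -d'#' -f1 "$1" 2>/dev/null | grep '\w' | head -1 | awk '{print $1}')"
}

# get_tokens FILE : print every non-blank line of FILE after stripping '#'
# comments, one per line (callers word-split the result, so a line with
# spaces yields several tokens).
function get_tokens {
  echo "$(cut -d'#' -f1 "$1" 2>/dev/null | grep '\w')"
}

## dependency checks..
[ -x "$(command -v perl)" ] || bail "Error: perl not found"
[ -d "$CONFIG_DATA" ] || bail "Error: $CONFIG_DATA dir not found"
[ -d "$CONFIG_SCRIPTS" ] || bail "Error: $CONFIG_SCRIPTS dir not found"

## read local config data..
VERBOSE="$(get_token "$CONFIG_DATA/VERBOSE")"
DEBUG="$(get_token "$CONFIG_DATA/DEBUG")"
LOG="$(get_token "$CONFIG_DATA/LOG")"
LOG_FLOOD="$(get_token "$CONFIG_DATA/LOG_FLOOD")"
LOG_LEVEL="$(get_token "$CONFIG_DATA/LOG_LEVEL")"
ALLOW_ICMP="$(get_tokens "$CONFIG_DATA/ALLOW_ICMP")"
POLICY_INPUT="$(get_token "$CONFIG_DATA/POLICY_INPUT")"
POLICY_FORWARD="$(get_token "$CONFIG_DATA/POLICY_FORWARD")"
POLICY_OUTPUT="$(get_token "$CONFIG_DATA/POLICY_OUTPUT")"
RPFILTER="$(get_token "$CONFIG_DATA/RPFILTER")"
FORWARD="$(get_token "$CONFIG_DATA/FORWARD")"

## run local config scripts..
# iface-wan is executed (not sourced); whatever it prints is used verbatim as
# the WAN interface name for the MASQ/NAT rules.
IFACE_WAN="$("$CONFIG_SCRIPTS/iface-wan")"

## setup config defaults if no local config specified..
# Bug fix: these were written as "${VAR:-'x'}". Inside double quotes the single
# quotes are literal, so a missing config file yielded values like 'DROP',
# '10/s' or '1' (quotes included), which iptables and /proc/sys reject.
DEBUG="${DEBUG:-0}"
VERBOSE="${VERBOSE:-0}"
LOG="${LOG:-0}"
LOG_FLOOD="${LOG_FLOOD:-10/s}"
LOG_LEVEL="${LOG_LEVEL:-debug}"
ALLOW_ICMP="${ALLOW_ICMP:-echo-request echo-reply time-exceed destination-unreachable parameter-problem}"
POLICY_FORWARD="${POLICY_FORWARD:-DROP}"
POLICY_INPUT="${POLICY_INPUT:-ACCEPT}"
POLICY_OUTPUT="${POLICY_OUTPUT:-ACCEPT}"
RPFILTER="${RPFILTER:-1}"
FORWARD="${FORWARD:-1}"

## program functions..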
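# ipt ARGS... : run /sbin/iptables ARGS. With DEBUG=1 the command line is
# echoed first; with CHECK=1 ("check" mode) it is only echoed, never run.
function ipt {
  [ "$DEBUG" == "1" ] && echo /sbin/iptables "$@"
  [ "$CHECK" == "1" ] || /sbin/iptables "$@"
}

# put VALUE FILE : write VALUE into FILE (used for /proc/sys knobs).
# Same DEBUG/CHECK behaviour as ipt.
function put {
  [ "$DEBUG" == "1" ] && echo "echo $1 > $2"
  [ "$CHECK" == "1" ] || echo "$1" > "$2"
}

# runscript FILE... : source FILE into this shell, so the hook script runs with
# this script's privileges and can use ipt/put and the config variables.
# With DEBUG=1 the file is printed first; with CHECK=1 it is not sourced.
function runscript {
  [ "$DEBUG" == "1" ] && grep -H ^ "$@"
  [ "$CHECK" == "1" ] || . "$@"
}

# out ARGS... : echo ARGS only when VERBOSE=1.
function out { [ "$VERBOSE" == "1" ] && echo "$@"; }

## rule-token field extractors. Each takes one rule token (see RULE SYNTAX)
## and prints a single field, or its default when the field is absent:
##   get_ip1  1st hostlist hosts   (default "0/0")
##   get_p1   1st hostlist ports   (default ":" = any; commas become spaces)
##   get_ip2  2nd hostlist hosts   (default "0/0")
##   get_p2   2nd hostlist ports   (default ":"; commas become spaces)
##   get_p    protocol list        (default "tcp,udp")
##   get_x    extra field          (default "0")
function get_ip1 {
  local v
  v=$(echo "$1" | perl -pe 's/^([^:<>\=]+)?.*/$1/g')
  echo "${v:-0/0}"
}
function get_p1 {
  local v
  v=$(echo "$1" | perl -pe 's/^([^:<>]+)?(\:([^:<>\=]+))?.*/$3/g;s/,/ /g')
  echo "${v:-:}"
}
function get_ip2 {
  local v
  v=$(echo "$1" | perl -pe 's/(.*>([^:<>\=]+))?.*/$2/g')
  echo "${v:-0/0}"
}
function get_p2 {
  local v
  v=$(echo "$1" | perl -pe 's/(.*>(.*(:([^:<>\=]+)))?)?.*/$4/g;s/,/ /g')
  echo "${v:-:}"
}
function get_p {
  local v
  v=$(echo "$1" | perl -pe 's/(.*<([^:<>\=]+)?)?.*/$2/g')
  echo "${v:-tcp,udp}"
}
function get_x {
  local v
  v=$(echo "$1" | perl -pe 's/(.*=(.*)?)?.*/$2/g')
  echo "${v:-0}"
}

# ipt_flush : remove every rule and user chain this script may have created,
# then (re)apply the ip_forward and rp_filter sysctls.
function ipt_flush {
  # filter table (iptables' default table)
  ipt -Z
  ipt -F
  ipt -X
  # Bug fix: the nat table was never flushed. The MASQ/FORWARD/NAT rule
  # processing appends to PREROUTING/POSTROUTING, so those rules survived
  # "stop" and were duplicated on every restart.
  ipt -t nat -Z
  ipt -t nat -F
  ipt -t nat -X
  put "$FORWARD" "/proc/sys/net/ipv4/ip_forward"
  # rp_filter is required until interfaces are supported..
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      put "$RPFILTER" "$f"
    done
  fi
}

# ipt_safepolicy : set all three filter policies to ACCEPT. Together with
# ipt_flush this is the "stop" state: the host is left open, not closed.
function ipt_safepolicy {
  ipt -t filter -P INPUT ACCEPT
  ipt -t filter -P FORWARD ACCEPT
  ipt -t filter -P OUTPUT ACCEPT
}

# bailsafe MESSAGE : tear the firewall down to the open state, then bail.
# Note that bail exits 1, so "stop" also returns non-zero.
function bailsafe { ipt_flush; ipt_safepolicy; bail "$@"; }

# parsetoken TOKEN : expand one rule token into the cartesian product of its
# comma-separated lists, printing one line per combination:
#   ip1 p1 ip2 p2 proto extra
# Port ranges are printed as "lo:hi" (iptables --sport/--dport syntax);
# omitted hosts print as 0/0 and omitted ports as ":".
function parsetoken {
  local ip1r p1r ip2r p2r pr x p ip1 ip2 p1 p2
  ip1r="$(get_ip1 "$1")"
  p1r="$(get_p1 "$1")"
  ip2r="$(get_ip2 "$1")"
  p2r="$(get_p2 "$1")"
  pr="$(get_p "$1")"
  x="$(get_x "$1")"
  # the unquoted expansions below word-split the lists on purpose
  for p in ${pr//,/ }; do
    for ip1 in ${ip1r//,/ }; do
      for ip2 in ${ip2r//,/ }; do
        for p1 in ${p1r//,/ }; do
          for p2 in ${p2r//,/ }; do
            echo "$ip1" "${p1//-/:}" "$ip2" "${p2//-/:}" "$p" "$x"
          done
        done
      done
    done
  done
}

## process argv..
# "check" walks the whole configuration but executes nothing (see ipt/put/runscript).
[ "$1" == "check" ] && CHECK=1
case "$1" in
  list)
    ipt -nL
    exit 0
    ;;
  start|stop|restart|reload|check)
    ;;
  *)
    bail "Usage: $(basename "$0") start|stop|reload|restart|list|check"
    ;;
esac

## stop firewall..
[ "$1" == "stop" ] && bailsafe "Dirwall: stopped."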
## flush/delete everything..
ipt_flush

## setup default policies..
# (the ACCEPT fallbacks here only matter if a variable is still empty)
ipt -t filter -P INPUT "${POLICY_INPUT:-ACCEPT}"
ipt -t filter -P FORWARD "${POLICY_FORWARD:-ACCEPT}"
ipt -t filter -P OUTPUT "${POLICY_OUTPUT:-ACCEPT}"

## run custom local iptables commands..
# dirwall-begin is sourced into this shell (see runscript) before any
# dirwall chain exists, so anything it adds comes first in INPUT/FORWARD.
[ -x "$CONFIG_SCRIPTS/dirwall-begin" ] \
  && runscript "$CONFIG_SCRIPTS/dirwall-begin"

## setup internal DROP chain..
# DIRWALL_DROP answers tcp with a RST and everything else with
# icmp-port-unreachable, then drops whatever REJECT did not handle.
ipt -t filter -N DIRWALL_DROP
ipt -t filter -A DIRWALL_DROP -p tcp -j REJECT --reject-with tcp-reset
ipt -t filter -A DIRWALL_DROP ! -p tcp -j REJECT \
  --reject-with icmp-port-unreachable
ipt -t filter -A DIRWALL_DROP -j DROP

## setup internal LOG chain (if desired)..
# (created below once CHAINS is known; the LOG rules themselves are appended
# after the rule files have been processed)

## setup chains..
# allow local traffic..
ipt -t filter -A INPUT -i lo -j ACCEPT
# allow some icmp..
# ALLOW_ICMP is a space-separated list; the unquoted expansion is the split.
for icmp in $ALLOW_ICMP; do
  ipt -t filter -A INPUT -p icmp --icmp-type "$icmp" -j ACCEPT
done
# allow established/related..
ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# rule directories to process, in this order. With logging on, NOLOG is
# processed first so its silent-drop rules sit in DIRWALL_LOG ahead of the
# LOG rules appended later.
CHAINS="MASQ FORWARD NAT ACCEPT"
# setup logging chain..
if [ "$LOG" == "1" ]; then
  ipt -t filter -N DIRWALL_LOG
  CHAINS="NOLOG $CHAINS"
fi
# use rules to setup other chains..
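# For each chain dir: every rule file (names containing '~' are skipped as
# editor backups) is read with get_tokens, each token is expanded by
# parsetoken, and each expanded "ip1 p1 ip2 p2 proto extra" line becomes the
# iptables rules for that chain. The while loop runs in a pipeline subshell,
# so nothing it sets is visible afterwards.
for chain in $CHAINS; do
  rules=$(ls -1 "$DIRWALL/$chain/" | grep -v '~')
  [ -n "$rules" ] && out "$chain:"
  for rule in $rules; do
    for token in $(get_tokens "$DIRWALL/$chain/$rule"); do
      out " $rule: $token"
      parsetoken "$token" \
        | while read -r ip1 p1 ip2 p2 p x; do
        case "$chain" in
          NOLOG )
            # matching traffic is dropped without ever reaching the LOG rules
            if [ "$p" == "tcp" ] || [ "$p" == "udp" ]; then
              ipt -t filter -A DIRWALL_LOG -p "$p" -s "$ip1" \
                --sport "$p1" -d "$ip2" --dport "$p2" -j DIRWALL_DROP
            else
              ipt -t filter -A DIRWALL_LOG -p "$p" -s "$ip1" -d "$ip2" \
                -j DIRWALL_DROP
            fi
            ;;
          MASQ )
            # ip1 = internal network: forward it out, let replies back, and
            # masquerade it on the WAN interface
            ipt -t filter -A FORWARD -s "$ip1" -j ACCEPT
            ipt -t filter -A FORWARD -d "$ip1" \
              -m state --state ESTABLISHED,RELATED -j ACCEPT
            ipt -t nat -A POSTROUTING -s "$ip1" -o "$IFACE_WAN" \
              -j MASQUERADE
            ;;
          FORWARD )
            # ip1:p1 = initial destination, ip2:p2 = final destination; the
            # 2nd port defaults to the 1st when omitted (parsetoken gives ":").
            # Bug fix: the old "${p2//:/$p1}" replaced EVERY colon with p1, so
            # a port range "lo:hi" turned into "lo<p1>hi". --dport takes
            # "lo:hi" while DNAT --to-destination takes "ip:lo-hi".
            fp2="$p2"
            [ "$fp2" == ":" ] && fp2="$p1"
            dst="$ip2"
            [ "$fp2" != ":" ] && dst="$ip2:${fp2//:/-}"
            ipt -t nat -A PREROUTING -p "$p" -d "$ip1" \
              --dport "$p1" -j DNAT --to-destination "$dst"
            ipt -t filter -A FORWARD -p "$p" -d "$ip2" \
              --dport "$fp2" -j ACCEPT
            ;;
          NAT )
            # 1:1 NAT: ip1 = external address, ip2 = internal address.
            # NOTE: the FORWARD rule accepts ALL traffic arriving on the WAN
            # interface for ip2 (any protocol, any port); the internal host
            # gets no filtering from this script.
            ipt -t nat -A PREROUTING -d "$ip1" -j DNAT \
              --to-destination "$ip2"
            ipt -t filter -A FORWARD -i "$IFACE_WAN" -d "$ip2" -j ACCEPT
            ipt -t nat -A POSTROUTING -s "$ip2" -j SNAT --to-source "$ip1"
            # extra field = internal gateway ip/mask; hairpin (int->ext->int)
            # traffic from that network is SNATed to the gateway ip
            if [ "$x" != "0" ]; then
              ipt -t nat -A POSTROUTING -s "$x" -d "$ip2" \
                -j SNAT --to-source "${x%/*}"
            fi
            ;;
          ACCEPT )
            # inbound to this host; ports only apply to tcp/udp
            if [ "$p" == "tcp" ] || [ "$p" == "udp" ]; then
              ipt -t filter -A INPUT -p "$p" -s "$ip1" --sport "$p1" \
                -d "$ip2" --dport "$p2" -j ACCEPT
            else
              ipt -t filter -A INPUT -p "$p" -s "$ip1" -d "$ip2" -j ACCEPT
            fi
            ;;
        esac
      done
    done
  done
done

## run custom local iptables commands..
[ -x "$CONFIG_SCRIPTS/dirwall-end" ] && runscript "$CONFIG_SCRIPTS/dirwall-end"

## finish INPUT chain..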
if [ "$LOG" == "1" ]; then ipt -t filter -A DIRWALL_LOG -p tcp -m limit --limit "$LOG_FLOOD" \ -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_tcp ' ipt -t filter -A DIRWALL_LOG -p udp -m limit --limit "$LOG_FLOOD" \ -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_udp ' ipt -t filter -A DIRWALL_LOG -p icmp -m limit --limit "$LOG_FLOOD" \ -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_icmp ' ipt -t filter -A DIRWALL_LOG -j DIRWALL_DROP ipt -t filter -A INPUT -j DIRWALL_LOG else ipt -t filter -A INPUT -j DIRWALL_DROP fi echo "Dirwall: started." exit 0 dirwall-0.10/etc/dirwall/0040755000175000001450000000000010066707724014637 5ustar tkoodatkoodadirwall-0.10/etc/dirwall/ACCEPT/0040700000175000001450000000000010066706021015551 5ustar tkoodatkoodadirwall-0.10/etc/dirwall/ACCEPT/ftp0100600000175000001450000000004610066704673016277 0ustar tkoodatkooda# allow public ftp access >:20-21:22:8010.0.0.17:80 internal = internal gateway/mask # 1.2.3.4>10.0.0.16=10.0.0.1/24 dirwall-0.10/etc/dirwall/NOLOG/0040700000175000001450000000000010066720550015473 5ustar tkoodatkoodadirwall-0.10/etc/dirwall/NOLOG/local-samba0100600000175000001450000000005310066705712017571 0ustar tkoodatkooda# don't log smb (tcp or udp) >:135-139,443 dirwall-0.10/etc/dirwall/scripts/0040700000175000001450000000000010066704673016314 5ustar tkoodatkoodadirwall-0.10/etc/dirwall/scripts/dirwall-end0100700000175000001450000000012010066704673020432 0ustar tkoodatkooda#!/bin/bash ## dirwall-end : custom script that runs at the end of the script dirwall-0.10/etc/dirwall/scripts/dirwall-begin0100700000175000001450000000013110066704673020752 0ustar tkoodatkooda#!/bin/bash ## dirwall-begin : custom rule script that runs at the start of the script dirwall-0.10/etc/dirwall/scripts/iface-wan0100700000175000001450000000012210066704673020064 0ustar tkoodatkooda#!/bin/bash ## iface-wan : print the wan interface (default route) echo "eth0" 
dirwall-0.10/etc/dirwall/config/0040700000175000001450000000000010066704673016072 5ustar tkoodatkoodadirwall-0.10/etc/dirwall/config/DEBUG0100644000175000001450000000000210066704673016642 0ustar tkoodatkooda0 dirwall-0.10/etc/dirwall/config/VERBOSE0100644000175000001450000000000210066704673017121 0ustar tkoodatkooda1 dirwall-0.10/etc/dirwall/config/ALLOW_ICMP0100644000175000001450000000011610066704673017510 0ustar tkoodatkoodaecho-request echo-reply time-exceed destination-unreachable parameter-problem dirwall-0.10/etc/dirwall/config/LOG_FLOOD0100644000175000001450000000000510066704673017363 0ustar tkoodatkooda10/s dirwall-0.10/etc/dirwall/config/LOG_LEVEL0100644000175000001450000000000610066704673017370 0ustar tkoodatkoodadebug dirwall-0.10/etc/dirwall/config/POLICY_INPUT0100644000175000001450000000000710066704673017777 0ustar tkoodatkoodaACCEPT dirwall-0.10/etc/dirwall/config/POLICY_OUTPUT0100644000175000001450000000000710066704673020140 0ustar tkoodatkoodaACCEPT dirwall-0.10/etc/dirwall/config/POLICY_FORWARD0100644000175000001450000000000510066704673020202 0ustar tkoodatkoodaDROP dirwall-0.10/etc/dirwall/config/LOG0100644000175000001450000000000210066704673016435 0ustar tkoodatkooda0 dirwall-0.10/etc/dirwall/config/FORWARD0100644000175000001450000000000210066704673017120 0ustar tkoodatkooda1 dirwall-0.10/etc/dirwall/config/RPFILTER0100644000175000001450000000000210066704673017243 0ustar tkoodatkooda1 dirwall-0.10/INSTALL0100644000175000001450000000014510066712533013446 0ustar tkoodatkoodaTo install: ----------- make install To remove: ---------- make remove rm -r /etc/dirwall dirwall-0.10/LICENSE0100644000175000001450000000302710066725176013433 0ustar tkoodatkoodaThis is distributed under the BSD liscense. Copyright (c) 2004, Thor Kooda All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the organisation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. dirwall-0.10/Changelog0100644000175000001450000000014010066712457014227 0ustar tkoodatkooda2004-06-24 (v0.10) Thor Kooda * cleaned up for public release dirwall-0.10/Makefile0100644000175000001450000000213510066726672014067 0ustar tkoodatkooda# simple dirwall install Makefile SYSVLINK="/etc/rc2.d" RCSCRIPT="/etc/init.d" dirwall : install : @[ -e "/etc/dirwall" ] && echo "/etc/dirwall dir already exists, skipping.." || ( cp -r etc/dirwall /etc; echo "installed: /etc/dirwall" ) @[ -e "$(RCSCRIPT)/dirwall" ] && echo "$(RCSCRIPT)/dirwall file already exists, skipping.." 
|| ( cp etc/init.d/dirwall $(RCSCRIPT); chmod a+rx $(RCSCRIPT)/dirwall; echo "installed: $(RCSCRIPT)/dirwall" ) @[ -h "$(SYSVLINK)/S19dirwall" ] && echo "$(SYSVLINK)/S19dirwall link already exists, skipping.." || ( ln -s $(RCSCRIPT)/dirwall $(SYSVLINK)/S19dirwall; echo "installed: $(SYSVLINK)/S19dirwall" ) remove : @[ ! -e "/etc/dirwall" ] && echo "/etc/dirwall dir dosn't exist, skipping.." || ( echo "please remove /etc/dirwall manually" ) @[ ! -e "$(RCSCRIPT)/dirwall" ] && echo "$(RCSCRIPT)/dirwall file dosn't exist, skipping.." || ( rm $(RCSCRIPT)/dirwall; echo "removed: $(RCSCRIPT)/dirwall" ) @[ ! -h "$(SYSVLINK)/S19dirwall" ] && echo "$(SYSVLINK)/S19dirwall link dosn't exist, skipping.." || ( rm $(SYSVLINK)/S19dirwall; echo "removed: $(SYSVLINK)/S19dirwall" ) dirwall-0.10/README0100644000175000001450000000277210066724764013316 0ustar tkoodatkoodadirwall - v0.10 --------------- ## ABOUT: I wrote this because I wanted to have the ability to have useful iptables rules described in a concice and (hopefully) sane format. I separated the rules from the script logic to make it easier to update the script without touching the actual rules. This also makes it easy for other packages to manage the rules. ## CONFIG: Configuration settings are stored in the /etc/dirwall/config/* files. Other configuration is done by the /etc/dirwall/scripts/* scripts. ## RULES: The iptables rules are stored in rule files located in /etc/dirwall/{ACCEPT,FORWARD,MASQ,NAT,NOLOG}/* . There may be more than one rule per file. The rule filenames in the ACCEPT dir are reserved for packages with that name. i.e. the "ssh" package has the ability to manage the /etc/dirwall/ACCEPT/ssh rule file. Local ACCEPT rule files should (but are not required to) begin with "local-". ## RULE SYNTAX: rule = [ hostlist ] [ ">" hostlist ] [ "<" proto ] [ "=" extra ] hostlist = [ host [ "," host [...] 
] ] [ ":" portlist ] host = [ [ ip [ "/" mask ] ] ip = ( ipv4 dotted decimal address | dns host address ) mask = ( ipv4 dotted decimal bitmask | integer bitmask ) portlist = [ portrange [ "," portrange [...] ] ] portrange = [ port [ "-" port ] ] port = ( ipv4 port integer ) proto = "tcp" | "udp" | "icmp" | "all" | ( other from /etc/protocols ) extra = [ host ] -Thor Kooda tkooda-dirwall@devsec.org 2004-06-24