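#!/bin/bash
## dirwall : v0.11 : a linux iptables firewall script
## - Thor Kooda
##
## (archive path: dirwall-0.11/etc/init.d/dirwall)
##
## Builds the iptables "filter" and "nat" tables from the rule files under
## /etc/dirwall/{ACCEPT,FORWARD,MASQ,NAT,NOLOG,REJECT}/ and the knobs under
## /etc/dirwall/config/.  It runs as root and treats everything below
## /etc/dirwall as trusted input: config/scripts/* are executed or sourced
## by this script, so that tree must be owned by root and not writable by
## anyone else.

## setup..
DIRWALL="/etc/dirwall"
CONFIG_DATA="$DIRWALL/config"
CONFIG_SCRIPTS="$DIRWALL/scripts"
# one rule directory per chain; each file holds whitespace-separated rule
# tokens, '#' starts a comment..
CONFIG_ACCEPT="$DIRWALL/ACCEPT"
CONFIG_FORWARD="$DIRWALL/FORWARD"
CONFIG_MASQ="$DIRWALL/MASQ"
CONFIG_NAT="$DIRWALL/NAT"
CONFIG_NOLOG="$DIRWALL/NOLOG"
CONFIG_REJECT="$DIRWALL/REJECT"

## setup global functions..
# bail MSG : print MSG and exit 1.  Touches no iptables state, so whatever
# ruleset was loaded before this run stays in force.
function bail { echo "$1"; exit 1; }

# get_token FILE : the first whitespace-separated word of the first line of
# FILE that still contains a word character after '#' comments are cut.
# Prints nothing (and does not fail) when FILE is missing.
function get_token {
  cut -d'#' -f1 "$1" 2>/dev/null | grep '\w' | head -1 | awk '{print $1}'
}

# get_tokens FILE : every non-empty, non-comment line of FILE with the
# comment part cut off.  Callers word-split the output, so a single rule
# token may never contain whitespace.
function get_tokens {
  cut -d'#' -f1 "$1" 2>/dev/null | grep '\w'
}

## dependency checks..
# All checks run before anything is flushed, so a failure here leaves the
# previously loaded firewall intact.
[ -x "$(command -v perl)" ] || bail "Error: perl not found"
# ipt() below calls /sbin/iptables by absolute path; without this check a
# missing binary would make every rule silently fail to load while the
# script still reports "started".
[ -x /sbin/iptables ] || bail "Error: /sbin/iptables not found"
[ -d "$CONFIG_DATA" ] || bail "Error: $CONFIG_DATA dir not found"
[ -d "$CONFIG_SCRIPTS" ] || bail "Error: $CONFIG_SCRIPTS dir not found"
# iface-wan is executed unconditionally to find the WAN interface used by
# MASQ and NAT rules; an empty result would produce malformed "-o"/"-i"
# matches, so require it up front.
[ -x "$CONFIG_SCRIPTS/iface-wan" ] \
  || bail "Error: $CONFIG_SCRIPTS/iface-wan not found or not executable"

## read local config data..
# None of these values are validated: POLICY_* go straight to "iptables -P",
# FORWARD/RPFILTER are written to /proc sysctls, LOG_* to the LOG target.
# An invalid value is rejected by iptables/the kernel for that one call
# only; the run continues.
VERBOSE="$(get_token "$CONFIG_DATA/VERBOSE")"
DEBUG="$(get_token "$CONFIG_DATA/DEBUG")"
LOG="$(get_token "$CONFIG_DATA/LOG")"
LOG_FLOOD="$(get_token "$CONFIG_DATA/LOG_FLOOD")"
LOG_LEVEL="$(get_token "$CONFIG_DATA/LOG_LEVEL")"
ALLOW_ICMP="$(get_tokens "$CONFIG_DATA/ALLOW_ICMP")"
POLICY_FILTER_INPUT="$(get_token "$CONFIG_DATA/POLICY_FILTER_INPUT")"
POLICY_FILTER_FORWARD="$(get_token "$CONFIG_DATA/POLICY_FILTER_FORWARD")"
POLICY_FILTER_OUTPUT="$(get_token "$CONFIG_DATA/POLICY_FILTER_OUTPUT")"
POLICY_NAT_PREROUTING="$(get_token "$CONFIG_DATA/POLICY_NAT_PREROUTING")"
POLICY_NAT_POSTROUTING="$(get_token "$CONFIG_DATA/POLICY_NAT_POSTROUTING")"
POLICY_NAT_OUTPUT="$(get_token "$CONFIG_DATA/POLICY_NAT_OUTPUT")"
RPFILTER="$(get_token "$CONFIG_DATA/RPFILTER")"
FORWARD="$(get_token "$CONFIG_DATA/FORWARD")"

## run local config scripts..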
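# iface-wan must print the WAN interface name.  It is used as "-o" for
# MASQUERADE and "-i" for 1:1 NAT rules, and its output is used unvalidated.
IFACE_WAN="$("$CONFIG_SCRIPTS/iface-wan")"

## setup config defaults if no local config specified..
DEBUG="${DEBUG:-0}"
VERBOSE="${VERBOSE:-0}"
LOG="${LOG:-0}"
LOG_FLOOD="${LOG_FLOOD:-10/s}"
LOG_LEVEL="${LOG_LEVEL:-debug}"
# NOTE(review): "time-exceed" is presumably accepted by iptables as an
# abbreviation of "time-exceeded" -- confirm on the target iptables version.
ALLOW_ICMP="${ALLOW_ICMP:-echo-request echo-reply time-exceed destination-unreachable parameter-problem}"
RPFILTER="${RPFILTER:-1}"
# NOTE(security): ip_forward is switched ON by default and, just below, the
# FORWARD chain policy defaults to ACCEPT.  Nothing later in this script
# appends a catch-all to FORWARD (only ACCEPT rules from MASQ/FORWARD/NAT
# are added), so a multi-homed host without config/POLICY_FILTER_FORWARD
# (the shipped copy says DROP) routes between its interfaces unfiltered.
FORWARD="${FORWARD:-1}"
POLICY_FILTER_INPUT="${POLICY_FILTER_INPUT:-ACCEPT}"
POLICY_FILTER_FORWARD="${POLICY_FILTER_FORWARD:-ACCEPT}"
POLICY_FILTER_OUTPUT="${POLICY_FILTER_OUTPUT:-ACCEPT}"
POLICY_NAT_PREROUTING="${POLICY_NAT_PREROUTING:-ACCEPT}"
POLICY_NAT_POSTROUTING="${POLICY_NAT_POSTROUTING:-ACCEPT}"
POLICY_NAT_OUTPUT="${POLICY_NAT_OUTPUT:-ACCEPT}"

## program functions..
# ipt ARGS... : run /sbin/iptables ARGS (echo the command first when
# DEBUG=1; skip it entirely when CHECK=1).  A failing call is reported on
# stderr and its status returned, but the run is NOT aborted: there is no
# rollback for a half-built ruleset, and bailsafe() would leave the host
# wide open.  Callers that ignore the status behave exactly as before.
function ipt {
  [ "$DEBUG" == "1" ] && echo /sbin/iptables "$@"
  [ "$CHECK" == "1" ] && return 0
  if ! /sbin/iptables "$@"; then
    echo "Error: iptables $* failed" >&2
    return 1
  fi
  return 0
}

# put VALUE FILE : write VALUE into FILE (a /proc sysctl here); echo instead
# when DEBUG=1, skip when CHECK=1.
function put {
  [ "$DEBUG" == "1" ] && echo "echo $1 > $2"
  [ "$CHECK" == "1" ] || echo "$1" > "$2"
}

# runscript FILE : source FILE into this shell (print it instead when
# DEBUG=1, skip when CHECK=1).  The file runs as root with full access to
# every variable and function of this script, so it must be root-owned and
# not writable by anyone else.
function runscript {
  [ "$DEBUG" == "1" ] && grep -H ^ "$@"
  [ "$CHECK" == "1" ] || . "$@"
}

# out ARGS... : print ARGS when VERBOSE=1.
function out { [ "$VERBOSE" == "1" ] && echo "$@"; }

# Token field extractors.  A rule token looks like
#   [host[,host]][:ports] [">" [host[,host]][:ports]] ["<" proto] ["=" extra]
# and each helper prints one field, or its default when the field is absent:
#   get_ip1 -> source host list   (default 0/0)
#   get_p1  -> source port list, commas turned into spaces (default ":")
#   get_ip2 -> destination host list (default 0/0)
#   get_p2  -> destination port list, commas turned into spaces (default ":")
#   get_p   -> protocol list       (default "tcp,udp")
#   get_x   -> extra field         (default "0")
function get_ip1 {
  local v
  v=$(echo "$1" | perl -pe 's/^([^:<>\=]+)?.*/$1/g';)
  echo ${v:-'0/0'}
}
function get_p1 {
  local v
  v=$(echo "$1" | perl -pe 's/^([^:<>]+)?(\:([^:<>\=]+))?.*/$3/g;s/,/ /g';)
  echo ${v:-':'}
}
function get_ip2 {
  local v
  v=$(echo "$1" | perl -pe 's/(.*>([^:<>\=]+))?.*/$2/g';)
  echo ${v:-'0/0'}
}
function get_p2 {
  local v
  v=$(echo "$1" | perl -pe 's/(.*>(.*(:([^:<>\=]+)))?)?.*/$4/g;s/,/ /g';)
  echo ${v:-':'}
}
function get_p {
  local v
  v=$(echo "$1" | perl -pe 's/(.*<([^:<>\=]+)?)?.*/$2/g';)
  echo ${v:-'tcp,udp'}
}
function get_x { # extras
  local v
  v=$(echo "$1" | perl -pe 's/(.*=(.*)?)?.*/$2/g';)
  echo ${v:-'0'}
}

# ipt_flush : empty and delete all chains of the filter and nat tables
# (the mangle table is left alone), then push FORWARD/RPFILTER into /proc.
# Chain policies are NOT changed here: after the flush, traffic is governed
# solely by whatever policy is current until rules are rebuilt.  With the
# ACCEPT defaults that is an unfiltered window for the whole rebuild; an
# atomic load via iptables-restore would close it.
function ipt_flush {
  ipt -t filter -F
  ipt -t filter -X
  ipt -t nat -F
  ipt -t nat -X
  put "$FORWARD" "/proc/sys/net/ipv4/ip_forward"
  # rp_filter is required until interfaces are supported..
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      put "$RPFILTER" "$f"
    done
  fi
}

# ipt_openpolicy : set every filter and nat chain policy to ACCEPT.
function ipt_openpolicy {
  ipt -t filter -P INPUT ACCEPT
  ipt -t filter -P FORWARD ACCEPT
  ipt -t filter -P OUTPUT ACCEPT
  ipt -t nat -P PREROUTING ACCEPT
  ipt -t nat -P POSTROUTING ACCEPT
  ipt -t nat -P OUTPUT ACCEPT
}

# bailsafe MSG : flush everything, open all policies, print MSG, exit 1.
# This is deliberately "fail open" -- it is what "stop" does -- and leaves
# the host completely unfiltered.
function bailsafe { ipt_flush; ipt_openpolicy; bail "$@"; }

# parsetoken TOKEN : expand one rule token into one line per concrete rule,
# "IP1 PORT1 IP2 PORT2 PROTO EXTRA".  Comma lists in the host and port
# fields are multiplied out (protocol outermost, then src host, dst host,
# src port, dst port -- this nesting fixes the order rules are appended),
# and a port range "a-b" is rewritten to the iptables form "a:b".
function parsetoken {
  local ip1r p1r ip2r p2r pr x p ip1 ip2 p1 p2
  ip1r="$(get_ip1 "$1")"
  p1r="$(get_p1 "$1")"
  ip2r="$(get_ip2 "$1")"
  p2r="$(get_p2 "$1")"
  pr="$(get_p "$1")"
  x="$(get_x "$1")"
  for p in ${pr//,/ }; do
    for ip1 in ${ip1r//,/ }; do
      for ip2 in ${ip2r//,/ }; do
        for p1 in ${p1r//,/ }; do
          for p2 in ${p2r//,/ }; do
            echo "$ip1" "${p1//-/:}" "$ip2" "${p2//-/:}" "$p" "$x"
          done
        done
      done
    done
  done
}

## process argv..
# CHECK (dry run: no iptables/sysctl writes at all) must only come from the
# "check" argument.  Without this reset an inherited CHECK=1 in the
# environment would turn "start" into a no-op that still prints "started".
CHECK=0
[ "$1" == "check" ] && CHECK=1
case "$1" in
  list)
    for table in filter nat; do
      echo "$table table:"
      ipt -t "$table" -nL
      echo; echo
    done
    exit 0
    ;;
  start|stop|restart|reload|check) ;;
  *) bail "Usage: $(basename "$0") start|stop|reload|restart|list|check" ;;
esac

## stop firewall..
# "stop" == flush + all policies ACCEPT: the host is left unfiltered.
[ "$1" == "stop" ] && bailsafe "Dirwall: stopped."

## flush/delete everything..
ipt_flush

## setup default chain policies..
# From here until the last rule is appended, the chains are being rebuilt
# and traffic is filtered only by these policies.
ipt -t filter -P INPUT "$POLICY_FILTER_INPUT"
ipt -t filter -P FORWARD "$POLICY_FILTER_FORWARD"
ipt -t filter -P OUTPUT "$POLICY_FILTER_OUTPUT"
ipt -t nat -P PREROUTING "$POLICY_NAT_PREROUTING"
ipt -t nat -P POSTROUTING "$POLICY_NAT_POSTROUTING"
ipt -t nat -P OUTPUT "$POLICY_NAT_OUTPUT"

## run custom local iptables commands..
# sourced as root, see runscript().
[ -x "$CONFIG_SCRIPTS/dirwall-begin" ] \
  && runscript "$CONFIG_SCRIPTS/dirwall-begin"

## setup internal DROP chain..
# Despite the name this chain REJECTs: TCP gets a RST, everything else an
# ICMP port-unreachable.  The trailing DROP is a safety net for anything
# the REJECT target does not terminate.
ipt -t filter -N DIRWALL_DROP
ipt -t filter -A DIRWALL_DROP -p tcp -j REJECT --reject-with tcp-reset
ipt -t filter -A DIRWALL_DROP ! -p tcp -j REJECT \
  --reject-with icmp-port-unreachable
ipt -t filter -A DIRWALL_DROP -j DROP

## setup chains..
# allow local traffic..
ipt -t filter -A INPUT -i lo -j ACCEPT
# allow some icmp..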
# These ICMP types are accepted from ANY source, and this rule sits ahead
# of the REJECT rules built below, so a REJECT rule cannot block them.
# With the defaults that includes echo-request, i.e. the host answers
# pings from everywhere.
for icmp in $ALLOW_ICMP; do
  ipt -t filter -A INPUT -p icmp --icmp-type "$icmp" -j ACCEPT
done
# allow established/related..
ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rule directories are processed in this order, and rules are appended in
# the order they are read, so REJECT entries always precede ACCEPT entries
# in the INPUT chain: where they overlap, REJECT wins.
CHAINS="REJECT MASQ FORWARD NAT ACCEPT"
# drop invalid..
ipt -t filter -A INPUT -m state --state INVALID -j DROP
# setup internal LOG chain (if desired)..
if [ "$LOG" == "1" ]; then
  ipt -t filter -N DIRWALL_LOG
  # NOLOG rules only exist when logging is on: they are placed in
  # DIRWALL_LOG ahead of the LOG rules so matching traffic is dropped quietly.
  CHAINS="NOLOG $CHAINS"
fi
# use rules to setup other chains..
# Every file in $DIRWALL/<chain>/ is loaded except names containing '~'
# (editor backups); dotfiles are skipped only because "ls" hides them.
# Leftovers such as *.rpmsave or *.dpkg-old WOULD be loaded as rules.
# Note that ipt() does not abort on an iptables error: a rule that fails
# to load (e.g. a host name that does not resolve) is silently absent.
# For REJECT and NOLOG rules that is a fail-open condition.
for chain in $CHAINS; do
  rules=`ls -1 $DIRWALL/$chain/ |grep -v '~'`
  [ -n "$rules" ] && out "$chain:"
  for rule in $rules; do
    for token in `get_tokens $DIRWALL/$chain/$rule`; do
      out " $rule: $token"
      # parsetoken prints "IP1 PORT1 IP2 PORT2 PROTO EXTRA" per concrete
      # rule; the while loop runs in a pipeline subshell, so nothing it
      # sets is visible afterwards.
      parsetoken "$token" \
        | while read ip1 p1 ip2 p2 p x; do
        case $chain in
          # ACCEPT: inbound to this host.  Port matches only make sense
          # for tcp/udp; for any other protocol the ports are ignored.
          ACCEPT )
            if [ "$p" == "tcp" -o "$p" == "udp" ]; then
              ipt -t filter -A INPUT -p "$p" -s "$ip1" --sport "$p1" \
                -d "$ip2" --dport "$p2" -j ACCEPT
            else
              ipt -t filter -A INPUT -p "$p" -s "$ip1" -d "$ip2" -j ACCEPT
            fi
            ;;
          # FORWARD: port forward "ip1:p1 > ip2:p2".  When p2 is left at
          # its ":" default, p1 is reused on the inside.  Non-tcp/udp
          # protocols are silently ignored here.  The FORWARD accept is
          # not bound to any interface, so it admits the forwarded port
          # from every side.
          FORWARD )
            if [ "$p" == "tcp" -o "$p" == "udp" ]; then
              ipt -t nat -A PREROUTING -p "$p" -d "$ip1" \
                --dport "$p1" -j DNAT \
                --to-destination "$ip2:${p2//:/$p1}"
              ipt -t filter -A FORWARD -p "$p" -d "$ip2" \
                --dport "${p2//:/$p1}" -j ACCEPT
            fi
            ;;
          # MASQ: masquerade the network ip1 behind $IFACE_WAN.  The first
          # rule forwards anything FROM ip1 to any destination on any
          # interface (not only the WAN), the second lets replies back in.
          MASQ )
            ipt -t filter -A FORWARD -s "$ip1" -j ACCEPT
            ipt -t filter -A FORWARD -d "$ip1" \
              -m state --state ESTABLISHED,RELATED -j ACCEPT
            ipt -t nat -A POSTROUTING -s "$ip1" -o "$IFACE_WAN" \
              -j MASQUERADE
            ;;
          # NAT: 1:1 NAT, external ip1 <-> internal ip2.  Everything
          # arriving on $IFACE_WAN for ip2 is accepted -- all ports, all
          # protocols; there is no per-port filtering for NATed hosts.
          # NOTE(review): the "=extra" SNAT below strips the mask off $x
          # and uses the remainder as the source address; its intent is
          # not clear from this code -- confirm with the author.
          NAT )
            ipt -t nat -A PREROUTING -d "$ip1" -j DNAT \
              --to-destination "$ip2"
            ipt -t filter -A FORWARD -i "$IFACE_WAN" -d "$ip2" -j ACCEPT
            ipt -t nat -A POSTROUTING -s "$ip2" -j SNAT --to-source "$ip1"
            if [ "$x" != "0" ]; then
              ipt -t nat -A POSTROUTING -s "$x" -d "$ip2" \
                -j SNAT --to-source "${x%/*}"
            fi
            ;;
          # NOLOG: reject without logging (goes into DIRWALL_LOG ahead of
          # the LOG rules, so these packets never reach syslog).
          NOLOG )
            if [ "$p" == "tcp" -o "$p" == "udp" ]; then
              ipt -t filter -A DIRWALL_LOG -p "$p" -s "$ip1" \
                --sport "$p1" -d "$ip2" --dport "$p2" -j DIRWALL_DROP
            else
              ipt -t filter -A DIRWALL_LOG -p "$p" -s "$ip1" -d "$ip2" \
                -j DIRWALL_DROP
            fi
            ;;
          # REJECT: explicit reject in INPUT (RST / port-unreachable via
          # DIRWALL_DROP), appended before any ACCEPT rule.
          REJECT )
            if [ "$p" == "tcp" -o "$p" == "udp" ];
then
              ipt -t filter -A INPUT -p "$p" -s "$ip1" --sport "$p1" \
                -d "$ip2" --dport "$p2" -j DIRWALL_DROP
            else
              ipt -t filter -A INPUT -p "$p" -s "$ip1" -d "$ip2" \
                -j DIRWALL_DROP
            fi
            ;;
        esac
      done
    done
  done
done

## run custom local iptables commands..
# sourced as root, see runscript().
[ -x "$CONFIG_SCRIPTS/dirwall-end" ] && runscript "$CONFIG_SCRIPTS/dirwall-end"

## finish INPUT chain..
# INPUT always ends in DIRWALL_DROP (via DIRWALL_LOG when logging), so it
# is default-deny no matter what POLICY_FILTER_INPUT says.  FORWARD and
# OUTPUT get no such catch-all and fall through to their chain policy.
if [ "$LOG" == "1" ]; then
  # Rate-limited per protocol (LOG_FLOOD), then rejected.
  ipt -t filter -A DIRWALL_LOG -p tcp -m limit --limit "$LOG_FLOOD" \
    -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_tcp '
  ipt -t filter -A DIRWALL_LOG -p udp -m limit --limit "$LOG_FLOOD" \
    -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_udp '
  ipt -t filter -A DIRWALL_LOG -p icmp -m limit --limit "$LOG_FLOOD" \
    -j LOG --log-level "$LOG_LEVEL" --log-prefix 'rejected_icmp '
  ipt -t filter -A DIRWALL_LOG -j DIRWALL_DROP
  ipt -t filter -A INPUT -j DIRWALL_LOG
else
  ipt -t filter -A INPUT -j DIRWALL_DROP
fi
# Printed unconditionally -- individual iptables failures above do not
# change the exit status of this script.
echo "Dirwall: started."
exit 0
## --- end of etc/init.d/dirwall.  The line below is unsplit tar-archive
## residue (ACCEPT/local-ftp, scripts/dirwall-end, scripts/dirwall-begin,
## scripts/iface-wan), not part of this script. ---
dirwall-0.11/etc/dirwall/0040700000175000017500000000000010073366270014624 5ustar tkoodatkoodadirwall-0.11/etc/dirwall/ACCEPT/0040700000175000017500000000000010073366270015563 5ustar tkoodatkoodadirwall-0.11/etc/dirwall/ACCEPT/local-ftp0100600000175000017500000000006110073366270017363 0ustar tkoodatkooda# example: allow public ftp access # >:20-21:80:2210.0.0.17:80internal10.0.0.16:135,137-139,443 dirwall-0.11/etc/dirwall/scripts/0040700000175000017500000000000010073366270016313 5ustar tkoodatkoodadirwall-0.11/etc/dirwall/scripts/dirwall-end0100700000175000017500000000012010073366270020431 0ustar tkoodatkooda#!/bin/bash ## dirwall-end : custom script that runs at the end of the script dirwall-0.11/etc/dirwall/scripts/dirwall-begin0100700000175000017500000000013110073366270020751 0ustar tkoodatkooda#!/bin/bash ## dirwall-begin : custom rule script that runs at the start of the script dirwall-0.11/etc/dirwall/scripts/iface-wan0100700000175000017500000000012210073366270020063 0ustar tkoodatkooda#!/bin/bash ## iface-wan : print the wan interface (default
route) echo "eth0" dirwall-0.11/etc/dirwall/config/0040700000175000017500000000000010073366270016071 5ustar tkoodatkoodadirwall-0.11/etc/dirwall/config/DEBUG0100600000175000017500000000000210073366270016631 0ustar tkoodatkooda0 dirwall-0.11/etc/dirwall/config/VERBOSE0100600000175000017500000000000210073366270017110 0ustar tkoodatkooda1 dirwall-0.11/etc/dirwall/config/ALLOW_ICMP0100600000175000017500000000011610073366270017477 0ustar tkoodatkoodaecho-request echo-reply time-exceed destination-unreachable parameter-problem dirwall-0.11/etc/dirwall/config/LOG_FLOOD0100600000175000017500000000000510073366270017352 0ustar tkoodatkooda10/s dirwall-0.11/etc/dirwall/config/LOG_LEVEL0100600000175000017500000000000610073366270017357 0ustar tkoodatkoodadebug dirwall-0.11/etc/dirwall/config/LOG0100600000175000017500000000000210073366270016424 0ustar tkoodatkooda0 dirwall-0.11/etc/dirwall/config/FORWARD0100600000175000017500000000000210073366270017107 0ustar tkoodatkooda1 dirwall-0.11/etc/dirwall/config/RPFILTER0100600000175000017500000000000210073366270017232 0ustar tkoodatkooda1 dirwall-0.11/etc/dirwall/config/POLICY_FILTER_FORWARD0100600000175000017500000000000510073366270021236 0ustar tkoodatkoodaDROP dirwall-0.11/etc/dirwall/config/POLICY_FILTER_INPUT0100600000175000017500000000000710073366270021033 0ustar tkoodatkoodaACCEPT dirwall-0.11/etc/dirwall/config/POLICY_FILTER_OUTPUT0100600000175000017500000000000710073366270021174 0ustar tkoodatkoodaACCEPT dirwall-0.11/etc/dirwall/REJECT/0040700000175000017500000000000010073366270015600 5ustar tkoodatkoodadirwall-0.11/etc/dirwall/REJECT/local-smb0100600000175000017500000000010210073366270017364 0ustar tkoodatkooda# example: reject samba traffic (tcp and udp) # >:135,137-139,443 dirwall-0.11/INSTALL0100600000175000017500000000014510073366270013443 0ustar tkoodatkoodaTo install: ----------- make install To remove: ---------- make remove rm -r /etc/dirwall dirwall-0.11/LICENSE0100600000175000017500000000302710073366270013421 0ustar 
tkoodatkoodaThis is distributed under the BSD liscense. Copyright (c) 2004, Thor Kooda All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the organisation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
dirwall-0.11/Changelog0100600000175000017500000000047110073374740014227 0ustar tkoodatkoodadirwall changelog ================= v0.11 - 2004-07-08 * added REJECT target support * added nat table flushing and setting of default nat table policies * renamed default filter policy config files to support nat policies * better documentation v0.10 - 2004-06-24 * cleaned up for public release dirwall-0.11/Makefile0100600000175000017500000000213510073366270014053 0ustar tkoodatkooda# simple dirwall install Makefile SYSVLINK="/etc/rc2.d" RCSCRIPT="/etc/init.d" dirwall : install : @[ -e "/etc/dirwall" ] && echo "/etc/dirwall dir already exists, skipping.." || ( cp -r etc/dirwall /etc; echo "installed: /etc/dirwall" ) @[ -e "$(RCSCRIPT)/dirwall" ] && echo "$(RCSCRIPT)/dirwall file already exists, skipping.." || ( cp etc/init.d/dirwall $(RCSCRIPT); chmod a+rx $(RCSCRIPT)/dirwall; echo "installed: $(RCSCRIPT)/dirwall" ) @[ -h "$(SYSVLINK)/S19dirwall" ] && echo "$(SYSVLINK)/S19dirwall link already exists, skipping.." || ( ln -s $(RCSCRIPT)/dirwall $(SYSVLINK)/S19dirwall; echo "installed: $(SYSVLINK)/S19dirwall" ) remove : @[ ! -e "/etc/dirwall" ] && echo "/etc/dirwall dir dosn't exist, skipping.." || ( echo "please remove /etc/dirwall manually" ) @[ ! -e "$(RCSCRIPT)/dirwall" ] && echo "$(RCSCRIPT)/dirwall file dosn't exist, skipping.." || ( rm $(RCSCRIPT)/dirwall; echo "removed: $(RCSCRIPT)/dirwall" ) @[ ! -h "$(SYSVLINK)/S19dirwall" ] && echo "$(SYSVLINK)/S19dirwall link dosn't exist, skipping.." || ( rm $(SYSVLINK)/S19dirwall; echo "removed: $(SYSVLINK)/S19dirwall" ) dirwall-0.11/README0100600000175000017500000001131710073366537013303 0ustar tkoodatkoodadirwall ======= ## ABOUT: I wrote this because I wanted to have the ability to have useful iptables rules described in a concice and (hopefully) sane format. I separated the rules from the script logic to make it easier to update the script without touching the actual rules. 
This also makes it easy for other packages to manage the rules.

## FAQ:

dirwall is a linux iptables firewall script that stores the rules separate from the script logic. The rule syntax is intended to be simpler than the iptables commands they generate.

## CONFIG:

Configuration settings are either stored in files in the "/etc/dirwall/config/" dir, or generated via scripts in the "/etc/dirwall/scripts/" dir.

## CONFIG FILES (in "/etc/dirwall/config/"):

VERBOSE - boolean to enable verbose output
DEBUG - boolean to enable debugging
LOG - boolean to enable logging via syslog
LOG_FLOOD - log flood limit
LOG_LEVEL - syslog log level
ALLOW_ICMP - icmp types to allow
RPFILTER - boolean to enable rp_filter (required until interfaces supported)
FORWARD - boolean to enable forwarding ("/proc/sys/net/ipv4/ip_forward"); defaults to 1 (on) when the file is absent
POLICY_FILTER_INPUT - filter chain input target default policy
POLICY_FILTER_FORWARD - filter chain forward target default policy; defaults to ACCEPT when the file is absent (the shipped config sets DROP). The script adds no catch-all rule to the FORWARD chain, so on a multi-homed host keep this at DROP unless you intend to route freely between interfaces.
POLICY_FILTER_OUTPUT - filter chain output target default policy
POLICY_NAT_PREROUTING - nat chain prerouting target default policy
POLICY_NAT_POSTROUTING - nat chain postrouting target default policy
POLICY_NAT_OUTPUT - nat chain output target default policy

(all config files are optional; values are passed to iptables and /proc unvalidated)

## CONFIG SCRIPTS (in "/etc/dirwall/scripts/"):

dirwall-begin - for custom local commands to be run before the dirwall script has done most of its work
dirwall-end - for custom local commands to be run after the dirwall script has done most of its work
iface-wan - custom local script that prints the local wan interface (used for MASQ and NAT rules)

dirwall-begin and dirwall-end are sourced into the firewall script itself, which runs as root, and iface-wan is executed by it; all three must be owned by root and not writable by any other user.

## RULES:

The dirwall rules are stored in rule files located in "/etc/dirwall/{ACCEPT,FORWARD,MASQ,NAT,NOLOG,REJECT}/*". There may be multiple rules per file, separated by whitespace. Comments starting with a '#' are allowed anywhere in the rule files. Every file in a rule directory is loaded except names containing '~', so do not leave stray copies (e.g. *.rpmsave) there. The rule filenames are reserved for packages that have that name (e.g. the "ssh" package has the right to manage the "/etc/dirwall/ACCEPT/ssh" rule file).
Local rule files should begin with the word "local-" so that they don't conflict.

## RULE SYNTAX:

rule = [ hostlist ] [ ">" hostlist ] [ "<" proto ] [ "=" extra ]
hostlist = [ host [ "," host [...] ] ] [ ":" portlist ]
host = [ ip [ "/" mask ] ]
ip = ( ipv4 dotted decimal address | dns host address )
mask = ( ipv4 dotted decimal bitmask | integer bitmask )
portlist = [ portrange [ "," portrange [...] ] ]
portrange = [ port [ "-" port ] ]
port = ( ipv4 port integer )
proto = "tcp" | "udp" | "icmp" | "all" | ( other from /etc/protocols )
extra = [ host ]

A dns host address is resolved by iptables when the rules are loaded. If the name does not resolve, only that rule fails to load and the script carries on, so prefer addresses over names, especially in REJECT and NOLOG rules.

REJECT rules are always installed ahead of ACCEPT rules, so where the two overlap REJECT wins. Loopback traffic, the ALLOW_ICMP types and established/related connections are accepted before any REJECT rule and cannot be blocked by one.

## RULE EXAMPLES:

* allow http access from anywhere:
  echo '>:80' > /etc/dirwall/ACCEPT/local-http
* allow ssh access from lan:
  echo '10.0.0.0/24>:22' > /etc/dirwall/ACCEPT/local-ssh
* allow dns access from anywhere:
  echo '>:53' > /etc/dirwall/ACCEPT/local-dns
* enable logging:
  echo 1 > /etc/dirwall/config/LOG
* don't log samba traffic:
  echo '>:135,137-139,443' > /etc/dirwall/NOLOG/local-samba
* allow proxy access from 1.2.3.4:
  echo '1.2.3.4>:8080' > /etc/dirwall/ACCEPT/local-proxy
* 1:1 NAT the public address 5.6.7.8 to the internal host 10.0.0.2:
  echo '5.6.7.8>10.0.0.2' > /etc/dirwall/NAT/local-lan-2
  (NAT rules are written "external>internal"; note that everything arriving on the wan interface for the internal host is then accepted, on every port.)

## TODO:

* don't print chain name if rule files have no rules (i.e. commented out)
* more robust handling of invalid rules
* mangle table support?
dirwall-0.11/UPGRADING0100600000175000017500000000032010073366270013650 0ustar tkoodatkooda
v0.11 - 2004-07-08
* the default filter policy config files have moved from: /etc/dirwall/config/POLICY_{FORWARD,INPUT,OUTPUT} to: /etc/dirwall/config/POLICY_FILTER_{FORWARD,INPUT,OUTPUT}