
Группа :: Безопасность/Сети
Пакет: fw-scripts


fw-scripts-0.6/000075500000000000000000000000001173727727400134775ustar00rootroot00000000000000fw-scripts-0.6/fw-functions000075500000000000000000000160071173727727400160530ustar00rootroot00000000000000#!/bin/bash -x
#
# Copyright (C) 2008, 2009 Eugene Prokopiev <enp@altlinux.org>
#
# fw-scripts functions
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.


# Command every fw_* helper runs for iptables.  The assignment is unconditional,
# so a value set before sourcing this file is replaced; the helpers expand it
# unquoted, so a value holding a wrapper plus arguments is split into words.
IPTABLES=/sbin/iptables

# Flush every rule and delete every user-defined chain, first in the filter
# table and then in the nat table.  Chain policies are left untouched
# (fw_policy sets those).
# returns: status of the last iptables call
fw_clear() {
  local op
  for op in -F -X; do
    $IPTABLES "$op"
  done
  for op in -F -X; do
    $IPTABLES -t nat "$op"
  done
}

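# Set the default policy of the INPUT, OUTPUT and FORWARD chains.
# params:  policy name (e.g. ACCEPT or DROP)
# returns: 1 on a wrong argument count (message on stderr), else the status
#          of the last iptables call
fw_policy() {
  local policy chain
  if [ $# -ne 1 ]; then
    printf 'fw_policy: expected 1 argument (policy), got %d\n' "$#" >&2
    return 1
  fi
  policy=$1
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" "$policy"
  done
}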


# Create the user chain "allowed": optionally copy the packet to the NETFLOW
# target and to ULOG (prefix "allow"), then ACCEPT it.
# globals: IPTABLES, NETFLOW_PARAMS, ULOG_PARAMS (read).  NETFLOW_PARAMS acts
#          only as a switch - its value is never passed to iptables.
# returns: status of the last iptables call
fw_define_allowed() {
  $IPTABLES -N allowed
  if [ -n "$NETFLOW_PARAMS" ]; then
    $IPTABLES -A allowed -j NETFLOW
  fi
  if [ -n "$ULOG_PARAMS" ]; then
    # ULOG_PARAMS is a space-separated option list; word-splitting is intended
    # shellcheck disable=SC2086
    $IPTABLES -A allowed -j ULOG $ULOG_PARAMS --ulog-prefix allow
  fi
  $IPTABLES -A allowed -j ACCEPT
}

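# Create the user chain "rejected": optionally copy the packet to NETFLOW and
# to ULOG (prefix "drop"), optionally LOG it, then REJECT it (tcp-reset for
# TCP, icmp-port-unreachable for everything else).
# globals: IPTABLES, NETFLOW_PARAMS, ULOG_PARAMS, LOG_PARAM_CRITERIA,
#          LOG_PARAM_PREFIX (read).  NETFLOW_PARAMS acts only as a switch.
# returns: status of the last iptables call
fw_define_rejected() {
  $IPTABLES -N rejected
  if [ -n "$NETFLOW_PARAMS" ]; then
    $IPTABLES -A rejected -j NETFLOW
  fi
  if [ -n "$ULOG_PARAMS" ]; then
    # space-separated option list; word-splitting is intended
    # shellcheck disable=SC2086
    $IPTABLES -A rejected -j ULOG $ULOG_PARAMS --ulog-prefix drop
  fi
  # The LOG rule is added when either variable is non-empty.  The prefix is
  # passed directly rather than through `echo`, so a value such as "-n" or
  # "-e" is not swallowed as an echo option.
  if [ -n "$LOG_PARAM_CRITERIA" ] || [ -n "$LOG_PARAM_PREFIX" ]; then
    # match criteria such as "-p tcp --dport 25"; word-splitting is intended
    # shellcheck disable=SC2086
    $IPTABLES -A rejected $LOG_PARAM_CRITERIA -j LOG --log-prefix "$LOG_PARAM_PREFIX"
  fi
  $IPTABLES -A rejected -p tcp -j REJECT --reject-with tcp-reset
  $IPTABLES -A rejected -j REJECT --reject-with icmp-port-unreachable
}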

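# Allow all traffic arriving on and leaving through one interface.
# params:  interface name
# returns: 1 on a wrong argument count (message on stderr), else the status
#          of the last iptables call
fw_allow_interface() {
  local iface
  if [ $# -ne 1 ]; then
    printf 'fw_allow_interface: expected 1 argument (interface), got %d\n' "$#" >&2
    return 1
  fi
  iface=$1
  $IPTABLES -A INPUT -i "$iface" -j allowed
  $IPTABLES -A OUTPUT -o "$iface" -j allowed
}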

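# Allow forwarding in both directions between two interfaces.
# params:  incoming interface name, outgoing interface name
# returns: 1 on a wrong argument count (message on stderr), else the status
#          of the last iptables call
fw_forward_between_interfaces() {
  local in_if out_if
  if [ $# -ne 2 ]; then
    printf 'fw_forward_between_interfaces: expected 2 arguments (in, out), got %d\n' "$#" >&2
    return 1
  fi
  in_if=$1
  out_if=$2
  $IPTABLES -A FORWARD -i "$in_if" -o "$out_if" -j allowed
  $IPTABLES -A FORWARD -o "$in_if" -i "$out_if" -j allowed
}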

# TCP sanity rules for INPUT, OUTPUT and FORWARD: a packet that conntrack
# sees as a NEW connection but that is not a SYN goes to "rejected"; packets
# of an established or related connection go to "allowed".
# returns: status of the last iptables call
fw_validate_tcp() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -A "$chain" -p tcp ! --syn -m state --state new -j rejected
    $IPTABLES -A "$chain" -p tcp -m state --state established,related -j allowed
  done
}

# Allow every ICMP type in and out of the host (INPUT and OUTPUT only; no
# FORWARD rule is added).
# returns: status of the last iptables call
fw_allow_icmp() {
  local chain
  for chain in INPUT OUTPUT; do
    $IPTABLES -A "$chain" -p icmp -j allowed
  done
}

# Allow UDP on the unprivileged port range in and out of the host, intended
# for replies to local UDP clients.  NOTE(review): the rule is stateless -
# `--port` is the multiport `--ports` option, which matches when either the
# source or the destination port is in 1024:65535, so unsolicited inbound UDP
# to any unprivileged local port is accepted as well; confirm that is intended
# (a `-m state --state established,related` match would limit it to replies).
# returns: status of the last iptables call
fw_allow_client_udp() {
  local chain
  for chain in INPUT OUTPUT; do
    $IPTABLES -A "$chain" -m multiport -p udp --port 1024:65535 -j allowed
  done
}

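# Allow UDP traffic; the rule shape is chosen by the argument count:
#   2: source, destination
#      INPUT from source to destination and OUTPUT back, any port
#   3: source, destination, destination port
#      INPUT to the port and OUTPUT from it
#   6: source, fake destination, destination port, redirected host,
#      redirected port, fake source
#      DNAT fake destination:port to host:port, allow the FORWARD flow in
#      both directions, SNAT the forwarded packets to the fake source
# returns: 1 on an unsupported argument count (message on stderr), else the
#          status of the last iptables call
fw_allow_udp() {
  case $# in
    2)
      $IPTABLES -A INPUT -p udp -s "$1" -d "$2" -j allowed
      $IPTABLES -A OUTPUT -p udp -d "$1" -s "$2" -j allowed
      ;;
    3)
      $IPTABLES -A INPUT -p udp -s "$1" -d "$2" --dport "$3" -j allowed
      $IPTABLES -A OUTPUT -p udp -d "$1" -s "$2" --sport "$3" -j allowed
      ;;
    6)
      $IPTABLES -t nat -A PREROUTING -p udp -s "$1" -d "$2" --dport "$3" -j DNAT --to-destination "$4:$5"
      $IPTABLES -A FORWARD -p udp -s "$1" -d "$4" --dport "$5" -j allowed
      $IPTABLES -A FORWARD -p udp -d "$1" -s "$4" --sport "$5" -j allowed
      $IPTABLES -t nat -A POSTROUTING -p udp -s "$1" -d "$4" --dport "$5" -j SNAT --to-source "$6"
      ;;
    *)
      printf 'fw_allow_udp: unsupported argument count %d (expected 2, 3 or 6)\n' "$#" >&2
      return 1
      ;;
  esac
}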

# Allow any TCP connection initiated by this host: a SYN leaving on OUTPUT
# is accepted regardless of destination address or port.
# returns: status of the iptables call
fw_allow_client_tcp() {
  local rule
  rule='-A OUTPUT -p tcp --syn -j allowed'
  # shellcheck disable=SC2086 -- the rule is a fixed word list
  $IPTABLES $rule
}

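# Publish an internal host through a fake address: traffic from the source
# to the fake destination is DNATed to the real destination, replies are
# SNATed to the fake source, and forwarding is allowed in both directions.
# params:  source address, fake destination address, fake source address,
#          real destination address
# returns: 1 on a wrong argument count (message on stderr), else the status
#          of the last iptables call
fw_allow_host() {
  local src fake_dst fake_src dst
  if [ $# -ne 4 ]; then
    printf 'fw_allow_host: expected 4 arguments, got %d\n' "$#" >&2
    return 1
  fi
  src=$1
  fake_dst=$2
  fake_src=$3
  dst=$4
  $IPTABLES -t nat -A PREROUTING -s "$src" -d "$fake_dst" -j DNAT --to-destination "$dst"
  $IPTABLES -t nat -A POSTROUTING -s "$src" -d "$dst" -j SNAT --to-source "$fake_src"
  $IPTABLES -A FORWARD -s "$src" -d "$dst" -j allowed
  $IPTABLES -A FORWARD -s "$dst" -d "$src" -j allowed
}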

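# Allow new (SYN) TCP connections; the rule shape is chosen by the argument
# count.  Only the connection-opening packet is matched here; the rest of
# the connection is covered by the established/related rules of
# fw_validate_tcp.
#   2: source, destination
#      INPUT from source to destination, any port
#   3: source, destination, destination port
#      INPUT from source to destination:port
#   4: source, destination, destination port, redirected port
#      DNAT destination:port to destination:redirected port, then INPUT to
#      the redirected port
#   5: source, destination, destination port, redirected host, redirected port
#      DNAT destination:port to host:port, then FORWARD to host:port
#   6: as 5, plus fake source address
#      SNAT of the forwarded packets to the fake source
# returns: 1 on an unsupported argument count (message on stderr), else the
#          status of the last iptables call
fw_allow_tcp() {
  case $# in
    2)
      $IPTABLES -A INPUT -p tcp --syn -s "$1" -d "$2" -j allowed
      ;;
    3)
      $IPTABLES -A INPUT -p tcp --syn -s "$1" -d "$2" --dport "$3" -j allowed
      ;;
    4)
      $IPTABLES -t nat -A PREROUTING -p tcp -s "$1" -d "$2" --dport "$3" -j DNAT --to-destination "$2:$4"
      $IPTABLES -A INPUT -p tcp --syn -s "$1" -d "$2" --dport "$4" -j allowed
      ;;
    5)
      $IPTABLES -t nat -A PREROUTING -p tcp -s "$1" -d "$2" --dport "$3" -j DNAT --to-destination "$4:$5"
      $IPTABLES -A FORWARD -p tcp --syn -s "$1" -d "$4" --dport "$5" -j allowed
      ;;
    6)
      $IPTABLES -t nat -A PREROUTING -p tcp -s "$1" -d "$2" --dport "$3" -j DNAT --to-destination "$4:$5"
      $IPTABLES -A FORWARD -p tcp --syn -s "$1" -d "$4" --dport "$5" -j allowed
      $IPTABLES -t nat -A POSTROUTING -p tcp -s "$1" -d "$4" --dport "$5" -j SNAT --to-source "$6"
      ;;
    *)
      printf 'fw_allow_tcp: unsupported argument count %d (expected 2 to 6)\n' "$#" >&2
      return 1
      ;;
  esac
}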

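# Allow forwarding of a source address out through an interface and of the
# replies back in; the rule shape is chosen by the argument count:
#   2: interface, source address
#      FORWARD out of the interface from source, and in to source
#   3: interface, source address, fake source address
#      as 2, plus SNAT of the outgoing packets to the fake source
#   4: interface, source address, fake source address, destination address
#      as 3, restricted to that destination in both directions
# returns: 1 on an unsupported argument count (message on stderr), else the
#          status of the last iptables call
fw_forward_to_interface() {
  case $# in
    2)
      $IPTABLES -A FORWARD -o "$1" -s "$2" -j allowed
      $IPTABLES -A FORWARD -i "$1" -d "$2" -j allowed
      ;;
    3)
      $IPTABLES -A FORWARD -o "$1" -s "$2" -j allowed
      $IPTABLES -A FORWARD -i "$1" -d "$2" -j allowed
      $IPTABLES -t nat -A POSTROUTING -o "$1" -s "$2" -j SNAT --to-source "$3"
      ;;
    4)
      $IPTABLES -A FORWARD -o "$1" -s "$2" -d "$4" -j allowed
      $IPTABLES -A FORWARD -i "$1" -d "$2" -s "$4" -j allowed
      $IPTABLES -t nat -A POSTROUTING -o "$1" -s "$2" -d "$4" -j SNAT --to-source "$3"
      ;;
    *)
      printf 'fw_forward_to_interface: unsupported argument count %d (expected 2, 3 or 4)\n' "$#" >&2
      return 1
      ;;
  esac
}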

# Send everything not matched earlier in INPUT, OUTPUT and FORWARD to the
# "rejected" chain (append, so these are the last rules of each chain).
# returns: status of the last iptables call
fw_drop() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -A "$chain" -j rejected
  done
}

# Standard start of a profile: reset the tables, default everything to DROP,
# create the allowed/rejected chains, then open loopback, ICMP, client UDP
# and client TCP and add the TCP state checks.  Profile rules follow; the
# profile should end with fw_end.
# returns: status of the last helper call
fw_begin() {
  # reset
  fw_clear
  fw_policy DROP
  # user chains the remaining helpers jump to
  fw_define_allowed
  fw_define_rejected
  # baseline permissions
  fw_allow_interface lo
  fw_allow_icmp
  fw_allow_client_udp
  fw_allow_client_tcp
  # state checks
  fw_validate_tcp
}

# Same as fw_begin but without fw_allow_client_udp: reset, DROP policies,
# allowed/rejected chains, loopback, ICMP, client TCP, TCP state checks.
# returns: status of the last helper call
fw_begin_no_client_udp() {
  # reset
  fw_clear
  fw_policy DROP
  # user chains the remaining helpers jump to
  fw_define_allowed
  fw_define_rejected
  # baseline permissions (no unprivileged-port UDP here)
  fw_allow_interface lo
  fw_allow_icmp
  fw_allow_client_tcp
  # state checks
  fw_validate_tcp
}

# Standard end of a profile: append the catch-all jumps to "rejected"
# (see fw_drop).
# returns: status of fw_drop
fw_end() { fw_drop; }
fw-scripts-0.6/fw-load000075500000000000000000000020411173727727400147530ustar00rootroot00000000000000#!/bin/sh
#
# Copyright (C) 2008 Eugene Prokopiev <enp@altlinux.org>
#
# fw-scripts loader
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

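# Print the arguments as one line on stderr and abort with status 1.
# params:  message words
error() {
  printf '%s\n' "$*" >&2
  exit 1
}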

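# Profile to load: the first argument, or "default" when none is given.
PROFILE_NAME=${1:-default}

# The name is used verbatim as a path component under the profiles
# directory; it is supplied by the invoking administrator and the profile
# is executed as shell, so only trusted names should be passed here.
PROFILE="/etc/fw-scripts/profiles/$PROFILE_NAME"

[ -f "$PROFILE" ] || error "profile $PROFILE not found"

# Site options (NETFLOW/ULOG/LOG parameters) first, then the fw_* helpers,
# then the profile itself, which is plain shell calling those helpers.
# NOTE(review): fw-functions defines its helpers with the bash-only
# "function" keyword, so the /bin/sh this loader runs under must accept it.
. /etc/fw-scripts/options
. /usr/sbin/fw-functions

. "$PROFILE"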
fw-scripts-0.6/options000064400000000000000000000003511173727727400151140ustar00rootroot00000000000000# fw-scripts options

#NETFLOW_PARAMS="fake"

#ULOG_PARAMS="--ulog-nlgroup 1 --ulog-qthreshold 50"

#LOG_PARAM_CRITERIA=""
#LOG_PARAM_PREFIX="rejected - "

#LOG_PARAM_CRITERIA="-p tcp --dport 25"
#LOG_PARAM_PREFIX="rejected smtp - "
fw-scripts-0.6/profiles/000075500000000000000000000000001173727727400153225ustar00rootroot00000000000000fw-scripts-0.6/profiles/default000064400000000000000000000000671173727727400166740ustar00rootroot00000000000000fw_begin
# Default profile, sourced by fw-load after fw-functions.  fw_begin resets the
# tables, sets DROP policies, creates the allowed/rejected chains and opens
# loopback, ICMP, client UDP/TCP and the TCP state checks.

# Then new TCP connections from any source to port 22 on any local address
# (3-argument form of fw_allow_tcp: an INPUT --syn rule).
fw_allow_tcp 0.0.0.0/0 0.0.0.0/0 22

# Everything else in INPUT, OUTPUT and FORWARD goes to "rejected".
fw_end
 