X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/b8fc6bb720916110856951b7f3afcb184d7612a5..4ccd13ebfa22d9ae1dee2091ee780147088d6eec:/package/firewall/files/uci_firewall.sh?ds=sidebyside diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh index ff82f8bf0..8d7538201 100755 --- a/package/firewall/files/uci_firewall.sh +++ b/package/firewall/files/uci_firewall.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh # Copyright (C) 2008 John Crispin . /etc/functions.sh @@ -16,144 +16,244 @@ config_load firewall config fw_zones ZONE_LIST=$CONFIG_SECTION +CUSTOM_CHAINS=1 DEF_INPUT=DROP DEF_OUTPUT=DROP DEF_FORWARD=DROP +CONNTRACK_ZONES= +NOTRACK_DISABLED= + +find_item() { + local item="$1"; shift + for i in "$@"; do + [ "$i" = "$item" ] && return 0 + done + return 1 +} load_policy() { config_get input $1 input config_get output $1 output config_get forward $1 forward - [ -z "$input" ] && input=$DEF_INPUT - [ -z "$output" ] && output=$DEF_OUTPUT - [ -z "$forward" ] && forward=$DEF_FORWARD + DEF_INPUT="${input:-$DEF_INPUT}" + DEF_OUTPUT="${output:-$DEF_OUTPUT}" + DEF_FORWARD="${forward:-$DEF_FORWARD}" } create_zone() { local exists - + [ "$1" == "loopback" ] && return config_get exists $ZONE_LIST $1 [ -n "$exists" ] && return - config_set $ZONE_LIST $1 1 + config_set $ZONE_LIST $1 1 $IPTABLES -N zone_$1 + $IPTABLES -N zone_$1_MSSFIX $IPTABLES -N zone_$1_ACCEPT $IPTABLES -N zone_$1_DROP $IPTABLES -N zone_$1_REJECT $IPTABLES -N zone_$1_forward - $IPTABLES -A zone_$1_forward -j zone_$1_$5 - $IPTABLES -A zone_$1 -j zone_$1_$3 - $IPTABLES -A OUTPUT -j zone_$1_$4 + [ "$4" ] && $IPTABLES -A output -j zone_$1_$4 $IPTABLES -N zone_$1_nat -t nat $IPTABLES -N zone_$1_prerouting -t nat - [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat + $IPTABLES -t raw -N zone_$1_notrack + [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$1_nat + [ "$7" == "1" ] && $IPTABLES -I FORWARD 1 -j zone_$1_MSSFIX } + addif() { - logger "adding $1 to firewall zone $2" - $IPTABLES -A INPUT -i $1 -j zone_$2 - $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT - $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP - $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT - $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT - $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP - $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT - $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE - $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting - $IPTABLES -A FORWARD -i $1 -j zone_$2_forward + local network="$1" + local ifname="$2" + local zone="$3" + + local n_if n_zone + config_get n_if core "${network}_ifname" + config_get n_zone core "${network}_zone" + [ -n "$n_zone" ] && { + if [ "$n_zone" != "$zone" ]; then + delif "$network" "$n_if" "$n_zone" + else + return + fi + } + + logger "adding $network ($ifname) to firewall zone $zone" + $IPTABLES -A input -i "$ifname" -j zone_${zone} + $IPTABLES -I zone_${zone}_MSSFIX 1 -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + $IPTABLES -I zone_${zone}_ACCEPT 1 -o "$ifname" -j ACCEPT + $IPTABLES -I zone_${zone}_DROP 1 -o "$ifname" -j DROP + $IPTABLES -I zone_${zone}_REJECT 1 -o "$ifname" -j reject + $IPTABLES -I zone_${zone}_ACCEPT 1 -i "$ifname" -j ACCEPT + $IPTABLES -I zone_${zone}_DROP 1 -i "$ifname" -j DROP + $IPTABLES -I zone_${zone}_REJECT 1 -i "$ifname" -j reject + $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE + $IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting + $IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward + $IPTABLES -t raw -I PREROUTING 1 -i "$ifname" -j zone_${zone}_notrack + uci_set_state firewall core "${network}_ifname" "$ifname" + uci_set_state firewall core "${network}_zone" "$zone" + ACTION=add ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall } delif() { - logger "removing $1 from firewall zone $2" - $IPTABLES -D INPUT -i $1 -j zone_$2 - $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT - $IPTABLES -D zone_$2_DROP -o $1 -j DROP - $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT - $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT - $IPTABLES -D zone_$2_DROP -i $1 -j DROP - $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT - $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE - $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting - $IPTABLES -D FORWARD -i $1 -j zone_$2_forward + local network="$1" + local ifname="$2" + local zone="$3" + + logger "removing $network ($ifname) from firewall zone $zone" + $IPTABLES -D input -i "$ifname" -j zone_$zone + $IPTABLES -D zone_${zone}_MSSFIX -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + $IPTABLES -D zone_${zone}_ACCEPT -o "$ifname" -j ACCEPT + $IPTABLES -D zone_${zone}_DROP -o "$ifname" -j DROP + $IPTABLES -D zone_${zone}_REJECT -o "$ifname" -j reject + $IPTABLES -D zone_${zone}_ACCEPT -i "$ifname" -j ACCEPT + $IPTABLES -D zone_${zone}_DROP -i "$ifname" -j DROP + $IPTABLES -D zone_${zone}_REJECT -i "$ifname" -j reject + $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -j MASQUERADE + $IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting + $IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward + uci_revert_state firewall core "${network}_ifname" + uci_revert_state firewall core "${network}_zone" + ACTION=remove ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall } load_synflood() { + local rate=${1:-25} + local burst=${2:-50} echo "Loading synflood protection" - $IPTABLES -N SYN_FLOOD - $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN - $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN - $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN - $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: " - $IPTABLES -A SYN_FLOOD -j DROP - $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD + $IPTABLES -N syn_flood + $IPTABLES -A syn_flood -p tcp --syn -m limit --limit $rate/second --limit-burst $burst -j RETURN + $IPTABLES -A syn_flood -j DROP + $IPTABLES -A INPUT -p tcp --syn -j syn_flood +} + +fw_set_chain_policy() { + local chain=$1 + local target=$2 + [ "$target" == "REJECT" ] && { + $IPTABLES -A $chain -j reject + target=DROP + } + $IPTABLES -P $chain $target +} + +fw_clear() { + $IPTABLES -F + $IPTABLES -t nat -F + $IPTABLES -t nat -X + $IPTABLES -t raw -F + $IPTABLES -t raw -X + $IPTABLES -X } fw_defaults() { - load_policy $1 - DEF_INPUT=$input - DEF_OUTPUT=$output - DEF_FORWARD=$forward + [ -n "$DEFAULTS_APPLIED" ] && { + echo "Error: multiple defaults sections detected" + return; + } + DEFAULTS_APPLIED=1 + + load_policy "$1" echo 1 > /proc/sys/net/ipv4/tcp_syncookies - for f in /proc/sys/net/ipv4/conf/*/accept_redirects + for f in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 0 > $f done - for f in /proc/sys/net/ipv4/conf/*/accept_source_route + for f in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > $f - done + done + + uci_revert_state firewall core + uci_set_state firewall core "" firewall_state + + $IPTABLES -P INPUT DROP + $IPTABLES -P OUTPUT DROP + $IPTABLES -P FORWARD DROP + + fw_clear + config_get_bool drop_invalid $1 drop_invalid 0 + + [ "$drop_invalid" -gt 0 ] && { + $IPTABLES -A INPUT -m state --state INVALID -j DROP + $IPTABLES -A OUTPUT -m state --state INVALID -j DROP + $IPTABLES -A FORWARD -m state --state INVALID -j DROP + NOTRACK_DISABLED=1 + } - $IPTABLES -F - $IPTABLES -t nat -F - $IPTABLES -t mangle -F - $IPTABLES -X -t nat - $IPTABLES -X - - $IPTABLES -P INPUT $input - $IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - $IPTABLES -P OUTPUT $output - $IPTABLES -A OUTPUT -m state --state INVALID -j DROP $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - $IPTABLES -P FORWARD $forward - $IPTABLES -A FORWARD -m state --state INVALID -j DROP - $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - + $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT config_get syn_flood $1 syn_flood config_get syn_rate $1 syn_rate config_get syn_burst $1 syn_burst - - [ -z "$syn_rate" ] && syn_rate=25 - [ -z "$syn_burst" ] && syn_burst=50 [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst + + echo "Adding custom chains" + fw_custom_chains + + $IPTABLES -N input + $IPTABLES -N output + $IPTABLES -N forward + + $IPTABLES -A INPUT -j input + $IPTABLES -A OUTPUT -j output + $IPTABLES -A FORWARD -j forward + + $IPTABLES -N reject + $IPTABLES -A reject -p tcp -j REJECT --reject-with tcp-reset + $IPTABLES -A reject -j REJECT --reject-with icmp-port-unreachable + + fw_set_chain_policy INPUT "$DEF_INPUT" + fw_set_chain_policy OUTPUT "$DEF_OUTPUT" + fw_set_chain_policy FORWARD "$DEF_FORWARD" } -fw_zone() { +fw_zone_defaults() { local name local network local masq config_get name $1 name config_get network $1 network - config_get masq $1 masq + config_get_bool masq $1 masq "0" + config_get_bool conntrack $1 conntrack "0" + config_get_bool mtu_fix $1 mtu_fix 0 + load_policy $1 + [ "$forward" ] && $IPTABLES -A zone_${name}_forward -j zone_${name}_${forward} + [ "$input" ] && $IPTABLES -A zone_${name} -j zone_${name}_${input} +} +fw_zone() { + local name + local network + local masq + + config_get name $1 name + config_get network $1 network + config_get_bool masq $1 masq "0" + config_get_bool conntrack $1 conntrack "0" + config_get_bool mtu_fix $1 mtu_fix 0 + + load_policy $1 + [ "$conntrack" = "1" -o "$masq" = "1" ] && append CONNTRACK_ZONES "$name" [ -z "$network" ] && network=$name - create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" + create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" "$mtu_fix" + fw_custom_chains_zone "$name" } fw_rule() { - local src + local src local src_ip local src_mac local src_port @@ -162,6 +262,7 @@ fw_rule() { local dest_ip local dest_port local proto + local icmp_type local target local ruleset @@ -173,22 +274,48 @@ fw_rule() { config_get dest_ip $1 dest_ip config_get dest_port $1 dest_port config_get proto $1 proto + config_get icmp_type $1 icmp_type config_get target $1 target config_get ruleset $1 ruleset + src_port_first=${src_port%-*} + src_port_last=${src_port#*-} + [ "$src_port_first" -ne "$src_port_last" ] && { \ + src_port="$src_port_first:$src_port_last"; } + + dest_port_first=${dest_port%-*} + dest_port_last=${dest_port#*-} + [ "$dest_port_first" -ne "$dest_port_last" ] && { \ + dest_port="$dest_port_first:$dest_port_last"; } + + ZONE=input + TARGET=$target [ -z "$target" ] && target=DROP - [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT - [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target - [ -n "$dest_port" -a -z "$proto" ] && { \ - echo "dport may only be used it proto is defined"; return; } - $IPTABLES -I $ZONE 1 \ - ${proto:+-p $proto} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - ${dest_ip:+-d $dest_ip} \ - ${dest_port:+--dport $dest_port} \ - -j $TARGET + [ -n "$src" -a -z "$dest" ] && ZONE=zone_$src + [ -n "$src" -a -n "$dest" ] && ZONE=zone_${src}_forward + [ -n "$dest" ] && TARGET=zone_${dest}_$target + + eval 'RULE_COUNT=$((++RULE_COUNT_'$ZONE'))' + + add_rule() { + $IPTABLES -I $ZONE $RULE_COUNT \ + ${proto:+-p $proto} \ + ${icmp_type:+--icmp-type $icmp_type} \ + ${src_ip:+-s $src_ip} \ + ${src_port:+--sport $src_port} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + ${dest_ip:+-d $dest_ip} \ + ${dest_port:+--dport $dest_port} \ + -j $TARGET + } + [ "$proto" == "tcpudp" -o -z "$proto" ] && { + proto=tcp + add_rule + proto=udp + add_rule + return + } + add_rule } fw_forwarding() { @@ -198,9 +325,13 @@ fw_forwarding() { config_get src $1 src config_get dest $1 dest - [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD + [ -n "$src" ] && z_src=zone_${src}_forward || z_src=forward [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT $IPTABLES -I $z_src 1 -j $z_dest + + # propagate masq zone flag + find_item "$src" $CONNTRACK_ZONES && append CONNTRACK_ZONES $dest + find_item "$dest" $CONNTRACK_ZONES && append CONNTRACK_ZONES $src } fw_redirect() { @@ -210,36 +341,64 @@ fw_redirect() { local src_dport local src_mac local dest_ip - local dest_port - local protocol - + local dest_port dest_port2 + local proto + config_get src $1 src config_get src_ip $1 src_ip + config_get src_dip $1 src_dip config_get src_port $1 src_port config_get src_dport $1 src_dport config_get src_mac $1 src_mac config_get dest_ip $1 dest_ip config_get dest_port $1 dest_port - config_get protocol $1 protocol + config_get proto $1 proto [ -z "$src" -o -z "$dest_ip" ] && { \ echo "redirect needs src and dest_ip"; return ; } - [ -n "$dest_port" -a -z "$protocol" ] && { \ - echo "dport may only be used it proto is defined"; return; } - $IPTABLES -A zone_${src}_prerouting -t nat \ - ${protocol:+-p $protocol} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_dport:+--dport $src_dport} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} - $IPTABLES -I zone_${src}_forward 1 \ - ${protocol:+-p $protocol} \ - -d $dest_ip \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${dest_port:+--dport $dest_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j ACCEPT + + src_port_first=${src_port%-*} + src_port_last=${src_port#*-} + [ "$src_port_first" != "$src_port_last" ] && { \ + src_port="$src_port_first:$src_port_last"; } + + src_dport_first=${src_dport%-*} + src_dport_last=${src_dport#*-} + [ "$src_dport_first" != "$src_dport_last" ] && { \ + src_dport="$src_dport_first:$src_dport_last"; } + + dest_port2=${dest_port:-$src_dport} + dest_port_first=${dest_port2%-*} + dest_port_last=${dest_port2#*-} + [ "$dest_port_first" != "$dest_port_last" ] && { \ + dest_port2="$dest_port_first:$dest_port_last"; } + + add_rule() { + $IPTABLES -A zone_${src}_prerouting -t nat \ + ${proto:+-p $proto} \ + ${src_ip:+-s $src_ip} \ + ${src_dip:+-d $src_dip} \ + ${src_port:+--sport $src_port} \ + ${src_dport:+--dport $src_dport} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} + + $IPTABLES -I zone_${src}_forward 1 \ + ${proto:+-p $proto} \ + -d $dest_ip \ + ${src_ip:+-s $src_ip} \ + ${src_port:+--sport $src_port} \ + ${dest_port2:+--dport $dest_port2} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j ACCEPT + } + [ "$proto" == "tcpudp" -o -z "$proto" ] && { + proto=tcp + add_rule + proto=udp + add_rule + return + } + add_rule } fw_include() { @@ -248,43 +407,124 @@ fw_include() { [ -e $path ] && . $path } +get_interface_zones() { + local interface="$2" + local name + local network + config_get name $1 name + config_get network $1 network + [ -z "$network" ] && network=$name + for n in $network; do + [ "$n" = "$interface" ] && append add_zone "$name" + done +} + +fw_event() { + local action="$1" + local interface="$2" + local ifname="$(sh -c ". /etc/functions.sh; include /lib/network; scan_interfaces; config_get "$interface" ifname")" + add_zone= + local up + + [ -z "$ifname" ] && return 0 + config_foreach get_interface_zones zone "$interface" + [ -z "$add_zone" ] && return 0 + + case "$action" in + ifup) + for z in $add_zone; do + local loaded + config_get loaded core loaded + [ -n "$loaded" ] && addif "$interface" "$ifname" "$z" + done + ;; + ifdown) + config_get up "$interface" up + + for z in $ZONE; do + [ "$up" == "1" ] && delif "$interface" "$ifname" "$z" + done + ;; + esac +} + fw_addif() { local up local ifname config_get up $1 up - config_get ifname $1 ifname [ -n "$up" ] || return 0 - (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall) + fw_event ifup "$1" +} + +fw_custom_chains() { + [ -n "$CUSTOM_CHAINS" ] || return 0 + $IPTABLES -N input_rule + $IPTABLES -N output_rule + $IPTABLES -N forwarding_rule + $IPTABLES -N prerouting_rule -t nat + $IPTABLES -N postrouting_rule -t nat + + $IPTABLES -A INPUT -j input_rule + $IPTABLES -A OUTPUT -j output_rule + $IPTABLES -A FORWARD -j forwarding_rule + $IPTABLES -A PREROUTING -t nat -j prerouting_rule + $IPTABLES -A POSTROUTING -t nat -j postrouting_rule +} + +fw_custom_chains_zone() { + local zone="$1" + + [ -n "$CUSTOM_CHAINS" ] || return 0 + $IPTABLES -N input_${zone} + $IPTABLES -N forwarding_${zone} + $IPTABLES -N prerouting_${zone} -t nat + $IPTABLES -I zone_${zone} 1 -j input_${zone} + $IPTABLES -I zone_${zone}_forward 1 -j forwarding_${zone} + $IPTABLES -I zone_${zone}_prerouting 1 -t nat -j prerouting_${zone} +} + +fw_check_notrack() { + local zone="$1" + config_get name "$zone" name + [ -n "$NOTRACK_DISABLED" ] || \ + find_item "$name" $CONNTRACK_ZONES || \ + $IPTABLES -t raw -A zone_${name}_notrack -j NOTRACK } fw_init() { + DEFAULTS_APPLIED= + echo "Loading defaults" config_foreach fw_defaults defaults echo "Loading zones" config_foreach fw_zone zone - echo "Loading rules" - config_foreach fw_rule rule echo "Loading forwarding" config_foreach fw_forwarding forwarding echo "Loading redirects" config_foreach fw_redirect redirect + echo "Loading rules" + config_foreach fw_rule rule echo "Loading includes" config_foreach fw_include include - - uci_set_state firewall core "" firewall_state + echo "Loading zone defaults" + config_foreach fw_zone_defaults zone uci_set_state firewall core loaded 1 - unset CONFIG_APPEND - config_load network - config_foreach fw_addif interface + config_set core loaded 1 + config_foreach fw_check_notrack zone + INTERFACES="$(sh -c ' + . /etc/functions.sh; config_load network + echo_up() { local up; config_get_bool up "$1" up 0; [ $up = 1 ] && echo "$1"; } + config_foreach echo_up interface + ')" + for interface in $INTERFACES; do + fw_event ifup "$interface" + done } fw_stop() { - $IPTABLES -F - $IPTABLES -t nat -F - $IPTABLES -t mangle -F - $IPTABLES -X -t nat - $IPTABLES -X + fw_clear $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT + uci_revert_state firewall }