#! /bin/bash
# Firewall nové generace pro Czela Debian 3.1
# Autor: Mirek Slugeň
# Spoluautoři: Michal Perlík, Michal Vondráček, Jan Chmelenský, Adam Pribyl
# Vytvořeno: 06.11.2006
# Naposledy změněno: 08.2014
# Tento skript můžete volně šířit a upravovat.

# definujeme cesty v systemu
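# Fixed search path for everything executed below, so the environment of the
# caller (rc, cron, an interactive root shell) cannot substitute binaries.
PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# Required binaries.  command -v is a shell builtin with POSIX semantics; it
# yields an empty string (and non-zero status) when the tool is missing, unlike
# some "which" implementations that print a diagnostic on stdout.  Users of
# these variables should test "-x" before running them.
IPTABLES=$(command -v iptables)         # packet filter / NAT; cannot limit bandwidth
TC=$(command -v tc)                     # traffic control (iproute2) - used by the QoS module
IP=$(command -v ip)                     # addresses and routing tables (iproute2)
SYSCTL=$(command -v sysctl)             # kernel network tunables

# Configuration read by the sourced modules
QOS_CONFIG="/etc/firewall/qos.conf"     # members that get an additional QoS limit
NAT_CONFIG="/etc/firewall/nat.conf"     # 1:1 NAT mapping
MACGUARD_DIR="/home/safe/macguard"      # state files of macguard
SSHD_CONFIG="/etc/ssh/sshd_config"      # read only to learn the port sshd listens on
# Scratch directory, currently used only for the generated NAT rule table.
# It is a fixed name under world-writable /tmp, so any file read from here
# must first be verified to be a root-owned regular file (not a symlink).
TMP="/tmp/firewall"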

# zakladni nastaveni (globalni)
# --- global switches ---------------------------------------------------------
FIREWALL="yes"                  # master switch for the whole firewall
QOS="yes"                       # traffic shaping on/off
QOS_TYPE="none"                 # layer7_esfq | layer7 | esfq | none
                                #   layer7_esfq - most complete and best; needs a correct QOS_DIRECTION on every shaped interface
                                #   layer7      - shares bandwidth by protocol type
                                #   esfq        - shares bandwidth fairly between IP addresses
                                #   none        - plain sfq
QOS_LIMIT_TYPE="hfsc"           # hfsc | htb - both limit rates; hfsc has proven more reliable
QOS_DEVICE="ifb"                # imq  - best choice
                                # ifb  - no half duplex (HD) and no layer7, may kernel-panic on Atheros
                                # none - shaping in one direction only
NAT="no"                        # address translation; only on border routers (internet gateways)
NO_P2P="no"                     # block P2P traffic - use only on a very slow link!
MACGUARD="yes"                  # member access control on this router; do not combine with QoS HD mode
MACGUARD_SERVER="10.101.0.1"    # host running macguard-server

# --- traffic accounting and graphs -------------------------------------------
ACCOUNT="yes"                   # fast and accurate counting of transferred bytes
ACCOUNT_GRAPHS="yes"            # periodic rrdtool graphs for the web interface
ACCOUNT_GRAPHS_SYSTEM="yes"     # system graphs: CPU load, disk usage, ...
ACCOUNT_GRAPHS_IFACE="yes"      # per-interface load graphs
ACCOUNT_GRAPHS_DRIVES="yes"     # disk utilisation graphs
ACCOUNT_GRAPHS_PING="yes"       # ping graphs to admin-defined hosts
ACCOUNT_GRAPHS_IP="yes"         # per-IP throughput graphs for the whole internal range
ACCOUNT_GRAPHS_IP_EX="yes"      # also store zero samples in the IP graphs (off = less accurate, much cheaper)
ACCOUNT_GRAPHS_SIGNAL="yes"     # wifi client signal graphs
ACCOUNT_GRAPHS_MK_SIGNAL="yes"  # signal of wifi clients attached directly to a Mikrotik

# --- values handed to the DHCP server that macguard generates ----------------
DNS_PRIMARY="10.101.253.14"     # primary DNS
DNS_SECONDARY="10.101.254.193"  # secondary DNS
NETBIOS="10.101.253.14"         # NetBIOS name server
DOMAIN="lbcfree.net"            # domain name

# Virtual interfaces (present on every box, not physical NICs)
LO_IFACE="lo"                   # loopback
DUMMY_IFACE="dummy0"            # dummy interface giving a multi-NIC host one stable identity

# NAT: the czela.net / internal range versus the outside world
NAT_DEV="eth0"                  # interface through which the external network is reached
NAT_TYPE="normal"               # tree | normal; tree is better for more than ~50 addresses
INTERNAL_IP="10.101.0.0/16"     # internal address range
EXTERNAL_IP="78.108.105.0/24"   # external address range

# Per-interface settings, DEV0..DEV3.  The groups are consumed by the sourced
# modules (/etc/firewall/qos, macguard, p2p); this file only shows the names, so
# the field meanings below are inferred - confirm them in the modules:
#   DEVn_IFACE          - interface name
#   DEVn_QOS            - shape traffic on this interface (yes/no)
#   DEVn_QOS_RATE       - rate handed to the QoS module (units not stated here - verify)
#   DEVn_QOS_DUPLEX     - FD = full duplex, HD = half duplex (see the QOS_DEVICE note)
#   DEVn_QOS_DIRECTION  - side of the link; must be correct for layer7_esfq (see QOS_TYPE)
#   DEVn_MACGUARD       - enforce macguard member checks here (yes/no)
#   DEVn_MACGUARD_DHCP  - let macguard also serve DHCP here (yes/no)
#   DEVn_NO_P2P         - block P2P on this interface (yes/no)
#   DEVn_DESCRIPTION    - free-text label
DEV0_IFACE="eth0"
DEV0_QOS="no"
DEV0_QOS_RATE="2000"
DEV0_QOS_DUPLEX="FD"
DEV0_QOS_DIRECTION="LAN"
DEV0_MACGUARD="no"
DEV0_MACGUARD_DHCP="no"
DEV0_NO_P2P="no"
DEV0_DESCRIPTION=""

# backbone VLAN
DEV1_IFACE="eth0.3300"
DEV1_QOS="no"
DEV1_QOS_RATE="2000"
DEV1_QOS_DUPLEX="FD"
DEV1_QOS_DIRECTION="LAN"
DEV1_MACGUARD="no"
DEV1_MACGUARD_DHCP="no"
DEV1_NO_P2P="no"
DEV1_DESCRIPTION="Paterni VLANa"

# member-facing interfaces: shaped and guarded
DEV2_IFACE="eth1"
DEV2_QOS="yes"
DEV2_QOS_RATE="2000"
DEV2_QOS_DUPLEX="FD"
DEV2_QOS_DIRECTION="LAN"
DEV2_MACGUARD="yes"
DEV2_MACGUARD_DHCP="yes"
DEV2_NO_P2P="no"
DEV2_DESCRIPTION=""

DEV3_IFACE="eth2"
DEV3_QOS="yes"
DEV3_QOS_RATE="2000"
DEV3_QOS_DUPLEX="FD"
DEV3_QOS_DIRECTION="LAN"
DEV3_MACGUARD="yes"
DEV3_MACGUARD_DHCP="yes"
DEV3_NO_P2P="no"
DEV3_DESCRIPTION=""

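# Load the subsystem implementations and the QoS member list.  They are sourced
# into this root shell, so they must be root-owned and not writable by anyone
# else - whatever they contain runs as root.  A missing file would otherwise only
# surface later as "command not found" when e.g. qos_start is called, so fail
# early with a clear message instead.
for FW_MODULE in /etc/firewall/qos /etc/firewall/qos.conf /etc/firewall/macguard \
                 /etc/firewall/nat /etc/firewall/p2p /etc/firewall/account; do
    if [ ! -r "$FW_MODULE" ]; then
        echo "$0: cannot read $FW_MODULE" >&2
        exit 1
    fi
    . "$FW_MODULE"
done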

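# Helper shared by the FTP/SSH rules below.
# Accepts new TCP connections to router port $1, but drops a source that opened
# more than 5 new connections to that port within the last 60 seconds (a simple
# brute-force throttle).  The two "recent" rules must be appended BEFORE the
# ACCEPT: iptables stops at the first terminating match, so an ACCEPT appended
# first turns the throttle into dead code.  $2 names the "recent" list so every
# service keeps its own counter instead of all sharing the DEFAULT list.
throttled_input_accept() {
    local PORT="$1" LIST="$2"
    $IPTABLES -A INPUT -p TCP --dport "$PORT" -m state --state NEW -m recent --name "$LIST" --set
    $IPTABLES -A INPUT -p TCP --dport "$PORT" -m state --state NEW -m recent --name "$LIST" --update --seconds 60 --hitcount 6 --rttl -j DROP
    $IPTABLES -A INPUT -p TCP --dport "$PORT" -j ACCEPT
}

# Main dispatch: the first argument selects the action.
case "$1" in

start)
    # Build the rule set from scratch.  Site-specific rules belong in this arm.
    echo -n "Starting firewall..."

    if [ "$FIREWALL" != "yes" ]; then
        echo "firewall is disabled."
        exit 0
    fi

    # With an empty $IPTABLES every command below would try to run "-F" etc.
    if [ ! -x "$IPTABLES" ]; then
        echo "iptables binary not found, aborting."
        exit 1
    fi

    # Tree-style NAT generates its rule table into $TMP before the chains are flushed.
    [ "$NAT" = "yes" ] && [ "$NAT_TYPE" = "tree" ] && nat

    # Drop every existing rule and user-defined chain in all three tables.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    # Load the generated tree rules.  $TMP is a fixed name under world-writable
    # /tmp, so refuse anything that is not a root-owned regular directory/file:
    # a symlink or a file planted there by another local user would otherwise be
    # loaded straight into the packet filter.
    if [ "$NAT" = "yes" ] && [ "$NAT_TYPE" = "tree" ]; then
        if [ -L "$TMP" ] || [ ! -d "$TMP" ] || [ ! -O "$TMP" ] \
           || [ -L "$TMP/table" ] || [ ! -f "$TMP/table" ] || [ ! -O "$TMP/table" ]; then
            echo "refusing to load $TMP/table: not a root-owned regular file."
            exit 1
        fi
        # read via stdin: older iptables-restore versions take no file argument
        iptables-restore < "$TMP/table"
    fi

    # Default policies: the router forwards everything; packets addressed to the
    # router itself are dropped unless a rule below allows them.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    # Loopback
    $IPTABLES -A INPUT -i "$LO_IFACE" -j ACCEPT

    # Replies to connections the router opened itself, plus related traffic.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ---------------------------------------------------------------------------

    # Windows RPC / NetBIOS / SMB ports (worm and spyware vectors) are not
    # forwarded in either direction.  Inserted at the head of FORWARD.
    for PORT in 135 139 445; do
        $IPTABLES -I FORWARD -p TCP --dport "$PORT" -j DROP
        $IPTABLES -I FORWARD -p TCP --sport "$PORT" -j DROP
    done
    for PORT in 135 137 139 445; do
        $IPTABLES -I FORWARD -p UDP --dport "$PORT" -j DROP
        $IPTABLES -I FORWARD -p UDP --sport "$PORT" -j DROP
    done

    # Cap of 300 active connections per IP address - very CPU-intensive, disabled.
    #$IPTABLES -I FORWARD -p TCP -m connlimit --connlimit-above 300 -j REJECT --reject-with tcp-reset

    # Blacklisted addresses (example)
    #$IPTABLES -I FORWARD -s 10.93.44.2 -j DROP
    #$IPTABLES -I FORWARD -d 10.93.44.2 -j DROP

    # ---------------------------------------------------------------------------

    # FTP and SSH, reachable from anywhere but throttled against brute force.
    # (The throttle rules are ordered before the ACCEPT inside the helper; with
    # the ACCEPT first they would never be reached.)
    throttled_input_accept 21 FTP
    throttled_input_accept 22 SSH
    # Stricter SSH variant (3 SYNs in 5 minutes), disabled
    #$IPTABLES -A INPUT -p TCP --syn --dport 22 -m recent --name SSH --set
    #$IPTABLES -A INPUT -p TCP --syn --dport 22 -m recent --name SSH --seconds 300 --hitcount 3 --rcheck -j REJECT --reject-with tcp-reset

    # HTTP / HTTPS (web interface), only from the internal ranges
    for NET in "$INTERNAL_IP" 192.168.0.0/16; do
        $IPTABLES -A INPUT -s "$NET" -p TCP --dport 80 -j ACCEPT
        $IPTABLES -A INPUT -s "$NET" -p TCP --dport 443 -j ACCEPT
    done

    # SNMP, internal only
    $IPTABLES -A INPUT -s "$INTERNAL_IP" -p UDP --dport 161:162 -j ACCEPT

    # net-test, internal only
    $IPTABLES -A INPUT -s "$INTERNAL_IP" -p TCP --dport 5001 -j ACCEPT

    # Quagga: VTY ports (2601 zebra, 2604 ospfd in Quagga's default numbering),
    # the OSPF/RIP multicast groups and the OSPF protocol itself.
    # NOTE(review): the VTY ports are accepted from any source.  They are a
    # password-protected telnet-style console; unless remote admins really need
    # them, restrict both rules with -s "$INTERNAL_IP".
    $IPTABLES -A INPUT -p TCP --dport 2601 -j ACCEPT
    $IPTABLES -A INPUT -p TCP --dport 2604 -j ACCEPT
    $IPTABLES -A INPUT -d 224.0.0.5/32 -j ACCEPT
    $IPTABLES -A INPUT -d 224.0.0.6/32 -j ACCEPT
    $IPTABLES -A INPUT -d 224.0.0.9/32 -j ACCEPT
    $IPTABLES -A INPUT -p ospf -j ACCEPT

    # BGP (disabled)
    #$IPTABLES -A INPUT -p TCP --dport 2605 -j ACCEPT
    #$IPTABLES -A INPUT -p TCP --dport 179 -j ACCEPT

    # multicast - TV, Radio czela.net (disabled)
    #$IPTABLES -A INPUT -d 224.0.0.0/24 -j ACCEPT

    # ICMP - ping and error messages
    $IPTABLES -A INPUT -p ICMP -j ACCEPT

    # AUTH/ident: answer with a reset instead of dropping, otherwise remote
    # services that probe ident hang until their lookup times out.
    $IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset

    # ---------------------------------------------------------------------------

    # If sshd listens on a port other than 22: accept that port (throttled the
    # same way as 22) and redirect internal connections to port 22 on every local
    # address to it, so members can still reach the router with a plain "ssh".
    if [ -e "$SSHD_CONFIG" ]; then
        while read -r KEY VALUE _; do
            # only an uncommented "Port" directive (sshd keywords are case-insensitive);
            # the old substring match also fired on e.g. "GatewayPorts no"
            [[ "$KEY" == [Pp][Oo][Rr][Tt] ]] || continue
            [ "$VALUE" != "22" ] || continue
            # the value is spliced into iptables arguments, so insist on a sane port number
            if ! [[ "$VALUE" =~ ^[0-9]{1,5}$ ]] || [ "$VALUE" -lt 1 ] || [ "$VALUE" -gt 65535 ]; then
                echo -n "ignoring bad sshd Port value '$VALUE'..."
                continue
            fi
            echo -n "ssh port $VALUE detected..."
            # port 22 stays reachable from the internal range (it is redirected below)
            $IPTABLES -A INPUT -s "$INTERNAL_IP" -p TCP --dport 22 -j ACCEPT
            # the real sshd port is reachable from everywhere, with the same throttle as 22
            throttled_input_accept "$VALUE" SSH
            # redirect internal connections to port 22 of each local IPv4 address
            # (one address per line with -o; field 4 is "addr/prefix")
            $IP -4 -o addr show | awk '{print $4}' | cut -d/ -f1 | while read -r LOCAL_IP; do
                [ -n "$LOCAL_IP" ] || continue
                $IPTABLES -t nat -I PREROUTING -s "$INTERNAL_IP" -p TCP -d "$LOCAL_IP" --dport 22 -j REDIRECT --to-ports "$VALUE"
            done
        done < "$SSHD_CONFIG"
    fi

    # Example: masquerade 192.168.100.0/24 leaving eth0 behind 10.93.251.251 (disabled)
    #$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j SNAT --to 10.93.251.251

    # Optional subsystems, each implemented in its sourced /etc/firewall/* file
    [ "$NAT" = "yes" ] && [ "$NAT_TYPE" != "tree" ] && nat
    [ "$NO_P2P" = "yes" ] && p2p_start
    [ "$QOS" = "yes" ] && qos_start
    [ "$MACGUARD" = "yes" ] && macguard_start
    [ "$ACCOUNT" = "yes" ] && account_start

    # The limit on total connections through the router moved to /etc/sysctl.conf;
    # apply that file now.
    $SYSCTL -q -p

    echo "done."
    ;;

stop)
    echo -n "Stopping firewall..."
    if [ ! -x "$IPTABLES" ]; then
        echo "iptables binary not found, aborting."
        exit 1
    fi
    # Drop every rule and user-defined chain
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    # Allow everything.  NOTE: this leaves the router itself fully reachable
    # (INPUT policy ACCEPT); "stop" is for maintenance, not a steady state.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    echo "done."
    # tear down the tc shaping as well
    qos_stop
    ;;

restart)
    # "start" flushes everything first, so no separate stop is needed
    "$0" start
    ;;

qos_start)
    [ "$QOS" = "yes" ] && qos_start
    ;;

qos_stop)
    qos_stop
    ;;

qos_restart)
    # re-apply the shaping if enabled, otherwise make sure it is gone
    if [ "$QOS" = "yes" ]; then
        qos_start
    else
        qos_stop
    fi
    ;;

qos_guaranted_classes)
    [ "$QOS" = "yes" ] && qos_guaranted_classes
    ;;

qos_guaranted_class_add_user)
    [ "$QOS" = "yes" ] && qos_guaranted_class_add_user "$2" "$3" "$4"
    ;;

qos_guaranted_class_del_user)
    [ "$QOS" = "yes" ] && qos_guaranted_class_del_user "$2"
    ;;

macguard_update)
    # $2 may be "force" (see usage)
    [ "$MACGUARD" = "yes" ] && macguard_start "update" "$2"
    ;;

macguard_stop)
    macguard_stop
    ;;

macguard_start)
    [ "$MACGUARD" = "yes" ] && macguard_start
    ;;

macguard_allow_user)
    [ "$MACGUARD" = "yes" ] && macguard_allow_user "$2" "$3"
    ;;

macguard_deny_user)
    [ "$MACGUARD" = "yes" ] && macguard_deny_user "$2" "$3"
    ;;

p2p_start)
    p2p_start
    ;;

p2p_stop)
    p2p_stop
    ;;

p2p_allow)
    p2p_allow_all
    ;;

p2p_deny)
    p2p_deny_all
    ;;

p2p_allow_ip)
    p2p_allow_ip "$2"
    ;;

p2p_deny_ip)
    p2p_deny_ip "$2"
    ;;

account_start)
    account_start
    ;;

account_stop)
    account_stop
    ;;

account_restart)
    account_restart
    ;;

account_reset)
    account_reset
    ;;

account_graphs_generate)
    [ "$ACCOUNT_GRAPHS_SYSTEM" = "yes" ] && account_graphs_generate_system
    [ "$ACCOUNT_GRAPHS_IFACE" = "yes" ] && account_graphs_generate_interfaces
    [ "$ACCOUNT_GRAPHS_SIGNAL" = "yes" ] && account_graphs_generate_signal
    [ "$ACCOUNT_GRAPHS_DRIVES" = "yes" ] && account_graphs_generate_drives
    # Per-IP generation can take very long when there are many addresses
    [ "$ACCOUNT_GRAPHS_IP" = "yes" ] && account_graphs_generate_ip
    # Mikrotik and ping graphs can also take very long, so they go last
    [ "$ACCOUNT_GRAPHS_PING" = "yes" ] && account_graphs_generate_pings
    [ "$ACCOUNT_GRAPHS_MK_SIGNAL" = "yes" ] && account_graphs_get_mikrotik_wifi_clients
    ;;

account_graphs_generate_ip)
    account_graphs_generate_ip
    ;;

account_graphs_generate_system)
    account_graphs_generate_system
    ;;

account_graphs_generate_interfaces)
    account_graphs_generate_interfaces
    ;;

account_graphs_generate_pings)
    account_graphs_generate_pings
    ;;

account_graphs_generate_signal)
    account_graphs_generate_signal
    ;;

account_graphs_generate_drives)
    account_graphs_generate_drives
    ;;

account_graphs_reset)
    account_graphs_reset
    ;;

*)
    echo "Usage: $0 {start|stop|restart|qos_start|qos_stop|qos_restart|macguard_start|macguard_stop|macguard_update [force]|p2p_start|p2p_stop|account_start|account_stop|account_restart|account_graphs_generate}" >&2
    exit 1
    ;;

esac

exit 0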
