#! /bin/bash
# Firewall nové generace pro Czela Debian 3.1
# Autor: Mirek Slugeň
# Spoluautoři: Michal Perlík, Michal Vondráček, Jan Chmelenský, Adam Pribyl
# Vytvořeno: 06.11.2006
# Naposledy změněno: 08.2014
# Tento skript můžete volně šířit a upravovat.
# definujeme cesty v systemu
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
# zadame cesty k potrebnym binarnim souborum (programum)
IPTABLES=$(which iptables) # iptables umoznuji kontrolovat a ovladat sitove pakety, neumi omezovat rychlost
TC=$(which tc) # soubor z baliku iproute 2, slouzi pro kontrolovani provozu na danem zarizeni
IP=$(which ip) # soubor z baliku iproute 2, slouzi pro zjisteni smerovacich tabulek a ip adres
SYSCTL="$(which sysctl)" # nastaveni zakladnich vlastnosti site v jadru
# zadame cestu k dulezitym konfiguracnim souborum
QOS_CONFIG="/etc/firewall/qos.conf" # zde jsou ulozeni clenove ktere chceme navic vyrazne omezit pomoci qosu
NAT_CONFIG="/etc/firewall/nat.conf" # soubor pro nastaveni natu 1:1
MACGUARD_DIR="/home/safe/macguard" # adresar kde jsou ulozeny soubory pro macguarda
SSHD_CONFIG="/etc/ssh/sshd_config" # nastaveni sshd serveru, potrebne jen pro zjisteni portu kde bezi ssh
TMP="/tmp/firewall" # odkladaci adresar, kam hodime docasne soubory, zatim pouze pro nat
# zakladni nastaveni (globalni)
FIREWALL="yes" # vypnuti/zapnuti firewallu
QOS="yes" # vypnuti/zapnuti QoSu
QOS_TYPE="none" # layer7_esfq - nejkomplexnejsi a take nejlepsi volba, vyzaduje nastaveni spravne QOS_DIRECTION na vsech rozhranich s qosem
# layer7 - rozdeluje pasmo podle typu protokolu
# esfq - spravedlive rozdeluje pasmo na ip adresy
# none - pouzije se obycejne sfq
QOS_LIMIT_TYPE="hfsc" # hfsc | htb - oboje je pro omezovani rychlosti, hfsc se zda byt spolehlivejsi
QOS_DEVICE="ifb" # imq - nejlepsi volba | ifb - neumi HD (polovicni duplex) a layer7, zaroven muze zpusobit kernel panic na atherosech | none - omezuje se jen jednim smerem
NAT="no" # prekladani adres, pouziva se jen u hranicnich routeru (internetovych bran)
NO_P2P="no" # zakazani P2P paketu, pouzivejte jen na velmi pomale lince!
MACGUARD="yes" # system kontroly pripojenych clenu na router, neni vhodne pouzivat rezim HD u QoSu, nemusi to potom fungovat spravne
MACGUARD_SERVER="10.101.0.1" # kde bezi macguard-server
ACCOUNT="yes" # velmi rychle a presne pociani prenesenych dat
ACCOUNT_GRAPHS="yes" # pravidelne vytvareni grafu pomoci rrdtool pro webove rozhrani
ACCOUNT_GRAPHS_SYSTEM="yes" # vytvareni grafu systemovych parametru, jako zatech cpu, obsazeni disku atd...
ACCOUNT_GRAPHS_IFACE="yes" # vytvareni grafu zatizeni jednotlivych rozhrani
ACCOUNT_GRAPHS_DRIVES="yes" # grafy vyuziti pevnych disku
ACCOUNT_GRAPHS_PING="yes" # vytvareni grafu pingu na ruzne uzivatelem definovane servery
ACCOUNT_GRAPHS_IP="yes" # vytvareni grafu prutoku dat vsech ip adres z vnitrniho rozsahu
ACCOUNT_GRAPHS_IP_EX="yes" # ukladani nulovych hodnot do grafu ip, vypnuti snizi presnost grafu, ale podstatne snizi zatez PC
ACCOUNT_GRAPHS_SIGNAL="yes" # vytvareni grafu signalu pro wifi klient
ACCOUNT_GRAPHS_MK_SIGNAL="yes" # ziskavani signalu wifi klientu pripojenych primo na Mikrotik
DNS_PRIMARY="10.101.253.14" # primarni dns pro tvorbu dhcp serveru pomoci macguarda
DNS_SECONDARY="10.101.254.193" # sekundarni dns pro tvorbu dhcp serveru pomoci macguarda
NETBIOS="10.101.253.14" # netbios pro tvorbu dhcp serveru pomoci macguarda
DOMAIN="lbcfree.net" # nazev domeny pro tvorbu dhcp serveru pomoci macguarda
# lokalni loopback rozhrani (rozhrani ktere ma kazde pc, nejedna se o fyzicke rozhrani)
LO_IFACE="lo"
# rozsah czela.netu, nebo vnitrni site (nastaveni pro nat)
NAT_DEV="eth0" # rozhrani pres ktere pristupujeme do venkovni site
NAT_TYPE="normal" # tree | normal, tree je vhodnejsi pro vice jak 50 adres
INTERNAL_IP="10.101.0.0/16" # rozsah vnitrnich adres
EXTERNAL_IP="78.108.105.0/24" # rozsah venkovnich adres
# dummy rozhrani (rozhrani pro identifikaci pc s vice kartami, nejedna se o fyzicke rozhrani)
DUMMY_IFACE="dummy0"
DEV0_IFACE="eth0"
DEV0_QOS="no"
DEV0_QOS_RATE="2000"
DEV0_QOS_DUPLEX="FD"
DEV0_QOS_DIRECTION="LAN"
DEV0_MACGUARD="no"
DEV0_MACGUARD_DHCP="no"
DEV0_NO_P2P="no"
DEV0_DESCRIPTION=""
DEV1_IFACE="eth0.3300"
DEV1_QOS="no"
DEV1_QOS_RATE="2000"
DEV1_QOS_DUPLEX="FD"
DEV1_QOS_DIRECTION="LAN"
DEV1_MACGUARD="no"
DEV1_MACGUARD_DHCP="no"
DEV1_NO_P2P="no"
DEV1_DESCRIPTION="Paterni VLANa"
DEV2_IFACE="eth1"
DEV2_QOS="yes"
DEV2_QOS_RATE="2000"
DEV2_QOS_DUPLEX="FD"
DEV2_QOS_DIRECTION="LAN"
DEV2_MACGUARD="yes"
DEV2_MACGUARD_DHCP="yes"
DEV2_NO_P2P="no"
DEV2_DESCRIPTION=""
DEV3_IFACE="eth2"
DEV3_QOS="yes"
DEV3_QOS_RATE="2000"
DEV3_QOS_DUPLEX="FD"
DEV3_QOS_DIRECTION="LAN"
DEV3_MACGUARD="yes"
DEV3_MACGUARD_DHCP="yes"
DEV3_NO_P2P="no"
DEV3_DESCRIPTION=""
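# Load the feature libraries that define nat, qos_*, macguard_*, p2p_* and
# account_* used by the dispatcher below. The originalsourced each file blindly:
# a missing library only printed the shell's error and the script went on,
# later failing with "command not found" on a half-applied rule set. A firewall
# that is partly configured is worse than one that refuses to start, so a
# missing or unreadable library aborts here. The existence check is done
# separately from the source, because the status of `.` is that of the last
# command in the file and must not be mistaken for a load failure.
for fw_lib in qos qos.conf macguard nat p2p account; do
  if [[ ! -r "/etc/firewall/$fw_lib" ]]; then
    echo "firewall: cannot read /etc/firewall/$fw_lib" >&2
    exit 1
  fi
  . "/etc/firewall/$fw_lib"
done
unset fw_lib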
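# Main part of the script: the first argument selects the action. The helper
# functions are defined first because bash needs a function to exist before it
# is called; their names carry an fw_ prefix so they cannot shadow the
# nat/qos_*/macguard_*/p2p_*/account_* functions from the sourced libraries.

#######################################
# Flush every rule and delete every user chain in the filter, nat and mangle
# tables. Chains are flushed before they are deleted because -X refuses to
# remove a chain that is still referenced.
# Globals:  IPTABLES (read)
#######################################
fw_flush_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X
}

#######################################
# Accept new TCP connections to a port, but drop a source address that opens
# more than five new connections to it within 60 seconds (a crude brute-force
# limiter for FTP and SSH).
# The two `recent` rules are appended BEFORE the ACCEPT rule. ACCEPT is a
# terminating target, so with the original order (ACCEPT first) the limiter
# rules sat behind it and were never reached.
# Arguments: $1 - TCP port number
# Globals:   IPTABLES (read)
#######################################
fw_accept_ratelimited() {
  local port=$1
  # a separate recent list per port, so hits on FTP do not count against SSH
  "$IPTABLES" -A INPUT -p TCP --dport "$port" -m state --state NEW -m recent --name "ratelimit_$port" --set
  "$IPTABLES" -A INPUT -p TCP --dport "$port" -m state --state NEW -m recent --name "ratelimit_$port" --update --seconds 60 --hitcount 6 --rttl -j DROP
  "$IPTABLES" -A INPUT -p TCP --dport "$port" -j ACCEPT
}

#######################################
# If sshd listens on a port other than 22 (according to SSHD_CONFIG), allow
# that port from anywhere, allow port 22 from the internal range only, and
# redirect internal-range connections to port 22 on every local IPv4 address
# to the real sshd port, so logging in on port 22 keeps working inside the
# network.
# Only an uncommented "Port <number>" directive is honoured. The original
# substring match (`grep -i port`) also accepted e.g. "GatewayPorts no" and
# then passed "no" to --dport.
# Globals:   SSHD_CONFIG, IPTABLES, IP, INTERNAL_IP (read)
# Outputs:   progress text on stdout
#######################################
fw_redirect_ssh_port() {
  local keyword value rest local_ip
  [[ -e "$SSHD_CONFIG" ]] || return 0
  while read -r keyword value rest; do
    [[ "$keyword" == [Pp][Oo][Rr][Tt] ]] || continue
    [[ "$value" =~ ^[0-9]+$ ]] || continue
    [[ "$value" == "22" ]] && continue
    echo -n "ssh port $value detected..."
    # port 22 only from the internal range, the real port from anywhere
    "$IPTABLES" -A INPUT -s "$INTERNAL_IP" -p TCP --dport 22 -j ACCEPT
    "$IPTABLES" -A INPUT -p TCP --dport "$value" -j ACCEPT
    # One REDIRECT per local IPv4 address. The address list is produced once;
    # the original re-ran `ip addr show` for every index until it ran out.
    # The `grep -v :` filter is inherited: it also skips addresses carrying an
    # "iface:label" alias in the ip output — kept as it was.
    while IFS= read -r local_ip; do
      [[ -n "$local_ip" ]] || continue
      "$IPTABLES" -t nat -I PREROUTING -s "$INTERNAL_IP" -p TCP -d "$local_ip" --dport 22 -j REDIRECT --to-ports "$value"
    done < <("$IP" addr show | grep inet | grep -v inet6 | grep -v : | awk '{print $2}' | cut -d/ -f1)
  done < "$SSHD_CONFIG"
}

case "$1" in
  start)
    # Beginning of the firewall; add your own rules in this section
    echo -n "Starting firewall..."
    if [[ "$FIREWALL" != "yes" ]]; then
      echo "firewall is disabled."
      exit 0
    fi
    # Tree-type NAT generates its rule file before the tables are flushed
    [[ "$NAT" == "yes" && "$NAT_TYPE" == "tree" ]] && nat
    fw_flush_rules
    # Load the generated NAT rules. NOTE(review): $TMP/table is a fixed path in
    # the shared /tmp, written by nat (defined in /etc/firewall/nat, not visible
    # here); iptables-restore loads whatever it finds there, so $TMP must be
    # root-owned and not writable by other users — confirm how nat creates it.
    [[ "$NAT" == "yes" && "$NAT_TYPE" == "tree" ]] && iptables-restore "$TMP/table"
    # Default policies: forward and emit everything, drop what is addressed to
    # the router itself unless a rule below allows it
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    # Loopback
    "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
    # Replies to connections the router opened itself
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ---------------------------------------------------------------------------
    # Windows RPC/NetBIOS/SMB ports (worm and spyware traffic) are not forwarded
    # in either direction. -I prepends each rule, so they end up in front of
    # anything else in FORWARD, in the same final order as before.
    for blocked_port in 135 139 445; do
      "$IPTABLES" -I FORWARD -p TCP --dport "$blocked_port" -j DROP
    done
    for blocked_port in 135 139 445; do
      "$IPTABLES" -I FORWARD -p TCP --sport "$blocked_port" -j DROP
    done
    for blocked_port in 135 137 139 445; do
      "$IPTABLES" -I FORWARD -p UDP --dport "$blocked_port" -j DROP
    done
    for blocked_port in 135 137 139 445; do
      "$IPTABLES" -I FORWARD -p UDP --sport "$blocked_port" -j DROP
    done
    # Limit of 300 active connections per IP address, very CPU intensive
    #$IPTABLES -I FORWARD -p TCP -m connlimit --connlimit-above 300 -j REJECT --reject-with tcp-reset
    # Dropped IP addresses
    #$IPTABLES -I FORWARD -s 10.93.44.2 -j DROP
    #$IPTABLES -I FORWARD -d 10.93.44.2 -j DROP
    # ---------------------------------------------------------------------------
    # FTP and SSH from anywhere, each with a brute-force limiter in front of the ACCEPT
    fw_accept_ratelimited 21
    fw_accept_ratelimited 22
    # Harder SSH blocking (disabled)
    #$IPTABLES -A INPUT -p TCP --syn --dport 22 -m recent --set
    #$IPTABLES -A INPUT -p TCP --syn --dport 22 -m recent --seconds 300 --hitcount 3 -rcheck -j REJECT --reject-with tcp-reset
    # HTTP and HTTPS only from the internal and the private 192.168/16 range
    for web_port in 80 443; do
      for allowed_net in "$INTERNAL_IP" 192.168.0.0/16; do
        "$IPTABLES" -A INPUT -s "$allowed_net" -p TCP --dport "$web_port" -j ACCEPT
      done
    done
    # SNMP from the internal range
    "$IPTABLES" -A INPUT -s "$INTERNAL_IP" -p UDP --dport 161:162 -j ACCEPT
    # net-test from the internal range
    "$IPTABLES" -A INPUT -s "$INTERNAL_IP" -p TCP --dport 5001 -j ACCEPT
    # Quagga vtys (zebra, ospfd) from anywhere, plus OSPF/RIP multicast and OSPF itself
    "$IPTABLES" -A INPUT -p TCP --dport 2601 -j ACCEPT
    "$IPTABLES" -A INPUT -p TCP --dport 2604 -j ACCEPT
    "$IPTABLES" -A INPUT -d 224.0.0.5/32 -j ACCEPT
    "$IPTABLES" -A INPUT -d 224.0.0.6/32 -j ACCEPT
    "$IPTABLES" -A INPUT -d 224.0.0.9/32 -j ACCEPT
    "$IPTABLES" -A INPUT -p ospf -j ACCEPT
    # BGP (disabled)
    #$IPTABLES -A INPUT -p TCP --dport 2605 -j ACCEPT
    #$IPTABLES -A INPUT -p TCP --dport 179 -j ACCEPT
    # multicast - TV, Radio czela.net (disabled)
    #$IPTABLES -A INPUT -d 224.0.0.0/24 -j ACCEPT
    # ICMP - ping
    "$IPTABLES" -A INPUT -p ICMP -j ACCEPT
    # AUTH/ident: answer with a reset instead of DROP, so remote services do
    # not hang waiting for the ident timeout
    "$IPTABLES" -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset
    # ---------------------------------------------------------------------------
    # sshd on a non-default port: allow it and redirect port 22 from the inside
    fw_redirect_ssh_port
    # NAT example - outside interface eth0, the 192.168.100.0/24 range leaves
    # the outside interface as the single address 10.93.251.251
    #$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -j SNAT --to 10.93.251.251
    [[ "$NAT" == "yes" && "$NAT_TYPE" != "tree" ]] && nat
    [[ "$NO_P2P" == "yes" ]] && p2p_start
    [[ "$QOS" == "yes" ]] && qos_start
    [[ "$MACGUARD" == "yes" ]] && macguard_start
    [[ "$ACCOUNT" == "yes" ]] && account_start
    # The limit on the total number of connections through the router moved to
    # /etc/sysctl.conf; apply that file now
    "$SYSCTL" -q -p
    echo "done."
    ;;
  stop)
    echo -n "Stopping firewall..."
    fw_flush_rules
    # Fail open: with the tables empty every chain accepts, including INPUT
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    echo "done."
    # Remove the QoS configuration from tc
    qos_stop
    ;;
  restart)
    # start flushes everything itself, so no separate stop is needed
    "$0" start
    ;;
  qos_start)
    [[ "$QOS" == "yes" ]] && qos_start
    ;;
  qos_stop)
    qos_stop
    ;;
  qos_restart)
    # Despite the name this only (re)applies the QoS config when enabled and
    # tears it down when disabled; qos_start presumably replaces the existing
    # tc setup itself — defined in /etc/firewall/qos, not visible here
    if [[ "$QOS" == "yes" ]]; then
      qos_start
    else
      qos_stop
    fi
    ;;
  qos_guaranted_classes)
    [[ "$QOS" == "yes" ]] && qos_guaranted_classes
    ;;
  qos_guaranted_class_add_user)
    [[ "$QOS" == "yes" ]] && qos_guaranted_class_add_user "$2" "$3" "$4"
    ;;
  qos_guaranted_class_del_user)
    [[ "$QOS" == "yes" ]] && qos_guaranted_class_del_user "$2"
    ;;
  macguard_update)
    # "$2" is the optional "force" mentioned in the usage text
    [[ "$MACGUARD" == "yes" ]] && macguard_start "update" "$2"
    ;;
  macguard_stop)
    macguard_stop
    ;;
  macguard_start)
    [[ "$MACGUARD" == "yes" ]] && macguard_start
    ;;
  macguard_allow_user)
    [[ "$MACGUARD" == "yes" ]] && macguard_allow_user "$2" "$3"
    ;;
  macguard_deny_user)
    [[ "$MACGUARD" == "yes" ]] && macguard_deny_user "$2" "$3"
    ;;
  p2p_start)
    p2p_start
    ;;
  p2p_stop)
    p2p_stop
    ;;
  p2p_allow)
    p2p_allow_all
    ;;
  p2p_deny)
    p2p_deny_all
    ;;
  p2p_allow_ip)
    p2p_allow_ip "$2"
    ;;
  p2p_deny_ip)
    p2p_deny_ip "$2"
    ;;
  account_start)
    account_start
    ;;
  account_stop)
    account_stop
    ;;
  account_restart)
    account_restart
    ;;
  account_reset)
    account_reset
    ;;
  account_graphs_generate)
    # ACCOUNT_GRAPHS itself is not consulted here; presumably whoever schedules
    # this action checks it — not visible in this file
    [[ "$ACCOUNT_GRAPHS_SYSTEM" == "yes" ]] && account_graphs_generate_system
    [[ "$ACCOUNT_GRAPHS_IFACE" == "yes" ]] && account_graphs_generate_interfaces
    [[ "$ACCOUNT_GRAPHS_SIGNAL" == "yes" ]] && account_graphs_generate_signal
    [[ "$ACCOUNT_GRAPHS_DRIVES" == "yes" ]] && account_graphs_generate_drives
    # Generating the per-IP graphs can take very long when there are many addresses
    [[ "$ACCOUNT_GRAPHS_IP" == "yes" ]] && account_graphs_generate_ip
    # The Mikrotik and ping graphs can also take very long, so they go last
    [[ "$ACCOUNT_GRAPHS_PING" == "yes" ]] && account_graphs_generate_pings
    [[ "$ACCOUNT_GRAPHS_MK_SIGNAL" == "yes" ]] && account_graphs_get_mikrotik_wifi_clients
    ;;
  account_graphs_generate_ip)
    account_graphs_generate_ip
    ;;
  account_graphs_generate_system)
    account_graphs_generate_system
    ;;
  account_graphs_generate_interfaces)
    account_graphs_generate_interfaces
    ;;
  account_graphs_generate_pings)
    account_graphs_generate_pings
    ;;
  account_graphs_generate_signal)
    account_graphs_generate_signal
    ;;
  account_graphs_generate_drives)
    account_graphs_generate_drives
    ;;
  account_graphs_reset)
    account_graphs_reset
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|macguard_update {force}|qos_start|qos_stop}"
    exit 1
    ;;
esac
exit 0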