yosoyhendrix
/
hestiacp


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220
							#!/bin/bash
# info: update system firewall rules
# options: NONE
# labels: panel
#
# example: v-update-firewall
#
# The function updates iptables rules


#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
sysctl="/sbin/sysctl"

# Includes
source /etc/profile.d/hestia.sh
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/func/firewall.sh
source $HESTIA/func/firewall.sh
# shellcheck source=/usr/local/hestia/conf/hestia.conf
source $HESTIA/conf/hestia.conf


#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'


#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Self heal iptables links
heal_iptables_links

# Checking local IPv4 rules
rules="$HESTIA/data/firewall/rules.conf"

if [ ! -e "$rules" ]; then
    exit
fi

# Checking conntrack module avaiabilty
$modprobe nf_conntrack >/dev/null 2>&1
if [ $? -ne 0 ]; then
    $sysctl net.netfilter.nf_conntrack_max >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        conntrack='no'
    fi
fi

$modprobe nf_conntrack_ftp >/dev/null 2>&1
if [ $? -ne 0 ]; then
    conntrack_ftp='no'
fi

# Checking custom OpenSSH  port
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22"  ]; then
    sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
fi

# Load ipset lists before adding Hestia iptables rules
[ -x "$(which ipset)" ] && $BIN/v-update-firewall-ipset

# Creating temporary file
tmp=$(mktemp)

# Flushing INPUT chain
echo "$iptables -P INPUT ACCEPT" >> $tmp
echo "$iptables -F INPUT" >> $tmp

# Enabling stateful support
if [ "$conntrack" != 'no' ] || grep --quiet container=lxc /proc/1/environ; then
    str="$iptables -A INPUT -m state"
    str="$str --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$str" >> $tmp
fi

# Handling local traffic
for ip in $(ls $HESTIA/data/ips); do
    echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
done
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp

# Pasring iptables rules
IFS=$'\n'
for line in $(sort -r -n -k 2 -t \' $rules); do
    parse_object_kv_list "$line"
    if [ "$SUSPENDED" = 'no' ]; then
        proto="-p $PROTOCOL"
        port="--dport $PORT"
        state=""
        action="-j $ACTION"

        if [[ "$IP" =~ ^ipset: ]]; then
            ipset_name="${IP#ipset:}"
            $(v-list-firewall-ipset plain | grep "^$ipset_name\s" >/dev/null) || log_event $E_NOTEXIST "ipset object ($ipset_name) not found"
            ip="-m set --match-set '${ipset_name}' src"
        else
            ip="-s $IP"
        fi

        # Adding multiport module
        if [[ "$PORT" =~ ,|-|: ]] ; then
            port="-m multiport --dports ${PORT//-/:}"
        fi

        # Accepting all dst ports
        if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then
            port=""
        fi

        # Checking FTP for contrack module
        if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then
            if [ "$conntrack_ftp" != 'no' ]; then
                state="-m conntrack --ctstate NEW"
            else
                port="-m multiport --dports 20,21,12000:12100"
            fi
            ftp="yes"
        fi

        # Adding firewall rule
        echo "$iptables -A INPUT $proto $port $ip $state $action" >> $tmp
    fi
done

# Switching chain policy to DROP
echo "$iptables -P INPUT DROP" >> $tmp

# Adding hestia chain
echo "$iptables -N hestia" >> $tmp

# Applying rules
bash $tmp 2>/dev/null

# Deleting temporary file
rm -f $tmp

# Checking custom trigger
if [ -x "$HESTIA/data/firewall/custom.sh" ]; then
    bash $HESTIA/data/firewall/custom.sh
fi

# Checking fail2ban support
if [ ! -z "$FIREWALL_EXTENSION" ]; then
    for chain in $(cat $HESTIA/data/firewall/chains.conf 2>/dev/null); do
        parse_object_kv_list "$chain"
        if [[ "$PORT" =~ ,|-|: ]] ; then
            port="-m multiport --dports $PORT"
        else
            port="--dport $PORT"
        fi
        echo "$iptables -N fail2ban-$CHAIN" >> $tmp
        echo "$iptables -F fail2ban-$CHAIN" >> $tmp
        echo "$iptables -I fail2ban-$CHAIN -s 0.0.0.0/0 -j RETURN" >> $tmp
        echo "$iptables -I INPUT -p $PROTOCOL $port -j fail2ban-$CHAIN" >>$tmp
    done
    bash $tmp 2>/dev/null
    rm -f $tmp

    for ban in $(cat $HESTIA/data/firewall/banlist.conf 2>/dev/null); do
        parse_object_kv_list "$ban"
        echo -n "$iptables -I fail2ban-$CHAIN 1 -s $IP" >> $tmp
        echo " -j REJECT --reject-with icmp-port-unreachable" >> $tmp
    done
    bash $tmp 2>/dev/null
    rm -f $tmp
fi

# Saving rules to the master iptables file
if [ -d "/etc/sysconfig" ]; then
    /sbin/iptables-save > /etc/sysconfig/iptables
    if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then
        /sbin/chkconfig iptables on
    fi
else
    /sbin/iptables-save > /etc/iptables.rules
    routable="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
    preup="/etc/network/if-pre-up.d/hestia-iptables"
    # Recreate the Hestia iptables rules loading script
    rm -f $routable $preup
    if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
        echo '#!/bin/sh' > $routable
        echo '' >> $routable
        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $routable
        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $routable
        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $routable
        echo 'fi' >> $routable
        echo '' >> $routable
        echo "exit 0" >> $routable
        chmod +x $routable
    else
        echo '#!/bin/sh' > $preup
        echo '' >> $preup
        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $preup
        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
        echo 'fi' >> $preup
        echo '' >> $preup
        echo "exit 0" >> $preup
        chmod +x $preup
    fi
fi


#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

exit