Home Esplora Aiuto
Accedi
yosoyhendrix
/
vesta
1
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 09e4c2d22e
Rami (Branch) Tag
vesta
/
bin
/
v-update-sys-firewall

v-update-sys-firewall 3.2 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. #!/bin/bash
    2. 

  2. # info: update system firewall rules
    3. 

  3. # options: NONE
    4. 

  4. #
    5. 

  5. # The function updates iptables rules
    6. 

  6. 

  7. 

  8. #----------------------------------------------------------#
    9. 

  9. #                    Variable&Function                     #
    10. 

  10. #----------------------------------------------------------#
    11. 

  11. 

  12. # Defining absolute path for iptables and modprobe
    13. 

  13. iptables="/sbin/iptables"
    14. 

  14. modprobe="/sbin/modprobe"
    15. 

  15. 

  16. # Includes
    17. 

  17. source /etc/profile.d/vesta.sh
    18. 

  18. source $VESTA/func/main.sh
    19. 

  19. source $VESTA/conf/vesta.conf
    20. 

  20. 

  21. 

  22. #----------------------------------------------------------#
    23. 

  23. #                    Verifications                         #
    24. 

  24. #----------------------------------------------------------#
    25. 

  25. 

  26. is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
    27. 

  27. 

  28. 

  29. #----------------------------------------------------------#
    30. 

  30. #                       Action                             #
    31. 

  31. #----------------------------------------------------------#
    32. 

  32. 

  33. # Checking local IPv4 rules
    34. 

  34. rules="$VESTA/data/firewall/rules_ipv4.conf"
    35. 

  35. if [ ! -e "$rules" ]; then
    36. 

  36.     exit
    37. 

  37. fi
    38. 

  38. 

  39. # Checking conntrack module avaiabilty
    40. 

  40. $modprobe nf_conntrack >/dev/null 2>&1
    41. 

  41. $modprobe nf_conntrack_ftp >/dev/null 2>&1
    42. 

  42. if [ $? -ne 0 ]; then
    43. 

  43.     stateful='no'
    44. 

  44. fi
    45. 

  45. 

  46. # Creating temporary file
    47. 

  47. tmp=$(mktemp)
    48. 

  48. 

  49. # Flushing INPUT chain
    50. 

  50. echo "$iptables -P INPUT ACCEPT" >> $tmp
    51. 

  51. echo "$iptables -F INPUT" >> $tmp
    52. 

  52. 

  53. # Pasring iptables rules
    54. 

  54. IFS=$'\n'
    55. 

  55. for line in $(sort -r -n -k 2 -t \' $rules); do
    56. 

  56.     eval $line
    57. 

  57.     if [ "$SUSPENDED" = 'no' ]; then
    58. 

  58.         chain="-A INPUT"
    59. 

  59.         proto="-p $PROTOCOL"
    60. 

  60.         port="--dport $PORT"
    61. 

  61.         ip="-s $IP"
    62. 

  62.         state=""
    63. 

  63.         action="-j $ACTION"
    64. 

  64. 

  65.         # Adding multiport module
    66. 

  66.         if [[ "$PORT" =~ ,|-|: ]] ; then
    67. 

  67.             port="-m multiport --dports ${PORT//-/:}"
    68. 

  68.         fi
    69. 

  69. 

  70.         # Accepting all dst ports
    71. 

  71.         if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then
    72. 

  72.             port=""
    73. 

  73.         fi
    74. 

  74. 

  75.         # Checking FTP for contrack module
    76. 

  76.         if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then
    77. 

  77.             if [ "$stateful" != 'no' ]; then
    78. 

  78.                 state="-m conntrack --ctstate NEW"
    79. 

  79.             else
    80. 

  80.                 port="-m multiport --dports 20,21,12000:12100"
    81. 

  81.             fi
    82. 

  82.             ftp="yes"
    83. 

  83.         fi
    84. 

  84. 

  85.         # Adding firewall rule
    86. 

  86.         echo "$iptables $chain $proto $port $ip $state $action" >> $tmp
    87. 

  87.     fi
    88. 

  88. done
    89. 

  89. 

  90. # Handling DNS replies
    91. 

  91. proto="-p udp"
    92. 

  92. port="--sport 53"
    93. 

  93. action="-j ACCEPT"
    94. 

  94. echo "$iptables $chain $proto $port $state $action" >> $tmp
    95. 

  95. 

  96. # Enabling stateful firewall
    97. 

  97. if [ "$stateful" != 'no' ]; then
    98. 

  98.     proto="-p tcp"
    99. 

  99.     state="-m state --state ESTABLISHED,RELATED"
    100. 

  100.     action="-j ACCEPT"
    101. 

  101.     echo "$iptables $chain $proto $state $action" >> $tmp
    102. 

  102. fi
    103. 

  103. 

  104. # Switching chain policy to DROP
    105. 

  105. echo "$iptables -P INPUT DROP" >> $tmp
    106. 

  106. 

  107. # Applying rules
    108. 

  108. bash $tmp
    109. 

  109. 

  110. # Saving rules to the master iptables file
    111. 

  111. if [ -e "/etc/redhat-release" ]; then
    112. 

  112.     /sbin/iptables-save > /etc/sysconfig/iptables
    113. 

  113.     if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then
    114. 

  114.         /sbin/chkconfig iptables on
    115. 

  115.     fi
    116. 

  116. else
    117. 

  117.     sbin/iptables-save > /etc/iptables.up.rules
    118. 

  118. fi
    119. 

  119. 

  120. 

  121. #----------------------------------------------------------#
    122. 

  122. #                       Vesta                              #
    123. 

  123. #----------------------------------------------------------#
    124. 

  124. 

  125. exit
    126.