path: root/firewall_wizard/scripts/do_it_firew.sh
authorArnaud Desmons <adesmons@mandriva.com>2002-09-05 07:37:06 +0000
committerArnaud Desmons <adesmons@mandriva.com>2002-09-05 07:37:06 +0000
commitf7cca6ea32444a7764d54989bf360530d07d6092 (patch)
tree779049ed3b297fa40354f497a5e0d6ca86505096 /firewall_wizard/scripts/do_it_firew.sh
parent52d4a220029dac288c8b86c3271ce9ab5fbdc6c2 (diff)
Diffstat (limited to 'firewall_wizard/scripts/do_it_firew.sh')
-rwxr-xr-xfirewall_wizard/scripts/do_it_firew.sh230
1 files changed, 230 insertions, 0 deletions
diff --git a/firewall_wizard/scripts/do_it_firew.sh b/firewall_wizard/scripts/do_it_firew.sh
new file mode 100755
index 00000000..89defad7
--- /dev/null
+++ b/firewall_wizard/scripts/do_it_firew.sh
@@ -0,0 +1,230 @@
+#!/bin/bash
+#
+# firewall This script sets up firewall rules.
+#
+# description: Sets up or removes firewall rules.
+#
+# Firewall rules for a firewall between a private internal network and the
+# Internet.
+#
+# hacked to fit with wizard, protection level and initscripts.
+#
+# initial copyright :
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+
+# firewall protection level
+#
+#- level 0 : no protection
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+#
+#- level 1 : light filtering, usual services opened
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 2 : only 'internet' services
+# open only configured services on this server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 3 : strong protection : only out mail & http
+# DROP unroutable network
+# block all ports except ssh
+#
+
+# this should be launched by a wizard screen ?
+${CWD}/scripts/store_fwall.sh
+
+typeset -i firewall_level
+wiz_firewall_level=`get_var wiz_firewall_level`
+[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3
+echo_debug "# firewall level : ${wiz_firewall_level}"
+
+firewall_cfg=/etc/Bastille/bastille-firewall.cfg
+bastille_firewall=/etc/init.d/bastille-firewall
+bastille_ipchains=/sbin/bastille-ipchains
+bastille_netfilter=/sbin/bastille-netfilter
+file=/etc/sysconfig/mdk_serv
+
+# check requires files
+[ -f $firewall_cfg ] || {
+ echo_debug "no Bastille config file"
+ cp -a ./scripts/bastille-firewall.cfg.default $firewall_cfg
+ }
+for f in $bastille_firewall $bastille_ipchains $bastille_netfilter; do
+ [ -f $f ] || {
+ echo_debug "no $f file"
+ cp /usr/share/Bastille/$(basename $f) $f
+ chmod +x $f
+}
+done
+
+TCP_PUBLIC_SERVICES=""
+UDP_PUBLIC_SERVICES=""
+TCP_INTERNAL_SERVICES=""
+UDP_INTERNAL_SERVICES=""
+
+# Wildcard address
+ANY=0.0.0.0/0
+
+# Interface to Internet
+EXTIF=`get_var wiz_ext_device`
+if [ -z "${EXTIF}" ]; then
+ EXTIF=ppp0
+fi
+
+INTERNAL_IFACES=`get_var wiz_device`
+if [ -z "${INTERNAL_IFACES}" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+if [ "x$INTERNAL_IFACES" = "x$EXTIF" ]; then
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ""
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+
+else
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ${EXTIF}
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+fi
+
+# Internal network address. For stand-alone machines, delete this and
+# all the "forward" rules.
+INTERNAL=`get_var wiz_ip_net`/24
+if [ "${INTERNAL}" = "/24" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+
+# DNS Caching Name Server activated or not
+wiz_caching_dns=`get_val ${file} wiz_caching_dns`
+if [ ${wiz_caching_dns} -eq 1 ]; then
+ echo_debug "# DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS ${ANY} s
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES domain "
+else
+ echo_debug "# No DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS "" s
+fi
+# news
+echo_debug "# if exist, activate news server queries"
+wiz_news_server=`get_val ${file} wiz_news_server`
+if [ ! -z "${wiz_news_server}" ]; then
+ chg_val ${firewall_cfg} NTP_SERVERS ${wiz_news_server} s
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES nntp "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES nntp "
+else
+ chg_val ${firewall_cfg} NTP_SERVERS "" s
+fi
+
+echo_debug "# check ftp server"
+wiz_ftp_internal=`get_val ${file} wiz_ftp_internal`
+wiz_ftp_external=`get_val ${file} wiz_ftp_external`
+
+if [ ${wiz_ftp_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ftp ftp-data "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ftp ftp-data "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+elif [ ${wiz_ftp_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+fi
+
+echo_debug "# check http server"
+wiz_web_internal=`get_val ${file} wiz_web_internal`
+wiz_web_external=`get_val ${file} wiz_web_external`
+
+if [ ${wiz_web_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES http https "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES http https "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+elif [ ${wiz_web_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+fi
+
+echo_debug "# check Samba server"
+wiz_workgroup=`get_val ${file} wiz_workgroup`
+
+if [ ! -z ${wiz_workgroup} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+fi
+
+echo_debug "# check Mail server"
+wiz_mail_server=`get_val ${file} wiz_mail_server`
+if [ ! -z ${wiz_mail_server} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+fi
+echo_debug "# check DHCP server"
+wiz_ip_range1=`get_val ${file} wiz_ip_range1`
+if [ ! -z ${wiz_ip_range1} -a ! -z ${wiz_ip_range2} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES bootps bootpc "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES bootps bootpc "
+fi
+# open ssh
+TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_PUBLIC_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+#. /etc/rc.d/init.d/functions
+
+# level 0 et 3
+if [ ${wiz_firewall_level} -eq 0 -o ${wiz_firewall_level} -eq 3 ]; then
+ echo_debug "# Direct routing (without NAT)"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK "" s
+else
+ echo_debug "# NAT internal network : ${INTERNAL}"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK ${INTERNAL}
+fi
+
+# level 0 ou 1
+if [ ${wiz_firewall_level} -le 1 ]; then
+ echo_debug "# open all TCP/UDP PORT on/and through the server/firewall"
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES ":" s
+fi
+
+
+if [ ${wiz_firewall_level} -eq 2 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES "$TCP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES "$UDP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "$TCP_INTERNAL_SERVICES" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "$UDP_INTERNAL_SERVICES" s
+fi
+
+if [ ${wiz_firewall_level} -eq 3 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "ssh" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "ssh" s
+fi
+
+echo_debug "# launch bastille-firewall script"
+
+chkconfig --level 345 bastille-firewall on
+service bastille-firewall start
+
+exit 0
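Review bot: The "open ssh" block copies the INTERNAL service lists into the PUBLIC ones (`TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "` and the UDP twin), so at level 2 every service that was meant to be internal-only — netbios, smtp/pop/imap, bootps/bootpc, domain — is written to TCP_PUBLIC_SERVICES/UDP_PUBLIC_SERVICES and thereby exposed on the external interface; the lines should read `TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ssh "` and `UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ssh "`. Two smaller points in the same hunk: the DHCP check tests `${wiz_ip_range2}` but only `wiz_ip_range1` is ever fetched with get_val, so the second operand is always empty and the unquoted `-z` tests degrade into a malformed `[` expression; fetch it first with `wiz_ip_range2=`get_val ${file} wiz_ip_range2`` and quote both operands. The news-server branch writes the address into `NTP_SERVERS`, which does not match the "news" comment above it — worth confirming that is the intended Bastille key. The numeric tests such as `[ ${wiz_caching_dns} -eq 1 ]` also need quoting, since an empty get_val result makes `[` report an error and silently take the else branch.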