From f1d6b8a9d3c06f74e904959887cf043d09aff687 Mon Sep 17 00:00:00 2001
From: Dexter Morgan
Date: Thu, 2 Jun 2011 20:51:50 +0000
Subject: Branch for updates
---
firewall_wizard/scripts/do_it_firew.sh | 230 +++++++++++++++++++++++++++++++++
1 file changed, 230 insertions(+)
create mode 100755 firewall_wizard/scripts/do_it_firew.sh
(limited to 'firewall_wizard/scripts/do_it_firew.sh')
diff --git a/firewall_wizard/scripts/do_it_firew.sh b/firewall_wizard/scripts/do_it_firew.sh
new file mode 100755
index 00000000..89defad7
--- /dev/null
+++ b/firewall_wizard/scripts/do_it_firew.sh
@@ -0,0 +1,230 @@
+#!/bin/bash
+#
+# firewall This script sets up firewall rules.
+#
+# description: Sets up or removes firewall rules.
+#
+# Firewall rules for a firewall between a private internal network and the
+# Internet.
+#
+# hacked to fit with wizard, protection level and initscripts.
+#
+# initial copyright :
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+
+# firewall protection level
+#
+#- level 0 : no protection
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+#
+#- level 1 : light filtering, usual services opened
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 2 : only 'internet' services
+# open only configured services on this server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 3 : strong protection : only out mail & http
+# DROP unroutable network
+# block all ports except ssh
+#
+
+# this should be launched by a wizard screen ?
+${CWD}/scripts/store_fwall.sh
+
+typeset -i firewall_level
+wiz_firewall_level=`get_var wiz_firewall_level`
+[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3
+echo_debug "# firewall level : ${wiz_firewall_level}"
+
+firewall_cfg=/etc/Bastille/bastille-firewall.cfg
+bastille_firewall=/etc/init.d/bastille-firewall
+bastille_ipchains=/sbin/bastille-ipchains
+bastille_netfilter=/sbin/bastille-netfilter
+file=/etc/sysconfig/mdk_serv
+
+# check requires files
+[ -f $firewall_cfg ] || {
+ echo_debug "no Bastille config file"
+ cp -a ./scripts/bastille-firewall.cfg.default $firewall_cfg
+ }
+for f in $bastille_firewall $bastille_ipchains $bastille_netfilter; do
+ [ -f $f ] || {
+ echo_debug "no $f file"
+ cp /usr/share/Bastille/$(basename $f) $f
+ chmod +x $f
+}
+done
+
+TCP_PUBLIC_SERVICES=""
+UDP_PUBLIC_SERVICES=""
+TCP_INTERNAL_SERVICES=""
+UDP_INTERNAL_SERVICES=""
+
+# Wildcard address
+ANY=0.0.0.0/0
+
+# Interface to Internet
+EXTIF=`get_var wiz_ext_device`
+if [ -z "${EXTIF}" ]; then
+ EXTIF=ppp0
+fi
+
+INTERNAL_IFACES=`get_var wiz_device`
+if [ -z "${INTERNAL_IFACES}" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+if [ "x$INTERNAL_IFACES" = "x$EXTIF" ]; then
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ""
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+
+else
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ${EXTIF}
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+fi
+
+# Internal network address. For stand-alone machines, delete this and
+# all the "forward" rules.
+INTERNAL=`get_var wiz_ip_net`/24
+if [ "${INTERNAL}" = "/24" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+
+# DNS Caching Name Server activated or not
+wiz_caching_dns=`get_val ${file} wiz_caching_dns`
+if [ ${wiz_caching_dns} -eq 1 ]; then
+ echo_debug "# DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS ${ANY} s
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES domain "
+else
+ echo_debug "# No DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS "" s
+fi
+# news
+echo_debug "# if exist, activate news server queries"
+wiz_news_server=`get_val ${file} wiz_news_server`
+if [ ! -z "${wiz_news_server}" ]; then
+ chg_val ${firewall_cfg} NTP_SERVERS ${wiz_news_server} s
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES nntp "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES nntp "
+else
+ chg_val ${firewall_cfg} NTP_SERVERS "" s
+fi
+
+echo_debug "# check ftp server"
+wiz_ftp_internal=`get_val ${file} wiz_ftp_internal`
+wiz_ftp_external=`get_val ${file} wiz_ftp_external`
+
+if [ ${wiz_ftp_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ftp ftp-data "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ftp ftp-data "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+elif [ ${wiz_ftp_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+fi
+
+echo_debug "# check http server"
+wiz_web_internal=`get_val ${file} wiz_web_internal`
+wiz_web_external=`get_val ${file} wiz_web_external`
+
+if [ ${wiz_web_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES http https "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES http https "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+elif [ ${wiz_web_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+fi
+
+echo_debug "# check Samba server"
+wiz_workgroup=`get_val ${file} wiz_workgroup`
+
+if [ ! -z ${wiz_workgroup} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+fi
+
+echo_debug "# check Mail server"
+wiz_mail_server=`get_val ${file} wiz_mail_server`
+if [ ! -z ${wiz_mail_server} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+fi
+echo_debug "# check DHCP server"
+wiz_ip_range1=`get_val ${file} wiz_ip_range1`
+if [ ! -z ${wiz_ip_range1} -a ! -z ${wiz_ip_range2} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES bootps bootpc "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES bootps bootpc "
+fi
+# open ssh
+TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_PUBLIC_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+#. /etc/rc.d/init.d/functions
+
+# level 0 et 3
+if [ ${wiz_firewall_level} -eq 0 -o ${wiz_firewall_level} -eq 3 ]; then
+ echo_debug "# Direct routing (without NAT)"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK "" s
+else
+ echo_debug "# NAT internal network : ${INTERNAL}"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK ${INTERNAL}
+fi
+
+# level 0 ou 1
+if [ ${wiz_firewall_level} -le 1 ]; then
+ echo_debug "# open all TCP/UDP PORT on/and through the server/firewall"
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES ":" s
+fi
+
+
+if [ ${wiz_firewall_level} -eq 2 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES "$TCP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES "$UDP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "$TCP_INTERNAL_SERVICES" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "$UDP_INTERNAL_SERVICES" s
+fi
+
+if [ ${wiz_firewall_level} -eq 3 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "ssh" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "ssh" s
+fi
+
+echo_debug "# launch bastille-firewall script"
+
+chkconfig --level 345 bastille-firewall on
+service bastille-firewall start
+
+exit 0
-- cgit v1.2.1
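Review bot: The `# open ssh` block undoes the public/internal split the script builds above: `TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "` and its UDP twin replace the public list with the internal one, so at level 2 every internal-only service (domain, nntp, netbios-*, smtp/pop/imap, bootps/bootpc) is written to `TCP_PUBLIC_SERVICES`/`UDP_PUBLIC_SERVICES` in `bastille-firewall.cfg` and becomes reachable on `EXTIF`. The other two assignments in that block append to themselves, so the intent looks like `TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ssh "` and `UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ssh "`. Two smaller defects in the same hunk: the news branch stores `wiz_news_server` under the `NTP_SERVERS` key, which appears to be the time-server setting rather than anything NNTP-related, and the DHCP check reads `wiz_ip_range1` but never fetches `wiz_ip_range2`, so the `-a` test never sees a second value. The unquoted `-eq 1` tests on `wiz_caching_dns`, `wiz_ftp_*` and `wiz_web_*` also fail with a test error (and silently skip the branch) when `get_val` returns an empty string; defaulting them, e.g. `: "${wiz_ftp_external:=0}"`, and quoting the expansions would make the level-2 rule set deterministic.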