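#!/bin/bash
#
# firewall      This script sets up firewall rules.
#
# description: Sets up or removes firewall rules.
#
# Firewall rules for a firewall between a private internal network and the
# Internet.
#
# hacked to fit with wizard, protection level and initscripts.
#
# initial copyright :
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
#
# firewall protection level
#
#- level 0 : no protection
#       open all TCP/UDP PORT on / and through the server/firewall
#       DROP unroutable network
#
#- level 1 : light filtering, usual services opened
#       open all TCP/UDP PORT on / and through the server/firewall
#       DROP unroutable network
#       NAT Activated on external interface
#
#- level 2 : only 'internet' services
#       open only configured services on this server/firewall
#       DROP unroutable network
#       NAT Activated on external interface
#
#- level 3 : strong protection : only out mail & http
#       DROP unroutable network
#       block all ports except ssh
#
# this should be launched by a wizard screen ?
#
# Helpers used below but defined by the calling wizard framework, not here:
#   get_var NAME                 - read a wizard variable
#   get_val FILE NAME            - read NAME from the sysconfig FILE
#   chg_val FILE NAME VALUE [s]  - write NAME=VALUE into FILE (the trailing
#                                  's' is passed where the original passed it;
#                                  its meaning is defined by chg_val)
#   echo_debug MSG               - debug output
#   CWD                          - wizard directory

"${CWD}/scripts/store_fwall.sh"

#######################################
# Append services to the PUBLIC (external interface) lists.
# Globals:   TCP_PUBLIC_SERVICES, UDP_PUBLIC_SERVICES (written)
# Arguments: service names
#######################################
add_public() {
  TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES $* "
  UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES $* "
}

#######################################
# Append services to the INTERNAL (private interface) lists.
# Globals:   TCP_INTERNAL_SERVICES, UDP_INTERNAL_SERVICES (written)
# Arguments: service names
#######################################
add_internal() {
  TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES $* "
  UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES $* "
}

# Protection level chosen in the wizard, clamped to 0..3.  A missing or
# non-numeric value falls back to 0 instead of reaching an arithmetic test
# (the original's "typeset -i" was applied to a name that is never used).
wiz_firewall_level=$(get_var wiz_firewall_level)
case "${wiz_firewall_level}" in
  ''|*[!0-9]*) wiz_firewall_level=0 ;;
esac
[ "${wiz_firewall_level}" -ge 3 ] && wiz_firewall_level=3
echo_debug "# firewall level : ${wiz_firewall_level}"

firewall_cfg=/etc/Bastille/bastille-firewall.cfg
bastille_firewall=/etc/init.d/bastille-firewall
bastille_ipchains=/sbin/bastille-ipchains
bastille_netfilter=/sbin/bastille-netfilter
file=/etc/sysconfig/mdk_serv

# check required files
[ -f "${firewall_cfg}" ] || {
  echo_debug "no Bastille config file"
  cp -a ./scripts/bastille-firewall.cfg.default "${firewall_cfg}"
}
for f in "${bastille_firewall}" "${bastille_ipchains}" "${bastille_netfilter}"; do
  [ -f "$f" ] || {
    echo_debug "no $f file"
    cp "/usr/share/Bastille/$(basename "$f")" "$f"
    chmod +x "$f"
  }
done

TCP_PUBLIC_SERVICES=""
UDP_PUBLIC_SERVICES=""
TCP_INTERNAL_SERVICES=""
UDP_INTERNAL_SERVICES=""

# Wildcard address
ANY=0.0.0.0/0

# Interface to Internet
EXTIF=$(get_var wiz_ext_device)
if [ -z "${EXTIF}" ]; then
  EXTIF=ppp0
fi

INTERNAL_IFACES=$(get_var wiz_device)
if [ -z "${INTERNAL_IFACES}" ]; then
  echo_debug "# no internal network, exiting"
  exit 1
fi

# When the internal device is also the external one there is no separate
# public interface, so Bastille gets an empty PUBLIC_IFACES.
if [ "x$INTERNAL_IFACES" = "x$EXTIF" ]; then
  public_ifaces=""
else
  public_ifaces=${EXTIF}
fi
echo_debug "# external network device : ${EXTIF}"
chg_val "${firewall_cfg}" PUBLIC_IFACES "${public_ifaces}"
echo_debug "# internal network device : ${INTERNAL_IFACES}"
chg_val "${firewall_cfg}" INTERNAL_IFACES "${INTERNAL_IFACES}"

# Internal network address.  For stand-alone machines, delete this and
# all the "forward" rules.
INTERNAL=$(get_var wiz_ip_net)/24
if [ "${INTERNAL}" = "/24" ]; then
  echo_debug "# no internal network, exiting"
  exit 1
fi

# DNS Caching Name Server activated or not (an empty config value counts as 0)
wiz_caching_dns=$(get_val "${file}" wiz_caching_dns)
if [ "${wiz_caching_dns:-0}" -eq 1 ]; then
  echo_debug "# DNS caching dns server : ${wiz_caching_dns}"
  # NOTE(review): DNS_SERVERS is set to the wildcard address ANY, as in the
  # original; confirm that is the intended scope for bastille-firewall.
  chg_val "${firewall_cfg}" DNS_SERVERS "${ANY}" s
  UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES domain "
else
  echo_debug "# No DNS caching dns server : ${wiz_caching_dns}"
  chg_val "${firewall_cfg}" DNS_SERVERS "" s
fi

# news
echo_debug "# if exist, activate news server queries"
wiz_news_server=$(get_val "${file}" wiz_news_server)
if [ -n "${wiz_news_server}" ]; then
  # NOTE(review): the news server is written into the NTP_SERVERS key, as in
  # the original; confirm this is the key bastille-firewall expects here.
  chg_val "${firewall_cfg}" NTP_SERVERS "${wiz_news_server}" s
  add_internal nntp
else
  chg_val "${firewall_cfg}" NTP_SERVERS "" s
fi

# ftp: "external" opens it on both interfaces, "internal" only on the
# private side.  UDP entries mirror the TCP list as in the original.
echo_debug "# check ftp server"
wiz_ftp_internal=$(get_val "${file}" wiz_ftp_internal)
wiz_ftp_external=$(get_val "${file}" wiz_ftp_external)
if [ "${wiz_ftp_external:-0}" -eq 1 ]; then
  add_public ftp ftp-data
  add_internal ftp ftp-data
elif [ "${wiz_ftp_internal:-0}" -eq 1 ]; then
  add_internal ftp ftp-data
fi

# http: same internal/external split as ftp
echo_debug "# check http server"
wiz_web_internal=$(get_val "${file}" wiz_web_internal)
wiz_web_external=$(get_val "${file}" wiz_web_external)
if [ "${wiz_web_external:-0}" -eq 1 ]; then
  add_public http https
  add_internal http https
elif [ "${wiz_web_internal:-0}" -eq 1 ]; then
  add_internal http https
fi

# Samba, mail and DHCP are only ever opened on the internal interface.
echo_debug "# check Samba server"
wiz_workgroup=$(get_val "${file}" wiz_workgroup)
if [ -n "${wiz_workgroup}" ]; then
  add_internal netbios-ns netbios-dgm netbios-ssn
fi

echo_debug "# check Mail server"
wiz_mail_server=$(get_val "${file}" wiz_mail_server)
if [ -n "${wiz_mail_server}" ]; then
  add_internal smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps
fi

# Both ends of the DHCP range must be configured; the original tested
# wiz_ip_range2 without ever reading it from the config file.
echo_debug "# check DHCP server"
wiz_ip_range1=$(get_val "${file}" wiz_ip_range1)
wiz_ip_range2=$(get_val "${file}" wiz_ip_range2)
if [ -n "${wiz_ip_range1}" ] && [ -n "${wiz_ip_range2}" ]; then
  add_internal bootps bootpc
fi

# open ssh on both sides.  The PUBLIC lists are extended from the PUBLIC
# lists: the original appended ssh to a copy of the INTERNAL lists, which at
# level 2 exposed every internal-only service (samba, mail, dhcp, ...) on the
# public interface.
add_public ssh
add_internal ssh

# Source function library.  THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
#. /etc/rc.d/init.d/functions

# level 0 and 3: direct routing, no NAT
if [ "${wiz_firewall_level}" -eq 0 ] || [ "${wiz_firewall_level}" -eq 3 ]; then
  echo_debug "# Direct routing (without NAT)"
  chg_val "${firewall_cfg}" IP_MASQ_NETWORK "" s
else
  echo_debug "# NAT internal network : ${INTERNAL}"
  chg_val "${firewall_cfg}" IP_MASQ_NETWORK "${INTERNAL}"
fi

case "${wiz_firewall_level}" in
  0|1)
    # level 0 or 1: everything open
    echo_debug "# open all TCP/UDP PORT on/and through the server/firewall"
    chg_val "${firewall_cfg}" TCP_PUBLIC_SERVICES ":" s
    chg_val "${firewall_cfg}" UDP_PUBLIC_SERVICES ":" s
    chg_val "${firewall_cfg}" TCP_INTERNAL_SERVICES ":" s
    chg_val "${firewall_cfg}" UDP_INTERNAL_SERVICES ":" s
    ;;
  2)
    # level 2: only the services collected above
    chg_val "${firewall_cfg}" TCP_PUBLIC_SERVICES "$TCP_PUBLIC_SERVICES" s
    chg_val "${firewall_cfg}" UDP_PUBLIC_SERVICES "$UDP_PUBLIC_SERVICES" s
    chg_val "${firewall_cfg}" TCP_INTERNAL_SERVICES "$TCP_INTERNAL_SERVICES" s
    chg_val "${firewall_cfg}" UDP_INTERNAL_SERVICES "$UDP_INTERNAL_SERVICES" s
    ;;
  3)
    # level 3: nothing public, ssh only on the internal side
    chg_val "${firewall_cfg}" TCP_PUBLIC_SERVICES " " s
    chg_val "${firewall_cfg}" UDP_PUBLIC_SERVICES " " s
    chg_val "${firewall_cfg}" TCP_INTERNAL_SERVICES "ssh" s
    chg_val "${firewall_cfg}" UDP_INTERNAL_SERVICES "ssh" s
    ;;
esac

echo_debug "# launch bastille-firewall script"
chkconfig --level 345 bastille-firewall on
# Report whether the rules were actually loaded; the original exited 0 even
# when the init script failed.
if service bastille-firewall start; then
  exit 0
fi
echo_debug "# bastille-firewall failed to start"
exit 1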