  1. #!/bin/sh
  2. #
  3. # Steve Eisner - [email protected]
  4. # 2/12/2003
  5. #
  6. # Coyote Firewall Startup Script
  7. #       called by: /etc/rc.d/rc.inet, /etc/ppp/ip-up, /etc/dhcpc/dhcpc.updown
  8.  
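DEBUG=0

PATH=$PATH:/usr/sbin

# Load Coyote variables.  coyote.conf is skipped when a caller has already
# sourced it (CONFIG_LOADED set).
# NOTE(review): /tmp/netsubsys.state is executed as shell code, as root, from
# a world-writable directory.  On a single-purpose appliance with no local
# users the exposure is small, but anything able to create that file runs
# code here.  -f (instead of -e) refuses anything that is not a regular file;
# it does not check the owner.
[ -z "$CONFIG_LOADED" ] && . /etc/coyote/coyote.conf
[ -f /tmp/netsubsys.state ] && . /tmp/netsubsys.state

# Internet-facing interface: the caller's argument wins (rc.inet, ip-up and
# dhcpc.updown pass it), then ppp0 for PPP/PPPoE links, then whatever the
# state file already put in IF_INET, then eth1.
if [ -n "$1" ]; then
  IF_INET=$1
  logger -p daemon.info -t rc.firewall "Firewall script called with: $*"
else
  if [ "$INETTYPE" = "PPPOE" ] || [ "$INETTYPE" = "PPP" ]; then
    IF_INET=ppp0
  elif [ -z "$IF_INET" ]; then
    IF_INET=eth1
  fi
  logger -p daemon.info -t rc.firewall "Firewall script set with default: ${IF_INET}"
fi

# Address currently bound to the Internet interface (Coyote helper binary).
IPADDR=$(getifaddr "$IF_INET")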
  30.  
  31. # Renew call to if-filter (just to be sure it will be the last one)
  32. iptables -D INPUT   -m state --state NEW -j if-filter  2>/dev/null
  33. iptables -A INPUT   -m state --state NEW -j if-filter  2>/dev/null
  34. iptables -D FORWARD -m state --state NEW -j if-filter  2>/dev/null
  35. iptables -A FORWARD -m state --state NEW -j if-filter  2>/dev/null
  36.  
  37. # Build Log and Drop chain
  38. iptables -F log-and-drop
  39. [ "$LOG_ATTEMPTS" = "YES" ] && iptables -A log-and-drop -j LOG --log-prefix "BLOCKED CONNECTION:"
  40. iptables -A log-and-drop -j DROP
  41.  
  42. # Build Interface Filtering Chain
  43. iptables -F if-filter
  44. iptables -A if-filter -i $IF_INET -j log-and-drop
  45. [ -n "$INET2_IPADDR" ] && iptables -A if-filter -i $IF_INET2 -j log-and-drop
  46. [ -n "$INET3_IPADDR" ] && iptables -A if-filter -i $IF_INET3 -j log-and-drop
  47. [ -n "$INET4_IPADDR" ] && iptables -A if-filter -i $IF_INET4 -j log-and-drop
  48. [ -n "$DMZ_IPADDR" ] && iptables -A if-filter -i $IF_DMZ -o $IF_LOCAL -j log-and-drop
  49. [ -n "$DMZ_IPADDR" ] && [ -n "$LOCAL2_IPADDR" ] && iptables -A if-filter -i $IF_DMZ -o $IF_LOCAL2 -j log-and-drop
  50. [ -n "$DMZ_IPADDR" ] && [ -n "$LOCAL3_IPADDR" ] && iptables -A if-filter -i $IF_DMZ -o $IF_LOCAL3 -j log-and-drop
  51. [ -n "$DMZ_IPADDR" ] && [ -n "$LOCAL4_IPADDR" ] && iptables -A if-filter -i $IF_DMZ -o $IF_LOCAL4 -j log-and-drop
  52. [ -n "$DMZ_IPADDR" ] && [ -n "$WLAN_IPADDR" ]   && iptables -A if-filter -i $IF_DMZ -o $IF_WLAN   -j log-and-drop
  53.  
# Start every run from empty user chains.  Only their contents are rebuilt
# here; the chains themselves are not created in this script (presumably an
# earlier boot script does that).
#   filter table: access-acl remote-admin   (rules-file ACLs)
#                 user-filter port-filter   (simplified firewall)
#   nat table:    nat-acl
#   mangle table: l7-filter
for CHAIN in access-acl remote-admin; do
  iptables -F "$CHAIN"
done
iptables -t nat -F nat-acl
for CHAIN in user-filter port-filter; do
  iptables -F "$CHAIN"
done
iptables -t mangle -F l7-filter

# Site hook that runs before the rules file is processed.  It is sourced, i.e.
# executed as root in this shell, so it must stay writable by root only.
[ -r /etc/coyote/firewall.pre ] && . /etc/coyote/firewall.pre
  69.  
  70. set_address() {
  71.  PP="$1"
  72.  
  73.  NOT=`echo "$PP" | cut -c -3`
  74.  [ "$NOT" = "not" ] && PP=`echo "$PP" | cut -c 5-`
  75.  TAG=`echo "$PP" | cut -c -3`
  76.  [ "$TAG" = mac ] 2>/dev/null && PP=`echo "$PP" | cut -c 5-`
  77.  
  78.  case $PP in
  79.         lan) [ -z $LOCAL_IPADDR ] && return 1
  80.          ADDRESS="$LOCAL_IPADDR"; return 0;
  81.  ;;
  82.         lan2) [ -z $LOCAL_IPADDR2 ] && return 1
  83.          ADDRESS="$LOCAL_IPADDR2"; return 0;
  84.  ;;
  85.         lan3) [ -z $LOCAL_IPADDR3 ] && return 1
  86.          ADDRESS="$LOCAL_IPADDR3"; return 0;
  87.  ;;
  88.         lan-if) [ -z $IF_LOCAL ] && return 1
  89.          ADDRESS="$IF_LOCAL"; return 0;
  90.  ;;
  91.         lan-net) [ -z $LOCAL_IPADDR ] || [ -z $LOCAL_NETMASK ] && return 1
  92.          eval `ipcalc -p -n $LOCAL_IPADDR $LOCAL_NETMASK`
  93.          ADDRESS="$NETWORK/$PREFIX"
  94.          return 0
  95.  ;;
  96.         lan2-net) [ -z $LOCAL_IPADDR2 ] || [ -z $LOCAL_NETMASK2 ] && return 1
  97.          eval `ipcalc -p -n $LOCAL_IPADDR2 $LOCAL_NETMASK2`
  98.          ADDRESS="$NETWORK/$PREFIX"
  99.          return 0
  100.  ;;
  101.         lan3-net) [ -z $LOCAL_IPADDR3 ] || [ -z $LOCAL_NETMASK3 ] && return 1
  102.          eval `ipcalc -p -n $LOCAL_IPADDR3 $LOCAL_NETMASK3`
  103.          ADDRESS="$NETWORK/$PREFIX"
  104.          return 0
  105.  ;;
  106.         int) [ -z $IPADDR ] && return 1
  107.          ADDRESS="$IPADDR"; return 0;
  108.  ;;
  109.         int2) [ -z $IPADDR2 ] && return 1
  110.          ADDRESS="$IPADDR2"; return 0;
  111.  ;;
  112.         int3) [ -z $IPADDR3 ] && return 1
  113.          ADDRESS="$IPADDR3"; return 0;
  114.  ;;
  115.         int4) [ -z $IPADDR4 ] && return 1
  116.          ADDRESS="$IPADDR4"; return 0;
  117.  ;;
  118.         int-if) [ -z $IF_INET ] && return 1
  119.          ADDRESS="$IF_INET"; return 0;
  120.  ;;
  121.         int-net) [ -z $IPADDR ] || [ -z $NETMASK ] && return 1
  122.          eval `ipcalc -p -n $IPADDR $NETMASK`
  123.          ADDRESS="$NETWORK/$PREFIX"
  124.          return 0
  125.  ;;
  126.         int2-net) [ -z $IPADDR2 ] || [ -z $NETMASK2 ] && return 1
  127.          eval `ipcalc -p -n $IPADDR2 $NETMASK2`
  128.          ADDRESS="$NETWORK/$PREFIX"
  129.          return 0
  130.  ;;
  131.         int3-net) [ -z $IPADDR3 ] || [ -z $NETMASK3 ] && return 1
  132.          eval `ipcalc -p -n $IPADDR3 $NETMASK3`
  133.          ADDRESS="$NETWORK/$PREFIX"
  134.          return 0
  135.  ;;
  136.         int4-net) [ -z $IPADDR4 ] || [ -z $NETMASK4 ] && return 1
  137.          eval `ipcalc -p -n $IPADDR4 $NETMASK4`
  138.          ADDRESS="$NETWORK/$PREFIX"
  139.          return 0
  140.  ;;
  141.         dmz) [ -z $DMZ_IPADDR ] && return 1
  142.          ADDRESS="$DMZ_IPADDR"; return 0;
  143.  ;;
  144.         dmz2) [ -z $DMZ_IPADDR2 ] && return 1
  145.          ADDRESS="$DMZ_IPADDR2"; return 0;
  146.  ;;
  147.         dmz3) [ -z $DMZ_IPADDR3 ] && return 1
  148.          ADDRESS="$DMZ_IPADDR3"; return 0;
  149.  ;;
  150.         dmz-if) [ -z $IF_DMZ ] && return 1
  151.          ADDRESS="$IF_DMZ"; return 0;
  152.  ;;
  153.         dmz-net) [ -z $DMZ_IPADDR ] || [ -z $DMZ_NETMASK ] && return 1
  154.          eval `ipcalc -p -n $DMZ_IPADDR $DMZ_NETMASK`
  155.          ADDRESS="$NETWORK/$PREFIX"
  156.          return 0
  157.  ;;
  158.         dmz2-net) [ -z $DMZ_IPADDR2 ] || [ -z $DMZ_NETMASK2 ] && return 1
  159.          eval `ipcalc -p -n $DMZ_IPADDR2 $DMZ_NETMASK2`
  160.          ADDRESS="$NETWORK/$PREFIX"
  161.          return 0
  162.  ;;
  163.         dmz3-net) [ -z $DMZ_IPADDR3 ] || [ -z $DMZ_NETMASK3 ] && return 1
  164.          eval `ipcalc -p -n $DMZ_IPADDR3 $DMZ_NETMASK3`
  165.          ADDRESS="$NETWORK/$PREFIX"
  166.          return 0
  167.  ;;
  168.         local2) [ -z $LOCAL2_IPADDR ] && return 1
  169.          ADDRESS="$LOCAL2_IPADDR"; return 0;
  170.  ;;
  171.         local2-if) [ -z $IF_LOCAL2 ] && return 1
  172.          ADDRESS="$IF_LOCAL2"; return 0;
  173.  ;;
  174.         local2-net) [ -z $LOCAL2_IPADDR ] || [ -z $LOCAL2_NETMASK ] && return 1
  175.          eval `ipcalc -p -n $LOCAL2_IPADDR $LOCAL2_NETMASK`
  176.          ADDRESS="$NETWORK/$PREFIX"; return 0;
  177.  ;;
  178.         local3) [ -z $LOCAL3_IPADDR ] && return 1
  179.          ADDRESS="$LOCAL3_IPADDR"; return 0;
  180.  ;;
  181.         local3-if) [ -z $IF_LOCAL3 ] && return 1
  182.          ADDRESS="$IF_LOCAL3"; return 0;
  183.  ;;
  184.         local3-net) [ -z $LOCAL3_IPADDR ] || [ -z $LOCAL3_NETMASK ] && return 1
  185.          eval `ipcalc -p -n $LOCAL3_IPADDR $LOCAL3_NETMASK`
  186.          ADDRESS="$NETWORK/$PREFIX"
  187.         return 0
  188.  ;;
  189.         local4) [ -z $LOCAL4_IPADDR ] && return 1
  190.          ADDRESS="$LOCAL4_IPADDR"; return 0;
  191.  ;;
  192.         local4-if) [ -z $IF_LOCAL4 ] && return 1
  193.          ADDRESS="$IF_LOCAL4"; return 0;
  194.  ;;
  195.         local4-net) [ -z $LOCAL4_IPADDR ] || [ -z $LOCAL4_NETMASK ] && return 1
  196.          eval `ipcalc -p -n $LOCAL4_IPADDR $LOCAL4_NETMASK`
  197.          ADDRESS="$NETWORK/$PREFIX"
  198.         return 0
  199.  ;;
  200.         wlan) [ -z $WLAN_IPADDR ] && return 1
  201.          ADDRESS="$WLAN_IPADDR"; return 0;
  202.  ;;
  203.         wlan-if) [ -z $IF_WLAN ] && return 1
  204.          ADDRESS="$IF_WLAN"; return 0;
  205.  ;;
  206.         wlan-net) [ -z $WLAN_IPADDR ] || [ -z $WLAN_NETMASK ] && return 1
  207.          eval `ipcalc -p -n $WLAN_IPADDR $WLAN_NETMASK`
  208.          ADDRESS="$NETWORK/$PREFIX"
  209.         return 0
  210.  ;;
  211.         any|all) ADDRESS="0.0.0.0/0"; return 0;
  212.  ;;
  213.         *) ADDRESS="$PP"
  214.          [ "$NOT" = "not" ] && ADDRESS="! $ADDRESS"
  215.          return 0
  216.  ;;
  217. esac
  218. [ "$NOT" = "not" ] && ADDRESS="! $ADDRESS"
  219. }
  220.  
  221. set_access() {
  222.         [ $DEBUG = 1 ] && logger $FWDRULE
  223.         if [ $# -lt 7 ]; then
  224.                 echo "   Invalid access entry rule line# $LINE in /etc/coyote/firewall"
  225.                 return 1
  226.         fi
  227.  
  228.         if [ "$2" = "y" ]; then
  229.                 # Rule Option
  230.                 RULE=
  231.                 if [ "$3" = "permit" ]; then
  232.                         RULE=ACCEPT
  233.                 elif [ "$3" = "deny" ]; then
  234.                         RULE=REJECT
  235.                 else
  236.                         RULE="$3"
  237.                 fi
  238.                
  239.                 # Protocol Option
  240.                 PROTO="$4"
  241.                 PROTOOPT=
  242.                 if [ "$PROTO" = "any" -o "$PROTO" = "all" ]; then
  243.                         PROTOOPT=""
  244.                 elif [ "$PROTO" = "icmp" -o "$PROTO" = "tcp" -o "$PROTO" = "udp" ] || [ "$PROTO" -ge 0 -a "$PROTO" -le 255 ] 2>/dev/null; then
  245.                         PROTOOPT="-p $PROTO"
  246.                 else
  247.                         echo "   Firewall rule line# $LINE - protocol option error"
  248.                         return 1
  249.                 fi
  250.                
  251.                 # Source Address Option
  252.                 SRC="$5"
  253.                 TAG=
  254.                 SRCTAG=
  255.                 SRCOPT=
  256.                 set_address $SRC
  257.                 if [ $? -ne 0 ]; then
  258.                         echo "   Firewall rule line# $LINE - source address error"
  259.                         return 1
  260.                 elif [ "$TAG" = mac ]; then
  261.                         SRCTAG="$TAG"
  262.                         SRCOPT="--match mac --mac-source $ADDRESS"
  263.                 elif [ "$SRC" = "lan-if" -o "$SRC" = "int-if" -o "$SRC" = "dmz-if" -o "$SRC" = "local2-if" -o "$SRC"  = "local3-if" -o "$SRC"  = "local4-if" -o "$SRC" = "wlan-if" -o "$SRC" = "int2-if" -o "$SRC" = "int3-if" -o "$SRC" = "int4-if" ]; then
  264.                         SRCOPT="-i $ADDRESS"
  265.                 else
  266.                         SRCOPT="-s $ADDRESS"
  267.                 fi
  268.                
  269.                 # Destination Address Option
  270.                 DEST="$6"
  271.                 TAG=
  272.                 DESTTAG=
  273.                 DSTOPT=
  274.                 set_address $DEST
  275.                 if [ $? -ne 0 ]; then
  276.                         echo "   Firewall rule line# $LINE - destination address error"
  277.                         return 1
  278.                 elif [ "$TAG" = mac ]; then
  279.                         DESTTAG="$TAG"
  280.                         DSTOPT="--match mac --mac-source $ADDRESS"
  281.                 elif [ "$DEST" = "lan-if" -o "$DEST" = "int-if" -o "$DEST" = "dmz-if" -o "$DEST" = "local2-if" -o "$DEST"  = "local3-if" -o "$DEST"  = "local4-if" -o "$DEST" = "wlan-if" -o "$DEST" = "int2-if" -o "$DEST" = "int3-if" -o "$DEST" = "int4-if" ]; then
  282.                         DSTOPT="-o $ADDRESS"
  283.                 else
  284.                         DSTOPT="-d $ADDRESS"
  285.                 fi
  286.                
  287.                 #Dport Option
  288.                 DPORT=`echo $7 | sed s/not:/!\ /`
  289.                 DPORTOPT=
  290.                 if [ "$DPORT" = "any" -o "$DPORT" = "all" -o "$PROTOOPT" = "" ]; then
  291.                         DPORTOPT=""
  292.                 elif [ "$PROTO" = "icmp" ]; then
  293.                         DPORTOPT="--icmp-type $DPORT"
  294.                 elif [ ! -z "$DPORT" ]; then
  295.                         DPORTOPT="--dport $DPORT"
  296.                 else
  297.                         echo "   Firewall rule line# $LINE - Dest. port option error"
  298.                         return 1
  299.                 fi
  300.  
  301.                 #Sport Option
  302.                 SPORT=`echo $8 | sed s/not:/!\ /`
  303.                 SPORTOPT=
  304.                 if [ "$SPORT" = "any" -o "$SPORT" = "all" -o "$PROTOOPT" = "" ]; then
  305.                         SPORTOPT=""
  306.                 elif [ "$PROTO" = "icmp" ]; then
  307.                         SPORTOPT="--icmp-type $DPORT"
  308.                 elif [ ! -z "$SPORT" ]; then
  309.                         SPORTOPT="--sport $SPORT"
  310.                 else
  311.                         echo "   Firewall rule line# $LINE - Source port option error"
  312.                         return 1
  313.                 fi
  314.         else
  315.                 return 0
  316.         fi     
  317.        
  318.         # Add the control acl
  319.         if [ $1 = access -a "$SRCTAG" = mac -a $6 = int-if ]; then
  320.                 iptables -t nat -A nat-acl $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE
  321.                 [ $DEBUG = 1 ] && logger "iptables -t nat -A nat-acl $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE"
  322.  
  323.         elif [ $1 = access -a "$DESTTAG" = mac ] && [ $5 = lan-if -o $5 = dmz-if ]; then
  324.                 iptables -A remote-admin $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE
  325.                 [ $DEBUG = 1 ] && logger "iptables -A remote-admin $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE"
  326.  
  327.         elif [ $1 != admin ]; then
  328.                 iptables -A access-acl $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE
  329.                 [ $DEBUG = 1 ] && logger "iptables -A access-acl $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE"
  330.  
  331.         elif [ $1 = admin ]; then
  332.                  iptables -A remote-admin $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE
  333.                 [ $DEBUG = 1 ] && logger "iptables -A remote-admin $PROTOOPT $SRCOPT $DSTOPT $DPORTOPT $SPORTOPT -j $RULE"
  334.         fi
  335. }
  336.  
  337. #Simplified Firewall Functions
# Simplified firewall: drop everything from source IP $1 in user-filter.
# Skipped under the BLOCK_ALL user policy, where anything not explicitly
# allowed is dropped anyway.  $1 comes straight from the rules file and is
# spliced into the command unquoted.  Writes COMMAND.
block_ip() {
  [ "$DEFAULT_USERS_FILTER" != "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  COMMAND="iptables -A user-filter -s $1 -j DROP"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  346.  
# Simplified firewall: let source IP $1 through user-filter.
# RETURN (not ACCEPT) hands the packet back to the calling chain, so the
# remaining filtering still applies.  Only emitted under the BLOCK_ALL user
# policy; with any other policy hosts are allowed by default.  Writes COMMAND.
allow_ip() {
  [ "$DEFAULT_USERS_FILTER" = "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  COMMAND="iptables -A user-filter -s $1 -j RETURN"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  355.  
# Simplified firewall: drop everything from source MAC $1 in user-filter.
# Skipped under the BLOCK_ALL user policy.  Writes COMMAND.
# NOTE(review): a MAC address is trivially forged by the client; treat this
# as a convenience control, not as an authentication boundary.
block_mac() {
  [ "$DEFAULT_USERS_FILTER" != "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  COMMAND="iptables -A user-filter --match mac --mac-source $1 -j DROP"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  364.  
# Simplified firewall: let source MAC $1 through user-filter (RETURN).
# Only emitted under the BLOCK_ALL user policy.  Writes COMMAND.
# NOTE(review): MAC addresses are spoofable; this does not identify a host
# reliably.
allow_mac() {
  [ "$DEFAULT_USERS_FILTER" = "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  COMMAND="iptables -A user-filter --match mac --mac-source $1 -j RETURN"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  373.  
# Simplified firewall: RETURN (allow) only when source IP $1 and source MAC
# $2 appear together — a basic IP/MAC binding under the BLOCK_ALL user
# policy; with any other policy nothing is emitted.  Writes COMMAND.
# NOTE(review): both values are client-controlled; this raises the bar for a
# casual address change, not for a deliberate spoof.
match_ip_mac() {
  [ "$DEFAULT_USERS_FILTER" = "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  COMMAND="iptables -A user-filter -s $1 --match mac --mac-source $2 -j RETURN"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  382.  
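# Simplified firewall: drop a service in port-filter.  Only emitted when the
# services policy is not BLOCK_ALL (under BLOCK_ALL everything that is not
# allowed is dropped anyway).
#   block_port PROTO          whole protocol (tcp|udp|icmp|gre)
#   block_port PORT PROTO     one port (or port range) of PROTO
#   block_port TYPE icmp      one ICMP type
# Globals written: PROTO, PORT, PORTOPT, COMMAND.
# Fix: the command line used the undefined $PROTOCOL instead of $PROTO and
# appended a stray $PORT, so (unless the environment happened to define
# PROTOCOL) every block_port line produced an invalid iptables call and the
# intended block was never installed.  It now mirrors allow_port.
block_port() {
  [ "$DEFAULT_SERVICES_FILTER" != "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  PORTOPT=""
  case $1 in
    tcp|udp|icmp|gre)
      PROTO=$1 ;;
    *)
      PORT=$1
      PROTO=$2
      if [ "$PROTO" = "icmp" ]; then
        PORTOPT="--icmp-type $PORT"
      elif [ -n "$PORT" ]; then
        PORTOPT="--dport $PORT"
      fi ;;
  esac
  COMMAND="iptables -A port-filter -p $PROTO $PORTOPT -j DROP"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}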
  404.  
# Simplified firewall: accept a service in port-filter under the BLOCK_ALL
# services policy (with any other policy services are open by default and
# the rule is skipped).
#   allow_port PROTO          whole protocol (tcp|udp|icmp|gre)
#   allow_port PORT PROTO     one port (or port range) of PROTO
#   allow_port TYPE icmp      one ICMP type
# Globals written: PROTO, PORT, PORTOPT, COMMAND.
allow_port() {
  [ "$DEFAULT_SERVICES_FILTER" = "BLOCK_ALL" ] || return 0
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  PORTOPT=""
  case $1 in
    tcp|udp|icmp|gre)
      # Protocol-only form.
      PROTO=$1 ;;
    *)
      PORT=$1
      PROTO=$2
      case "$PROTO:$PORT" in
        icmp:*) PORTOPT="--icmp-type $PORT" ;;
        *:?*)   PORTOPT="--dport $PORT" ;;
      esac ;;
  esac
  COMMAND="iptables -A port-filter -p $PROTO $PORTOPT -j ACCEPT"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  426.  
# Simplified firewall: drop traffic classified as layer-7 protocol $1.
# Requires the layer7 (l7-filter) match module and the l7-filter chain in the
# mangle table; without them the command fails and the error goes to stderr.
# Applied regardless of the default policies.  Writes COMMAND.
block_protocol() {
  COMMAND="iptables -t mangle -A l7-filter -m layer7 --l7proto $1 -j DROP"
  [ "$DEBUG" = 1 ] && logger $FWDRULE
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  433.  
# Under a BLOCK_ALL user policy clients still need DHCP to obtain an address
# (presumably from the firewall's own server, hence DHCPSERVER).  The rule is
# inserted at the head of user-filter (-I, not -A) so it precedes both the
# per-host rules appended from the rules file and the per-interface DROP
# appended further down.
if [ "$DEFAULT_USERS_FILTER" = "BLOCK_ALL" ] && [ "$DHCPSERVER" = "YES" ]; then
  COMMAND="iptables -I user-filter -p udp --dport 67 -j RETURN"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
fi
  441.  
  442. # Set administrative options
  443. [ -z "$SSH_PORT" ] && SSH_PORT=22
  444. [ -z "`sed /^.*"tcp int-if any "$SSH_PORT" 1024:65535"/!d /etc/coyote/firewall`" ] && \
  445.  sed -ie '10i\' -e "admin N permit tcp int-if any "$SSH_PORT" 1024:65535 #Example - Permit external SSH access" /etc/coyote/firewall
  446. [ "$ENABLE_EXTERNAL_SSH" != "NO" ] && sed -i /"permit tcp int-if any "$SSH_PORT" 1024:65535"/s/N/Y/g /etc/coyote/firewall \
  447.  || sed -i /"permit tcp int-if any "$SSH_PORT" 1024:65535"/s/Y/N/g /etc/coyote/firewall
  448.  
  449. [ -z "`sed /^.*"icmp int-if any echo-request all"/!d /etc/coyote/firewall`" ] && \
  450.  sed -ie '11i\' -e "admin N permit icmp int-if any echo-request all #Example - Permit external PING reply" /etc/coyote/firewall
  451. [ "$ENABLE_EXTERNAL_PING" = "YES" ] && sed -i /"icmp int-if any echo-request all"/s/N/Y/g /etc/coyote/firewall \
  452.  || sed -i /"icmp int-if any echo-request all"/s/Y/N/g /etc/coyote/firewall
  453.  
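# Process the rules file.
# Each line is stripped of its '#' comment and lower-cased, then dispatched
# on its first word.  The whole line is expanded unquoted, so its words
# become the arguments of set_access or of the simplified-firewall function
# named by the first word.  Only the keywords listed below are ever executed,
# but the arguments are not validated here and end up on iptables command
# lines: /etc/coyote/firewall must remain writable by root only.
if [ -r /etc/coyote/firewall ]; then
  echo "Configuring firewall rules..."
  LINE=0
  # read -r keeps backslashes as written; leading/trailing blanks are still
  # trimmed (no IFS=), which the access*/admin* patterns rely on.  Reading
  # from a redirect instead of `cat |` runs the loop in this shell, so LINE,
  # FWDRULE and the variables set by the rule functions remain set
  # afterwards; nothing later in this file reads them (the sourced
  # firewall.local and rc.masquerade are not visible here).
  while read -r FWDRULE; do
    LINE=$((LINE + 1))
    FWDRULE=$(printf '%s\n' "${FWDRULE%%#*}" | tr '[A-Z]' '[a-z]')
    case "$FWDRULE" in
      "")
        continue ;;
      access*|admin*)
        set_access $FWDRULE ;;
      block_ip*|allow_ip*|block_mac*|allow_mac*|match_ip_mac*|block_port*|allow_port*|block_protocol*)
        $FWDRULE ;;
    esac
  done < /etc/coyote/firewall
fi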
  476.  
# Append a DROP for everything arriving on interface $2 to chain $1.
# Used as the terminal default-deny rule of user-filter / port-filter.
# Writes COMMAND.
blk_lan() {
  COMMAND="iptables -A $1 -i $2 -j DROP"
  $COMMAND
  [ "$DEBUG" = 1 ] && logger "$COMMAND"
}
  482.  
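# Default policies for the simplified firewall.  With BLOCK_ALL, anything
# from an internal interface that no allow_ip/allow_mac/match_ip_mac rule
# RETURNed (user-filter) or no allow_port rule ACCEPTed (port-filter) is
# dropped here, at the end of the chain — the rules loop above appends, so
# these must come after it.  Extra segments are covered only when configured.
# (The original also re-assigned DEFAULT_*_FILTER=BLOCK_ALL under DEBUG
# inside these branches, which was a no-op and has been dropped.)
if [ "$DEFAULT_USERS_FILTER" = "BLOCK_ALL" ]; then
  blk_lan user-filter "$IF_LOCAL"
  [ -n "$LOCAL2_IPADDR" ] && blk_lan user-filter "$IF_LOCAL2"
  [ -n "$LOCAL3_IPADDR" ] && blk_lan user-filter "$IF_LOCAL3"
  [ -n "$LOCAL4_IPADDR" ] && blk_lan user-filter "$IF_LOCAL4"
  [ -n "$WLAN_IPADDR" ]   && blk_lan user-filter "$IF_WLAN"
fi
if [ "$DEFAULT_SERVICES_FILTER" = "BLOCK_ALL" ]; then
  blk_lan port-filter "$IF_LOCAL"
  [ -n "$LOCAL2_IPADDR" ] && blk_lan port-filter "$IF_LOCAL2"
  [ -n "$LOCAL3_IPADDR" ] && blk_lan port-filter "$IF_LOCAL3"
  [ -n "$LOCAL4_IPADDR" ] && blk_lan port-filter "$IF_LOCAL4"
  [ -n "$WLAN_IPADDR" ]   && blk_lan port-filter "$IF_WLAN"
fi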
  504.  
# Site-specific additions, sourced (executed as root in this shell) after
# the generated rules; must stay writable by root only.
[ -r /etc/coyote/firewall.local ] && {
  echo "Configuring custom firewall rules..."
  . /etc/coyote/firewall.local
}

# IP masquerading.  Set DISABLE_NAT=YES to run Coyote as a plain router; the
# masq script switches the default forwarding policy to DENY (so nothing is
# routed un-NATed) and sets up masquerading.
# NOTE(review): passing an argument after the file name to `.` is not POSIX;
# bash honours it, and whether the shell on the appliance does is not
# visible here.  A shell that ignores it leaves rc.masquerade looking at this
# script's own $1, which is empty when the default interface was used.
if [ "$DISABLE_NAT" != "YES" ]; then
  . /etc/rc.d/rc.masquerade "$IF_INET"
fi
  515.  
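# Run the "Line UP" package hook scripts, if any are installed.  A glob
# replaces the original `ls` parsing; the -e test skips the literal pattern
# left behind when nothing matches.
# NOTE(review): these run as root with no integrity check; /etc/rc.d/pkgs
# must be writable by root only.
LU_STARTED=
for RCS in /etc/rc.d/pkgs/lu.*; do
  [ -e "$RCS" ] || continue
  if [ -z "$LU_STARTED" ]; then
    echo "Running Line UP Scripts..."
    LU_STARTED=1
  fi
  [ -x "$RCS" ] && "$RCS"
done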
  523.  
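# Set the clock from TIMESERVER, if configured, then copy it to the RTC.
# NOTE(review): ntpclient speaks plain, unauthenticated NTP over UDP; a
# spoofed reply can set the clock, which affects log timestamps and anything
# that checks certificate validity.
if [ -n "$TIMESERVER" ]; then
  printf '%s' "Setting clock using timeserver ${TIMESERVER}: "
  logger "Setting clock using timeserver ${TIMESERVER}: "
  if /usr/sbin/ntpclient -c 1 -g 1 -h "${TIMESERVER}" -s >/dev/null 2>&1; then
    echo "Success."
    logger "Success."
    if [ -x /sbin/hwclock ]; then
      echo "Set the bios clock using timeserver"
      logger "Set the bios clock using timeserver"
      # Discard hwclock's adjtime record before writing the RTC (presumably
      # so a drift value computed against the old time is not reapplied).
      # It is a file, so -r is unnecessary: plain -f.
      [ -e /var/state/adjtime ] && rm -f /var/state/adjtime
      /sbin/hwclock -w -l >/dev/null
    fi
  else
    echo "Failed!"
    logger "Failed!"
  fi
fi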
