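#!/usr/bin/bash
# This is Firewall control
# Steffen - mailto: - Steffen's Minitools
# This may or may not work for you - ABSOLUTELY NO WARRANTY!
#
# User front end for an ipchains packet filter. Every command below applies
# rule changes immediately with ipchains, so the script has to run with the
# privileges ipchains needs. ipchains is the Linux 2.2-era filter; on kernels
# that only ship iptables/nftables the ipchains calls simply fail.
#
# Usage: $0 command [command ...]     (see help() for the command list)

########################################################
# Input: open (allowed) ports for anybody (any source)
############################
# Entries are space separated; names are resolved by ipchains via
# /etc/services, ranges are written as low:high.
# TCP:
PUBLIC_PORTS_TCP="auth ftp telnet smtp"
# UDP:
PUBLIC_PORTS_UDP="route"
# TCP and UDP:
# NOTE: 1024:65535 exposes every unprivileged port to any source. That is the
# author's chosen policy, not an accident; narrow it if the host runs services
# on high ports.
PUBLIC_PORTS="echo ssh www domain pop2 pop3 imap imap3 1024:65535"

# Policy for everything that is not explicitly opened.
# friendly: REJECT (answers with an ICMP error)
# ... or just trash packets and don't answer: DENY
DENY_POL=REJECT
#DENY_POL=DENY

LOCALHOST="127.0.0.1"
# Source "address port" pair used by force_ssh_open() to probe the chains.
# Deliberately two space-separated words; it is split at the point of use.
SSH_SOURCE="1.2.3.4 12345"

#######################################################
# The Functions
##################

#######################################
# Disable the firewall: ACCEPT policy and no rules on every chain.
# Globals:   none
# Outputs:   warning on stdout
#######################################
open_all() {
  local chain
  echo "Firewall OPEN! System unprotected!"
  # Policy first, then flush, so nothing is dropped in between.
  for chain in input output forward; do
    ipchains -P "$chain" ACCEPT
    ipchains -F "$chain"
  done
}

#######################################
# List the rules of every chain. Read-only, changes nothing.
# Outputs:   chain headers and ipchains -L output on stdout
#######################################
list_all() {
  local chain
  echo "Firewall rules (current state):"
  for chain in input output forward; do
    echo " ---------------[ $chain ]------------------"
    ipchains -L "$chain"
  done
}

#######################################
# Paranoia mode: apply DENY_POL to every chain and drop all rules,
# including the localhost exception. Nothing gets in or out afterwards.
# Globals:   DENY_POL (read)
#######################################
close_para() {
  local chain
  echo "Firewall closed for ALL - PARANOIA MODE ($DENY_POL policy)"
  for chain in input output forward; do
    ipchains -P "$chain" "$DENY_POL"
    ipchains -F "$chain"
  done
}

#######################################
# Default closed state: input falls back to DENY_POL with only
# loopback traffic accepted; output and forward stay wide open.
# Globals:   DENY_POL, LOCALHOST (read)
#######################################
close_input() {
  echo "Firewall inputs closed."
  ipchains -P input "$DENY_POL"
  ipchains -F input
  # localhost still allowed !!
  ipchains --insert input -s "$LOCALHOST" -d "$LOCALHOST" -j ACCEPT
  ipchains -P output ACCEPT
  ipchains -F output
  ipchains -P forward ACCEPT
  ipchains -F forward
}

#######################################
# Append an input ACCEPT rule per port for one protocol (any source).
# Arguments: $1 - protocol (tcp|udp); $2.. - port names, numbers or low:high
# Outputs:   one "Opening Port" line per port on stdout
#######################################
open_input() {
  local proto=$1
  shift
  local port
  local -a chain_cmd=(--append input --destination-port)
  for port in "$@"; do
    echo "Opening Port: $port for $proto protocol"
    ipchains "${chain_cmd[@]}" "$port" --proto "$proto" -j ACCEPT
  done
}

#######################################
# Append a catch-all logging rule so packets hitting DENY_POL show up
# in syslog. Must come after the ACCEPT rules, which is why start
# calls it last.
# Globals:   DENY_POL (read)
#######################################
input_deny_log() {
  echo "Appending input deny rule for syslog"
  ipchains --append input --log -j "$DENY_POL"
}

#######################################
# Print the command list. Defined as a function, so it shadows the
# bash builtin of the same name inside this script.
#######################################
help() {
  echo "Firewall control - user frontend for controlling firewalls"
  echo "usage: $0 command [command ...]"
  echo " where command is a list of:"
  echo " start (starts default configuration)"
  echo " stop, off, open (disables firewalls)"
  echo " list (lists rules)"
  echo " para (Paranoid close, systems denies ALL packets)"
  echo " ssh (checks for working ssh [and opens])"
}

#######################################
# Probe the chains with synthetic packets (ipchains --check) to see
# whether an ssh session from SSH_SOURCE would get through; if not,
# insert ACCEPT rules at the top of input and output.
# Globals:   SSH_SOURCE (read)
# Outputs:   diagnostics on stdout
#######################################
force_ssh_open() {
  # quick and dirty check, may or may not work ...
  local ssh=OK out=OK port=FAIL
  local -a ssh_src
  # SSH_SOURCE is "addr port": split it into the two words ipchains -s expects.
  read -r -a ssh_src <<<"$SSH_SOURCE"
  # ipchains --check reports the verdict for a synthetic packet; only the
  # word "accepted" counts as a pass.
  # NOTE(review): 0.0.0.1 and eth0 are hard-coded probe values; confirm they
  # match a real local address and interface, otherwise the verdict may not
  # reflect live traffic.
  if ! ipchains --check input -p tcp -s "${ssh_src[@]}" \
      -d 0.0.0.1 ssh -i eth0 | grep -q "accepted"; then
    ssh=FAIL
    echo "WARNING!! SSH would be REJECTED!"
  fi
  if ! ipchains --check output -p tcp -d "${ssh_src[@]}" \
      -s 0.0.0.1 ssh -i eth0 | grep -q "accepted"; then
    out=FAIL
    echo "WARNING!! SSH output would be REJECTED!"
  fi
  # Either an unprivileged (1024) or a privileged (1023) client port passes.
  if ipchains --check input -p tcp -s "${ssh_src[@]}" \
      -d 0.0.0.1 1024 -i eth0 | grep -q "accepted"; then
    port=OK
  fi
  if ipchains --check input -p tcp -s "${ssh_src[@]}" \
      -d 0.0.0.1 1023 -i eth0 | grep -q "accepted"; then
    port=OK
  else
    echo "SSH needs user port! (ssh -P ...)"
  fi
  if [[ "$ssh" == OK && "$port" == OK && "$out" == OK ]]; then
    echo "SSH OK!"
  else
    echo "SSH FAILED!"
    echo "inserting ssh accept rules in input chain..."
    ipchains --insert input --destination-port ssh -p tcp -j ACCEPT
    # This accepts every unprivileged TCP port from ANY source, not only
    # from SSH_SOURCE. It is what the author chose; it is a wide opening.
    ipchains --insert input --destination-port 1024:65535 -p tcp -j ACCEPT
    echo "opening output chains completly..."
    ipchains --insert output -j ACCEPT
  fi
}

##############################################
# M A I N
##################

#######################################
# Dispatch each command-line word in order; "start" is the composite
# default configuration (close, open configured ports, log, ssh check).
# Arguments: $@ - command words (see help)
#######################################
main() {
  local par
  if [[ -z "${1-}" ]]; then
    echo "(No action specified)"
    help
    return 0
  fi
  for par in "$@"; do
    case "$par" in
      start)
        close_input
        # The *_PORTS values are space-separated lists by design: let
        # them word-split into one argument per port.
        # shellcheck disable=SC2086
        open_input tcp $PUBLIC_PORTS_TCP $PUBLIC_PORTS
        # shellcheck disable=SC2086
        open_input udp $PUBLIC_PORTS_UDP $PUBLIC_PORTS
        input_deny_log
        force_ssh_open
        ;;
      stop|open|off)
        open_all
        ;;
      para)
        close_para
        ;;
      list)
        list_all
        ;;
      ssh)
        force_ssh_open
        ;;
      help)
        help
        ;;
      noaction)
        ;;
      *)
        # printf, not echo: the word comes from the user.
        printf 'Unknown Command!! (%s)\n' "$par"
        ;;
    esac
  done
}

main "$@"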