From: John Crispin Date: Mon, 11 Aug 2008 22:27:36 +0000 (+0000) Subject: uci firewall - make uci firewall default and remove old code - fix up dependencies X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=5627667654db791fc105117c8d5717caacbaa1b9;p=openwrt%2Fstaging%2Flynxis%2Fomap.git uci firewall - make uci firewall default and remove old code - fix up dependencies SVN-Revision: 12284 --- diff --git a/package/firewall/Config.in b/package/firewall/Config.in deleted file mode 100644 index 616b0206b0..0000000000 --- a/package/firewall/Config.in +++ /dev/null @@ -1,17 +0,0 @@ -choice - prompt "Choose firewall" - default FIREWALL_OLD - depends PACKAGE_firewall - -config FIREWALL_OLD - bool "old firewall" - -config FIREWALL_NEW - bool "new uci firewall" - select PACKAGE_iptables-mod-conntrack - select PACKAGE_iptables-mod-extra - select PACKAGE_iptables-mod-ipopt - select PACKAGE_iptables-mod-ulog - select PACKAGE_kmod-ipt-nathelper - -endchoice diff --git a/package/firewall/Makefile b/package/firewall/Makefile index e073b5771c..23f23e6dc1 100644 --- a/package/firewall/Makefile +++ b/package/firewall/Makefile @@ -18,52 +18,30 @@ define Package/firewall CATEGORY:=Base system URL:=http://openwrt.org/ TITLE:=OpenWrt firewall - DEPENDS:=+iptables + DEPENDS:=+iptables +iptables-mod-ipopt +iptables-mod-extra endef define Package/firewall/description firewall for openwrt, you can select if you want to use the old version or the new uci based script endef -define Package/firewall/config - source "$(SOURCE)/Config.in" -endef - define Build/Compile true endef -ifeq ($(CONFIG_FIREWALL_NEW),y) define Package/firewall/conffiles /etc/config/firewall endef define Package/firewall/install $(INSTALL_DIR) $(1)/lib/firewall - $(INSTALL_DATA) ./files/new/uci_firewall.sh $(1)/lib/firewall + $(INSTALL_DATA) ./files/uci_firewall.sh $(1)/lib/firewall $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DATA) ./files/new/firewall.config $(1)/etc/config/firewall + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall $(INSTALL_DIR) $(1)/etc/init.d/ - $(INSTALL_BIN) ./files/new/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall $(INSTALL_DIR) $(1)/etc/hotplug.d/iface - $(INSTALL_DATA) ./files/new/20-firewall $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/20-firewall $(1)/etc/hotplug.d/iface endef -else - -define Package/firewall/conffiles -/etc/firewall.config -/etc/firewall.user -endef - -define Package/firewall/install - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DATA) ./files/old/firewall.config $(1)/etc/ - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/old/firewall.init $(1)/etc/init.d/firewall - $(INSTALL_BIN) ./files/old/firewall.user $(1)/etc/ - $(INSTALL_DIR) $(1)/usr/lib - $(INSTALL_DATA) ./files/old/firewall.awk $(1)/usr/lib -endef -endif $(eval $(call BuildPackage,firewall)) diff --git a/package/firewall/files/20-firewall b/package/firewall/files/20-firewall new file mode 100644 index 0000000000..126fb9bad0 --- /dev/null +++ b/package/firewall/files/20-firewall @@ -0,0 +1,39 @@ +. /lib/firewall/uci_firewall.sh +unset ZONE +config_get ifname $INTERFACE ifname +INTERFACE=$ifname +[ "$INTERFACE" == "lo" ] && exit 0 +load_zones() { + local name + local network + config_get name $1 name + config_get network $1 network + [ -z "$network" ] && network=$name + for n in $network; do + local ifname + config_get ifname $n ifname + list_contains ifname $INTERFACE && { + list_contains ZONE $name || ZONE="$ZONE $name" + } + done +} + +config_foreach load_zones zone + +[ -z "$ZONE" ] && exit 0 + +[ ifup = "$ACTION" ] && { + for z in $ZONE; do + local loaded + config_get loaded core loaded + [ -n "$loaded" ] && addif $INTERFACE $z + done +} + +[ ifdown = "$ACTION" ] && { + for z in $ZONE; do + local up + config_get up $z up + [ "$up" == "1" ] && delif $INTERFACE $z + done +} diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config new file mode 100755 index 0000000000..073169013d --- /dev/null +++ b/package/firewall/files/firewall.config @@ -0,0 +1,80 @@ +config defaults + option syn_flood 1 + option input DROP + option output ACCEPT + option forward DROP + +config zone + option name lan + option input ACCEPT + option output ACCEPT + option forward DROP + +config zone + option name wan + option input DROP + option output ACCEPT + option forward DROP + option masq 1 + +config forwarding + option src lan + option dest wan + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option protocol tcp + +# include a file with users custom iptables rules +#config include +# option path /etc/firewall.user + + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/firewall/files/firewall.init b/package/firewall/files/firewall.init new file mode 100755 index 0000000000..26855f39ad --- /dev/null +++ b/package/firewall/files/firewall.init @@ -0,0 +1,14 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2008 OpenWrt.org + +START=45 + +start() { + . /lib/firewall/uci_firewall.sh + fw_init +} + +stop() { + . /lib/firewall/uci_firewall.sh + fw_stop +} diff --git a/package/firewall/files/new/20-firewall b/package/firewall/files/new/20-firewall deleted file mode 100644 index 126fb9bad0..0000000000 --- a/package/firewall/files/new/20-firewall +++ /dev/null @@ -1,39 +0,0 @@ -. /lib/firewall/uci_firewall.sh -unset ZONE -config_get ifname $INTERFACE ifname -INTERFACE=$ifname -[ "$INTERFACE" == "lo" ] && exit 0 -load_zones() { - local name - local network - config_get name $1 name - config_get network $1 network - [ -z "$network" ] && network=$name - for n in $network; do - local ifname - config_get ifname $n ifname - list_contains ifname $INTERFACE && { - list_contains ZONE $name || ZONE="$ZONE $name" - } - done -} - -config_foreach load_zones zone - -[ -z "$ZONE" ] && exit 0 - -[ ifup = "$ACTION" ] && { - for z in $ZONE; do - local loaded - config_get loaded core loaded - [ -n "$loaded" ] && addif $INTERFACE $z - done -} - -[ ifdown = "$ACTION" ] && { - for z in $ZONE; do - local up - config_get up $z up - [ "$up" == "1" ] && delif $INTERFACE $z - done -} diff --git a/package/firewall/files/new/firewall.config b/package/firewall/files/new/firewall.config deleted file mode 100755 index 073169013d..0000000000 --- a/package/firewall/files/new/firewall.config +++ /dev/null @@ -1,80 +0,0 @@ -config defaults - option syn_flood 1 - option input DROP - option output ACCEPT - option forward DROP - -config zone - option name lan - option input ACCEPT - option output ACCEPT - option forward DROP - -config zone - option name wan - option input DROP - option output ACCEPT - option forward DROP - option masq 1 - -config forwarding - option src lan - option dest wan - - -### EXAMPLE CONFIG SECTIONS -# do not allow a specific ip to access wan -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option dest wan -# option proto tcp -# option target REJECT - -# block a specific mac on wan -#config rule -# option dest wan -# option src_mac 00:11:22:33:44:66 -# option target REJECT - -# block incoming ICMP traffic on a zone -#config rule -# option src lan -# option proto ICMP -# option target DROP - -# port redirect port coming in on wan to lan -#config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.16.235 -# option dest_port 80 -# option protocol tcp - -# include a file with users custom iptables rules -#config include -# option path /etc/firewall.user - - -### FULL CONFIG SECTIONS -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 80 -# option dest wan -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp -# option target REJECT - -#config redirect -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 1024 -# option src_dport 80 -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp diff --git a/package/firewall/files/new/firewall.init b/package/firewall/files/new/firewall.init deleted file mode 100755 index 26855f39ad..0000000000 --- a/package/firewall/files/new/firewall.init +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2008 OpenWrt.org - -START=45 - -start() { - . /lib/firewall/uci_firewall.sh - fw_init -} - -stop() { - . /lib/firewall/uci_firewall.sh - fw_stop -} diff --git a/package/firewall/files/new/uci_firewall.sh b/package/firewall/files/new/uci_firewall.sh deleted file mode 100755 index e1683e9cf0..0000000000 --- a/package/firewall/files/new/uci_firewall.sh +++ /dev/null @@ -1,285 +0,0 @@ -#!/bin/sh -# Copyright (C) 2008 John Crispin - -. /etc/functions.sh - -IPTABLES="echo iptables" -IPTABLES=iptables - -config_clear -include /lib/network -scan_interfaces - -CONFIG_APPEND=1 -config_load firewall - -config fw_zones -ZONE_LIST=$CONFIG_SECTION - -DEF_INPUT=DROP -DEF_OUTPUT=DROP -DEF_FORWARD=DROP - -load_policy() { - config_get input $1 input - config_get output $1 output - config_get forward $1 forward - - [ -z "$input" ] && input=$DEF_INPUT - [ -z "$output" ] && output=$DEF_OUTPUT - [ -z "$forward" ] && forward=$DEF_FORWARD -} - -create_zone() { - local exists - - [ "$1" == "loopback" ] && return - - config_get exists $ZONE_LIST $1 - [ -n "$exists" ] && return - config_set $ZONE_LIST $1 1 - - $IPTABLES -N zone_$1 - $IPTABLES -N zone_$1_ACCEPT - $IPTABLES -N zone_$1_DROP - $IPTABLES -N zone_$1_REJECT - $IPTABLES -N zone_$1_forward - $IPTABLES -A zone_$1_forward -j zone_$1_$5 - $IPTABLES -A zone_$1 -j zone_$1_$3 - $IPTABLES -A OUTPUT -j zone_$1_$4 - $IPTABLES -N zone_$1_nat -t nat - $IPTABLES -N zone_$1_prerouting -t nat - [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat -} - -addif() { - logger "adding $1 to firewall zone $2" - $IPTABLES -A INPUT -i $1 -j zone_$2 - $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT - $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP - $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT - $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT - $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP - $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT - $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE - $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting - $IPTABLES -A FORWARD -i $1 -j zone_$2_forward -} - -delif() { - logger "removing $1 from firewall zone $2" - $IPTABLES -D INPUT -i $1 -j zone_$2 - $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT - $IPTABLES -D zone_$2_DROP -o $1 -j DROP - $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT - $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT - $IPTABLES -D zone_$2_DROP -i $1 -j DROP - $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT - $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE - $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting - $IPTABLES -D FORWARD -i $1 -j zone_$2_forward -} - -load_synflood() { - echo "Loading synflood protection" - $IPTABLES -N SYN_FLOOD - $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN - $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN - $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN - $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: " - $IPTABLES -A SYN_FLOOD -j DROP - $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD -} - -fw_defaults() { - load_policy $1 - DEF_INPUT=$input - DEF_OUTPUT=$output - DEF_FORWARD=$forward - - echo 1 > /proc/sys/net/ipv4/tcp_syncookies - for f in /proc/sys/net/ipv4/conf/*/accept_redirects - do - echo 0 > $f - done - for f in /proc/sys/net/ipv4/conf/*/accept_source_route - do - echo 0 > $f - done - - $IPTABLES -F - $IPTABLES -t nat -F - $IPTABLES -t mangle -F - $IPTABLES -X -t nat - $IPTABLES -X - - $IPTABLES -P INPUT $input - $IPTABLES -A INPUT -m state --state INVALID -j DROP - $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - $IPTABLES -P OUTPUT $output - $IPTABLES -A OUTPUT -m state --state INVALID -j DROP - $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - $IPTABLES -P FORWARD $forward - $IPTABLES -A FORWARD -m state --state INVALID -j DROP - $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - - $IPTABLES -A INPUT -i lo -j ACCEPT - $IPTABLES -A OUTPUT -o lo -j ACCEPT - - config_get syn_flood $1 syn_flood - config_get syn_rate $1 syn_rate - config_get syn_burst $1 syn_burst - - [ -z "$syn_rate" ] && syn_rate=25 - [ -z "$syn_burst" ] && syn_burst=50 - [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst -} - -fw_zone() { - local name - local network - local masq - - config_get name $1 name - config_get network $1 network - config_get masq $1 masq - load_policy $1 - - [ -z "$network" ] && network=$name - create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" -} - -fw_rule() { - local src - local src_ip - local src_mac - local src_port - local src_mac - local dest - local dest_ip - local dest_port - local proto - local target - - config_get src $1 src - config_get src_ip $1 src_ip - config_get src_mac $1 src_mac - config_get src_port $1 src_port - config_get dest $1 dest - config_get dest_ip $1 dest_ip - config_get dest_port $1 dest_port - config_get proto $1 proto - config_get target $1 target - config_get ruleset $1 ruleset - - [ -z "$target" ] && target=DROP - [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT - [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target - $IPTABLES -I $ZONE 1 \ - ${proto:+-p $proto} \ - ${src_ip:+-s $src_ip} \ - ${src_port:+--sport $src_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - ${dest_ip:+-d $dest_ip} \ - ${dest_port:+--dport $dest_port} \ - -j $TARGET -} - -fw_forwarding() { - local src - local dest - local masq - - config_get src $1 src - config_get dest $1 dest - [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD - [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT - $IPTABLES -I $z_src 1 -j $z_dest -} - -fw_redirect() { - local src - local src_ip - local src_port - local src_dport - local src_mac - local dest_ip - local dest_port - local protocol - - config_get src $1 src - config_get src_ip $1 src_ip - config_get src_port $1 src_port - config_get src_dport $1 src_dport - config_get src_mac $1 src_mac - config_get dest_ip $1 dest_ip - config_get dest_port $1 dest_port - config_get protocol $1 protocol - [ -z "$src" -o -z "$dest_ip" ] && { \ - echo "redirect needs src and dest_ip"; return ; } - $IPTABLES -A zone_${src}_prerouting -t nat \ - ${protocol:+-p $protocol} \ - ${src_ip:+-s $srcdip} \ - ${src_port:+--sport $src_port} \ - ${src_dport:+--dport $src_dport} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} - $IPTABLES -I zone_${src}_forward 1 \ - ${protocol:+-p $protocol} \ - -d $dest_ip \ - ${src_ip:+-s $srcdip} \ - ${src_port:+--sport $src_port} \ - ${dest_port:+--dport $dest_port} \ - ${src_mac:+-m mac --mac-source $src_mac} \ - -j ACCEPT -} - -fw_include() { - local path - config_get path $1 path - [ -e $path ] && . $path -} - -fw_addif() { - local up - local ifname - config_get up $1 up - config_get ifname $1 ifname - [ -n "$up" ] || return 0 - (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall) -} - -fw_init() { - echo "Loading defaults" - config_foreach fw_defaults defaults - echo "Loading zones" - config_foreach fw_zone zone - echo "Loading rules" - config_foreach fw_rule rule - echo "Loading forwarding" - config_foreach fw_forwarding forwarding - echo "Loading redirects" - config_foreach fw_redirect redirect - echo "Loading includes" - config_foreach fw_include include - - uci_set_state firewall core "" firewall_state - uci_set_state firewall core loaded 1 - unset CONFIG_APPEND - config_load network - config_foreach fw_addif interface -} - -fw_stop() { - $IPTABLES -F - $IPTABLES -t nat -F - $IPTABLES -t mangle -F - $IPTABLES -X -t nat - $IPTABLES -X - $IPTABLES -P INPUT ACCEPT - $IPTABLES -P OUTPUT ACCEPT - $IPTABLES -P FORWARD ACCEPT -} diff --git a/package/firewall/files/old/firewall.awk b/package/firewall/files/old/firewall.awk deleted file mode 100644 index 31dbae0f33..0000000000 --- a/package/firewall/files/old/firewall.awk +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright (C) 2006 OpenWrt.org - -BEGIN { - FS=":" -} - -($1 == "accept") || ($1 == "drop") || ($1 == "forward") { - delete _opt - str2data($2) - if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) { - _opt[0] = " -p tcp" - _opt[1] = " -p udp" - } else { - _opt[0] = "" - } -} - -($1 == "accept") { - target = " -j ACCEPT" - for (o in _opt) { - print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target - print "iptables -A input_wan " _opt[o] str2ipt($2) target - print "" - } -} - -($1 == "drop") { - for (o in _opt) { - print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) " -j DROP" - print "" - } -} - -($1 == "forward") { - target = " -j DNAT --to " $3 - fwopts = "" - if ($4 != "") { - if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) { - if (_l["proto"] != "") fwopts = " -p " _l["proto"] - fwopts = fwopts " --dport " $4 - target = target ":" $4 - } - else fwopts = "" - } - for (o in _opt) { - print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target - print "iptables -A forwarding_wan " _opt[o] " -d " $3 fwopts " -j ACCEPT" - print "" - } -} diff --git a/package/firewall/files/old/firewall.config b/package/firewall/files/old/firewall.config deleted file mode 100644 index 1b92954c93..0000000000 --- a/package/firewall/files/old/firewall.config +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright (C) 2006 OpenWrt.org - -# RULE SYNTAX: -# -# forward::[:] -# - forwards all packets matched by to , -# optionally changing the port to -# -# accept: -# - accepts all traffic matched by -# -# drop: -# - drops all traffic matched by -# -# -# MATCHING OPTIONS: -# -# src= -# - match the source ip -# -# dest= -# - match the destination ip -# -# proto= -# - match the protocol by name or number -# -# sport= -# - match the source port(s), see below for syntax -# -# dport= -# - match the destination port(s), see below for syntax -# -# -# -# PORT SYNTAX: -# -# You can enter an arbitrary list of ports and port ranges in the following format: -# - 22,53,993,1000-1024 -# -# If you don't set the protocol to tcp or udp, it will apply to both -# -# -# -# EXAMPLES: -# -# drop:dport=22 src=1.3.3.7 -# accept:proto=tcp dport=22 -# forward:dport=60168:192.168.1.2:60169 diff --git a/package/firewall/files/old/firewall.init b/package/firewall/files/old/firewall.init deleted file mode 100755 index 0da97f836f..0000000000 --- a/package/firewall/files/old/firewall.init +++ /dev/null @@ -1,142 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2006 OpenWrt.org - -## Please make changes in /etc/firewall.user -START=45 -start() { - include /lib/network - scan_interfaces - - config_get WAN wan ifname - config_get WANDEV wan device - config_get LAN lan ifname - config_get_bool NAT_LAN lan nat 1 - if [ $NAT_LAN -ne 0 ] - then - config_get LAN_MASK lan netmask - config_get LAN_IP lan ipaddr - LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2) - fi - - ## CLEAR TABLES - for T in filter nat; do - iptables -t $T -F - iptables -t $T -X - done - - iptables -N input_rule - iptables -N input_wan - iptables -N output_rule - iptables -N forwarding_rule - iptables -N forwarding_wan - - iptables -t nat -N NEW - iptables -t nat -N prerouting_rule - iptables -t nat -N prerouting_wan - iptables -t nat -N postrouting_rule - - iptables -N LAN_ACCEPT - [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN - [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN - iptables -A LAN_ACCEPT -j ACCEPT - - ### INPUT - ### (connections with the router as destination) - - # base case - iptables -P INPUT DROP - iptables -A INPUT -m state --state INVALID -j DROP - iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A INPUT -j input_rule - [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan - - # allow - iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces - iptables -A INPUT -p icmp -j ACCEPT # allow ICMP - iptables -A INPUT -p gre -j ACCEPT # allow GRE - - # reject (what to do with anything not allowed earlier) - iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable - - ### OUTPUT - ### (connections with the router as source) - - # base case - iptables -P OUTPUT DROP - iptables -A OUTPUT -m state --state INVALID -j DROP - iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A OUTPUT -j output_rule - - # allow - iptables -A OUTPUT -j ACCEPT #allow everything out - - # reject (what to do with anything not allowed earlier) - iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable - - ### FORWARDING - ### (connections routed through the router) - - # base case - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state INVALID -j DROP - iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A FORWARD -j forwarding_rule - [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan - - # allow - iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT - [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT - - # reject (what to do with anything not allowed earlier) - # uses the default -P DROP - - ### MASQ - iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW - iptables -t nat -A PREROUTING -j prerouting_rule - [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan - iptables -t nat -A POSTROUTING -j postrouting_rule - ### Only LAN, unless told not to - if [ $NAT_LAN -ne 0 ] - then - [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE - fi - - iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \ - iptables -t nat -A NEW -j DROP - - ## USER RULES - [ -f /etc/firewall.user ] && . /etc/firewall.user - [ -n "$WAN" -a -e /etc/firewall.config ] && { - export WAN - awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash - } -} - -stop() { - iptables -P INPUT ACCEPT - iptables -P OUTPUT ACCEPT - iptables -P FORWARD ACCEPT - iptables -F - iptables -X - iptables -t nat -P PREROUTING ACCEPT - iptables -t nat -P POSTROUTING ACCEPT - iptables -t nat -P OUTPUT ACCEPT - iptables -t nat -F - iptables -t nat -X -} diff --git a/package/firewall/files/old/firewall.user b/package/firewall/files/old/firewall.user deleted file mode 100644 index f4eb18ef7d..0000000000 --- a/package/firewall/files/old/firewall.user +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -# Copyright (C) 2006 OpenWrt.org - -iptables -F input_rule -iptables -F output_rule -iptables -F forwarding_rule -iptables -t nat -F prerouting_rule -iptables -t nat -F postrouting_rule - -# The following chains are for traffic directed at the IP of the -# WAN interface - -iptables -F input_wan -iptables -F forwarding_wan -iptables -t nat -F prerouting_wan - -### Open port to WAN -## -- This allows port 22 to be answered by (dropbear on) the router -# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT -# iptables -A input_wan -p tcp --dport 22 -j ACCEPT - -### Port forwarding -## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2 -# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80 -# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT - -### DMZ -## -- Connections to ports not handled above will be forwarded to 192.168.1.2 -# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2 -# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh new file mode 100755 index 0000000000..e1683e9cf0 --- /dev/null +++ b/package/firewall/files/uci_firewall.sh @@ -0,0 +1,285 @@ +#!/bin/sh +# Copyright (C) 2008 John Crispin + +. /etc/functions.sh + +IPTABLES="echo iptables" +IPTABLES=iptables + +config_clear +include /lib/network +scan_interfaces + +CONFIG_APPEND=1 +config_load firewall + +config fw_zones +ZONE_LIST=$CONFIG_SECTION + +DEF_INPUT=DROP +DEF_OUTPUT=DROP +DEF_FORWARD=DROP + +load_policy() { + config_get input $1 input + config_get output $1 output + config_get forward $1 forward + + [ -z "$input" ] && input=$DEF_INPUT + [ -z "$output" ] && output=$DEF_OUTPUT + [ -z "$forward" ] && forward=$DEF_FORWARD +} + +create_zone() { + local exists + + [ "$1" == "loopback" ] && return + + config_get exists $ZONE_LIST $1 + [ -n "$exists" ] && return + config_set $ZONE_LIST $1 1 + + $IPTABLES -N zone_$1 + $IPTABLES -N zone_$1_ACCEPT + $IPTABLES -N zone_$1_DROP + $IPTABLES -N zone_$1_REJECT + $IPTABLES -N zone_$1_forward + $IPTABLES -A zone_$1_forward -j zone_$1_$5 + $IPTABLES -A zone_$1 -j zone_$1_$3 + $IPTABLES -A OUTPUT -j zone_$1_$4 + $IPTABLES -N zone_$1_nat -t nat + $IPTABLES -N zone_$1_prerouting -t nat + [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat +} + +addif() { + logger "adding $1 to firewall zone $2" + $IPTABLES -A INPUT -i $1 -j zone_$2 + $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT + $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP + $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT + $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT + $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP + $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT + $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE + $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting + $IPTABLES -A FORWARD -i $1 -j zone_$2_forward +} + +delif() { + logger "removing $1 from firewall zone $2" + $IPTABLES -D INPUT -i $1 -j zone_$2 + $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT + $IPTABLES -D zone_$2_DROP -o $1 -j DROP + $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT + $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT + $IPTABLES -D zone_$2_DROP -i $1 -j DROP + $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT + $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE + $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting + $IPTABLES -D FORWARD -i $1 -j zone_$2_forward +} + +load_synflood() { + echo "Loading synflood protection" + $IPTABLES -N SYN_FLOOD + $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN + $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN + $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN + $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: " + $IPTABLES -A SYN_FLOOD -j DROP + $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD +} + +fw_defaults() { + load_policy $1 + DEF_INPUT=$input + DEF_OUTPUT=$output + DEF_FORWARD=$forward + + echo 1 > /proc/sys/net/ipv4/tcp_syncookies + for f in /proc/sys/net/ipv4/conf/*/accept_redirects + do + echo 0 > $f + done + for f in /proc/sys/net/ipv4/conf/*/accept_source_route + do + echo 0 > $f + done + + $IPTABLES -F + $IPTABLES -t nat -F + $IPTABLES -t mangle -F + $IPTABLES -X -t nat + $IPTABLES -X + + $IPTABLES -P INPUT $input + $IPTABLES -A INPUT -m state --state INVALID -j DROP + $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -P OUTPUT $output + $IPTABLES -A OUTPUT -m state --state INVALID -j DROP + $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -P FORWARD $forward + $IPTABLES -A FORWARD -m state --state INVALID -j DROP + $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -A INPUT -i lo -j ACCEPT + $IPTABLES -A OUTPUT -o lo -j ACCEPT + + config_get syn_flood $1 syn_flood + config_get syn_rate $1 syn_rate + config_get syn_burst $1 syn_burst + + [ -z "$syn_rate" ] && syn_rate=25 + [ -z "$syn_burst" ] && syn_burst=50 + [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst +} + +fw_zone() { + local name + local network + local masq + + config_get name $1 name + config_get network $1 network + config_get masq $1 masq + load_policy $1 + + [ -z "$network" ] && network=$name + create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" +} + +fw_rule() { + local src + local src_ip + local src_mac + local src_port + local src_mac + local dest + local dest_ip + local dest_port + local proto + local target + + config_get src $1 src + config_get src_ip $1 src_ip + config_get src_mac $1 src_mac + config_get src_port $1 src_port + config_get dest $1 dest + config_get dest_ip $1 dest_ip + config_get dest_port $1 dest_port + config_get proto $1 proto + config_get target $1 target + config_get ruleset $1 ruleset + + [ -z "$target" ] && target=DROP + [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT + [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target + $IPTABLES -I $ZONE 1 \ + ${proto:+-p $proto} \ + ${src_ip:+-s $src_ip} \ + ${src_port:+--sport $src_port} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + ${dest_ip:+-d $dest_ip} \ + ${dest_port:+--dport $dest_port} \ + -j $TARGET +} + +fw_forwarding() { + local src + local dest + local masq + + config_get src $1 src + config_get dest $1 dest + [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD + [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT + $IPTABLES -I $z_src 1 -j $z_dest +} + +fw_redirect() { + local src + local src_ip + local src_port + local src_dport + local src_mac + local dest_ip + local dest_port + local protocol + + config_get src $1 src + config_get src_ip $1 src_ip + config_get src_port $1 src_port + config_get src_dport $1 src_dport + config_get src_mac $1 src_mac + config_get dest_ip $1 dest_ip + config_get dest_port $1 dest_port + config_get protocol $1 protocol + [ -z "$src" -o -z "$dest_ip" ] && { \ + echo "redirect needs src and dest_ip"; return ; } + $IPTABLES -A zone_${src}_prerouting -t nat \ + ${protocol:+-p $protocol} \ + ${src_ip:+-s $srcdip} \ + ${src_port:+--sport $src_port} \ + ${src_dport:+--dport $src_dport} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} + $IPTABLES -I zone_${src}_forward 1 \ + ${protocol:+-p $protocol} \ + -d $dest_ip \ + ${src_ip:+-s $srcdip} \ + ${src_port:+--sport $src_port} \ + ${dest_port:+--dport $dest_port} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j ACCEPT +} + +fw_include() { + local path + config_get path $1 path + [ -e $path ] && . $path +} + +fw_addif() { + local up + local ifname + config_get up $1 up + config_get ifname $1 ifname + [ -n "$up" ] || return 0 + (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall) +} + +fw_init() { + echo "Loading defaults" + config_foreach fw_defaults defaults + echo "Loading zones" + config_foreach fw_zone zone + echo "Loading rules" + config_foreach fw_rule rule + echo "Loading forwarding" + config_foreach fw_forwarding forwarding + echo "Loading redirects" + config_foreach fw_redirect redirect + echo "Loading includes" + config_foreach fw_include include + + uci_set_state firewall core "" firewall_state + uci_set_state firewall core loaded 1 + unset CONFIG_APPEND + config_load network + config_foreach fw_addif interface +} + +fw_stop() { + $IPTABLES -F + $IPTABLES -t nat -F + $IPTABLES -t mangle -F + $IPTABLES -X -t nat + $IPTABLES -X + $IPTABLES -P INPUT ACCEPT + $IPTABLES -P OUTPUT ACCEPT + $IPTABLES -P FORWARD ACCEPT +}