firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support list of IPv4 addresses to ban ('ban_ipv4.list'). Change handling of bridged interfaces.

Browse Source
This commit is contained in:
Christoph 2018-10-01 04:06:17 +02:00
parent 9e7a82e408
commit 1a57a304e6
2 changed files with 225 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ip6t-firewall-server
View File

@ -12,6 +12,10 @@
CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf
if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)"
fi
# ------------- Load Kernel Modules -------------
#
@ -98,9 +102,9 @@ fi # if ! $host_is_vm
# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_init_script" ]; then
if [ -x "$fail2ban_client" ]; then
echononl "\tStopping fail2ban.."
$fail2ban_init_script stop > /dev/null 2>&1
$fail2ban_client stop > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
@ -148,7 +152,19 @@ echo
echononl "\tDo not firewall bridged traffic"
if $do_not_firewall_bridged_traffic ; then
# - Matches if the packet is being bridged and therefore is not being routed.
# - This is only useful in the FORWARD and POSTROUTING chains.
# -
$ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# - Matches if the packet has entered through a bridge interface.
# -
$ip6t -I FORWARD -m physdev --physdev-is-in -j ACCEPT
# - Matches if the packet will leave through a bridge interface.
# -
$ip6t -I FORWARD -m physdev --physdev-is-out -j ACCEPT
echo_done
else
echo_skipped
@ -1381,10 +1397,10 @@ echo_done
# ------------- Start Fail2Ban if installed
# -------------
if [ -x "$fail2ban_init_script" ]; then
if [ -x "$fail2ban_client" ]; then
echo
echononl "\tStarting fail2ban.."
$fail2ban_init_script start > /dev/null 2>&1
$fail2ban_client start > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else

211
ipt-firewall-server
View File

@ -10,7 +10,12 @@
# Short-Description: IPv4 Firewall
### END INIT INFO
CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf
CONFIG_DIR="/etc/ipt-firewall"
CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf"
if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)"
fi
# ------------- Load Kernel Modules -------------
@ -177,9 +182,9 @@ fi
# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_init_script" ]; then
if [ -x "$fail2ban_client" ]; then
echononl "\tStopping fail2ban.."
$fail2ban_init_script stop > /dev/null 2>&1
$fail2ban_client stop > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
@ -227,7 +232,19 @@ echo
echononl "\tDo not firewall bridged traffic"
if $do_not_firewall_bridged_traffic ; then
# - Matches if the packet is being bridged and therefore is not being routed.
# - This is only useful in the FORWARD and POSTROUTING chains.
# -
$ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# - Matches if the packet has entered through a bridge interface.
# -
$ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT
# - Matches if the packet will leave through a bridge interface.
# -
$ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT
echo_done
else
echo_skipped
@ -323,6 +340,187 @@ done
echo_done # Block IPs / Networks / Interfaces..
# ---
# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
# ---
echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."
if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then
declare -a octets
declare -i index
while IFS='' read -r _line || [[ -n $_line ]] ; do
is_valid_ipv4=true
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
# Ignore blank lines
#
[[ $_line =~ ^[[:space:]]*$ ]] && continue
# Remove leading whitespace characters
#
_line="${_line#"${_line%%[![:space:]]*}"}"
# Catch IPv4 Address
#
given_ipv4="$(echo $_line | cut -d ' ' -f1)"
# Splitt Ipv4 address from possible given CIDR number
#
IFS='/' read -ra _addr <<< "$given_ipv4"
_ipv4="${_addr[0]}"
if [[ -n "${_addr[1]}" ]] ; then
_mask="${_addr[1]}"
test_netmask=false
# Is 'mask' a valid CIDR number? If not, test agains a valid netmask
#
if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
test_netmask=true
else
if [[ $_mask -gt 32 ]]; then
# Its not a vaild cidr number, but naybe a valit netmask.
#
test_netmask=true
else
# OK, we have a vaild cidr number between '0' and '32'
#
mask=$_mask
fi
fi
# Test if given '_mask' is a valid netmask.
#
if $test_netmask ; then
octets=( ${_mask//\./ } )
# Complete netmask if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
done
[[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_mask=false
fi
if [[ $index -gt 0 ]] ; then
mask="${mask}.${octet}"
else
mask="${octet}"
fi
else
is_valid_mask=false
fi
((index++))
done
fi
adjust_mask=false
else
mask=32
adjust_mask=true
fi
# Splitt given address into their octets
#
octets=( ${_ipv4//\./ } )
# Complete IPv4 address if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
# Only adjust CIDR number if not given
#
if $adjust_mask ; then
mask="$(expr $mask - 8)"
fi
done
# Pre-check if given IPv4 Address seems to be a valid address
#
[[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
# Check if given IPv4 Address is a valid address
#
if $is_valid_ipv4 ; then
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_ipv4=false
fi
if [[ $index -gt 0 ]] ; then
ipv4="${ipv4}.${octet}"
else
ipv4="${octet}"
fi
else
is_valid_ipv4=false
fi
((index++))
done
fi
if $is_valid_ipv4 && $is_valid_mask; then
_ip="${ipv4}/${mask}"
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
else
msg="$msg '${given_ipv4}'"
fi
done < "${CONFIG_DIR}/ban_ipv4.list"
echo_done
if [[ -n "$msg" ]]; then
warn "Ignored:$msg"
fi
else
echo_skipped
fi
# ---
# - Allow Forwarding certain private Addresses
# ---
@ -1574,13 +1772,14 @@ echo_done
# -------------
# ------------- Start Fail2Ban if installed
# -------------
if [ -x "$fail2ban_init_script" ]; then
if [ -x "$fail2ban_client" ]; then
echo
echononl "\tStarting fail2ban.."
$fail2ban_init_script start > /dev/null 2>&1
$fail2ban_client start > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
elif [ "$?" = "255" ]; then
echo_skipped
else
echo_failed
fi