diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 0c104d5..e2694ed 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -12,6 +12,10 @@ CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf +if [[ -z "$fail2ban_client" ]]; then + fail2ban_client="$(which fail2ban-client)" +fi + # ------------- Load Kernel Modules ------------- # @@ -98,9 +102,9 @@ fi # if ! $host_is_vm # ------------- Stop Fail2Ban if installed ------------- # -if [ -x "$fail2ban_init_script" ]; then +if [ -x "$fail2ban_client" ]; then echononl "\tStopping fail2ban.." - $fail2ban_init_script stop > /dev/null 2>&1 + $fail2ban_client stop > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else @@ -148,7 +152,19 @@ echo echononl "\tDo not firewall bridged traffic" if $do_not_firewall_bridged_traffic ; then + + # - Matches if the packet is being bridged and therefore is not being routed. + # - This is only useful in the FORWARD and POSTROUTING chains. + # - $ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + + # - Matches if the packet has entered through a bridge interface. + # - + $ip6t -I FORWARD -m physdev --physdev-is-in -j ACCEPT + # - Matches if the packet will leave through a bridge interface. + # - + $ip6t -I FORWARD -m physdev --physdev-is-out -j ACCEPT + echo_done else echo_skipped @@ -1381,10 +1397,10 @@ echo_done # ------------- Start Fail2Ban if installed # ------------- -if [ -x "$fail2ban_init_script" ]; then +if [ -x "$fail2ban_client" ]; then echo echononl "\tStarting fail2ban.." - $fail2ban_init_script start > /dev/null 2>&1 + $fail2ban_client start > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else diff --git a/ipt-firewall-server b/ipt-firewall-server index 48378e8..e814112 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
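Review bot: The new fallback `fail2ban_client="$(which fail2ban-client)"` relies on an external `which`, which is not POSIX, can be absent on minimal systems, and on current Debian prints a deprecation warning to stderr that this line does not redirect. The builtin `fail2ban_client="$(command -v fail2ban-client)"` serves the `[ -x ... ]` checks that follow equally well and is silent when the tool is missing. Because this is a root-run init script that later executes the found path, the lookup also trusts whatever `PATH` the caller provides; if the script does not pin `PATH` itself before this point (not visible in the hunk), doing so would be prudent.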
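Review bot: Once `$fail2ban_client stop` succeeds, fail2ban stays down until the matching start block near the end of the script (around new line 1397), so an abort anywhere in the roughly 1300 lines of rule loading in between leaves the host without fail2ban and with nothing but a missing `echo_done` to show for it. Consider arming a restart immediately after a successful stop, e.g. `trap '$fail2ban_client start > /dev/null 2>&1' EXIT`, and clearing it with `trap - EXIT` once the normal start path has run. Note also that `-x "$fail2ban_client"` only proves the client binary is installed; running `stop` against a server that is not up returns non-zero, which this block reports as a failure rather than a no-op.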
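Review bot: The two rules actually inserted, `--physdev-is-in` and `--physdev-is-out`, are broader than the option the hunk's own comment describes: `--physdev-is-in` matches any packet that entered through a bridge port, including packets the host then routes (a VM on the bridge reaching the Internet via the host, for instance), so with `do_not_firewall_bridged_traffic` set those flows are accepted at the top of FORWARD ahead of every later FORWARD rule, whereas `--physdev-is-bridged` (left commented out) matches only frames that are really being bridged. For the stated purpose the single rule `$ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT` is the correct match; if the in/out variants are kept they should be qualified with `--physdev-is-bridged`. If I recall correctly, xt_physdev also logs a kernel warning when `--physdev-is-out` is used without `--physdev-is-bridged`, which is worth confirming on the target kernel.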
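Review bot: This start block in the IPv6 script did not receive the status-255 special case that the same commit adds to the IPv4 script's start block, so the two scripts now report a non-zero return from `fail2ban-client start` differently. Whatever status 255 is meant to signal, it should be captured right after the command (`rc=$?`) and tested from that variable in both scripts, since `$?` is overwritten by the first `[ ... ]` test. Sending both stdout and stderr to /dev/null also discards fail2ban-client's own error text, leaving `echo_failed` as the only diagnostic for a failed start.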
@@ -10,7 +10,12 @@ # Short-Description: IPv4 Firewall ### END INIT INFO -CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf +CONFIG_DIR="/etc/ipt-firewall" +CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf" + +if [[ -z "$fail2ban_client" ]]; then + fail2ban_client="$(which fail2ban-client)" +fi # ------------- Load Kernel Modules ------------- @@ -177,9 +182,9 @@ fi # ------------- Stop Fail2Ban if installed ------------- # -if [ -x "$fail2ban_init_script" ]; then +if [ -x "$fail2ban_client" ]; then echononl "\tStopping fail2ban.." - $fail2ban_init_script stop > /dev/null 2>&1 + $fail2ban_client stop > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else @@ -227,7 +232,19 @@ echo echononl "\tDo not firewall bridged traffic" if $do_not_firewall_bridged_traffic ; then + + # - Matches if the packet is being bridged and therefore is not being routed. + # - This is only useful in the FORWARD and POSTROUTING chains. + # - $ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + + # - Matches if the packet has entered through a bridge interface. + # - + $ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT + # - Matches if the packet will leave through a bridge interface. + # - + $ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT + echo_done else echo_skipped 
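Review bot: The guard `if [[ -z "$fail2ban_client" ]]` runs before `CONFIG_FILE` can have been sourced (the sourcing is outside this hunk), so the only value it can preserve is one inherited from the caller's environment, and that path is later executed as root by the stop and start blocks. If an override is intended it belongs in the config file, in which case the guard can go and the lookup become unconditional; if the script is only ever launched by init or systemd the environment is normally clean, but nothing here enforces that. Independently, the builtin `command -v fail2ban-client` is preferable to the external `which`: it is POSIX, always available in bash, and silent when the tool is absent.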
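Review bot: `-x "$fail2ban_client"` only shows that the client binary is installed, not that a fail2ban server is running, so on a host where fail2ban is installed but disabled the new `$fail2ban_client stop` returns non-zero and this block prints `echo_failed` for what is really a no-op; the start block later in this same file gets a special case for one such status, this stop block does not. A cheap probe before stopping, such as `if $fail2ban_client ping > /dev/null 2>&1 ; then` around the stop and `echo_skipped` otherwise, would make the two ends of the script agree. On systemd hosts, stopping the server through the client rather than the unit may also leave `fail2ban.service` in a state that no longer reflects reality — worth checking against the deployment.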
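Review bot: Inserting `--physdev-is-in -j ACCEPT` at the head of FORWARD accepts every packet that arrived through a bridge port, not just frames being bridged: traffic the host itself routes from a bridge-attached guest also carries a bridge ingress device and therefore bypasses all following FORWARD rules, including the ban-list DROPs this same commit appends to FORWARD. The hunk's own comment names the narrower match, `--physdev-is-bridged`, but leaves it commented out; for "do not firewall bridged traffic" that is the rule to insert, or the in/out rules should each include `--physdev-is-bridged`. As far as I remember xt_physdev also logs a warning for `--physdev-is-out` without `--physdev-is-bridged`; please verify on the target kernel.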
@@ -323,6 +340,187 @@ done echo_done # Block IPs / Networks / Interfaces.. + +# --- +# - Block IPs/Netwoks reading from file 'ban_ipv4.list'" +# --- + +echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." + +if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then + + declare -a octets + declare -i index + + while IFS='' read -r _line || [[ -n $_line ]] ; do + + is_valid_ipv4=true + is_valid_mask=true + ipv4="" + mask="" + + # Ignore comment lines + # + [[ $_line =~ ^[[:space:]]{0,}# ]] && continue + + # Ignore blank lines + # + [[ $_line =~ ^[[:space:]]*$ ]] && continue + + # Remove leading whitespace characters + # + _line="${_line#"${_line%%[![:space:]]*}"}" + + + # Catch IPv4 Address + # + given_ipv4="$(echo $_line | cut -d ' ' -f1)" + + + # Splitt Ipv4 address from possible given CIDR number + # + IFS='/' read -ra _addr <<< "$given_ipv4" + _ipv4="${_addr[0]}" + + if [[ -n "${_addr[1]}" ]] ; then + _mask="${_addr[1]}" + test_netmask=false + + # Is 'mask' a valid CIDR number? If not, test agains a valid netmask + # + if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then + + # Its not a vaild mask number, but naybe a valit netmask. + # + test_netmask=true + else + if [[ $_mask -gt 32 ]]; then + + # Its not a vaild cidr number, but naybe a valit netmask. + # + test_netmask=true + else + + # OK, we have a vaild cidr number between '0' and '32' + # + mask=$_mask + fi + fi + + # Test if given '_mask' is a valid netmask. 
+ # + if $test_netmask ; then + octets=( ${_mask//\./ } ) + + # Complete netmask if necessary + # + while [[ ${#octets[@]} -lt 4 ]]; do + octets+=(0) + done + + [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false + + index=0 + for octet in ${octets[@]} ; do + if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then + if [[ $octet -gt 255 ]] ; then + is_valid_mask=false + fi + if [[ $index -gt 0 ]] ; then + mask="${mask}.${octet}" + else + mask="${octet}" + fi + + else + is_valid_mask=false + fi + + ((index++)) + done + fi + + adjust_mask=false + else + mask=32 + adjust_mask=true + fi + + # Splitt given address into their octets + # + octets=( ${_ipv4//\./ } ) + + # Complete IPv4 address if necessary + # + while [[ ${#octets[@]} -lt 4 ]]; do + octets+=(0) + + # Only adjust CIDR number if not given + # + if $adjust_mask ; then + mask="$(expr $mask - 8)" + fi + done + + # Pre-check if given IPv4 Address seems to be a valid address + # + [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false + + # Check if given IPv4 Address is a valid address + # + if $is_valid_ipv4 ; then + index=0 + for octet in ${octets[@]} ; do + if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then + if [[ $octet -gt 255 ]] ; then + is_valid_ipv4=false + fi + if [[ $index -gt 0 ]] ; then + ipv4="${ipv4}.${octet}" + else + ipv4="${octet}" + fi + + else + is_valid_ipv4=false + fi + + ((index++)) + done + fi + + if $is_valid_ipv4 && $is_valid_mask; then + + _ip="${ipv4}/${mask}" + + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j DROP + fi + done + + else + msg="$msg '${given_ipv4}'" + fi + + done < "${CONFIG_DIR}/ban_ipv4.list" + 
echo_done + + if [[ -n "$msg" ]]; then + warn "Ignored:$msg" + fi +else + echo_skipped +fi + + # --- # - Allow Forwarding certain private Addresses # --- @@ -1574,13 +1772,14 @@ echo_done # ------------- # ------------- Start Fail2Ban if installed # ------------- - -if [ -x "$fail2ban_init_script" ]; then +if [ -x "$fail2ban_client" ]; then echo echononl "\tStarting fail2ban.." - $fail2ban_init_script start > /dev/null 2>&1 + $fail2ban_client start > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done + elif [ "$?" = "255" ]; then + echo_skipped else echo_failed fi
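Review bot: The dotted-netmask branch accepts any four octets in 0–255 as a valid mask, so an entry such as `10.0.0.0/255.0.255.0` passes `is_valid_mask` and produces a DROP rule for a non-contiguous address set that cannot be what the operator meant, and to my knowledge iptables loads such a mask without complaint. Two smaller points in the same loop: `msg` is never reset before the `while`, so a stale value set earlier in the script or inherited from the environment would be reported as ignored entries (`msg=""` before the loop), and `given_ipv4="$(echo $_line | cut -d ' ' -f1)"` leaves `$_line` unquoted, so a list line containing `*` or `?` undergoes pathname expansion — `given_ipv4="${_line%%[[:space:]]*}"` extracts the first token with no subshell and no globbing. Note too that the rules are appended with `-A`, so they rank after any ACCEPT already present in INPUT/FORWARD, including the physdev ACCEPT this commit inserts at the top of FORWARD. A contiguity check after the octet loop that assembles `mask` closes the first gap; the enclosing script continues outside the hunk.

```shell
                    # … unchanged: for-loop over ${octets[@]} that assembles $mask …
                    done

                    # A dotted netmask must be a run of 1-bits followed only by 0-bits;
                    # reject non-contiguous masks such as 255.0.255.0.
                    if $is_valid_mask ; then
                        IFS='.' read -r _m1 _m2 _m3 _m4 <<< "$mask"
                        _mask_int=$(( (10#$_m1 << 24) | (10#$_m2 << 16) | (10#$_m3 << 8) | 10#$_m4 ))
                        _inv=$(( (~_mask_int) & 0xFFFFFFFF ))
                        [[ $(( _inv & (_inv + 1) )) -eq 0 ]] || is_valid_mask=false
                    fi
                fi
```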
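Review bot: The new `elif [ "$?" = "255" ]` branch can never fire: when it is evaluated, `$?` holds the status of the preceding `[ "$?" = "0" ]` test (1 when that test was false), not the status of `$fail2ban_client start`, so a 255 from fail2ban-client still falls through to `echo_failed`. Capture the status once and test the variable: `rc=$?` directly after the start line, then `if [ "$rc" = "0" ]; then` and `elif [ "$rc" = "255" ]; then`. I would also add a comment stating what 255 means here; as far as I know fail2ban-client uses 255 as its generic error status, so reporting it as skipped may hide real start failures — worth confirming against the installed version.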