github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-21 13:54:28 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Firewall with Fail2ban support

Browse source
This commit is contained in:
Serghey Rodin 2014-10-05 14:52:15 +03:00
commit 357eb42647
27 changed files with 936 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

150
bin/v-update-firewall Executable file
View file

@ -0,0 +1,150 @@
#!/bin/bash
# info: update system firewall rules
# options: NONE
#
# The function updates iptables rules
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
# Includes
source /etc/profile.d/vesta.sh
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Checking local IPv4 rules
rules="$VESTA/data/firewall/rules.conf"
ports="$VESTA/data/firewall/ports.conf"
fail2ban="$VESTA/data/firewall/fail2ban.conf"
if [ ! -e "$rules" ]; then
exit
fi
# Checking conntrack module avaiabilty
$modprobe nf_conntrack >/dev/null 2>&1
$modprobe nf_conntrack_ftp >/dev/null 2>&1
if [ $? -ne 0 ]; then
stateful='no'
fi
# Creating temporary file
tmp=$(mktemp)
# Flushing INPUT chain
echo "$iptables -P INPUT ACCEPT" >> $tmp
echo "$iptables -F INPUT" >> $tmp
# Pasring iptables rules
IFS=$'\n'
for line in $(sort -r -n -k 2 -t \' $rules); do
eval $line
if [ "$SUSPENDED" = 'no' ]; then
proto="-p $PROTOCOL"
port="--dport $PORT"
ip="-s $IP"
state=""
action="-j $ACTION"
# Adding multiport module
if [[ "$PORT" =~ ,|-|: ]] ; then
port="-m multiport --dports ${PORT//-/:}"
fi
# Accepting all dst ports
if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then
port=""
fi
# Checking FTP for contrack module
if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then
if [ "$stateful" != 'no' ]; then
state="-m conntrack --ctstate NEW"
else
port="-m multiport --dports 20,21,12000:12100"
fi
ftp="yes"
fi
# Adding firewall rule
echo "$iptables -A INPUT $proto $port $ip $state $action" >> $tmp
fi
done
# Handling local traffic
for ip in $(ls $VESTA/data/ips); do
echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
done
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
IFS=$'\n'
for p_rule in $(cat $ports); do
eval $p_rule
rule="$iptables -A INPUT -p $PROTOCOL"
echo "$rule --sport $PORT -j ACCEPT" >> $tmp
done
# Enabling stateful support
if [ "$stateful" != 'no' ]; then
str="$iptables -A INPUT -p tcp -m state"
str="$str --state ESTABLISHED,RELATED -j ACCEPT"
echo "$str" >> $tmp
fi
# Switching chain policy to DROP
echo "$iptables -P INPUT DROP" >> $tmp
# Adding vesta chain
echo "$iptables -N vesta" >> $tmp
# Applying rules
bash $tmp 2>/dev/null
# Deleting temporary file
rm -f $tmp
# Checking custom trigger
if [ -x "$VESTA/data/firewall/custom.sh" ]; then
bash $VESTA/data/firewall/custom.sh
fi
# Checking fail2ban support
chains=$VESTA/data/firewall/chains.conf
for chain in $(cat $chains 2>/dev/null); do
eval $chain
$iptables -I INPUT -p $PROTOCOL --dport $PORT -j fail2ban-$CHAIN
done
# Saving rules to the master iptables file
if [ -e "/etc/redhat-release" ]; then
/sbin/iptables-save > /etc/sysconfig/iptables
if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then
/sbin/chkconfig iptables on
fi
else
sbin/iptables-save > /etc/iptables.up.rules
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit