Serghey Rodin 11 лет назад
Сommit
09e4c2d22e

+ 85 - 0
bin/v-add-sys-firewall-rule

@@ -0,0 +1,85 @@
+#!/bin/bash
+# info: add firewall rule
+# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE]
+#
+# The function adds new rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+action=$(echo $1|tr '[:lower:]' '[:upper:]')
+protocol=$(echo $2|tr '[:lower:]' '[:upper:]')
+port_ext=$3
+ip=$4
+comment=$5
+rule=$6
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+# Get next firewall rule id
+get_next_fw_rule() {
+    if [ -z "$rule" ]; then
+        curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\
+         cut -f 2 -d \' | sort -n | tail -n1)
+        rule="$((curr_str +1))"
+    fi
+}
+
+sort_fw_rules() {
+    cat $VESTA/data/firewall/rules_ipv4.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
+    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
+        $VESTA/data/firewall/rules_ipv4.conf
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]'
+validate_format 'action' 'protocol' 'port_ext' 'ip'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+get_next_fw_rule
+validate_format 'rule'
+is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+if [ ! -z "$comment"]; then
+    validate_format 'comment'
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Concatenating cron string
+str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
+str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
+str="$str TIME='$TIME' DATE='$DATE'"
+
+# Adding to crontab
+echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+
+# Changing permissions
+chmod 660 $VESTA/data/firewall/rules_ipv4.conf
+
+# Sorting firewall rules by id number
+sort_fw_rules
+
+# Updating system firewall
+$BIN/v-update-sys-firewall
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
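Review bot: The optional-comment check `if [ ! -z "$comment"]; then` is missing the space before `]`, so `[` receives the single argument `"$comment"]`, reports a missing `]` and returns non-zero; `validate_format 'comment'` is therefore never reached and the comment is appended to the rules file by the `str=` lines below without any validation. The fix is `if [ ! -z "$comment" ]; then` (or `[[ -n "$comment" ]]`). The comments `# Concatenating cron string` and `# Adding to crontab` look copied from a cron script and should read `# Concatenating firewall rule` and `# Adding rule to the firewall rules file`, as bin/v-change-sys-firewall-rule in this commit already does.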

+ 73 - 0
bin/v-change-sys-firewall-rule

@@ -0,0 +1,73 @@
+#!/bin/bash
+# info: change firewall rule
+# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
+#
+# The function is used for changing existing firewall rule.
+# It fully replace rule with new one but keeps same id.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+action=$(echo $2|tr '[:lower:]' '[:upper:]')
+protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
+port_ext=$4
+ip=$5
+comment=$6
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+# Sort function
+sort_fw_rules() {
+    cat $VESTA/data/firewall/rules_ipv4.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
+    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
+        $VESTA/data/firewall/rules_ipv4.conf
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
+validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Concatenating firewall rule
+str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
+str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
+str="$str TIME='$TIME' DATE='$DATE'"
+
+# Deleting old rule
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+
+# Adding new
+echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+
+# Sorting firewall rules by id number
+sort_fw_rules
+
+# Updating system firewall
+$BIN/v-update-sys-firewall
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
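Review bot: `sed -i "/RULE='$rule' /d"` interpolates the rule id directly into a sed address, so correctness depends entirely on `validate_format 'rule'` (called above) rejecting `/` and regex metacharacters; validate_format is not visible in this commit, so that assumption should be recorded at the sed call, e.g. `# $rule has passed validate_format, so it contains no sed metacharacters`. The same pattern appears in bin/v-delete-sys-firewall-rule. Separately, `validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'` validates the comment unconditionally although the usage line marks it `[COMMENT]`, whereas bin/v-add-sys-firewall-rule only validates it when non-empty; unless validate_format accepts an empty comment, a call without one is rejected here, so guard it the same way as the add script.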

+ 48 - 0
bin/v-delete-sys-firewall-rule

@@ -0,0 +1,48 @@
+#!/bin/bash
+# info: delete firewall rule
+# options: RULE
+#
+# The function deletes firewall rule.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'RULE'
+validate_format 'rule'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Deleting rule
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+
+# Updating system firewall
+$BIN/v-update-sys-firewall
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit

+ 44 - 0
bin/v-list-sys-firewall

@@ -0,0 +1,44 @@
+#!/bin/bash
+# info: list iptables rules
+# options: [FORMAT]
+#
+# The function of obtaining the list of all iptables rules.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining config
+conf=$VESTA/data/firewall/rules_ipv4.conf
+
+# Defining fileds to select
+fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
+fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
+
+# Listing domains
+case $format in 
+    json)   json_list ;;
+    plain)  nohead=1; shell_list ;;
+    shell)  fields="\$ACTION \$PROTOCOL \$PORT \$IP";
+            shell_list | column -t ;;
+    *)      check_args '1' '0' 'USER [FORMAT]'
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
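Review bot: The fallback `check_args '1' '0' 'USER [FORMAT]'` prints a usage line naming a USER argument this script does not accept (its documented options are `[FORMAT]`); it should read `check_args '1' '0' '[FORMAT]'`. The `shell` arm narrows `fields` to `\$ACTION \$PROTOCOL \$PORT \$IP`, so the default listing shows no RULE id, which is exactly the value bin/v-delete-sys-firewall-rule and bin/v-change-sys-firewall-rule require as their first argument; consider keeping `\$RULE` in that arm. `# Listing domains` is a copied comment and should say `# Listing firewall rules`.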

+ 89 - 0
bin/v-list-sys-firewall-rule

@@ -0,0 +1,89 @@
+#!/bin/bash
+# info: list firewall rule
+# options: RULE [FORMAT]
+#
+# The function of obtaining firewall rule parameters.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+format=${2-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+# Json function
+json_list_fw_rule() {
+    i=1
+    fileds_count=$(echo "$fields" | wc -w)
+    line=$(grep "RULE='$rule'" $conf)
+    echo '{'
+    eval $line
+    for field in $fields; do
+        eval value=$field
+        if [ "$i" -eq 1 ]; then
+            echo -e "\t\"$value\": {"
+        else
+            if [ "$fileds_count" -eq "$i" ]; then
+                echo -e "\t\t\"${field//$/}\": \"$value\""
+            else
+                echo -e "\t\t\"${field//$/}\": \"$value\","
+            fi
+        fi
+        (( ++i))
+    done
+    if [ -n "$value" ]; then
+        echo -e '        }'
+    fi
+    echo -e "}"
+}
+
+# Shell function
+shell_list_fw_rule() {
+    line=$(grep "RULE='$rule'" $conf)
+    eval $line
+    for field in $fields; do
+        eval key="$field"
+        if [ -z "$key" ]; then
+            key=NULL
+        fi
+        echo "${field//$/}: $key "
+    done
+}
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'RULE [FORMAT]'
+is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining config and fields to select
+conf=$VESTA/data/firewall/rules_ipv4.conf
+fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
+fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
+
+# Listing fw rule
+case $format in 
+    json)   json_list_fw_rule ;;
+    plain)  nohead=1; shell_list_fw_rule ;;
+    shell)  shell_list_fw_rule |column -t ;;
+    *)      check_args '2' '0' 'RULE [FORMAT]'
+esac
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
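Review bot: In `json_list_fw_rule` the closing brace of the inner object is printed only `if [ -n "$value" ]`, where `$value` is whatever the last field (DATE) evaluated to, so a rule whose last field is empty yields unbalanced JSON; the opening `{` on the first iteration is unconditional, so the closing one should be too (`echo -e '\t}'`, which also replaces the eight-space indent with the tab used elsewhere). Both functions `eval $line` on a line read from the rules file and `eval value=$field`; this follows the existing Vesta listing pattern, but it means the output is only as safe as the validation performed when rules are written, which is worth a comment at the eval, e.g. `# rules_ipv4.conf is written only by v-add/v-change-sys-firewall-rule after validate_format`. `fileds_count` is a typo for `fields_count` (function-local, harmless, but worth fixing).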

+ 12 - 0
bin/v-list-sys-services

@@ -187,6 +187,18 @@ if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
     str="$str CPU='$cpu' MEM='$mem' RTIME='$rtime'"
 fi
 
+# FIREWALL
+service=$FIREWALL_SYSTEM
+if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
+    state="stopped"
+    /sbin/iptables -L vesta >/dev/null 2>&1
+    if [ "$?" -eq 0 ]; then
+        state="running"
+    fi
+    str="$str\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
+    str="$str STATE='$state' CPU='0' MEM='0' RTIME='0'"
+fi
+
 # Defining config
 echo -e "$str" > $tmp_file
 conf=$tmp_file
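Review bot: The running check `/sbin/iptables -L vesta >/dev/null 2>&1` tests for a chain named `vesta`, but nothing in this commit creates such a chain (bin/v-update-sys-firewall only writes to INPUT), so unless a vesta chain is created elsewhere this block always reports `STATE='stopped'`; please confirm the intended chain name or check something the update script actually installs. Stylistically the `$?` test folds into the condition: `if /sbin/iptables -L vesta >/dev/null 2>&1; then state="running"; fi`. The enclosing script continues outside the hunk.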

+ 125 - 0
bin/v-update-sys-firewall

@@ -0,0 +1,125 @@
+#!/bin/bash
+# info: update system firewall rules
+# options: NONE
+#
+# The function updates iptables rules
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Defining absolute path for iptables and modprobe
+iptables="/sbin/iptables"
+modprobe="/sbin/modprobe"
+
+# Includes
+source /etc/profile.d/vesta.sh
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking local IPv4 rules
+rules="$VESTA/data/firewall/rules_ipv4.conf"
+if [ ! -e "$rules" ]; then
+    exit
+fi
+
+# Checking conntrack module avaiabilty
+$modprobe nf_conntrack >/dev/null 2>&1
+$modprobe nf_conntrack_ftp >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    stateful='no'
+fi
+
+# Creating temporary file
+tmp=$(mktemp)
+
+# Flushing INPUT chain
+echo "$iptables -P INPUT ACCEPT" >> $tmp
+echo "$iptables -F INPUT" >> $tmp
+
+# Pasring iptables rules
+IFS=$'\n'
+for line in $(sort -r -n -k 2 -t \' $rules); do
+    eval $line
+    if [ "$SUSPENDED" = 'no' ]; then
+        chain="-A INPUT"
+        proto="-p $PROTOCOL"
+        port="--dport $PORT"
+        ip="-s $IP"
+        state=""
+        action="-j $ACTION"
+
+        # Adding multiport module
+        if [[ "$PORT" =~ ,|-|: ]] ; then
+            port="-m multiport --dports ${PORT//-/:}"
+        fi
+
+        # Accepting all dst ports
+        if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then
+            port=""
+        fi
+
+        # Checking FTP for contrack module
+        if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then
+            if [ "$stateful" != 'no' ]; then
+                state="-m conntrack --ctstate NEW"
+            else
+                port="-m multiport --dports 20,21,12000:12100"
+            fi
+            ftp="yes"
+        fi
+
+        # Adding firewall rule
+        echo "$iptables $chain $proto $port $ip $state $action" >> $tmp
+    fi
+done
+
+# Handling DNS replies
+proto="-p udp"
+port="--sport 53"
+action="-j ACCEPT"
+echo "$iptables $chain $proto $port $state $action" >> $tmp
+
+# Enabling stateful firewall
+if [ "$stateful" != 'no' ]; then
+    proto="-p tcp"
+    state="-m state --state ESTABLISHED,RELATED"
+    action="-j ACCEPT"
+    echo "$iptables $chain $proto $state $action" >> $tmp
+fi
+
+# Switching chain policy to DROP
+echo "$iptables -P INPUT DROP" >> $tmp
+
+# Applying rules
+bash $tmp
+
+# Saving rules to the master iptables file
+if [ -e "/etc/redhat-release" ]; then
+    /sbin/iptables-save > /etc/sysconfig/iptables
+    if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then
+        /sbin/chkconfig iptables on
+    fi
+else
+    sbin/iptables-save > /etc/iptables.up.rules
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+exit
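Review bot: The DNS-reply rule `echo "$iptables $chain $proto $port $state $action" >> $tmp` after the loop reuses whatever `$chain` and `$state` the last iteration left behind: with no active rules `$chain` is unset and the generated iptables command has no chain, and if the last active rule was the FTP one `$state` is still `-m conntrack --ctstate NEW` and is attached to the UDP reply rule; reset both before that echo, `chain="-A INPUT"` and `state=""`. The Debian branch of the save step reads `sbin/iptables-save` with no leading slash, so it resolves relative to the current directory and the rules are never persisted there; it should be `/sbin/iptables-save > /etc/iptables.up.rules`. The mktemp file that `bash $tmp` executes is never removed; add an `rm -f -- "$tmp"` after it runs (or a trap on EXIT). Note also that the DNS rule accepts any UDP packet whose source port is 53 regardless of connection state, while the stateful rule is restricted to `-p tcp`; when conntrack is available an ESTABLISHED,RELATED match not limited to tcp covers DNS replies and is narrower than a stateless `--sport 53` accept.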