diff --git a/bin/v-add-sys-firewall-rule b/bin/v-add-sys-firewall-rule
new file mode 100755
index 000000000..5e65ad30a
--- /dev/null
+++ b/bin/v-add-sys-firewall-rule
@@ -0,0 +1,85 @@ +#!/bin/bash +# info: add firewall rule +# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE] +# +# The function adds new rule to system firewall + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Argument defenition +action=$(echo $1|tr '[:lower:]' '[:upper:]') +protocol=$(echo $2|tr '[:lower:]' '[:upper:]') +port_ext=$3 +ip=$4 +comment=$5 +rule=$6 + +# Includes +source $VESTA/func/main.sh +source $VESTA/conf/vesta.conf + +# Get next firewall rule id +get_next_fw_rule() { + if [ -z "$rule" ]; then + curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\ + cut -f 2 -d \' | sort -n | tail -n1) + rule="$((curr_str +1))" + fi +} + +sort_fw_rules() { + cat $VESTA/data/firewall/rules_ipv4.conf |\ + sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp + mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \ + $VESTA/data/firewall/rules_ipv4.conf +} + + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]' +validate_format 'action' 'protocol' 'port_ext' 'ip' +is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM' +get_next_fw_rule +validate_format 'rule' +is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule" +if [ ! 
-z "$comment"]; then + validate_format 'comment' +fi + + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Concatenating cron string +str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'" +str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'" +str="$str TIME='$TIME' DATE='$DATE'" + +# Adding to crontab +echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf + +# Changing permissions +chmod 660 $VESTA/data/firewall/rules_ipv4.conf + +# Sorting firewall rules by id number +sort_fw_rules + +# Updating system firewall +$BIN/v-update-sys-firewall + + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +# Logging +log_event "$OK" "$EVENT" + +exit diff --git a/bin/v-change-sys-firewall-rule b/bin/v-change-sys-firewall-rule new file mode 100755 index 000000000..46964b9fb --- /dev/null +++ b/bin/v-change-sys-firewall-rule 
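Review bot: `if [ ! -z "$comment"]; then` in the Verifications section is missing the space before `]`, so `[` fails with a missing-bracket error, the branch is never taken and `validate_format 'comment'` never runs; the comment is then written unchecked into rules_ipv4.conf, whose lines are later executed with `eval $line` by v-update-sys-firewall and v-list-sys-firewall-rule in this same commit. The fix is `if [ ! -z "$comment" ]; then` (or `if [ -n "$comment" ]; then`). The exit status of `$BIN/v-update-sys-firewall` is ignored before `log_event "$OK" "$EVENT"`, so the event log records success even when the kernel rules were not applied; the same holds in v-change-sys-firewall-rule and v-delete-sys-firewall-rule. The comments `# Concatenating cron string` and `# Adding to crontab` are leftovers from another script and should read `# Concatenating firewall rule` and `# Adding to firewall config`.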
@@ -0,0 +1,73 @@
+#!/bin/bash
+# info: change firewall rule
+# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
+#
+# The function is used for changing existing firewall rule.
+# It fully replace rule with new one but keeps same id.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+action=$(echo $2|tr '[:lower:]' '[:upper:]')
+protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
+port_ext=$4
+ip=$5
+comment=$6
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+# Sort function
+sort_fw_rules() {
+ cat $VESTA/data/firewall/rules_ipv4.conf |\
+ sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
+ mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
+ $VESTA/data/firewall/rules_ipv4.conf
+}
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
+validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Concatenating firewall rule
+str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
+str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
+str="$str TIME='$TIME' DATE='$DATE'"
+
+# Deleting old rule
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+
+# Adding new
+echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+
+# Sorting firewall rules by id number
+sort_fw_rules
+
+# Updating system firewall
+$BIN/v-update-sys-firewall
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-delete-sys-firewall-rule b/bin/v-delete-sys-firewall-rule
new file mode 100755
index 000000000..a9dad9264
--- /dev/null
+++ b/bin/v-delete-sys-firewall-rule
@@ -0,0 +1,48 @@
+#!/bin/bash
+# info: delete firewall rule
+# options: RULE
+#
+# The function deletes firewall rule.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument defenition
+rule=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'RULE'
+validate_format 'rule'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Deleting rule
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+
+# Updating system firewall
+$BIN/v-update-sys-firewall
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-list-sys-firewall b/bin/v-list-sys-firewall
new file mode 100755
index 000000000..f8c133d10
--- /dev/null
+++ b/bin/v-list-sys-firewall
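Review bot: `sed -i "/RULE='$rule' /d"` matches the pattern anywhere in the line, not only at the start; every record also carries a free-text `COMMENT='…'` field on the same line, so a comment that happened to contain `RULE='N' ` would make a different rule's line match as well and be deleted together with the intended one. Anchoring the pattern, `sed -i "/^RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf`, limits the match to the RULE field; the same applies to the delete in v-delete-sys-firewall-rule. The delete-then-append pair is also not atomic: if the script is interrupted between the `sed -i` and the `echo`, the rule is gone without a replacement, whereas writing the new content to the `.tmp` file and `mv -f`-ing it, as `sort_fw_rules` already does, closes that window. `sort_fw_rules` itself is a verbatim copy of the function in v-add-sys-firewall-rule and would be better kept once in func/main.sh.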
@@ -0,0 +1,44 @@
+#!/bin/bash
+# info: list iptables rules
+# options: [FORMAT]
+#
+# The function of obtaining the list of all iptables rules.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument defenition
+format=${1-shell}
+
+# Includes
+source $VESTA/func/main.sh
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Defining config
+conf=$VESTA/data/firewall/rules_ipv4.conf
+
+# Defining fileds to select
+fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
+fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
+
+# Listing domains
+case $format in
+ json) json_list ;;
+ plain) nohead=1; shell_list ;;
+ shell) fields="\$ACTION \$PROTOCOL \$PORT \$IP";
+ shell_list | column -t ;;
+ *) check_args '1' '0' 'USER [FORMAT]'
+esac
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+exit
diff --git a/bin/v-list-sys-firewall-rule b/bin/v-list-sys-firewall-rule
new file mode 100755
index 000000000..7b0c288de
--- /dev/null
+++ b/bin/v-list-sys-firewall-rule
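Review bot: The fallback arm `*) check_args '1' '0' 'USER [FORMAT]'` prints a usage string that does not match this script's options (`[FORMAT]` only, there is no USER argument), so an unknown FORMAT value produces a misleading error; it should read `*) check_args '1' '0' '[FORMAT]'`. `$RULE` appears twice in `fields` (first and seventh position), which repeats the RULE column in the `plain` output and presumably repeats the entry in the `json` output as well; the second occurrence looks like a leftover and can be dropped. The comment `# Listing domains` is copied from another script and should say `# Listing firewall rules`.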
@@ -0,0 +1,89 @@ +#!/bin/bash +# info: list firewall rule +# options: RULE [FORMAT] +# +# The function of obtaining firewall rule parameters. + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Argument defenition +rule=$1 +format=${2-shell} + +# Includes +source $VESTA/func/main.sh + +# Json function +json_list_fw_rule() { + i=1 + fileds_count=$(echo "$fields" | wc -w) + line=$(grep "RULE='$rule'" $conf) + echo '{' + eval $line + for field in $fields; do + eval value=$field + if [ "$i" -eq 1 ]; then + echo -e "\t\"$value\": {" + else + if [ "$fileds_count" -eq "$i" ]; then + echo -e "\t\t\"${field//$/}\": \"$value\"" + else + echo -e "\t\t\"${field//$/}\": \"$value\"," + fi + fi + (( ++i)) + done + if [ -n "$value" ]; then + echo -e ' }' + fi + echo -e "}" +} + +# Shell function +shell_list_fw_rule() { + line=$(grep "RULE='$rule'" $conf) + eval $line + for field in $fields; do + eval key="$field" + if [ -z "$key" ]; then + key=NULL + fi + echo "${field//$/}: $key " + done +} + + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +check_args '1' "$#" 'RULE [FORMAT]' +is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule" + + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Defining config and fields to select +conf=$VESTA/data/firewall/rules_ipv4.conf +fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT" +fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE" + +# Listing fw rule +case $format in + json) json_list_fw_rule ;; + plain) nohead=1; shell_list_fw_rule ;; + shell) shell_list_fw_rule |column -t ;; + *) check_args '2' '0' 'RULE [FORMAT]' +esac + + +#----------------------------------------------------------# +# Vesta # 
+#----------------------------------------------------------#
+
+exit
diff --git a/bin/v-list-sys-services b/bin/v-list-sys-services
index c73742b67..dd82c578f 100755
--- a/bin/v-list-sys-services
+++ b/bin/v-list-sys-services
@@ -187,6 +187,18 @@ if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
 str="$str CPU='$cpu' MEM='$mem' RTIME='$rtime'"
 fi
 
+# FIREWALL
+service=$FIREWALL_SYSTEM
+if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
+ state="stopped"
+ /sbin/iptables -L vesta >/dev/null 2>&1
+ if [ "$?" -eq 0 ]; then
+ state="running"
+ fi
+ str="$str\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
+ str="$str STATE='$state' CPU='0' MEM='0' RTIME='0'"
+fi
+
 # Defining config
 echo -e "$str" > $tmp_file
 conf=$tmp_file
diff --git a/bin/v-update-sys-firewall b/bin/v-update-sys-firewall
new file mode 100755
index 000000000..041e509c1
--- /dev/null
+++ b/bin/v-update-sys-firewall
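Review bot: Both `json_list_fw_rule` and `shell_list_fw_rule` run `eval $line` on the record read from rules_ipv4.conf, and the json function additionally runs `eval value=$field`, so the content of the config file is executed as shell by whoever lists a rule; this makes every writer of that file (the add and change scripts in this commit) security-critical, and the file's 660 mode plus the write-side `validate_format` calls are the only protection. A reader that accepts only `KEY='value'` tokens and assigns them without `eval` would remove the dependency on the file being well-formed. The json output also does not escape `$value`, so a COMMENT containing `"` or `\` yields invalid JSON; `fields` lists `$RULE` twice, and `i`, `line`, `value` and `fileds_count` (typo for `fields_count`) are globals rather than `local`.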
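Review bot: `/sbin/iptables -L vesta` tests for a chain named `vesta`, but v-update-sys-firewall in this same commit only flushes and appends to the built-in INPUT chain and never creates a `vesta` chain, so `state` would stay `stopped` even when the rules are loaded. Either create and populate a dedicated chain in v-update-sys-firewall, or probe for something the update script actually produces (for example `/sbin/iptables -n -L INPUT >/dev/null 2>&1` combined with a check that the generated rules are present). Adding `-n` to the probe also avoids reverse-DNS lookups on every service listing. The enclosing script continues outside the hunk.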
@@ -0,0 +1,125 @@ +#!/bin/bash +# info: update system firewall rules +# options: NONE +# +# The function updates iptables rules + + +#----------------------------------------------------------# +# Variable&Function # +#----------------------------------------------------------# + +# Defining absolute path for iptables and modprobe +iptables="/sbin/iptables" +modprobe="/sbin/modprobe" + +# Includes +source /etc/profile.d/vesta.sh +source $VESTA/func/main.sh +source $VESTA/conf/vesta.conf + + +#----------------------------------------------------------# +# Verifications # +#----------------------------------------------------------# + +is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM' + + +#----------------------------------------------------------# +# Action # +#----------------------------------------------------------# + +# Checking local IPv4 rules +rules="$VESTA/data/firewall/rules_ipv4.conf" +if [ ! -e "$rules" ]; then + exit +fi + +# Checking conntrack module avaiabilty +$modprobe nf_conntrack >/dev/null 2>&1 +$modprobe nf_conntrack_ftp >/dev/null 2>&1 +if [ $? 
-ne 0 ]; then + stateful='no' +fi + +# Creating temporary file +tmp=$(mktemp) + +# Flushing INPUT chain +echo "$iptables -P INPUT ACCEPT" >> $tmp +echo "$iptables -F INPUT" >> $tmp + +# Pasring iptables rules +IFS=$'\n' +for line in $(sort -r -n -k 2 -t \' $rules); do + eval $line + if [ "$SUSPENDED" = 'no' ]; then + chain="-A INPUT" + proto="-p $PROTOCOL" + port="--dport $PORT" + ip="-s $IP" + state="" + action="-j $ACTION" + + # Adding multiport module + if [[ "$PORT" =~ ,|-|: ]] ; then + port="-m multiport --dports ${PORT//-/:}" + fi + + # Accepting all dst ports + if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then + port="" + fi + + # Checking FTP for contrack module + if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then + if [ "$stateful" != 'no' ]; then + state="-m conntrack --ctstate NEW" + else + port="-m multiport --dports 20,21,12000:12100" + fi + ftp="yes" + fi + + # Adding firewall rule + echo "$iptables $chain $proto $port $ip $state $action" >> $tmp + fi +done + +# Handling DNS replies +proto="-p udp" +port="--sport 53" +action="-j ACCEPT" +echo "$iptables $chain $proto $port $state $action" >> $tmp + +# Enabling stateful firewall +if [ "$stateful" != 'no' ]; then + proto="-p tcp" + state="-m state --state ESTABLISHED,RELATED" + action="-j ACCEPT" + echo "$iptables $chain $proto $state $action" >> $tmp +fi + +# Switching chain policy to DROP +echo "$iptables -P INPUT DROP" >> $tmp + +# Applying rules +bash $tmp + +# Saving rules to the master iptables file +if [ -e "/etc/redhat-release" ]; then + /sbin/iptables-save > /etc/sysconfig/iptables + if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then + /sbin/chkconfig iptables on + fi +else + sbin/iptables-save > /etc/iptables.up.rules +fi + + +#----------------------------------------------------------# +# Vesta # +#----------------------------------------------------------# + +exit
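Review bot: `chain` is only assigned inside the `if [ "$SUSPENDED" = 'no' ]` branch of the loop, so when the rules file is empty or every rule is suspended the later `echo "$iptables $chain $proto $port $state $action"` lines for DNS replies and ESTABLISHED,RELATED are written without `-A INPUT`, fail when `bash $tmp` runs, and the script still sets `-P INPUT DROP`, leaving the host with no accept rule at all; hoist `chain="-A INPUT"` above the loop and reset `state=""` after it, since the DNS line otherwise inherits `$state` from the last rule processed. `sbin/iptables-save > /etc/iptables.up.rules` in the non-RedHat branch lacks the leading `/`, so rules are never persisted there; it should be `/sbin/iptables-save > /etc/iptables.up.rules`. The `--sport 53` accept rule admits any UDP packet whose source port is 53 regardless of connection state; dropping `-p tcp` from the ESTABLISHED,RELATED rule lets conntrack cover DNS replies and makes the sport-53 rule unnecessary whenever `stateful` is available. The generated script in `$tmp` is executed with `bash $tmp` but never removed, so `rm -f "$tmp"` belongs after the apply step. Applying the rules command by command after `-P INPUT ACCEPT` and `-F INPUT` also leaves a window with no filtering; feeding the generated rules to `iptables-restore` would apply them atomically.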