github/vesta
1
0
Fork 0
mirror of https://github.com/serghey-rodin/vesta.git synced 2025-08-19 13:01:51 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

firewall cli

Browse source
This commit is contained in:
Serghey Rodin 2014-09-17 00:32:25 +03:00
commit 09e4c2d22e
7 changed files with 476 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

85
bin/v-add-sys-firewall-rule Executable file
View file

@ -0,0 +1,85 @@
#!/bin/bash
# info: add firewall rule
# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE]
#
# The function adds new rule to system firewall
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
action=$(echo $1|tr '[:lower:]' '[:upper:]')
protocol=$(echo $2|tr '[:lower:]' '[:upper:]')
port_ext=$3
ip=$4
comment=$5
rule=$6
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# Get next firewall rule id
get_next_fw_rule() {
if [ -z "$rule" ]; then
curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\
cut -f 2 -d \' | sort -n | tail -n1)
rule="$((curr_str +1))"
fi
}
sort_fw_rules() {
cat $VESTA/data/firewall/rules_ipv4.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
$VESTA/data/firewall/rules_ipv4.conf
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]'
validate_format 'action' 'protocol' 'port_ext' 'ip'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
get_next_fw_rule
validate_format 'rule'
is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule"
if [ ! -z "$comment"]; then
validate_format 'comment'
fi
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Concatenating cron string
str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
str="$str TIME='$TIME' DATE='$DATE'"
# Adding to crontab
echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
# Changing permissions
chmod 660 $VESTA/data/firewall/rules_ipv4.conf
# Sorting firewall rules by id number
sort_fw_rules
# Updating system firewall
$BIN/v-update-sys-firewall
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit

73
bin/v-change-sys-firewall-rule Executable file
View file

@ -0,0 +1,73 @@
#!/bin/bash
# info: change firewall rule
# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
#
# The function is used for changing existing firewall rule.
# It fully replace rule with new one but keeps same id.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
rule=$1
action=$(echo $2|tr '[:lower:]' '[:upper:]')
protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
port_ext=$4
ip=$5
comment=$6
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
# Sort function
sort_fw_rules() {
cat $VESTA/data/firewall/rules_ipv4.conf |\
sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
$VESTA/data/firewall/rules_ipv4.conf
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Concatenating firewall rule
str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
str="$str TIME='$TIME' DATE='$DATE'"
# Deleting old rule
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
# Adding new
echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
# Sorting firewall rules by id number
sort_fw_rules
# Updating system firewall
$BIN/v-update-sys-firewall
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit

48
bin/v-delete-sys-firewall-rule Executable file
View file

@ -0,0 +1,48 @@
#!/bin/bash
# info: delete firewall rule
# options: RULE
#
# The function deletes firewall rule.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
rule=$1
# Includes
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'RULE'
validate_format 'rule'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Deleting rule
sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
# Updating system firewall
$BIN/v-update-sys-firewall
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$EVENT"
exit

44
bin/v-list-sys-firewall Executable file
View file

@ -0,0 +1,44 @@
#!/bin/bash
# info: list iptables rules
# options: [FORMAT]
#
# The function of obtaining the list of all iptables rules.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
format=${1-shell}
# Includes
source $VESTA/func/main.sh
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining config
conf=$VESTA/data/firewall/rules_ipv4.conf
# Defining fileds to select
fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
# Listing domains
case $format in
json) json_list ;;
plain) nohead=1; shell_list ;;
shell) fields="\$ACTION \$PROTOCOL \$PORT \$IP";
shell_list | column -t ;;
*) check_args '1' '0' 'USER [FORMAT]'
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

89
bin/v-list-sys-firewall-rule Executable file
View file

@ -0,0 +1,89 @@
#!/bin/bash
# info: list firewall rule
# options: RULE [FORMAT]
#
# The function of obtaining firewall rule parameters.
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Argument defenition
rule=$1
format=${2-shell}
# Includes
source $VESTA/func/main.sh
# Json function
json_list_fw_rule() {
i=1
fileds_count=$(echo "$fields" | wc -w)
line=$(grep "RULE='$rule'" $conf)
echo '{'
eval $line
for field in $fields; do
eval value=$field
if [ "$i" -eq 1 ]; then
echo -e "\t\"$value\": {"
else
if [ "$fileds_count" -eq "$i" ]; then
echo -e "\t\t\"${field//$/}\": \"$value\""
else
echo -e "\t\t\"${field//$/}\": \"$value\","
fi
fi
(( ++i))
done
if [ -n "$value" ]; then
echo -e ' }'
fi
echo -e "}"
}
# Shell function
shell_list_fw_rule() {
line=$(grep "RULE='$rule'" $conf)
eval $line
for field in $fields; do
eval key="$field"
if [ -z "$key" ]; then
key=NULL
fi
echo "${field//$/}: $key "
done
}
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'RULE [FORMAT]'
is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Defining config and fields to select
conf=$VESTA/data/firewall/rules_ipv4.conf
fields="\$RULE \$ACTION \$PROTOCOL \$PORT \$IP \$COMMENT"
fields="$fields \$RULE \$SUSPENDED \$TIME \$DATE"
# Listing fw rule
case $format in
json) json_list_fw_rule ;;
plain) nohead=1; shell_list_fw_rule ;;
shell) shell_list_fw_rule |column -t ;;
*) check_args '2' '0' 'RULE [FORMAT]'
esac
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit

12
bin/v-list-sys-services
View file

@ -187,6 +187,18 @@ if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
str="$str CPU='$cpu' MEM='$mem' RTIME='$rtime'" str="$str CPU='$cpu' MEM='$mem' RTIME='$rtime'"
fi fi
# FIREWALL
service=$FIREWALL_SYSTEM
if [ ! -z "$service" ] && [ "$service" != 'remote' ]; then
state="stopped"
/sbin/iptables -L vesta >/dev/null 2>&1
if [ "$?" -eq 0 ]; then
state="running"
fi
str="$str\nNAME='$FIREWALL_SYSTEM' SYSTEM='firewall'"
str="$str STATE='$state' CPU='0' MEM='0' RTIME='0'"
fi
# Defining config # Defining config
echo -e "$str" > $tmp_file echo -e "$str" > $tmp_file
conf=$tmp_file conf=$tmp_file

125
bin/v-update-sys-firewall Executable file
View file

@ -0,0 +1,125 @@
#!/bin/bash
# info: update system firewall rules
# options: NONE
#
# The function updates iptables rules
#----------------------------------------------------------#
# Variable&Function #
#----------------------------------------------------------#
# Defining absolute path for iptables and modprobe
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
# Includes
source /etc/profile.d/vesta.sh
source $VESTA/func/main.sh
source $VESTA/conf/vesta.conf
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Checking local IPv4 rules
rules="$VESTA/data/firewall/rules_ipv4.conf"
if [ ! -e "$rules" ]; then
exit
fi
# Checking conntrack module avaiabilty
$modprobe nf_conntrack >/dev/null 2>&1
$modprobe nf_conntrack_ftp >/dev/null 2>&1
if [ $? -ne 0 ]; then
stateful='no'
fi
# Creating temporary file
tmp=$(mktemp)
# Flushing INPUT chain
echo "$iptables -P INPUT ACCEPT" >> $tmp
echo "$iptables -F INPUT" >> $tmp
# Pasring iptables rules
IFS=$'\n'
for line in $(sort -r -n -k 2 -t \' $rules); do
eval $line
if [ "$SUSPENDED" = 'no' ]; then
chain="-A INPUT"
proto="-p $PROTOCOL"
port="--dport $PORT"
ip="-s $IP"
state=""
action="-j $ACTION"
# Adding multiport module
if [[ "$PORT" =~ ,|-|: ]] ; then
port="-m multiport --dports ${PORT//-/:}"
fi
# Accepting all dst ports
if [[ "$PORT" = "0" ]] || [ "$PROTOCOL" = 'ICMP' ]; then
port=""
fi
# Checking FTP for contrack module
if [ "$TYPE" = "FTP" ] || [ "$PORT" = '21' ]; then
if [ "$stateful" != 'no' ]; then
state="-m conntrack --ctstate NEW"
else
port="-m multiport --dports 20,21,12000:12100"
fi
ftp="yes"
fi
# Adding firewall rule
echo "$iptables $chain $proto $port $ip $state $action" >> $tmp
fi
done
# Handling DNS replies
proto="-p udp"
port="--sport 53"
action="-j ACCEPT"
echo "$iptables $chain $proto $port $state $action" >> $tmp
# Enabling stateful firewall
if [ "$stateful" != 'no' ]; then
proto="-p tcp"
state="-m state --state ESTABLISHED,RELATED"
action="-j ACCEPT"
echo "$iptables $chain $proto $state $action" >> $tmp
fi
# Switching chain policy to DROP
echo "$iptables -P INPUT DROP" >> $tmp
# Applying rules
bash $tmp
# Saving rules to the master iptables file
if [ -e "/etc/redhat-release" ]; then
/sbin/iptables-save > /etc/sysconfig/iptables
if [ -z "$(ls /etc/rc3.d/S*iptables 2>/dev/null)" ]; then
/sbin/chkconfig iptables on
fi
else
sbin/iptables-save > /etc/iptables.up.rules
fi
#----------------------------------------------------------#
# Vesta #
#----------------------------------------------------------#
exit