Contributing: A decent firewall script

Gordon
Posts: 1346
Joined: 10 Aug 2011, 03:18

Contributing: A decent firewall script

Post by Gordon » 03 May 2012, 12:21

After having experimented with Shorewall, I decided to implement my own ruleset around some xtables-addons and was again confronted with the weirdness of the bubba-firewall script that promptly caused me to overwrite the default rules myself (which is stupid because I knew it did that :evil:).

Anyway I figured it was time to rewrite it and I'm sharing the base version here:

Code listing of /etc/init.d/bubba-firewall

#!/bin/sh
#
# Bubba firewall initscript
#
# Original author: Gordon Bos <gordon@bosvangennip.nl>
#
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    
# Required-Stop:     
# X-Start-Before:    ifupdown ifplugd
# X-Stop-After:      ifupdown ifplugd
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Controls the firewall status
### END INIT INFO

DESC="Bubba firewall"
NAME=bubba-firewall
SCRIPTNAME=/etc/init.d/$NAME
DEFAULT=/etc/default/$NAME
PIDFILE=/var/run/$NAME
MODULES=""
SAVE_ON_STOP="yes"
START_FIREWALL="yes"

# Read configuration variable file if it is present
[ -r ${DEFAULT} ] && . ${DEFAULT}

# Define LSB log_* functions.
. /lib/lsb/init-functions

# Bail out if START_FIREWALL is disabled in DEFAULT
if [ "${START_FIREWALL}" != "yes" ] && [ "$1" != "stop" ]; then
	log_warning_msg "${NAME}: Not starting ${DESC}."
	log_warning_msg "${NAME}: Disabled in ${DEFAULT}."
	exit 0
fi

# Remove the pid file if it was created before boottime
# i.e. we're recovering from power failure
if [ -f ${PIDFILE} ] ; then
	boottime=$((`date +%s`-`cut -d. -f1 /proc/uptime`))
	starttime=$(cat ${PIDFILE})
	if [ $boottime -gt $starttime ]; then
		log_warning_msg "${NAME}: Phantom pid file found."
		rm -f ${PIDFILE}
	fi
fi



# Insert modules
for module in ${MODULES} ; do
  modprobe ${module}
done



# Helper function that clears all rules
flush_rules() {
	local table
	for table in $(cat /proc/net/ip_tables_names) ; do
		local chains
		case ${table} in
			nat)    chains="PREROUTING POSTROUTING OUTPUT";;
			mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
			filter) chains="INPUT FORWARD OUTPUT";;
			*)      chains="";;
		esac
		local chain
		for chain in ${chains} ; do
			/sbin/iptables -t ${table} -P ${chain} ACCEPT
		done

		/sbin/iptables -F -t ${table}
		/sbin/iptables -X -t ${table}
	done
}

# Function that saves the active rules to be reinstated the next time
# the firewall is started
save() {
	log_action_begin_msg "Saving firewall"
	/sbin/iptables-save > /etc/network/firewall.conf
	log_action_end_msg $?
}


case "$1" in
	start)
		if [ -f ${PIDFILE} ] ; then
			log_warning_msg "${NAME}: ${DESC} already started."
			exit 1
		fi
		log_action_begin_msg "Setting up firewall"

		echo "1" > /proc/sys/net/ipv4/ip_forward

		/sbin/iptables-restore /etc/network/firewall.conf
		rc=$?    # keep the restore status; writing the pid file would overwrite $?
		date +%s>${PIDFILE}

		log_action_end_msg ${rc}
		exit ${rc}
		;;

	stop)
		if [ ! -f ${PIDFILE} ] ; then
			log_warning_msg "${NAME}: ${DESC} not started."
			exit 1
		fi

		if [ "${SAVE_ON_STOP}" = "yes" ] ; then
			save || exit 1    # 'return' is only valid inside a function
		fi

		rm -f ${PIDFILE}

		flush_rules

		if [ -r /etc/network/firewall.stopped ]; then
			log_action_begin_msg "Loading 'stopped' rules"
			/sbin/iptables-restore /etc/network/firewall.stopped
			log_action_end_msg $?
		fi
		exit 0
		;;

	restart|force-reload)
		if [ ! -f ${PIDFILE} ] ; then
			log_warning_msg "${NAME}: ${DESC} not started."
			exit 1
		fi
		log_action_begin_msg "Restoring firewall"

		flush_rules

		/sbin/iptables-restore /etc/network/firewall.conf

		log_action_end_msg $?
		exit 0
		;;

	*)
		echo "Usage: ${NAME} {start|stop|restart|force-reload}" >&2
		exit 3
		;;
esac

Code listing of accompanying file /etc/default/bubba-firewall

# Defaults for bubba-firewall script

# Only start the firewall if set to "yes"
START_FIREWALL="yes"

# Saves the active rules on shutdown if set to "yes"
SAVE_ON_STOP="yes"

# Modules to load when starting the firewall
MODULES="nf_conntrack_ftp ip_nat_ftp ip_conntrack_irc"


# Place holders for the firewall control files. These
# paths are hardcoded in the init script and are just
# here for reference.

# Controls the rules to enable when the firewall is up
FIREWALL_UP="/etc/network/firewall.conf"

# Controls the rules that should be enabled when the
# firewall is in stopped state
FIREWALL_STOPPED="/etc/network/firewall.stopped"

Do note that by using this script, stopping the Bubba firewall will fully expose it on all interfaces. There's an optional config file that you can use to change this behaviour.

Example code listing of /etc/network/firewall.stopped (a strict firewall with all ports closed)

# Generated by iptables-save v1.4.8 on Thu May  3 14:02:07 2012
*mangle
:PREROUTING ACCEPT [224983640:168229642522]
:INPUT ACCEPT [43592479:8157963675]
:FORWARD ACCEPT [181467008:160077121356]
:OUTPUT ACCEPT [42416524:72733375407]
:POSTROUTING ACCEPT [224083770:232858830134]
COMMIT
# Completed on Thu May  3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May  3 14:02:07 2012
*filter
:INPUT DROP [63157:14714433]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [35689113:64408889296]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -i br0 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
-A FORWARD -i br0 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
COMMIT
# Completed on Thu May  3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May  3 14:02:07 2012
*nat
:PREROUTING ACCEPT [1200645:106203212]
:INPUT ACCEPT [115179:7103073]
:OUTPUT ACCEPT [339515:30523145]
:POSTROUTING ACCEPT [312787:27664775]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu May  3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May  3 14:02:07 2012
*raw
:PREROUTING ACCEPT [224983648:168229642926]
:OUTPUT ACCEPT [42416525:72733376779]
COMMIT
# Completed on Thu May  3 14:02:07 2012
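A pre-load check for the two rule files, added here as an example and not part of Gordon's script: it parses an iptables-save file with awk, reports the recorded chain policies, and counts filter rules that accept traffic on a given interface, which is what you want to know before letting the stop action load firewall.stopped. The sample ruleset is constructed inline (trimmed from the listing above); the function names are mine and the eth0/br0 interface names follow the post.

```shell
# Added example, not part of Gordon's script: check an iptables-save file before
# iptables-restore loads it. flush_rules sets every policy to ACCEPT, so a 'stopped'
# file without DROP filter policies leaves the box open on all interfaces.

# Print the policy of CHAIN in TABLE (args: file table chain); a policy line in
# iptables-save format looks like ":INPUT DROP [63157:14714433]".
policy_of() {
    awk -v t="*$2" -v c=":$3" '
        $1 == t            { intable = 1; next }
        $1 == "COMMIT"     { intable = 0 }
        intable && $1 == c { print $2; exit }
    ' "$1"
}

# Count filter rules that ACCEPT traffic arriving on IFACE (args: file iface);
# each one is a hole in the 'stopped' state, so review every match on the WAN.
wan_accept_rules() {
    awk -v i="$2" '
        $1 == "*filter" { intable = 1; next }
        $1 == "COMMIT"  { intable = 0 }
        intable && $1 == "-A" && $0 ~ ("-i " i " ") && $0 ~ / -j ACCEPT/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Succeed only when filter INPUT and FORWARD both default to DROP.
check_stopped_policies() {
    [ "$(policy_of "$1" filter INPUT)" = "DROP" ] &&
        [ "$(policy_of "$1" filter FORWARD)" = "DROP" ]
}

# Constructed sample in iptables-save format, trimmed from the post's listing.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [63157:14714433]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [35689113:64408889296]
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [312787:27664775]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
sample=$(mktemp); write_sample "$sample"
check_stopped_policies "$sample" && echo "filter policies OK" || echo "NOT safe as 'stopped' rules"
echo "filter rules accepting on eth0: $(wan_accept_rules "$sample" eth0)"
```

Run it against /etc/network/firewall.stopped (or firewall.conf) instead of the sample to see what the stop and start actions will actually install.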

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Contributing: A decent firewall script

Post by Ubi » 07 May 2012, 14:36

This is really excellent Gordon.
