
Allow user to create additional rules

Laurent HUBERT пре 10 месеци
родитељ
комит
1924c2c4c6
2 измењених фајлова са 92 додато и 17 уклоњено
  1. 17 1
      etc/lfirewall.conf
  2. 75 16
      scripts/lfirewall

+ 17 - 1
etc/lfirewall.conf

@@ -11,11 +11,21 @@
 #The network interface to use (uncomment and change value if needed)
 #NETWORK_IF=eth0
 
+
+#################################
+# Additional network tweaks     #
+#################################
 # Set ALLOW_IP_FORWARDING to 1
 #     if IP forwarding is needed
 # Set ALLOW_IP_FORWARDING to 0
 #     will write 0 into /proc/sys/net/ipv4/ip_forward
-ALLOW_IP_FORWARDING=0
+#ALLOW_IP_FORWARDING=0
+
+# Set NETWORK_PROTECTION to 1
+#    to block additional network features from the kernel
+# Set NETWORK_PROTECTION to 0
+#     will do nothing
+#NETWORK_PROTECTION=1
 
 #################################
 # Services that the system will #
@@ -27,6 +37,9 @@ SSH_PORT="22"
 
 TCP_SERVICES="22"
 
+# Web server
+#TCP_SERVICES="http https $TCP_SERVICES"
+
 # SAMBA
 #SAMBA_PORTS="137 138 139"
 #TCP_SERVICES="$TCP_SERVICES $SAMBA_PORTS"
@@ -51,3 +64,6 @@ REMOTE_TCP_SERVICES="20 $REMOTE_TCP_SERVICES" # FTP
 REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"
 
 REMOTE_UDP_SERVICES="53" # DNS
+
+
+
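Review bot: The new `NETWORK_PROTECTION` comment ("Set NETWORK_PROTECTION to 0 will do nothing") says neither what the option gates nor what happens when it stays commented out, and commenting out `ALLOW_IP_FORWARDING=0` now depends on a script-side default this file does not mention. On the script side of this commit an unset `ALLOW_IP_FORWARDING` is treated as 0 and an unset `NETWORK_PROTECTION` as 1, and the "additional network features" are the tcp_syncookies, icmp_echo_ignore_broadcasts, log_martians, icmp_ignore_bogus_error_responses, rp_filter, send_redirects and accept_source_route sysctls. I would state both in the comment, e.g. `# Default when unset: 1. Enables tcp_syncookies, rp_filter, log_martians, ignores broadcast pings/bogus ICMP errors, disables send_redirects and accept_source_route; set to 0 only if one of these conflicts with your routing setup` and `# Default when unset: 0 (forwarding disabled)` above the forwarding line. Whether the `http https` service names in the web-server example are accepted wherever the script consumes TCP_SERVICES is not visible here; the rest of the file uses numeric ports, so confirm before recommending that form.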

+ 75 - 16
scripts/lfirewall

@@ -32,12 +32,21 @@ cat <<-EOF
 		clear : stops the firewall (removes all IPTABLES rules and let all connections work)
 		stop  : stops all network connections (USE with CAUTION)
 		test	: tests the existing rules for 30 seconds
+		saveuser: backup of the user (custom) rules
 
 	OPTIONS
 		-v --verbose	: verbose mode
 		-h --help			: display this help message
 		-l --logging	: enables logging (prefix: iptables-logging)
 
+	BACKING UP USER RULES
+		WARNING: PLEASE FOLLOW CAREFULLY THE ACTIONS BELOW
+
+		1. Before setting any rule: clear the firewall
+		2. Setup your rules
+		3. run:
+			$(basename ${0}) saveuser
+
 	AUTHOR
 		Original author: Nicolargo
 		Modified by: Laurent Hubert
@@ -119,10 +128,34 @@ SSH_PORT="22"
 
 # Default IP_TABLES command path
 IP_TABLES="/sbin/iptables"
+IP_TABLES_RESTORE="/sbin/iptables-restore"
+IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
+IP_TABLES_SAVE="/sbin/iptables-save"
+IP_TABLES_SAVE_6="/sbin/ip6tables-save"
+
+
+if ! [ -x $IP_TABLES ]; then
+	echo "$IP_TABLES is not executable or not present" >&2
+	exit 1
+fi
+
+if ! [ -x $IP_TABLES_RESTORE ]; then
+	echo "$IP_TABLES_RESTORE is not executable or not present" >&2
+	exit 3
+fi
+
+if ! [ -x $IP_TABLES_RESTORE_6 ]; then
+	echo "$IP_TABLES_RESTORE_6 is not executable or not present" >&2
+	exit 6
+fi
+
 
 CONFIGURATION_DIR=/etc/lfirewall
 CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
 CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
+USER_RULES_IPTABLES=${CONFIGURATION_DIR}/iptables-user.v4
+USER_RULES_IPTABLES_6=${CONFIGURATION_DIR}/iptables-user.v6
+
 if [ -f $CONFIGURATION_FILE ] ; then
 	set +u
 	. $CONFIGURATION_FILE
@@ -134,10 +167,6 @@ if [ -f $CONFIGURATION_LOCAL_FILE ] ; then
 	set -u
 fi
 
-if ! [ -x $IP_TABLES ]; then
-	echo "$IP_TABLES is not executable or not present" >&2
-	exit 1
-fi
 
 if ! /usr/sbin/ifup --no-act $NETWORK_IF > /dev/null 2>&1
 then
@@ -249,9 +278,6 @@ fw_start () {
 	#**************************************************************************#
 	$do_action $IPTABLES_ADD $IT_INPUT -i lo -s localhost -d localhost -j ACCEPT
 	$do_action $IPTABLES_ADD $IT_OUTPUT -o lo -s localhost -d localhost -j ACCEPT
-	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport http -j ACCEPT
-	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport https -j ACCEPT
-
 
 	# Remote testing
 	### Allows PING
@@ -304,24 +330,30 @@ fw_start () {
 	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
 	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 
+
+}
+
+fw_network_protection(){
 	#**************************************************************************#
 	# Other network protections
 	# (some will only work with some kernel versions)
 	#**************************************************************************#
-	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-	if [[ "${ALLOW_IP_FORWARDING}" = 0 ]]
+	if [[ "${ALLOW_IP_FORWARDING:-0}" = 0 ]]
 	then
 		echo 0 > /proc/sys/net/ipv4/ip_forward
 	else
 		echo 1 > /proc/sys/net/ipv4/ip_forward
 	fi
-	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
-	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
-	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
-	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
-
+	if [[ "${NETWORK_PROTECTION:-1}" = 1 ]]
+	then
+		echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+		echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+		echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
+		echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+		echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+		echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+		echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+	fi
 }
 
 do_this(){
@@ -332,6 +364,26 @@ do_this(){
 }
 
 ##########################
+# Backups user rules
+##########################
+fw_backup_user(){
+	$IP_TABLES_SAVE > ${USER_RULES_IPTABLES}
+	$IP_TABLES_SAVE_6 > ${USER_RULES_IPTABLES_6}
+}
+
+##########################
+# Restores user rules
+##########################
+fw_restore_user(){
+	if [ -f $USER_RULES_IPTABLES ] ; then
+		$IP_TABLES_RESTORE < ${USER_RULES_IPTABLES}
+	fi
+	if [ -f $USER_RULES_IPTABLES_6 ] ; then
+		$IP_TABLES_RESTORE_6 < ${USER_RULES_IPTABLES_6}
+	fi
+}
+
+##########################
 # Stop the Firewall rules
 ##########################
 
@@ -391,7 +443,14 @@ case "$1" in
 	start|restart)
 		echo -n "Starting firewall.."
 		fw_stop
+		fw_restore_user
 		fw_start
+		fw_network_protection
+		echo "done."
+	;;
+	saveuser)
+		echo -n "Backing up rules"
+		fw_backup_user
 		echo "done."
 	;;
 	stop)
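Review bot: `fw_backup_user` overwrites the only copy of the user rules through a plain shell redirect, so if `iptables-save` or `ip6tables-save` is missing or fails (neither gets the `-x` check the restore binaries get above) the redirect has already truncated `iptables-user.v4`/`.v6` to an empty file, which `fw_restore_user` will accept on the next `start` because it only tests `-f`. The dump also inherits the caller's umask, so the full live ruleset can end up readable by every local user under /etc/lfirewall. Writing to a `mktemp`-created file beside the target and renaming it only after both saves succeed fixes both, and the `saveuser` case should then report failure instead of printing `done.` unconditionally (`fw_backup_user || exit 1`). Note also that `iptables-save` dumps the whole live ruleset, not only rules the user added, so a `saveuser` run without the `clear` step from the help text will replay lfirewall's own generated rules before `fw_start` adds them again on every restart; a comment saying so next to the function would help.
```shell
fw_backup_user(){
	# Dump to private temp files first: a failed iptables-save must not
	# truncate a previously good backup, and mktemp gives 0600 so the
	# ruleset is not world-readable regardless of the caller's umask.
	local tmp4 tmp6
	tmp4=$(mktemp "${USER_RULES_IPTABLES}.XXXXXX") || return 1
	tmp6=$(mktemp "${USER_RULES_IPTABLES_6}.XXXXXX") || { rm -f -- "$tmp4"; return 1; }
	if "$IP_TABLES_SAVE" > "$tmp4" && "$IP_TABLES_SAVE_6" > "$tmp6"; then
		mv -f -- "$tmp4" "$USER_RULES_IPTABLES"
		mv -f -- "$tmp6" "$USER_RULES_IPTABLES_6"
	else
		echo "iptables-save failed; previous backup left untouched" >&2
		rm -f -- "$tmp4" "$tmp6"
		return 1
	fi
}
```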