
Logs activted + fw_stop refactoring

Laurent HUBERT il y a 10 mois
Parent
commit
86663fe63c
2 fichiers modifiés avec 105 ajouts et 25 suppressions
  1. 9 0
      etc/lfirewall.conf
  2. 96 25
      scripts/lfirewall

+ 9 - 0
etc/lfirewall.conf

@@ -11,6 +11,15 @@
 #The network interface to use (uncomment and change value if needed)
 #NETWORK_IF=eth0
 
+#################################
+# Logging     #
+#################################
+# Set ACTIVATE_LOGGING to 1
+#     will activate logs
+# Set ACTIVATE_LOGGING to 0
+#     will disable logs
+#ACTIVATE_LOGGING=0
+
 
 #################################
 # Additional network tweaks     #
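Review bot: The sample line `#ACTIVATE_LOGGING=0` reads as if logging is off until the user opts in, but the script changed in this same commit tests `"${ACTIVATE_LOGGING:-1}" = 1`, so an unset variable means logging is on. State the effective default in the comment block, e.g. `# Logging is enabled unless ACTIVATE_LOGGING is set to 0 (default: 1)`, and show the sample as `#ACTIVATE_LOGGING=1` so that uncommenting it does not change behaviour. It is also worth saying here what the setting controls beyond the LOG rules, since in the script the output-chain `-j REJECT` rule is emitted only when logging is on.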

+ 96 - 25
scripts/lfirewall

@@ -174,10 +174,9 @@ then
 	exit 2
 fi
 
-do_action=do_exec
-
 IPTABLES_CHECK=__iptables_check_action
 IPTABLES_ADD=__iptable_add_action
+IPTABLES_INSERT=__iptable_insert_action
 IPTABLES_SET_POLICY=__iptable_set_policy_action
 
 do_exec () {
@@ -186,6 +185,10 @@ do_exec () {
 			shift
 			iptables_option=-A
 		;;
+		__iptable_insert_action)
+			shift
+			iptables_option=-I
+		;;
 		__iptable_set_policy_action)
 			shift
 			iptables_option=-P
@@ -207,6 +210,9 @@ do_check () {
 		__iptable_add_action)
 			iptables_option=-A
 		;;
+		__iptable_insert_action)
+			iptables_option=-I
+		;;
 		__iptable_set_policy_action)
 			return 0
 		;;
@@ -238,7 +244,9 @@ do_log=do_not_log_action
 # Start the Firewall rules
 ##########################
 
-fw_start () {
+fw_execute () {
+	local do_action
+	do_action=$1
 	#**************************************************************************#
 	# Input traffic:
 	#**************************************************************************#
@@ -286,8 +294,7 @@ fw_start () {
 	### Allows LOOPBACK
 	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
 
-	$IP_TABLES -P $IT_INPUT DROP
-	$do_action $IPTABLES_ADD $IT_INPUT -j LOG
+	$do_action $IPTABLES_SET_POLICY $IT_INPUT DROP
 
 	#**************************************************************************#
 	# Output:
@@ -313,24 +320,30 @@ fw_start () {
 			$do_action $IPTABLES_ADD $IT_OUTPUT -p udp --dport ${PORT} -j ACCEPT
 		done
 	fi
-	# All other connections are registered in syslog
-	$do_action $IPTABLES_ADD $IT_OUTPUT -j LOG
-	$do_action $IPTABLES_ADD $IT_OUTPUT -j REJECT
+	if [[ "${ACTIVATE_LOGGING:-1}" = 1 ]]
+	then
+		# All other connections are registered in system log's backend
+		$do_action $IPTABLES_ADD $IT_INPUT -j LOG
+		$do_action $IPTABLES_ADD $IT_OUTPUT -j LOG
+		$do_action $IPTABLES_ADD $IT_OUTPUT -j REJECT
+		$do_action $IPTABLES_ADD FORWARD -j LOG
+	fi
 	$do_action $IPTABLES_SET_POLICY $IT_OUTPUT DROP
 
-	$do_action $IPTABLES_ADD FORWARD -j LOG
 
 	#**************************************************************************#
 	# DOS attack protection
 	#**************************************************************************#
 	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
 	#
-	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
-	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
-	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
-	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
-
-
+	#$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
+	#$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	#$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
+	#$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
+	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
+	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 }
 
 fw_network_protection(){
@@ -363,6 +376,10 @@ do_this(){
     $*
 }
 
+translate_iptables_rule(){
+	echo $* | sed -e 's/'$IPTABLES_ADD'/-A/g' -e 's/'$IPTABLES_INSERT'/-I/g'  -e 's/'$IPTABLES_SET_POLICY'/-P/g' 
+}
+
 ##########################
 # Backups user rules
 ##########################
@@ -387,8 +404,53 @@ fw_restore_user(){
 # Stop the Firewall rules
 ##########################
 
+do_delete () {
+	the_action=$1
+	shift
+	if [[ ${verbose} -ge 1 ]] ; then
+		echo "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
+	fi
+	case $the_action in
+		__iptable_add_action)
+			iptables_option=-D
+		;;
+		__iptable_insert_action)
+			iptables_option=-D
+		;;
+		__iptable_set_policy_action)
+			CHAIN_NAME="$1"
+			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP" $*
+			$IP_TABLES -P $CHAIN_NAME ACCEPT
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+
+
+	# Checks the rule then delete it, if it exists
+	if $IP_TABLES -C $* > /dev/null 2>&1
+	then
+		$IP_TABLES $iptables_option $* || echo "DID NOT EXIST: "$IP_TABLES $iptables_option $*
+		$do_log "DELETING:" $IP_TABLES $iptables_option $*
+	else
+		$do_log "NOT EXISTING:" $IP_TABLES $iptables_option $*
+	fi
+	global_status=$((global_status+$?))
+}
+
 fw_stop () {
-	do_this $IP_TABLES -F
+	global_status=0
+	# Start will not really start but exec the "do_delete" action
+	fw_execute do_delete
+	if [ 0 -eq "$global_status" ] ; then
+		echo "Firewall rules removed"
+		return 0
+	else
+		echo "Some firewall rules were not removed !!!"
+		return $global_status
+	fi
 }
 
 ##########################
@@ -398,6 +460,9 @@ fw_stop () {
 fw_clear () {
 	do_this $IP_TABLES -F
 	do_this $IP_TABLES -X
+	do_this $IPTABLES -P INPUT ACCEPT
+	do_this $IPTABLES -P FORWARD ACCEPT
+	do_this $IPTABLES -P OUTPUT ACCEPT
 }
 
 ##########################
@@ -406,35 +471,38 @@ fw_clear () {
 
 fw_save () {
   if [[ ${verbose} -ge 1 ]] ; then
-    echo "$IP_TABLES-save > /etc/iptables.backup"
+    echo "$IP_TABLES-save > /etc/lfirewall/iptables.backup"
   fi
 
-	$IP_TABLES-save > /etc/iptables.backup
+	$IP_TABLES-save > /etc/lfirewall/iptables.backup
 }
 
 fw_restore () {
 	if [ -e /etc/iptables.backup ]; then
 	  if [[ ${verbose} -ge 1 ]] ; then
-	    echo "$IP_TABLES-save > /etc/iptables.backup"
+	    echo "$IP_TABLES-save > /etc/lfirewall/iptables.backup"
 	  fi
 
-		$IP_TABLES-restore < /etc/iptables.backup
+		$IP_TABLES-restore < /etc/lfirewall/iptables.backup
 	fi
 }
 
 fw_test () {
 	fw_save
 	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
-	fw_stop
-	fw_start
+	fw_clear
+	fw_execute do_exec
 }
 
 case "$1" in
 	start|restart)
+		if [ "${2:-}" = "-v" ] ; then
+			do_log=log_action
+		fi
 		echo -n "Starting firewall.."
 		fw_stop
 		fw_restore_user
-		fw_start
+		fw_execute do_exec
 		fw_network_protection
 		echo "done."
 	;;
@@ -444,11 +512,15 @@ case "$1" in
 		echo "done."
 	;;
 	stop)
+		if [ "${2:-}" = "-v" ] ; then
+			do_log=log_action
+		fi
 		echo "###############################################################"
 		echo "I do not stop for now."
 		echo "Use 'clear' to remove all firewall blocking rules."
 		echo "Use 'dropall' to stop any traffic and block everything."
 		echo "###############################################################"
+		fw_stop
 	;;
 	clear)
 		echo -n "Clearing firewall rules.."
@@ -466,13 +538,12 @@ case "$1" in
 		echo -n "Previous configuration will be restore in 30 seconds"
 	;;
 	status)
-		do_action=do_check
 		global_status=0
 		if [ "${2:-}" = "-v" ] ; then
 			do_log=log_action
 		fi
 		# Start will not really start but exec the "check" action
-		fw_start
+		fw_execute do_check
 		if [ 0 -eq "$global_status" ] ; then
 			echo "Firewall rules match configuration"
 			exit 0
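Review bot: The three policy resets added to `fw_clear` use `$IPTABLES`, while every other call in the file uses `$IP_TABLES`; unless `IPTABLES` is defined somewhere outside this diff the variable expands to empty and `do_this -P INPUT ACCEPT` tries to run `-P` as a command, so `clear` (and `fw_test`, which now calls `fw_clear`) flushes the rules but leaves the DROP policies in place. Change them to `do_this $IP_TABLES -P INPUT ACCEPT`, `do_this $IP_TABLES -P FORWARD ACCEPT` and `do_this $IP_TABLES -P OUTPUT ACCEPT`. In `do_delete`, `global_status=$((global_status+$?))` reads the status of the whole `if`/`else` block, i.e. of the last `$do_log` call, and the `|| echo "DID NOT EXIST: ..."` on the `-D` line masks the delete's own status, so a failed deletion never makes `fw_stop` report an error; capture it explicitly with `rv=0; $IP_TABLES $iptables_option $* || rv=$?` and add `rv` to `global_status` (making `the_action` and `iptables_option` `local` would also stop a `*)` fall-through from reusing a stale option). The `-j REJECT` rule for `$IT_OUTPUT` in `fw_execute` now sits inside the `ACTIVATE_LOGGING` branch, so disabling logging silently changes blocked outbound traffic from REJECT to the DROP policy; if that is unintended, move that line below the `fi`. The `stop` branch still prints `I do not stop for now.` immediately before calling `fw_stop`, so that banner should be updated or dropped.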