lhubert
/
lfirewall


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
							
###############################################################
# iptables chain names
###############################################################
IT_INPUT=INPUT
IT_INPUT_LOG=LOGINPUT
IT_OUTPUT=OUTPUT
IT_OUTPUT_LOG=LOGOUTPUT
IT_POSTROUTING=POSTROUTING
IT_PREROUTING=PREROUTING

PATH=/bin:/sbin:/usr/bin:/usr/sbin

#Defautl network interface
NETWORK_IF=eth0

# Services that the system will offer to the network
TCP_SERVICES="22" # SSH only
UDP_SERVICES=""
# Services the system will use from the network
REMOTE_TCP_SERVICES="80 443" # web browsing
REMOTE_UDP_SERVICES="53" # DNS

# Port used for the SSH service, define this is you have setup a
# management network but remove it from TCP_SERVICES
SSH_PORT="22"

###############################################################
# Default IP_TABLES command path
###############################################################
IP_TABLES="/sbin/iptables"
IP_TABLES_RESTORE="/sbin/iptables-restore"
IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
IP_TABLES_SAVE="/sbin/iptables-save"
IP_TABLES_SAVE_6="/sbin/ip6tables-save"

###############################################################
# iptables action definition
###############################################################

# -C
export IPTABLES_CHECK=__iptables_check_action
# -A
export IPTABLES_ADD=__iptable_add_action
# -I
export IPTABLES_INSERT=__iptable_insert_action
# -P
export IPTABLES_SET_POLICY=__iptable_set_policy_action

export IP_TABLES
export NETWORK_IF


###############################################################
# File and folder paths
###############################################################
CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
USER_RULES_IPTABLES=${CONFIGURATION_DIR}/iptables-user.v4
USER_RULES_IPTABLES_6=${CONFIGURATION_DIR}/iptables-user.v6
POST_UP_DOWN_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-up-down.d
POST_START_STOP_SCRIPTS_DIR=${CONFIGURATION_DIR}/post-start-stop.d


###############################################################

###############################################################
# Firewall log function definition
###############################################################
log_action () {
	echo $*
}

do_not_log_action () {
	return 0
}

###############################################################
# Firewall actions function definition
###############################################################
get_table_information(){
    if [ "$1" = "-t" ]
    then
        echo "$1 $2"
    else
        echo ""
    fi
}

get_action_information(){
    if [ "$1" = "-t" ]
    then
        echo "$3"
    else
        echo "$1"
    fi
}


get_command_information(){
    if [ "$1" = "-t" ]
    then
        shift 3
    else
        shift
    fi
    echo "$*"
}

get_chain_information(){
    if [ "$1" = "-t" ]
    then
        shift 3
    else
        shift
    fi
    echo "$1"
}

do_exec () {
    local it_action=`get_action_information $*`
    local it_table=`get_table_information $*`
    local it_command=`get_command_information $*`
    local it_option
	case ${it_action} in
		__iptable_add_action)
			shift
			it_option=-A
		;;
		__iptable_insert_action)
			shift
			it_option=-I
		;;
		__iptable_set_policy_action)
			shift
			it_option=-P
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	if [ ${verbose} -ge 1 ] ; then
		echo $IP_TABLES $it_table $it_option $it_command
	fi
	if ! $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
	then
		$IP_TABLES $it_table $it_option $it_command
	fi
}


do_check () {
    if [ ${verbose} -ge 1 ] ; then
        echo "do_check params='$*'"
    fi
    local it_action=`get_action_information $*`
    local it_table=`get_table_information $*`
    local it_command=`get_command_information $*`
    local it_option
	case $it_action in
		__iptable_add_action)
			it_option=-A
		;;
		__iptable_insert_action)
			it_option=-I
		;;
		__iptable_set_policy_action)
			return 0
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac
	default_option=-C
	if [ ${verbose} -ge 1 ] ; then
		echo "it_action=$it_action"
		echo "it_table=$it_table"
		echo "it_command=$it_command"
		echo $do_log "$it_action:" $IP_TABLES $it_table -C $it_command
		echo $IP_TABLES $it_table -C $it_command
	fi
	$do_log "$it_action:" $IP_TABLES $it_table -C $it_command
	$IP_TABLES $it_table -C $it_command
	global_status=$((global_status+$?))
}


do_delete () {
    local it_action=`get_action_information $*`
    local it_table=`get_table_information $*`
    local it_command=`get_command_information $*`
    local it_option
	if [ ${verbose} -gt 1 ] ; then
		$do_log "Trying to delete:" \
         $(translate_iptables_rule $IP_TABLES $it_table $it_action $it_command)
	fi
	case $it_action in
		__iptable_add_action)
			it_option=-D
		;;
		__iptable_insert_action)
			it_option=-D
		;;
		__iptable_set_policy_action)
			CHAIN_NAME=`get_chain_information $*`
			$do_log "DELETING: $IP_TABLES $it_table -P $CHAIN_NAME DROP"
			$IP_TABLES $it_table -P $CHAIN_NAME ACCEPT
			return 0
		;;
		*)
			echo "Nothing to be done for $1"
		;;
	esac


	# Checks the rule then delete it, if it exists
	if $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
	then
		$IP_TABLES $it_table $it_option $it_command || echo "DID NOT EXIST: "$IP_TABLES $it_option $it_command
		$do_log "DELETING:" $IP_TABLES $it_table $it_option $it_command
	else
		$do_log "NOT EXISTING:" $IP_TABLES $it_table $it_option $it_command
	fi
	global_status=$((global_status+$?))
}

###############################################################
# Utility functions definition
###############################################################

has_parent_process(){
	local parent_to_search
	local ppid
	parent_to_search="${1:-}"
	if [ -z "${parent_to_search:-}" ]
	then
		echo "ERROR: need parent process pid as first arg" >&2
		return 5
	fi
	local pid
	pid="${2:-}"
	if [ -z "${pid:-}" ]
	then
		pid=$$
	fi
	if [ $parent_to_search = $pid ]
	then
		echo ${parent_to_search}
		return 0
	else if [ $pid -gt 1 ]
		then
			ppid=$(ps --pid ${pid} -o ppid= | xargs) || echo "OUT OF RANGE PID=${pid}" >&2
			if [ -n "$ppid" ]
			then
				if [ $ppid = $pid ]
				then
					#echo "ERROR: pid=$pid is the same as ppid=$ppid" >&2
					echo -1
				else
					has_parent_process ${parent_to_search} ${ppid}
				fi
			else
				#echo "ERROR: pid='$pid' has ppid='$ppid'" >&2
				echo -2
			fi
		else
			#echo "NOT FOUND: ${parent_to_search}" >&2
			echo 1
		fi
	fi
	return 1
}

find_pid_user_of(){
	local used_file=$1
	local regex="$2"
	lsof ${used_file} | awk 'NR>1 && $1 ~ /'${regex}'/ && !($2 in a){a[$2]++; print $2}'
}

find_systemctl_pids(){
	local shell_pid
	local systemctl_pid
	ps -elf | grep 'systemctl' | grep -v grep | awk '{print $13}' | sort -u | while read term
	do
		#echo ${shell_pid} ${systemctl_pid} >&2
		if [ -z "${shell_pid:-}" ]
		then
			shell_pid=$(find_pid_user_of /dev/$term '.*sh$')
		fi
		if [ -z "${systemctl_pid:-}" ]
		then
			systemctl_pid=$(find_pid_user_of /dev/$term 'systemctl')
		fi
		echo ${shell_pid} ${systemctl_pid}
	done
}