lfirewall/scripts/lfirewall

#!/bin/dash
### BEGIN INIT INFO
# Provides:          firewall.sh
# Required-Start:    $syslog $network
# Required-Stop:     $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start firewall daemon at boot time
# Description:       Custom Firewall scrip.
### END INIT INFO

#
# Light Firewall configuration.
#
# Original author : Nicolargo
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates the firewall at boot time
#
CONFIGURATION_DIR=/etc/lfirewall

. ${CONFIGURATION_DIR}/setup

process_and_parent=`find_systemctl_pids`

restart_mode=no

if [ -n "${process_and_parent}" ]
then
	if has_parent_process ${process_and_parent} > /dev/null
	then
		shell_process=`echo ${process_and_parent} | awk '{print $1}'`
		parent_term=`readlink /proc/${shell_process}/fd/2`
	fi

	# Find if systemctl is in restart mode
	for process_id in ${process_and_parent}
	do
		if [ `ps -o comm= -p $process_id` = "systemctl" ] \
			&& ps -o args -p $process_id | grep -v COMMAND | grep restart > /dev/null
		then
			restart_mode=yes
			break
		fi
	done
fi

set -eu

help_message_lfirewall(){
cat <<-EOF
  Light Firewall configuration script.

  `basename ${0}` [OPTIONS...] COMMAND

	COMMANDS

		start		: starts the firewall
		stop		: stops the firewall (removes rules set by this script)
		clear		: clears the firewall (removes all IPTABLES rules and let all connections work)
		dropall 	: drops all network connections (USE with CAUTION)
		test		: tests the existing rules for 30 seconds
		saveuser	: backup of the user (custom) rules

	OPTIONS
		-v --verbose	: verbose mode
		-h --help		: display this help message
		-l --logging	: enables logging (prefix: iptables-logging)

	BACKING UP USER RULES
		WARNING: PLEASE FOLLOW CAREFULLY THE ACTIONS BELOW

		1. Before setting any rule: clear the firewall
		2. Setup your rules
		3. run:
			`basename ${0}` saveuser

	AUTHOR
		Author: Laurent Hubert
		Idea by: Nicolargo
EOF
}

options=$(getopt -l "help,verbose,logging" -o "hvl" -- "$@")

if [ $? != 0 ] ; then
	help_message_lfirewall
	exit 1
fi

eval set -- "$options"

verbose=0
logging=" "

while :
do
	if [ ${verbose} = "1" ] ; then
		echo "$@"
	fi

	case "$1" in
		-h|--help)
			help_message_lfirewall
			exit 0
			;;
		-v|--verbose)
			verbose=$(( verbose + 1 ))
			if [ ${verbose} -gt 1 ]
			then
				set -x
			fi
			if [ ${verbose} -gt 2 ]
			then
				set -v
			fi
			;;
		-l|--logging)
			logging="-j LOG --log-prefix 'iptables-logging'"
			IT_INPUT=${IT_INPUT_LOG}
			IT_OUTPUT=${IT_OUTPUT_LOG}
			;;
		--)
			shift
			break
			;;
	esac
	shift
done

if ! [ -x $IP_TABLES ]; then
	echo "$IP_TABLES is not executable or not present" >&2
	exit 1
fi

if ! [ -x $IP_TABLES_RESTORE ]; then
	echo "$IP_TABLES_RESTORE is not executable or not present" >&2
	exit 3
fi

if ! [ -x $IP_TABLES_RESTORE_6 ]; then
	echo "$IP_TABLES_RESTORE_6 is not executable or not present" >&2
	exit 6
fi

if [ -f $CONFIGURATION_FILE ] ; then
	set +u
	. $CONFIGURATION_FILE
	set -u
fi
if [ -f $CONFIGURATION_LOCAL_FILE ] ; then
	set +u
	. $CONFIGURATION_LOCAL_FILE
	set -u
fi

# Should I disable this ?
# I think I should... but will the 
if ! /usr/bin/ip link show $NETWORK_IF > /dev/null 2>&1
then
	echo "Network interface '$NETWORK_IF' is not present" >&2
	exit 2
fi

do_log=do_not_log_action

export verbose

##########################
# Drops INPUT
##########################

fw_exec_basic_input_rules(){
	local do_action
	do_action=$1

	### Blocks any incoming
	$do_action $IPTABLES_SET_POLICY $IT_INPUT DROP

	### Keep existing connections
	$do_action $IPTABLES_ADD $IT_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Remote testing
	### Allows PING
	$do_action $IPTABLES_ADD $IT_INPUT -p icmp -j ACCEPT

	### Allows LOOPBACK
	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
}


##########################
# Executes the Firewall rules
##########################
fw_execute () {
	local do_action
	do_action=$1
	#**************************************************************************#
	# Input traffic:
	#**************************************************************************#
	fw_exec_basic_input_rules $do_action

	# Services
	if [ -n "$TCP_SERVICES" ] ; then
		for PORT in $TCP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${PORT} -j ACCEPT
		done
	fi
	if [ -n "$UDP_SERVICES" ] ; then
		for PORT in $UDP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_INPUT -p udp --dport ${PORT} -j ACCEPT
		done
	fi
	# Remote management
	if [ "${NETWORK_MGMT:=UNBOUND_VARIABLE}" != "UNBOUND_VARIABLE" ] ; then
		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
	else
		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
	fi

	# SSH
	if [ ! -z "${SSH_PORT:-}" ] ; then
	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
	else
	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "22" -j ACCEPT
		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "22" -j ACCEPT
	fi


	#**************************************************************************#
	# NGINX
	#**************************************************************************#
	$do_action $IPTABLES_ADD $IT_INPUT -i lo -s localhost -d localhost -j ACCEPT
	$do_action $IPTABLES_ADD $IT_OUTPUT -o lo -s localhost -d localhost -j ACCEPT


	#**************************************************************************#
	# Output:
	#**************************************************************************#
	### Allows LOOPBACK
	$do_action $IPTABLES_ADD $IT_OUTPUT -j ACCEPT -o lo

	###
	$do_action $IPTABLES_ADD $IT_OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# ICMP is permitted:
	### Allows ping:
	$do_action $IPTABLES_ADD $IT_OUTPUT -p icmp -j ACCEPT

	# As well as the services we have defined:
	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
		for PORT in $REMOTE_TCP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_OUTPUT -p tcp --dport ${PORT} -j ACCEPT
		done
	fi
	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
		for PORT in $REMOTE_UDP_SERVICES; do
			$do_action $IPTABLES_ADD $IT_OUTPUT -p udp --dport ${PORT} -j ACCEPT
		done
	fi
	if [ "${ACTIVATE_LOGGING:-1}" = 1 ]
	then
		# All other connections are registered in system log's backend
		$do_action $IPTABLES_ADD $IT_INPUT -j LOG
		$do_action $IPTABLES_ADD $IT_OUTPUT -j LOG
		$do_action $IPTABLES_ADD $IT_OUTPUT -j REJECT
		$do_action $IPTABLES_ADD FORWARD -j LOG
	fi
	$do_action $IPTABLES_SET_POLICY $IT_OUTPUT DROP


	#**************************************************************************#
	# DOS attack protection
	#**************************************************************************#
	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
	#
	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP

	#**************************************************************************#
	# blacklist action
	#**************************************************************************#
	fw_blacklist $do_action

	fw_execute_post_up_down $do_action
	fw_execute_post_start_stop $do_action

	#**************************************************************************#
	# whitelist action
	#**************************************************************************#
	fw_whitelist $do_action
}

EXECUTE_LFIREWALL_DIR=`dirname $0`/execute_lfirewall_dir

fw_execute_post_up_down(){
	local do_action
	do_action=$1
	set +eu
	${EXECUTE_LFIREWALL_DIR} -f ${do_action} ${POST_UP_DOWN_SCRIPTS_DIR}
	set -eu
}


fw_execute_post_start_stop(){
	local do_action
	do_action=$1
	set +eu
	${EXECUTE_LFIREWALL_DIR} ${do_action} ${POST_START_STOP_SCRIPTS_DIR}
	set -eu
}


warn_user_missing_ban_list() {
	local ban_list_name
	ban_list_name=$1
	printf "###############################################################\n\r" >&2
	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
	printf "# Banned list named '$ban_list_name' does not exist           #\n\r" >&2
	printf "# Please create it using with at least one entry using :      #\n\r" >&2
	printf "# # ipset create $ban_list_name hash:net hashsize 4096              #\n\r" >&2
	printf "#                                                             #\n\r" >&2
	printf "###############################################################\n\r" >&2
}

fw_blacklist(){
	local do_action
	do_action=$1
	case $do_action in
		do_exec)
			if [ -n "${BANNED_LISTS:-}" ]
			then
				for ban_list in ${BANNED_LISTS}
				do
					if ipset list ${ban_list} > /dev/null
					then
						if ! iptables -C INPUT -m set --match-set ${ban_list} src -j DROP > /dev/null 2>&1
						then
							echo "Enabling $ban_list"
							iptables -I INPUT -m set --match-set ${ban_list} src -j DROP
						fi
					else
						warn_user_missing_ban_list ${ban_list}
					fi
				done
			fi
			;;
		*)
			;;
	esac
}

warn_user_no_whitelist() {
	printf "###############################################################\n\r" >&2
	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
	printf "# Your whitelist is empty or non existent                     #\n\r" >&2
	printf "# Please create one using with at least one entry using :     #\n\r" >&2
	printf "# # ipset create whitelist hash:net hashsize 4096              #\n\r" >&2
	printf "#                                                             #\n\r" >&2
	printf "# Append at least your IP address using one of the following: #\n\r" >&2
	printf "# # ipset add whitelist 12.34.56.78                        #\n\r" >&2
	printf "# # ipset add whitelist 192.168.0.0/16                        #\n\r" >&2
	printf "#                                                             #\n\r" >&2
	printf "###############################################################\n\r" >&2
}

fw_whitelist() {
	local do_action
	do_action=$1
	if ! ipset list whitelist > /dev/null
	then
		warn_user_no_whitelist
		return
	else
		if [ `ipset list whitelist 2> /dev/null | awk '/Number of entries/ {print $NF}'` -eq 0 ]
		then
			warn_user_no_whitelist
			return
		fi
	fi
	
	if [ -n "$TCP_SERVICES" ] ; then
		for PORT in $TCP_SERVICES; do
			$do_action $IPTABLES_INSERT $IT_INPUT -p tcp -m tcp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
		done
	fi
	if [ -n "$UDP_SERVICES" ] ; then
		for PORT in $UDP_SERVICES; do
			$do_action $IPTABLES_INSERT $IT_INPUT -p udp -m udp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
		done
	fi

}

fw_network_protection(){
	#**************************************************************************#
	# Other network protections
	# (some will only work with some kernel versions)
	#**************************************************************************#
	if [ "${ALLOW_IP_FORWARDING:-0}" = 0 ]
	then
		echo 0 > /proc/sys/net/ipv4/ip_forward
	else
		echo 1 > /proc/sys/net/ipv4/ip_forward
	fi
	if [ "${NETWORK_PROTECTION:-1}" = 1 ]
	then
		echo 1 > /proc/sys/net/ipv4/tcp_syncookies
		echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
		echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
		echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
		echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
		echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
		echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
		echo "Firewall network protection enhancement set"
	fi
}

do_this(){
    if [ ${verbose} -ge 1 ] ; then
      echo $*
    fi
    $*
}

##########################
# Backups user rules
##########################
fw_backup_user(){
	$IP_TABLES_SAVE > ${USER_RULES_IPTABLES}
	$IP_TABLES_SAVE_6 > ${USER_RULES_IPTABLES_6}
}

##########################
# Restores user rules
##########################
fw_restore_user(){
	if [ -f $USER_RULES_IPTABLES ] ; then
		$IP_TABLES_RESTORE < ${USER_RULES_IPTABLES}
	fi
	if [ -f $USER_RULES_IPTABLES_6 ] ; then
		$IP_TABLES_RESTORE_6 < ${USER_RULES_IPTABLES_6}
	fi
}

##########################
# Stop the Firewall rules
##########################

fw_stop () {
	global_status=0
	# Start will not really start but exec the "do_delete" action
	fw_execute do_delete
	if [ 0 -eq "$global_status" ] ; then
		echo "Firewall rules removed"
		return 0
	else
		echo "Some firewall rules were not removed !!!"
		return $global_status
	fi
}


##########################
# Drop any incoming
# but keep existing ones
##########################

fw_dropall(){
	do_this $IP_TABLES -F
	do_this $IP_TABLES -t nat -F
	do_this $IP_TABLES -t mangle -F
	fw_exec_basic_input_rules do_exec
	do_this $IP_TABLES -P FORWARD ACCEPT
	do_this $IP_TABLES -P OUTPUT ACCEPT
}

##########################
# Clear the Firewall rules
##########################

fw_clear () {
	do_this $IP_TABLES -F
	do_this $IP_TABLES -X
	do_this $IP_TABLES -P INPUT ACCEPT
	do_this $IP_TABLES -P FORWARD ACCEPT
	do_this $IP_TABLES -P OUTPUT ACCEPT
}

##########################
# Test the Firewall rules
##########################

fw_save () {
	if [ ${verbose} -ge 1 ] ; then
	    echo "$IP_TABLES_SAVE > /etc/lfirewall/iptables.backup"
	fi

	$IP_TABLES_SAVE > /etc/lfirewall/iptables.backup
}

fw_restore () {
	fw_clear
	BACKUP_FILE=/etc/lfirewall/iptables.backup
	if [ -e $BACKUP_FILE ]; then
	  if [ ${verbose} -ge 1 ] ; then
	    echo "IP_TABLES_RESTORE > $BACKUP_FILE"
	  fi

		$IP_TABLES_RESTORE < $BACKUP_FILE
	fi
}

fw_test () {
	fw_save
	sleep 30 && echo "Restoring previous Firewall rules" && fw_restore && echo "Done" &
	fw_stop
	fw_execute do_exec
	wait $(jobs -p)
}

if [ ${verbose} -gt 0 ] ; then
	do_log=log_action
fi
export do_log

case "$1" in
	start|restart)
		echo -n "Starting firewall.."
		fw_stop
		fw_restore_user
		fw_execute do_exec
		echo "Firewall rules added"
		fw_network_protection
		echo "done."
	;;
	saveuser)
		echo "###############################################################"
		echo "# Backing up user rules to /etc/lfirewall/iptables-user.v*    #"
		echo "#                                                             #"
		echo "# Other iptables rules should not be removed unless you use   #"
		echo "# the 'clear' command (which deletes every rule)              #"
		echo "# If you used the 'clear' command, you can restore them by    #"
		echo "# using the 'start' command to restore them                   #"
		echo "###############################################################"
		echo -n "Backing up rules"
		fw_backup_user
		echo "done."
	;;
	stop)
		echo "###############################################################"
		echo "# Removing rules set by this tool                             #"
		echo "#                                                             #"
		echo "# Other iptables rules should not be removed unless you use   #"
		echo "# the 'clear' command                                         #"
		echo "# Use 'dropall' to stop any traffic and block everything.     #"
		echo "###############################################################"
		fw_stop
	;;
	clear)
		echo "###############################################################"
		echo "# Clearing any rule and let the firewall pass any packet      #"
		echo "#                                                             #"
		echo "# You can restore them by using the 'start' command           #"
		echo "###############################################################"
		echo -n "Clearing firewall rules.."
		fw_clear
		echo "done."
	;;
	dropall)
		echo "Droping all connections !!!"
		fw_dropall
		echo "done."
		if [ -c "${parent_term:-}" ]
		then
			exec 2>${parent_term}
		fi
		if [ "${restart_mode}" = "no" ]
		then
			printf "###############################################################\n\r" >&2
			printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
			printf "# From now any new SSH session or INPUT                       #\n\r" >&2
			printf "#                      WILL BE REFUSED                        #\n\r" >&2
			printf "# If you NEED to continue working remotely,                   #\n\r" >&2
			printf "# run one of the 'lfirewall clear', 'lfirewall stop'          #\n\r" >&2
			printf "# 'lfirewall start' commands                                  #\n\r" >&2
			printf "#                           NOW !!!                           #\n\r" >&2
			printf "###############################################################\n\r" >&2
		fi
	;;
	test)
		echo "Test Firewall rules..."
		echo "Previous configuration will be restore in 30 seconds"
		fw_test
	;;
	status)
		global_status=0
		# Start will not really start but exec the "check" action
		fw_execute do_check
		if [ 0 -eq "$global_status" ] ; then
			echo "Firewall rules match configuration"
			exit 0
		else
			echo "Some firewall rules are not set correctly"
			exit $global_status
		fi
	;;
	*)
		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
		echo "###############################################################"
		echo "# Be aware that 'dropall' will block                          #"
		echo "# all incoming/outgoing traffic !!!                           #"
		echo "###############################################################"
		echo "Use start option to restore all rules."
		echo "Use clear option to remove all traffic."
		echo "Use stop option to allow all traffic."
		exit 1
	;;
esac