firewall.sh: some improvements

This commit is contained in:
teldra 2020-06-22 18:42:59 +02:00
parent e43d0242cb
commit a6a4861488
1 changed files with 89 additions and 140 deletions


@ -12,12 +12,17 @@ if [[ ! -f "${CFG}" ]]; then
done
echo "alldevs=(${devs[*]})" > "${CFG}"
echo "ignore=()" >> "${CFG}"
echo "hometcp=(ssh)" >> "${CFG}"
echo "homeudp=()" >> "${CFG}"
echo "outtcp=(ssh)" >> "${CFG}"
echo "outudp=()" >> "${CFG}"
echo "vpntcp=(ssh)" >> "${CFG}"
echo "vpnudp=()" >> "${CFG}"
echo "home_tcp=(ssh)" >> "${CFG}"
echo "home_udp=()" >> "${CFG}"
echo "out_tcp=(ssh)" >> "${CFG}"
echo "out_udp=()" >> "${CFG}"
echo "vpn_tcp=(ssh)" >> "${CFG}"
echo "vpn_udp=()" >> "${CFG}"
echo "" >> "${CFG}"
echo "PROFILE=" >> "${CFG}"
echo "" >> "${CFG}"
echo "NM=" >> "${CFG}"
echo "" >> "${CFG}"
echo "VPN_UNRESTRICTED=1" >> "${CFG}"
echo "" >> "${CFG}"
echo "nft="/usr/sbin/nft"" >> "${CFG}"
@ -59,14 +64,14 @@ source <(sed -n '/^#functions/,$p' $(dirname "$0")/$(basename "$0"))
# echo "${ports[$index]}"
#done
while getopts Aia:r:l:fDhnL option
while getopts Aia:r:p:fDhnL option
do
case "${option}" in
A) AUTOMATIC=1;;
i) INIT=1;;
a) ADEVICE+=("${OPTARG}");;
r) RDEVICE+=("${OPTARG}");;
l) LOCATION="${OPTARG}";;
p) PROFILE="${OPTARG}";;
f) FLUSH=1;;
D) DEBUG=1;;
h) HELP=1;;
@ -81,7 +86,7 @@ help
flush
check_deviceinput
get_devices
location
profile
init
add_device
remove_device
@ -112,34 +117,34 @@ flush() {
fi
}
location() {
profile() {
[[ $INIT == "1" ]] && return 0
if [[ -z $LOCATION ]]; then
if [[ -z $PROFILE ]]; then
if [[ -e /run/home ]]; then
HOME=$(cat /run/home)
if [[ "${HOME}" == "home" ]]; then
LOCATION=home
PROFILE=home
elif [[ "${HOME}" == "out" ]]; then
LOCATION=out
PROFILE=out
fi
else
LOCATION=out
PROFILE=out
fi
fi
case $LOCATION in
case $PROFILE in
h|home)
portstcp=("${hometcp[@]}")
portsudp=("${homeudp[@]}");;
portstcp=("${home_tcp[@]}")
portsudp=("${home_udp[@]}");;
o|out)
portstcp=("${outtcp[@]}")
portsudp=("${outudp[@]}") ;;
portstcp=("${out_tcp[@]}")
portsudp=("${out_udp[@]}") ;;
esac
debug location: "${LOCATION[@]}"
debug profile: "${PROFILE[@]}"
debug tcp ports: "${portstcp[@]}"
debug udp ports: "${portsudp[@]}"
if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then
debug vpntcp ports: "${vpntcp[@]}"
debug vpnudp ports: "${vpnudp[@]}"
debug vpntcp ports: "${vpn_tcp[@]}"
debug vpnudp ports: "${vpn_udp[@]}"
elif [[ "$VPN_UNRESTRICTED" == "1" ]]; then
debug "vpn ports unrestricted"
fi
@ -246,7 +251,7 @@ get_devices() {
function init() {
if ! $nft -a list ruleset | grep -q "table inet filter"; then
debug "Initialise rule: nft add table inet filter"
debug "Initialise ruletable: nft add table inet filter"
$nft add table inet filter
$nft add chain inet filter INPUT \{ type filter hook input priority 0 \; policy drop \; \}
$nft add rule inet filter INPUT ct state invalid drop comment \"early drop of invalid packets\"
@ -315,126 +320,70 @@ getports() {
done
if [[ ! ${dev} == *"vpn"* ]]; then
#TCP
unchangedtcp=()
for item1 in "${portstcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${portstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnontcp=()
for item1 in "${portstcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
ptcp=("${portstcp[@]}")
pudp=("${portsudp[@]}")
elif [[ ${dev} == *"vpn"* ]]; then
ptcp=("${vpn_tcp[@]}")
pudp=("${vpn_udp[@]}")
fi
#TCP
unchangedtcp=()
for item1 in "${ptcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${ptcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnontcp=()
for item1 in "${ptcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
#UDP
unchangedudp=()
for item1 in "${pudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
#UDP
unchangedudp=()
for item1 in "${portsudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${pudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${portsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${pudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${portsudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
fi
elif [[ ${dev} == *"vpn"* ]]; then
#TCP VPN
unchangedtcp=()
for item1 in "${vpntcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${vpntcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
vpnturnontcp=()
for item1 in "${vpntcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
#UDP
unchangedudp=()
for item1 in "${vpnudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${vpnudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${vpnudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
if [[ ${dev} == *"vpn"* ]]; then
if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then
if $nft -a list ruleset | grep -q "${dev}: accept all"; then
debug "${dev}: remove rule \"${dev}: accept all\""
@ -520,7 +469,7 @@ set_rules() {
help() {
[[ ! $HELP == "1" ]] && return 0
cat <<EOF
usage: $(basename "$0") [-A] [-i] [-a <device>] [-r <device>] [-l <location>]
usage: $(basename "$0") [-A] [-i] [-a <device>] [-r <device>] [-l <profile>]
[-f] [-D] [-h]
-A Automagic find connected devices