firewall.sh: some improvements
parent
e43d0242cb
commit
a6a4861488
229
firewall.sh
229
firewall.sh
@ -12,12 +12,17 @@ if [[ ! -f "${CFG}" ]]; then
done
echo "alldevs=(${devs[*]})" > "${CFG}"
echo "ignore=()" >> "${CFG}"
echo "hometcp=(ssh)" >> "${CFG}"
echo "homeudp=()" >> "${CFG}"
echo "outtcp=(ssh)" >> "${CFG}"
echo "outudp=()" >> "${CFG}"
echo "vpntcp=(ssh)" >> "${CFG}"
echo "vpnudp=()" >> "${CFG}"
echo "home_tcp=(ssh)" >> "${CFG}"
echo "home_udp=()" >> "${CFG}"
echo "out_tcp=(ssh)" >> "${CFG}"
echo "out_udp=()" >> "${CFG}"
echo "vpn_tcp=(ssh)" >> "${CFG}"
echo "vpn_udp=()" >> "${CFG}"
echo "" >> "${CFG}"
echo "PROFILE=" >> "${CFG}"
echo "" >> "${CFG}"
echo "NM=" >> "${CFG}"
echo "" >> "${CFG}"
echo "VPN_UNRESTRICTED=1" >> "${CFG}"
echo "" >> "${CFG}"
echo "nft="/usr/sbin/nft"" >> "${CFG}"
@ -59,14 +64,14 @@ source <(sed -n '/^#functions/,$p' $(dirname "$0")/$(basename "$0"))
# echo "${ports[$index]}"
#done
while getopts Aia:r:l:fDhnL option
while getopts Aia:r:p:fDhnL option
do
case "${option}" in
A) AUTOMATIC=1;;
i) INIT=1;;
a) ADEVICE+=("${OPTARG}");;
r) RDEVICE+=("${OPTARG}");;
l) LOCATION="${OPTARG}";;
p) PROFILE="${OPTARG}";;
f) FLUSH=1;;
D) DEBUG=1;;
h) HELP=1;;
@ -81,7 +86,7 @@ help
flush
check_deviceinput
get_devices
location
profile
init
add_device
remove_device
@ -112,34 +117,34 @@ flush() {
fi
}
location() {
profile() {
[[ $INIT == "1" ]] && return 0
if [[ -z $LOCATION ]]; then
if [[ -z $PROFILE ]]; then
if [[ -e /run/home ]]; then
HOME=$(cat /run/home)
if [[ "${HOME}" == "home" ]]; then
LOCATION=home
PROFILE=home
elif [[ "${HOME}" == "out" ]]; then
LOCATION=out
PROFILE=out
fi
else
LOCATION=out
PROFILE=out
fi
fi
case $LOCATION in
case $PROFILE in
h|home)
portstcp=("${hometcp[@]}")
portsudp=("${homeudp[@]}");;
portstcp=("${home_tcp[@]}")
portsudp=("${home_udp[@]}");;
o|out)
portstcp=("${outtcp[@]}")
portsudp=("${outudp[@]}") ;;
portstcp=("${out_tcp[@]}")
portsudp=("${out_udp[@]}") ;;
esac
debug location: "${LOCATION[@]}"
debug profile: "${PROFILE[@]}"
debug tcp ports: "${portstcp[@]}"
debug udp ports: "${portsudp[@]}"
if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then
debug vpntcp ports: "${vpntcp[@]}"
debug vpnudp ports: "${vpnudp[@]}"
debug vpntcp ports: "${vpn_tcp[@]}"
debug vpnudp ports: "${vpn_udp[@]}"
elif [[ "$VPN_UNRESTRICTED" == "1" ]]; then
debug "vpn ports unrestricted"
fi
@ -246,7 +251,7 @@ get_devices() {
function init() {
if ! $nft -a list ruleset | grep -q "table inet filter"; then
debug "Initialise rule: nft add table inet filter"
debug "Initialise ruletable: nft add table inet filter"
$nft add table inet filter
$nft add chain inet filter INPUT \{ type filter hook input priority 0 \; policy drop \; \}
$nft add rule inet filter INPUT ct state invalid drop comment \"early drop of invalid packets\"
@ -315,126 +320,70 @@ getports() {
done
if [[ ! ${dev} == *"vpn"* ]]; then
#TCP
unchangedtcp=()
for item1 in "${portstcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${portstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnontcp=()
for item1 in "${portstcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
ptcp=("${portstcp[@]}")
pudp=("${portsudp[@]}")
elif [[ ${dev} == *"vpn"* ]]; then
ptcp=("${vpn_tcp[@]}")
pudp=("${vpn_udp[@]}")
fi
#TCP
unchangedtcp=()
for item1 in "${ptcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${ptcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnontcp=()
for item1 in "${ptcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
#UDP
unchangedudp=()
for item1 in "${pudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
#UDP
unchangedudp=()
for item1 in "${portsudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${pudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${portsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${pudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${portsudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
fi
elif [[ ${dev} == *"vpn"* ]]; then
#TCP VPN
unchangedtcp=()
for item1 in "${vpntcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedtcp+=("$item1")
break
fi
done
done
turnofftcp=()
for item1 in "${istportstcp[@]}"; do
for item2 in "${vpntcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnofftcp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
vpnturnontcp=()
for item1 in "${vpntcp[@]}"; do
for item2 in "${istportstcp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
turnontcp+=("$item1")
done
fi
#UDP
unchangedudp=()
for item1 in "${vpnudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
if [[ $item1 == "$item2" ]]; then
unchangedudp+=("$item1")
break
fi
done
done
turnoffudp=()
for item1 in "${istportsudp[@]}"; do
for item2 in "${vpnudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnoffudp+=("$item1")
done
if [[ ! $2 == "off" ]]; then
turnonudp=()
for item1 in "${vpnudp[@]}"; do
for item2 in "${istportsudp[@]}"; do
[[ $item1 == "$item2" ]] && continue 2
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
# If we reached here, nothing matched.
turnonudp+=("$item1")
done
if [[ ${dev} == *"vpn"* ]]; then
if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then
if $nft -a list ruleset | grep -q "${dev}: accept all"; then
debug "${dev}: remove rule \"${dev}: accept all\""
@ -520,7 +469,7 @@ set_rules() {
help() {
[[ ! $HELP == "1" ]] && return 0
cat <<EOF
usage: $(basename "$0") [-A] [-i] [-a <device>] [-r <device>] [-l <location>]
usage: $(basename "$0") [-A] [-i] [-a <device>] [-r <device>] [-l <profile>]
[-f] [-D] [-h]
-A Automagic find connected devices
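Review bot: In the reworked profile() hunk, `case $PROFILE in` has only the `h|home` and `o|out` arms and no default, so a mistyped `-p` value or an unexpected string in /run/home leaves portstcp/portsudp unset and the run continues silently; an explicit `*) printf 'unknown profile: %s\n' "$PROFILE" >&2; exit 1;;` before `esac` turns that into a visible error rather than a firewall state nobody asked for. The same function still does `HOME=$(cat /run/home)`, which overwrites the caller's home-directory environment variable for the rest of the script; a dedicated name such as `loc=$(cat /run/home)` (with the two comparisons updated to `"${loc}"`) avoids the clobber. Because the content of /run/home selects the more permissive home port set, it is worth confirming that only root can write that file, which the script does not check. profile()'s closing brace lies outside the hunk.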