From a6a4861488c0dcadf6ecc85b7558f1dbae5c8b65 Mon Sep 17 00:00:00 2001
From: teldra
Date: Mon, 22 Jun 2020 18:42:59 +0200
Subject: [PATCH] firewall.sh: some improvements
---
 firewall.sh | 229 ++++++++++++++++++++--------------------------------
 1 file changed, 89 insertions(+), 140 deletions(-)
diff --git a/firewall.sh b/firewall.sh
index e72ec7c..019ac01 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -12,12 +12,17 @@ if [[ ! -f "${CFG}" ]]; then
 done
 echo "alldevs=(${devs[*]})" > "${CFG}"
 echo "ignore=()" >> "${CFG}"
- echo "hometcp=(ssh)" >> "${CFG}"
- echo "homeudp=()" >> "${CFG}"
- echo "outtcp=(ssh)" >> "${CFG}"
- echo "outudp=()" >> "${CFG}"
- echo "vpntcp=(ssh)" >> "${CFG}"
- echo "vpnudp=()" >> "${CFG}"
+ echo "home_tcp=(ssh)" >> "${CFG}"
+ echo "home_udp=()" >> "${CFG}"
+ echo "out_tcp=(ssh)" >> "${CFG}"
+ echo "out_udp=()" >> "${CFG}"
+ echo "vpn_tcp=(ssh)" >> "${CFG}"
+ echo "vpn_udp=()" >> "${CFG}"
+ echo "" >> "${CFG}"
+ echo "PROFILE=" >> "${CFG}"
+ echo "" >> "${CFG}"
+ echo "NM=" >> "${CFG}"
+ echo "" >> "${CFG}"
 echo "VPN_UNRESTRICTED=1" >> "${CFG}"
 echo "" >> "${CFG}"
 echo "nft="/usr/sbin/nft"" >> "${CFG}"
@@ -59,14 +64,14 @@ source <(sed -n '/^#functions/,$p' $(dirname "$0")/$(basename "$0"))
 # echo "${ports[$index]}"
 #done
-while getopts Aia:r:l:fDhnL option
+while getopts Aia:r:p:fDhnL option
 do
 case "${option}" in
 A) AUTOMATIC=1;;
 i) INIT=1;;
 a) ADEVICE+=("${OPTARG}");;
 r) RDEVICE+=("${OPTARG}");;
- l) LOCATION="${OPTARG}";;
+ p) PROFILE="${OPTARG}";;
 f) FLUSH=1;;
 D) DEBUG=1;;
 h) HELP=1;;
@@ -81,7 +86,7 @@ help
 flush
 check_deviceinput
 get_devices
-location
+profile
 init
 add_device
 remove_device
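Review bot: The two keys this hunk adds to the generated config, `PROFILE=` and `NM=`, are written with no hint of what they hold, so anyone editing `${CFG}` by hand has nothing to go on; precede each with a comment line in the generated file, e.g. `echo "# PROFILE: home|out; leave empty to detect from /run/home (-p overrides)" >> "${CFG}"` and a matching one describing NM. Because `${CFG}` is sourced as shell code, an empty `PROFILE=` only works as a default if the file is sourced before the getopts loop in the next hunk; if it is sourced afterwards the empty assignment would clobber a `-p` value, and the sourcing line is outside this hunk, so the order is worth confirming. The same file also carries `nft=`, the binary the script later executes, so it should be created with restrictive permissions (for instance `umask 077` ahead of the first `echo ... > "${CFG}"`) rather than whatever umask the caller happens to have. The enclosing `if [[ ! -f "${CFG}" ]]` block begins before this hunk.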
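Review bot: `-l` is replaced by `-p` in both the getopts string and the case arm, but the usage text in the later `help()` hunk still advertises `[-l ...]` on its new `+usage:` line, so `-h` will document an option that getopts now rejects; that line needs `[-p <profile>]` (placeholder name, constructed) instead. The getopts string also lists `n` and `L`, whose case arms and the `\?)` default for unknown options fall outside this hunk — fine if they exist below, but worth checking since an unknown option otherwise passes silently.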
@@ -112,34 +117,34 @@ flush() {
 fi
 }
-location() {
+profile() {
 [[ $INIT == "1" ]] && return 0
- if [[ -z $LOCATION ]]; then
+ if [[ -z $PROFILE ]]; then
 if [[ -e /run/home ]]; then
 HOME=$(cat /run/home)
 if [[ "${HOME}" == "home" ]]; then
- LOCATION=home
+ PROFILE=home
 elif [[ "${HOME}" == "out" ]]; then
- LOCATION=out
+ PROFILE=out
 fi
 else
- LOCATION=out
+ PROFILE=out
 fi
 fi
- case $LOCATION in
+ case $PROFILE in
 h|home)
- portstcp=("${hometcp[@]}")
- portsudp=("${homeudp[@]}");;
+ portstcp=("${home_tcp[@]}")
+ portsudp=("${home_udp[@]}");;
 o|out)
- portstcp=("${outtcp[@]}")
- portsudp=("${outudp[@]}") ;;
+ portstcp=("${out_tcp[@]}")
+ portsudp=("${out_udp[@]}") ;;
 esac
- debug location: "${LOCATION[@]}"
+ debug profile: "${PROFILE[@]}"
 debug tcp ports: "${portstcp[@]}"
 debug udp ports: "${portsudp[@]}"
 if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then
- debug vpntcp ports: "${vpntcp[@]}"
- debug vpnudp ports: "${vpnudp[@]}"
+ debug vpntcp ports: "${vpn_tcp[@]}"
+ debug vpnudp ports: "${vpn_udp[@]}"
 elif [[ "$VPN_UNRESTRICTED" == "1" ]]; then
 debug "vpn ports unrestricted"
 fi
@@ -246,7 +251,7 @@ get_devices() {
 function init() {
 if ! $nft -a list ruleset | grep -q "table inet filter"; then
- debug "Initialise rule: nft add table inet filter"
+ debug "Initialise ruletable: nft add table inet filter"
 $nft add table inet filter
 $nft add chain inet filter INPUT \{ type filter hook input priority 0 \; policy drop \; \}
 $nft add rule inet filter INPUT ct state invalid drop comment \"early drop of invalid packets\"
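Review bot: `case $PROFILE in` has no default arm, so a mistyped `-p` value, or anything other than "home"/"out" in /run/home, leaves `portstcp` and `portsudp` empty with no message; the later port reconciliation then treats every currently open port as one to turn off, which is fail-closed but completely silent. Add `*) printf 'unknown profile: %s\n' "$PROFILE" >&2; exit 1;;` before `esac` so the misconfiguration is reported instead. Separately, the context line `HOME=$(cat /run/home)` overwrites the shell's own `$HOME` with "home"/"out" for the rest of the run; a local name such as `marker` avoids surprising anything that reads `$HOME` later. The `;;` placement also differs between the two arms (`...);;` versus `...) ;;`); pick one.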
@@ -315,126 +320,70 @@ getports() {
 done
 if [[ ! ${dev} == *"vpn"* ]]; then
-#TCP
-unchangedtcp=()
-for item1 in "${portstcp[@]}"; do
-for item2 in "${istportstcp[@]}"; do
-if [[ $item1 == "$item2" ]]; then
-unchangedtcp+=("$item1")
-break
-fi
-done
-done
-turnofftcp=()
-for item1 in "${istportstcp[@]}"; do
-for item2 in "${portstcp[@]}"; do
-[[ $item1 == "$item2" ]] && continue 2
-done
-turnofftcp+=("$item1")
-done
-if [[ ! $2 == "off" ]]; then
-turnontcp=()
-for item1 in "${portstcp[@]}"; do
-for item2 in "${istportstcp[@]}"; do
-[[ $item1 == "$item2" ]] && continue 2
-done
-turnontcp+=("$item1")
-done
-fi
+ptcp=("${portstcp[@]}")
+pudp=("${portsudp[@]}")
+elif [[ ${dev} == *"vpn"* ]]; then
+ptcp=("${vpn_tcp[@]}")
+pudp=("${vpn_udp[@]}")
+fi
+#TCP
+unchangedtcp=()
+for item1 in "${ptcp[@]}"; do
+for item2 in "${istportstcp[@]}"; do
+if [[ $item1 == "$item2" ]]; then
+unchangedtcp+=("$item1")
+break
+fi
+done
+done
+turnofftcp=()
+for item1 in "${istportstcp[@]}"; do
+for item2 in "${ptcp[@]}"; do
+[[ $item1 == "$item2" ]] && continue 2
+done
+turnofftcp+=("$item1")
+done
+if [[ ! 
$2 == "off" ]]; then + turnontcp=() + for item1 in "${ptcp[@]}"; do + for item2 in "${istportstcp[@]}"; do + [[ $item1 == "$item2" ]] && continue 2 + done + turnontcp+=("$item1") + done + fi + #UDP + unchangedudp=() + for item1 in "${pudp[@]}"; do + for item2 in "${istportsudp[@]}"; do + if [[ $item1 == "$item2" ]]; then + unchangedudp+=("$item1") + break + fi + done + done - #UDP - unchangedudp=() - for item1 in "${portsudp[@]}"; do - for item2 in "${istportsudp[@]}"; do - if [[ $item1 == "$item2" ]]; then - unchangedudp+=("$item1") - break - fi - done - done + turnoffudp=() + for item1 in "${istportsudp[@]}"; do + for item2 in "${pudp[@]}"; do + [[ $item1 == "$item2" ]] && continue 2 + done - turnoffudp=() - for item1 in "${istportsudp[@]}"; do - for item2 in "${portsudp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done + # If we reached here, nothing matched. + turnoffudp+=("$item1") + done + if [[ ! $2 == "off" ]]; then + turnonudp=() + for item1 in "${pudp[@]}"; do + for item2 in "${istportsudp[@]}"; do + [[ $item1 == "$item2" ]] && continue 2 + done - # If we reached here, nothing matched. - turnoffudp+=("$item1") - done - if [[ ! $2 == "off" ]]; then - turnonudp=() - for item1 in "${portsudp[@]}"; do - for item2 in "${istportsudp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done - - # If we reached here, nothing matched. - turnonudp+=("$item1") - done - fi - - - elif [[ ${dev} == *"vpn"* ]]; then - #TCP VPN - unchangedtcp=() - for item1 in "${vpntcp[@]}"; do - for item2 in "${istportstcp[@]}"; do - if [[ $item1 == "$item2" ]]; then - unchangedtcp+=("$item1") - break - fi - done - done - turnofftcp=() - for item1 in "${istportstcp[@]}"; do - for item2 in "${vpntcp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done - turnofftcp+=("$item1") - done - if [[ ! 
$2 == "off" ]]; then - vpnturnontcp=() - for item1 in "${vpntcp[@]}"; do - for item2 in "${istportstcp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done - turnontcp+=("$item1") - done - fi - - - #UDP - unchangedudp=() - for item1 in "${vpnudp[@]}"; do - for item2 in "${istportsudp[@]}"; do - if [[ $item1 == "$item2" ]]; then - unchangedudp+=("$item1") - break - fi - done - done - - turnoffudp=() - for item1 in "${istportsudp[@]}"; do - for item2 in "${vpnudp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done - - # If we reached here, nothing matched. - turnoffudp+=("$item1") - done - if [[ ! $2 == "off" ]]; then - turnonudp=() - for item1 in "${vpnudp[@]}"; do - for item2 in "${istportsudp[@]}"; do - [[ $item1 == "$item2" ]] && continue 2 - done - - # If we reached here, nothing matched. - turnonudp+=("$item1") - done + # If we reached here, nothing matched. + turnonudp+=("$item1") + done + if [[ ${dev} == *"vpn"* ]]; then if [[ ! "$VPN_UNRESTRICTED" == "1" ]]; then if $nft -a list ruleset | grep -q "${dev}: accept all"; then debug "${dev}: remove rule \"${dev}: accept all\"" @@ -520,7 +469,7 @@ set_rules() { help() { [[ ! $HELP == "1" ]] && return 0 cat <] [-r ] [-l ] +usage: $(basename "$0") [-A] [-i] [-a ] [-r ] [-l ] [-f] [-D] [-h] -A Automagic find connected devices
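Review bot: The new `elif [[ ${dev} == *"vpn"* ]]; then` arm is the exact negation of the `if [[ ! ${dev} == *"vpn"* ]]` test above it, so a plain `else` expresses the same thing without the reader having to verify that the two patterns agree; the `if [[ ${dev} == *"vpn"* ]]; then` re-opened at the end of the hunk sits inside the still-open `if [[ ! $2 == "off" ]]`, which also deserves a word since it means the VPN accept-all handling only runs when the second argument is not "off". Which port lists a device gets now rests entirely on its name containing the substring `vpn`, which is worth a comment at that first `if`, e.g. `# devices whose name contains "vpn" get the vpn_* lists, everything else the lists of the active profile`. `turnontcp=()` and `turnonudp=()` are only reset when `$2` is not "off"; if getports is invoked once per device in a loop (the caller is outside this hunk) a previous device's turn-on list could survive into an "off" call, so moving the two resets above their `if` is cheap insurance. getports() begins before this hunk and the `fi`s that close the two open `if`s come after it.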