|
@@ -47,7 +47,7 @@ function save_firewall_settings {
|
47
|
47
|
}
|
48
|
48
|
|
49
|
49
|
function firewall_block_bad_ip_ranges {
|
50
|
|
- if [ $INSTALLING_MESH ]; then
|
|
50
|
+ if [ "$INSTALLING_MESH" ]; then
|
51
|
51
|
return
|
52
|
52
|
fi
|
53
|
53
|
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
|
|
@@ -135,13 +135,13 @@ function firewall_enable_vpn {
|
135
|
135
|
}
|
136
|
136
|
|
137
|
137
|
function configure_firewall {
|
138
|
|
- if [ $INSTALLING_MESH ]; then
|
|
138
|
+ if [ "$INSTALLING_MESH" ]; then
|
139
|
139
|
mesh_firewall
|
140
|
140
|
return
|
141
|
141
|
fi
|
142
|
142
|
if grep -q "RELATED" /etc/firewall.conf; then
|
143
|
143
|
# recreate the firewall to remove RELATED
|
144
|
|
- sed -i "/firewall/d" $COMPLETION_FILE
|
|
144
|
+ sed -i "/firewall/d" "$COMPLETION_FILE"
|
145
|
145
|
fi
|
146
|
146
|
if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
|
147
|
147
|
return
|
|
@@ -276,10 +276,10 @@ function configure_internet_protocol {
|
276
|
276
|
echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
|
277
|
277
|
fi
|
278
|
278
|
if ! grep -q "keepalive" /etc/sysctl.conf; then
|
279
|
|
- echo '# keepalive' >> /etc/sysctl.conf
|
280
|
|
- echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
|
281
|
|
- echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
|
282
|
|
- echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
|
|
279
|
+ { echo '# keepalive';
|
|
280
|
+ echo 'net.ipv4.tcp_keepalive_probes = 9';
|
|
281
|
+ echo 'net.ipv4.tcp_keepalive_intvl = 75';
|
|
282
|
+ echo 'net.ipv4.tcp_keepalive_time = 7200'; } >> /etc/sysctl.conf
|
283
|
283
|
fi
|
284
|
284
|
if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
|
285
|
285
|
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
|
|
@@ -335,103 +335,100 @@ function configure_internet_protocol {
|
335
|
335
|
}
|
336
|
336
|
|
337
|
337
|
function mesh_firewall {
|
338
|
|
- FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
|
|
338
|
+ # shellcheck disable=SC2154
|
|
339
|
+ FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
|
339
|
340
|
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
|
340
|
341
|
|
341
|
|
- echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
|
342
|
|
- echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
343
|
|
- echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
344
|
|
- echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
|
345
|
|
- echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
|
346
|
|
- echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
|
347
|
|
- echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
|
348
|
|
- echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
|
349
|
|
- echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
|
350
|
|
- echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
|
351
|
|
- echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
|
352
|
|
- echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
353
|
|
- echo 'ip6tables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
354
|
|
- echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
355
|
|
- echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
|
356
|
|
- echo '' >> $MESH_FIREWALL_SCRIPT
|
357
|
|
- echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
|
358
|
|
- echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
|
359
|
|
- echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
|
360
|
|
- echo '' >> $MESH_FIREWALL_SCRIPT
|
361
|
|
- echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
|
362
|
|
- echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
|
363
|
|
- echo 'ip6tables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
|
364
|
|
- echo '' >> $MESH_FIREWALL_SCRIPT
|
365
|
|
- echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
|
366
|
|
- echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
|
367
|
|
- echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
|
368
|
|
- echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
369
|
|
- echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
370
|
|
- echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
371
|
|
- echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
|
372
|
|
- echo '' >> $MESH_FIREWALL_SCRIPT
|
373
|
|
- echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
|
374
|
|
- echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
|
375
|
|
- echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
|
376
|
|
- echo '' >> $MESH_FIREWALL_SCRIPT
|
377
|
|
- echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
378
|
|
- echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
379
|
|
- echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
380
|
|
- echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
381
|
|
- echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
382
|
|
- echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
383
|
|
- echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
384
|
|
- echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
385
|
|
- echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
386
|
|
- echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
387
|
|
- echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
388
|
|
- echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
|
389
|
|
- chmod +x $MESH_FIREWALL_SCRIPT
|
390
|
|
-
|
391
|
|
- echo '[Unit]' > $FIREWALL_FILENAME
|
392
|
|
- echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
|
393
|
|
- echo '' >> $FIREWALL_FILENAME
|
394
|
|
- echo '[Service]' >> $FIREWALL_FILENAME
|
395
|
|
- echo 'Type=oneshot' >> $FIREWALL_FILENAME
|
396
|
|
- echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
|
397
|
|
- echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
|
398
|
|
- echo '' >> $FIREWALL_FILENAME
|
399
|
|
- echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
|
400
|
|
- echo '' >> $FIREWALL_FILENAME
|
401
|
|
- echo '[Install]' >> $FIREWALL_FILENAME
|
402
|
|
- echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
|
403
|
|
- chmod +x $FIREWALL_FILENAME
|
|
342
|
+ { echo '#!/bin/bash';
|
|
343
|
+ echo 'iptables -P INPUT ACCEPT';
|
|
344
|
+ echo 'ip6tables -P INPUT ACCEPT';
|
|
345
|
+ echo 'iptables -F';
|
|
346
|
+ echo 'ip6tables -F';
|
|
347
|
+ echo 'iptables -t nat -F';
|
|
348
|
+ echo 'ip6tables -t nat -F';
|
|
349
|
+ echo 'iptables -X';
|
|
350
|
+ echo 'ip6tables -X';
|
|
351
|
+ echo 'iptables -P INPUT DROP';
|
|
352
|
+ echo 'ip6tables -P INPUT DROP';
|
|
353
|
+ echo 'iptables -A INPUT -i lo -j ACCEPT';
|
|
354
|
+ echo 'ip6tables -A INPUT -i lo -j ACCEPT';
|
|
355
|
+ echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
|
|
356
|
+ echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT';
|
|
357
|
+ echo '';
|
|
358
|
+ echo '# Make sure incoming tcp connections are SYN packets';
|
|
359
|
+ echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
|
|
360
|
+ echo 'ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP';
|
|
361
|
+ echo '';
|
|
362
|
+ echo '# Drop packets with incoming fragments';
|
|
363
|
+ echo 'iptables -A INPUT -f -j DROP';
|
|
364
|
+ echo 'ip6tables -A INPUT -f -j DROP';
|
|
365
|
+ echo '';
|
|
366
|
+ echo '# Drop bogons';
|
|
367
|
+ echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
|
|
368
|
+ echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP';
|
|
369
|
+ echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
|
|
370
|
+ echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP';
|
|
371
|
+ echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
|
|
372
|
+ echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP';
|
|
373
|
+ echo '';
|
|
374
|
+ echo '# Incoming malformed NULL packets:';
|
|
375
|
+ echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
|
|
376
|
+ echo 'ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP';
|
|
377
|
+ echo '';
|
|
378
|
+ echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
|
|
379
|
+ echo "ip6tables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT";
|
|
380
|
+ echo "iptables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
|
|
381
|
+ echo "ip6tables -A INPUT -p udp --dport $ZERONET_PORT -j ACCEPT";
|
|
382
|
+ echo "iptables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
|
|
383
|
+ echo "ip6tables -A INPUT -p tcp --dport $ZERONET_PORT -j ACCEPT";
|
|
384
|
+ echo "iptables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
|
|
385
|
+ echo "ip6tables -A INPUT -p udp --dport $TRACKER_PORT -j ACCEPT";
|
|
386
|
+ echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
|
387
|
+ echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
|
388
|
+ echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
|
|
389
|
+ echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
|
|
390
|
+ chmod +x "$MESH_FIREWALL_SCRIPT"
|
|
391
|
+
|
|
392
|
+ { echo '[Unit]';
|
|
393
|
+ echo 'Description=Mesh Firewall';
|
|
394
|
+ echo '';
|
|
395
|
+ echo '[Service]';
|
|
396
|
+ echo 'Type=oneshot';
|
|
397
|
+ echo 'ExecStart=/usr/bin/mesh-firewall';
|
|
398
|
+ echo 'RemainAfterExit=no';
|
|
399
|
+ echo '';
|
|
400
|
+ echo 'TimeoutSec=30';
|
|
401
|
+ echo '';
|
|
402
|
+ echo '[Install]';
|
|
403
|
+ echo 'WantedBy=multi-user.target'; } > "$FIREWALL_FILENAME"
|
|
404
|
+ chmod +x "$FIREWALL_FILENAME"
|
404
|
405
|
chroot "$rootdir" systemctl enable meshfirewall
|
405
|
406
|
}
|
406
|
407
|
|
407
|
408
|
function firewall_add {
|
408
|
|
- firewall_name=$(echo "$1" | sed "s| |-|g")
|
|
409
|
+ firewall_name=$(string="$1" ; echo "${string// /-}")
|
409
|
410
|
firewall_port=$2
|
410
|
411
|
firewall_protocol="$3"
|
411
|
412
|
|
412
|
|
- if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
|
413
|
|
- echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
|
414
|
|
- if [ ! ${firewall_protocol} ]; then
|
415
|
|
- iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
416
|
|
- if [ ! "$?" = "0" ]; then
|
417
|
|
- iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
413
|
+ if ! grep -q "${firewall_name}=${firewall_port}" "$FIREWALL_CONFIG"; then
|
|
414
|
+ echo "${firewall_name}=${firewall_port}" >> "$FIREWALL_CONFIG"
|
|
415
|
+ if [ ! "${firewall_protocol}" ]; then
|
|
416
|
+ if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
|
|
417
|
+ iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
|
418
|
418
|
fi
|
419
|
419
|
|
420
|
|
- iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
421
|
|
- if [ ! "$?" = "0" ]; then
|
422
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
420
|
+ if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
|
|
421
|
+ iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
|
423
|
422
|
fi
|
424
|
423
|
else
|
425
|
424
|
if [[ "${firewall_protocol}" == *"udp"* ]]; then
|
426
|
|
- iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
427
|
|
- if [ ! "$?" = "0" ]; then
|
428
|
|
- iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
425
|
+ if ! iptables -C INPUT -p udp --dport "${firewall_port}" -j ACCEPT; then
|
|
426
|
+ iptables -A INPUT -p udp --dport "${firewall_port}" -j ACCEPT
|
429
|
427
|
fi
|
430
|
428
|
fi
|
431
|
429
|
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
|
432
|
|
- iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
433
|
|
- if [ ! "$?" = "0" ]; then
|
434
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
430
|
+ if ! iptables -C INPUT -p tcp --dport "${firewall_port}" -j ACCEPT; then
|
|
431
|
+ iptables -A INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
|
435
|
432
|
fi
|
436
|
433
|
fi
|
437
|
434
|
fi
|
|
@@ -440,33 +437,29 @@ function firewall_add {
|
440
|
437
|
}
|
441
|
438
|
|
442
|
439
|
function firewall_add_range {
|
443
|
|
- firewall_name=$(echo "$1" | sed "s| |-|g")
|
|
440
|
+ firewall_name=$(string="$1" ; echo "${string// /-}")
|
444
|
441
|
firewall_port_start=$2
|
445
|
442
|
firewall_port_end=$3
|
446
|
443
|
firewall_protocol="$4"
|
447
|
444
|
|
448
|
|
- if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
|
449
|
|
- echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
|
450
|
|
- if [ ! ${firewall_protocol} ]; then
|
451
|
|
- iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
452
|
|
- if [ ! "$?" = "0" ]; then
|
453
|
|
- iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
445
|
+ if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" "$FIREWALL_CONFIG"; then
|
|
446
|
+ echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> "$FIREWALL_CONFIG"
|
|
447
|
+ if [ ! "${firewall_protocol}" ]; then
|
|
448
|
+ if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
|
|
449
|
+ iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
|
454
|
450
|
fi
|
455
|
|
- iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
456
|
|
- if [ ! "$?" = "0" ]; then
|
457
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
451
|
+ if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
|
|
452
|
+ iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
|
458
|
453
|
fi
|
459
|
454
|
else
|
460
|
455
|
if [[ "${firewall_protocol}" == *"udp"* ]]; then
|
461
|
|
- iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
462
|
|
- if [ ! "$?" = "0" ]; then
|
463
|
|
- iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
456
|
+ if ! iptables -C INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
|
|
457
|
+ iptables -A INPUT -p udp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
|
464
|
458
|
fi
|
465
|
459
|
fi
|
466
|
460
|
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
|
467
|
|
- iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
468
|
|
- if [ ! "$?" = "0" ]; then
|
469
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
461
|
+ if ! iptables -C INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT; then
|
|
462
|
+ iptables -A INPUT -p tcp --dport "${firewall_port_start}":"${firewall_port_end}" -j ACCEPT
|
470
|
463
|
fi
|
471
|
464
|
fi
|
472
|
465
|
fi
|
|
@@ -479,23 +472,23 @@ function firewall_remove {
|
479
|
472
|
firewall_port=$1
|
480
|
473
|
firewall_protocol="$2"
|
481
|
474
|
|
482
|
|
- if [ ! -f $FIREWALL_CONFIG ]; then
|
|
475
|
+ if [ ! -f "$FIREWALL_CONFIG" ]; then
|
483
|
476
|
return
|
484
|
477
|
fi
|
485
|
478
|
|
486
|
|
- if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
|
487
|
|
- if [ ! ${firewall_protocol} ]; then
|
488
|
|
- iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
489
|
|
- iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
479
|
+ if grep -q "=${firewall_port}" "$FIREWALL_CONFIG"; then
|
|
480
|
+ if [ ! "${firewall_protocol}" ]; then
|
|
481
|
+ iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
|
|
482
|
+ iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
|
490
|
483
|
else
|
491
|
484
|
if [[ "${firewall_protocol}" == *"udp"* ]]; then
|
492
|
|
- iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
485
|
+ iptables -D INPUT -p udp --dport "${firewall_port}" -j ACCEPT
|
493
|
486
|
fi
|
494
|
487
|
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
|
495
|
|
- iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
488
|
+ iptables -D INPUT -p tcp --dport "${firewall_port}" -j ACCEPT
|
496
|
489
|
fi
|
497
|
490
|
fi
|
498
|
|
- sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
|
|
491
|
+ sed -i "/=${firewall_port}/d" "$FIREWALL_CONFIG"
|
499
|
492
|
save_firewall_settings
|
500
|
493
|
fi
|
501
|
494
|
}
|
|
@@ -509,7 +502,7 @@ function domain_to_hex_string {
|
509
|
502
|
characters=$(echo -n "$segment" | wc -c)
|
510
|
503
|
hexnum=$(echo "obase=16; $characters" | bc)
|
511
|
504
|
echo -n "|"
|
512
|
|
- if [ $(echo -n "$hexnum" | wc -c) -lt 2 ]; then
|
|
505
|
+ if [ "$(echo -n "$hexnum" | wc -c)" -lt 2 ]; then
|
513
|
506
|
echo -n "0"
|
514
|
507
|
fi
|
515
|
508
|
echo -n "$hexnum|$segment"
|
|
@@ -523,20 +516,19 @@ function firewall_block_domain {
|
523
|
516
|
blocked_domain="$1"
|
524
|
517
|
if [[ "$blocked_domain" == *'@'* ]]; then
|
525
|
518
|
# Don't try to block email/microblog addresses
|
526
|
|
- echo "${blocked_domain}" >> $FIREWALL_DOMAINS
|
|
519
|
+ echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
|
527
|
520
|
return
|
528
|
521
|
fi
|
529
|
|
- if ! grep -q "$blocked_domain" $FIREWALL_DOMAINS; then
|
530
|
|
- hexstr=$(domain_to_hex_string $blocked_domain)
|
531
|
|
- iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
532
|
|
- if [ ! "$?" = "0" ]; then
|
|
522
|
+ if ! grep -q "$blocked_domain" "$FIREWALL_DOMAINS"; then
|
|
523
|
+ hexstr=$(domain_to_hex_string "$blocked_domain")
|
|
524
|
+ if ! iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP; then
|
533
|
525
|
iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
534
|
526
|
iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
535
|
527
|
iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
536
|
528
|
iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
537
|
529
|
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
538
|
530
|
iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
539
|
|
- echo "${blocked_domain}" >> $FIREWALL_DOMAINS
|
|
531
|
+ echo "${blocked_domain}" >> "$FIREWALL_DOMAINS"
|
540
|
532
|
save_firewall_settings
|
541
|
533
|
fi
|
542
|
534
|
|
|
@@ -559,13 +551,12 @@ function firewall_block_ip {
|
559
|
551
|
# Don't try to block email/microblog addresses
|
560
|
552
|
return
|
561
|
553
|
fi
|
562
|
|
- if ! grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
|
563
|
|
- iptables -C INPUT -s $blocked_ip -j DROP
|
564
|
|
- if [ ! "$?" = "0" ]; then
|
565
|
|
- iptables -A INPUT -s $blocked_ip -j DROP
|
566
|
|
- iptables -A OUTPUT -s $blocked_ip -j DROP
|
|
554
|
+ if ! grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
|
|
555
|
+ if ! iptables -C INPUT -s "$blocked_ip" -j DROP; then
|
|
556
|
+ iptables -A INPUT -s "$blocked_ip" -j DROP
|
|
557
|
+ iptables -A OUTPUT -s "$blocked_ip" -j DROP
|
567
|
558
|
|
568
|
|
- echo "${blocked_ip}" >> $FIREWALL_DOMAINS
|
|
559
|
+ echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
|
569
|
560
|
save_firewall_settings
|
570
|
561
|
fi
|
571
|
562
|
fi
|
|
@@ -577,31 +568,31 @@ function firewall_unblock_ip {
|
577
|
568
|
# Don't try to block email/microblog addresses
|
578
|
569
|
return
|
579
|
570
|
fi
|
580
|
|
- if grep -q "$blocked_ip" $FIREWALL_DOMAINS; then
|
581
|
|
- iptables -D INPUT -s $blocked_ip -j DROP
|
582
|
|
- iptables -D OUTPUT -s $blocked_ip -j DROP
|
|
571
|
+ if grep -q "$blocked_ip" "$FIREWALL_DOMAINS"; then
|
|
572
|
+ iptables -D INPUT -s "$blocked_ip" -j DROP
|
|
573
|
+ iptables -D OUTPUT -s "$blocked_ip" -j DROP
|
583
|
574
|
|
584
|
|
- sed -i '/$blocked_ip/d' $FIREWALL_DOMAINS
|
585
|
|
- echo "${blocked_ip}" >> $FIREWALL_DOMAINS
|
|
575
|
+ sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"
|
|
576
|
+ echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"
|
586
|
577
|
save_firewall_settings
|
587
|
578
|
fi
|
588
|
579
|
}
|
589
|
580
|
|
590
|
581
|
function firewall_refresh_blocklist {
|
591
|
|
- if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then
|
|
582
|
+ if [ ! -f "/root/${PROJECT_NAME}-firewall-domains.cfg" ]; then
|
592
|
583
|
return
|
593
|
584
|
fi
|
594
|
585
|
|
595
|
|
- while read blocked_domain; do
|
596
|
|
- firewall_block_domain $blocked_domain
|
597
|
|
- done </root/${PROJECT_NAME}-firewall-domains.cfg
|
|
586
|
+ while read -r blocked_domain; do
|
|
587
|
+ firewall_block_domain "$blocked_domain"
|
|
588
|
+ done <"/root/${PROJECT_NAME}-firewall-domains.cfg"
|
598
|
589
|
}
|
599
|
590
|
|
600
|
591
|
function firewall_unblock_domain {
|
601
|
592
|
unblocked_domain="$1"
|
602
|
|
- if grep -q "${unblocked_domain}" $FIREWALL_DOMAINS; then
|
|
593
|
+ if grep -q "${unblocked_domain}" "$FIREWALL_DOMAINS"; then
|
603
|
594
|
if [[ "${unblocked_domain}" != *'@'* ]]; then
|
604
|
|
- hexstr=$(domain_to_hex_string $unblocked_domain)
|
|
595
|
+ hexstr=$(domain_to_hex_string "$unblocked_domain")
|
605
|
596
|
iptables -D INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
606
|
597
|
iptables -D INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
607
|
598
|
iptables -D OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
@@ -610,7 +601,7 @@ function firewall_unblock_domain {
|
610
|
601
|
iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
611
|
602
|
save_firewall_settings
|
612
|
603
|
fi
|
613
|
|
- sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS
|
|
604
|
+ sed -i "/${unblocked_domain}/d" "$FIREWALL_DOMAINS"
|
614
|
605
|
fi
|
615
|
606
|
}
|
616
|
607
|
|
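Review bot: In the firewall_unblock_ip hunk, the now-effective `sed -i "/$blocked_ip/d" "$FIREWALL_DOMAINS"` is immediately undone by the next line `echo "${blocked_ip}" >> "$FIREWALL_DOMAINS"`, so the address stays listed after an unblock and a later firewall_block_ip finds it with `grep -q` and never re-installs the DROP rules. The old single-quoted sed never expanded `$blocked_ip`, so this re-append only became visible with the quoting fix; it looks like it should be deleted, matching firewall_unblock_domain, which removes the entry without re-adding it. The presence checks in firewall_block_ip, firewall_block_domain and firewall_unblock_ip, and the `=${firewall_port}` lookups in firewall_remove, are unanchored regex substring matches, so an existing `10.0.0.10` entry (constructed example) masks a request to block `10.0.0.1`, and removing port 80 also deletes `=8080` and `=80:90` lines from `$FIREWALL_CONFIG`; `grep -qxF -- "$blocked_ip" "$FIREWALL_DOMAINS"` for the list lookups and an anchored `sed -i "/=${firewall_port}\$/d" "$FIREWALL_CONFIG"` in firewall_remove would make them exact. In mesh_firewall the `chmod +x "$FIREWALL_FILENAME"` on the systemd unit is unnecessary and recent systemd versions warn about executable unit files; only the `chmod +x "$MESH_FIREWALL_SCRIPT"` line is needed. firewall_block_ip, firewall_unblock_ip, firewall_remove and firewall_block_domain all start before their hunks, and the file header for this section is outside this view.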