free
/
freedombone
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Pull Requests 0 Wydania 0 Wiki Aktywność
6130 Commity
5 Gałęzie
Drzewo: f62ebca99e
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'f62ebca99e'
${ noResults }
freedombone/src/freedombone-utils-firewall

freedombone-utils-firewall 17KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Firewall functions

  12. #

  13. # TODO: in future investigate using nftables

  14. #

  15. # License

  16. # =======

  17. #

  18. # Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>

  19. #

  20. # This program is free software: you can redistribute it and/or modify

  21. # it under the terms of the GNU Affero General Public License as published by

  22. # the Free Software Foundation, either version 3 of the License, or

  23. # (at your option) any later version.

  24. #

  25. # This program is distributed in the hope that it will be useful,

  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  28. # GNU Affero General Public License for more details.

  29. #

  30. # You should have received a copy of the GNU Affero General Public License

  31. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  32. 

  33. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg

  34. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg

  35. 

  36. function save_firewall_settings {

  37.     iptables-save > /etc/firewall.conf

  38.     ip6tables-save > /etc/firewall6.conf

  39.     printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables

  40.     printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables

  41.     printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables

  42.     if [ -f /etc/network/if-up.d/iptables ]; then

  43.         chmod +x /etc/network/if-up.d/iptables

  44.     fi

  45. }

  46. 

  47. function global_rate_limit {

  48.     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then

  49.         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf

  50.     else

  51.         sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf

  52.     fi

  53.     sysctl -p -q

  54. }

  55. 

  56. function enable_ipv6 {

  57.     # endure that ipv6 is enabled and can route

  58.     sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf

  59.     #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf

  60.     #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf

  61.     sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf

  62.     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

  63. }

  64. 

  65. function configure_firewall {

  66.     if [ $INSTALLING_MESH ]; then

  67.         mesh_firewall

  68.         return

  69.     fi

  70.     if grep -q "RELATED" /etc/firewall.conf; then

  71.         # recreate the firewall to remove RELATED

  72.         sed -i "/firewall/d" $COMPLETION_FILE

  73.     fi

  74.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  75.         return

  76.     fi

  77.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  78.         # docker does its own firewalling

  79.         return

  80.     fi

  81.     iptables -P INPUT ACCEPT

  82.     ip6tables -P INPUT ACCEPT

  83.     iptables -F

  84.     ip6tables -F

  85.     iptables -t nat -F

  86.     ip6tables -t nat -F

  87.     iptables -X

  88.     ip6tables -X

  89.     iptables -P INPUT DROP

  90.     ip6tables -P INPUT DROP

  91.     iptables -P FORWARD DROP

  92.     ip6tables -P FORWARD DROP

  93.     iptables -A INPUT -i lo -j ACCEPT

  94.     iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

  95. 

  96.     # Make sure incoming tcp connections are SYN packets

  97.     iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  98. 

  99.     # Drop packets with incoming fragments

  100.     iptables -A INPUT -f -j DROP

  101. 

  102.     # Drop bogons

  103.     iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  104.     iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

  105.     iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

  106. 

  107.     # Incoming malformed NULL packets:

  108.     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

  109. 

  110.     mark_completed $FUNCNAME

  111. }

  112. 

  113. function configure_firewall_ping {

  114.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  115.         return

  116.     fi

  117.     # Only allow ping for mesh installs

  118.     if [[ $SYSTEM_TYPE != "mesh"* ]]; then

  119.         return

  120.     fi

  121.     iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  122.     iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

  123.     function_check save_firewall_settings

  124.     save_firewall_settings

  125.     mark_completed $FUNCNAME

  126. }

  127. 

  128. function configure_internet_protocol {

  129.     if [[ $(is_completed $FUNCNAME) == "1" ]]; then

  130.         return

  131.     fi

  132.     if [[ $SYSTEM_TYPE == "mesh"* ]]; then

  133.         return

  134.     fi

  135. 

  136.     sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  137.     sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  138.     sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  139.     sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  140.     sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  141.     sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  142.     sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  143.     sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  144.     sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  145.     sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  146. 

  147.     sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf

  148.     sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  149.     sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf

  150.     sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf

  151.     sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  152.     sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf

  153.     sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf

  154.     sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf

  155.     sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf

  156.     sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf

  157. 

  158. 

  159.     if ! grep -q "ignore pings" /etc/sysctl.conf; then

  160.         echo '# ignore pings' >> /etc/sysctl.conf

  161.         echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  162.         echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf

  163.     fi

  164.     if ! grep -q "disable ipv6" /etc/sysctl.conf; then

  165.         echo '# disable ipv6' >> /etc/sysctl.conf

  166.         echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf

  167.     fi

  168.     if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then

  169.         echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf

  170.         echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf

  171.     fi

  172.     if ! grep -q "keepalive" /etc/sysctl.conf; then

  173.         echo '# keepalive' >> /etc/sysctl.conf

  174.         echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf

  175.         echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf

  176.         echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf

  177.     fi

  178.     if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then

  179.         echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf

  180.     else

  181.         sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  182.         sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  183.         sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf

  184.     fi

  185.     if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then

  186.         echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf

  187.     else

  188.         sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  189.         sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  190.         sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf

  191.     fi

  192.     if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then

  193.         echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

  194.     else

  195.         sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  196.         sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  197.         sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf

  198.     fi

  199.     if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then

  200.         echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf

  201.     else

  202.         sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  203.         sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  204.         sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf

  205.     fi

  206.     if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then

  207.         echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

  208.     else

  209.         sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  210.         sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  211.         sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf

  212.     fi

  213.     mark_completed $FUNCNAME

  214. }

  215. 

  216. function mesh_firewall {

  217.     FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service

  218.     MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall

  219. 

  220.     echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT

  221.     echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  222.     echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT

  223.     echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT

  224.     echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT

  225.     echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  226.     echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT

  227.     echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT

  228.     echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT

  229.     echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  230.     echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT

  231.     echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  232.     echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT

  233.     echo '' >> $MESH_FIREWALL_SCRIPT

  234.     echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT

  235.     echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT

  236.     echo '' >> $MESH_FIREWALL_SCRIPT

  237.     echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT

  238.     echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT

  239.     echo '' >> $MESH_FIREWALL_SCRIPT

  240.     echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT

  241.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT

  242.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  243.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT

  244.     echo '' >> $MESH_FIREWALL_SCRIPT

  245.     echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT

  246.     echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT

  247.     echo '' >> $MESH_FIREWALL_SCRIPT

  248.     echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  249.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  250.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  251.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  252.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  253.     echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT

  254.     chmod +x $MESH_FIREWALL_SCRIPT

  255. 

  256.     echo '[Unit]' > $FIREWALL_FILENAME

  257.     echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME

  258.     echo '' >> $FIREWALL_FILENAME

  259.     echo '[Service]' >> $FIREWALL_FILENAME

  260.     echo 'Type=oneshot' >> $FIREWALL_FILENAME

  261.     echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME

  262.     echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME

  263.     echo '' >> $FIREWALL_FILENAME

  264.     echo 'TimeoutSec=30' >> $FIREWALL_FILENAME

  265.     echo '' >> $FIREWALL_FILENAME

  266.     echo '[Install]' >> $FIREWALL_FILENAME

  267.     echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME

  268.     chmod +x $FIREWALL_FILENAME

  269.     chroot "$rootdir" systemctl enable meshfirewall

  270. }

  271. 

  272. function firewall_add {

  273.     firewall_name=$(echo "$1" | sed "s| |-|g")

  274.     firewall_port=$2

  275.     firewall_protocol="$3"

  276. 

  277.     if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then

  278.         echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG

  279.         if [ ! ${firewall_protocol} ]; then

  280.             iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  281.             iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  282.         else

  283.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  284.                 iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT

  285.             fi

  286.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  287.                 iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  288.             fi

  289.         fi

  290.         save_firewall_settings

  291.     fi

  292. }

  293. 

  294. function firewall_add_range {

  295.     firewall_name=$(echo "$1" | sed "s| |-|g")

  296.     firewall_port_start=$2

  297.     firewall_port_end=$3

  298.     firewall_protocol="$4"

  299. 

  300.     if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then

  301.         echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG

  302.         if [ ! ${firewall_protocol} ]; then

  303.             iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  304.             iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  305.         else

  306.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  307.                 iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  308.             fi

  309.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  310.                 iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT

  311.             fi

  312.         fi

  313.         save_firewall_settings

  314.     fi

  315. }

  316. 

  317. 

  318. function firewall_remove {

  319.     firewall_port=$1

  320.     firewall_protocol="$2"

  321. 

  322.     if [ ! -f $FIREWALL_CONFIG ]; then

  323.         return

  324.     fi

  325. 

  326.     if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then

  327.         if [ ! ${firewall_protocol} ]; then

  328.             iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  329.             iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  330.         else

  331.             if [[ "${firewall_protocol}" == *"udp"* ]]; then

  332.                 iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT

  333.             fi

  334.             if [[ "${firewall_protocol}" == *"tcp"* ]]; then

  335.                 iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT

  336.             fi

  337.         fi

  338.         sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG

  339.         save_firewall_settings

  340.     fi

  341. }

  342. 

  343. function domain_to_hex_string {

  344.     domain="$1"

  345.     ctr = 1

  346.     segment=$(echo "$domain" | awk -F '.' "{print \$$ctr}")

  347.     while [ ${#segment} -gt 0 ]

  348.     do

  349.         hexnum=$(echo "obase=16; $segment" | bc)

  350.         if [ ${hexnum} -lt 2 ]; then

  351.             echo -n "|0${hexnum}|$segment"

  352.         else

  353.             echo -n "|$hexnum|$segment"

  354.         fi

  355.         ctr=$((ctr + 1))

  356.         segment=$(echo "$domain" | awk -F '.' "{print \$$ctr}")

  357.     done

  358.     echo ""

  359. }

  360. 

  361. function firewall_block_domain {

  362.     blocked_domain="$1"

  363.     if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then

  364.         hexstr=$(domain_to_hex_string $blocked_domain)

  365.         iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  366.         iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  367.         echo "${blocked_domain}" >> $FIREWALL_DOMAINS

  368.         save_firewall_settings

  369.     fi

  370. }

  371. 

  372. function firewall_unblock_domain {

  373.     unblocked_domain="$1"

  374.     if grep "${unblocked_domain}" $FIREWALL_DOMAINS; then

  375.         hexstr=$(domain_to_hex_string $unblocked_domain)

  376.         iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  377.         iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP

  378.         sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS

  379.         save_firewall_settings

  380.     fi

  381. }

  382. 

  383. # NOTE: deliberately no exit 0