freedombone-utils-firewall 17KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Firewall functions
  12. #
  13. # TODO: in future investigate using nftables
  14. #
  15. # License
  16. # =======
  17. #
  18. # Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
  19. #
  20. # This program is free software: you can redistribute it and/or modify
  21. # it under the terms of the GNU Affero General Public License as published by
  22. # the Free Software Foundation, either version 3 of the License, or
  23. # (at your option) any later version.
  24. #
  25. # This program is distributed in the hope that it will be useful,
  26. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  27. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  28. # GNU Affero General Public License for more details.
  29. #
  30. # You should have received a copy of the GNU Affero General Public License
  31. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  32. FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
  33. FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
  34. function save_firewall_settings {
  35. iptables-save > /etc/firewall.conf
  36. ip6tables-save > /etc/firewall6.conf
  37. printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables
  38. printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables
  39. printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables
  40. if [ -f /etc/network/if-up.d/iptables ]; then
  41. chmod +x /etc/network/if-up.d/iptables
  42. fi
  43. }
  44. function global_rate_limit {
  45. if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
  46. echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
  47. else
  48. sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
  49. fi
  50. sysctl -p -q
  51. }
  52. function enable_ipv6 {
  53. # endure that ipv6 is enabled and can route
  54. sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf
  55. #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf
  56. #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf
  57. sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf
  58. echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  59. }
  60. function configure_firewall {
  61. if [ $INSTALLING_MESH ]; then
  62. mesh_firewall
  63. return
  64. fi
  65. if grep -q "RELATED" /etc/firewall.conf; then
  66. # recreate the firewall to remove RELATED
  67. sed -i "/firewall/d" $COMPLETION_FILE
  68. fi
  69. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  70. return
  71. fi
  72. if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
  73. # docker does its own firewalling
  74. return
  75. fi
  76. iptables -P INPUT ACCEPT
  77. ip6tables -P INPUT ACCEPT
  78. iptables -F
  79. ip6tables -F
  80. iptables -t nat -F
  81. ip6tables -t nat -F
  82. iptables -X
  83. ip6tables -X
  84. iptables -P INPUT DROP
  85. ip6tables -P INPUT DROP
  86. iptables -P FORWARD DROP
  87. ip6tables -P FORWARD DROP
  88. iptables -A INPUT -i lo -j ACCEPT
  89. iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
  90. # Make sure incoming tcp connections are SYN packets
  91. iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  92. # Drop packets with incoming fragments
  93. iptables -A INPUT -f -j DROP
  94. # Drop bogons
  95. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  96. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  97. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  98. # Incoming malformed NULL packets:
  99. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  100. mark_completed $FUNCNAME
  101. }
  102. function configure_firewall_ping {
  103. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  104. return
  105. fi
  106. # Only allow ping for mesh installs
  107. if [[ $SYSTEM_TYPE != "mesh"* ]]; then
  108. return
  109. fi
  110. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  111. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  112. function_check save_firewall_settings
  113. save_firewall_settings
  114. mark_completed $FUNCNAME
  115. }
  116. function configure_internet_protocol {
  117. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  118. return
  119. fi
  120. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  121. return
  122. fi
  123. sed -i "s/#net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  124. sed -i "s/#net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  125. sed -i "s/#net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  126. sed -i "s/#net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  127. sed -i "s/#net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  128. sed -i "s/#net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  129. sed -i "s/#net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  130. sed -i "s/#net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  131. sed -i "s/#net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  132. sed -i "s/#net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  133. sed -i "s/# net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf
  134. sed -i "s/# net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  135. sed -i "s/# net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf
  136. sed -i "s/# net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf
  137. sed -i "s/# net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  138. sed -i "s/# net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf
  139. sed -i "s/# net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf
  140. sed -i "s/# net.ipv4.conf.all.rp_filter.*/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf
  141. sed -i "s/# net.ipv4.ip_forward.*/net.ipv4.ip_forward=0/g" /etc/sysctl.conf
  142. sed -i "s/# net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf
  143. if ! grep -q "ignore pings" /etc/sysctl.conf; then
  144. echo '# ignore pings' >> /etc/sysctl.conf
  145. echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  146. echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
  147. fi
  148. if ! grep -q "disable ipv6" /etc/sysctl.conf; then
  149. echo '# disable ipv6' >> /etc/sysctl.conf
  150. echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf
  151. fi
  152. if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then
  153. echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf
  154. echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf
  155. fi
  156. if ! grep -q "keepalive" /etc/sysctl.conf; then
  157. echo '# keepalive' >> /etc/sysctl.conf
  158. echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf
  159. echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf
  160. echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf
  161. fi
  162. if ! grep -q "net.ipv4.conf.default.send_redirects" /etc/sysctl.conf; then
  163. echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
  164. else
  165. sed -i "s|# net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  166. sed -i "s|#net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  167. sed -i "s|net.ipv4.conf.default.send_redirects.*|net.ipv4.conf.default.send_redirects = 0|g" /etc/sysctl.conf
  168. fi
  169. if ! grep -q "net.ipv4.conf.all.secure_redirects" /etc/sysctl.conf; then
  170. echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf
  171. else
  172. sed -i "s|# net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  173. sed -i "s|#net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  174. sed -i "s|net.ipv4.conf.all.secure_redirects.*|net.ipv4.conf.all.secure_redirects = 0|g" /etc/sysctl.conf
  175. fi
  176. if ! grep -q "net.ipv4.conf.default.accept_source_route" /etc/sysctl.conf; then
  177. echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
  178. else
  179. sed -i "s|# net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  180. sed -i "s|#net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  181. sed -i "s|net.ipv4.conf.default.accept_source_route.*|net.ipv4.conf.default.accept_source_route = 0|g" /etc/sysctl.conf
  182. fi
  183. if ! grep -q "net.ipv4.conf.default.secure_redirects" /etc/sysctl.conf; then
  184. echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
  185. else
  186. sed -i "s|# net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  187. sed -i "s|#net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  188. sed -i "s|net.ipv4.conf.default.secure_redirects.*|net.ipv4.conf.default.secure_redirects = 0|g" /etc/sysctl.conf
  189. fi
  190. if ! grep -q "net.ipv4.conf.default.accept_redirects" /etc/sysctl.conf; then
  191. echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
  192. else
  193. sed -i "s|# net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  194. sed -i "s|#net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  195. sed -i "s|net.ipv4.conf.default.accept_redirects.*|net.ipv4.conf.default.accept_redirects = 0|g" /etc/sysctl.conf
  196. fi
  197. mark_completed $FUNCNAME
  198. }
  199. function mesh_firewall {
  200. FIREWALL_FILENAME=${rootdir}/etc/systemd/system/meshfirewall.service
  201. MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
  202. echo '#!/bin/bash' > $MESH_FIREWALL_SCRIPT
  203. echo 'iptables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  204. echo 'ip6tables -P INPUT ACCEPT' >> $MESH_FIREWALL_SCRIPT
  205. echo 'iptables -F' >> $MESH_FIREWALL_SCRIPT
  206. echo 'ip6tables -F' >> $MESH_FIREWALL_SCRIPT
  207. echo 'iptables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  208. echo 'ip6tables -t nat -F' >> $MESH_FIREWALL_SCRIPT
  209. echo 'iptables -X' >> $MESH_FIREWALL_SCRIPT
  210. echo 'ip6tables -X' >> $MESH_FIREWALL_SCRIPT
  211. echo 'iptables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  212. echo 'ip6tables -P INPUT DROP' >> $MESH_FIREWALL_SCRIPT
  213. echo 'iptables -A INPUT -i lo -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  214. echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $MESH_FIREWALL_SCRIPT
  215. echo '' >> $MESH_FIREWALL_SCRIPT
  216. echo '# Make sure incoming tcp connections are SYN packets' >> $MESH_FIREWALL_SCRIPT
  217. echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $MESH_FIREWALL_SCRIPT
  218. echo '' >> $MESH_FIREWALL_SCRIPT
  219. echo '# Drop packets with incoming fragments' >> $MESH_FIREWALL_SCRIPT
  220. echo 'iptables -A INPUT -f -j DROP' >> $MESH_FIREWALL_SCRIPT
  221. echo '' >> $MESH_FIREWALL_SCRIPT
  222. echo '# Drop bogons' >> $MESH_FIREWALL_SCRIPT
  223. echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $MESH_FIREWALL_SCRIPT
  224. echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  225. echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $MESH_FIREWALL_SCRIPT
  226. echo '' >> $MESH_FIREWALL_SCRIPT
  227. echo '# Incoming malformed NULL packets:' >> $MESH_FIREWALL_SCRIPT
  228. echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $MESH_FIREWALL_SCRIPT
  229. echo '' >> $MESH_FIREWALL_SCRIPT
  230. echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  231. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  232. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  233. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  234. echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  235. echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $MESH_FIREWALL_SCRIPT
  236. chmod +x $MESH_FIREWALL_SCRIPT
  237. echo '[Unit]' > $FIREWALL_FILENAME
  238. echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
  239. echo '' >> $FIREWALL_FILENAME
  240. echo '[Service]' >> $FIREWALL_FILENAME
  241. echo 'Type=oneshot' >> $FIREWALL_FILENAME
  242. echo 'ExecStart=/usr/bin/mesh-firewall' >> $FIREWALL_FILENAME
  243. echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
  244. echo '' >> $FIREWALL_FILENAME
  245. echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
  246. echo '' >> $FIREWALL_FILENAME
  247. echo '[Install]' >> $FIREWALL_FILENAME
  248. echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
  249. chmod +x $FIREWALL_FILENAME
  250. chroot "$rootdir" systemctl enable meshfirewall
  251. }
  252. function firewall_add {
  253. firewall_name=$(echo "$1" | sed "s| |-|g")
  254. firewall_port=$2
  255. firewall_protocol="$3"
  256. if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
  257. echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
  258. if [ ! ${firewall_protocol} ]; then
  259. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  260. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  261. else
  262. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  263. iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
  264. fi
  265. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  266. iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  267. fi
  268. fi
  269. save_firewall_settings
  270. fi
  271. }
  272. function firewall_add_range {
  273. firewall_name=$(echo "$1" | sed "s| |-|g")
  274. firewall_port_start=$2
  275. firewall_port_end=$3
  276. firewall_protocol="$4"
  277. if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
  278. echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
  279. if [ ! ${firewall_protocol} ]; then
  280. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  281. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  282. else
  283. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  284. iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  285. fi
  286. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  287. iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
  288. fi
  289. fi
  290. save_firewall_settings
  291. fi
  292. }
  293. function firewall_remove {
  294. firewall_port=$1
  295. firewall_protocol="$2"
  296. if [ ! -f $FIREWALL_CONFIG ]; then
  297. return
  298. fi
  299. if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
  300. if [ ! ${firewall_protocol} ]; then
  301. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  302. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  303. else
  304. if [[ "${firewall_protocol}" == *"udp"* ]]; then
  305. iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
  306. fi
  307. if [[ "${firewall_protocol}" == *"tcp"* ]]; then
  308. iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
  309. fi
  310. fi
  311. sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
  312. save_firewall_settings
  313. fi
  314. }
  315. function domain_to_hex_string {
  316. domain="$1"
  317. ctr = 1
  318. segment=$(echo "$domain" | awk -F '.' "{print \$$ctr}")
  319. while [ ${#segment} -gt 0 ]
  320. do
  321. hexnum=$(echo "obase=16; $segment" | bc)
  322. if [ ${hexnum} -lt 2 ]; then
  323. echo -n "|0${hexnum}|$segment"
  324. else
  325. echo -n "|$hexnum|$segment"
  326. fi
  327. ctr=$((ctr + 1))
  328. segment=$(echo "$domain" | awk -F '.' "{print \$$ctr}")
  329. done
  330. echo ""
  331. }
  332. function firewall_block_domain {
  333. blocked_domain="$1"
  334. if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then
  335. hexstr=$(domain_to_hex_string $blocked_domain)
  336. iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  337. iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  338. echo "${blocked_domain}" >> $FIREWALL_DOMAINS
  339. save_firewall_settings
  340. fi
  341. }
  342. function firewall_unblock_domain {
  343. unblocked_domain="$1"
  344. if grep "${unblocked_domain}" $FIREWALL_DOMAINS; then
  345. hexstr=$(domain_to_hex_string $unblocked_domain)
  346. iptables -D FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  347. iptables -D FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
  348. sed -i "/${unblocked_domain}/d" $FIREWALL_DOMAINS
  349. save_firewall_settings
  350. fi
  351. }
  352. # NOTE: deliberately no exit 0