Split init script and code script
parent
c4ec8c9ac0
commit
620331c29d
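--- a/init.sh
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+
+minifirewall_bin=/usr/local/sbin/minifirewall
+
+if [ -z "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not executable"
+fi
+
+case "$1" in
+start)
+${minifirewall_bin} start
+;;
+stop)
+${minifirewall_bin} stop
+;;
+status)
+${minifirewall_bin} status
+;;
+restart|reload|condrestart)
+${minifirewall_bin} restart
+;;
+reset)
+${minifirewall_bin} reset
+;;
+*)
+echo "Usage: $0 {start|stop|restart|status|reset}"
+exit 1
+esac
+
+exit 0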
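Review bot: The guard before the `case` never stops the script: `[ -z "${minifirewall_bin}" ]` tests a hard-coded, never-empty variable instead of the file's presence, and neither branch exits, so a missing or non-executable binary is reported and then invoked anyway. Replace the first test with `[ ! -e "${minifirewall_bin}" ]`, send both messages to stderr with `>&2`, and add `exit 1` after each `echo`. The unconditional `exit 0` after `esac` also hides the binary's exit status, so the init system records the firewall as started even when `minifirewall start` failed; in POSIX sh the status of the `case` is that of the last command in the taken branch, so `exit "$?"` in place of `exit 0` propagates it.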
321
minifirewall
321
minifirewall
|
@ -1,159 +1,50 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# shellcheck disable=SC2059
|
# shellcheck disable=SC2059
|
||||||
|
|
||||||
# minifirewall is a shell script for easy firewalling on a standalone server
|
PROGNAME="minifirewall"
|
||||||
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
|
||||||
# See https://gitea.evolix.org/evolix/minifirewall
|
|
||||||
|
|
||||||
# Copyright (c) 2007-2022 Evolix
|
|
||||||
# This program is free software; you can redistribute it and/or
|
|
||||||
# modify it under the terms of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation; either version 3
|
|
||||||
# of the License.
|
|
||||||
|
|
||||||
# Description
|
|
||||||
# script for standalone server
|
|
||||||
|
|
||||||
# Start or stop minifirewall
|
|
||||||
#
|
|
||||||
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: minifirewall
|
|
||||||
# Required-Start:
|
|
||||||
# Required-Stop:
|
|
||||||
# Should-Start: $network $syslog $named
|
|
||||||
# Should-Stop: $syslog
|
|
||||||
# Default-Start: 2 3 4 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Short-Description: start and stop the firewall
|
|
||||||
# Description: Firewall designed for standalone server
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
VERSION="22.04"
|
|
||||||
|
|
||||||
NAME="minifirewall"
|
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
DESC="Firewall designed for standalone server"
|
REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
|
||||||
|
|
||||||
|
VERSION="22.04.3"
|
||||||
|
readonly VERSION
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
# Variables configuration
|
show_version() {
|
||||||
#########################
|
cat <<END
|
||||||
|
${PROGNAME} version ${VERSION}
|
||||||
|
|
||||||
config_file="/etc/default/minifirewall"
|
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
||||||
includes_dir="/etc/minifirewall.d"
|
|
||||||
|
|
||||||
# iptables paths
|
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
|
||||||
IPT=$(command -v iptables)
|
This program is free software; you can redistribute it and/or
|
||||||
if [ -z "${IPT}" ]; then
|
modify it under the terms of the GNU General Public License
|
||||||
echo "Unable to find 'iptables\` command in PATH." >&2
|
as published by the Free Software Foundation; either version 3
|
||||||
exit 1
|
of the License.
|
||||||
fi
|
END
|
||||||
IPT6=$(command -v ip6tables)
|
}
|
||||||
if [ -z "${IPT6}" ]; then
|
show_help() {
|
||||||
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
cat <<END
|
||||||
exit 1
|
minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
|
||||||
fi
|
|
||||||
|
|
||||||
# TCP/IP variables
|
Usage: minifirewall start
|
||||||
LOOPBACK='127.0.0.0/8'
|
or minifirewall stop
|
||||||
CLASSA='10.0.0.0/8'
|
or minifirewall restart
|
||||||
CLASSB='172.16.0.0/12'
|
or minifirewall reset
|
||||||
CLASSC='192.168.0.0/16'
|
or minifirewall status
|
||||||
CLASSD='224.0.0.0/4'
|
or minifirewall {version|--version|-V}
|
||||||
CLASSE='240.0.0.0/5'
|
or minifirewall {help|--help|-h|-?}
|
||||||
ALL='0.0.0.0'
|
END
|
||||||
BROAD='255.255.255.255'
|
}
|
||||||
PORTSROOT='0:1023'
|
|
||||||
PORTSUSER='1024:65535'
|
|
||||||
|
|
||||||
# Configuration
|
|
||||||
|
|
||||||
INT=''
|
|
||||||
IPV6=''
|
|
||||||
DOCKER=''
|
|
||||||
INTLAN=''
|
|
||||||
TRUSTEDIPS=''
|
|
||||||
PRIVILEGIEDIPS=''
|
|
||||||
SERVICESTCP1p=''
|
|
||||||
SERVICESUDP1p=''
|
|
||||||
SERVICESTCP1=''
|
|
||||||
SERVICESUDP1=''
|
|
||||||
SERVICESTCP2=''
|
|
||||||
SERVICESUDP2=''
|
|
||||||
SERVICESTCP3=''
|
|
||||||
SERVICESUDP3=''
|
|
||||||
DNSSERVEURS=''
|
|
||||||
HTTPSITES=''
|
|
||||||
HTTPSSITES=''
|
|
||||||
FTPSITES=''
|
|
||||||
SSHOK=''
|
|
||||||
SMTPOK=''
|
|
||||||
SMTPSECUREOK=''
|
|
||||||
NTPOK=''
|
|
||||||
PROXY=''
|
|
||||||
PROXYBYPASS=''
|
|
||||||
PROXYPORT=''
|
|
||||||
BACKUPSERVERS=''
|
|
||||||
|
|
||||||
LEGACY_CONFIG='off'
|
|
||||||
|
|
||||||
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
|
||||||
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
|
||||||
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
|
||||||
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
|
||||||
|
|
||||||
LOGGER_BIN=$(command -v logger)
|
|
||||||
|
|
||||||
# No colors by default
|
|
||||||
RED=''
|
|
||||||
GREEN=''
|
|
||||||
YELLOW=''
|
|
||||||
BLUE=''
|
|
||||||
MAGENTA=''
|
|
||||||
CYAN=''
|
|
||||||
WHITE=''
|
|
||||||
BOLD=''
|
|
||||||
RESET=''
|
|
||||||
# check if stdout is a terminal...
|
|
||||||
if [ -t 1 ]; then
|
|
||||||
|
|
||||||
# see if it supports colors...
|
|
||||||
ncolors=$(tput colors)
|
|
||||||
|
|
||||||
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
|
||||||
RED=$(tput setaf 1)
|
|
||||||
GREEN=$(tput setaf 2)
|
|
||||||
YELLOW=$(tput setaf 3)
|
|
||||||
BLUE=$(tput setaf 4)
|
|
||||||
MAGENTA=$(tput setaf 5)
|
|
||||||
CYAN=$(tput setaf 6)
|
|
||||||
WHITE=$(tput setaf 7)
|
|
||||||
BOLD=$(tput bold)
|
|
||||||
RESET='\e[m'
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
## pseudo dry-run :
|
|
||||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
|
||||||
# IPT="fake_iptables"
|
|
||||||
# IPT6="fake_ip6tables"
|
|
||||||
# fake_iptables() {
|
|
||||||
# printf "DRY-RUN iptables %s\n" "$*"
|
|
||||||
# }
|
|
||||||
# fake_ip6tables() {
|
|
||||||
# printf "DRY-RUN ip6tables %s\n" "$*"
|
|
||||||
# }
|
|
||||||
## Beware that commands executed from included files are not modified by this trick.
|
|
||||||
|
|
||||||
syslog_info() {
|
syslog_info() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
syslog_error() {
|
syslog_error() {
|
||||||
if [ -x "${LOGGER_BIN}" ]; then
|
if [ -x "${LOGGER_BIN}" ]; then
|
||||||
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1"
|
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
sort_values() {
|
sort_values() {
|
||||||
|
@ -335,11 +226,11 @@ report_state_changes() {
|
||||||
|
|
||||||
start() {
|
start() {
|
||||||
syslog_info "starting"
|
syslog_info "starting"
|
||||||
printf "${BOLD}${NAME} starting${RESET}\n"
|
printf "${BOLD}${PROGNAME} starting${RESET}\n"
|
||||||
|
|
||||||
# Stop and warn if error!
|
# Stop and warn if error!
|
||||||
set -e
|
set -e
|
||||||
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
||||||
|
|
||||||
# sysctl network security settings
|
# sysctl network security settings
|
||||||
##################################
|
##################################
|
||||||
|
@ -890,7 +781,7 @@ start() {
|
||||||
trap - INT TERM EXIT
|
trap - INT TERM EXIT
|
||||||
|
|
||||||
syslog_info "started"
|
syslog_info "started"
|
||||||
printf "${GREEN}${BOLD}${NAME} started${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
|
||||||
|
|
||||||
# No need to exit on error anymore
|
# No need to exit on error anymore
|
||||||
set +e
|
set +e
|
||||||
|
@ -900,7 +791,7 @@ start() {
|
||||||
|
|
||||||
stop() {
|
stop() {
|
||||||
syslog_info "stopping"
|
syslog_info "stopping"
|
||||||
printf "${BOLD}${NAME} stopping${RESET}\n"
|
printf "${BOLD}${PROGNAME} stopping${RESET}\n"
|
||||||
|
|
||||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||||
|
|
||||||
|
@ -983,7 +874,7 @@ stop() {
|
||||||
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
||||||
|
|
||||||
syslog_info "stopped"
|
syslog_info "stopped"
|
||||||
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
status() {
|
status() {
|
||||||
|
@ -1018,7 +909,7 @@ status_without_numbers() {
|
||||||
|
|
||||||
reset() {
|
reset() {
|
||||||
syslog_info "resetting"
|
syslog_info "resetting"
|
||||||
printf "${BOLD}${NAME} resetting${RESET}\n"
|
printf "${BOLD}${PROGNAME} resetting${RESET}\n"
|
||||||
|
|
||||||
${IPT} -Z
|
${IPT} -Z
|
||||||
if is_ipv6_enabled; then
|
if is_ipv6_enabled; then
|
||||||
|
@ -1033,23 +924,11 @@ reset() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
syslog_info "reset"
|
syslog_info "reset"
|
||||||
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n"
|
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
||||||
}
|
|
||||||
show_version() {
|
|
||||||
cat <<END
|
|
||||||
${NAME} version ${VERSION}
|
|
||||||
|
|
||||||
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
|
||||||
|
|
||||||
${NAME} comes with ABSOLUTELY NO WARRANTY.
|
|
||||||
This program is free software; you can redistribute it and/or
|
|
||||||
modify it under the terms of the GNU General Public License
|
|
||||||
as published by the Free Software Foundation; either version 3
|
|
||||||
of the License.
|
|
||||||
END
|
|
||||||
}
|
}
|
||||||
|
|
||||||
case "${1:-''}" in
|
main() {
|
||||||
|
case "${1:-''}" in
|
||||||
start)
|
start)
|
||||||
source_configuration
|
source_configuration
|
||||||
check_unpersisted_state
|
check_unpersisted_state
|
||||||
|
@ -1086,14 +965,128 @@ case "${1:-''}" in
|
||||||
start
|
start
|
||||||
;;
|
;;
|
||||||
|
|
||||||
version)
|
version|--version|-V)
|
||||||
show_version
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
|
||||||
|
help|-h|-\?|--help)
|
||||||
|
show_help
|
||||||
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
|
||||||
*)
|
*)
|
||||||
echo "Usage: $0 {start|stop|restart|status|reset|version}"
|
show_help
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
exit 0
|
config_file="/etc/default/minifirewall"
|
||||||
|
includes_dir="/etc/minifirewall.d"
|
||||||
|
|
||||||
|
# iptables paths
|
||||||
|
IPT=$(command -v iptables)
|
||||||
|
if [ -z "${IPT}" ]; then
|
||||||
|
echo "Unable to find 'iptables\` command in PATH." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
IPT6=$(command -v ip6tables)
|
||||||
|
if [ -z "${IPT6}" ]; then
|
||||||
|
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## pseudo dry-run :
|
||||||
|
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||||
|
# IPT="fake_iptables"
|
||||||
|
# IPT6="fake_ip6tables"
|
||||||
|
# fake_iptables() {
|
||||||
|
# printf "DRY-RUN iptables %s\n" "$*"
|
||||||
|
# }
|
||||||
|
# fake_ip6tables() {
|
||||||
|
# printf "DRY-RUN ip6tables %s\n" "$*"
|
||||||
|
# }
|
||||||
|
## Beware that commands executed from included files are not modified by this trick.
|
||||||
|
|
||||||
|
# TCP/IP variables
|
||||||
|
LOOPBACK='127.0.0.0/8'
|
||||||
|
CLASSA='10.0.0.0/8'
|
||||||
|
CLASSB='172.16.0.0/12'
|
||||||
|
CLASSC='192.168.0.0/16'
|
||||||
|
CLASSD='224.0.0.0/4'
|
||||||
|
CLASSE='240.0.0.0/5'
|
||||||
|
ALL='0.0.0.0'
|
||||||
|
BROAD='255.255.255.255'
|
||||||
|
PORTSROOT='0:1023'
|
||||||
|
PORTSUSER='1024:65535'
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
|
||||||
|
INT=''
|
||||||
|
IPV6=''
|
||||||
|
DOCKER=''
|
||||||
|
INTLAN=''
|
||||||
|
TRUSTEDIPS=''
|
||||||
|
PRIVILEGIEDIPS=''
|
||||||
|
SERVICESTCP1p=''
|
||||||
|
SERVICESUDP1p=''
|
||||||
|
SERVICESTCP1=''
|
||||||
|
SERVICESUDP1=''
|
||||||
|
SERVICESTCP2=''
|
||||||
|
SERVICESUDP2=''
|
||||||
|
SERVICESTCP3=''
|
||||||
|
SERVICESUDP3=''
|
||||||
|
DNSSERVEURS=''
|
||||||
|
HTTPSITES=''
|
||||||
|
HTTPSSITES=''
|
||||||
|
FTPSITES=''
|
||||||
|
SSHOK=''
|
||||||
|
SMTPOK=''
|
||||||
|
SMTPSECUREOK=''
|
||||||
|
NTPOK=''
|
||||||
|
PROXY=''
|
||||||
|
PROXYBYPASS=''
|
||||||
|
PROXYPORT=''
|
||||||
|
BACKUPSERVERS=''
|
||||||
|
|
||||||
|
LEGACY_CONFIG='off'
|
||||||
|
|
||||||
|
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
||||||
|
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
||||||
|
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
||||||
|
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||||
|
|
||||||
|
LOGGER_BIN=$(command -v logger)
|
||||||
|
|
||||||
|
# No colors by default
|
||||||
|
RED=''
|
||||||
|
GREEN=''
|
||||||
|
YELLOW=''
|
||||||
|
BLUE=''
|
||||||
|
MAGENTA=''
|
||||||
|
CYAN=''
|
||||||
|
WHITE=''
|
||||||
|
BOLD=''
|
||||||
|
RESET=''
|
||||||
|
# check if stdout is a terminal...
|
||||||
|
if [ -t 1 ]; then
|
||||||
|
|
||||||
|
# see if it supports colors...
|
||||||
|
ncolors=$(tput colors)
|
||||||
|
|
||||||
|
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
||||||
|
RED=$(tput setaf 1)
|
||||||
|
GREEN=$(tput setaf 2)
|
||||||
|
YELLOW=$(tput setaf 3)
|
||||||
|
BLUE=$(tput setaf 4)
|
||||||
|
MAGENTA=$(tput setaf 5)
|
||||||
|
CYAN=$(tput setaf 6)
|
||||||
|
WHITE=$(tput setaf 7)
|
||||||
|
BOLD=$(tput bold)
|
||||||
|
RESET='\e[m'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
main ${ARGS}
|
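Review bot: `main ${ARGS}` on the last line of the file relies on ARGS being assigned somewhere this section does not show; with `set -u` in effect an unset ARGS aborts the script with an unbound-variable error before main runs, and the unquoted expansion word-splits the arguments, which is what the `SC2086` suppression papers over. If ARGS only mirrors the script's positional parameters, `main "$@"` reproduces what the old top-level `case "${1:-''}"` did and the shellcheck directive can be dropped. Separately, the default in `${1:-''}` is the literal two-character string `''` rather than an empty string; `${1:-}` states the intent and still lands in the `*)` arm.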