Split init script and code script

This commit is contained in:
Jérémy Lecour 2022-04-29 14:07:30 +02:00 committed by Jérémy Lecour
parent c4ec8c9ac0
commit 620331c29d
2 changed files with 232 additions and 195 deletions

44
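--- /dev/null
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+minifirewall_bin=/usr/local/sbin/minifirewall
+if [ -z "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not executable"
+fi
+case "$1" in
+start)
+${minifirewall_bin} start
+;;
+stop)
+${minifirewall_bin} stop
+;;
+status)
+${minifirewall_bin} status
+;;
+restart|reload|condrestart)
+${minifirewall_bin} restart
+;;
+reset)
+${minifirewall_bin} reset
+;;
+*)
+echo "Usage: $0 {start|stop|restart|status|reset}"
+exit 1
+esac
+exit 0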
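Review bot: The guard at the top of init.sh never stops the script: its first test `[ -z "${minifirewall_bin}" ]` checks whether the variable is empty, which cannot be true since it was assigned on the line above, and neither branch exits, so the `case` still tries to run a missing or non-executable binary and the trailing `exit 0` reports success. The test should be on the path itself and both branches should exit non-zero with the diagnostic on stderr. The usage line in the `*)` arm could also list `reload|condrestart`, which the `restart` arm accepts.
```sh
minifirewall_bin=/usr/local/sbin/minifirewall
if [ ! -e "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not found" >&2
  exit 1
elif [ ! -x "${minifirewall_bin}" ]; then
  echo "${minifirewall_bin}: not executable" >&2
  exit 1
fi
# … unchanged: case "$1" in start|stop|status|restart|reset …
```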


@ -1,159 +1,50 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2059 # shellcheck disable=SC2059
# minifirewall is a shell script for easy firewalling on a standalone server PROGNAME="minifirewall"
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2022 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minifirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
VERSION="22.04"
NAME="minifirewall"
# shellcheck disable=SC2034 # shellcheck disable=SC2034
DESC="Firewall designed for standalone server" REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
VERSION="22.04.3"
readonly VERSION
set -u set -u
# Variables configuration show_version() {
######################### cat <<END
${PROGNAME} version ${VERSION}
config_file="/etc/default/minifirewall" Copyright 2007-2022 Evolix <info@evolix.fr>.
includes_dir="/etc/minifirewall.d"
# iptables paths ${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
IPT=$(command -v iptables) This program is free software; you can redistribute it and/or
if [ -z "${IPT}" ]; then modify it under the terms of the GNU General Public License
echo "Unable to find 'iptables\` command in PATH." >&2 as published by the Free Software Foundation; either version 3
exit 1 of the License.
fi END
IPT6=$(command -v ip6tables) }
if [ -z "${IPT6}" ]; then show_help() {
echo "Unable to find 'ip6tables\` command in PATH." >&2 cat <<END
exit 1 minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
fi
# TCP/IP variables Usage: minifirewall start
LOOPBACK='127.0.0.0/8' or minifirewall stop
CLASSA='10.0.0.0/8' or minifirewall restart
CLASSB='172.16.0.0/12' or minifirewall reset
CLASSC='192.168.0.0/16' or minifirewall status
CLASSD='224.0.0.0/4' or minifirewall {version|--version|-V}
CLASSE='240.0.0.0/5' or minifirewall {help|--help|-h|-?}
ALL='0.0.0.0' END
BROAD='255.255.255.255' }
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
syslog_info() { syslog_info() {
if [ -x "${LOGGER_BIN}" ]; then if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
fi fi
} }
syslog_error() { syslog_error() {
if [ -x "${LOGGER_BIN}" ]; then if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1" ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
fi fi
} }
sort_values() { sort_values() {
@ -335,11 +226,11 @@ report_state_changes() {
start() { start() {
syslog_info "starting" syslog_info "starting"
printf "${BOLD}${NAME} starting${RESET}\n" printf "${BOLD}${PROGNAME} starting${RESET}\n"
# Stop and warn if error! # Stop and warn if error!
set -e set -e
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
# sysctl network security settings # sysctl network security settings
################################## ##################################
@ -890,7 +781,7 @@ start() {
trap - INT TERM EXIT trap - INT TERM EXIT
syslog_info "started" syslog_info "started"
printf "${GREEN}${BOLD}${NAME} started${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
# No need to exit on error anymore # No need to exit on error anymore
set +e set +e
@ -900,7 +791,7 @@ start() {
stop() { stop() {
syslog_info "stopping" syslog_info "stopping"
printf "${BOLD}${NAME} stopping${RESET}\n" printf "${BOLD}${PROGNAME} stopping${RESET}\n"
printf "${BLUE}flushing all rules and accepting everything${RESET}\n" printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
@ -983,7 +874,7 @@ stop() {
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
syslog_info "stopped" syslog_info "stopped"
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
} }
status() { status() {
@ -1018,7 +909,7 @@ status_without_numbers() {
reset() { reset() {
syslog_info "resetting" syslog_info "resetting"
printf "${BOLD}${NAME} resetting${RESET}\n" printf "${BOLD}${PROGNAME} resetting${RESET}\n"
${IPT} -Z ${IPT} -Z
if is_ipv6_enabled; then if is_ipv6_enabled; then
@ -1033,67 +924,169 @@ reset() {
fi fi
syslog_info "reset" syslog_info "reset"
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
}
show_version() {
cat <<END
${NAME} version ${VERSION}
Copyright 2007-2022 Evolix <info@evolix.fr>.
${NAME} comes with ABSOLUTELY NO WARRANTY.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 3
of the License.
END
} }
case "${1:-''}" in main() {
start) case "${1:-''}" in
source_configuration start)
check_unpersisted_state source_configuration
check_unpersisted_state
start start
;; ;;
stop) stop)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
stop stop
;; ;;
status) status)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
status status
;; ;;
reset) reset)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
reset reset
;; ;;
restart) restart)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
stop stop
start start
;; ;;
version) version|--version|-V)
show_version show_version
;; exit 0
;;
*) help|-h|-\?|--help)
echo "Usage: $0 {start|stop|restart|status|reset|version}" show_help
exit 1 exit 0
;; ;;
esac
exit 0 *)
show_help
exit 1
;;
esac
}
config_file="/etc/default/minifirewall"
includes_dir="/etc/minifirewall.d"
# iptables paths
IPT=$(command -v iptables)
if [ -z "${IPT}" ]; then
echo "Unable to find 'iptables\` command in PATH." >&2
exit 1
fi
IPT6=$(command -v ip6tables)
if [ -z "${IPT6}" ]; then
echo "Unable to find 'ip6tables\` command in PATH." >&2
exit 1
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
# shellcheck disable=SC2086
main ${ARGS}
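Review bot: The new entry point `main ${ARGS}` on the last line refers to `ARGS`, which no visible line of this commit assigns; the script runs under `set -u` (first hunk), so unless `ARGS` is defined somewhere outside these hunks the script aborts with an unbound-variable error before `main` runs, and even when defined, the unquoted expansion that the SC2086 disable papers over would word-split any argument. The usual form is `main "$@"`, which passes the script's arguments through unchanged and needs no shellcheck exception. Separately, `case "${1:-''}"` (carried over from the old top-level `case`) defaults a missing argument to the literal two-character string `''` rather than an empty string; `"${1:-}"` expresses the intent, though both currently end up in the `*)` arm.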