split-init #9
|
@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
|
|||
|
||||
### Fixed
|
||||
|
||||
* status output (number of # in headers)
|
||||
|
||||
### Security
|
||||
|
||||
## [22.04] - 2022-04-28
|
||||
|
|
14
README.md
14
README.md
|
@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall
|
|||
## Install
|
||||
|
||||
~~~
|
||||
install --mode 0700 minifirewall /etc/init.d/minifirewall
|
||||
install --mode 0700 minifirewall /usr/local/sbin/
|
||||
install --mode 0700 init.sh /etc/init.d/minifirewall
|
||||
install --mode 0600 minifirewall.conf /etc/default/minifirewall
|
||||
mkdir --mode 0700 /etc/minifirewall.d
|
||||
|
||||
install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service
|
||||
systemctl daemon-reload
|
||||
~~~
|
||||
|
||||
## Config
|
||||
|
@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub
|
|||
|
||||
## Usage
|
||||
|
||||
~~~
|
||||
systemctl start/stop/restart minifirewall
|
||||
minifirewall status
|
||||
~~~
|
||||
|
||||
Formerly :
|
||||
~~~
|
||||
/etc/init.d/minifirewall start/stop/restart
|
||||
~~~
|
||||
|
||||
If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`.
|
||||
If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`.
|
||||
|
||||
## License
|
||||
|
||||
|
|
44
init.sh
Normal file
44
init.sh
Normal file
|
@ -0,0 +1,44 @@
|
|||
#!/bin/sh
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: minifirewall
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start: $network $syslog $named
|
||||
# Should-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop the firewall
|
||||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
minifirewall_bin=/usr/local/sbin/minifirewall
|
||||
|
||||
if [ -z "${minifirewall_bin}" ]; then
|
||||
echo "${minifirewall_bin}: not found"
|
||||
elif [ ! -x "${minifirewall_bin}" ]; then
|
||||
echo "${minifirewall_bin}: not executable"
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
systemctl start minifirewall
|
||||
;;
|
||||
stop)
|
||||
systemctl stop minifirewall
|
||||
;;
|
||||
status)
|
||||
systemctl status minifirewall
|
||||
;;
|
||||
restart|reload|condrestart)
|
||||
systemctl restart minifirewall
|
||||
;;
|
||||
reset)
|
||||
${minifirewall_bin} reset
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status|reset}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
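Review bot: The guard in init.sh before the `case` never stops the script: `[ -z "${minifirewall_bin}" ]` tests a hard-coded literal and is always false, and neither branch exits, so after printing "not found" or "not executable" the `reset)` arm still tries to run `${minifirewall_bin} reset` and the script ends with `exit 0`. The first test should be an existence check and both branches should fail loudly on stderr, as below. The trailing `exit 0` also masks a failed `systemctl start/stop`, so an operator or a SysV runner sees success when the firewall did not come up; `exit "$?"` after `esac` returns the status of the matched arm instead.
```shell
minifirewall_bin=/usr/local/sbin/minifirewall

if [ ! -e "${minifirewall_bin}" ]; then
    echo "${minifirewall_bin}: not found" >&2
    exit 1
elif [ ! -x "${minifirewall_bin}" ]; then
    echo "${minifirewall_bin}: not executable" >&2
    exit 1
fi
# … unchanged: case "$1" dispatch …
```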
398
minifirewall
398
minifirewall
|
@ -1,159 +1,51 @@
|
|||
#!/bin/sh
|
||||
# shellcheck disable=SC2059
|
||||
|
||||
# minifirewall is a shell script for easy firewalling on a standalone server
|
||||
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
|
||||
# See https://gitea.evolix.org/evolix/minifirewall
|
||||
|
||||
# Copyright (c) 2007-2022 Evolix
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License
|
||||
# as published by the Free Software Foundation; either version 3
|
||||
# of the License.
|
||||
|
||||
# Description
|
||||
# script for standalone server
|
||||
|
||||
# Start or stop minifirewall
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: minifirewall
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start: $network $syslog $named
|
||||
# Should-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: start and stop the firewall
|
||||
# Description: Firewall designed for standalone server
|
||||
### END INIT INFO
|
||||
|
||||
VERSION="22.04"
|
||||
|
||||
NAME="minifirewall"
|
||||
PROGNAME="minifirewall"
|
||||
# shellcheck disable=SC2034
|
||||
DESC="Firewall designed for standalone server"
|
||||
REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
|
||||
|
||||
VERSION="22.04.3"
|
||||
readonly VERSION
|
||||
|
||||
set -u
|
||||
|
||||
# Variables configuration
|
||||
#########################
|
||||
show_version() {
|
||||
cat <<END
|
||||
${PROGNAME} version ${VERSION}
|
||||
|
||||
config_file="/etc/default/minifirewall"
|
||||
includes_dir="/etc/minifirewall.d"
|
||||
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
||||
|
||||
# iptables paths
|
||||
IPT=$(command -v iptables)
|
||||
if [ -z "${IPT}" ]; then
|
||||
echo "Unable to find 'iptables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
IPT6=$(command -v ip6tables)
|
||||
if [ -z "${IPT6}" ]; then
|
||||
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
|
||||
This program is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU General Public License
|
||||
as published by the Free Software Foundation; either version 3
|
||||
of the License.
|
||||
END
|
||||
}
|
||||
show_help() {
|
||||
cat <<END
|
||||
minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
|
||||
|
||||
# TCP/IP variables
|
||||
LOOPBACK='127.0.0.0/8'
|
||||
CLASSA='10.0.0.0/8'
|
||||
CLASSB='172.16.0.0/12'
|
||||
CLASSC='192.168.0.0/16'
|
||||
CLASSD='224.0.0.0/4'
|
||||
CLASSE='240.0.0.0/5'
|
||||
ALL='0.0.0.0'
|
||||
BROAD='255.255.255.255'
|
||||
PORTSROOT='0:1023'
|
||||
PORTSUSER='1024:65535'
|
||||
|
||||
# Configuration
|
||||
|
||||
INT=''
|
||||
IPV6=''
|
||||
DOCKER=''
|
||||
INTLAN=''
|
||||
TRUSTEDIPS=''
|
||||
PRIVILEGIEDIPS=''
|
||||
SERVICESTCP1p=''
|
||||
SERVICESUDP1p=''
|
||||
SERVICESTCP1=''
|
||||
SERVICESUDP1=''
|
||||
SERVICESTCP2=''
|
||||
SERVICESUDP2=''
|
||||
SERVICESTCP3=''
|
||||
SERVICESUDP3=''
|
||||
DNSSERVEURS=''
|
||||
HTTPSITES=''
|
||||
HTTPSSITES=''
|
||||
FTPSITES=''
|
||||
SSHOK=''
|
||||
SMTPOK=''
|
||||
SMTPSECUREOK=''
|
||||
NTPOK=''
|
||||
PROXY=''
|
||||
PROXYBYPASS=''
|
||||
PROXYPORT=''
|
||||
BACKUPSERVERS=''
|
||||
|
||||
LEGACY_CONFIG='off'
|
||||
|
||||
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
||||
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
||||
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
||||
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||
|
||||
LOGGER_BIN=$(command -v logger)
|
||||
|
||||
# No colors by default
|
||||
RED=''
|
||||
GREEN=''
|
||||
YELLOW=''
|
||||
BLUE=''
|
||||
MAGENTA=''
|
||||
CYAN=''
|
||||
WHITE=''
|
||||
BOLD=''
|
||||
RESET=''
|
||||
# check if stdout is a terminal...
|
||||
if [ -t 1 ]; then
|
||||
|
||||
# see if it supports colors...
|
||||
ncolors=$(tput colors)
|
||||
|
||||
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
||||
RED=$(tput setaf 1)
|
||||
GREEN=$(tput setaf 2)
|
||||
YELLOW=$(tput setaf 3)
|
||||
BLUE=$(tput setaf 4)
|
||||
MAGENTA=$(tput setaf 5)
|
||||
CYAN=$(tput setaf 6)
|
||||
WHITE=$(tput setaf 7)
|
||||
BOLD=$(tput bold)
|
||||
RESET='\e[m'
|
||||
fi
|
||||
fi
|
||||
|
||||
## pseudo dry-run :
|
||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||
# IPT="fake_iptables"
|
||||
# IPT6="fake_ip6tables"
|
||||
# fake_iptables() {
|
||||
# printf "DRY-RUN iptables %s\n" "$*"
|
||||
# }
|
||||
# fake_ip6tables() {
|
||||
# printf "DRY-RUN ip6tables %s\n" "$*"
|
||||
# }
|
||||
## Beware that commands executed from included files are not modified by this trick.
|
||||
Usage: systemctl start minifirewall
|
||||
or systemctl stop minifirewall
|
||||
or systemctl restart minifirewall
|
||||
or systemctl status minifirewall
|
||||
or minifirewall status
|
||||
or minifirewall reset
|
||||
or minifirewall {version|--version|-V}
|
||||
or minifirewall {help|--help|-h|-?}
|
||||
END
|
||||
}
|
||||
|
||||
syslog_info() {
|
||||
if [ -x "${LOGGER_BIN}" ]; then
|
||||
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
|
||||
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
|
||||
fi
|
||||
}
|
||||
syslog_error() {
|
||||
if [ -x "${LOGGER_BIN}" ]; then
|
||||
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1"
|
||||
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
|
||||
fi
|
||||
}
|
||||
sort_values() {
|
||||
|
@ -258,6 +150,13 @@ source_includes() {
|
|||
done
|
||||
fi
|
||||
}
|
||||
exit_if_not_systemd() {
|
||||
if [ $PPID -ne 1 ]; then
|
||||
echo "Error: Please use minifirewall systemd service instead of direct call." 1>&2
|
||||
show_help
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
check_unpersisted_state() {
|
||||
cmp_bin=$(command -v cmp)
|
||||
diff_bin=$(command -v diff)
|
||||
|
@ -335,11 +234,11 @@ report_state_changes() {
|
|||
|
||||
start() {
|
||||
syslog_info "starting"
|
||||
printf "${BOLD}${NAME} starting${RESET}\n"
|
||||
printf "${BOLD}${PROGNAME} starting${RESET}\n"
|
||||
|
||||
# Stop and warn if error!
|
||||
set -e
|
||||
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
||||
trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
|
||||
|
||||
# sysctl network security settings
|
||||
##################################
|
||||
|
@ -890,7 +789,7 @@ start() {
|
|||
trap - INT TERM EXIT
|
||||
|
||||
syslog_info "started"
|
||||
printf "${GREEN}${BOLD}${NAME} started${RESET}\n"
|
||||
printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
|
||||
|
||||
# No need to exit on error anymore
|
||||
set +e
|
||||
|
@ -900,7 +799,7 @@ start() {
|
|||
|
||||
stop() {
|
||||
syslog_info "stopping"
|
||||
printf "${BOLD}${NAME} stopping${RESET}\n"
|
||||
printf "${BOLD}${PROGNAME} stopping${RESET}\n"
|
||||
|
||||
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
|
||||
|
||||
|
@ -983,13 +882,13 @@ stop() {
|
|||
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
|
||||
|
||||
syslog_info "stopped"
|
||||
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n"
|
||||
printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
|
||||
}
|
||||
|
||||
status() {
|
||||
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
||||
${IPT} --list --numeric --verbose --line-numbers
|
||||
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
|
||||
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
|
||||
${IPT} --table nat --list --numeric --verbose --line-numbers
|
||||
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
||||
${IPT} --table mangle --list --numeric --verbose --line-numbers
|
||||
|
@ -1004,7 +903,7 @@ status() {
|
|||
status_without_numbers() {
|
||||
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
|
||||
${IPT} --list --numeric
|
||||
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
|
||||
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
|
||||
${IPT} --table nat --list --numeric
|
||||
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
|
||||
${IPT} --table mangle --list --numeric
|
||||
|
@ -1018,7 +917,7 @@ status_without_numbers() {
|
|||
|
||||
reset() {
|
||||
syslog_info "resetting"
|
||||
printf "${BOLD}${NAME} resetting${RESET}\n"
|
||||
printf "${BOLD}${PROGNAME} resetting${RESET}\n"
|
||||
|
||||
${IPT} -Z
|
||||
if is_ipv6_enabled; then
|
||||
|
@ -1033,67 +932,172 @@ reset() {
|
|||
fi
|
||||
|
||||
syslog_info "reset"
|
||||
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n"
|
||||
}
|
||||
show_version() {
|
||||
cat <<END
|
||||
${NAME} version ${VERSION}
|
||||
|
||||
Copyright 2007-2022 Evolix <info@evolix.fr>.
|
||||
|
||||
${NAME} comes with ABSOLUTELY NO WARRANTY.
|
||||
This program is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU General Public License
|
||||
as published by the Free Software Foundation; either version 3
|
||||
of the License.
|
||||
END
|
||||
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
|
||||
}
|
||||
|
||||
case "${1:-''}" in
|
||||
start)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
main() {
|
||||
case "${1:-''}" in
|
||||
start)
|
||||
exit_if_not_systemd
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
|
||||
start
|
||||
;;
|
||||
start
|
||||
;;
|
||||
|
||||
stop)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
stop)
|
||||
exit_if_not_systemd
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
|
||||
stop
|
||||
;;
|
||||
stop
|
||||
;;
|
||||
|
||||
status)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
status)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
|
||||
status
|
||||
;;
|
||||
status
|
||||
;;
|
||||
|
||||
reset)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
reset)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
|
||||
reset
|
||||
;;
|
||||
reset
|
||||
;;
|
||||
|
||||
restart)
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
restart)
|
||||
exit_if_not_systemd
|
||||
source_configuration
|
||||
check_unpersisted_state
|
||||
|
||||
stop
|
||||
start
|
||||
;;
|
||||
stop
|
||||
start
|
||||
;;
|
||||
|
||||
version)
|
||||
show_version
|
||||
;;
|
||||
version|--version|-V)
|
||||
show_version
|
||||
exit 0
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status|reset|version}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
help|-h|-\?|--help)
|
||||
show_help
|
||||
exit 0
|
||||
;;
|
||||
|
||||
exit 0
|
||||
*)
|
||||
show_help
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
config_file="/etc/default/minifirewall"
|
||||
includes_dir="/etc/minifirewall.d"
|
||||
|
||||
# iptables paths
|
||||
IPT=$(command -v iptables)
|
||||
if [ -z "${IPT}" ]; then
|
||||
echo "Unable to find 'iptables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
IPT6=$(command -v ip6tables)
|
||||
if [ -z "${IPT6}" ]; then
|
||||
echo "Unable to find 'ip6tables\` command in PATH." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## pseudo dry-run :
|
||||
## Uncomment and call these functions instead of the real iptables and ip6tables commands
|
||||
# IPT="fake_iptables"
|
||||
# IPT6="fake_ip6tables"
|
||||
# fake_iptables() {
|
||||
# printf "DRY-RUN iptables %s\n" "$*"
|
||||
# }
|
||||
# fake_ip6tables() {
|
||||
# printf "DRY-RUN ip6tables %s\n" "$*"
|
||||
# }
|
||||
## Beware that commands executed from included files are not modified by this trick.
|
||||
|
||||
# TCP/IP variables
|
||||
LOOPBACK='127.0.0.0/8'
|
||||
CLASSA='10.0.0.0/8'
|
||||
CLASSB='172.16.0.0/12'
|
||||
CLASSC='192.168.0.0/16'
|
||||
CLASSD='224.0.0.0/4'
|
||||
CLASSE='240.0.0.0/5'
|
||||
ALL='0.0.0.0'
|
||||
BROAD='255.255.255.255'
|
||||
PORTSROOT='0:1023'
|
||||
PORTSUSER='1024:65535'
|
||||
|
||||
# Configuration
|
||||
|
||||
INT=''
|
||||
IPV6=''
|
||||
DOCKER=''
|
||||
INTLAN=''
|
||||
TRUSTEDIPS=''
|
||||
PRIVILEGIEDIPS=''
|
||||
SERVICESTCP1p=''
|
||||
SERVICESUDP1p=''
|
||||
SERVICESTCP1=''
|
||||
SERVICESUDP1=''
|
||||
SERVICESTCP2=''
|
||||
SERVICESUDP2=''
|
||||
SERVICESTCP3=''
|
||||
SERVICESUDP3=''
|
||||
DNSSERVEURS=''
|
||||
HTTPSITES=''
|
||||
HTTPSSITES=''
|
||||
FTPSITES=''
|
||||
SSHOK=''
|
||||
SMTPOK=''
|
||||
SMTPSECUREOK=''
|
||||
NTPOK=''
|
||||
PROXY=''
|
||||
PROXYBYPASS=''
|
||||
PROXYPORT=''
|
||||
BACKUPSERVERS=''
|
||||
|
||||
LEGACY_CONFIG='off'
|
||||
|
||||
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
|
||||
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
|
||||
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
|
||||
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
|
||||
|
||||
LOGGER_BIN=$(command -v logger)
|
||||
|
||||
# No colors by default
|
||||
RED=''
|
||||
GREEN=''
|
||||
YELLOW=''
|
||||
BLUE=''
|
||||
MAGENTA=''
|
||||
CYAN=''
|
||||
WHITE=''
|
||||
BOLD=''
|
||||
RESET=''
|
||||
# check if stdout is a terminal...
|
||||
if [ -t 1 ]; then
|
||||
|
||||
# see if it supports colors...
|
||||
ncolors=$(tput colors)
|
||||
|
||||
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
|
||||
RED=$(tput setaf 1)
|
||||
GREEN=$(tput setaf 2)
|
||||
YELLOW=$(tput setaf 3)
|
||||
BLUE=$(tput setaf 4)
|
||||
MAGENTA=$(tput setaf 5)
|
||||
CYAN=$(tput setaf 6)
|
||||
WHITE=$(tput setaf 7)
|
||||
BOLD=$(tput bold)
|
||||
RESET='\e[m'
|
||||
fi
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
main $@
|
||||
|
|
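Review bot: `exit_if_not_systemd` decides on `[ $PPID -ne 1 ]` alone, which only shows the caller was reparented to PID 1 — a backgrounded invocation whose parent shell has already exited passes it, so it is a usability guard against direct `start`/`stop` calls, not a trust boundary, and a one-line comment above the function should say so. A cheap additional signal is the `INVOCATION_ID` variable systemd exports to unit processes, e.g. `if [ "${PPID}" -ne 1 ] || [ -z "${INVOCATION_ID:-}" ]; then` (confirm it is set on the oldest systemd release you support). The error line goes to stderr but the `show_help` that follows prints to stdout, so scripted callers get the usage text mixed into normal output; `show_help >&2` keeps the diagnostic together, and the same applies to the `*)` arm of `main`. At the end of the section `main $@` should be `main "$@"`, which also removes the need for the `# shellcheck disable=SC2086` line.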
18
minifirewall.service
Normal file
18
minifirewall.service
Normal file
|
@ -0,0 +1,18 @@
|
|||
# /etc/systemd/system/minifirewall.service
|
||||
|
||||
[Unit]
|
||||
Description=Control the firewall
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
Restart=no
|
||||
TimeoutSec=5min
|
||||
IgnoreSIGPIPE=no
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/sbin/minifirewall start
|
||||
ExecStop=/usr/local/sbin/minifirewall stop
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
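Review bot: The unit orders itself `After=network-online.target`, so at boot the interfaces are up and reachable before any rule is loaded, leaving a window with the default ACCEPT policies; the SysV header it replaces only declared `Should-Start: $network`. A firewall unit is usually ordered the other way, `Before=network-pre.target` together with `Wants=network-pre.target`, so the rule set exists before interfaces come up. That ordering is only possible if `minifirewall start` does not need name resolution when building its rules; if hostnames in the configuration must be resolved at start time, keep the current ordering but add a comment in the unit stating that trade-off.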