split-init #9

whirigoyen wants to merge 7 commits from split-init into master
5 changed files with 277 additions and 199 deletions


@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Fixed
* status output (number of # in headers)
### Security
## [22.04] - 2022-04-28


@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall
## Install
~~~
install --mode 0700 minifirewall /etc/init.d/minifirewall
install --mode 0700 minifirewall /usr/local/sbin/
install --mode 0700 init.sh /etc/init.d/minifirewall
install --mode 0600 minifirewall.conf /etc/default/minifirewall
mkdir --mode 0700 /etc/minifirewall.d
install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service
systemctl daemon-reload
~~~
## Config
@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub
## Usage
~~~
systemctl start/stop/restart minifirewall
minifirewall status
~~~
Formerly :
~~~
/etc/init.d/minifirewall start/stop/restart
~~~
If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`.
If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`.
## License

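--- /dev/null
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+minifirewall_bin=/usr/local/sbin/minifirewall
+if [ -z "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not executable"
+fi
+case "$1" in
+start)
+systemctl start minifirewall
+;;
+stop)
+systemctl stop minifirewall
+;;
+status)
+systemctl status minifirewall
+;;
+restart|reload|condrestart)
+systemctl restart minifirewall
+;;
+reset)
+${minifirewall_bin} reset
+;;
+*)
+echo "Usage: $0 {start|stop|restart|status|reset}"
+exit 1
+esac
+exit 0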
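Review bot: The `[ -z "${minifirewall_bin}" ]` test right after `minifirewall_bin=/usr/local/sbin/minifirewall` can never be true, because the variable is a hard-coded non-empty string, so a missing binary is only reported by the `-x` branch, and in both branches the script prints the message and carries on into the `case`. The `reset)` arm then runs `${minifirewall_bin} reset` against a path that was just reported as missing or not executable, while the systemctl arms silently ignore the problem. Suggest `if [ ! -e "${minifirewall_bin}" ]; then` for the first test, `echo "${minifirewall_bin}: not found" >&2` for both messages, and an `exit 1` after each so the wrapper fails closed instead of continuing. Since this file is installed as `/etc/init.d/minifirewall`, a one-line header comment such as `# SysV compatibility shim: every action except 'reset' is delegated to the minifirewall systemd unit` would also help the next reader understand why the script is a wrapper.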


@ -1,159 +1,51 @@
#!/bin/sh
# shellcheck disable=SC2059
# minifirewall is a shell script for easy firewalling on a standalone server
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2022 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minifirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
VERSION="22.04"
NAME="minifirewall"
PROGNAME="minifirewall"
# shellcheck disable=SC2034
DESC="Firewall designed for standalone server"
REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
VERSION="22.04.3"
readonly VERSION
set -u
# Variables configuration
#########################
show_version() {
cat <<END
${PROGNAME} version ${VERSION}
config_file="/etc/default/minifirewall"
includes_dir="/etc/minifirewall.d"
Copyright 2007-2022 Evolix <info@evolix.fr>.
# iptables paths
IPT=$(command -v iptables)
if [ -z "${IPT}" ]; then
echo "Unable to find 'iptables\` command in PATH." >&2
exit 1
fi
IPT6=$(command -v ip6tables)
if [ -z "${IPT6}" ]; then
echo "Unable to find 'ip6tables\` command in PATH." >&2
exit 1
fi
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 3
of the License.
END
}
show_help() {
cat <<END
minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
Usage: systemctl start minifirewall
or systemctl stop minifirewall
or systemctl restart minifirewall
or systemctl status minifirewall
or minifirewall status
or minifirewall reset
or minifirewall {version|--version|-V}
or minifirewall {help|--help|-h|-?}
END
}
syslog_info() {
if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1"
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
fi
}
syslog_error() {
if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1"
${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
fi
}
sort_values() {
@ -258,6 +150,13 @@ source_includes() {
done
fi
}
exit_if_not_systemd() {
if [ $PPID -ne 1 ]; then
echo "Error: Please use minifirewall systemd service instead of direct call." 1>&2
show_help
exit 1
fi
}
check_unpersisted_state() {
cmp_bin=$(command -v cmp)
diff_bin=$(command -v diff)
@ -335,11 +234,11 @@ report_state_changes() {
start() {
syslog_info "starting"
printf "${BOLD}${NAME} starting${RESET}\n"
printf "${BOLD}${PROGNAME} starting${RESET}\n"
# Stop and warn if error!
set -e
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
# sysctl network security settings
##################################
@ -890,7 +789,7 @@ start() {
trap - INT TERM EXIT
syslog_info "started"
printf "${GREEN}${BOLD}${NAME} started${RESET}\n"
printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
# No need to exit on error anymore
set +e
@ -900,7 +799,7 @@ start() {
stop() {
syslog_info "stopping"
printf "${BOLD}${NAME} stopping${RESET}\n"
printf "${BOLD}${PROGNAME} stopping${RESET}\n"
printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
@ -983,13 +882,13 @@ stop() {
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
syslog_info "stopped"
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n"
printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
}
status() {
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
${IPT} --list --numeric --verbose --line-numbers
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
${IPT} --table nat --list --numeric --verbose --line-numbers
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
${IPT} --table mangle --list --numeric --verbose --line-numbers
@ -1004,7 +903,7 @@ status() {
status_without_numbers() {
printf "${BLUE}#### iptables --list ###############################${RESET}\n"
${IPT} --list --numeric
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n"
printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
${IPT} --table nat --list --numeric
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
${IPT} --table mangle --list --numeric
@ -1018,7 +917,7 @@ status_without_numbers() {
reset() {
syslog_info "resetting"
printf "${BOLD}${NAME} resetting${RESET}\n"
printf "${BOLD}${PROGNAME} resetting${RESET}\n"
${IPT} -Z
if is_ipv6_enabled; then
@ -1033,67 +932,172 @@ reset() {
fi
syslog_info "reset"
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n"
}
show_version() {
cat <<END
${NAME} version ${VERSION}
Copyright 2007-2022 Evolix <info@evolix.fr>.
${NAME} comes with ABSOLUTELY NO WARRANTY.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 3
of the License.
END
printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
}
case "${1:-''}" in
start)
source_configuration
check_unpersisted_state
main() {
case "${1:-''}" in
start)
exit_if_not_systemd
source_configuration
check_unpersisted_state
start
;;
start
;;
stop)
source_configuration
check_unpersisted_state
stop)
exit_if_not_systemd
source_configuration
check_unpersisted_state
stop
;;
stop
;;
status)
source_configuration
check_unpersisted_state
status)
source_configuration
check_unpersisted_state
status
;;
status
;;
reset)
source_configuration
check_unpersisted_state
reset)
source_configuration
check_unpersisted_state
reset
;;
reset
;;
restart)
source_configuration
check_unpersisted_state
restart)
exit_if_not_systemd
source_configuration
check_unpersisted_state
stop
start
;;
stop
start
;;
version)
show_version
;;
version|--version|-V)
show_version
exit 0
;;
*)
echo "Usage: $0 {start|stop|restart|status|reset|version}"
exit 1
;;
esac
help|-h|-\?|--help)
show_help
exit 0
;;
exit 0
*)
show_help
exit 1
;;
esac
}
config_file="/etc/default/minifirewall"
includes_dir="/etc/minifirewall.d"
# iptables paths
IPT=$(command -v iptables)
if [ -z "${IPT}" ]; then
echo "Unable to find 'iptables\` command in PATH." >&2
exit 1
fi
IPT6=$(command -v ip6tables)
if [ -z "${IPT6}" ]; then
echo "Unable to find 'ip6tables\` command in PATH." >&2
exit 1
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
# shellcheck disable=SC2086
main $@
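Review bot: `exit_if_not_systemd` (hunk `@ -258,6 +150,13`) decides "invoked by systemd" solely from `$PPID -ne 1`, which is a heuristic rather than a check: a process re-parented to PID 1 (a `setsid`/`nohup`-detached shell, a daemonized wrapper) passes it, and in a container or any system where PID 1 is not systemd the guard refuses the legitimate start path with an error telling the operator to use a service that cannot work there. Since the function only exists to keep the unit's state in step with the live ruleset, consider also accepting the `INVOCATION_ID` variable that systemd exports to ExecStart= processes (v232 and later, as far as I recall), e.g. `if [ "${PPID}" -ne 1 ] && [ -z "${INVOCATION_ID:-}" ]; then`, and add a comment above the function stating that this is a foot-gun guard for state drift, not a privilege boundary, since anyone able to run the script as root can bypass it. Separately, the closing `main $@` should be `main "$@"` rather than silencing SC2086; with the unquoted form an argument containing whitespace or a glob character is split before `case "${1:-''}"` sees it.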

minifirewall.service Normal file

@ -0,0 +1,18 @@
# /etc/systemd/system/minifirewall.service
[Unit]
Description=Control the firewall
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
RemainAfterExit=yes
ExecStart=/usr/local/sbin/minifirewall start
ExecStop=/usr/local/sbin/minifirewall stop
[Install]
WantedBy=default.target
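Review bot: With `After=network-online.target` and `Wants=network-online.target` the unit is ordered to start only once the network is up, so on every boot there is a window in which interfaces are configured and reachable while no ruleset has been loaded yet, and the script's stop path shows the pre-start state is "flushing all rules and accepting everything". systemd's recommended ordering for a firewall is the opposite, `Before=network-pre.target` plus `Wants=network-pre.target`, which installs the rules before the network management service brings interfaces up, and `WantedBy=multi-user.target` is the conventional install target for a system service rather than `default.target`. The caveat is that the old SysV header declared `Should-Start: $network $syslog $named`, so if deployments put hostnames rather than IP literals in the configuration, iptables needs name resolution at load time and the early ordering would break those rules; whichever trade-off is chosen deserves a comment in the `[Unit]` section so the exposure window is a documented decision rather than an accident.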