split-init #9

whirigoyen wants to merge 7 commits from split-init into master
5 changed files with 277 additions and 199 deletions


@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Fixed ### Fixed
* status output (number of # in headers)
### Security ### Security
## [22.04] - 2022-04-28 ## [22.04] - 2022-04-28


@ -8,9 +8,13 @@ See https://gitea.evolix.org/evolix/minifirewall
## Install ## Install
~~~ ~~~
install --mode 0700 minifirewall /etc/init.d/minifirewall install --mode 0700 minifirewall /usr/local/sbin/
install --mode 0700 init.sh /etc/init.d/minifirewall
install --mode 0600 minifirewall.conf /etc/default/minifirewall install --mode 0600 minifirewall.conf /etc/default/minifirewall
mkdir --mode 0700 /etc/minifirewall.d mkdir --mode 0700 /etc/minifirewall.d
install --mode 0644 minifirewall.service /etc/systemd/system/minifirewall.service
systemctl daemon-reload
~~~ ~~~
## Config ## Config
@ -37,11 +41,17 @@ you need to use the port used by the container (ie: 8080) in the public/semi-pub
## Usage ## Usage
~~~
systemctl start/stop/restart minifirewall
minifirewall status
~~~
Formerly :
~~~ ~~~
/etc/init.d/minifirewall start/stop/restart /etc/init.d/minifirewall start/stop/restart
~~~ ~~~
If you want to add minifirewall in boot sequence, add the start command to `/usr/share/scripts/alert5`. If you want to add minifirewall in SysV Init boot sequence, add the start command to `/usr/share/scripts/alert5`.
## License ## License

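--- a/init.sh
+++ b/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: minifirewall
+# Required-Start:
+# Required-Stop:
+# Should-Start: $network $syslog $named
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop the firewall
+# Description: Firewall designed for standalone server
+### END INIT INFO
+minifirewall_bin=/usr/local/sbin/minifirewall
+if [ -z "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not found"
+elif [ ! -x "${minifirewall_bin}" ]; then
+echo "${minifirewall_bin}: not executable"
+fi
+case "$1" in
+start)
+systemctl start minifirewall
+;;
+stop)
+systemctl stop minifirewall
+;;
+status)
+systemctl status minifirewall
+;;
+restart|reload|condrestart)
+systemctl restart minifirewall
+;;
+reset)
+${minifirewall_bin} reset
+;;
+*)
+echo "Usage: $0 {start|stop|restart|status|reset}"
+exit 1
+esac
+exit 0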
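Review bot: The guard `if [ -z "${minifirewall_bin}" ]` tests a hard-coded, non-empty literal, so it can never fire, and neither it nor the `! -x` branch exits, so a missing or non-executable binary still falls through to the case dispatch (and, for `reset`, to executing the missing path directly). The first test should be a presence check and both branches should write to stderr and fail fast, as below. The `reset` arm intentionally bypasses systemd, which matches the main script's own dispatch, but it is the one arm that depends on this guard being correct.
```shell
if [ ! -e "${minifirewall_bin}" ]; then
    echo "${minifirewall_bin}: not found" >&2
    exit 1
elif [ ! -x "${minifirewall_bin}" ]; then
    echo "${minifirewall_bin}: not executable" >&2
    exit 1
fi
# … unchanged: case dispatch on "$1" …
```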


@ -1,159 +1,51 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2059 # shellcheck disable=SC2059
# minifirewall is a shell script for easy firewalling on a standalone server PROGNAME="minifirewall"
# It uses netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
# See https://gitea.evolix.org/evolix/minifirewall
# Copyright (c) 2007-2022 Evolix
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License.
# Description
# script for standalone server
# Start or stop minifirewall
#
### BEGIN INIT INFO
# Provides: minifirewall
# Required-Start:
# Required-Stop:
# Should-Start: $network $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the firewall
# Description: Firewall designed for standalone server
### END INIT INFO
VERSION="22.04"
NAME="minifirewall"
# shellcheck disable=SC2034 # shellcheck disable=SC2034
DESC="Firewall designed for standalone server" REPOSITORY="https://gitea.evolix.org/evolix/minifirewall"
VERSION="22.04.3"
readonly VERSION
set -u set -u
# Variables configuration show_version() {
######################### cat <<END
${PROGNAME} version ${VERSION}
config_file="/etc/default/minifirewall" Copyright 2007-2022 Evolix <info@evolix.fr>.
includes_dir="/etc/minifirewall.d"
# iptables paths ${PROGNAME} comes with ABSOLUTELY NO WARRANTY.
IPT=$(command -v iptables) This program is free software; you can redistribute it and/or
if [ -z "${IPT}" ]; then modify it under the terms of the GNU General Public License
echo "Unable to find 'iptables\` command in PATH." >&2 as published by the Free Software Foundation; either version 3
exit 1 of the License.
fi END
IPT6=$(command -v ip6tables) }
if [ -z "${IPT6}" ]; then show_help() {
echo "Unable to find 'ip6tables\` command in PATH." >&2 cat <<END
exit 1 minifirewall is wrapper around netfilter/iptables for easy local firewalling on Linux.
fi
# TCP/IP variables Usage: systemctl start minifirewall
LOOPBACK='127.0.0.0/8' or systemctl stop minifirewall
CLASSA='10.0.0.0/8' or systemctl restart minifirewall
CLASSB='172.16.0.0/12' or systemctl status minifirewall
CLASSC='192.168.0.0/16' or minifirewall status
CLASSD='224.0.0.0/4' or minifirewall reset
CLASSE='240.0.0.0/5' or minifirewall {version|--version|-V}
ALL='0.0.0.0' or minifirewall {help|--help|-h|-?}
BROAD='255.255.255.255' END
PORTSROOT='0:1023' }
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
syslog_info() { syslog_info() {
if [ -x "${LOGGER_BIN}" ]; then if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.info "$1" ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.info "$1"
fi fi
} }
syslog_error() { syslog_error() {
if [ -x "${LOGGER_BIN}" ]; then if [ -x "${LOGGER_BIN}" ]; then
${LOGGER_BIN} -t "${NAME}" -p daemon.error "$1" ${LOGGER_BIN} -t "${PROGNAME}" -p daemon.error "$1"
fi fi
} }
sort_values() { sort_values() {
@ -258,6 +150,13 @@ source_includes() {
done done
fi fi
} }
exit_if_not_systemd() {
if [ $PPID -ne 1 ]; then
echo "Error: Please use minifirewall systemd service instead of direct call." 1>&2
show_help
exit 1
fi
}
check_unpersisted_state() { check_unpersisted_state() {
cmp_bin=$(command -v cmp) cmp_bin=$(command -v cmp)
diff_bin=$(command -v diff) diff_bin=$(command -v diff)
@ -335,11 +234,11 @@ report_state_changes() {
start() { start() {
syslog_info "starting" syslog_info "starting"
printf "${BOLD}${NAME} starting${RESET}\n" printf "${BOLD}${PROGNAME} starting${RESET}\n"
# Stop and warn if error! # Stop and warn if error!
set -e set -e
trap 'printf "${RED}${NAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT trap 'printf "${RED}${PROGNAME} failed : an error occured during startup.${RESET}\n"; syslog_error "failed" ' INT TERM EXIT
# sysctl network security settings # sysctl network security settings
################################## ##################################
@ -890,7 +789,7 @@ start() {
trap - INT TERM EXIT trap - INT TERM EXIT
syslog_info "started" syslog_info "started"
printf "${GREEN}${BOLD}${NAME} started${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} started${RESET}\n"
# No need to exit on error anymore # No need to exit on error anymore
set +e set +e
@ -900,7 +799,7 @@ start() {
stop() { stop() {
syslog_info "stopping" syslog_info "stopping"
printf "${BOLD}${NAME} stopping${RESET}\n" printf "${BOLD}${PROGNAME} stopping${RESET}\n"
printf "${BLUE}flushing all rules and accepting everything${RESET}\n" printf "${BLUE}flushing all rules and accepting everything${RESET}\n"
@ -983,13 +882,13 @@ stop() {
rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}" rm -f "${STATE_FILE_LATEST}" "${STATE_FILE_CURRENT}"
syslog_info "stopped" syslog_info "stopped"
printf "${GREEN}${BOLD}${NAME} stopped${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} stopped${RESET}\n"
} }
status() { status() {
printf "${BLUE}#### iptables --list ###############################${RESET}\n" printf "${BLUE}#### iptables --list ###############################${RESET}\n"
${IPT} --list --numeric --verbose --line-numbers ${IPT} --list --numeric --verbose --line-numbers
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
${IPT} --table nat --list --numeric --verbose --line-numbers ${IPT} --table nat --list --numeric --verbose --line-numbers
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
${IPT} --table mangle --list --numeric --verbose --line-numbers ${IPT} --table mangle --list --numeric --verbose --line-numbers
@ -1004,7 +903,7 @@ status() {
status_without_numbers() { status_without_numbers() {
printf "${BLUE}#### iptables --list ###############################${RESET}\n" printf "${BLUE}#### iptables --list ###############################${RESET}\n"
${IPT} --list --numeric ${IPT} --list --numeric
printf "\n${BLUE}### iptables --table nat --list ####################${RESET}\n" printf "\n${BLUE}#### iptables --table nat --list ###################${RESET}\n"
${IPT} --table nat --list --numeric ${IPT} --table nat --list --numeric
printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n" printf "\n${BLUE}#### iptables --table mangle --list ################${RESET}\n"
${IPT} --table mangle --list --numeric ${IPT} --table mangle --list --numeric
@ -1018,7 +917,7 @@ status_without_numbers() {
reset() { reset() {
syslog_info "resetting" syslog_info "resetting"
printf "${BOLD}${NAME} resetting${RESET}\n" printf "${BOLD}${PROGNAME} resetting${RESET}\n"
${IPT} -Z ${IPT} -Z
if is_ipv6_enabled; then if is_ipv6_enabled; then
@ -1033,67 +932,172 @@ reset() {
fi fi
syslog_info "reset" syslog_info "reset"
printf "${GREEN}${BOLD}${NAME} reset${RESET}\n" printf "${GREEN}${BOLD}${PROGNAME} reset${RESET}\n"
}
show_version() {
cat <<END
${NAME} version ${VERSION}
Copyright 2007-2022 Evolix <info@evolix.fr>.
${NAME} comes with ABSOLUTELY NO WARRANTY.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 3
of the License.
END
} }
case "${1:-''}" in main() {
start) case "${1:-''}" in
source_configuration start)
check_unpersisted_state exit_if_not_systemd
source_configuration
check_unpersisted_state
start start
;; ;;
stop) stop)
source_configuration exit_if_not_systemd
check_unpersisted_state source_configuration
check_unpersisted_state
stop stop
;; ;;
status) status)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
status status
;; ;;
reset) reset)
source_configuration source_configuration
check_unpersisted_state check_unpersisted_state
reset reset
;; ;;
restart) restart)
source_configuration exit_if_not_systemd
check_unpersisted_state source_configuration
check_unpersisted_state
stop stop
start start
;; ;;
version) version|--version|-V)
show_version show_version
;; exit 0
;;
*) help|-h|-\?|--help)
echo "Usage: $0 {start|stop|restart|status|reset|version}" show_help
exit 1 exit 0
;; ;;
esac
exit 0 *)
show_help
exit 1
;;
esac
}
config_file="/etc/default/minifirewall"
includes_dir="/etc/minifirewall.d"
# iptables paths
IPT=$(command -v iptables)
if [ -z "${IPT}" ]; then
echo "Unable to find 'iptables\` command in PATH." >&2
exit 1
fi
IPT6=$(command -v ip6tables)
if [ -z "${IPT6}" ]; then
echo "Unable to find 'ip6tables\` command in PATH." >&2
exit 1
fi
## pseudo dry-run :
## Uncomment and call these functions instead of the real iptables and ip6tables commands
# IPT="fake_iptables"
# IPT6="fake_ip6tables"
# fake_iptables() {
# printf "DRY-RUN iptables %s\n" "$*"
# }
# fake_ip6tables() {
# printf "DRY-RUN ip6tables %s\n" "$*"
# }
## Beware that commands executed from included files are not modified by this trick.
# TCP/IP variables
LOOPBACK='127.0.0.0/8'
CLASSA='10.0.0.0/8'
CLASSB='172.16.0.0/12'
CLASSC='192.168.0.0/16'
CLASSD='224.0.0.0/4'
CLASSE='240.0.0.0/5'
ALL='0.0.0.0'
BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
# Configuration
INT=''
IPV6=''
DOCKER=''
INTLAN=''
TRUSTEDIPS=''
PRIVILEGIEDIPS=''
SERVICESTCP1p=''
SERVICESUDP1p=''
SERVICESTCP1=''
SERVICESUDP1=''
SERVICESTCP2=''
SERVICESUDP2=''
SERVICESTCP3=''
SERVICESUDP3=''
DNSSERVEURS=''
HTTPSITES=''
HTTPSSITES=''
FTPSITES=''
SSHOK=''
SMTPOK=''
SMTPSECUREOK=''
NTPOK=''
PROXY=''
PROXYBYPASS=''
PROXYPORT=''
BACKUPSERVERS=''
LEGACY_CONFIG='off'
STATE_FILE_LATEST='/var/run/minifirewall_state_latest'
STATE_FILE_CURRENT='/var/run/minifirewall_state_current'
STATE_FILE_PREVIOUS='/var/run/minifirewall_state_previous'
STATE_FILE_DIFF='/var/run/minifirewall_state_diff'
LOGGER_BIN=$(command -v logger)
# No colors by default
RED=''
GREEN=''
YELLOW=''
BLUE=''
MAGENTA=''
CYAN=''
WHITE=''
BOLD=''
RESET=''
# check if stdout is a terminal...
if [ -t 1 ]; then
# see if it supports colors...
ncolors=$(tput colors)
if [ -n "${ncolors}" ] && [ ${ncolors} -ge 8 ]; then
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BOLD=$(tput bold)
RESET='\e[m'
fi
fi
# shellcheck disable=SC2086
main $@
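Review bot: The new entry point on the final line calls `main $@` with SC2086 suppressed; in POSIX sh the quoted form `main "$@"` passes every argument intact, so the last two lines should become just `main "$@"` and the `# shellcheck disable=SC2086` comment should be dropped. Separately, `exit_if_not_systemd` relies on `[ $PPID -ne 1 ]`, which is a heuristic rather than a guarantee of being launched by the unit: any process reparented to PID 1 (a backgrounded or nohup'd shell, some container inits) passes it, and it assumes systemd is PID 1. A one-line comment in that function such as `# Heuristic: ExecStart runs as a direct child of PID 1; this does not prove we were started by the unit.` would make the intent clear to the next maintainer. The hunk containing `main()` begins inside `reset()`, whose start is outside the visible section.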

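--- a/minifirewall.service
+++ b/minifirewall.service
@@ -0,0 +1,18 @@
+# /etc/systemd/system/minifirewall.service
+[Unit]
+Description=Control the firewall
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=oneshot
+Restart=no
+TimeoutSec=5min
+IgnoreSIGPIPE=no
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/minifirewall start
+ExecStop=/usr/local/sbin/minifirewall stop
+[Install]
+WantedBy=default.target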
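Review bot: `After=network-online.target` orders the firewall after the network is up, which leaves a window at boot in which interfaces are configured but no rules are loaded; systemd's documented hook for firewall setup is `network-pre.target`, i.e. `Wants=network-pre.target` plus `Before=network-pre.target`, so rules are in place before any interface comes up. If the start path needs name resolution for host-based rules, the current ordering may be a deliberate trade-off, in which case a comment in the unit stating that would save the next reader the question. `WantedBy=default.target` works where default.target aliases multi-user or graphical, but `multi-user.target` is the conventional install target for a system service and avoids depending on that alias.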