-
Notifications
You must be signed in to change notification settings - Fork 0
/
fwfunctions
821 lines (715 loc) · 32.7 KB
/
fwfunctions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
#!/bin/bash
# (C) Copyright Dariusz Kowalczyk
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
function get_config {
echo "$current_time - Connecting to LMS and downloading configuration files" >> $logdir/$logfile
$copy_cmd_url/* ${FW_CONFIG_TEMP_DIR} || { echo "$current_time - Can not download config files" >> $logdir/$logfile; exit 1; }
cd $confdir
for FILENAME in *
do
mv $FILENAME $oldconfdir/$FILENAME || { echo "$current_time - Can not move old config file $FILENAME to $oldconfdir/$FILENAME" >> $logdir/$logfile; exit 1; }
done
cp ${FW_CONFIG_TEMP_DIR}/* $confdir/ || { echo "$current_time - Can not copy new config files $FILENAME to cuurent config" >> $logdir/$logfile; exit 1; }
echo "$current_time - get_config OK" >> $logdir/$logfile
}
function get_shaper_config {
echo "The LMS generates a configuration for the Shaper"
$exec_cmd "timeout 10 $lmsd -q -i $lmsd_shaper_instance -h $lms_dbhost:3306 -H $lmsd_host -u $lms_dbuser -d $lms_db" || { echo "$current_time - Can not connect to database" >> $logdir/$logfile; exit 1; }
echo "Waiting a few seconds"
sleep 5
mv $confdir/$shaper_file $oldconfdir/$shaper_file
echo "Connecting to the server and download the configuration file for Shaper"
$copy_cmd_url/$shaper_file $confdir/ || { echo "$current_time - Can not download shaper config file - $shaper_file" >> $logdir/$logfile; mv $oldconfdir/$shaper_file $confdir/; exit 1; }
echo "$current_time - get_shaper_config OK" >> $logdir/$logfile
}
function lmsd_reload {
echo "Reloading all lmsd instances on the remote machine"
$exec_cmd "$lmsd -q -h $lms_dbhost:3306 -H $lmsd_host -u $lms_dbuser -d $lms_db" || { echo "$current_time - Can not connect to database" >> $logdir/$logfile; exit 1; }
echo "$current_time - Waiting 10s for lmsd to create new configuration files" >> $logdir/$logfile
sleep 10
}
function dhcpd_cmd {
if [ "$1" = "restart" ]; then
dhcpd_conf_current=$(cat $confdir/dhcpd.conf |sha1sum)
dhcpd_conf_new=$(cat $oldconfdir/dhcpd.conf |sha1sum)
if [ "$dhcpd_conf_current" != "$dhcpd_conf_new" ]; then
echo "$current_time - The dhcpd.conf file has a new configuration, restarting the DHCP server" >> $logdir/$logfile
systemctl restart dhcpd.service
else
echo "Configuration of dhcpd.conf is identical, reboot is not needed"
fi
elif [ "$1" = "start" ]; then
systemctl restart dhcpd.service
elif [ "$1" = "stop" ]; then
systemctl stop dhcpd.service
fi
}
function htb_cmd {
if [ "$1" = "restart" ]; then
rc_htb_current=$(cat $confdir/rc.htb |sha1sum)
rc_htb_new=$(cat $oldconfdir/rc.htb |sha1sum)
if [ "$rc_htb_current" != "$rc_htb_new" ]; then
echo "$current_time - The rc.htb file has a new configuration, restarting Shaper" >> $logdir/$logfile
bash $confdir/rc.htb stop
bash $confdir/rc.htb start
else
echo "The rc.htb configuration is identical, a restart is not needed"
fi
elif [ "$1" = "stop" ]; then
bash $confdir/rc.htb stop
echo "$current_time - htb_cmd stop OK" >> $logdir/$logfile
elif [ "$1" = "start" ]; then
echo "Launching a Shaper"
bash $confdir/rc.htb start
fi
}
function shaper_cmd {
if [ "$1" = "restart" ]; then
shaper_current=$(cat $confdir/$shaper_file |sha1sum)
shaper_new=$(cat $oldconfdir/$shaper_file |sha1sum)
if [ "$shaper_current" != "$shaper_new" ]; then
echo "$current_time - Shaper has a new configuration, restarting Shaper" >> $logdir/$logfile
sleep 5
shaper_cmd stop
shaper_cmd start
else
echo "The Shaper configuration is identical, a restart is not needed"
fi
elif [ "$1" = "stop" ]; then
tc qdisc del dev $LAN root 2> /dev/null
tc qdisc del dev $WAN root 2> /dev/null
iptables -t mangle -F
iptables -t mangle -X
elif [ "$1" = "start" ]; then
shaper_cmd stop
delimiter=$IFS
while IFS='=' read arg1 arg2; do
if [ "$arg1" = "LAN_INTERFACE_SPEED_LIMIT" ]; then
LAN_INTERFACE_SPEED_LIMIT=$arg2
elif [ "$arg1" = "ISP_RX_LIMIT" ]; then
ISP_RX_LIMIT=$arg2
elif [ "$arg1" = "ISP_TX_LIMIT" ]; then
ISP_TX_LIMIT=$arg2
elif [ "$arg1" = "LAN_UNCLASSIFIED_RATE_LIMIT" ]; then
LAN_UNCLASSIFIED_RATE_LIMIT=$arg2
elif [ "$arg1" = "LAN_UNCLASSIFIED_CEIL_LIMIT" ]; then
LAN_UNCLASSIFIED_CEIL_LIMIT=$arg2
elif [ "$arg1" = "WAN_UNCLASSIFIED_RATE_LIMIT" ]; then
WAN_UNCLASSIFIED_RATE_LIMIT=$arg2
elif [ "$arg1" = "WAN_UNCLASSIFIED_CEIL_LIMIT" ]; then
WAN_UNCLASSIFIED_CEIL_LIMIT=$arg2
elif [ "$arg1" = "GW_TO_LAN_RATE_LIMIT" ]; then
GW_TO_LAN_RATE_LIMIT=$arg2
elif [ "$arg1" = "GW_TO_LAN_CEIL_LIMIT" ]; then
GW_TO_LAN_CEIL_LIMIT=$arg2
elif [ "$arg1" = "GW_TO_WAN_RATE_LIMIT" ]; then
GW_TO_WAN_RATE_LIMIT=$arg2
elif [ "$arg1" = "GW_TO_WAN_CEIL_LIMIT" ]; then
GW_TO_WAN_CEIL_LIMIT=$arg2
elif [ "$arg1" = "GW_TO_LAN_PRIORITY" ]; then
GW_TO_LAN_PRIORITY=$arg2
elif [ "$arg1" = "GW_TO_WAN_PRIORITY" ]; then
GW_TO_WAN_PRIORITY=$arg2
elif [ "$arg1" = "LAN_UNCLASSIFIED_PRIORITY" ]; then
LAN_UNCLASSIFIED_PRIORITY=$arg2
elif [ "$arg1" = "WAN_UNCLASSIFIED_PRIORITY" ]; then
WAN_UNCLASSIFIED_PRIORITY=$arg2
elif [ "$arg1" = "LAN_HOSTS_PRIORITY" ]; then
LAN_HOSTS_PRIORITY=$arg2
elif [ "$arg1" = "WAN_HOSTS_PRIORITY" ]; then
WAN_HOSTS_PRIORITY=$arg2
fi
done < <(cat $confdir/$shaper_file|grep -v \#)
IFS=$delimiter
if [ -z "$LAN_INTERFACE_SPEED_LIMIT" ]; then
LAN_INTERFACE_SPEED_LIMIT=$DEFAULT_LAN_INTERFACE_SPEED_LIMIT
fi
if [ -z "$ISP_RX_LIMIT" ]; then
ISP_RX_LIMIT=$DEFAULT_ISP_RX_LIMIT
fi
if [ -z "$ISP_TX_LIMIT" ]; then
ISP_TX_LIMIT=$DEFAULT_ISP_TX_LIMIT
fi
if [ -z "$LAN_UNCLASSIFIED_RATE_LIMIT" ]; then
LAN_UNCLASSIFIED_RATE_LIMIT=$DEFAULT_LAN_UNCLASSIFIED_RATE_LIMIT
fi
if [ -z "$LAN_UNCLASSIFIED_CEIL_LIMIT" ]; then
LAN_UNCLASSIFIED_CEIL_LIMIT=$DEFAULT_LAN_UNCLASSIFIED_CEIL_LIMIT
fi
if [ -z "$WAN_UNCLASSIFIED_RATE_LIMIT" ]; then
WAN_UNCLASSIFIED_RATE_LIMIT=$DEFAULT_WAN_UNCLASSIFIED_RATE_LIMIT
fi
if [ -z "$WAN_UNCLASSIFIED_CEIL_LIMIT" ]; then
WAN_UNCLASSIFIED_CEIL_LIMIT=$DEFAULT_WAN_UNCLASSIFIED_CEIL_LIMIT
fi
if [ -z "$GW_TO_LAN_RATE_LIMIT" ]; then
GW_TO_LAN_RATE_LIMIT=$DEFAULT_GW_TO_LAN_RATE_LIMIT
fi
if [ -z "$GW_TO_LAN_CEIL_LIMIT" ]; then
GW_TO_LAN_CEIL_LIMIT=$DEFAULT_GW_TO_LAN_CEIL_LIMIT
fi
if [ -z "$GW_TO_WAN_RATE_LIMIT" ]; then
GW_TO_WAN_RATE_LIMIT=$DEFAULT_GW_TO_WAN_RATE_LIMIT
fi
if [ -z "$GW_TO_WAN_CEIL_LIMIT" ]; then
GW_TO_WAN_CEIL_LIMIT=$DEFAULT_GW_TO_WAN_CEIL_LIMIT
fi
if [ -z "$GW_TO_LAN_PRIORITY" ]; then
GW_TO_LAN_PRIORITY=$DEFAULT_GW_TO_LAN_PRIORITY
fi
if [ -z "$GW_TO_WAN_PRIORITY" ]; then
GW_TO_WAN_PRIORITY=$DEFAULT_GW_TO_WAN_PRIORITY
fi
if [ -z "$LAN_UNCLASSIFIED_PRIORITY" ]; then
LAN_UNCLASSIFIED_PRIORITY=$DEFAULT_LAN_UNCLASSIFIED_PRIORITY
fi
if [ -z "$WAN_UNCLASSIFIED_PRIORITY" ]; then
WAN_UNCLASSIFIED_PRIORITY=$DEFAULT_WAN_UNCLASSIFIED_PRIORITY
fi
if [ -z "$LAN_HOSTS_PRIORITY" ]; then
LAN_HOSTS_PRIORITY=$DEFAULT_LAN_HOSTS_PRIORITY
fi
if [ -z "$WAN_HOSTS_PRIORITY" ]; then
WAN_HOSTS_PRIORITY=$DEFAULT_WAN_HOSTS_PRIORITY
fi
if [ -z "$BURST" ]; then
BURST=""
else
BURST="burst $BURST"
fi
echo LAN_INTERFACE_SPEED_LIMIT=$LAN_INTERFACE_SPEED_LIMIT
echo ISP_RX_LIMIT=$ISP_RX_LIMIT
echo ISP_TX_LIMIT=$ISP_TX_LIMIT
echo LAN_UNCLASSIFIED_RATE_LIMIT=$LAN_UNCLASSIFIED_RATE_LIMIT
echo LAN_UNCLASSIFIED_CEIL_LIMIT=$LAN_UNCLASSIFIED_CEIL_LIMIT
echo WAN_UNCLASSIFIED_RATE_LIMIT=$WAN_UNCLASSIFIED_RATE_LIMIT
echo WAN_UNCLASSIFIED_CEIL_LIMIT=$WAN_UNCLASSIFIED_CEIL_LIMIT
echo GW_TO_LAN_RATE_LIMIT=$GW_TO_LAN_RATE_LIMIT
echo GW_TO_LAN_CEIL_LIMIT=$GW_TO_LAN_CEIL_LIMIT
echo GW_TO_WAN_RATE_LIMIT=$GW_TO_WAN_RATE_LIMIT
echo GW_TO_WAN_CEIL_LIMIT=$GW_TO_WAN_CEIL_LIMIT
echo GW_TO_LAN_PRIORITY=$GW_TO_LAN_PRIORITY
echo GW_TO_WAN_PRIORITY=$GW_TO_WAN_PRIORITY
echo LAN_UNCLASSIFIED_PRIORITY=$LAN_UNCLASSIFIED_PRIORITY
echo WAN_UNCLASSIFIED_PRIORITY=$WAN_UNCLASSIFIED_PRIORITY
echo LAN_HOSTS_PRIORITY=$LAN_HOSTS_PRIORITY
echo WAN_HOSTS_PRIORITY=$WAN_HOSTS_PRIORITY
#To LAN
# Set global limit for LAN interface
tc qdisc add dev $LAN root handle 1:0 htb default 3 r2q 1
tc class add dev $LAN parent 1:0 classid 1:1 htb rate $LAN_INTERFACE_SPEED_LIMIT ceil $LAN_INTERFACE_SPEED_LIMIT $BURST quantum 1500
# Set limit for all traffic from Internet to LAN
tc class add dev $LAN parent 1:1 classid 1:2 htb rate $ISP_RX_LIMIT ceil $ISP_RX_LIMIT $BURST quantum 1500
#Set default limit for traffic from Internet to LAN
tc class add dev $LAN parent 1:1 classid 1:3 htb rate $LAN_UNCLASSIFIED_RATE_LIMIT ceil $LAN_UNCLASSIFIED_CEIL_LIMIT prio $LAN_UNCLASSIFIED_PRIORITY quantum 1500
tc qdisc add dev $LAN parent 1:3 sfq perturb 10
#Set limit for traffic from GATEWAY to LAN
tc class add dev $LAN parent 1:1 classid 1:4 htb rate $GW_TO_LAN_RATE_LIMIT ceil $GW_TO_LAN_CEIL_LIMIT $BURST prio $GW_TO_LAN_PRIORITY quantum 1500
tc qdisc add dev $LAN parent 1:4 sfq perturb 10
iptables -t mangle -A OUTPUT -o $LAN -j CLASSIFY --set-class 1:4
#To WAN
# Set limit for all traffic from WAN to Internet
tc qdisc add dev $WAN root handle 2:0 htb default 3 r2q 1
tc class add dev $WAN parent 2:0 classid 2:1 htb rate $ISP_TX_LIMIT ceil $ISP_TX_LIMIT $BURST quantum 1500
# Set default limit for traffic from WAN to Internet
tc class add dev $WAN parent 2:1 classid 2:3 htb rate $WAN_UNCLASSIFIED_RATE_LIMIT ceil $WAN_UNCLASSIFIED_CEIL_LIMIT prio $WAN_UNCLASSIFIED_PRIORITY quantum 1500
tc qdisc add dev $WAN parent 2:3 sfq perturb 10
#Set limit for traffic from GATEWAY to WAN
tc class add dev $WAN parent 2:1 classid 2:4 htb rate $GW_TO_WAN_RATE_LIMIT ceil $GW_TO_WAN_CEIL_LIMIT $BURST prio $GW_TO_WAN_PRIORITY quantum 1500
tc qdisc add dev $WAN parent 2:4 sfq perturb 10
iptables -t mangle -A OUTPUT -o $WAN -j CLASSIFY --set-class 2:4
#To and from CUSTOMERS
#Set limit for customers host
# network_list=$(cat $confdir/$shaper_file |grep filter |awk '{print $2}'|awk -F\. '{print $1"."$2"."$3}'|sort -u)
network_list=$(awk '/filter / {split($2, ip, "."); print ip[1]"."ip[2]"."ip[3]}' "$confdir"/"$shaper_file" | sort -u )
for net in $network_list; do
iptables -t mangle -N COUNTERSIN$net
iptables -t mangle -N COUNTERSOUT$net
iptables -t mangle -I FORWARD -i $WAN -d $net.0/24 -j COUNTERSIN$net
iptables -t mangle -I FORWARD -o $WAN -s $net.0/24 -j COUNTERSOUT$net
done
h=99
while read arg1 arg2 arg3 arg4; do
if [ "$arg1" = "customer" ]; then
let h=$h+1
elif [ "$arg1" = "class_up" ]; then
tc class add dev $WAN parent 2:1 classid 2:$h htb rate $arg2 ceil $arg3 $BURST prio $WAN_HOSTS_PRIORITY quantum 1500
tc qdisc add dev $WAN parent 2:$h sfq perturb 10
elif [ "$arg1" = "class_down" ]; then
tc class add dev $LAN parent 1:2 classid 1:$h htb rate $arg2 ceil $arg3 $BURST prio $LAN_HOSTS_PRIORITY quantum 1500
tc qdisc add dev $LAN parent 1:$h sfq perturb 10
elif [ "$arg1" = "filter" ]; then
echo $arg2 | { IFS='.' read -r octet1 octet2 octet3 octet4;
iptables -t mangle -A COUNTERSOUT$octet1.$octet2.$octet3 -s $arg2 -j CLASSIFY --set-class 2:$h;
iptables -t mangle -A COUNTERSIN$octet1.$octet2.$octet3 -d $arg2 -j CLASSIFY --set-class 1:$h; }
fi
done < <(cat $confdir/$shaper_file|grep -v \#)
elif [ "$1" = "stats" ]; then
#IPT_TABLE_CC=$(iptables -t mangle -w 2 -nL FORWARD |grep COUNTERSOUT |awk '{print $1}')
IPT_TABLE_CC=$(iptables -t mangle -w 2 -nL FORWARD |awk '/COUNTERSOUT/{print $1}')
if [ ! -z "$IPT_TABLE_CC" ]; then
for IPT_TABLE_ELEMENT in $IPT_TABLE_CC; do
#iptables -t mangle -w 1 -nvxL $IPT_TABLE_ELEMENT |tail -n +3 | awk '{print $8 " "$2}' |grep -v 0.0.0.0 >> /tmp/upload.tmp
iptables -t mangle -w 1 -nvxL $IPT_TABLE_ELEMENT |awk 'NR>2 {if ($8 != "0.0.0.0") print $8 " "$2}' >> /tmp/upload.tmp
done
for IPT_TABLE_ELEMENT in $(iptables -t mangle -nL FORWARD |grep COUNTERSIN |awk '{print $1}'); do
#iptables -t mangle -w 1 -nvxL $IPT_TABLE_ELEMENT |tail -n +3 | awk '{print $9 " "$2}' |grep -v 0.0.0.0 >> /tmp/download.tmp
iptables -t mangle -w 1 -nvxL $IPT_TABLE_ELEMENT | awk 'NR>2 {if ($8 != "0.0.0.0") print $9 " "$2}' >> /tmp/download.tmp
done
iptables -t mangle -Z
join /tmp/upload.tmp /tmp/download.tmp | grep -v " 0 0"
rm /tmp/upload.tmp /tmp/download.tmp
fi
elif [ "$1" = "status" ]; then
iptables -t mangle -w 2 -nvL
echo
echo "$LAN interface"
echo "----------------"
for TC_OPTIONS in qdisc class filter; do
if [ ! -z "$LAN" ]; then
echo
echo "$TC_OPTIONS"
echo "------"
tc $TC_OPTIONS show dev $LAN
fi
done
echo
echo "$WAN interface"
echo "----------------"
for TC_OPTIONS in qdisc class filter; do
if [ ! -z "$WAN" ]; then
echo
echo "$TC_OPTIONS"
echo "------"
tc $TC_OPTIONS show dev $WAN
fi
done
fi
}
function create_fw_hashtables {
#hashtable for granted host
current_ipset_list=$(ipset -q --list fw_ip)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_ip hash:ip hashsize 2048
fi
#hashtable for denied host
current_ipset_list=$(ipset -q --list fw_denied_hosts)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_denied_hosts hash:ip hashsize 1024
fi
#hashtable for warned host
current_ipset_list=$(ipset -q --list fw_warned_hosts)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_warned_hosts hash:ip hashsize 2048
fi
#hashtable for blacklisted host/networks
current_ipset_list=$(ipset -q --list fw_blacklist)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_time_blacklist hash:net hashsize 2048 timeout 900
ipset create fw_permanent_blacklist hash:net hashsize 2048
fi
#hashtable for permanent banned dst ports on LAN interface
current_ipset_list=$(ipset -q --list fw_lan_banned_dst_ports)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_lan_banned_dst_ports bitmap:port range 0-65535
fi
#hashtable for permanent banned dst ports on WAN interface
current_ipset_list=$(ipset -q --list fw_wan_banned_dst_ports)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_wan_banned_dst_ports bitmap:port range 0-65535
fi
#hashtable for ddos protected dst ports on LAN interface
current_ipset_list=$(ipset -q --list fw_lan_ddos_protected_ports)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_lan_ddos_protected_ports bitmap:port range 0-65535
fi
#hashtable for ddos source from WAN interface
current_ipset_list=$(ipset -q --list fw_wan_ddos_source)
if ([ "$current_ipset_list" = "" ]); then
ipset create fw_wan_ddos_source hash:ip hashsize 2048 timeout 900
fi
#hashtable for nat1-n host
while read nat_name ip; do
ipset create "$nat_name" hash:ip hashsize 1024
done <$confdir/$nat_1n_ip_file
echo "$current_time - create_fw_hashtables OK" >> $logdir/$logfile
}
function create_tmp_hashtables {
#create tmp hashtable for granted host
ipset create fw_ip.tmp hash:ip hashsize 2048
#create tmp hashtable for denied host
ipset create fw_denied_hosts.tmp hash:ip hashsize 1024
#create tmp hashtable for warned host
ipset create fw_warned_hosts.tmp hash:ip hashsize 2048
#create tmp hashtable for blacklisted hosts/networks
ipset create fw_permanent_blacklist.tmp hash:net hashsize 2048
#create tmp hashtable for banned dst ports on LAN interface
ipset create fw_lan_banned_dst_ports.tmp bitmap:port range 0-65535
#create tmp hashtable for banned dst ports on WAN interface
ipset create fw_wan_banned_dst_ports.tmp bitmap:port range 0-65535
#create tmp hashtable for DDoS protected dst ports on LAN interface
ipset create fw_lan_ddos_protected_ports.tmp bitmap:port range 0-65535
#create tmp hashtable for nat1-n host
while read nat_name ip; do
ipset create "$nat_name".tmp hash:ip hashsize 1024
done <$confdir/$nat_1n_ip_file
echo "$current_time - create_tmp_hashtables OK" >> $logdir/$logfile
}
function destroy_tmp_hashtables {
for ipsetlist in $(ipset list -n|grep .tmp)
do
ipset destroy $ipsetlist
done
echo "$current_time - destroy_tmp_hashtables OK" >> $logdir/$logfile
}
function load_tmp_fw_ip_hashtable {
while read status i; do
if [ "$status" = "grantedhost" ]; then
ipset add fw_ip.tmp $i
elif [ "$status" = "deniedhost" ]; then
ipset add fw_denied_hosts.tmp $i
elif [ "$status" = "warnedhost" ]; then
ipset add fw_warned_hosts.tmp $i
else
echo "The file $ public_ip_file has an invalid format, the correct one is: grantedhost|deniedhost|warnedhost ip_addres" >> $logdir/$logfile
fi
done < $confdir/$public_ip_file
echo "$current_time - load_tmp_fw_ip_hashtable OK" >> $logdir/$logfile
}
function load_tmp_nat1n_hashtables {
while read nat_name ip; do
while read status i; do
if [ "$status" = "grantedhost" ]; then
ipset add $nat_name.tmp $i
ipset add fw_ip.tmp $i
elif [ "$status" = "deniedhost" ]; then
ipset add fw_denied_hosts.tmp $i
elif [ "$status" = "warnedhost" ]; then
ipset add fw_warned_hosts.tmp $i
else
echo "The file $ nat_name is not in the correct format, the correct format is: grantedhost | deniedhost | warnedhost ip_address" >> $logdir/$logfile
fi
done < $confdir/$nat_name
done <$confdir/$nat_1n_ip_file
echo "$current_time - load_tmp_nat1n_hashtables OK" >> $logdir/$logfile
}
function load_tmp_nat_11_hashtable {
while read status i ipub; do
if [ "$status" = "grantedhost" ]; then
ipset add fw_ip.tmp $i
elif [ "$status" = "deniedhost" ]; then
ipset add fw_denied_hosts.tmp $i
elif [ "$status" = "warnedhost" ]; then
ipset add fw_warned_hosts.tmp $i
else
echo "File $nat_11_file has the wrong format, correct format: grantedhost|deniedhost|warnedhost ip_adres ipub_adres" >> $logdir/$logfile
fi
done < $confdir/$nat_11_file
echo "$current_time - load_tmp_nat_11_hashtable OK" >> $logdir/$logfile
}
function load_tmp_blacklist_hashtable {
while read network; do
ipset add fw_permanent_blacklist.tmp $network
done < $confdir/$blacklist_file
echo "$current_time - load_permanent_blacklist_tmp_hashtable OK" >> $logdir/$logfile
}
function load_tmp_lan_banned_dst_ports_hashtable {
while read ports; do
ipset add fw_lan_banned_dst_ports.tmp $ports
done < $confdir/$lan_banned_dst_ports_file
echo "$current_time - load_tmp_lan_banned_dst_ports_hashtable OK" >> $logdir/$logfile
}
function load_tmp_wan_banned_dst_ports_hashtable {
while read ports; do
ipset add fw_wan_banned_dst_ports.tmp $ports
done < $confdir/$wan_banned_dst_ports_file
echo "$current_time - load_tmp_wan_banned_dst_ports_hashtable OK" >> $logdir/$logfile
}
function load_tmp_lan_ddos_protected_ports_hashtable {
while read ports; do
ipset add fw_lan_ddos_protected_ports.tmp $ports
done < $confdir/$lan_ddos_protected_ports_file
echo "$current_time - load_tmp_lan_ddos_protected_ports_hashtable OK" >> $logdir/$logfile
}
function load_new_ipset_hashtables {
for ipsetname in $(ipset list -n|grep -v .tmp|grep -v fw_time_blacklist |grep -v fw_wan_ddos_source); do
current=$(ipset list $ipsetname |tail -n +9 |sort |sha1sum)
new=$(ipset list $ipsetname.tmp |tail -n +9 |sort |sha1sum)
if [ "$current" != "$new" ]; then
echo "$current_time - Loading new content into $ipsetname" >> $logdir/$logfile
ipset -W $ipsetname $ipsetname.tmp
fi
ipset -X $ipsetname.tmp
echo "$current_time - Deleting $ipsetname.tmp" >> $logdir/$logfile
done
echo "$current_time - load_new_ipset_hashtables OK" >> $logdir/$logfile
}
function load_nat_1n_fw_rules {
while read nat_name ip; do
iptables -t nat -A POSTROUTING -o $WAN -m set --match-set $nat_name src -j SNAT --to-source $ip
done <$confdir/$nat_1n_ip_file
echo "$current_time - load_nat_1n_fw_rules OK" >> $logdir/$logfile
}
function load_nat_11_fw_rules {
while read status i ipub; do
if [ "$status" = "grantedhost" ]; then
iptables -t nat -A POSTROUTING -o $WAN -s $i -j SNAT --to-source $ipub
iptables -t nat -A PREROUTING -i $WAN -d $ipub -j DNAT --to-destination $i
fi
done < $confdir/$nat_11_file
echo "$current_time - load_nat_11_fw_rules OK" >> $logdir/$logfile
}
function modify_nat11_fw_rules {
lista_zmian=$(diff --unchanged-line-format="" --old-line-format="removed %L" --new-line-format="added %L" $oldconfdir/$nat_11_file $confdir/$nat_11_file)
while read arg1 arg2 arg3 arg4; do
if ([ "$arg1" = "added" ] && [ "$arg2" = "deniedhost" ]) || ([ "$arg1" = "removed" ] && [ "$arg2" = "grantedhost" ]); then
current_iptables_nat11_postrouting_rules=$(iptables -L POSTROUTING -n -t nat --line-numbers|grep -v match-set|grep NAT)
while read ipt_num ipt_target ipt_prot ipt_opt ipt_source ipt_destination ipt_destination2
do
if [ "$arg3" = "$ipt_source" ]; then
iptables -t nat -D POSTROUTING $ipt_num
fi
done < <(echo -e "$current_iptables_nat11_postrouting_rules")
current_iptables_nat11_prerouting_rules=$(iptables -L PREROUTING -n -t nat --line-numbers|grep -v match-set|grep NAT)
while read ipt_num ipt_target ipt_prot ipt_opt ipt_source ipt_destination ipt_destination2
do
if [ "$arg4" = "$ipt_destination" ]; then
iptables -t nat -D PREROUTING $ipt_num
fi
done < <(echo -e "$current_iptables_nat11_prerouting_rules")
fi
if ([ "$arg1" = "added" ] && [ "$arg2" = "grantedhost" ]); then
current_iptables_postrouting_rules=$(iptables -L POSTROUTING -n -t nat --line-numbers|grep -v match-set|grep SNAT|grep $arg4$)
if [ "$current_iptables_postrouting_rules" = "" ]; then
iptables -t nat -A POSTROUTING -o $WAN -s $arg3 -j SNAT --to-source $arg4
fi
current_iptables_prerouting_rules=$(iptables -L PREROUTING -n -t nat --line-numbers|grep -v match-set|grep DNAT|grep $arg3$)
if [ "$current_iptables_prerouting_rules" = "" ]; then
iptables -t nat -A PREROUTING -i $WAN -d $arg4 -j DNAT --to-destination $arg3
fi
fi
done < <(echo -e "$lista_zmian")
echo "$current_time - modify_nat11_fw_rules OK" >> $logdir/$logfile
}
function modify_nat1n_fw_rules {
lista_zmian=$(diff --unchanged-line-format="" --old-line-format="removed %L" --new-line-format="added %L" $oldconfdir/$nat_1n_ip_file $confdir/$nat_1n_ip_file)
while read arg1 arg2 arg3; do
if ([ "$arg1" = "removed" ]); then
current_iptables_nat1n_postrouting_rules=$(iptables -L POSTROUTING -n -t nat --line-numbers|grep match-set)
while read ipt1 ipt2 ipt3 ipt4 ipt5 ipt6 ipt7 ipt8 ipt9 ipt10
do
if [ "to:$arg3" = "$ipt10" ]; then
iptables -t nat -D POSTROUTING $ipt1
ipset destroy $arg2
fi
done < <(echo -e "$current_iptables_nat1n_postrouting_rules")
fi
if ([ "$arg1" = "added" ]); then
current_iptables_postrouting_rules=$(iptables -L POSTROUTING -n -t nat --line-numbers|grep match-set|grep $arg3$)
current_ipset_list=$(ipset -q --list $arg2)
if ([ "$current_iptables_postrouting_rules" = "" ] && [ "$current_ipset_list" = "" ]); then
ipset create "$arg2" hash:ip hashsize 1024
iptables -t nat -I POSTROUTING -o $WAN -m set --match-set $arg2 src -j SNAT --to-source $arg3
fi
fi
done < <(echo -e "$lista_zmian")
echo "$current_time - modify_nat1n_fw_rules OK" >> $logdir/$logfile
}
function firewall_up {
#Network Tuning Factors
#Change default ARP table for large networks.
if [ $(cat /proc/sys/net/ipv4/neigh/default/gc_thresh1) -lt 2048 ]; then
sysctl -w net.ipv4.neigh.default.gc_thresh1=2048
sysctl -w net.ipv4.neigh.default.gc_thresh2=4096
sysctl -w net.ipv4.neigh.default.gc_thresh3=8192
fi
#Defines the default and maximum receive window size.
if [ $(cat /proc/sys/net/core/rmem_default) -lt 1048576 ]; then
sysctl -w net.core.rmem_default=1048576
sysctl -w net.core.rmem_max=2097152
fi
#Defines the default and maximum send window size.
if [ $(cat /proc/sys/net/core/wmem_default) -lt 1048576 ]; then
sysctl -w net.core.wmem_default=1048576
sysctl -w net.core.wmem_max=2097152
fi
#Increasing nf_conntrack table size
sysctl -w net.netfilter.nf_conntrack_max=524288
#Enable IP forwardings
sysctl -w net.ipv4.ip_forward=1
#Set chains default policy
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
#
#FILTER TABLE
#
#INPUT CHAIN
iptables -I INPUT -i $WAN -p tcp --match multiport --dport 22,25 -j SET --add-set fw_time_blacklist src
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $WAN -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
iptables -A INPUT -i $LAN -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
iptables -A INPUT -i $LAN -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m state --state NEW -m tcp --dport 222 -j ACCEPT
iptables -A INPUT -i eno1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
#FORWARD CHAIN
#Drop forward some ports from WAN to LAN
iptables -A FORWARD -i $WAN -o $LAN -p tcp -m set --match-set fw_lan_banned_dst_ports dst -j DROP
#Drop ddos attack from fw_wan_ddos_source to fw_lan_ddos_protected_ports
iptables -A FORWARD -i $WAN -o $LAN -p tcp -m set --match-set fw_lan_ddos_protected_ports dst -m set --match-set fw_wan_ddos_source src -j DROP
#Drop forward some ports from WAN to LAN
iptables -A FORWARD -i $LAN -o $WAN -p tcp -m set --match-set fw_wan_banned_dst_ports dst -j DROP
#https://pl.wikibooks.org/wiki/Sieci_w_Linuksie/Netfilter/iptables/dopasowania
#Drop DDoS on RDP port
## iptables -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -m recent --name forcerdp --rdest --set
## iptables -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -m recent --name forcerdp --rdest --update --seconds 120 --hitcount 5 -j DROP
#iptables -A FORWARD -i $WAN -o $LAN -p tcp --match multiport --dport 22,23,3389 -m state --state NEW -m recent --set --name RMTMGMT
#iptables -A FORWARD -i $WAN -o $LAN -p tcp --match multiport --dport 22,23,3389 -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name RMTMGMT -j SET --add-set fw_time_blacklist src
iptables -A FORWARD -i $WAN -o $LAN -p tcp -m set --match-set fw_lan_ddos_protected_ports dst -m state --state NEW -m recent --set --name LDDOSPP
iptables -A FORWARD -i $WAN -o $LAN -p tcp -m set --match-set fw_lan_ddos_protected_ports dst -m state --state NEW -m recent --update --seconds 120 --hitcount 5 --rttl --name LDDOSPP -j SET --add-set fw_wan_ddos_source src
#Enable packet logging
iptables -A FORWARD -i $LAN -m state --state NEW -p tcp -j ULOG --ulog-nlgroup 1 --ulog-prefix FORWARDED-CONN
#Allow packet transfer only between LAN and WAN interfaces for selected hosts from the fw_ip list
iptables -A FORWARD -i $LAN -o $WAN -m set --match-set fw_ip src -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m set --match-set fw_ip dst -j ACCEPT
iptables -A FORWARD -i $LAN -o $LAN -m set --match-set fw_ip src -j ACCEPT
#
#NAT TABLE
#
#Redirect for blocked clients with enabled warning in LMS
iptables -t nat -A PREROUTING -i $LAN -m set --match-set fw_warned_hosts src -m set --match-set fw_denied_hosts src -p tcp --dport 80 -j DNAT --to $proxy_ip:3128
#Redirect for clients with LMS warning enabled
# iptables -t nat -A PREROUTING -i $LAN -m set --match-set fw_warned_hosts src -p tcp --dport 80 -j DNAT --to $proxy_ip:3128
#Load SNAT rules for NAT 1:n users
load_nat_1n_fw_rules
#Load SNAT / DNAT rules for 1:1 NAT users
load_nat_11_fw_rules
echo "$current_time - firewall_up OK" >> $logdir/$logfile
#
#RAW TABLE
#
#Blacklisted host/network
iptables -t raw -A PREROUTING -m set --match-set fw_permanent_blacklist src -j DROP
iptables -t raw -A PREROUTING -m set --match-set fw_time_blacklist src -j DROP
}
function firewall_down {
sysctl -w net.ipv4.ip_forward=0
for i in raw filter nat mangle
do
iptables -t $i -F
iptables -t $i -X
done
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
echo "$current_time - firewall_down OK" >> $logdir/$logfile
}
function destroy_all_hashtables {
for ipsetlist in $(ipset list -n)
do
ipset destroy $ipsetlist
done
echo "$current_time - destroy_all_hashtables OK" >> $logdir/$logfile
}
function load_fw_hashtables {
destroy_tmp_hashtables
create_tmp_hashtables
load_tmp_fw_ip_hashtable
load_tmp_nat1n_hashtables
load_tmp_nat_11_hashtable
load_tmp_lan_banned_dst_ports_hashtable
load_tmp_wan_banned_dst_ports_hashtable
load_tmp_lan_ddos_protected_ports_hashtable
load_tmp_blacklist_hashtable
load_new_ipset_hashtables
echo "$current_time - load_fw_hashtables OK" >> $logdir/$logfile
}
function static_routing_up {
if [ -s $confdir/$routed_nets_file ]; then
while read net gw interface; do
ip route add $net via $gw dev $interface
done < $confdir/$routed_nets_file
echo "$current_time - Adding static routing entries" >> $logdir/$logfile
else
echo "$current_time - Static routing enries not exist" >> $logdir/$logfile
fi
}
function static_routing_down {
while read net gw interface; do
ip route del $net via $gw dev $interface
done < $confdir/$routed_nets_file
echo "$current_time - Removing static routing entries" >> $logdir/$logfile
}
function fw_cron {
if [ "$1" = "start" ]; then
echo "# Run the fw.sh cron jobs
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=""
* * * * * root $scriptsdir/fw.sh lmsd > /dev/null 2>&1
00 22 * * * root $scriptsdir/fw.sh shaper_restart > /dev/null 2>&1
00 10 * * * root $scriptsdir/fw.sh shaper_restart > /dev/null 2>&1
" > /etc/cron.d/fw_sh
echo "$current_time - Enabling cron for fw.sh" >> $logdir/$logfile
elif [ "$1" = "stop" ]; then
if [ -f /etc/cron.d/fw_sh ]; then
rm /etc/cron.d/fw_sh
fi
echo "$current_time - Disabling cron for fw.sh" >> $logdir/$logfile
fi
}
function fwstatus {
echo "--------"
echo "IPTABLES"
echo "--------"
echo ""
for tablename in raw filter nat mangle
do
echo "-------"
echo "$tablename"
echo "-------"
iptables -t $tablename -nvL --line-numbers
echo ""
done
echo "-----"
echo "IPSET"
echo "-----"
echo ""
# for ipsetname in $(ipset list -n)
# do
# ipset list $ipsetname
# echo ""
# done
echo "----------"
echo "IPSET LIST"
echo "----------"
ipset list -n
echo ""
echo "-----------------------------"
echo Kernel Network Core Paremeters
echo "-----------------------------"
sysctl net.ipv4.neigh.default.gc_thresh1
sysctl net.ipv4.neigh.default.gc_thresh2
sysctl net.ipv4.neigh.default.gc_thresh3
sysctl net.core.rmem_default
sysctl net.core.rmem_max
sysctl net.core.wmem_default
sysctl net.core.wmem_max
sysctl net.netfilter.nf_conntrack_max
sysctl net.netfilter.nf_conntrack_count
echo ""
echo "$current_time - fwstatus OK" >> $logdir/$logfile
}