File: bastille-firewall-early.sh

#
# /etc/Bastille/bastille-firewall-early.sh
#
# a Bourne script
#
# ** This script is sourced, so do NOT use 'exit' **
#
# Use this file for commands run after the Bastille firewall
# script flushes the chains, but before it constructs any rules.


# The Bastille firewall is designed to work with 'ipchains'
# or 'iptables', so you should implement custom rules inside
# conditional tests, for both systems, like this:
#
# if [ -n "${IPCHAINS}" ]; then
#	# using 2.2/ipchains or 2.4/ipchains, add ipchains rules
#	#${IPCHAINS} -A input ...etc...
# fi
#
# if [ -n "${IPTABLES}" ]; then
#	# using 2.4/iptables, add iptables rules
#	#${IPTABLES} -A INPUT ...etc...
# fi


# Logic to try to accommodate Mandrake "Internet Connection Sharing"
#
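if [ -f /etc/sysconfig/inet_sharing ] && [ -x /etc/rc.d/rc.firewall.inet_sharing ]; then
	#
	# Mandrake user who has ICS installed, check if it's enabled
	# (this config file should define the variable $INET_SHARING;
	# newer ICS versions also define $INTERFACE).
	#
	# This whole block runs in the caller's shell because the file is
	# sourced: it only sets variables for the main firewall script and
	# never calls 'exit'.
	#
	# Read:    IPCHAINS, IP_MASQ_NETWORK, TRUSTED_IFACES
	# Written: TRUSTED_IFACES, TCP_PUBLIC_SERVICES, UDP_PUBLIC_SERVICES,
	#          DNS_SERVERS (ipchains only)
	#
	unset INTERFACE
	. /etc/sysconfig/inet_sharing
	#
	if [ "${INET_SHARING}" = "enabled" ]; then
		if [ -z "${IP_MASQ_NETWORK}" ]; then
			#
			# We do not have NAT enabled in the Bastille firewall
			# Let them know we're loading Mandrake's rules
			#
			echo "Enabling Mandrake Internet Connection sharing"
			echo "If you would like to use Bastille's masquerading"
			echo "support instead, edit /etc/Bastille/bastille-firewall.cfg"
			echo "(especially the IP_MASQ_NETWORK setting) and run"
			echo " /etc/rc.d/init.d/bastille-firewall start"
			echo "to use Bastille's masquerading/connection sharing rules."
			#
			# if they're using ipchains, they would have needed to
			# declare the interface connected to the MASQ network as
			# "trusted" so the traffic can flow...
			#
			# We don't care about trusted interfaces unless you're
			# using ipchains and an old version of Mandrake ICS
			more_than_lo=1
			#
			# if we see $INTERFACE, it means they have a newer Mandrake
			# ICS setup which will handle the needed input rule
			#
			if [ -n "${IPCHAINS}" ] && [ -z "${INTERFACE}" ]; then
				# now we care about having other trusted interfaces
				more_than_lo=0
				# Let's add the interface for them if we can figure it out..
				#
				# looking for "/sbin/ipchains -A forward -s A.B.C.0/24 -j MASQ"
				# and turning A.B.C.0/24 into the anchored regexp "^A\.B\.C\."
				# (one line per matching MASQ rule).
				ics_if_regexp=`grep '^/sbin/ipchains \-A forward \-s ' /etc/rc.d/rc.firewall.inet_sharing | egrep '\-j MASQ' | awk '{print $5}' | awk -F/ '{print $1}'| awk -F. '{print "^"$1"\\\\."$2"\\\\."$3"\\\\."}'`
				#
				# now look for the matching interface in `netstat -nr`.
				# The regexp is derived from the contents of the ICS script,
				# so it is quoted: an empty or multi-line value must not be
				# word-split into extra egrep arguments (a second word would
				# be taken as a *file* and the netstat output ignored). If no
				# MASQ rule was found there is nothing to look up.
				#
				ics_iface=""
				if [ -n "${ics_if_regexp}" ]; then
					ics_iface=`netstat -nr | egrep "${ics_if_regexp}" | awk '{print $8}'`
				fi
				# make sure that interface is in TRUSTED_IFACES and
				# tell the user what we're doing
				if [ -n "${ics_iface}" ]; then
					TRUSTED_IFACES="${TRUSTED_IFACES} ${ics_iface}"
					echo "Adding \"${ics_iface}\" to the trusted interface list"
				fi
				unset ics_if_regexp
				unset ics_iface
			fi
			#
			# See if any non-loopback interfaces are defined. We loop through all
			# the values in ${TRUSTED_IFACES} because there may be weird spacing,
			# e.g., "lo" != "lo " != " lo", etc.
			#
			for i in ${TRUSTED_IFACES} ; do
				if [ "${i}" != "lo" ]; then
					more_than_lo=1
				fi
			done
			if [ "${more_than_lo}" -eq 0 ] && [ -n "${IPCHAINS}" ]; then
				#
				# this is definitely true for 2.2 and 2.4/ipchains!
				#
				echo "WARNING: no non-local \"trusted\" interfaces are configured"
				echo "in /etc/Bastille/bastille-firewall.cfg -- Internet Connection"
				echo "Sharing will most likely NOT work. Please consider using"
				echo "Bastille's masquerading/connection sharing rules instead!"
				echo "Doing so will allow you to share a connection while using"
				echo "more strict firewall rules."
			fi
			unset more_than_lo
			#
			# If using Mandrake ICS we also need to allow DNS queries
			# from outside, so the caching DNS server will work
			#
			echo "WARNING: to allow the caching DNS server in Mandrake's"
			echo "Internet Connection Sharing system to work, we are"
			echo "adding DNS to the list of public UDP and TCP services"
			TCP_PUBLIC_SERVICES="${TCP_PUBLIC_SERVICES} domain"
			UDP_PUBLIC_SERVICES="${UDP_PUBLIC_SERVICES} domain"
			if [ -n "${IPCHAINS}" ]; then
				#
				# 0.0.0.0/0 means "any source": DNS_SERVERS is presumably used
				# by the main script to limit where UDP DNS replies may come
				# from (ipchains only), so this deliberately widens the rule
				# set -- which is why the user is told about it. Confirm
				# against the main bastille-firewall script.
				#
				echo "and allowing UDP responses from any DNS server"
				DNS_SERVERS="0.0.0.0/0"
			fi
			#
			# run Mandrake's ICS rules. A failure is not fatal here (we are
			# sourced and must not exit), but the user should hear about it
			# rather than silently get an incomplete rule set.
			#
			/etc/rc.d/rc.firewall.inet_sharing || echo "WARNING: /etc/rc.d/rc.firewall.inet_sharing returned an error" >&2
		else
			#
			# NAT is configured for the Bastille firewall
			#
			echo "You have Bastille configured for masquerading and"
			echo "you have enabled Mandrake's Internet Connection Sharing."
			echo "We will use Bastille's rules. To get rid of this"
			echo "warning, use DrakConf to disable Internet Connection Sharing"
			echo "or disable Bastille's ICS by setting IP_MASQ_NETWORK to \"\""
			echo "in /etc/Bastille/bastille-firewall.cfg"
		fi
	fi
fi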