Commit 813c1fe5 authored by Sven Geuer

Import Upstream version 2.0.3

parent 84dbdb9d
Version 2.0.3 (June 28, 2018)
-----------------------------
! Missing mention in man page of arno-fwfilter's --no-resolve option
! Various fixes in the installer
* Improvements in the parasitic net plugin
* Various tweaks
Version 2.0.2a (October 26, 2017)
---------------------------------
! Fixed log line being too long (>28 chars)
! Fixed systemd installation failed on some systems
! Service file should start AIF after network is up and local filesystems are mounted
* Tweaks/improvements in configure/install scripts
Version 2.0.2 (July 28, 2017)
-----------------------------
+ Added new Parasitic Network plugin, allows "clients" on the same subnet to use this device as a gateway upstream.
* Improve lock-file handling in the "DynDNS Host Open" and "Traffic Accounting" plugins.
+ Disable nf_conntrack automatic helper assignment when possible, attach with CT target, Issue #35
! Fixed IPv6 NAT table was not flushed on start/stop/restart, Issue #36
+ Added EXT_IF_DHCPV6_IPV6 config variable supporting DHCPv6 when DHCP is not enabled, Issue #34
+ Added ability to selectively log blocked hosts by inbound and outbound direction.
BLOCKED_HOST_LOG Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound
Version 2.0.1g (October 11, 2016)
---------------------------------
+ Added new BLOCK_NETSET_DIR variable which efficiently creates ipsets for blocklists using .netset files.
+ Added expert DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6 variables when BLOCK_NETSET_DIR is defined.
+ Added ipset support when IPTABLES_IPSET=1 and ipset is installed, disabled by default, Issues: #1, #24, #31
+ Added LAN to DMZ forwarding policy, new optional LAN_DMZ_ALLOW_IF variable, Issue #30
+ Added NAT_IF option to optionally specify external interfaces to be used for NAT
+ Added LAN to LAN (Inter-LAN) filtering rules, LAN_LAN_HOST_OPEN_xxx, Issue #28
- Removed unused INT_FORWARD_IN_CHAIN and INT_FORWARD_OUT_CHAIN user chains, related to Issue #28
Note: Any custom rule or plugin should generally use the FORWARD_CHAIN or POST_FORWARD_CHAIN to access the FORWARD chain.
Additionally, the new LAN_LAN_HOST_OPEN_xxx rules natively handle Inter-LAN filtering.
* New support for ICMPv6 Multicast Listener Discovery, enable with OPEN_ICMPV6_MLD=1, disabled by default
* Keep external ICMPv6 packets appearing as annoying logs, common with native IPv6 ISP's. Thanks to David Kerr
+ Added new PPTP VPN Passthrough plugin, suggested by Yuriy Cherniavsky, Issue #27
* Detect and remove stale lockfiles for plugin helpers
! Support kernel version check where "uname -r" doesn't contain a '-' character
! Leave the IPv6 sysctl accept_ra setting alone when forwarding=1, fixes WAN DHCPv6-client, Issue #21
Version 2.0.1f (October 1, 2015)
--------------------------------
* Honour Debian recommendations for systemd service file
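Review bot: the 2.0.2a entry "Fixed log line being too long (>28 chars)" does not say which line was too long. If this is the iptables LOG --log-prefix (iptables caps the prefix at 29 characters), say so and state whether the "AIF:" prefix text itself changed, because operators who match that prefix in syslog filters (the contrib rsyslog.conf in this same commit does exactly that with `$msg contains 'AIF:'`) need to know.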
......
......@@ -3,7 +3,7 @@
~ In memory of my dear father ~
(C) Copyright 2001-2015 by Arno van Amersfoort & Lonnie Abelbeck
(C) Copyright 2001-2017 by Arno van Amersfoort & Lonnie Abelbeck
Homepage : http://rocky.eld.leidenuniv.nl/
Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
(note: you must remove all spaces and substitute the @ and the .
......@@ -29,18 +29,13 @@ Almost *all* my work is distributed under the terms of the GNU GPL License,
which means it's free (open-source) software. If you like my work or you want
me to implement a certain feature, you are encouraged to donate money. You can
(preferably) donate directly to me through my bank account (mail me for my IBAN
number (International Bank Account Number). Or you can donate it to one of my
favourite charity organisations:
number (International Bank Account Number). My favourite charity organisations are:
- foundations for cancer research (in The Netherlands: "KWF Kanker Bestrijding");
- foundations for brain desease research (in The Netherlands: "De Hersenstichting");
- foundations for the welfare of animals ("IFAW" or in the Netherlands: "De Dierenbescherming")
Note that *ALL* donations I receive go to one of the above foundations.
I can also provide paid support (for commercial businesses). For example for
firewall customisation, (special) feature requests or other support. Just
contact me and we can work something out.
IMPORTANT NOTE:
---------------
I don't provide enduser support on my email address. Any problems & questions
......@@ -71,7 +66,7 @@ An explanation of the files in the package:
The configuration file used for Arno's iptables firewall script.
Normally you should put it in /etc/arno-iptables-firewall/. Make sure
root is owner/group (with "chown 0:0").
/etc/arno-iptables-firewall/plugins/ :
Put any plugin config files (.conf files) for my firewall in this
directory.
......@@ -117,7 +112,7 @@ An explanation of the files in the package:
/configure.sh :
Script to setup a basic configuration.
/install.sh :
Install script to deploy my firewall on your system.
......@@ -128,12 +123,12 @@ An explanation of the files in the package:
Directory contains any misc. (user contributed) files (scripts etc.) It
also contains examples on how to modify your syslogger to log your
firewall stuff into a separate file.
------------------------------------------
| Some IMPORTANT (security) information: |
------------------------------------------
1) If possible try to start the firewall before you enable your (ADSL) internet
connection (if possible). For an ppp-interface that doesn't exist yet
connection. For an ppp-interface that doesn't exist yet
you can use the wildcard device called "ppp+" (but you can only use
ppp+ if there aren't any other ppp interfaces!).
......@@ -319,7 +314,7 @@ features are enabled by default to protect you from hostile attacks.
NOTE 4: Don't forget to set EXT_IF_DHCP_IP=1 in firewall.conf too, in
case your ISP uses DHCP.
b) In case your on a corporate network which uses public IPs I'd suggest to add
your local subnet (range) to "FULL_ACCESS_HOSTS".
......@@ -444,7 +439,7 @@ Notes on writing your own plugins
chains like INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING. Only do this when
it's absolutely necessary!
Available iptables chains created by Arno's Iptables Firewall
-------------------------------------------------------------
BASE_INPUT_CHAIN - Base input chain. For internal use by AIF only!
......@@ -471,15 +466,13 @@ DMZ_INPUT_CHAIN - DMZ INPUT chain
DMZ_LAN_FORWARD_CHAIN - DMZ to LAN/internal-net forward chain
DMZ_OUTPUT_CHAIN - DMZ output chain
INET_DMZ_FORWARD_CHAIN - External-net(internet) to DMZ forward chain
HOST_BLOCK_DROP - Chain where packets from dropped blocked hosts go
HOST_BLOCK_DST - Chain containing the list of destination based
blocked hosts
HOST_BLOCK_SRC - Chain containing the list of source based blocked
hosts
INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic
INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic
HOST_BLOCK_SRC - Chain containing the list of inbound blocked hosts
HOST_BLOCK_DST - Chain containing the list of outbound blocked hosts
HOST_BLOCK_SRC_DROP - Chain where packets from dropped inbound blocked hosts go
HOST_BLOCK_DST_DROP - Chain where packets from dropped outbound blocked hosts go
INT_INPUT_CHAIN - Internal-net INPUT chain
INT_OUTPUT_CHAIN - Internal-net OUTPUT chain
LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only)
LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain
POST_INPUT_CHAIN - This chain is always processed last(post) in the
INPUT chain
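Review bot: this chain list renames HOST_BLOCK_DROP into HOST_BLOCK_SRC_DROP and HOST_BLOCK_DST_DROP, but the CHANGELOG hunk only warns about the removal of INT_FORWARD_IN_CHAIN/INT_FORWARD_OUT_CHAIN as affecting custom rules and plugins. A plugin or custom rule that jumps to HOST_BLOCK_DROP breaks in the same way, so add a matching changelog line (under 2.0.2, next to the directional BLOCKED_HOST_LOG entry) naming the old and the new chain names.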
......@@ -642,3 +635,4 @@ topics related to the scope of this firewall script.
CONFIG_NF_CT_ACCT was scheduled to be removed in 2.6.29, but has not yet
been removed, as of writing.
#!/bin/bash
MY_VERSION="1.02h"
MY_VERSION="1.03"
# ------------------------------------------------------------------------------------------
# -= Arno's iptables firewall =-
......@@ -8,7 +8,7 @@ MY_VERSION="1.02h"
#
# ~ In memory of my dear father ~
#
# (C) Copyright 2001-2015 by Arno van Amersfoort
# (C) Copyright 2001-2017 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
......@@ -269,7 +269,7 @@ printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$AIF_VERSION\033[0m\n
printf "Configure Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"
sanity_check;
sanity_check
RC_PATH="/etc"
# Check for Redhat/SUSE rc.d
......@@ -287,9 +287,15 @@ rm -f $RC_PATH/rc5.d/*arno-iptables-firewall
rm -f $RC_PATH/rc6.d/*arno-iptables-firewall
rm -f $RC_PATH/rcS.d/*arno-iptables-firewall
if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/)" "y"; then
if get_user_yn "Do you want to start the firewall at boot" "y"; then
DONE=0
if check_command update-rc.d; then
if check_command systemctl; then
if systemctl enable arno-iptables-firewall; then
echo "* Successfully enabled service with systemctl"
DONE=1
fi
elif check_command update-rc.d; then
# Note: Currently update-rc.d doesn't seem to properly use the init script's LSB header, so specify explicitly
if update-rc.d -f arno-iptables-firewall start 11 S . stop 10 0 6 .; then
echo "* Successfully enabled service with update-rc.d"
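Review bot: the new `check_command systemctl` branch only ever enables. When the user answers "n" to "Do you want to start the firewall at boot", the preceding `rm -f $RC_PATH/rc?.d/*arno-iptables-firewall` lines clear the SysV links, but a unit enabled by an earlier run of this script stays enabled, so the "no" path should run `systemctl disable arno-iptables-firewall` when systemctl is present, mirroring the link removal.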
......@@ -300,9 +306,7 @@ if get_user_yn "Do you want to start the firewall at boot (via /etc/init.d/)" "y
echo "* Successfully enabled service with chkconfig"
DONE=1
fi
fi
if [ $DONE -eq 0 ]; then
else
if [ -d "$RC_PATH/rcS.d" ]; then
if ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rcS.d/S11arno-iptables-firewall" &&
ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/K10arno-iptables-firewall" &&
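Review bot: replacing `if [ $DONE -eq 0 ]; then` with `else` changes the fallback semantics. Before, the manual rcS.d/rc0.d symlinks were created whenever the chosen tool failed (DONE still 0); now they are created only when none of systemctl, update-rc.d or chkconfig exists, so a present but failing `systemctl enable` (for instance because install.sh found no systemd directory and skipped the unit) leaves the firewall not enabled at boot, with only the absence of a "* Successfully ..." line as a hint. Either keep an `if [ $DONE -eq 0 ]` check after the chain, or print an explicit error when DONE is 0 so the operator notices.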
......@@ -335,13 +339,13 @@ fi
if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then
if get_user_yn "Your firewall.conf is not configured yet.\nDo you want me to help you setup a basic configuration" "y"; then
setup_conf_file;
setup_conf_file
else
echo "* Skipped"
fi
else
if get_user_yn "Your firewall.conf looks already customized.\nModify configuration" "n"; then
setup_conf_file;
setup_conf_file
else
echo "* Skipped"
fi
......
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv,local7,daemon,lpr.none;\
kern.!=debug;\
cron.!=info -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.*;kern.!=debug -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
# Logging for iptables
kern.=debug /var/log/firewall.log
#
# Some "catch-all" log files.
#
*.=debug;\
kern.!=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
# Log firewall messages to /var/log/arno-iptables-firewall (asynchronously),
# and then drop them so that they aren't logged again elsewhere.
if $syslogfacility-text == 'kern' \
and $msg contains 'AIF:' then -/var/log/firewall.log
& stop
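Review bot: firewall messages reach /var/log/firewall.log twice. The `kern.=debug /var/log/firewall.log` rule that the file labels "Logging for iptables" has no `& stop`, so a matching message falls through past the xconsole pipe (`*.=debug` is part of that selector) to the RainerScript filter at the end (`$syslogfacility-text == 'kern' and $msg contains 'AIF:'`) and is written a second time. Keep one of the two rules and put `& stop` directly after it, above the catch-all rules. The comment above the filter also names /var/log/arno-iptables-firewall while the action writes -/var/log/firewall.log; align the two.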
# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Transparent DNAT plugin =-
# -= Arno's iptables firewall - (A)DSL PPP Modem plugin =-
# ------------------------------------------------------------------------------
###############################################################################
......
# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Parasitic (SNAT) Network plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0
# ------------------------------------------------------------------------------
# Parasitic Network
#
# Allows "clients" on the same subnet to use this device as a gateway upstream.
# This network of "clients" is the Parasitic Network, SNAT'ed to this device's
# external interface(s).
#
# This Parasitic Network is useful for situations when the upstream firewall
# is not under your control and you desire added security for specific devices
# in your subnet. Set the gateway address of Parasitic Network clients to an
# external IPv4 address of this device.
#
# Note: To be effective, be certain the Parasitic Network clients are IPv4-only
#
# (IPv4 Only)
# ------------------------------------------------------------------------------
# Specify which (external) network interfaces should have parasitic SNAT enabled
# You can optionally also provide the interface IP in the form of interface~IP
# (for eg. interfaces with multiple IP addresses). Multiple interfaces should
# be space separated. Leave empty to include all external interfaces
# ------------------------------------------------------------------------------
PARASITIC_NET_IF=""
# Specify which "clients" are allowed to use this device as an SNAT gateway.
# If not specified all hosts on parasitic SNAT enabled interfaces are allowed
# NOTE: The hosts in here should be on subnets connected to interfaces specified
# in PARASITIC_NET_IF
# ------------------------------------------------------------------------------
PARASITIC_NET_CLIENT_HOSTS=""
################################################################################
# Use PARASITIC_NET_HOST_OPEN_xxx and PARASITIC_NET_HOST_DENY to restrict #
# forwarded parasitic network traffic. #
# #
# By default all parasitic network packets are forwarded and NAT'ed upstream, #
# unless one of the PARASATIC_NET_HOST_OPEN_xxx variables is specified. In #
# that case the default policy for that protocol (TCP, UDP, ICMP, IP) will #
# become deny, except for IP which always defaults to deny. #
################################################################################
# Put in the following variables which hosts you want to allow(open) for certain
# services
# TCP/UDP port format (PARASITIC_NET_HOST_OPEN_TCP & PARASITIC_NET_HOST_OPEN_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# ICMP protocol format (PARASITIC_NET_HOST_OPEN_ICMP):
# "host1 host2 ...."
#
# IP protocol format (PARASITIC_NET_HOST_OPEN_IP):
# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
# ------------------------------------------------------------------------------
PARASITIC_NET_HOST_OPEN_TCP=""
PARASITIC_NET_HOST_OPEN_UDP=""
PARASITIC_NET_HOST_OPEN_ICMP=""
PARASITIC_NET_HOST_OPEN_IP=""
# Put in the following variables which hosts you want to deny for certain
# services
# TCP/UDP port format (PARASITIC_NET_HOST_DENY_TCP & PARASITIC_NET_HOST_DENY_UDP):
# "host1,host2~port1,port2 host3,host4~port3,port4 ..."
#
# ICMP protocol format (PARASITIC_NET_HOST_DENY_ICMP):
# "host1 host2 ...."
#
# IP protocol format (PARASITIC_NET_HOST_DENY_IP):
# "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
# ------------------------------------------------------------------------------
PARASITIC_NET_HOST_DENY_TCP=""
PARASITIC_NET_HOST_DENY_UDP=""
PARASITIC_NET_HOST_DENY_ICMP=""
PARASITIC_NET_HOST_DENY_IP=""
# Enable (1) or disable(0) logging of denied packets
# ------------------------------------------------------------------------------
PARASITIC_NET_DENY_LOG=1
# Specify the policy for denied packets: DROP (default) or REJECT
# ------------------------------------------------------------------------------
PARASITIC_NET_DENY_POLICY="DROP"
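Review bot: two typos in the help block: `PARASATIC_NET_HOST_OPEN_xxx` should read PARASITIC_NET_HOST_OPEN_xxx (an admin grepping for the misspelt name finds nothing), and both IP protocol format examples show `proto4,proto4` where `proto3,proto4` is meant. More important for operators: with PARASITIC_NET_CLIENT_HOSTS left empty, every host on the parasitic-SNAT interfaces, which by default are all external interfaces, may use this device as a NAT gateway upstream, and with the HOST_OPEN variables empty all of their traffic is forwarded. The comment should recommend listing the intended clients explicitly, since those interfaces face the subnet the plugin description says is not under your control.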
# ------------------------------------------------------------------------------
# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =-
# ------------------------------------------------------------------------------
# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0
# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients
# have NAT between them and the PPTP VPN server special packet handling must be performed.
# This plugin loads the required Linux Kernel modules to handle that situation.
#
# No configuration options
# ------------------------------------------------------------------------------
#!/bin/bash
MY_VERSION="1.07c"
MY_VERSION="1.09"
# ------------------------------------------------------------------------------------------
# -= Arno's iptables firewall =-
......@@ -8,7 +8,7 @@ MY_VERSION="1.07c"
#
# ~ In memory of my dear father ~
#
# (C) Copyright 2001-2015 by Arno van Amersfoort
# (C) Copyright 2001-2018 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
......@@ -104,7 +104,7 @@ copy_ask_if_exist()
if [ ! -d "$target_dir" ]; then
printf "\033[40m\033[1;31m* WARNING: Target directory $target_dir does not exist. Skipping copy of $source!\033[0m\n" >&2
continue;
continue
fi
if [ -f "$source" -a -f "$target" ]; then
......@@ -113,21 +113,21 @@ copy_ask_if_exist()
if ! get_user_yn "File \"$target\" already exists. Overwrite" "n"; then
if [ -z "$3" ]; then
echo "Skipped..."
continue;
continue
else
# Copy as e.g. .dist-file:
target="${target}.${3}"
rm -f "$target"
fi
fi
else
echo "* Target file \"$target\" is the same as source. Skipping copy of $source"
continue;
# else
# echo "* Target file \"$target\" is already the same as source." # Skipping copy of $source"
# #continue
fi
fi
# copy file & create backup of old file if exists
if ! cp -bv "$source" "$target"; then
if ! cp -bv --preserve=mode,timestamps "$source" "$target"; then
echo "ERROR: Copy error of \"$source\" to \"$target\"!" >&2
exit 3
fi
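Review bot: commenting out the `else ... "Target file ... is the same as source" ... continue` branch means copy_ask_if_exist now re-copies identical files, and because the copy is `cp -bv`, every run leaves another backup of an unchanged file in the target directory. If the intent is to refresh permissions and timestamps via the new `--preserve=mode,timestamps`, say so in a comment and delete the commented-out block instead of leaving dead code. Note that `--preserve=mode` applies whatever mode the extracted tarball carries; the README in this same commit tells users to `chown 0:0` the config, so an explicit chmod/chown after the copy is the more reliable way to guarantee installed permissions.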
......@@ -163,13 +163,13 @@ copy_skip_if_exist()
if [ ! -d "$target_dir" ]; then
printf "\033[40m\033[1;31m* WARNING: Target directory $target_dir does not exist. Skipping copy of $source!\033[0m\n" >&2
continue;
continue
fi
if [ -f "$target" ]; then
if [ -z "$3" ]; then
echo "* File \"$target\" already exists. Skipping copy of $source"
continue;
continue
else
# Copy as e.g. .dist-file:
target="${target}.${3}"
......@@ -177,7 +177,7 @@ copy_skip_if_exist()
fi
fi
if ! cp -v "$source" "$target"; then
if ! cp -v --preserve=mode,timestamps "$source" "$target"; then
echo "ERROR: Copy error of \"$source\" to \"$target!\"" >&2
exit 3
fi
......@@ -213,18 +213,18 @@ copy_overwrite()
if [ ! -d "$target_dir" ]; then
printf "\033[40m\033[1;31m* WARNING: Target directory $target_dir does not exist. Skipping copy of $source!\033[0m\n" >&2
continue;
continue
fi
if [ -f "$source" -a -f "$target" ]; then
# if [ -f "$source" -a -f "$target" ]; then
# Ignore files that are the same in the target
if diff "$source" "$target" >/dev/null; then
echo "* Target file \"$target\" is the same as source. Skipping copy of $source"
continue;
fi
fi
# if diff "$source" "$target" >/dev/null; then
# echo "* Target file \"$target\" is already the same as source." # Skipping copy of $source"
# continue
# fi
# fi
if ! cp -fv "$source" "$target"; then
if ! cp -fv --preserve=mode,timestamps "$source" "$target"; then
echo "ERROR: Copy error of \"$source\" to \"$target\"!" >&2
exit 3
fi
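Review bot: the commented-out `if diff "$source" "$target" ... continue` block in copy_overwrite should be deleted rather than kept as comments; the function name already states that it copies unconditionally, and the dead block still carries the old `continue;` style that the rest of this commit removes. The `--preserve=mode` remark for copy_ask_if_exist applies here as well.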
......@@ -303,7 +303,7 @@ printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$AIF_VERSION\033[0m\n
printf "Install Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"
sanity_check;
sanity_check
# We want to run in the dir the install script is in
cd "$(dirname $0)"
......@@ -314,10 +314,12 @@ if ! get_user_yn "Continue install" "n"; then
fi
# Make sure there still isn't an old version installed
check_18_version;
check_18_version
copy_overwrite ./bin/arno-iptables-firewall /usr/local/sbin/
copy_overwrite ./bin/arno-fwfilter /usr/local/bin/
# Remove old version:
rm -f /usr/local/sbin/arno-fwfilter
mkdir -pv /usr/local/share/arno-iptables-firewall/plugins || exit 1
......@@ -337,9 +339,18 @@ copy_overwrite ./README /usr/local/share/doc/arno-iptables-firewall/
copy_ask_if_exist ./etc/init.d/arno-iptables-firewall /etc/init.d/
# Install service file if systemd directory is available
if [ -d "/usr/lib/systemd/system/" ]; then
copy_ask_if_exist ./lib/systemd/system/arno-iptables-firewall.service /usr/lib/systemd/system/
# Make sure only one service file exists in /lib/.. or /usr/lib/ where we prefer /lib/
rm -f /usr/lib/systemd/system/arno-iptables-firewall.service
# Install service file if systemd directory is available, use fallbacks to support different systems
if [ -d "/lib/systemd/system" ]; then
copy_overwrite ./lib/systemd/system/arno-iptables-firewall.service /lib/systemd/system/
elif [ -d "/usr/lib/systemd/system" ]; then
copy_overwrite ./lib/systemd/system/arno-iptables-firewall.service /usr/lib/systemd/system/
elif [ -d "/etc/systemd/system" ]; then
copy_ask_if_exist ./lib/systemd/system/arno-iptables-firewall.service /etc/systemd/system/
else
echo "NOTE: Could not find any systemd/system directory, skipping systemd configuration" >&2
fi
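Review bot: the cleanup removes only /usr/lib/systemd/system/arno-iptables-firewall.service, but the third branch installs into /etc/systemd/system, and systemd prefers a unit in /etc over one in /lib or /usr/lib, so a unit left in /etc by an earlier install would shadow the freshly copied /lib copy. Remove (or at least warn about) a stale /etc copy too, and run `systemctl daemon-reload` after replacing the unit so the new [Unit] ordering takes effect without a reboot. Replacing the /lib and /usr/lib copies via copy_overwrite while only /etc prompts is consistent with packaging conventions, but deserves a line of output.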
mkdir -pv /etc/arno-iptables-firewall || exit 1
......@@ -353,7 +364,7 @@ copy_ask_if_exist ./etc/arno-iptables-firewall/plugins/ /etc/arno-iptables-firew
mkdir -pv /etc/arno-iptables-firewall/conf.d || exit 1
echo "Files with a .conf extension in this directory will be sourced by the environment file" >/etc/arno-iptables-firewall/conf.d/README
check_plugins;
check_plugins
echo ""
echo "** Install done **"
......@@ -377,4 +388,3 @@ if get_user_yn "(Re)start firewall"; then
fi
exit 0
[Unit]
Description=Arno's Iptables Firewall
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
After=local-fs.target network-online.target
Requires=local-fs.target network-online.target
Conflicts=shutdown.target
[Service]
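Review bot: the [Unit] ordering contradicts itself. `Wants=network-pre.target` / `Before=network-pre.target` asks to run before any network management starts, while `After=network-online.target` / `Requires=network-online.target` asks to run after the network is up; network-pre.target is ordered before network.target, which network-online.target follows, so a unit carrying both sits in an ordering cycle that systemd breaks by dropping a job at boot. Pick one: the CHANGELOG line states the intent as "after network is up and local filesystems are mounted", in which case drop the two network-pre.target lines, but note that this leaves a window during boot in which interfaces are up with no rules loaded, which is precisely what network-pre.target exists to avoid for firewalls (then keep Before=network-pre.target and order only After=local-fs.target).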
......
......@@ -2,17 +2,17 @@
# -= Arno's iptables firewall - NAT Loopback plugin =-
#
PLUGIN_NAME="NAT Loopback plugin"
PLUGIN_VERSION="1.00 BETA"
PLUGIN_VERSION="1.01"
PLUGIN_CONF_FILE="nat-loopback.conf"
#
# Last changed : October 15, 2012
# Requirements : AIF 2.0.0+
# Last changed : July 12, 2016
# Requirements : AIF 2.0.1g+
# Comments : NAT Loopback for local nets using existing NAT_FORWARD_TCP
# and NAT_FORWARD_UDP rules.
# Local nets may be able to use the external IPv4 address and
# port to access NAT forwarded internal servers.
#
# Author : (C) Copyright 2012 by Lonnie Abelbeck & Arno van Amersfoort
# Author : (C) Copyright 2012-2016 by Lonnie Abelbeck & Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
......@@ -39,7 +39,7 @@ nat_loopback_default_ext_ipv4()
local eif IFS
IFS=' ,'
for eif in $(wildcard_ifs $EXT_IF); do
for eif in $(wildcard_ifs $NAT_IF); do
ip -o addr show dev $eif \
| awk '$3 == "inet" { split($4, field, "/"); print field[1]; nextfile; }'
break # Only use first external interface
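Review bot: switching the loop from $EXT_IF to $NAT_IF matches the new NAT_IF option, but the CHANGELOG describes NAT_IF as optional. Unless the plugin or the core already defaults NAT_IF to EXT_IF when it is empty, `wildcard_ifs $NAT_IF` expands to nothing here and nat_loopback_default_ext_ipv4 returns no address, which silently disables the loopback rules. Add a guard such as `[ -n "$NAT_IF" ] || NAT_IF="$EXT_IF"` before the loop if that default is not guaranteed elsewhere.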
......@@ -108,7 +108,7 @@ plugin_start()
unset IFS
for rule in $NAT_FORWARD_TCP; do
if parse_rule "$rule" NAT_FORWARD_TCP "interfaces:EXT_IF-destips-shosts-ports-dhost_dport"; then
if parse_rule "$rule" NAT_FORWARD_TCP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
IFS=' ,'
for shost in $(ip_range "$shosts"); do
......@@ -140,7 +140,7 @@ plugin_start()
unset IFS
for rule in $NAT_FORWARD_UDP; do
if parse_rule "$rule" NAT_FORWARD_UDP "interfaces:EXT_IF-destips-shosts-ports-dhost_dport"; then
if parse_rule "$rule" NAT_FORWARD_UDP "interfaces:NAT_IF-destips-shosts-ports-dhost_dport"; then
IFS=' ,'
for shost in $(ip_range "$shosts"); do
......
......@@ -2,14 +2,14 @@
# -= Arno's iptables firewall - DynDNS Host Open plugin =-
#
PLUGIN_NAME="DynDNS Host Open plugin"
PLUGIN_VERSION="1.33-BETA2"
PLUGIN_VERSION="1.34a"
PLUGIN_CONF_FILE="dyndns-host-open.conf"
#
# Last changed : June 22, 2015
# Last changed : July 10, 2017
# Requirements : kernel 2.6 + AIF 2.0.1f or better
# Comments : This implements dynamic DNS (DynDNS) support for eg. opening ports
#
# Author : (C) Copyright 2008-2014 by Arno van Amersfoort
# Author : (C) Copyright 2008-2017 by Arno van Amersfoort
# Homepage : http://rocky.eld.leidenuniv.nl/
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
......@@ -36,6 +36,9 @@ else
DYNDNS_HOST_CACHE="/var/tmp/aif_dyndns_host_cache"
fi
# Use a lock file for protection
LOCK_FILE="/var/lock/aif_dyndns_helper.lock"
# Plugin start function
plugin_start()
{
......@@ -48,7 +51,10 @@ plugin_start()
# Remove the cache file
rm -f "$DYNDNS_HOST_CACHE"
# Check for stale lock file
rm -f "$LOCK_FILE"
# Create cron job
echo "$DYNDNS_HOST_OPEN_CRON root $PLUGIN_BIN_PATH/dyndns-host-open-helper >/dev/null" >/etc/cron.d/dyndns-host-open
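Review bot: `rm -f "$LOCK_FILE"` in plugin_start is unconditional although the comment says "Check for stale lock file". If a helper from the previous instance is still running, the lock is removed from under it and the next cron run starts a second helper concurrently, which is what the lock was added to prevent. Check that the recorded process is gone (kill -0 on a stored PID) before removing, or use flock(1) on the file so staleness is handled by the kernel. Separately, /var/lock is a sticky world-writable directory (1777) on common distributions; if the helper uses the same existence test as plugin_stop (`[ -f "$LOCK_FILE" ]`), an unprivileged local user can create aif_dyndns_helper.lock and keep the DynDNS rules from being updated, so place the lock under a root-owned directory such as a subdirectory of /var/run.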
......@@ -67,7 +73,7 @@ plugin_restart()
{
## Re-add standard chain rules that are flushed on a restart
echo "${INDENT}Restarting..."
# Insert rule into the main chain:
iptables -A EXT_INPUT_CHAIN -j DYNDNS_CHAIN
......@@ -86,15 +92,22 @@ plugin_stop()
{
# Remove cron job
rm -f /etc/cron.d/dyndns-host-open
# Wait for helper to stop, if running
cnt=5
while [ $cnt -gt 0 ] && [ -f "$LOCK_FILE" ]; do
cnt=$((cnt - 1))
sleep 1
done
# Remove the cache file
rm -f "$DYNDNS_HOST_CACHE"
iptables -D EXT_INPUT_CHAIN -j DYNDNS_CHAIN 2>/dev/null
iptables -F DYNDNS_CHAIN
iptables -X DYNDNS_CHAIN 2>/dev/null
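Review bot: the wait loop exits silently after 5 seconds even when the lock file is still present; print a warning on timeout, because the `iptables -F DYNDNS_CHAIN` / `iptables -X DYNDNS_CHAIN` that follow then race against a still-running helper that may re-add rules to a chain about to be deleted, and the `2>/dev/null` on -X hides the resulting failure. Removing the lock file once the wait has ended would also stop the next plugin_start from finding it.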