From 21bbdc24c397671e68606e846837f28df89a5a23 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Mon, 4 Aug 2008 11:51:58 +0000 Subject: [PATCH] adds a new uci firewall - iptbales and netfilter packages need to be rewrapped when we switch to this firewall as default - there are some examples in the file /etc/config/firewall - iptables-save/restore are still missing - hotplug takes care of adding/removing netdevs during runtime - misisng features ? wishes ? let me know ... SVN-Revision: 12089 --- include/target.mk | 2 +- package/firewall/Config.in | 17 + package/firewall/Makefile | 69 +++++ package/firewall/files/new/20-firewall | 41 +++ package/firewall/files/new/firewall.config | 80 +++++ package/firewall/files/new/firewall.init | 14 + package/firewall/files/new/uci_firewall.sh | 291 ++++++++++++++++++ .../files => firewall/files/old}/firewall.awk | 0 .../files/old}/firewall.config | 0 .../files/old}/firewall.init | 0 .../files/old}/firewall.user | 0 package/iptables/Makefile | 12 - 12 files changed, 513 insertions(+), 13 deletions(-) create mode 100644 package/firewall/Config.in create mode 100644 package/firewall/Makefile create mode 100644 package/firewall/files/new/20-firewall create mode 100755 package/firewall/files/new/firewall.config create mode 100755 package/firewall/files/new/firewall.init create mode 100755 package/firewall/files/new/uci_firewall.sh rename package/{iptables/files => firewall/files/old}/firewall.awk (100%) rename package/{iptables/files => firewall/files/old}/firewall.config (100%) rename package/{iptables/files => firewall/files/old}/firewall.init (100%) rename package/{iptables/files => firewall/files/old}/firewall.user (100%) diff --git a/include/target.mk b/include/target.mk index 8b123959d3..34d2935fe8 100644 --- a/include/target.mk +++ b/include/target.mk @@ -14,7 +14,7 @@ DEVICE_TYPE?=router # Default packages - the really basic set DEFAULT_PACKAGES:=base-files libgcc uclibc busybox dropbear mtd uci # For router targets -DEFAULT_PACKAGES.router:=dnsmasq iptables ppp ppp-mod-pppoe kmod-ipt-nathelper bridge +DEFAULT_PACKAGES.router:=dnsmasq iptables ppp ppp-mod-pppoe kmod-ipt-nathelper bridge firewall # Additional packages for Linux 2.6 ifneq ($(KERNEL),2.4) diff --git a/package/firewall/Config.in b/package/firewall/Config.in new file mode 100644 index 0000000000..616b0206b0 --- /dev/null +++ b/package/firewall/Config.in @@ -0,0 +1,17 @@ +choice + prompt "Choose firewall" + default FIREWALL_OLD + depends PACKAGE_firewall + +config FIREWALL_OLD + bool "old firewall" + +config FIREWALL_NEW + bool "new uci firewall" + select PACKAGE_iptables-mod-conntrack + select PACKAGE_iptables-mod-extra + select PACKAGE_iptables-mod-ipopt + select PACKAGE_iptables-mod-ulog + select PACKAGE_kmod-ipt-nathelper + +endchoice diff --git a/package/firewall/Makefile b/package/firewall/Makefile new file mode 100644 index 0000000000..e073b5771c --- /dev/null +++ b/package/firewall/Makefile @@ -0,0 +1,69 @@ +# +# Copyright (C) 2008 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall + +PKG_VERSION:=1 +PKG_RELEASE:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/firewall + SECTION:=net + CATEGORY:=Base system + URL:=http://openwrt.org/ + TITLE:=OpenWrt firewall + DEPENDS:=+iptables +endef + +define Package/firewall/description + firewall for openwrt, you can select if you want to use the old version or the new uci based script +endef + +define Package/firewall/config + source "$(SOURCE)/Config.in" +endef + +define Build/Compile + true +endef + +ifeq ($(CONFIG_FIREWALL_NEW),y) +define Package/firewall/conffiles +/etc/config/firewall +endef + +define Package/firewall/install + $(INSTALL_DIR) $(1)/lib/firewall + $(INSTALL_DATA) ./files/new/uci_firewall.sh $(1)/lib/firewall + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/new/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/init.d/ + $(INSTALL_BIN) ./files/new/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/new/20-firewall $(1)/etc/hotplug.d/iface +endef + +else + +define Package/firewall/conffiles +/etc/firewall.config +/etc/firewall.user +endef + +define Package/firewall/install + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/old/firewall.config $(1)/etc/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/old/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_BIN) ./files/old/firewall.user $(1)/etc/ + $(INSTALL_DIR) $(1)/usr/lib + $(INSTALL_DATA) ./files/old/firewall.awk $(1)/usr/lib +endef +endif +$(eval $(call BuildPackage,firewall)) diff --git a/package/firewall/files/new/20-firewall b/package/firewall/files/new/20-firewall new file mode 100644 index 0000000000..a8ce17c976 --- /dev/null +++ b/package/firewall/files/new/20-firewall @@ -0,0 +1,41 @@ +. /lib/firewall/uci_firewall.sh +unset ZONE +config_get ifname $INTERFACE ifname +INTERFACE=$ifname +[ "$INTERFACE" == "lo" ] && exit 0 +load_zones() { + local name + local network + config_get name $1 name + config_get network $1 network + [ -z "$network" ] && return + for n in $network; do + local ifname + config_get ifname $n ifname + list_contains ifname $INTERFACE && { + list_contains ZONE $name || ZONE="$ZONE $name" + } + done +} + +config_foreach load_zones zone + +IFACE=$(find_config $INTERFACE) +[ -n "$IFACE" ] && + list_contains ZONE $IFACE || ZONE="$ZONE $IFACE" + +[ ifup = "$ACTION" ] && { + for z in $ZONE; do + local loaded + config_get loaded core loaded + [ -n "$loaded" ] && addif $INTERFACE $z + done +} + +[ ifdown = "$ACTION" ] && { + for z in $ZONE; do + local up + config_get up $z up + [ "$up" == "1" ] && delif $INTERFACE $z + done +} diff --git a/package/firewall/files/new/firewall.config b/package/firewall/files/new/firewall.config new file mode 100755 index 0000000000..073169013d --- /dev/null +++ b/package/firewall/files/new/firewall.config @@ -0,0 +1,80 @@ +config defaults + option syn_flood 1 + option input DROP + option output ACCEPT + option forward DROP + +config zone + option name lan + option input ACCEPT + option output ACCEPT + option forward DROP + +config zone + option name wan + option input DROP + option output ACCEPT + option forward DROP + option masq 1 + +config forwarding + option src lan + option dest wan + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option protocol tcp + +# include a file with users custom iptables rules +#config include +# option path /etc/firewall.user + + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/firewall/files/new/firewall.init b/package/firewall/files/new/firewall.init new file mode 100755 index 0000000000..26855f39ad --- /dev/null +++ b/package/firewall/files/new/firewall.init @@ -0,0 +1,14 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2008 OpenWrt.org + +START=45 + +start() { + . /lib/firewall/uci_firewall.sh + fw_init +} + +stop() { + . /lib/firewall/uci_firewall.sh + fw_stop +} diff --git a/package/firewall/files/new/uci_firewall.sh b/package/firewall/files/new/uci_firewall.sh new file mode 100755 index 0000000000..dcb9c100bf --- /dev/null +++ b/package/firewall/files/new/uci_firewall.sh @@ -0,0 +1,291 @@ +#!/bin/sh +# Copyright (C) 2008 John Crispin + +. /etc/functions.sh + +IPTABLES="echo iptables" +IPTABLES=iptables + +config_clear +include /lib/network +scan_interfaces + +CONFIG_APPEND=1 +config_load firewall + +config fw_zones +ZONE_LIST=$CONFIG_SECTION + +DEF_INPUT=DROP +DEF_OUTPUT=DROP +DEF_FORWARD=DROP + +load_policy() { + config_get input $1 input + config_get output $1 output + config_get forward $1 forward + + [ -z "$input" ] && input=$DEF_INPUT + [ -z "$output" ] && output=$DEF_OUTPUT + [ -z "$forward" ] && forward=$DEF_FORWARD +} + +create_zone() { + local exists + + [ "$1" == "loopback" ] && return + + config_get exists $ZONE_LIST $1 + [ -n "$exists" ] && return + config_set $ZONE_LIST $1 1 + + $IPTABLES -N zone_$1 + $IPTABLES -N zone_$1_ACCEPT + $IPTABLES -N zone_$1_DROP + $IPTABLES -N zone_$1_REJECT + $IPTABLES -N zone_$1_forward + $IPTABLES -A zone_$1_forward -j zone_$1_$5 + $IPTABLES -A zone_$1 -j zone_$1_$3 + $IPTABLES -A OUTPUT -j zone_$1_$4 + $IPTABLES -N zone_$1_nat -t nat + $IPTABLES -N zone_$1_prerouting -t nat + [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat +} + +addif() { + logger "adding $1 to firewall zone $2" + $IPTABLES -A INPUT -i $1 -j zone_$2 + $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT + $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP + $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT + $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT + $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP + $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT + $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE + $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting + $IPTABLES -A FORWARD -i $1 -j zone_$2_forward +} + +delif() { + logger "removing $1 from firewall zone $2" + $IPTABLES -D INPUT -i $1 -j zone_$2 + $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT + $IPTABLES -D zone_$2_DROP -o $1 -j DROP + $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT + $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT + $IPTABLES -D zone_$2_DROP -i $1 -j DROP + $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT + $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE + $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting + $IPTABLES -D FORWARD -i $1 -j zone_$2_forward +} + +load_synflood() { + echo "Loading synflood protection" + $IPTABLES -N SYN_FLOOD + $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN + $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN + $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN + $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: " + $IPTABLES -A SYN_FLOOD -j DROP + $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD +} + +create_network_zone() { + create_zone "$1" "$1" +} + +fw_defaults() { + load_policy $1 + DEF_INPUT=$input + DEF_OUTPUT=$output + DEF_FORWARD=$forward + + echo 1 > /proc/sys/net/ipv4/tcp_syncookies + for f in /proc/sys/net/ipv4/conf/*/accept_redirects + do + echo 0 > $f + done + for f in /proc/sys/net/ipv4/conf/*/accept_source_route + do + echo 0 > $f + done + + $IPTABLES -F + $IPTABLES -t nat -F + $IPTABLES -t mangle -F + $IPTABLES -X -t nat + $IPTABLES -X + + $IPTABLES -P INPUT $input + $IPTABLES -A INPUT -m state --state INVALID -j DROP + $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -P OUTPUT $output + $IPTABLES -A OUTPUT -m state --state INVALID -j DROP + $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -P FORWARD $forward + $IPTABLES -A FORWARD -m state --state INVALID -j DROP + $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT + + $IPTABLES -A INPUT -i lo -j ACCEPT + $IPTABLES -A OUTPUT -o lo -j ACCEPT + + config_get syn_flood $1 syn_flood + config_get syn_rate $1 syn_rate + config_get syn_burst $1 syn_burst + + [ -z "$syn_rate" ] && syn_rate=25 + [ -z "$syn_burst" ] && syn_burst=50 + [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst +} + +fw_zone() { + local name + local network + local masq + + config_get name $1 name + config_get network $1 network + config_get masq $1 masq + load_policy $1 + + [ -z "$network" ] && network=$name + create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" +} + +fw_rule() { + local src + local src_ip + local src_mac + local src_port + local src_mac + local dest + local dest_ip + local dest_port + local proto + local target + + config_get src $1 src + config_get src_ip $1 src_ip + config_get src_mac $1 src_mac + config_get src_port $1 src_port + config_get dest $1 dest + config_get dest_ip $1 dest_ip + config_get dest_port $1 dest_port + config_get proto $1 proto + config_get target $1 target + config_get ruleset $1 ruleset + + [ -z "$target" ] && target=DROP + [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT + [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target + $IPTABLES -I $ZONE 1 \ + ${proto:+-p $proto} \ + ${src_ip:+-s $src_ip} \ + ${src_port:+--sport $src_port} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + ${dest_ip:+-d $dest_ip} \ + ${dest_port:+--dport $dest_port} \ + -j $TARGET +} + +fw_forwarding() { + local src + local dest + local masq + + config_get src $1 src + config_get dest $1 dest + [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD + [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT + $IPTABLES -I $z_src 1 -j $z_dest +} + +fw_redirect() { + local src + local src_ip + local src_port + local src_dport + local src_mac + local dest_ip + local dest_port + local protocol + + config_get src $1 src + config_get src_ip $1 src_ip + config_get src_port $1 src_port + config_get src_dport $1 src_dport + config_get src_mac $1 src_mac + config_get dest_ip $1 dest_ip + config_get dest_port $1 dest_port + config_get protocol $1 protocol + [ -z "$src" -o -z "$dest_ip" ] && { \ + echo "redirect needs src and dest_ip"; return ; } + $IPTABLES -A zone_${src}_prerouting -t nat \ + ${protocol:+-p $protocol} \ + ${src_ip:+-s $srcdip} \ + ${src_port:+--sport $src_port} \ + ${src_dport:+--dport $src_dport} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} + $IPTABLES -I zone_${src}_forward 1 \ + ${protocol:+-p $protocol} \ + -d $dest_ip \ + ${src_ip:+-s $srcdip} \ + ${src_port:+--sport $src_port} \ + ${dest_port:+--dport $dest_port} \ + ${src_mac:+-m mac --mac-source $src_mac} \ + -j ACCEPT +} + +fw_include() { + local path + config_get path $1 path + [ -e $path ] && . $path +} + +fw_addif() { + local up + local ifname + config_get up $1 up + config_get ifname $1 ifname + [ -n "$up" ] || return 0 + (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall) +} + +fw_init() { + echo "Loading defaults" + config_foreach fw_defaults defaults + echo "Loading zones" + config_foreach fw_zone zone + echo "Loading interfaces" + config_foreach create_network_zone interface + echo "Loading rules" + config_foreach fw_rule rule + echo "Loading forwarding" + config_foreach fw_forwarding forwarding + echo "Loading redirects" + config_foreach fw_redirect redirect + echo "Loading includes" + config_foreach fw_include include + + uci_set_state firewall core "" firewall_state + uci_set_state firewall core loaded 1 + unset CONFIG_APPEND + config_load network + config_foreach fw_addif interface +} + +fw_stop() { + $IPTABLES -F + $IPTABLES -t nat -F + $IPTABLES -t mangle -F + $IPTABLES -X -t nat + $IPTABLES -X + $IPTABLES -P INPUT ACCEPT + $IPTABLES -P OUTPUT ACCEPT + $IPTABLES -P FORWARD ACCEPT +} diff --git a/package/iptables/files/firewall.awk b/package/firewall/files/old/firewall.awk similarity index 100% rename from package/iptables/files/firewall.awk rename to package/firewall/files/old/firewall.awk diff --git a/package/iptables/files/firewall.config b/package/firewall/files/old/firewall.config similarity index 100% rename from package/iptables/files/firewall.config rename to package/firewall/files/old/firewall.config diff --git a/package/iptables/files/firewall.init b/package/firewall/files/old/firewall.init similarity index 100% rename from package/iptables/files/firewall.init rename to package/firewall/files/old/firewall.init diff --git a/package/iptables/files/firewall.user b/package/firewall/files/old/firewall.user similarity index 100% rename from package/iptables/files/firewall.user rename to package/firewall/files/old/firewall.user diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 05ef15b1dd..5b43dfefb7 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -58,11 +58,6 @@ $(call Package/iptables/Default) MENU:=1 endef -define Package/iptables/conffiles -/etc/firewall.config -/etc/firewall.user -endef - define Package/iptables-mod-conntrack $(call Package/iptables/Module, +kmod-ipt-conntrack) TITLE:=connection tracking modules @@ -247,13 +242,6 @@ define Build/InstallDev endef define Package/iptables/install - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DATA) ./files/firewall.config $(1)/etc/ - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall - $(INSTALL_BIN) ./files/firewall.user $(1)/etc/ - $(INSTALL_DIR) $(1)/usr/lib - $(INSTALL_DATA) ./files/firewall.awk $(1)/usr/lib $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/usr/lib/iptables -- 2.25.1