diff options
Diffstat (limited to 'roles/common/files/usr/local/sbin/update-firewall.sh')
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 86 |
1 files changed, 43 insertions, 43 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 994df14..207eada 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -47,7 +47,7 @@ else ipsec=n fi -fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' +fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A f2b-\S' IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() @@ -66,21 +66,21 @@ usage() { } log() { - /usr/bin/logger -st firewall -p user.info -- "$@" + logger -st firewall -p user.info -- "$@" } fatal() { - /usr/bin/logger -st firewall -p user.err -- "$@" + logger -st firewall -p user.err -- "$@" exit 1 } iptables() { # Fake iptables/ip6tables(8); use the more efficient # iptables-restore(8) instead. - echo "$@" >> "$new"; + echo "$@" >>"$new"; } commit() { # End a table - echo COMMIT >> "$new" + echo COMMIT >>"$new" } inet46() { case "$1" in @@ -96,25 +96,25 @@ ipt-chains() { ?*) echo "*$1";; esac shift - done >> "$new" + done >>"$new" } ipt-trim() { # Remove dynamic chain/rules from the input stream, as they are # automatically included by third-party servers (such as strongSwan # or fail2ban). The output is ready to be made persistent. - grep -Ev -e '^:fail2ban-\S' \ + grep -Ev -e '^:f2b-\S' \ -e "$IPsec_re" \ - -e '-j fail2ban-\S+$' \ + -e '-j f2b-\S+$' \ -e "$fail2ban_re" } ipt-diff() { # Get the difference between two rulesets. if [ $verbose -eq 1 ]; then - /usr/bin/diff -u -I '^#' "$1" "$2" + diff -u -I '^#' --color=auto "$@" else - /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null + diff -q -I '^#' "$@" >/dev/null fi } @@ -127,12 +127,12 @@ ipt-persist() { local f rs table for f in "${!tables[@]}"; do - ipts=/sbin/$(inet46 $f iptables ip6tables)-save + ipts=$(inet46 $f iptables ip6tables)-save rs=/etc/iptables/rules.v$f for table in ${tables[$f]}; do - /bin/ip netns exec $netns $ipts -t $table - done | ipt-trim > "$rs" + ip netns exec $netns $ipts -t $table + done | ipt-trim >"$rs" chmod 0600 "$rs" done } @@ -143,7 +143,7 @@ ipt-revert() { local rs for f in "${!rss[@]}"; do - /sbin/$(inet46 $f iptables ip6tables)-restore -c < "${rss[$f]}" + $(inet46 $f iptables ip6tables)-restore -c <"${rss[$f]}" rm -f "${rss[$f]}" done exit 1 @@ -152,7 +152,7 @@ ipt-revert() { run() { # Build and apply the firewall for IPv4/6. local f="$1" - local ipt=/sbin/$(inet46 $f iptables ip6tables) + local ipt=$(inet46 $f iptables ip6tables) tables[$f]=filter # The default interface associated with this address. @@ -164,14 +164,14 @@ run() { new=$(mktemp --tmpdir new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table - done > "$old" + done >"$old" rss[$f]="$old" local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. - if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then + if [ "$f" = 4 ] && which fail2ban-server >/dev/null; then fail2ban=1 fi @@ -191,14 +191,14 @@ run() { if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest - grep -- '^:fail2ban-\S' "$old" || true - grep -E -- ' -j fail2ban-\S+$' "$old" || true - grep -E -- "$fail2ban_re" "$old" || true - fi >> "$new" + grep -- '^:f2b-\S' "$old" || true + grep -E -- ' -j f2b-\S+$' "$old" || true + grep -E -- "$fail2ban_re" "$old" || true + fi >>"$new" - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 -o "$f" = 6 ] && [ "$ipsec" = y ]; then # IPsec tunnels come first (IPv4 only). - grep -E -- "$IPsec_re" "$old" >> "$new" || true + grep -E -- "$IPsec_re" "$old" >>"$new" || true # Allow any IPsec $secproto protocol packets to be sent and received. iptables -A INPUT -i $if -p $secproto -j ACCEPT @@ -212,14 +212,14 @@ run() { # http://baldric.net/loose-iptables-firewall-for-servers/ local ip - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 ] && [ "$ipsec" = y ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) - local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" - local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \ + local MyIPsec="$( ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" + local MyNetwork="$( ip -4 -o address show dev $if scope global \ | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \ | while read ip; do for ips in $MyIPsec; do - [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip" + [ "$ips" = "$(netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip" done done )" @@ -227,7 +227,7 @@ run() { for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do # Don't lock us out if we are behind a NAT ;-) for myip in $MyNetwork; do - [ "$ip" = "$(/usr/bin/netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip" + [ "$ip" = "$(netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] || echo "$ip" done | uniq | while read ip; do iptables -A INPUT -i $if -s "$ip" -j DROP; done done @@ -260,9 +260,9 @@ run() { local localhost=$(inet46 $f '127.0.0.1/8' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT - if [ "$f" = 4 -a "$ipsec" = y ]; then + if [ "$f" = 4 ] && [ "$ipsec" = y ]; then # Allow local access to our virtual IP - /bin/ip -4 -o route show table 220 dev $if \ + ip -4 -o route show table 220 dev $if \ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \ | while read ips; do iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT @@ -340,25 +340,25 @@ run() { # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ - "$old" > "$oldz" + "$old" >"$oldz" - /bin/ip netns exec $netns $ipt-restore <"$new" || ipt-revert + ip netns exec $netns $ipt-restore <"$new" || ipt-revert for table in ${tables[$f]}; do - /bin/ip netns exec $netns $ipt-save -t $table - done > "$new" + ip netns exec $netns $ipt-save -t $table + done >"$new" - ipt-diff "$oldz" "$new" || rv1=$? + ipt-diff --label="a/$ipt-save" --label="b/$ipt-save" "$oldz" "$new" || rv1=$? - if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then + if ! [ -f "$persistent" ] && [ -x /etc/network/if-pre-up.d/iptables ]; then rv2=1 else - ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$? + ipt-trim <"$new" | ipt-diff --label="a/rules.v$f" --label="b/$ipt-save" "$persistent" - || rv2=$? fi local update="Please run '${0##*/}'." if [ $check -eq 0 ]; then - $ipt-restore <"$new" || ipt-revert + uniq "$new" | $ipt-restore || ipt-revert else if [ $rv1 -ne 0 ]; then log "WARN: The IPv$f firewall is not up to date! $update" @@ -394,7 +394,7 @@ done # If we are going to apply the ruleset, we should either have a TTY, or # use -f. -if ! /usr/bin/tty -s && [ $force -eq 0 -a $check -eq 0 ]; then +if ! tty -s && [ $force -eq 0 ] && [ $check -eq 0 ]; then echo "Error: Not a TTY. Try with -f (at your own risks!)" >&2 exit 1 fi @@ -403,10 +403,10 @@ fi # we can easily get a normalized version we can compare latter. See # http://bugzilla.netfilter.org/show_bug.cgi?id=790 netns="ipt-firewall-test-$$" -/bin/ip netns add $netns +ip netns add $netns -trap '/bin/ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT -trap '/bin/ip netns del $netns; rm -f "${rss[@]}"' EXIT +trap 'ip netns del $netns 2>/dev/null || true; ipt-revert' SIGINT +trap 'ip netns del $netns; rm -f "${rss[@]}"' EXIT rv=0 for f in ${addrfam:=4 6}; do @@ -417,7 +417,7 @@ if [ $force -eq 1 ]; then # At the user's own risks... ipt-persist -elif [ $check -eq 1 -o $rv -eq 0 ]; then +elif [ $check -eq 1 ] || [ $rv -eq 0 ]; then # Nothing to do, we're all set. exit $rv |