├── etc ├── arno-iptables-firewall │ ├── custom-rules │ └── plugins │ │ ├── linux-upnp-igd.conf │ │ ├── dmz-dnat.conf │ │ ├── transparent-proxy.conf │ │ ├── rpc.conf │ │ ├── pptp-vpn-passthrough.conf │ │ ├── sip-voip.conf │ │ ├── traffic-accounting.conf │ │ ├── ipv6-over-ipv4.conf │ │ ├── transparent-dnat.conf │ │ ├── ipsec-vpn.conf │ │ ├── outbound-snat.conf │ │ ├── dyndns-host-open.conf │ │ ├── multiroute.conf │ │ ├── mac-address-filter.conf │ │ ├── ssh-brute-force-protection.conf │ │ ├── ids-protection.conf │ │ ├── nat-loopback.conf │ │ ├── adaptive-ban.conf │ │ ├── pptp-vpn.conf │ │ ├── dsl-ppp-modem.conf │ │ ├── traffic-shaper.conf │ │ └── parasitic-net.conf ├── logrotate.d │ └── arno-iptables-firewall ├── rsyslog.d │ └── arno-iptables-firewall.conf └── init.d │ └── arno-iptables-firewall ├── share ├── arno-iptables-firewall │ ├── plugins │ │ ├── pptp-vpn.CHANGELOG │ │ ├── outbound-snat.CHANGELOG │ │ ├── pptp-vpn-passthrough.CHANGELOG │ │ ├── nat-loopback.CHANGELOG │ │ ├── rpc.CHANGELOG │ │ ├── ids-protection.CHANGELOG │ │ ├── mac-address-filter.CHANGELOG │ │ ├── transparent-proxy.CHANGELOG │ │ ├── dsl-ppp-modem.CHANGELOG │ │ ├── ipv6-over-ipv4.CHANGELOG │ │ ├── traffic-accounting-log-rotate │ │ ├── linux-upnp-igd.CHANGELOG │ │ ├── transparent-dnat.CHANGELOG │ │ ├── dmz-dnat.CHANGELOG │ │ ├── parasitic-net.CHANGELOG │ │ ├── ssh-brute-force-protection.CHANGELOG │ │ ├── multiroute.CHANGELOG │ │ ├── sip-voip.CHANGELOG │ │ ├── traffic-accounting-show │ │ ├── traffic-shaper.CHANGELOG │ │ ├── ipsec-vpn.CHANGELOG │ │ ├── traffic-accounting.CHANGELOG │ │ ├── 50ipv6-over-ipv4.plugin │ │ ├── dyndns-host-open.CHANGELOG │ │ ├── 50linux-upnp-igd.plugin │ │ ├── 50pptp-vpn-passthrough.plugin │ │ ├── 50sip-voip.plugin │ │ ├── 90rpc.plugin │ │ ├── 50transparent-dnat.plugin │ │ ├── 50dyndns-host-open.plugin │ │ ├── 50transparent-proxy.plugin │ │ ├── dyndns-host-open-helper │ │ ├── 90traffic-accounting.plugin │ │ ├── 90outbound-snat.plugin │ │ ├── 
50ssh-brute-force-protection.plugin │ │ ├── 90ids-protection.plugin │ │ ├── adaptive-ban-helper │ │ ├── 50ipsec-vpn.plugin │ │ ├── 90dmz-dnat.plugin │ │ ├── 10mac-address-filter.plugin │ │ ├── 50pptp-vpn.plugin │ │ └── 95adaptive-ban.plugin │ ├── aif-job-execute │ └── aif-job-processor └── man │ ├── man1 │ └── arno-fwfilter.1 │ └── man8 │ └── arno-iptables-firewall.8 ├── lib └── systemd │ └── system │ └── arno-iptables-firewall.service ├── contrib ├── Redhat │ └── syslog.conf ├── Slackware │ └── syslog.conf ├── Debian │ └── syslog.conf └── adsl-failover └── uninstall.sh /etc/arno-iptables-firewall/custom-rules: -------------------------------------------------------------------------------- 1 | # Put any custom (iptables) rules here down below: 2 | ################################################## 3 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/pptp-vpn.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.00 BETA (February 21, 2011) 2 | ----------------------------------- 3 | + Initial version 4 | 5 | -------------------------------------------------------------------------------- /etc/logrotate.d/arno-iptables-firewall: -------------------------------------------------------------------------------- 1 | /var/log/arno-iptables-firewall 2 | { 3 | rotate 4 4 | weekly 5 | missingok 6 | notifempty 7 | compress 8 | delaycompress 9 | copytruncate 10 | } 11 | 12 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/outbound-snat.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.01 (July 12, 2016) 2 | ---------------------------- 3 | + Add support for NAT_IF with fallback to EXT_IF 4 | 5 | Version 1.00 BETA (September 22, 2012) 6 | -------------------------------------- 7 | + Initial version 8 | 9 | 
-------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.01 (June 15, 2017) 2 | ---------------------------- 3 | + Add support for v2.0.2 using the CONNTRACK_HELPER chain 4 | 5 | Version 1.00 (January 9, 2016) 6 | ------------------------------ 7 | + Initial version 8 | 9 | -------------------------------------------------------------------------------- /etc/rsyslog.d/arno-iptables-firewall.conf: -------------------------------------------------------------------------------- 1 | 2 | # Log firewall messages to /var/log/arno-iptables-firewall (asynchronously), 3 | # and then drop them so that they aren't logged again elsewhere. 4 | 5 | if $syslogfacility-text == 'kern' \ 6 | and $msg contains 'AIF:' then -/var/log/arno-iptables-firewall 7 | & stop 8 | 9 | if $syslogtag == 'firewall:' then -/var/log/arno-iptables-firewall 10 | 11 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/nat-loopback.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.02 (February 2, 2019) 2 | ------------------------------- 3 | * Remove unused for-loops 4 | 5 | Version 1.01 (July 12, 2016) 6 | ---------------------------- 7 | + Add support for NAT_IF requiring AIF 2.0.1g or later 8 | 9 | Version 1.00 BETA (October 15, 2012) 10 | ------------------------------------ 11 | + Initial version 12 | 13 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/rpc.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.22-BETA (April 13, 2020) 2 | ---------------------------------- 3 | ! 
Parsing of rpcinfo failed due to missing EOL-space conversion 4 | 5 | Version 0.2-BETA (January 16, 2012) 6 | ----------------------------------- 7 | + Added RPC_NETS variable to restrict access 8 | * Few tweaks, fixes & cleanups 9 | 10 | Version 0.1-BETA (January 16, 2012) 11 | ----------------------------------- 12 | - Initial version 13 | 14 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/linux-upnp-igd.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Linux UPnP IGD plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # We don't have parameters for now... 
10 | # ------------------------------------------------------------------------------ 11 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/ids-protection.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.1 (September 21, 2010) 2 | ---------------------------- 3 | * Updated for mixed IPv4/IPv6 4 | 5 | Version 1.02 (July 27, 2009) 6 | ---------------------------- 7 | + Implemented TCP & UDP port excludes 8 | * Always ignore ICMP packets for IDS checking 9 | 10 | Version 1.01 (May 9, 2009) 11 | -------------------------- 12 | + Version bump + minor tweaks 13 | * Option to set the interfaces to protect 14 | 15 | Version 0.21BETA (August 11, 2008) 16 | ---------------------------------- 17 | * First initial working version 18 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/dmz-dnat.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - DMZ-host port forwarding plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # The host which receives traffic by default 10 | # ------------------------------------------------------------------------------ 11 | DMZ_IP="" 12 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/mac-address-filter.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.1a (July 21, 2015) 2 | ---------------------------- 3 | ! 
Mac module loading on newer systems 4 | 5 | Version 1.1 (September 19, 2010) 6 | ------------------------------- 7 | + Updated to support mixed IPv4/IPv6 8 | 9 | Version 1.0a (March 10, 2009) 10 | ------------------------------- 11 | ! Fixed incorrect IFS 12 | 13 | Version 1.0 (February 26, 2009) 14 | ------------------------------- 15 | ! Fixed typo in the sed syntax 16 | 17 | Version 0.1BETA (February 26, 2009) 18 | ------------------------------------ 19 | * First initial version (moved from the main script) 20 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/transparent-proxy.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.04 (July 31, 2015) 2 | -------------------------------- 3 | * Use modprobe_multi for newer kernels 4 | 5 | Version 1.03 (September 19, 2010) 6 | -------------------------------- 7 | * Changed to be IPv4-only 8 | 9 | Version 1.02 (September 8, 2008) 10 | -------------------------------- 11 | ! Fixed incorrect configuration filename 12 | 13 | Version 1.01 (September 4, 2008) 14 | ------------------------------------ 15 | ! Fixed accidental DOS formating of the plugin 16 | 17 | Version 1.0 (August 9, 2008) 18 | ------------------------------------ 19 | * Simply move of the code from the main script 20 | 21 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/dsl-ppp-modem.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.0g (October 20, 2011) 2 | ------------------------------- 3 | ! Iptables negation changed in newer versions from intraposition to extraposition 4 | ! Indent missing (cosmetic) 5 | 6 | Version 1.0e (June 18, 2009) 7 | ---------------------------- 8 | ! 
Fixed stop section didn't remove the INPUT-hook properly causing the main 9 | script to report an error on restart 10 | 11 | Version 1.0c (March 17, 2009) 12 | ----------------------------- 13 | * Cleanup 14 | + Allow DHCP packets by default 15 | 16 | Version 1.0 (August 11, 2008) 17 | ----------------------------- 18 | * Simple move of the code out of the main script 19 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/transparent-proxy.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Transparent Proxy plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # (Transparent) proxy settings 10 | # ------------------------------------------------------------------------------ 11 | #HTTP_PROXY_PORT="3128" 12 | HTTPS_PROXY_PORT="" 13 | FTP_PROXY_PORT="" 14 | SMTP_PROXY_PORT="" 15 | POP3_PROXY_PORT="" 16 | 17 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/ipv6-over-ipv4.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.2BETA (October 8, 2010) 2 | ------------------------------------ 3 | + Added IPV6_OVER_IPV4_SERVER variable to restrict source packets 4 | ! 
Removed IPv4 rule allowing proto 58, which is icmpv6 5 | IPv6 icmpv6 packets are handled by the main script 6 | 7 | Version 0.12BETA (February 19, 2008) 8 | ------------------------------------ 9 | * Minor tweak for PLUGIN_RET_VAL 10 | 11 | Version 0.11BETA (February 13, 2008) 12 | ------------------------------------ 13 | + Updated according to the new plugin template 14 | 15 | Version 0.1BETA (December 18, 2007) 16 | ----------------------------------- 17 | + First initial version. 18 | 19 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/rpc.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - RPC plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # RPC services to enable 10 | # ------------------------------------------------------------------------------ 11 | RPC_SERVICES="" 12 | 13 | # Nets to allow for RPC services 14 | # ------------------------------------------------------------------------------ 15 | RPC_NETS="" -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/traffic-accounting-log-rotate: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | log_file="/var/log/traffic-accounting.log" 4 | keeps=13 5 | 6 | log_rotate() 7 | { 8 | # $1 = filename 9 | # $2 = keep count 10 | filename="$1" 11 | 12 | if [ -f "$filename.$2" ]; then 13 | rm -f "$filename.$2" 14 | fi 15 | 16 | for x in `seq $(($2 + 1)) -1 1`; do 17 | if [ -f "$filename.$x" ]; then 18 | mv "$filename.$x" "$filename.$(($x + 1))" 19 | fi 20 | done 21 | 
22 | if [ -f "$filename" ]; then 23 | mv "$filename" "$filename.1" 24 | 25 | # Reset counters 26 | cat "$filename.1" |awk '{ print $1" "$2" 0 0" }' > "$filename" 27 | fi 28 | } 29 | 30 | 31 | # main 32 | log_rotate "$log_file" $keeps 33 | 34 | 35 | -------------------------------------------------------------------------------- /lib/systemd/system/arno-iptables-firewall.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Arno's Iptables Firewall(AIF) 3 | Documentation=man:arno-iptables-firewall(8) 4 | Documentation=https://github.com/arno-iptables-firewall/aif 5 | DefaultDependencies=no 6 | After=local-fs.target network-online.target 7 | Requires=local-fs.target network-online.target 8 | Conflicts=shutdown.target 9 | Before=shutdown.target 10 | 11 | [Service] 12 | Type=oneshot 13 | ExecStart=/usr/local/sbin/arno-iptables-firewall start 14 | ExecStop=/usr/local/sbin/arno-iptables-firewall stop 15 | ExecReload=/usr/local/sbin/arno-iptables-firewall force-reload 16 | RemainAfterExit=yes 17 | ProtectSystem=true 18 | ProtectHome=true 19 | PrivateTmp=false 20 | LimitNPROC=1 21 | DeviceAllow=/dev/null rw 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - PPTP VPN Passthrough plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients 10 | # have NAT between them and the PPTP VPN server 
special packet handling must be performed. 11 | # This plugin loads the required Linux Kernel modules to handle that situation. 12 | # 13 | # No configuration options 14 | # ------------------------------------------------------------------------------ 15 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/linux-upnp-igd.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.0a (October 10, 2011) 2 | --------------------------------- 3 | ! Iptables negation changed in newer versions from intraposition to extraposition 4 | 5 | Version 0.14BETA (August 4, 2008) 6 | --------------------------------- 7 | * Plugin should be disabled by default (ENABLED=0) 8 | * Rename to "linux-upnp-igd" 9 | 10 | Version 0.13BETA (February 19, 2008) 11 | ------------------------------------ 12 | * Minor tweak for PLUGIN_RET_VAL 13 | 14 | Version 0.12BETA (February 13, 2008) 15 | ------------------------------------ 16 | + Updated according to the new plugin template 17 | 18 | Version 0.11 (January 30, 2008) 19 | ------------------------------- 20 | + Updated for new config file location / detection 21 | 22 | Version 0.1 (September 5, 2007) 23 | ------------------------------- 24 | + Creation of the first version 25 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/sip-voip.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - SIP-VOIP plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # This plugin automatically opens inbound RTP voice ports 
by tracking 10 | # the inbound (INET) SIP sessions. 11 | # 12 | # Specify the UDP port(s) for SIP (default is 5060) 13 | # ------------------------------------------------------------------------------ 14 | SIP_VOIP_PORTS="5060" 15 | 16 | # Specify the allowed remote hosts(s) for SIP (default is all hosts) 17 | # ------------------------------------------------------------------------------ 18 | SIP_VOIP_REMOTE_HOSTS="0/0" 19 | 20 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/traffic-accounting.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Traffic Accounting plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify here the time(s) in minutes between executes of the helper script 10 | # (leave default if you don't know what it is). 11 | # ------------------------------------------------------------------------------ 12 | TRAFFIC_ACCOUNTING_TIME="15" 13 | 14 | # Put in the following variables which hosts you want to do 15 | # accounting for (space separated). 
16 | # ------------------------------------------------------------------------------ 17 | TRAFFIC_ACCOUNTING_HOSTS="" 18 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/ipv6-over-ipv4.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - IPv6-over-IPv4 plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # The IPv4 address of the IPv6 tunnel server 10 | # For a 6in4 static tunnel define with the remote IPv4 address 11 | # For a 6to4 relay tunnel define with 0/0 12 | # ------------------------------------------------------------------------------ 13 | IPV6_OVER_IPV4_SERVER="0/0" 14 | 15 | # The external interface(s) to allow IPv4 packets for the IPv6 tunnel 16 | # ------------------------------------------------------------------------------ 17 | IPV6_OVER_IPV4_IF="" 18 | 19 | # Note: Be sure to add the IPv6 tunnel interface (ex. he-ipv6) to the EXT_IF 20 | # variable in your configuration. 21 | 22 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/transparent-dnat.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.31BETA (July 31, 2015) 2 | -------------------------------- 3 | * Use modprobe_multi for newer kernels 4 | 5 | Version 0.30BETA (March 17, 2009) 6 | --------------------------------- 7 | * Cleanup 8 | * Misc. 
tweaks 9 | 10 | Version 0.23BETA (February 19, 2008) 11 | ------------------------------------ 12 | * Minor tweak for PLUGIN_RET_VAL 13 | 14 | Version 0.22BETA (February 13, 2008) 15 | ------------------------------------ 16 | + Updated according to the new plugin template 17 | 18 | Version 0.21BETA (January 30, 2008) 19 | ----------------------------------- 20 | * Changed hardcoded iptables to iptables 21 | 22 | Version 0.2BETA (November 15, 2007) 23 | ----------------------------------- 24 | * Plugin cleanup 25 | * Changed OUTPUT to PREROUTING chain (cleaner + faster) 26 | * Updated for new plugin model (with PLUGIN_CMD) + better layout 27 | 28 | Version 0.1BETA (May 26, 2006) 29 | ------------------------------------ 30 | * Initial version (courtesy of Rok Potocnik) 31 | 32 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/transparent-dnat.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Transparent DNAT plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify here the internal IP of this host (the IP that will be redirected TO) 10 | # ------------------------------------------------------------------------------ 11 | DNAT_MY_INTERNAL_IP="" 12 | 13 | # Specify here the external IP (the IP that will be redirected FROM) 14 | # ------------------------------------------------------------------------------ 15 | DNAT_MY_EXTERNAL_IP="" 16 | 17 | # Specify here the ports you want to enable transparent DNAT for (multiple ports comma separated) 18 | # ------------------------------------------------------------------------------ 19 | 
DNAT_TCP_PORTS="" 20 | DNAT_UDP_PORTS="" 21 | 22 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/ipsec-vpn.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - IPsec VPN plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify here both the local & remove subnets that participate in the VPN. 10 | # If no networks are named, then all implicitly allowed (i.e. 0/0). 11 | # ------------------------------------------------------------------------------ 12 | IPSEC_VPN_NETS="" 13 | 14 | # Specify here the inet-hosts that are allowed to connect to the ipsec service 15 | # ports: 16 | # ------------------------------------------------------------------------------ 17 | IPSEC_ALLOWED_HOSTS="0/0" 18 | 19 | # To enable UDP-encapsulation for NAT traversal: 20 | # ------------------------------------------------------------------------------ 21 | IPSEC_NAT_TRAVERSAL=0 22 | 23 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/outbound-snat.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Outbound SNAT plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # When a NAT'ed external interface has multiple IPv4 
addresses, it may be 10 | # desirable to specify which internal IP's or CIDR's use which external 11 | # IPv4 addresses for outbound connections. 12 | # 13 | # Format: (space or comma separated) 14 | # "SRCIP1>VIAIP1 SRCIP2>VIAIP2 ... SRCIPn>VIAIPn" 15 | # 16 | # Note 1: SRCIP (internal) may be a single IP or CIDR address. 17 | # 18 | # Note 2: VIAIP (external) must be a single IP address 19 | # 20 | # Example: 21 | # OUTBOUND_SNAT_NET_HOST="192.168.1.20>1.2.3.10 192.168.10/24>1.2.3.11" 22 | # (IPv4 Only) 23 | # ------------------------------------------------------------------------------ 24 | OUTBOUND_SNAT_NET_HOST="" 25 | 26 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/dmz-dnat.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.10 (January 5, 2019) 2 | ---------------------------- 3 | * Changed to support ipt_if() function (requires AIF 2.1.0+) 4 | 5 | Version 0.08 (July 12, 2016) 6 | ---------------------------- 7 | + Add support for NAT_IF with fallback to EXT_IF 8 | 9 | Version 0.07BETA (August 14, 2011) 10 | ----------------------------------- 11 | * Changed to support parse_rule() 12 | 13 | Version 0.06BETA (September 19, 2010) 14 | ----------------------------------- 15 | * Changed to be IPv4-only 16 | 17 | Version 0.05BETA (May 14, 2009) 18 | ----------------------------------- 19 | + Lonnie's patch to include $OPEN_TCP, $OPEN_UDP, $OPEN_IP 20 | 21 | Version 0.04BETA (May 12, 2009) 22 | ----------------------------------- 23 | + Quieted some harmless error messages. 24 | 25 | Version 0.03BETA (May 10, 2009) 26 | ----------------------------------- 27 | + Updated to avoid NATting HOST_OPEN_TCP and HOST_OPEN_UDP. 28 | 29 | Version 0.02BETA (May 9, 2009) 30 | ----------------------------------- 31 | + Updated to use new POST_NAT_PREROUTING chain. 
32 | 33 | Version 0.01BETA (May 7, 2009) 34 | ----------------------------------- 35 | + First initial version. 36 | 37 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/parasitic-net.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.01 (January 14, 2019) 2 | ------------------------------- 3 | + Support for specifying source hosts in PARASITIC_NET_HOST_xxxxxxxxxxxxx variables 4 | 5 | Version 1.00 (May 9, 2019) 6 | -------------------------- 7 | ! Fixed (dynamic) host multi IP handling 8 | ! Fixed misplaced RETVAL=1 statement 9 | 10 | Version 1.00-RC1 (February 12, 2019) 11 | ------------------------------------ 12 | * Sync code with dyndns-host-open & traffic-accounting plugins 13 | 14 | Version 1.00-BETA3 (June 11, 2018) 15 | ---------------------------------- 16 | * Added new dynamic host support (requires AIF 2.1.0+) 17 | 18 | Version 1.00-BETA2 (April 5, 2018) 19 | ---------------------------------- 20 | + Allow specifying multiple interfaces 21 | + Allow specifying IP for interfaces to use (aliased) interfaces with multiple IPs 22 | + Allow specifying subnet for PARASITIC_NET_CLIENTS_HOSTS or leaving it empty 23 | + Instead of only allowing certain hosts, also allow specifying which TCP/UDP/ICMP/IP protos to allow/deny 24 | + Add setting to select deny-policy (DROP or REJECT) 25 | * Misc. 
tweaks/refactor 26 | 27 | Version 1.00-BETA1 (July 25, 2017) 28 | ---------------------------------- 29 | + Initial version 30 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/dyndns-host-open.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - DynDNS Host Open plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify here the time(s) in minutes between executes of the helper script 10 | # (leave default if you don't know what it is). 11 | # ------------------------------------------------------------------------------ 12 | DYNDNS_HOST_OPEN_TIME="15" 13 | 14 | # Put in the following variables which (dyndns) hosts (names) you want to allow 15 | # for certain services. 16 | # TCP/UDP port format (DYNDNS_HOST_OPEN_TCP & DYNDNS_HOST_OPEN_UDP): 17 | # "host1,host2~port1,port2 host3,host4~port3,port4 ..." 18 | # 19 | # IP protocol format (DYNDNS_HOST_OPEN_IP): 20 | # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..." 21 | # 22 | # ICMP protocol format (DYNDNS_HOST_OPEN_ICMP): 23 | # "host1 host2 ...." 
24 | # ------------------------------------------------------------------------------ 25 | DYNDNS_HOST_OPEN_TCP="" 26 | DYNDNS_HOST_OPEN_UDP="" 27 | DYNDNS_HOST_OPEN_IP="" 28 | DYNDNS_HOST_OPEN_ICMP="" 29 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/multiroute.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Multirouting plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # RP_FILTER settings (Only set this to 0, if you know what you're doing) 10 | # ------------------------------------------------------------------------------ 11 | RP_FILTER_DISABLE=1 12 | 13 | # Settings for the first interface: 14 | # ------------------------------------------------------------------------------ 15 | MULTIROUTE_EXT_IF1=eth0 16 | MULTIROUTE_EXT_ROUTER1=1.2.3.5 17 | MULTIROUTE_EXT_IP1=5.6.7.9 18 | MULTIROUTE_EXT_WEIGHT1=1 19 | 20 | # Settings for the second interface: 21 | # ------------------------------------------------------------------------------ 22 | MULTIROUTE_EXT_IF2=eth1 23 | MULTIROUTE_EXT_ROUTER2=1.2.3.4 24 | MULTIROUTE_EXT_IP2=5.6.7.8 25 | MULTIROUTE_EXT_WEIGHT2=1 26 | 27 | # Optional settings if you also use an internal interface (for your LAN/gateway) 28 | # ------------------------------------------------------------------------------ 29 | MULTIROUTE_INT_IP=192.168.0.1 30 | MULTIROUTE_INT_NET=192.168.0.0/24 31 | 32 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/mac-address-filter.conf: 
-------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - MAC Address Filter plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify the interface(s) the MAC Address Filter is applied to (eg. INT_IF) 10 | # ------------------------------------------------------------------------------ 11 | MAC_ADDRESS_IF="$INT_IF" 12 | 13 | # Enable logging for not-allowed MAC addresses (if used). 14 | # ----------------------------------------------------------------------------- 15 | MAC_ADDRESS_LOG=1 16 | 17 | # Specify the location here of the file that contains the MAC addresses of the 18 | # hosts on the interfaces specified in "$MAC_ADDRESS_IF" that are allowed. 19 | # The MAC addresses should be written like 00:11:22:33:44:55 optionally followed 20 | # by a (space-separated) IP address, to lock the MAC-address to a certain IP. 21 | # Each line should contain one MAC address (+optional IP address) and the last 22 | # line should contain a carriage-return! 23 | # ----------------------------------------------------------------------------- 24 | MAC_ADDRESS_FILE="/etc/arno-iptables-firewall/mac-addresses" 25 | -------------------------------------------------------------------------------- /contrib/Redhat/syslog.conf: -------------------------------------------------------------------------------- 1 | # /etc/syslog.conf Example configuration file for syslogd on RedHat (you can optionally use this as a replacement). 2 | # This will redirect all kernel-debug logging to file /var/log/arno-iptables-firewall. 
3 | # Don't forget to touch(create) /var/log/arno-iptables-firewall first & set "LOGLEVEL=debug" in the 4 | # firewall configuration file (firewall.conf)! 5 | 6 | # Log all kernel messages to the console. 7 | # Logging much else clutters up the screen. 8 | #kern.* /dev/console 9 | 10 | # Log anything (except mail) of level info or higher. 11 | # Don't log private authentication messages! 12 | *.info;mail.none;authpriv.none;cron.none /var/log/messages 13 | 14 | # The authpriv file has restricted access. 15 | authpriv.* /var/log/secure 16 | 17 | # Log all the mail messages in one place. 18 | mail.* /var/log/maillog 19 | 20 | 21 | # Log cron stuff 22 | cron.* /var/log/cron 23 | 24 | # Everybody gets emergency messages, plus log them on another 25 | # machine. 26 | *.emerg * 27 | 28 | # Save mail and news errors of level err and higher in a 29 | # special file. 30 | uucp,news.crit /var/log/spooler 31 | 32 | # Save boot messages also to boot.log 33 | local7.* /var/log/boot.log 34 | 35 | # Log all iptables messages to /var/log/arno-iptables-firewall 36 | kern.=debug /var/log/arno-iptables-firewall 37 | 38 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/ssh-brute-force-protection.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.1 (September 21, 2010) 2 | ------------------------------------ 3 | * Updated for mixed IPv4/IPv6 4 | 5 | Version 0.34BETA (February 19, 2008) 6 | ------------------------------------ 7 | * Minor tweak for PLUGIN_RET_VAL 8 | 9 | Version 0.33BETA (February 13, 2008) 10 | ------------------------------------ 11 | + Updated according to the new plugin template 12 | 13 | Version 0.32BETA (January 30, 2008) 14 | ------------------------------------ 15 | + Updated for new config file location / detection 16 | 17 | Version 0.31BETA (December 18, 2007) 18 | ------------------------------------ 19 | * Layout changes 20 | ! 
Fixed bug in port routine, rendering the plugin useless 21 | ! No port configured will now fallback to port 22 22 | 23 | Version 0.30BETA (November 21, 2007) 24 | ------------------------------------ 25 | * Updated for new plugin model (with PLUGIN_CMD) + better layout 26 | + Added SSH_BFP_PORTS to allow the user to modify the SSH port used 27 | 28 | Version 0.24BETA (May 25, 2007) 29 | ------------------------------- 30 | + Added variable sanity check 31 | * Changes some variable names 32 | 33 | Version 0.23BETA (December 28, 2006) 34 | ------------------------------------ 35 | + Added dual rate checkers. You can now use one for a short interval 36 | and one for a long interval 37 | + Separate config file (new plugin standard) 38 | + Misc. cosmetic changes 39 | 40 | Version 0.2BETA (October 20, 2006) 41 | --------------------------------- 42 | + Added SSH trusted hosts variable for whitelisting of certain hosts 43 | -------------------------------------------------------------------------------- /share/man/man1/arno-fwfilter.1: -------------------------------------------------------------------------------- 1 | .TH "ARNO_FWFILTER" "1" "September 2005" "Michael Hanke" "" 2 | .SH "NAME" 3 | arno\-fwfilter \- a filter script to make iptables firewall logs more readable for humans 4 | .SH "SYNOPSIS" 5 | \fBarno\-fwfilter\fR [\fIOPTIONS\fR] 6 | .SH "DESCRIPTION" 7 | \fBarno\-fwfilter\fR is a pipe filter script to make the firewall\-log better readable. Some usage examples are: 8 | .TP 9 | Static firewall log filtering: 10 | arno-fwfilter < logfile 11 | .TP 12 | Realtime firewall logging on tty10: 13 | tail \-\-follow | arno-fwfilter >/dev/tty10 & 14 | .SH "OPTIONS" 15 | .TP 16 | \fB\-\-help\fR, \fB\-h\fR 17 | Print the available options. 18 | .TP 19 | \fB\-\-no-resolve\fR, \fB\-r\fR 20 | Disable resolving of IPs to names. 21 | .TP 22 | \fB\-\-html\-output\fR, \fB\-o\fR 23 | Use basic HTML to format the output. 
24 | .TP 25 | \fB\-\-no\-locations\fR, \fB\-l\fR 26 | Disable the (attempted) lookup of the IP's geographical location. By default, 27 | http://www.hostip.info/ is visited to get this information, which means the IP addresses from your firewall log are sent to that external service. 28 | .TP 29 | \fB\-\-no\-colors\fR, \fB\-c\fR 30 | Disable the use of colors in the output. 31 | .TP 32 | \fB\-\-single\-line\fR, \fB\-s\fR 33 | Put all information about an event on a single line 34 | .SH "SEE ALSO" 35 | .BR iptables "(8)", 36 | .BR arno\-iptables\-firewall "(8)" 37 | .PP 38 | The 39 | .I https://github.com/arno-iptables-firewall/aif 40 | web site. 41 | .SH "AUTHOR" 42 | \fBarno\-fwfilter\fR was written by Arno van Amersfoort . 43 | .PP 44 | This manual page was written by Michael Hanke , 45 | for the Debian project (but may be used by others). 46 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/multiroute.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.00 (February 6, 2020) 2 | ------------------------------- 3 | ! Replace ip route "equalize" with "scope global" since equalize is no longer supported (by default) in newer distributions 4 | 5 | Version 0.29BETA (February 19, 2008) 6 | ------------------------------------ 7 | * Minor tweak for PLUGIN_RET_VAL 8 | 9 | Version 0.28BETA (February 18, 2008) 10 | ------------------------------------ 11 | * Added some extra del rules to purge the rule & route tables on start/stop 12 | 13 | Version 0.27BETA (February 18, 2008) 14 | ------------------------------------ 15 | ! Fixed several typos/bugs 16 | 17 | Version 0.26BETA (February 17, 2008) 18 | ------------------------------------ 19 | ! 
Fixed double || syntax error in sanity_check() 20 | 21 | Version 0.25BETA (February 16, 2008) 22 | ------------------------------------ 23 | + Implemented stop() section which will disable multirouting on stop 24 | 25 | Version 0.24BETA (February 14, 2008) 26 | ------------------------------------ 27 | + Added weight options for the external interfaces 28 | 29 | Version 0.23BETA (February 13, 2008) 30 | ------------------------------------ 31 | + Updated according to the new plugin template 32 | 33 | Version 0.22BETA (January 30, 2008) 34 | ----------------------------------- 35 | + Updated for new config file location / detection 36 | 37 | Version 0.21BETA (May 25, 2007) 38 | ------------------------------------ 39 | + Added variable sanity check 40 | * Changed some variable names 41 | * Cosmetic improvements 42 | 43 | Version 0.20BETA (January 22, 2007) 44 | ------------------------------------ 45 | * Minor tweaks/changes 46 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/ssh-brute-force-protection.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - SSH Brute Force Protection plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Specify here the port(s) you want the SSH checks to apply to. Note that this 10 | # plugin does NOT open the ports for you, this must be done in the main script 11 | # with eg. OPEN_TCP! 
12 | # ------------------------------------------------------------------------------ 13 | SSH_BFP_PORTS="22" 14 | 15 | # Specify here the hosts you want to allow to bypass the SSH protection checks 16 | # ------------------------------------------------------------------------------ 17 | SSH_BFP_TRUSTED_HOSTS="" 18 | 19 | # 1st set of maximum allowed connection attempts 20 | # (default: 4 connections/60 seconds) 21 | # ------------------------------------------------------------------------------ 22 | SSH_BFP_MAX_RATE1="4" 23 | SSH_BFP_MAX_TIME1="60" 24 | 25 | # 2nd set of maximum allowed connection attempts 26 | # (default: 10 connections/1800 seconds) 27 | # ------------------------------------------------------------------------------ 28 | SSH_BFP_MAX_RATE2="10" 29 | SSH_BFP_MAX_TIME2="1800" 30 | 31 | # (EXPERT SETTING!) If ip6tables '-m recent' IPv6 support is not available: 32 | # Disable (0) if the kernel module xt_recent is not available, only IPv4 will be used. 33 | # ------------------------------------------------------------------------------ 34 | SSH_BFP_IPV6_ENABLE=1 35 | 36 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/sip-voip.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.32BETA (June 13, 2017) 2 | -------------------------------- 3 | * Add support for v2.0.2 using the CONNTRACK_HELPER chain 4 | 5 | Version 0.31BETA (July 31, 2015) 6 | -------------------------------- 7 | * Use modprobe_multi for newer kernels 8 | 9 | Version 0.3BETA (October 13, 2010) 10 | ----------------------------------- 11 | + Added SIP_VOIP_REMOTE_HOSTS variable to limit access by source address. 12 | 13 | Version 0.22BETA (August 23, 2009) 14 | ----------------------------------- 15 | ! No, that wasn't a regression, it's supposed to be called 'modprobe'. 
16 | 17 | Version 0.21BETA (August 22, 2009) 18 | ----------------------------------- 19 | ! Hopefully I'll stop introducing regressions one of these days. 20 | 21 | Version 0.20BETA (August 13, 2009) 22 | ----------------------------------- 23 | ! Fixed port / kernel check -- again. 24 | + Fixed IFS value so that $ports doesn't get split up if it contains commas. 25 | 26 | Version 0.15BETA (December 3, 2008) 27 | ----------------------------------- 28 | ! Fixed port / kernel check 29 | + Added proper stop() section 30 | 31 | Version 0.14BETA (November 30, 2008) 32 | ------------------------------------ 33 | ! Fixed plugin for kernels 2.6.25 and newer 34 | * Misc. tweaks 35 | 36 | Version 0.12BETA (February 19, 2008) 37 | ------------------------------------ 38 | * Minor tweak for PLUGIN_RET_VAL 39 | 40 | Version 0.11BETA (February 13, 2008) 41 | ------------------------------------ 42 | + Updated according to the new plugin template 43 | ! Config variable name mismatch (SIP_VOIP_PORTS vs. VOIP_SIP_PORTS. Changed it 44 | to SIP_VOIP_PORTS. 45 | 46 | Version 0.1BETA (January 30, 2008) 47 | ----------------------------------- 48 | + Initial version 49 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/ids-protection.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - IDS Protection plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Interface(s) that should be protected by IDS. 
Default is all external interfaces 10 | # ------------------------------------------------------------------------------ 11 | IDS_INTERFACE="" 12 | 13 | # Specify here the hosts you want to allow to bypass the IDS protection checks 14 | # ------------------------------------------------------------------------------ 15 | IDS_TRUSTED_HOSTS="" 16 | 17 | # Specify here the TCP & UDP ports you like to exclude from IDS checking 18 | # ------------------------------------------------------------------------------ 19 | IDS_EXCLUDE_TCP="" 20 | IDS_EXCLUDE_UDP="" 21 | 22 | # 1st set of maximum allowed connection attempts (default: 4 connections/60 seconds) 23 | # ------------------------------------------------------------------------------ 24 | IDS_MAX_RATE1="4" 25 | IDS_MAX_TIME1="60" 26 | 27 | # 2nd set of maximum allowed connection attempts (default: 10 connections/1800 seconds) 28 | # ------------------------------------------------------------------------------ 29 | IDS_MAX_RATE2="10" 30 | IDS_MAX_TIME2="1800" 31 | 32 | # (EXPERT SETTING!) If ip6tables '-m recent' IPv6 support is not available: 33 | # Disable (0) if the kernel module xt_recent is not available, only IPv4 will be used. 
34 | # ------------------------------------------------------------------------------ 35 | IDS_IPV6_ENABLE=1 36 | 37 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/nat-loopback.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - NAT Loopback plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # NAT Loopback for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP 10 | # rules. 11 | # Note: The default external IPv4 address is obtained from the first 12 | # interface defined in the EXT_IF variable. 13 | # 14 | # Limit local nets by defining NAT_LOOPBACK_NET, a space separated list. 15 | # Defaults to NAT_INTERNAL_NET if not defined. 16 | # 17 | # Example: 18 | # NAT_LOOPBACK_NET="192.168.1.0/24" 19 | # (IPv4 Only) 20 | # ------------------------------------------------------------------------------ 21 | NAT_LOOPBACK_NET="" 22 | 23 | # When local servers are in another LAN they are unreachable (by default) unless 24 | # FORWARD rules are created. When NAT_LOOPBACK_FORWARD is set to "1" the 25 | # FORWARD rules to the servers are created for all subnets in NAT_LOOPBACK_NET. 26 | # 27 | # Defaults to no added forwards if not set to "1" 28 | # ------------------------------------------------------------------------------ 29 | NAT_LOOPBACK_FORWARD=0 30 | 31 | # When this plugin's status is called, if the default external IPv4 address 32 | # has changed, the NAT_LOOPBACK_DNAT and NAT_LOOPBACK_SNAT chains will be 33 | # updated with the new address. 
Set NAT_LOOPBACK_UPDATE_ON_STATUS to "0" 34 | # to disable this automatic update on status. 35 | # 36 | # Example: 37 | # $ arno-iptables-firewall status-plugins nat-loopback 38 | # 39 | # Defaults to update on status if not set to "0" 40 | # ------------------------------------------------------------------------------ 41 | NAT_LOOPBACK_UPDATE_ON_STATUS=1 42 | 43 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/adaptive-ban.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Adaptive Ban plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # Log file where failed access attempts are derived 10 | # ------------------------------------------------------------------------------ 11 | ADAPTIVE_BAN_FILE="/var/log/messages" 12 | 13 | # The time in minutes between each iteration of analyzing the log file 14 | # ------------------------------------------------------------------------------ 15 | ADAPTIVE_BAN_TIME=2 16 | 17 | # The number of log failures to ban host 18 | # ------------------------------------------------------------------------------ 19 | ADAPTIVE_BAN_COUNT=6 20 | 21 | # A list of analysis types that are applied 22 | # Choose from: sshd asterisk lighttpd mini_httpd pptpd 23 | # ------------------------------------------------------------------------------ 24 | ADAPTIVE_BAN_TYPES="sshd asterisk" 25 | 26 | # By default, inbound packets from banned IP addresses will be silently DROP'ed 27 | # As an option, the packets can be REJECT'ed instead of being DROP'ed 28 | # Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be 
returned 29 | # ------------------------------------------------------------------------------ 30 | ADAPTIVE_BAN_REJECT=0 31 | 32 | # By default, INTERNAL (LAN) networks will be whitelisted against banning 33 | # As an option, this automatic whitelisting can be disabled 34 | # Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL whitelisting 35 | # ------------------------------------------------------------------------------ 36 | ADAPTIVE_BAN_WHITELIST_INTERNAL=1 37 | 38 | # Whitelist Hosts 39 | # A list of IP addresses whose traffic will never be banned 40 | # ------------------------------------------------------------------------------ 41 | ADAPTIVE_BAN_WHITELIST="" 42 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/traffic-accounting-show: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | TOTAL_IN=0 4 | TOTAL_OUT=0 5 | EOL=' 6 | ' 7 | 8 | show_human_size() 9 | { 10 | if [ $1 -lt 10000 ]; then 11 | echo "$1 Bytes" 12 | return 0 13 | fi 14 | 15 | if [ $1 -lt 10000000 ]; then 16 | echo "$(($1 / 1024)) KiB" 17 | return 0 18 | fi 19 | 20 | if [ $1 -lt 10000000000 ]; then 21 | echo "$(($1 / (1024*1024))) MiB" 22 | return 0 23 | fi 24 | 25 | echo "$(($1 / (1024*1024*1024))) GiB" 26 | return 0 27 | } 28 | 29 | # Program entry point 30 | 31 | if [ -n "$1" ]; then 32 | LOG_FILE="$1" 33 | else 34 | LOG_FILE="/var/log/traffic-accounting.log" 35 | fi 36 | 37 | echo "Bytes input:" 38 | echo "-------------" 39 | IFS=$EOL 40 | for LINE in `cat "$LOG_FILE" |sort -n --key=3 --reverse`; do 41 | hostname="$(echo "$LINE" |cut -s -d' ' -f1)" 42 | ip="$(echo "$LINE" |cut -s -d' ' -f2)" 43 | size="$(echo "$LINE" |cut -s -d' ' -f3)" 44 | 45 | if [ "$hostname" = "0/0" ]; then 46 | hostname="Other traffic" 47 | elif [ "$hostname" = "0.0.0.0/0" ]; then 48 | hostname="Other IPv4 traffic" 49 | elif [ "$hostname" = "::/0" ]; then 50 | hostname="Other IPv6 
traffic" 51 | fi 52 | 53 | echo "$hostname ($ip): $(show_human_size $size)" 54 | 55 | TOTAL_IN=$(($TOTAL_IN + $size)) 56 | done 57 | 58 | echo "" 59 | echo "Total input traffic: $(show_human_size $TOTAL_IN)" 60 | 61 | echo "" 62 | echo "Bytes output:" 63 | echo "-------------" 64 | IFS=$EOL 65 | for LINE in `cat "$LOG_FILE" |sort -n --key=4 --reverse`; do 66 | hostname="$(echo "$LINE" |cut -s -d' ' -f1)" 67 | ip="$(echo "$LINE" |cut -s -d' ' -f2)" 68 | size="$(echo "$LINE" |cut -s -d' ' -f4)" 69 | 70 | if [ "$hostname" = "0/0" ]; then 71 | hostname="Other traffic" 72 | elif [ "$hostname" = "0.0.0.0/0" ]; then 73 | hostname="Other IPv4 traffic" 74 | elif [ "$hostname" = "::/0" ]; then 75 | hostname="Other IPv6 traffic" 76 | fi 77 | 78 | echo "$hostname ($ip): $(show_human_size $size)" 79 | 80 | TOTAL_OUT=$(($TOTAL_OUT + $size)) 81 | done 82 | 83 | echo "" 84 | echo "Total output traffic: $(show_human_size $TOTAL_OUT)" 85 | 86 | 87 | -------------------------------------------------------------------------------- /etc/init.d/arno-iptables-firewall: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # chkconfig: 2345 09 91 4 | # description: init.d script for Arno's Iptables Firewall(AIF) 5 | 6 | ### BEGIN INIT INFO 7 | # Provides: arno-iptables-firewall 8 | # Required-Start: $local_fs $remote_fs $network 9 | # Required-Stop: $local_fs $remote_fs $network 10 | # Default-Start: S 11 | # Default-Stop: 0 6 12 | # Short-Description: Setup iptables firewall configuration 13 | ### END INIT INFO 14 | 15 | ############################################################################################ 16 | # You should put this script in eg. "/etc/init.d/" . # 17 | # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it # 18 | # If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # 19 | # (for eg. 
Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script # 20 | # ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). # 21 | ############################################################################################ 22 | 23 | PATH=/bin:/usr/bin:/sbin:/usr/sbin 24 | PROGRAM="/usr/local/sbin/arno-iptables-firewall" 25 | 26 | # Be verbose(1)?: 27 | VERBOSE=0 28 | 29 | test -x $PROGRAM || exit 0 30 | 31 | if [ "$VERBOSE" = "0" ]; then 32 | case "$1" in 33 | start) 34 | echo "Starting Arno's Iptables Firewall(AIF)..." 35 | ;; 36 | 37 | stop) 38 | echo "Stopping Arno's Iptables Firewall(AIF)..." 39 | ;; 40 | 41 | restart) 42 | echo "Restarting Arno's Iptables Firewall(AIF)..." 43 | ;; 44 | 45 | force-reload) 46 | echo "(Forced) reloading Arno's Iptables Firewall(AIF)..." 47 | ;; 48 | 49 | status) 50 | $PROGRAM $* 51 | exit $? 52 | ;; 53 | 54 | configtest) 55 | $PROGRAM check-conf 56 | exit $? 57 | ;; 58 | 59 | *) 60 | $PROGRAM 61 | exit 1 62 | ;; 63 | esac 64 | 65 | # Call firewall script: 66 | result=`$PROGRAM $*` 67 | retval=$? 68 | else 69 | $PROGRAM $* 70 | retval=$? 71 | fi 72 | 73 | # Return value: 74 | exit $retval 75 | 76 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/traffic-shaper.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.2.05 (December 27, 2012) 2 | ---------------------------------- 3 | + Allow DOWNLINK=0 to disable inbound (ingress) shaping, UPLINK must be greater than 0 4 | 5 | Version 1.2.04 (October 17, 2010) 6 | -------------------------------- 7 | + Added SHAPER_IF variable to specify a single interface should EXT_IF contain more than one 8 | 9 | Version 1.2.02 (September 11, 2009) 10 | -------------------------------- 11 | + Reformat informational message about down- and up-load speeds. 
12 | 13 | Version 1.2.01 (Augest 23, 2009) 14 | -------------------------------- 15 | + Call 'modprobe' directly and not module_probe as before. 16 | 17 | Version 1.2.00 (August 21, 2009) 18 | -------------------------------- 19 | + Give the actual downstream/upstream bandwidth for visual confirmation. 20 | 21 | Version 1.1.01 (March 22, 2009) 22 | ------------------------------- 23 | + Changed invocations of iptables to use short command names. 24 | + Now unload modules on 'stop'. 25 | + Check for presence of 'ip' and 'tc' during sanity routine. 26 | 27 | Version 1.1.00 (February 9, 2009) 28 | --------------------------------- 29 | + Added support for wildcard interface names (e.g. "ppp+"). 30 | 31 | Version 1.0.01 (December 6, 2008) 32 | --------------------------------- 33 | + Lonnie added support to DSCP, and HTB. 34 | 35 | Version 0.24BETA (December 1, 2008) 36 | ----------------------------------- 37 | ! Fixed last change broke busybox setups 38 | 39 | Version 0.23BETA (November 19, 2008) 40 | ------------------------------------ 41 | ! Fix error on Ubuntu 42 | 43 | Version 0.22BETA (November 17, 2008) 44 | ------------------------------------ 45 | - Cleanups 46 | 47 | Version 0.21BETA (August 11, 2008) 48 | ---------------------------------- 49 | + Added support for multiple interfaces 50 | 51 | VERSION 0.2BETA (February 19, 2008) 52 | ----------------------------------- 53 | ! 
Minor tweak for PLUGIN_RET_VAL 54 | + Updated according to the new plugin template 55 | + Changed config variables to have SHAPER_ prefix (since they might be shared 56 | by other similar plugins with different schedulers, like 'red' or 'cbq') 57 | 58 | VERSION 0.1BETA (February 12, 2008) 59 | ----------------------------------- 60 | + Initial version 61 | -------------------------------------------------------------------------------- /contrib/Slackware/syslog.conf: -------------------------------------------------------------------------------- 1 | # /etc/syslog.conf Example configuration file for syslogd on Slackware (you can optionally use this as a replacement). 2 | # This will redirect all kernel-debug logging to file /var/log/arno-iptables-firewall. 3 | # Don't forget to touch(create) /var/log/arno-iptables-firewall first & set "LOGLEVEL=debug" in the 4 | # firewall configuration file (firewall.conf)! 5 | 6 | # For info about the format of this file, see "man syslog.conf" 7 | # and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some 8 | # of these entries; this omits syncing the file after every logging. 9 | # In the event of a crash, some log information might be lost, so 10 | # if this is a concern to you then you might want to remove the '-'. 11 | # Be advised this will cause a performance loss if you're using 12 | # programs that do heavy logging. 13 | 14 | # Uncomment this to see kernel messages on the console. 15 | #kern.*;kern.!=debug /dev/console 16 | 17 | # Log anything 'info' or higher, but lower than 'warn'. 18 | # Exclude authpriv, cron, mail, and news. These are logged elsewhere. 19 | *.info;*.!warn;\ 20 | authpriv.none;cron.none;mail.none;news.none -/var/log/messages 21 | 22 | # Log anything 'warn' or higher. 23 | # Exclude authpriv, cron, mail, and news. These are logged elsewhere. 24 | *.warn;\ 25 | authpriv.none;cron.none;mail.none;news.none -/var/log/syslog 26 | 27 | # Debugging information is logged here. 
28 | *.=debug;kern.!=debug -/var/log/debug 29 | 30 | # Logging for iptables 31 | kern.=debug -/var/log/arno-iptables-firewall 32 | 33 | # Private authentication message logging: 34 | authpriv.* -/var/log/secure 35 | 36 | # Cron related logs: 37 | cron.* -/var/log/cron 38 | 39 | # Mail related logs: 40 | mail.* -/var/log/maillog 41 | 42 | # Emergency level messages go to all users: 43 | *.emerg * 44 | 45 | # This log is for news and uucp errors: 46 | uucp,news.crit -/var/log/spooler 47 | 48 | # Uncomment these if you'd like INN to keep logs on everything. 49 | # You won't need this if you don't run INN (the InterNetNews daemon). 50 | #news.=crit -/var/log/news/news.crit 51 | #news.=err -/var/log/news/news.err 52 | #news.notice -/var/log/news/news.notice 53 | 54 | 55 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/pptp-vpn.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - PPTP VPN plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # ------------------------------------------------------------------------------ 10 | # PPTP VPN Server Support 11 | # Note: The PPP interface wildcard 'ppp+' is used, along with PPTP_VPN_NETS to 12 | # identify PPTP VPN traffic. 13 | # 14 | # If PPP interfaces are specified for the external interface, they will 15 | # automatically be excluded from the PPTP VPN interface list. Should EXT_IF 16 | # contain 'ppp+' this plugin will be disabled. 
17 | # ------------------------------------------------------------------------------ 18 | 19 | # Define the local network where PPTP remote clients appear on, possibly 20 | # via proxyarp in an unused LAN/DMZ address range. 21 | # Examples: 22 | # 16 clients, 192.168.1.224-239 range, PPTP_VPN_NETS="192.168.1.224/28" 23 | # 8 clients, 192.168.1.232-239 range, PPTP_VPN_NETS="192.168.1.232/29" 24 | # 4 clients, 192.168.1.236-239 range, PPTP_VPN_NETS="192.168.1.236/30" 25 | # 26 | # PPTP_VPN_NETS must be defined to allow PPTP VPN traffic 27 | # ------------------------------------------------------------------------------ 28 | PPTP_VPN_NETS="" 29 | 30 | # Specify the tunnel external hosts that are allowed to connect to the PPTP VPN 31 | # service ports, any by default: 32 | # ------------------------------------------------------------------------------ 33 | PPTP_VPN_TUNNEL_HOSTS="0/0" 34 | 35 | # By default all valid PPTP VPN packets are allowed, use PPTP_VPN_ALLOW_HOSTS 36 | # and PPTP_VPN_DENY_HOSTS to restrict local PPTP VPN traffic. 37 | # 38 | # PPTP_VPN_ALLOW_HOSTS used in conjunction with PPTP_VPN_DENY_HOSTS, otherwise 39 | # the default policy is to allow. 
40 | # ------------------------------------------------------------------------------ 41 | PPTP_VPN_ALLOW_HOSTS="" 42 | 43 | # Deny PPTP VPN packets to the specified hosts/networks 44 | # ------------------------------------------------------------------------------ 45 | PPTP_VPN_DENY_HOSTS="" 46 | 47 | # Enable (1) logging of denied PPTP VPN packets 48 | # ------------------------------------------------------------------------------ 49 | PPTP_VPN_DENY_LOG=0 50 | 51 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/dsl-ppp-modem.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - (A)DSL PPP Modem plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | ############################################################################### 6 | # (ADSL) Modem settings # 7 | # # 8 | # The MODEM_xxx options should (only) be used when you have an ((A)DSL) # 9 | # modem which works with a ppp-connection between the modem and the # 10 | # host the modem is connected to. # 11 | # # 12 | # You can check whether this applies for your (hardware) setup with # 13 | # 'ifconfig' (a 'ppp' device is shown). # 14 | # This means that if your modem is bridging (or a NAT router), or the # 15 | # network interface the modem is connected to doesn't have an IP, you # 16 | # should leave the MODEM_xxx options disabled (=default)! # 17 | ############################################################################### 18 | 19 | # To actually enable this plugin make ENABLED=1: 20 | # ------------------------------------------------------------------------------ 21 | ENABLED=0 22 | 23 | # The physical(!) network interface your ADSL modem is connected to (this is 24 | # not ppp0!). 
25 | # ------------------------------------------------------------------------------ 26 | #MODEM_IF="eth1" 27 | 28 | # (optional) The IP of the network interface (MODEM_IF) your ADSL modem is 29 | # connected to (the IP shown for the modem interface (MODEM_IF) in 'ifconfig'). 30 | # ------------------------------------------------------------------------------ 31 | #MODEM_IF_IP="10.0.0.150" 32 | 33 | # (optional) The IP of your (A)DSL modem itself. 34 | # ------------------------------------------------------------------------------ 35 | #MODEM_IP="10.0.0.138" 36 | 37 | # (EXPERT SETTING!) Here you can specify the hosts/local net(s) that should 38 | # have access to the (A)DSL modem itself (to manage modem settings, if supported 39 | # by your modem!). The default setting ("$INTERNAL_NET") allows access from 40 | # everybody on your LAN. Consider narrowing this to your management host(s) so that arbitrary LAN clients cannot reach the modem's management interface. 41 | # ------------------------------------------------------------------------------ 42 | #MODEM_INTERNAL_NET="$INTERNAL_NET" 43 | 44 | -------------------------------------------------------------------------------- /contrib/Debian/syslog.conf: -------------------------------------------------------------------------------- 1 | # /etc/syslog.conf 2 | # 3 | # Example configuration file for syslogd on Debian (you can optionally use this 4 | # as a replacement). This will redirect all kernel-debug logging to the file 5 | # /var/log/arno-iptables-firewall. Don't forget to touch (create) /var/log/arno-iptables-firewall first & 6 | # set "LOGLEVEL=debug" in the firewall configuration file (firewall.conf)! 7 | # You should (probably) also set KLOGD="-c 4" in /etc/init.d/klogd to stop firewall logs 8 | # from being spewed to the console! 9 | 10 | 11 | # 12 | # First some standard logfiles. Log by facility.
13 | # 14 | 15 | auth,authpriv.* /var/log/auth.log 16 | *.*;auth,authpriv,local7,daemon,lpr.none;\ 17 | kern.!=debug;\ 18 | cron.!=info -/var/log/syslog 19 | cron.* -/var/log/cron.log 20 | daemon.* -/var/log/daemon.log 21 | #kern.* -/var/log/kern.log 22 | kern.*;kern.!=debug -/var/log/kern.log 23 | lpr.* -/var/log/lpr.log 24 | mail.* -/var/log/mail.log 25 | user.* -/var/log/user.log 26 | uucp.* /var/log/uucp.log 27 | 28 | # 29 | # Logging for the mail system. Split it up so that 30 | # it is easy to write scripts to parse these files. 31 | # 32 | mail.info -/var/log/mail.info 33 | mail.warn -/var/log/mail.warn 34 | mail.err /var/log/mail.err 35 | 36 | # Logging for INN news system 37 | # 38 | news.crit /var/log/news/news.crit 39 | news.err /var/log/news/news.err 40 | news.notice -/var/log/news/news.notice 41 | 42 | # Logging for DHCP system 43 | local7.* /var/log/dhcpd 44 | 45 | # Logging for iptables 46 | kern.=debug /var/log/arno-iptables-firewall 47 | 48 | # 49 | # Some `catch-all' logfiles. 50 | # 51 | *.=debug;\ 52 | kern.!=debug;\ 53 | local7.none;\ 54 | auth,authpriv.none;\ 55 | news.none;mail.none -/var/log/debug 56 | 57 | *.=info;*.=notice;*.=warn;\ 58 | local7.none;\ 59 | auth,authpriv.none;\ 60 | cron,daemon,lpr.none;\ 61 | mark.none;\ 62 | mail,news.none /var/log/messages 63 | 64 | # 65 | # Emergencies are sent to everybody logged in. 66 | # 67 | *.emerg * 68 | 69 | # 70 | # I like to have messages displayed on the console, but only on a virtual 71 | # console I usually leave idle. 72 | # 73 | #daemon,mail.*;\ 74 | # news.=crit;news.=err;news.=notice;\ 75 | # *.=debug;*.=info;\ 76 | # *.=notice;*.=warn /dev/tty8 77 | 78 | # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, 79 | # you must invoke `xconsole' with the `-file' option: 80 | # 81 | # $ xconsole -file /dev/xconsole [...] 82 | # 83 | # NOTE: adjust the list below, or you'll go crazy if you have a reasonably 84 | # busy site.. 
85 | # 86 | daemon.*;mail.*;\ 87 | news.crit;news.err;news.notice;\ 88 | *.=debug;*.=info;\ 89 | *.=notice;*.=warn |/dev/xconsole 90 | 91 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/traffic-shaper.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Traffic Shaper plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # The external interface(s) to perform traffic shaping for 10 | # ------------------------------------------------------------------------------ 11 | SHAPER_IF="$EXT_IF" 12 | 13 | # Specify qdisc type: cfq (default), htb or hfsc (experimental) 14 | # ------------------------------------------------------------------------------ 15 | SHAPER_TYPE="cfq" 16 | 17 | ################################################################################ 18 | # NOTE: The remaining settings below don't apply to cfq (only hfsc/htb)! # 19 | # DOWNLINK/UPLINK are required to be configured, the rest is optional. # 20 | ################################################################################ 21 | 22 | # The uplink/downlink speed of your internet connection in KBit 23 | # Note: Disable incoming (ingress) shaping with DOWNLINK=0 24 | # UPLINK must be defined and greater than 0 25 | # ------------------------------------------------------------------------------ 26 | DOWNLINK=3072 27 | UPLINK=832 28 | 29 | # Most users can leave the port classification as is. The notation signifies 30 | # the destination port on *outbound* traffic. Ports are prefixed by 'u' for 31 | # UDP and 't' for TCP. Ranges are given as 5060:5064. 
32 | # 33 | # Additionally, packets tagged with DSCP classes EF, CS3, etc. 34 | # will be automatically placed with the proper priority. 35 | # ------------------------------------------------------------------------------ 36 | 37 | # Higher Priority - Streaming Media - VoIP (RTP, IAX2, etc.) 38 | # ------------------------------------------------------------------------------ 39 | SHAPER_STREAMINGMEDIA_PORTS="u4569 u1720 u1731" 40 | 41 | # High Priority - Interactive - Shell (ssh, telnet, X, Vnc, etc.) 42 | # ------------------------------------------------------------------------------ 43 | SHAPER_INTERACTIVE_PORTS="u53 t22 u1194 t3389 u5060:5064 t5900" 44 | 45 | # Medium Priority - Default (SIP-signaling) 46 | # Default, no ports defined 47 | 48 | # Low Priority - Bulk data transfer (HTTP, HTTPS, POP3, SMTP, FTP, etc.) 49 | # ------------------------------------------------------------------------------ 50 | SHAPER_BULKDATA_PORTS="t20 t21 t25 t80 t110 t137:139 u137:139 t143 t443 t465 t515 t993 t8080" 51 | 52 | # Lowest Priority - P2P (BitTorrent) 53 | # ------------------------------------------------------------------------------ 54 | SHAPER_P2P_PORTS="" 55 | 56 | # (EXPERT SETTING!) If there are servers running locally, include 57 | # the protocol/port from any of the above SHAPER PORTS to also match 58 | # on the source port in addition to the destination port. 59 | # ------------------------------------------------------------------------------ 60 | SHAPER_LOCAL_SERVER_PORTS="" 61 | 62 | -------------------------------------------------------------------------------- /share/man/man8/arno-iptables-firewall.8: -------------------------------------------------------------------------------- 1 | .TH "ARNO-IPTABLES-FIREWALL" "8" "2020-03-25" "Sven Geuer" "AIF Manual" 2 | .SH "NAME" 3 | arno\-iptables\-firewall \- Single\- & multi\-homed firewall script with DSL/ADSL support. 
4 | .SH "SYNOPSIS" 5 | \fBarno\-iptables\-firewall\fR start | restart | force-reload | stop | stop-block | status | status\-plugins | check-conf 6 | .SH "DESCRIPTION" 7 | \fBarno\-iptables\-firewall\fR is an iptables configuration script with support for both IPv4 & IPv6. In general, it should not be called directly, but rather should be invoked via \fI/etc/init.d/arno\-iptables\-firewall\fR or \fIsystemctl\~COMMAND\~arno\-iptables\-firewall.service\fR, depending on the init system in use. While it is extremely easy to set up a basic firewall, one can nevertheless configure it to meet quite complex requirements. 8 | .P 9 | All available options are explained in the extensively documented configuration file. 10 | .P 11 | As a bare minimum the external interface of the system needs to be set up properly in the firewall's configuration (EXT_IF). The default behavior of the firewall is to deny all incoming connections. 12 | .P 13 | Instead of editing the main configuration file, it is recommended to put configuration snippets into .conf files to be placed in the configuration directory. These are sourced after the main configuration file has been read and can be used to override previous (default) configurations. As they are sourced, i.e. executed as shell code by the firewall script, these files must be writable by root only. 14 | .P 15 | For additional requirements not covered by the configuration file and not coverable by configuration snippets, custom iptables rules can be placed in a custom rules file. This file is automatically parsed by the service script. 16 | .P 17 | Logs are written to a dedicated log file if \fBrsyslogd\fR is in use. The \fBarno\-fwfilter\fR script can be used to make the firewall logs more readable for humans (see its manpage). 18 | .P 19 | Several plugins implementing advanced features come with the firewall script. Each of them brings its own configuration file to be found in the plugins configuration directory.
20 | .SH "FILES" 21 | .TP 22 | .I /etc/arno\-iptables\-firewall/firewall.conf 23 | main configuration file 24 | .TP 25 | .I /etc/arno\-iptables\-firewall/conf.d/ 26 | firewall configuration directory 27 | .TP 28 | .I /etc/arno\-iptables\-firewall/plugins/ 29 | plugins configuration directory 30 | .TP 31 | .I /etc/arno\-iptables\-firewall/custom\-rules 32 | custom iptables rules file 33 | .TP 34 | .I /etc/arno\-iptables\-firewall/blocked\-hosts 35 | host blacklist. This file does not pre-exist and its use is disabled in the main configuration file by default. 36 | .TP 37 | .I /var/log/arno\-iptables\-firewall 38 | log file maintained by rsyslogd 39 | .SH "SEE ALSO" 40 | .BR iptables "(8)", 41 | .BR arno\-fwfilter "(1)", 42 | .I /usr/local/share/doc/arno-iptables-firewall/README.gz, 43 | .I https://github.com/arno-iptables-firewall/aif 44 | .SH "AUTHORS" 45 | arno\-iptables\-firewall was written by Arno van Amersfoort and Lonnie Abelbeck . 46 | .P 47 | This manual page was initially written by Michael Hanke and has been reworked by Sven Geuer , for the Debian project (but may be used by others). 48 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/ipsec-vpn.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.85 (July 12, 2016) 2 | ---------------------------- 3 | + Add support for NAT_IF with fallback to EXT_IF 4 | 5 | Version 0.84BETA (July 31, 2015) 6 | -------------------------------- 7 | * Use modprobe_multi for newer kernels 8 | 9 | Version 0.83BETA (March 9, 2011) 10 | -------------------------------- 11 | ! 
Removed Bash-ism 12 | 13 | Version 0.82BETA (November 2, 2010) 14 | ----------------------------------- 15 | + Added IPv6 support for matching AH headers 16 | * removed unnecessary EXT_INPUT_CHAIN rule 17 | 18 | Version 0.81BETA (September 19, 2010) 19 | ---------------------------------- 20 | * Changed '-t nat' calls via ip4tables 21 | 22 | Version 0.80BETA (August 23, 2009) 23 | ---------------------------------- 24 | + Use 'modprobe' wrapper instead of module_probe. 25 | 26 | Version 0.71BETA (June 30, 2009) 27 | -------------------------------- 28 | * Fixed IFS regression introduced in 0.70BETA. 29 | 30 | Version 0.70BETA (June 23, 2009) 31 | -------------------------------- 32 | * Added policy support to SPOOF_CHK rule to allow spoofing of local addresses 33 | on VPN connections (since IPsec address pool might come out of local 34 | subnet). 35 | 36 | Version 0.61BETA (May 1, 2009) 37 | ------------------------------ 38 | * Corrected some comments 39 | 40 | Version 0.60BETA (March 18, 2009) 41 | --------------------------------- 42 | + Support 1.9.0c stop 43 | + Added back support for IPSEC_VPN_NETS. 44 | 45 | Version 0.50BETA (February 26, 2009) 46 | ------------------------------------ 47 | * Transitioned to use the "policy" module to detect policy being applied to 48 | IPSec traffic, as well as to detect its state at the various stages (pre- 49 | and post-encapsulation/decapsulation). 50 | + Decrepecated the IPSEC_VPN_NETS variable for now, though it might come in 51 | handy in the future for detecting routing problems and policy mismatches. 52 | 53 | Version 0.41BETA (February 14, 2009) 54 | ------------------------------------ 55 | + Reintroduced NATting regression with 0.40BETA... sigh. 
56 | 57 | Version 0.40BETA (February 9, 2009) 58 | ----------------------------------- 59 | + Added ipt_policy module 60 | + Use -m policy to see if packet is the result of decapsulating an AH or ESP 61 | packet; if so, don't process it in the EXT_INPUT_CHAIN 62 | + Fixed NAT issue where packets that were about to be encapsulated got NATted 63 | 64 | Version 0.31BETA (August 11, 2008) 65 | ---------------------------------- 66 | + Unknown 67 | 68 | Version 0.30BETA (July 20, 2008) 69 | -------------------------------- 70 | * Renamed plugin to "ipsec-vpn" 71 | + Added NAT traversal 72 | + Added OPEN AH UDP port (just in case) 73 | 74 | Version 0.25BETA (February 19, 2008) 75 | ------------------------------------ 76 | * Minor tweak for PLUGIN_RET_VAL 77 | 78 | Version 0.24BETA (February 13, 2008) 79 | ------------------------------------ 80 | + Updated according to the new plugin template 81 | 82 | Version 0.23BETA (January 30, 2008) 83 | ----------------------------------- 84 | + Updated for new config file location / detection 85 | 86 | Version 0.22BETA (May 25, 2007) 87 | ------------------------------- 88 | + Added variable sanity check 89 | * Changed some variable names 90 | 91 | Version 0.21BETA (January 9, 2006) 92 | ---------------------------------- 93 | + Updated for new plugin system (separate conf etc.) 94 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/traffic-accounting.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.31 (May 9, 2018) 2 | -------------------------- 3 | ! Fixed (dynamic) host multi IP handling 4 | 5 | Version 1.30 (June 11, 2018) 6 | ---------------------------- 7 | * Added new dynamic host support (requires AIF 2.1.0+) 8 | * Updated helper for new aif job system (requires AIF 2.1.0+) 9 | 10 | Version 1.23a (July 10, 2017) 11 | ---------------------------- 12 | * Improve locking (handle stale lock files etc.) 
13 | 14 | Version 1.23 (May 8, 2017) 15 | -------------------------- 16 | ! On restart we must flush accounting chains to get rid of removed/stale hosts 17 | * Remove BETA suffix from version 18 | 19 | Version 1.22-BETA1 (September 18, 2014) 20 | --------------------------------------- 21 | ! We should use DNS_FAST_FAIL not DYNDNS_FAST_FAIL 22 | * Handle the host cache's new cache fallback threshold column properly 23 | 24 | Version 1.21 (January 25, 2013) 25 | ------------------------------- 26 | * Show a warning in case host resolving fails instead of having iptables fail 27 | * Only try to resolve a host once per session to speed things up in case netwerk/dns fails 28 | 29 | Version 1.20-BETA (October 23, 2012) 30 | ------------------------------------ 31 | * No longer generate/use our own hostcache but the one generated by the 32 | DynDNS-plugin. Requires DynDNS-plugin v1.20+ 33 | 34 | Version 1.12 (July 14, 2011) 35 | --------------------------- 36 | ! We should call the helper script on a restart(), if required 37 | 38 | Version 1.11 (May 13, 2011) 39 | --------------------------- 40 | * Since we have support for the restart() command now the DNS cache file can be 41 | removed on stop/start 42 | 43 | Version 1.1BETA (October 19, 2010) 44 | ------------------------------------ 45 | * Added plugin_restart() function support for AIF 2.0.0 46 | * Updated for mixed IPv4/IPv6 47 | 48 | Version 1.01BETA (March 1, 2010) 49 | -------------------------------- 50 | ! Adding hosts when the plugin/firewall was already running didn't work properly 51 | 52 | Version 1.0BETA (February 15, 2010) 53 | ---------------------------------- 54 | + Adding proper caches + additional (tweak) settings for the config file 55 | * Pre-resolve all hostnames first before updating the rules in our helper script 56 | * Numerous tweaks + fixes 57 | 58 | Version 0.33BETA (September 2, 2009) 59 | ------------------------------------ 60 | ! 
Fixed log rotation 61 | 62 | Version 0.32BETA (August 3, 2009) 63 | --------------------------------- 64 | ! Fixed rules in the input/output chains didn't return causing traffic to also 65 | be counted for the catch-all (0/0) rule 66 | 67 | Version 0.31BETA (July 14, 2009) 68 | -------------------------------- 69 | ! Fixed catch-all rule didn't work because iptables translates 0/0 to 0.0.0.0/0 70 | 71 | Version 0.30BETA (July 1, 2009) 72 | ------------------------------- 73 | ! Fixed stupid bug that caused an infinite number of RETURN rules to build up 74 | in the traffic chains 75 | + Also show *other* traffic generated by undefined hosts 76 | * Temporary stuff now stored in /var/tmp 77 | + Have option to enable/disable DynDNS-try-first 78 | 79 | Version 0.23BETA (January 7, 2009) 80 | ---------------------------------- 81 | ! Fixes in the helper script 82 | 83 | Version 0.22BETA (November 19, 2008) 84 | ------------------------------------ 85 | ! Fix incorrect helper script name 86 | 87 | Version 0.21BETA (November 17, 2008) 88 | ------------------------------------ 89 | * Minor tweaks 90 | 91 | Version 0.2BETA (October 12, 2008) 92 | ---------------------------------- 93 | + Major cleanup 94 | + Better error handeling 95 | + Adding lockfile checking 96 | 97 | Version 0.1ALPHA (October 10, 2008) 98 | ------------------------------------ 99 | + First initial version 100 | 101 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/50ipv6-over-ipv4.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - IPv6-over-IPv4 plugin =- 3 | # 4 | PLUGIN_NAME="IPv6-over-IPv4 plugin" 5 | PLUGIN_VERSION="0.2BETA" 6 | PLUGIN_CONF_FILE="ipv6-over-ipv4.conf" 7 | # 8 | # Last changed : October 8, 2010 9 | # Requirements : kernel 2.6 with IPv6 support 10 | # 
Comments : This plugin opens the (IPv4) protocols to enable 11 | # IPv6 tunneling. Only works with AIF 1.9+ ! 12 | # 13 | # Author : (C) Copyright 2010 by Arno van Amersfoort 14 | # Web : https://github.com/arno-iptables-firewall/aif 15 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 16 | # (note: you must remove all spaces and substitute the @ and the . 17 | # at the proper locations!) 18 | # ------------------------------------------------------------------------------ 19 | # This program is free software; you can redistribute it and/or 20 | # modify it under the terms of the GNU General Public License 21 | # version 2 as published by the Free Software Foundation. 22 | # 23 | # This program is distributed in the hope that it will be useful, 24 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 25 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 26 | # GNU General Public License for more details. 27 | # 28 | # You should have received a copy of the GNU General Public License 29 | # along with this program; if not, write to the Free Software 30 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------

# Plugin start function
# Accepts IPv4 protocol 41 (IPv6 encapsulated in IPv4) on EXT_INPUT_CHAIN, but
# only from the configured tunnel server address(es) and only on the configured
# external interface(s). Only the IPv4 carrier packets are matched here; the
# IPv6 traffic inside them is not inspected by these rules (presumably left to
# the IPv6 ruleset once decapsulated - confirm).
# Reads the globals IPV6_OVER_IPV4_SERVER and IPV6_OVER_IPV4_IF, which may hold
# space- or comma-separated lists.
plugin_start()
{
  local src interface

  # Enable (allow) IPv6 tunnel traffic
  ####################################
  echo "${INDENT}Allowing IPv6 tunnel for $IPV6_OVER_IPV4_SERVER (INET) to interface(s): $IPV6_OVER_IPV4_IF"
  # NOTE: IFS is changed for the list splitting below and not restored here
  IFS=' ,'
  for src in $IPV6_OVER_IPV4_SERVER; do
    for interface in $IPV6_OVER_IPV4_IF; do
      ip4tables -A EXT_INPUT_CHAIN -s $src -i $interface -p 41 -j ACCEPT
    done
  done

  return 0
}


# Plugin stop function
# Nothing to undo here: the rules live in EXT_INPUT_CHAIN, which this plugin
# does not own (presumably flushed by the main script on stop - confirm).
plugin_stop()
{
  return 0
}


# Plugin status function (nothing to report)
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
# Both IPV6_OVER_IPV4_IF and IPV6_OVER_IPV4_SERVER must be non-empty, otherwise
# the loops in plugin_start() would install no rule at all.
plugin_sanity_check()
{
  if [ -z "$IPV6_OVER_IPV4_IF" -o -z "$IPV6_OVER_IPV4_SERVER" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############
# Runs when the main script sources this plugin file; PLUGIN_CONF_PATH,
# PLUGIN_CMD, PLUGIN_LOAD_FILE and INDENT are not set here and are expected
# from that caller's environment.

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (shell syntax, executed with our privileges)
  . "$CONF_FILE"

  # Run when enabled; a previously loaded but now disabled plugin still gets
  # "stop" and "status" (presumably so its state can be torn down/reported)
  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if !
plugin_sanity_check; then 109 | PLUGIN_RET_VAL=1 110 | else 111 | case $PLUGIN_CMD in 112 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 113 | stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; 114 | status ) plugin_status; PLUGIN_RET_VAL=$? ;; 115 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 116 | esac 117 | fi 118 | fi 119 | fi 120 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/dyndns-host-open.CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 1.42 (May 9, 2019) 2 | -------------------------- 3 | ! Fixed (dynamic) host multi IP handling 4 | 5 | Version 1.41 (January 5, 2019) 6 | ------------------------------ 7 | * Changed to support ipt_if() function (requires AIF 2.1.0+) 8 | 9 | Version 1.40 (June 11, 2018) 10 | ---------------------------- 11 | * Added new dynamic host support (requires AIF 2.1.0+) 12 | * Updated helper for new aif job system (requires AIF 2.1.0+) 13 | 14 | Version 1.34a (July 10, 2017) 15 | ----------------------------- 16 | * Improve locking (handle stale lock files etc.) 17 | 18 | Version 1.34 (May 8, 2017) 19 | -------------------------- 20 | * Remove BETA suffix from version 21 | 22 | Version 1.33-BETA2 (June 22, 2015) 23 | ---------------------------------- 24 | * Implement log rate limiting 25 | ! Misc. 
tweaks & fixes 26 | 27 | Version 1.33-BETA1 (September 18, 2014) 28 | --------------------------------------- 29 | * Implement new cache fallback threshold setting/logic 30 | 31 | Version 1.32 (January 25, 2013) 32 | ------------------------------- 33 | * Show a warning in case host resolving fails instead of having iptables fail 34 | * Only try to resolve a host once per session to speed things up in case network/DNS fails 35 | 36 | Version 1.31-BETA (November 5, 2012) 37 | ------------------------------------ 38 | - Remove DYNDNS_SESSION_FAILED_DNS_SKIP option since it never worked the 39 | way it was supposed to anyway 40 | 41 | Version 1.30-BETA (October 23, 2012) 42 | ------------------------------------ 43 | * Refactor/cleanup helper script. No need to preinit cache anymore since we 44 | can fallback on our "old"-cache anyway 45 | * Use the host-cache file provided by the main script (environment). This 46 | makes it easier for plugins to use and allows the main script to clean 47 | up 48 | ! Host resolving was broken (regression) 49 | * Improve performance by reorganising the loops 50 | * Always execute iptables command even with an empty host_ip to make clear 51 | to the user it failed 52 | ! Sanity check didn't check for DYNDNS_HOST_MISC 53 | ! Fixed typos 54 | 55 | Version 1.24 (August 14, 2011) 56 | ------------------------------ 57 | * Changed to support parse_rule() in dyndns-host-open-helper 58 | 59 | Version 1.23 (July 14, 2011) 60 | ---------------------------- 61 | * Add proper locking for our helper script (like we already did for the traffic 62 | accounting plugin) 63 | 64 | Version 1.22 (July 14, 2011) 65 | ---------------------------- 66 | !
We should call the helper script on a restart(), if required 67 | 68 | Version 1.21 (May 13, 2011) 69 | --------------------------- 70 | * Change default DYNDNS_HOST_CACHE filename to be more consistent 71 | 72 | Version 1.2BETA (October 19, 2010) 73 | ---------------------------------- 74 | * Added plugin_restart() function support for AIF 2.0.0 75 | 76 | Version 1.1BETA (January 21, 2010) 77 | ---------------------------------- 78 | + Adding proper caches + additional (tweak) settings for the config file 79 | + Improved sanity check 80 | * Pre-resolve all hostnames first before updating the rules in our helper script 81 | * Numerous tweaks + fixes 82 | 83 | Version 1.0 (March 7, 2009) 84 | --------------------------- 85 | * Tell gethostbyname() which nameserver to use (ns.dyndns.org) 86 | + Use OUR gethostbyname() to resolve the hostnames for iptables 87 | 88 | Version 0.25BETA (January 7, 2009) 89 | ---------------------------------- 90 | ! Fixes in the helper script 91 | 92 | Version 0.24BETA (November 24, 2008) 93 | ------------------------------------ 94 | ! Fixed missing IFS for ICMP rules 95 | 96 | Version 0.24BETA (November 17, 2008) 97 | ------------------------------------ 98 | * Minor tweaks 99 | 100 | Version 0.23BETA (October 10, 2008) 101 | ----------------------------------- 102 | * Cron update internal set to 15min. + made it user configurable 103 | * Misc. changs 104 | * Renamed helper script 105 | 106 | Version 0.22BETA (September 16, 2008) 107 | ------------------------------------- 108 | ! 
Small cosmetic fix 109 | 110 | Version 0.21BETA (September 8, 2008) 111 | ------------------------------------ 112 | * Small tweaks 113 | 114 | Version 0.20BETA (September 5, 2008) 115 | ------------------------------------ 116 | * It now automatically creates & removes the cron job 117 | * Minor cosmetic changes in the cron helper shell script 118 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/aif-job-execute: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # ------------------------------------------------------------------------------ 4 | # -= Arno's Iptables Firewall(AIF) =- 5 | # Single- & multi-homed firewall script with DSL/ADSL support 6 | # 7 | # ~ In memory of my dear parents ~ 8 | # 9 | # (C) Copyright 2001-2021 by Arno van Amersfoort & Lonnie Abelbeck 10 | # Web : https://github.com/arno-iptables-firewall/aif 11 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 12 | # (note: you must remove all spaces and substitute the @ and the . 13 | # at the proper locations!) 14 | # ------------------------------------------------------------------------------ 15 | # This program is free software; you can redistribute it and/or 16 | # modify it under the terms of the GNU General Public License 17 | # version 2 as published by the Free Software Foundation. 18 | 19 | # This program is distributed in the hope that it will be useful, 20 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | # GNU General Public License for more details. 23 | 24 | # You should have received a copy of the GNU General Public License 25 | # along with this program; if not, write to the Free Software 26 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
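# ------------------------------------------------------------------------------

# Location of the main configuration file for the firewall
##########################################################
CONF_FILE=/etc/arno-iptables-firewall/firewall.conf

# Define some global variables
OPT_INDENT=""          # indent prefix handed to the helper as $INDENT
JOB_HELPER_PATH=""     # path of the plugin job-helper that is sourced below

# Check sanity of environment: a job-helper path must have been given and the
# file must exist. The existence check is done here, before the lock is taken,
# because '.' on a missing file aborts a non-interactive shell and would leave
# the lock held.
sanity_check()
{
  if [ -z "$JOB_HELPER_PATH" ]; then
    echo "** ERROR: Missing job-helper argument!" >&2
    return 1
  fi

  if [ ! -f "$JOB_HELPER_PATH" ]; then
    echo "** ERROR: Job-helper \"$JOB_HELPER_PATH\" not found!" >&2
    return 1
  fi

  return 0
}


# Print usage to stderr
show_help()
{
  echo "Usage: $(basename "$0") [options] {plugin_helper_path}" >&2
  echo "" >&2
  echo "Options:" >&2
  echo "--help|-h - Print this help" >&2
  # Single quotes are literal inside double quotes; escaping them printed "\'"
  echo "--indent='{indent}' - Use {indent} for line indention" >&2
  echo "" >&2
}


# Parse the command line. Options are --name[=value]; every non-option argument
# is taken as the job-helper path (the last one given wins).
process_commandline()
{
  # Check arguments
  while [ -n "$1" ]; do
    ARG="$1"
    ARGNAME="${ARG%%=*}"
    # Can't directly obtain value as = is optional!
    # (pattern quoted so ARGNAME is matched literally, not as a glob)
    ARGVAL="${ARG#"$ARGNAME"}"
    ARGVAL="${ARGVAL#=}"

    case "$ARGNAME" in
      --help|-h) show_help
                 exit 0
                 ;;
      --indent|-i) OPT_INDENT="$ARGVAL"
                   ;;
      -*) echo "ERROR: Bad argument \"$ARG\"" >&2
          echo "" >&2
          show_help
          exit 1
          ;;
      *) JOB_HELPER_PATH="$ARG"
         ;;
    esac

    shift # Next argument
  done
}


############
# Mainline #
############

process_commandline "$@"

if [ ! -f "$CONF_FILE" ]; then
  echo "ERROR: Could not read configuration file ($CONF_FILE)!" >&2
  echo "" >&2
  exit 2
fi

# Source config file (shell syntax, executed with this script's privileges)
. "$CONF_FILE"

# Check if the environment file exists and if so, load it
# NOTE: the directory is derived from $0, so this assumes the script was
# invoked with a path containing a slash (e.g. via its install location)
#########################################################
ENV_FILE="${0%/*}/environment"

if [ ! -f "$ENV_FILE" ]; then
  echo "** ERROR: Unable to locate environment file \"$ENV_FILE\"!" >&2
  exit 2
fi

# Source environment file (expected to provide lock_enter_single/lock_leave)
. "$ENV_FILE"

# Only proceed if environment ok
if ! sanity_check; then
  exit 2
fi

# Reset to 0, just in case (the helper reports its result through this variable)
PLUGIN_RET_VAL=0

LOCK_NAME="$(basename "$JOB_HELPER_PATH")"

# Enter critical section (single lock)
if ! lock_enter_single "$LOCK_NAME"; then
  exit 2
fi

# Set indent
INDENT="$OPT_INDENT"

# Source helper
# SECURITY: the helper is sourced, i.e. executed with this script's (normally
# root) privileges. Only trusted, root-owned helper paths may be passed here.
. "$JOB_HELPER_PATH"

# Leave critical section
if ! lock_leave "$LOCK_NAME"; then
  exit 2
fi

# Return helper's return code
exit $PLUGIN_RET_VAL
--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/50linux-upnp-igd.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Linux UPnP IGD plugin =-
#
PLUGIN_NAME="Linux UPnP IGD plugin"
PLUGIN_VERSION="1.0a"
PLUGIN_CONF_FILE="linux-upnp-igd.conf"
#
# Last changed : October 10, 2011
# Requirements : kernel 2.6 + linux-igd
# Comments : An UPnP-enabled application can tell linux-igd what public ports
# have to be forwarded back to the application.
# This plugin adds a new chain into the FORWARD chain
# where the UPnP daemon "linuxigd" can insert its ports.
# In "upnpd.conf" you must set the forward_chain_name = UPNP_FORWARD
#
# Author : (C) Copyright 2007-2011 by Joerg Straube
# Homepage : http://joerg.li/
# Email : j o e r g DOT s t r a u b e AT i a e t h DOT c h
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)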
21 | # ------------------------------------------------------------------------------ 22 | # This program is free software; you can redistribute it and/or 23 | # modify it under the terms of the GNU General Public License 24 | # version 2 as published by the Free Software Foundation. 25 | # 26 | # This program is distributed in the hope that it will be useful, 27 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 28 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 29 | # GNU General Public License for more details. 30 | # 31 | # You should have received a copy of the GNU General Public License 32 | # along with this program; if not, write to the Free Software 33 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 34 | # ------------------------------------------------------------------------------ 35 | 36 | # Plugin start function 37 | plugin_start() 38 | { 39 | # Create new UPNP_FORWARD chain to be used by linuxigd (aka upnpd): 40 | iptables -N UPNP_FORWARD 2>/dev/null 41 | iptables -F UPNP_FORWARD 42 | iptables -N UPNP_FORWARD_HOOK 2>/dev/null 43 | iptables -F UPNP_FORWARD_HOOK 44 | 45 | # Insert rule into the FORWARD chain: 46 | IFS=' ,' 47 | for eif in $EXT_IF; do 48 | iptables -A UPNP_FORWARD_HOOK -i $eif ! -o $eif -j UPNP_FORWARD 49 | done 50 | 51 | iptables -A FORWARD -j UPNP_FORWARD_HOOK 52 | 53 | return 0 54 | } 55 | 56 | 57 | # Plugin stop function 58 | plugin_stop() 59 | { 60 | iptables -D FORWARD -j UPNP_FORWARD_HOOK 2>/dev/null 61 | 62 | iptables -F UPNP_FORWARD_HOOK 63 | iptables -X UPNP_FORWARD_HOOK 2>/dev/null 64 | 65 | iptables -F UPNP_FORWARD 66 | iptables -X UPNP_FORWARD 2>/dev/null 67 | 68 | return 0 69 | } 70 | 71 | 72 | # Plugin status function 73 | plugin_status() 74 | { 75 | return 0 76 | } 77 | 78 | 79 | # Check sanity of eg. 
environment 80 | plugin_sanity_check() 81 | { 82 | return 0 83 | } 84 | 85 | 86 | ############ 87 | # Mainline # 88 | ############ 89 | 90 | # Check where to find the config file 91 | CONF_FILE="" 92 | if [ -n "$PLUGIN_CONF_PATH" ]; then 93 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 94 | fi 95 | 96 | # Preinit to success: 97 | PLUGIN_RET_VAL=0 98 | 99 | # Check if the config file exists 100 | if [ ! -f "$CONF_FILE" ]; then 101 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 102 | else 103 | # Source the plugin config file 104 | . "$CONF_FILE" 105 | 106 | if [ "$ENABLED" = "1" ] || 107 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 108 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 109 | # Show who we are: 110 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 111 | 112 | # Increment indention 113 | INDENT="$INDENT " 114 | 115 | # Only proceed if environment ok 116 | if ! plugin_sanity_check; then 117 | PLUGIN_RET_VAL=1 118 | else 119 | case $PLUGIN_CMD in 120 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 121 | stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; 122 | status ) plugin_status; PLUGIN_RET_VAL=$? 
;; 123 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 124 | esac 125 | fi 126 | fi 127 | fi 128 | -------------------------------------------------------------------------------- /uninstall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | MY_VERSION="1.0f" 4 | 5 | # ------------------------------------------------------------------------------------------ 6 | # -= Arno's Iptables Firewall(AIF) =- 7 | # Single- & multi-homed firewall script with DSL/ADSL support 8 | # 9 | # ~ In memory of my dear parents ~ 10 | # 11 | # (C) Copyright 2001-2020 by Arno van Amersfoort 12 | # Web : https://github.com/arno-iptables-firewall/aif 13 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 14 | # (note: you must remove all spaces and substitute the @ and the . 15 | # at the proper locations!) 16 | # ------------------------------------------------------------------------------------------ 17 | # This program is free software; you can redistribute it and/or 18 | # modify it under the terms of the GNU General Public License 19 | # version 2 as published by the Free Software Foundation. 20 | 21 | # This program is distributed in the hope that it will be useful, 22 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 23 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 24 | # GNU General Public License for more details. 25 | 26 | # You should have received a copy of the GNU General Public License 27 | # along with this program; if not, write to the Free Software 28 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
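# ------------------------------------------------------------------------------------------

# Return 0 when at least one of the given command names is found via which,
# 1 otherwise. Arguments are split on spaces, as before.
check_command()
{
  local cmd IFS

  IFS=' '
  for cmd in $*; do
    if [ -n "$(which "$cmd" 2>/dev/null)" ]; then
      return 0
    fi
  done

  return 1
}


# Abort unless running as root: everything below removes files from system
# locations
sanity_check()
{
  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2
    exit 1
  fi
}


# Ask a yes/no question on stdin. $1 is the prompt text, $2 the default ("y"
# means yes, anything else means no) used when the answer is empty or not
# recognised (eg. EOF on stdin). Returns 0 for yes, 1 for no.
get_user_yn()
{
  # The prompt is passed as a printf argument, not as the format, so a "%" in
  # it can't be misinterpreted
  if [ "$2" = "y" ]; then
    printf "%s (Y/n)? " "$1"
  else
    printf "%s (y/N)? " "$1"
  fi

  # -r: keep backslashes in the answer literal
  read -r answer_with_case

  ANSWER="$(printf '%s' "$answer_with_case" |tr A-Z a-z)"

  case "$ANSWER" in
    y|yes) return 0 ;;
    n|no)  return 1 ;;
  esac

  # Fallback to default
  if [ "$2" = "y" ]; then
    return 0
  fi

  return 1
}


# main line:
# Version of the firewall script in the source tree this is run from (empty
# when run from elsewhere)
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall 2>/dev/null |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v$AIF_VERSION\033[0m\n"
printf "Uninstall Script v$MY_VERSION\n"
echo "-------------------------------------------------------------------------------"

sanity_check

if ! get_user_yn "Continue uninstall" "n"; then
  echo "*Uninstall aborted!"
  exit 1
fi

rm -fv /usr/local/sbin/arno-iptables-firewall
rm -fv /usr/local/sbin/arno-fwfilter
rm -fv /usr/local/sbin/traffic-accounting-show

rm -fv /usr/local/bin/arno-fwfilter

rm -rfv /usr/local/share/arno-iptables-firewall

# Man pages. arno-fwfilter.1 is a section 1 page (share/man/man1 in this tree),
# so it is removed from man1; the man8 path this script used to remove is kept
# as a harmless no-op
rm -fv /usr/local/share/man/man8/arno-iptables-firewall.8.gz
rm -fv /usr/local/share/man/man1/arno-fwfilter.1.gz
rm -fv /usr/local/share/man/man8/arno-fwfilter.1.gz

rm -fv /usr/local/share/doc/arno-iptables-firewall/README

rm -fv /etc/logrotate.d/arno-iptables-firewall

# Disable systemd
if check_command systemctl; then
  systemctl disable arno-iptables-firewall
fi

# Disable via update-rc.d/chkconfig
if check_command update-rc.d; then
  update-rc.d -f arno-iptables-firewall remove
elif check_command chkconfig; then
  chkconfig --del arno-iptables-firewall
fi

# Remove init.d script
rm -fv /etc/init.d/arno-iptables-firewall
rm -fv /etc/rc.d/rc*.d/*arno-iptables-firewall
rm -fv /etc/rc*.d/*arno-iptables-firewall

# Remove systemd files
rm -fv /usr/lib/systemd/system/arno-iptables-firewall.service
rm -fv /lib/systemd/system/arno-iptables-firewall.service
rm -fv /etc/systemd/arno-iptables-firewall.service

# Configuration is only removed on explicit confirmation (default: keep)
if get_user_yn "Also remove ALL configuration files from /etc/arno-iptables-firewall/" "n"; then
  rm -rfv /etc/arno-iptables-firewall
else
  echo "* Skipped"
fi

echo ""
echo "** Uninstall done **"
echo ""

exit 0
--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - PPTP VPN Passthrough plugin =-
#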
PLUGIN_NAME="PPTP VPN Passthrough plugin" 5 | PLUGIN_VERSION="1.01" 6 | PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" 7 | # 8 | # Last changed : June 15, 2017 9 | # Requirements : AIF 2.0.0+ and ip_nat_pptp 10 | # Comments : This plugin loads the required kernel modules for PPTP VPN Clients 11 | # to access remote PPTP VPN Server(s) when NAT is enabled. 12 | # 13 | # Author : (C) Copyright 2016-2017 by Lonnie Abelbeck & Arno van Amersfoort 14 | # Web : https://github.com/arno-iptables-firewall/aif 15 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 16 | # (note: you must remove all spaces and substitute the @ and the . 17 | # at the proper locations!) 18 | # ------------------------------------------------------------------------------ 19 | # This program is free software; you can redistribute it and/or 20 | # modify it under the terms of the GNU General Public License 21 | # version 2 as published by the Free Software Foundation. 22 | # 23 | # This program is distributed in the hope that it will be useful, 24 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 25 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 26 | # GNU General Public License for more details. 27 | # 28 | # You should have received a copy of the GNU General Public License 29 | # along with this program; if not, write to the Free Software 30 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
31 | # ------------------------------------------------------------------------------ 32 | 33 | # Plugin start function 34 | plugin_start() 35 | { 36 | 37 | if [ "$NAT" = "1" ]; then 38 | echo "${INDENT}Enable PPTP NAT helper module" 39 | modprobe_multi nf_nat_pptp ip_nat_pptp 40 | 41 | if ip4tables -nL CONNTRACK_HELPER >/dev/null 2>&1; then 42 | ip4tables -A CONNTRACK_HELPER -m conntrack --ctstate RELATED -m helper --helper pptp -j ACCEPT 43 | ip4tables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp 44 | fi 45 | else 46 | echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." 47 | fi 48 | 49 | return 0 50 | } 51 | 52 | 53 | # Plugin restart function 54 | plugin_restart() 55 | { 56 | 57 | # Skip plugin_stop on a restart 58 | plugin_start 59 | 60 | return 0 61 | } 62 | 63 | 64 | # Plugin stop function 65 | plugin_stop() 66 | { 67 | 68 | if [ "$NAT" = "1" ]; then 69 | if [ -e /proc/modules -a -x "$MODPROBE" ]; then 70 | if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then 71 | $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 72 | fi 73 | if [ $? -eq 0 ]; then 74 | echo "${INDENT}Disabled PPTP NAT helper module" 75 | fi 76 | fi 77 | fi 78 | 79 | return 0 80 | } 81 | 82 | 83 | # Plugin status function 84 | plugin_status() 85 | { 86 | return 0 87 | } 88 | 89 | 90 | # Check sanity of eg. environment 91 | plugin_sanity_check() 92 | { 93 | return 0 94 | } 95 | 96 | 97 | ############ 98 | # Mainline # 99 | ############ 100 | 101 | # Check where to find the config file 102 | CONF_FILE="" 103 | if [ -n "$PLUGIN_CONF_PATH" ]; then 104 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 105 | fi 106 | 107 | # Preinit to success: 108 | PLUGIN_RET_VAL=0 109 | 110 | # Check if the config file exists 111 | if [ ! -f "$CONF_FILE" ]; then 112 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 113 | else 114 | # Source the plugin config file 115 | . 
"$CONF_FILE" 116 | 117 | if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || 118 | [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || 119 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 120 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 121 | # Show who we are: 122 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 123 | 124 | # Increment indention 125 | INDENT="$INDENT " 126 | 127 | # Only proceed if environment ok 128 | if ! plugin_sanity_check; then 129 | PLUGIN_RET_VAL=1 130 | else 131 | case $PLUGIN_CMD in 132 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 133 | restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; 134 | stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; 135 | status ) plugin_status; PLUGIN_RET_VAL=$? ;; 136 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 137 | esac 138 | fi 139 | fi 140 | fi 141 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/50sip-voip.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - SIP-VOIP plugin =- 3 | # 4 | PLUGIN_NAME="SIP-VOIP plugin" 5 | PLUGIN_VERSION="0.32BETA" 6 | PLUGIN_CONF_FILE="sip-voip.conf" 7 | # 8 | # Last changed : June 13, 2017 9 | # Requirements : AIF 2.0.0+ and ip_conntrack_sip 10 | # Comments : This plugin will allow/enable SIP (VOIP) support 11 | # 12 | # Author : (C) Copyright 2010-2017 by Arno van Amersfoort 13 | # Credits : Philip Prindeville for his initial idea 14 | # Web : https://github.com/arno-iptables-firewall/aif 15 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 16 | # (note: you must remove all spaces and substitute the @ and the . 17 | # at the proper locations!) 
18 | # ------------------------------------------------------------------------------ 19 | # This program is free software; you can redistribute it and/or 20 | # modify it under the terms of the GNU General Public License 21 | # version 2 as published by the Free Software Foundation. 22 | # 23 | # This program is distributed in the hope that it will be useful, 24 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 25 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 26 | # GNU General Public License for more details. 27 | # 28 | # You should have received a copy of the GNU General Public License 29 | # along with this program; if not, write to the Free Software 30 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 31 | # ------------------------------------------------------------------------------ 32 | 33 | # Plugin start function 34 | plugin_start() 35 | { 36 | local port ports="" host IFS 37 | 38 | if [ -z "$SIP_VOIP_PORTS" ]; then 39 | SIP_VOIP_PORTS="5060" 40 | fi 41 | 42 | if [ -z "$SIP_VOIP_REMOTE_HOSTS" ]; then 43 | SIP_VOIP_REMOTE_HOSTS="0/0" 44 | fi 45 | 46 | # Some required modules are already loaded by the main script: 47 | modprobe_multi nf_nat ip_nat 48 | 49 | echo "${INDENT}Using SIP UDP for $SIP_VOIP_REMOTE_HOSTS (INET) to port(s): $SIP_VOIP_PORTS" 50 | 51 | # We need the SIP module loaded of course 52 | IFS=' ,' 53 | for port in $SIP_VOIP_PORTS; do 54 | # Check for kernel 2.6.25 or newer 55 | if kernel_ver_chk 2 6 25; then 56 | ports="${ports:-ports=}${ports:+,}$port" 57 | else 58 | ports="$ports${ports:+ }ports=$port" 59 | fi 60 | done 61 | 62 | IFS=' ' 63 | if ! 
modprobe nf_conntrack_sip $ports >/dev/null 2>&1; then 64 | modprobe ip_conntrack_sip $ports 65 | fi 66 | 67 | # Load the SIP NAT module only when required 68 | if [ "$NAT" = "1" ]; then 69 | modprobe_multi nf_nat_sip ip_nat_sip 70 | fi 71 | 72 | if ip4tables -nL CONNTRACK_HELPER >/dev/null 2>&1; then 73 | iptables -A CONNTRACK_HELPER -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT 74 | 75 | IFS=' ,' 76 | for port in $SIP_VOIP_PORTS; do 77 | iptables -t raw -A PREROUTING -p udp --dport $port -j CT --helper sip 78 | done 79 | fi 80 | 81 | IFS=' ,' 82 | for host in $SIP_VOIP_REMOTE_HOSTS; do 83 | for port in $SIP_VOIP_PORTS; do 84 | iptables -A EXT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT 85 | done 86 | done 87 | 88 | return 0 89 | } 90 | 91 | 92 | # Plugin stop function 93 | plugin_stop() 94 | { 95 | return 0 96 | } 97 | 98 | 99 | # Plugin status function 100 | plugin_status() 101 | { 102 | return 0 103 | } 104 | 105 | # Sanity check environment before actual start 106 | plugin_sanity_check() 107 | { 108 | return 0 109 | } 110 | 111 | 112 | ############ 113 | # Mainline # 114 | ############ 115 | 116 | # Check where to find the config file 117 | CONF_FILE="" 118 | if [ -n "$PLUGIN_CONF_PATH" ]; then 119 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 120 | fi 121 | 122 | # Preinit to success: 123 | PLUGIN_RET_VAL=0 124 | 125 | # Check if the config file exists 126 | if [ ! -f "$CONF_FILE" ]; then 127 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 128 | else 129 | # Source the plugin config file 130 | . "$CONF_FILE" 131 | 132 | if [ "$ENABLED" = "1" ] || 133 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 134 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 135 | # Show who we are: 136 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 137 | 138 | # Increment indention 139 | INDENT="$INDENT " 140 | 141 | # Only proceed if environment ok 142 | if ! 
plugin_sanity_check; then 143 | PLUGIN_RET_VAL=1 144 | else 145 | case $PLUGIN_CMD in 146 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 147 | stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; 148 | status ) plugin_status; PLUGIN_RET_VAL=$? ;; 149 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 150 | esac 151 | fi 152 | fi 153 | fi 154 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/90rpc.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - RPC plugin =- 3 | # 4 | PLUGIN_NAME="RPCplugin" 5 | PLUGIN_VERSION="0.22a-BETA" 6 | PLUGIN_CONF_FILE="rpc.conf" 7 | # 8 | # Last changed : April 13, 2020 9 | # Requirements : kernel 2.6 10 | # Comments : This plugin opens RPC ports 11 | # 12 | # Author : (C) Copyright 2011-2012 by Jared H. Hudson 13 | # Email : jhhudso AT volumehost DOT com 14 | # ------------------------------------------------------------------------------ 15 | # This program is free software; you can redistribute it and/or 16 | # modify it under the terms of the GNU General Public License 17 | # version 2 as published by the Free Software Foundation. 18 | # 19 | # This program is distributed in the hope that it will be useful, 20 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | # GNU General Public License for more details. 23 | # 24 | # You should have received a copy of the GNU General Public License 25 | # along with this program; if not, write to the Free Software 26 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
27 | # ------------------------------------------------------------------------------ 28 | 29 | # Plugin start function 30 | plugin_start() 31 | { 32 | # Create new DYNDNS_CHAIN chain: 33 | iptables -N RPC_CHAIN 2>/dev/null 34 | iptables -F RPC_CHAIN 35 | 36 | # Insert rule into the main chain: 37 | iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN 38 | 39 | echo "${INDENT}Enabling RPC service(s) $RPC_SERVICES for net(s) $RPC_NETS" 40 | 41 | IFS=' ,' 42 | for service in $RPC_SERVICES; do 43 | ports="$(rpcinfo -p |awk "/tcp.*$service/"' { print $4 }' |uniq |tr '\n' ' ')" 44 | echo "${INDENT}Adding TCP ports $ports for RPC service $service" 45 | for net in $RPC_NETS; do 46 | for port in $ports; do 47 | iptables -I RPC_CHAIN -p tcp -s $net --dport $port -j ACCEPT 48 | done 49 | done 50 | 51 | ports="$(rpcinfo -p |awk "/udp.*$service/"' { print $4 }' |uniq |tr '\n' ' ')" 52 | echo "${INDENT}Adding UDP ports $ports for RPC service $service" 53 | for net in $RPC_NETS; do 54 | for port in $ports; do 55 | iptables -I RPC_CHAIN -p udp -s $net --dport $port -j ACCEPT 56 | done 57 | done 58 | done 59 | 60 | return 0 61 | } 62 | 63 | 64 | # Plugin restart function 65 | plugin_restart() 66 | { 67 | ## Re-add standard chain rules that are flushed on a restart 68 | echo "${INDENT}Restarting..." 
69 | 70 | # Insert rule into the main chain: 71 | iptables -A EXT_INPUT_CHAIN -j RPC_CHAIN 72 | 73 | return 0 74 | } 75 | 76 | 77 | # Plugin stop function 78 | plugin_stop() 79 | { 80 | iptables -D EXT_INPUT_CHAIN -j RPC_CHAIN 2>/dev/null 81 | 82 | iptables -F RPC_CHAIN 83 | iptables -X RPC_CHAIN 2>/dev/null 84 | 85 | return 0 86 | } 87 | 88 | 89 | # Plugin status function 90 | plugin_status() 91 | { 92 | iptables -L RPC_CHAIN |sed -e "s/^/$INDENT/" 93 | 94 | return 0 95 | } 96 | 97 | 98 | plugin_sanity_check() 99 | { 100 | if [ -z "$RPC_SERVICES" ] || [ -z "$RPC_NETS" ]; then 101 | printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly setup!\033[0m\n" >&2 102 | return 1 103 | fi 104 | 105 | if ! check_command rpcinfo; then 106 | printf "\033[40m\033[1;31m${INDENT}ERROR: Required binary \"rpcinfo\" is not available!\n\033[0m" >&2 107 | return 1 108 | fi 109 | 110 | return 0 111 | } 112 | 113 | 114 | ############ 115 | # Mainline # 116 | ############ 117 | 118 | # Check where to find the config file 119 | CONF_FILE="" 120 | if [ -n "$PLUGIN_CONF_PATH" ]; then 121 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 122 | fi 123 | 124 | # Preinit to success: 125 | PLUGIN_RET_VAL=0 126 | 127 | # Check if the config file exists 128 | if [ ! -f "$CONF_FILE" ]; then 129 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 130 | else 131 | # Source the plugin config file 132 | . "$CONF_FILE" 133 | 134 | if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || 135 | [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || 136 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 137 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 138 | # Show who we are: 139 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 140 | 141 | # Increment indention 142 | INDENT="$INDENT " 143 | 144 | # Only proceed if environment ok 145 | if ! 
plugin_sanity_check; then 146 | PLUGIN_RET_VAL=1 147 | else 148 | case $PLUGIN_CMD in 149 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 150 | restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; 151 | stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; 152 | status ) plugin_status; PLUGIN_RET_VAL=$? ;; 153 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 154 | esac 155 | fi 156 | fi 157 | fi 158 | -------------------------------------------------------------------------------- /etc/arno-iptables-firewall/plugins/parasitic-net.conf: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Parasitic (SNAT) Network plugin =- 3 | # ------------------------------------------------------------------------------ 4 | 5 | # To actually enable this plugin make ENABLED=1: 6 | # ------------------------------------------------------------------------------ 7 | ENABLED=0 8 | 9 | # ------------------------------------------------------------------------------ 10 | # Parasitic Network 11 | # 12 | # Allows "clients" on the same subnet to use this device as a gateway upstream. 13 | # This network of "clients" is the Parasitic Network, SNAT'ed to this device's 14 | # external interface(s). 15 | # 16 | # This Parasitic Network is useful for situations when the upstream firewall 17 | # is not under your control and you desire added security for specific devices 18 | # in your subnet. Set the gateway address of Parasitic Network clients to an 19 | # external IPv4 address of this device. 
20 | # 21 | # Note: To be effective, be certain the Parasitic Network clients are IPv4-only 22 | # 23 | # (IPv4 Only) 24 | # ------------------------------------------------------------------------------ 25 | 26 | # Specify which (external) network interfaces should have parasitic SNAT enabled. 27 | # You can optionally also provide the interface IP in the form of interface~IP 28 | # (for eg. interfaces with multiple IP addresses). Multiple interfaces should 29 | # be space separated. Leave empty to include all external interfaces 30 | # ------------------------------------------------------------------------------ 31 | PARASITIC_NET_IF="" 32 | 33 | # Specify which "clients" are allowed to use this device as an SNAT gateway. 34 | # If not specified, all hosts on parasitic SNAT enabled interfaces are allowed. 35 | # NOTE: The hosts in here should be on subnets connected to interfaces specified 36 | # in PARASITIC_NET_IF 37 | # ------------------------------------------------------------------------------ 38 | PARASITIC_NET_CLIENT_HOSTS="" 39 | 40 | # Specify here the time(s) in minutes between executions of the helper script 41 | # (leave default if you don't know what it is). 42 | # ------------------------------------------------------------------------------ 43 | PARASITIC_NET_TIME="15" 44 | 45 | 46 | ################################################################################ 47 | # Use PARASITIC_NET_HOST_OPEN_xxx and PARASITIC_NET_HOST_DENY_xxx to restrict # 48 | # forwarded parasitic network traffic. # 49 | # # 50 | # By default all parasitic network packets are forwarded and NAT-ed upstream, # 51 | # unless one of the PARASITIC_NET_HOST_OPEN_xxx variables is specified. In # 52 | # that case the default policy for that protocol (TCP, UDP, ICMP, IP) will # 53 | # become deny, except for IP which always defaults to deny. 
# 54 | ################################################################################ 55 | 56 | #------------------------------------------------------------------------------- 57 | # PARASITIC_NET_HOST_xxxx_yyy & PARASITIC_NET_HOST_xxxx_yyy format: 58 | # 59 | # TCP/UDP port form: 60 | # "SRCIP1,SRCIP2,...>DESTIP1~port \ 61 | # SRCIP3,...>DESTIP2~port" 62 | # 63 | # IP form: 64 | # "SRCIP1,SRCIP2,...>DESTIP1~protocol \ 65 | # SRCIP3,...>DESTIP2~protocol" 66 | # 67 | # ICMP form: 68 | # "SRCIP1,SRCIP2,...>DESTIP1 \ 69 | # SRCIP3,...>DESTIP2" 70 | # 71 | # TCP/UDP examples: 72 | # ----------------- 73 | # Simple: 74 | # (Allow port 80 to INET host 1.2.3.4 for all parasitic hosts(0/0)): 75 | # PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~80" 76 | # Advanced: 77 | # (Allow port 20 & 21 to INET host 1.2.3.4 for all parasitic hosts(0/0) and 78 | # allow port 80 to INET host 1.2.3.4 for parasitic host 192.168.0.10 (only)): 79 | # PARASITIC_NET_HOST_OPEN_xxx="1.2.3.4~20,21 192.168.0.10>0/0~80" 80 | # 81 | # IP protocol example: 82 | # (Allow protocols 47 & 48 to INET host 1.2.3.4 for all parasitic hosts(0/0)) 83 | # PARASITIC_NET_HOST_OPEN_IP="1.2.3.4~47,48" 84 | # 85 | # NOTE: If no SRCIPx is specified, any source host is used 86 | #------------------------------------------------------------------------------- 87 | 88 | # Put in the following variables which hosts you want to allow(open) for certain 89 | # services 90 | # ------------------------------------------------------------------------------ 91 | PARASITIC_NET_HOST_OPEN_TCP="" 92 | PARASITIC_NET_HOST_OPEN_UDP="" 93 | PARASITIC_NET_HOST_OPEN_ICMP="" 94 | PARASITIC_NET_HOST_OPEN_IP="" 95 | 96 | # Put in the following variables which hosts you want to deny for certain 97 | # services 98 | # ------------------------------------------------------------------------------ 99 | PARASITIC_NET_HOST_DENY_TCP="" 100 | PARASITIC_NET_HOST_DENY_UDP="" 101 | PARASITIC_NET_HOST_DENY_ICMP="" 102 | PARASITIC_NET_HOST_DENY_IP="" 103 | 
104 | # Enable (1) or disable(0) logging of denied packets 105 | # ------------------------------------------------------------------------------ 106 | PARASITIC_NET_DENY_LOG=1 107 | 108 | # Specify the policy for denied packets: DROP (default) or REJECT 109 | # ------------------------------------------------------------------------------ 110 | PARASITIC_NET_DENY_POLICY="DROP" 111 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/50transparent-dnat.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Transparent DNAT plugin =- 3 | # 4 | PLUGIN_NAME="Transparent DNAT plugin" 5 | PLUGIN_VERSION="0.31BETA (EXPERIMENTAL!)" 6 | PLUGIN_CONF_FILE="transparent-dnat.conf" 7 | # 8 | # Last changed : July 31, 2015 9 | # Requirements : kernel 2.6 + ip_nat + iptable_nat 10 | # Comments : This plugin enables transparent DNAT for internal hosts for 11 | # certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http) 12 | # which should be redirected from a certain INET address to an 13 | # internal address. 14 | # 15 | # Author : (C) Copyright 2007-2009 by Arno van Amersfoort 16 | # Credits : Rok Potocnik for his initial idea 17 | # Web : https://github.com/arno-iptables-firewall/aif 18 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 19 | # (note: you must remove all spaces and substitute the @ and the . 20 | # at the proper locations!) 21 | # ------------------------------------------------------------------------------ 22 | # This program is free software; you can redistribute it and/or 23 | # modify it under the terms of the GNU General Public License 24 | # version 2 as published by the Free Software Foundation. 
25 | # 26 | # This program is distributed in the hope that it will be useful, 27 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 28 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 29 | # GNU General Public License for more details. 30 | # 31 | # You should have received a copy of the GNU General Public License 32 | # along with this program; if not, write to the Free Software 33 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 34 | # ------------------------------------------------------------------------------------------ 35 | 36 | # Plugin start function 37 | plugin_start() 38 | { 39 | # Some required modules are already loaded by the main script: 40 | modprobe_multi nf_nat ip_nat 41 | modprobe iptable_nat 42 | 43 | echo "${INDENT}Using internal IP $DNAT_MY_INTERNAL_IP & external IP $DNAT_MY_EXTERNAL_IP" 44 | if [ -n "$DNAT_TCP_PORTS" ]; then 45 | echo "${INDENT}Enabling transparent DNAT for TCP port(s): $DNAT_TCP_PORTS" 46 | IFS=' ,' 47 | for interface in $INT_IF; do 48 | for port in $DNAT_TCP_PORTS; do 49 | ip4tables -t nat -A POSTROUTING -o $interface -p tcp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE 50 | 51 | ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p tcp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP 52 | done 53 | done 54 | else 55 | echo "${INDENT}No TCP ports configured" 56 | fi 57 | 58 | if [ -n "$DNAT_UDP_PORTS" ]; then 59 | echo "${INDENT}Enabling transparent DNAT for UDP port(s): $DNAT_UDP_PORTS" 60 | IFS=' ,' 61 | for interface in $INT_IF; do 62 | for port in $DNAT_UDP_PORTS; do 63 | ip4tables -t nat -A POSTROUTING -o $interface -p udp --dport $port -d $DNAT_MY_INTERNAL_IP -j MASQUERADE 64 | 65 | ip4tables -t nat -A PREROUTING -i $interface -d $DNAT_MY_EXTERNAL_IP -p udp --dport $port -j DNAT --to-destination $DNAT_MY_INTERNAL_IP 66 | done 67 | done 68 | else 69 | echo "${INDENT}No UDP ports configured" 70 | fi 71 | 72 | return 0 73 | 
} 74 | 75 | 76 | # Plugin stop function 77 | plugin_stop() 78 | { 79 | return 0 80 | } 81 | 82 | 83 | # Plugin status function 84 | plugin_status() 85 | { 86 | return 0 87 | } 88 | 89 | 90 | # Check sanity of eg. environment 91 | plugin_sanity_check() 92 | { 93 | if [ -z "$DNAT_MY_INTERNAL_IP" -o -z "$DNAT_MY_EXTERNAL_IP" ]; then 94 | printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 95 | return 1 96 | fi 97 | 98 | return 0 99 | } 100 | 101 | 102 | ############ 103 | # Mainline # 104 | ############ 105 | 106 | # Check where to find the config file 107 | CONF_FILE="" 108 | if [ -n "$PLUGIN_CONF_PATH" ]; then 109 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 110 | fi 111 | 112 | # Preinit to success: 113 | PLUGIN_RET_VAL=0 114 | 115 | # Check if the config file exists 116 | if [ ! -f "$CONF_FILE" ]; then 117 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 118 | else 119 | # Source the plugin config file 120 | . "$CONF_FILE" 121 | 122 | if [ "$ENABLED" = "1" ] || 123 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 124 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 125 | # Show who we are: 126 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 127 | 128 | # Increment indention 129 | INDENT="$INDENT " 130 | 131 | # Only proceed if environment ok 132 | if ! plugin_sanity_check; then 133 | PLUGIN_RET_VAL=1 134 | else 135 | case $PLUGIN_CMD in 136 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 137 | stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; 138 | status ) plugin_status; PLUGIN_RET_VAL=$? 
;; 139 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 140 | esac 141 | fi 142 | fi 143 | fi 144 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/50dyndns-host-open.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - DynDNS Host Open plugin =- 3 | # 4 | PLUGIN_NAME="DynDNS Host Open plugin" 5 | PLUGIN_VERSION="1.42a" 6 | PLUGIN_CONF_FILE="dyndns-host-open.conf" 7 | # 8 | # Last changed : May 9, 2019 9 | # Requirements : AIF 2.1.0 (or newer) 10 | # Comments : This implements dynamic DNS (DynDNS) support for eg. opening ports 11 | # 12 | # Author : (C) Copyright 2008-2019 by Arno van Amersfoort 13 | # Web : https://github.com/arno-iptables-firewall/aif 14 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 15 | # (note: you must remove all spaces and substitute the @ and the . 16 | # at the proper locations!) 17 | # ------------------------------------------------------------------------------ 18 | # This program is free software; you can redistribute it and/or 19 | # modify it under the terms of the GNU General Public License 20 | # version 2 as published by the Free Software Foundation. 21 | # 22 | # This program is distributed in the hope that it will be useful, 23 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 24 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 25 | # GNU General Public License for more details. 26 | # 27 | # You should have received a copy of the GNU General Public License 28 | # along with this program; if not, write to the Free Software 29 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
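# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="dyndns-host-open"

# (Background) job helper script; run periodically by the AIF job scheduler
# to re-resolve the configured host names and rebuild DYNDNS_CHAIN
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/dyndns-host-open-helper"

# Hook DYNDNS_CHAIN into the external input chain and (re)register the
# background job that keeps it populated.
# Returns 1 when the job can not be added, 0 otherwise.
dyndns_host_open_init()
{
  # Insert rule into the main chain:
  iptables -A EXT_INPUT_CHAIN -j DYNDNS_CHAIN

  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/dyndns-host-open

  # Create background job; the interval defaults to 60 (presumably seconds,
  # confirm against job_add)
  if ! job_add "$JOB_NAME" "${DYNDNS_HOST_OPEN_TIME:-60}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}


# Plugin start function: creates (or empties) DYNDNS_CHAIN and initializes.
# Returns 1 when initialization fails, 0 otherwise.
plugin_start()
{
  # Create new DYNDNS_CHAIN chain:
  iptables -N DYNDNS_CHAIN 2>/dev/null
  iptables -F DYNDNS_CHAIN

  # Initialize
  if ! dyndns_host_open_init; then
    return 1
  fi

  return 0
}


# Plugin restart function: re-adds the jump rule and the job, both of which
# are lost when the main chains are flushed on a restart.
# Returns 1 when initialization fails, 0 otherwise.
plugin_restart()
{
  echo "${INDENT}Restarting..."

  # Initialize
  if ! dyndns_host_open_init; then
    return 1
  fi

  return 0
}


# Plugin stop function: unhooks and deletes DYNDNS_CHAIN. Always returns 0;
# errors from the delete steps are ignored because the chain or the jump
# rule may already be gone.
plugin_stop()
{
  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/dyndns-host-open

  iptables -D EXT_INPUT_CHAIN -j DYNDNS_CHAIN 2>/dev/null

  iptables -F DYNDNS_CHAIN
  iptables -X DYNDNS_CHAIN 2>/dev/null

  return 0
}


# Plugin status function: lists the rules currently in DYNDNS_CHAIN.
# -n keeps the listing numeric: without it iptables tries a reverse DNS lookup
# for every address in the chain, which is slow and sends queries to whoever
# answers for those addresses. The helper script uses -nL for the same chain.
plugin_status()
{
  iptables -nL DYNDNS_CHAIN |sed -e "s/^/$INDENT/"

  return 0
}


# Check sanity of eg.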
# Check sanity of eg. environment: at least one of the rule variables must be
# set and the background helper script must exist.
# Returns 1 (with an error on stderr) on failure, 0 otherwise.
plugin_sanity_check()
{
  if [ -z "$DYNDNS_HOST_OPEN_TCP$DYNDNS_HOST_OPEN_UDP$DYNDNS_HOST_OPEN_IP$DYNDNS_HOST_OPEN_ICMP" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not (properly) setup!\033[0m\n" >&2
    return 1
  fi

  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Locate the plugin config file (stays empty when no config path was given)
CONF_FILE="${PLUGIN_CONF_PATH:+$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE}"

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (it is executed as shell code)
  . "$CONF_FILE"

  # Decide whether this invocation concerns us: an enabled plugin handles
  # everything except stop-restart, a disabled one only stop-restart, and
  # when PLUGIN_LOAD_FILE is set (presumably: loaded earlier) stop/status
  # are still handled
  if { [ "$ENABLED" = "1" ] && [ "$PLUGIN_CMD" != "stop-restart" ]; } ||
     { [ "$ENABLED" = "0" ] && [ "$PLUGIN_CMD" = "stop-restart" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start;   PLUGIN_RET_VAL=$? ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop;    PLUGIN_RET_VAL=$? ;;
        status           ) plugin_status;  PLUGIN_RET_VAL=$?
;; 167 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 168 | esac 169 | fi 170 | fi 171 | fi 172 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/50transparent-proxy.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - Transparent Proxy plugin =- 3 | # 4 | PLUGIN_NAME="Transparent Proxy plugin" 5 | PLUGIN_VERSION="1.04" 6 | PLUGIN_CONF_FILE="transparent-proxy.conf" 7 | # 8 | # Last changed : July 31, 2015 9 | # Requirements : kernel 2.6 + ip_nat + iptable_nat 10 | # Comments : This plugin enables transparent DNAT for internal hosts for 11 | # certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http) 12 | # which should be redirected from a certain INET address to an 13 | # internal address. 14 | # Updated to be IPv4-only 15 | # 16 | # Author : (C) Copyright 2007-2010 by Arno van Amersfoort 17 | # Credits : Rok Potocnik for his initial idea 18 | # Web : https://github.com/arno-iptables-firewall/aif 19 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 20 | # (note: you must remove all spaces and substitute the @ and the . 21 | # at the proper locations!) 22 | # ------------------------------------------------------------------------------ 23 | # This program is free software; you can redistribute it and/or 24 | # modify it under the terms of the GNU General Public License 25 | # version 2 as published by the Free Software Foundation. 26 | # 27 | # This program is distributed in the hope that it will be useful, 28 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 29 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 30 | # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Redirect one TCP service arriving on the internal interface(s) to a local
# proxy port. Does nothing when the proxy port is empty (service not proxied).
#   $1 = service name used in the message (FTP, SMTP, ...)
#   $2 = original destination port
#   $3 = local port the proxy listens on
# Leaves IFS set to ' ,' like the rest of this plugin.
transparent_proxy_redirect()
{
  local service="$1" port="$2" proxy_port="$3"

  [ -n "$proxy_port" ] || return 0

  echo "${INDENT}Redirecting all internal ${service}(port $port) traffic to proxy-port $proxy_port"
  IFS=' ,'
  for interface in $INT_IF; do
    # REDIRECT rewrites the destination to the firewall's own address on the
    # incoming interface, so the proxy must listen on the firewall itself
    ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport $port -j REDIRECT --to-ports $proxy_port
  done
}


# Plugin start function: loads the NAT modules and installs one REDIRECT per
# configured *_PROXY_PORT. Always returns 0.
plugin_start()
{
  # Some required modules are already loaded by the main script:
  modprobe_multi nf_nat ip_nat
  modprobe iptable_nat

  # Setup (transparent) proxy settings:
  #####################################
  transparent_proxy_redirect FTP   21  "$FTP_PROXY_PORT"
  transparent_proxy_redirect SMTP  25  "$SMTP_PROXY_PORT"
  transparent_proxy_redirect HTTP  80  "$HTTP_PROXY_PORT"
  transparent_proxy_redirect POP3  110 "$POP3_PROXY_PORT"
  # Port 443 carries TLS, so the proxy behind HTTPS_PROXY_PORT has to be able
  # to deal with TLS connections or clients will fail
  transparent_proxy_redirect HTTPs 443 "$HTTPS_PROXY_PORT"

  return 0
}


# Plugin stop function: no plugin-specific cleanup is performed.
plugin_stop()
{
  return 0
}


# Plugin status function: this plugin has no status output.
plugin_status()
{
  return 0
}

# Check sanity of eg. environment: every *_PROXY_PORT is optional, so there
# is nothing mandatory to verify. Always returns 0.
plugin_sanity_check()
{
  return 0
}


############
# Mainline #
############

# Locate the plugin config file (stays empty when no config path was given)
CONF_FILE="${PLUGIN_CONF_PATH:+$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE}"

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (it is executed as shell code)
  . "$CONF_FILE"

  # Run when enabled, or for stop/status when PLUGIN_LOAD_FILE is set
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start;  PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop;   PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$?
;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi
# ------------------------------------------------------------------------------
# /share/arno-iptables-firewall/plugins/dyndns-host-open-helper
# ------------------------------------------------------------------------------
# Background job of the DynDNS Host Open plugin: re-resolves the configured
# host names and rebuilds DYNDNS_CHAIN from scratch. Relies on parse_rule,
# show_if_ip, get_dynamic_host_cached, ipt_if and the iptables wrappers that
# the main script provides.

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="dyndns-host-open.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

# Check sanity of environment: at least one rule variable must be set and the
# chain created by the plugin must exist. Returns 1 with an error on stderr
# otherwise. Whether DYNDNS_CHAIN is actually referenced from
# EXT_INPUT_CHAIN is not verified here.
dyndns_host_open_helper_sanity_check()
{
  if [ -z "$DYNDNS_HOST_OPEN_TCP$DYNDNS_HOST_OPEN_UDP$DYNDNS_HOST_OPEN_IP$DYNDNS_HOST_OPEN_ICMP" ]; then
    echo "** ERROR: The plugin config file is not (properly) setup!" >&2
    return 1
  fi

  # Check whether chain exists
  ip4tables -nL DYNDNS_CHAIN >/dev/null 2>&1 && return 0

  echo "** ERROR: DYNDNS_CHAIN does not exist! **" >&2
  return 1
}


# Install ACCEPT rules in DYNDNS_CHAIN for every host of the rule that
# parse_rule just expanded into $interfaces, $destips and $hosts.
#   $1 = rule kind: TCP, UDP, IP or ICMP (also used in the messages)
#   $2 = port list (TCP/UDP), protocol list (IP); ignored for ICMP
# A host that does not resolve is skipped with a warning and the caller's
# RETVAL is set to 1; because the chain was flushed beforehand such a host
# simply has no access until it resolves again.
dyndns_host_open_helper_add_rules()
{
  local kind="$1" values="$2"

  # ICMP has nothing to iterate over, so use a single dummy value
  [ "$kind" = "ICMP" ] && values="icmp"

  IFS=' ,'
  for host in $hosts; do
    # get_dynamic_host_cached returns the address(es) in $host_ip. They come
    # from DNS answers, so these ACCEPT rules are only as trustworthy as the
    # resolver path; presumably the helper hands back address literals only
    if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
      echo "** WARNING: Skipping $kind rule(s) for \"$host\"! **" >&2
      RETVAL=1
      continue
    fi

    for interface in $interfaces; do
      for host_ip2 in $host_ip; do
        for destip in $destips; do
          for value in $values; do
            case $kind in
              TCP ) iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p tcp --dport $value -j ACCEPT ;;
              UDP ) iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p udp --dport $value -j ACCEPT ;;
              IP  ) iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p $value -j ACCEPT ;;
              ICMP) iptables -A DYNDNS_CHAIN $(ipt_if -i "$interface") -s $host_ip2 -d $destip -p icmp --icmp-type echo-request -j ACCEPT ;;
            esac
          done
        done
      done
    done
  done
}


# Rebuild DYNDNS_CHAIN from the four DYNDNS_HOST_OPEN_* rule lists.
# Returns 1 when at least one host could not be resolved, 0 otherwise.
dyndns_host_open_helper_do_work()
{
  local RETVAL=0

  # Flush the DYNDNS_CHAIN: it is rebuilt from scratch on every run, so entries
  # for hosts that no longer resolve disappear instead of lingering
  iptables -F DYNDNS_CHAIN

  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_TCP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"
      dyndns_host_open_helper_add_rules TCP "$ports"
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_UDP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"
      dyndns_host_open_helper_add_rules UDP "$ports"
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_IP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"
      dyndns_host_open_helper_add_rules IP "$protos"
    fi
  done

  # Add ICMP to allow for certain hosts
  #####################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_ICMP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_ICMP "interfaces-destips-hosts"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"
      dyndns_host_open_helper_add_rules ICMP
    fi
  done

  return $RETVAL
}


############
# Mainline #
############

# Locate the plugin config file (stays empty when no config path was given)
CONF_FILE="${PLUGIN_CONF_PATH:+$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE}"

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file (it is executed as shell code)
  . "$CONF_FILE"

  # Only proceed if environment ok, then parse the rules
  if ! dyndns_host_open_helper_sanity_check || ! dyndns_host_open_helper_do_work; then
    PLUGIN_RET_VAL=1
  fi
fi
# ------------------------------------------------------------------------------
# /share/arno-iptables-firewall/plugins/90traffic-accounting.plugin
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Traffic Accounting plugin =-
#
PLUGIN_NAME="Traffic Accounting plugin"
PLUGIN_VERSION="1.31"
PLUGIN_CONF_FILE="traffic-accounting.conf"
#
# Last changed : May 9, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments     : This implements support for traffic accounting for
#                IPv4 & IPv6. It has support for dynamic host resolving
#
# Author       : (C) Copyright 2008-2019 by Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="traffic-accounting"

# (Background) job helper script, run periodically by the AIF job scheduler
# (interval: TRAFFIC_ACCOUNTING_TIME)
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/traffic-accounting-helper"

# Empty both accounting chains, hook them in as the first rule of INPUT and
# OUTPUT and (re)register the background job.
# Returns 1 when the job can not be added, 0 otherwise.
traffic_accounting_init()
{
  # Flush accounting chains
  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -F ACCOUNTING_OUTPUT_CHAIN

  # (Re)insert the jump rules at position 1 so every packet is counted before
  # any other rule can accept or drop it
  iptables -I INPUT 1 -j ACCOUNTING_INPUT_CHAIN
  iptables -I OUTPUT 1 -j ACCOUNTING_OUTPUT_CHAIN

  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/traffic-accounting

  # Create background job; the interval defaults to 60 (presumably seconds,
  # confirm against job_add)
  job_add "$JOB_NAME" "${TRAFFIC_ACCOUNTING_TIME:-60}" "$JOB_HELPER_SCRIPT" || return 1

  return 0
}


# Plugin start function: enables conntrack accounting, creates the chains and
# initializes. Returns 1 when initialization fails, 0 otherwise.
plugin_start()
{
  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  # (a failing sysctl is ignored on purpose)
  sysctl net.netfilter.nf_conntrack_acct=1 2>/dev/null

  # Create new chains (errors are ignored in case they already exist)
  iptables -N ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -N ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  # Initialize
  traffic_accounting_init || return 1

  return 0
}


# Plugin restart function: saves the current counters via the helper, then
# re-initializes. Returns 1 when initialization fails, 0 otherwise.
plugin_restart()
{
  echo "${INDENT}Restarting..."

  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  # Initialize
  traffic_accounting_init || return 1

  return 0
}


# Plugin stop function: saves the counters one last time, then unhooks and
# deletes both accounting chains. Always returns 0.
plugin_stop()
{
  # Remove old cron job (this is in case a legacy plugin left it)
  rm -f /etc/cron.d/traffic-accounting

  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  iptables -D INPUT -j ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -D OUTPUT -j ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  iptables -F ACCOUNTING_INPUT_CHAIN
  iptables -X ACCOUNTING_INPUT_CHAIN 2>/dev/null
  iptables -F ACCOUNTING_OUTPUT_CHAIN
  iptables -X ACCOUNTING_OUTPUT_CHAIN 2>/dev/null

  return 0
}


# Plugin status function: refreshes the stored counters and prints them via
# the traffic-accounting-show script. Always returns 0.
plugin_status()
{
  # Store current values (NOTE: Ignore return value)
  job_run_once "$JOB_HELPER_SCRIPT"

  # Call parse script
  "$PLUGIN_BIN_PATH/traffic-accounting-show"

  return 0
}


# Check sanity of eg. environment: the helper script must exist.
# Returns 1 (with an error on stderr) when it does not, 0 otherwise.
plugin_sanity_check()
{
  [ -f "$JOB_HELPER_SCRIPT" ] && return 0

  printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
  return 1
}


############
# Mainline #
############

# Locate the plugin config file (stays empty when no config path was given)
CONF_FILE="${PLUGIN_CONF_PATH:+$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE}"

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (it is executed as shell code)
  . "$CONF_FILE"

  # An enabled plugin handles everything except stop-restart, a disabled one
  # only stop-restart; with PLUGIN_LOAD_FILE set stop/status are still handled
  if { [ "$ENABLED" = "1" ] && [ "$PLUGIN_CMD" != "stop-restart" ]; } ||
     { [ "$ENABLED" = "0" ] && [ "$PLUGIN_CMD" = "stop-restart" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start;   PLUGIN_RET_VAL=$? ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop;    PLUGIN_RET_VAL=$? ;;
        status           ) plugin_status;  PLUGIN_RET_VAL=$? ;;
        *                ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi
# ------------------------------------------------------------------------------
# /share/arno-iptables-firewall/plugins/90outbound-snat.plugin
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Outbound SNAT plugin =-
#
PLUGIN_NAME="Outbound SNAT plugin"
PLUGIN_VERSION="1.01"
PLUGIN_CONF_FILE="outbound-snat.conf"
#
# Last changed : July 12, 2016
# Requirements : AIF 2.0.0+
# Comments     : When a NAT'ed external interface has multiple IPv4 addresses,
#                it may be desirable to specify which internal IP's or CIDR's
#                use which external IPv4 addresses for outbound connections.
13 | # 14 | # Author : (C) Copyright 2012-2016 by Lonnie Abelbeck & Arno van Amersfoort 15 | # Web : https://github.com/arno-iptables-firewall/aif 16 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 17 | # (note: you must remove all spaces and substitute the @ and the . 18 | # at the proper locations!) 19 | # ------------------------------------------------------------------------------ 20 | # This program is free software; you can redistribute it and/or 21 | # modify it under the terms of the GNU General Public License 22 | # version 2 as published by the Free Software Foundation. 23 | # 24 | # This program is distributed in the hope that it will be useful, 25 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 26 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 27 | # GNU General Public License for more details. 28 | # 29 | # You should have received a copy of the GNU General Public License 30 | # along with this program; if not, write to the Free Software 31 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------

# Print the IPv4 addresses (without prefix length) configured on interface $1,
# one per line. Prints nothing when the interface does not exist.
get_extif_ipv4_addresses()
{
  ip -o addr show dev "$1" 2>/dev/null \
    | awk '$3 == "inet" { sub("/.*", "", $4); print $4 }'
}

# Print the NAT/external interface that currently carries IPv4 address $1 and
# return 0; return 1 (printing nothing) when no interface has it.
# IFS is local to this function.
get_extif_with_ipv4_address()
{
  local host="$1" eif eip eips IFS

  IFS=' ,'
  for eif in $(wildcard_ifs ${NAT_IF:-$EXT_IF}); do
    eips="$(get_extif_ipv4_addresses $eif)"
    [ -n "$eips" ] || continue

    unset IFS
    for eip in $eips; do
      [ "$host" = "$eip" ] || continue
      echo "$eif"
      return 0
    done
  done

  return 1
}

# Plugin start function: rebuilds the OUTBOUND_SNAT chain from the
# OUTBOUND_SNAT_NET_HOST rules ("net>host" entries) and hooks it into nat
# POSTROUTING. Malformed rules are reported and skipped. Always returns 0.
plugin_start()
{
  local rule net host eif IFS

  ip4tables -t nat -N OUTBOUND_SNAT 2>/dev/null
  ip4tables -t nat -F OUTBOUND_SNAT

  IFS=' ,'
  for rule in $OUTBOUND_SNAT_NET_HOST; do
    # cut -s yields an empty field when the '>' separator is missing
    net="$(echo "$rule" |cut -s -d'>' -f1)"
    host="$(echo "$rule" |cut -s -d'>' -f2)"

    if [ -z "$net" ] || [ -z "$host" ]; then
      echo "** WARNING: In Variable OUTBOUND_SNAT_NET_HOST, Rule: \"$rule\" is ignored." >&2
      continue
    fi

    # First, look for matching external interface with "host" address.
    # Traffic from $net to $net itself is left untouched (! -d $net).
    eif="$(get_extif_with_ipv4_address $host)"
    if [ -n "$eif" ]; then
      # Apply to single external interface containing "host".
      echo "${INDENT}Outbound SNAT internal $net via external $host for interface: $eif"
      ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
      continue
    fi

    # Apply to all external interface(s) if "host" is not currently found.
    echo "${INDENT}Outbound SNAT internal $net via external $host for interface(s): ${NAT_IF:-$EXT_IF}"
    IFS=' ,'
    for eif in ${NAT_IF:-$EXT_IF}; do
      ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
    done
  done

  ip4tables -t nat -A POSTROUTING -j OUTBOUND_SNAT

  return 0
}


# Plugin restart function: plugin_stop is skipped on a restart, the chain is
# simply rebuilt. Always returns 0.
plugin_restart()
{
  plugin_start

  return 0
}


# Plugin stop function: unhooks and deletes the OUTBOUND_SNAT chain.
# Always returns 0.
plugin_stop()
{
  ip4tables -t nat -D POSTROUTING -j OUTBOUND_SNAT

  ip4tables -t nat -F OUTBOUND_SNAT
  ip4tables -t nat -X OUTBOUND_SNAT 2>/dev/null

  return 0
}


# Plugin status function: this plugin has no status output.
plugin_status()
{
  return 0
}


# Check sanity of eg. environment: OUTBOUND_SNAT_NET_HOST must be set.
# Returns 1 (with an error on stderr) when it is empty, 0 otherwise.
plugin_sanity_check()
{
  [ -n "$OUTBOUND_SNAT_NET_HOST" ] && return 0

  printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
  return 1
}


############
# Mainline #
############

# Locate the plugin config file (stays empty when no config path was given)
CONF_FILE="${PLUGIN_CONF_PATH:+$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE}"

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (it is executed as shell code)
  . "$CONF_FILE"

  # An enabled plugin handles everything except stop-restart, a disabled one
  # only stop-restart; with PLUGIN_LOAD_FILE set stop/status are still handled
  if { [ "$ENABLED" = "1" ] && [ "$PLUGIN_CMD" != "stop-restart" ]; } ||
     { [ "$ENABLED" = "0" ] && [ "$PLUGIN_CMD" = "stop-restart" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start;   PLUGIN_RET_VAL=$? ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop;    PLUGIN_RET_VAL=$? ;;
        status           ) plugin_status;  PLUGIN_RET_VAL=$? ;;
        *                ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi
# ------------------------------------------------------------------------------
# /share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - SSH Brute Force Protection plugin =-
#
PLUGIN_NAME="SSH Brute-Force Protection plugin"
PLUGIN_VERSION="1.1b"
PLUGIN_CONF_FILE="ssh-brute-force-protection.conf"
#
# Last changed : June 14, 2017
# Requirements : kernel 2.6 + ipt_recent or xt_recent
#              : AIF 1.9.2k (and later)
# Comments     : This plugin implements protection against brute force
#                cracking by limiting the number of connection attempts
#                for each source IP in a specific time slot. It is
#                primarily intended for SSH/port 22 but in principle
#                it can be used for any TCP protocol
#                (eg. FTP/SMTP/IMAP etc.)
#                Updated for mixed IPv4/IPv6
#
# Author       : (C) Copyright 2006-2017 by Arno van Amersfoort
# Web          : https://github.com/arno-iptables-firewall/aif
# Email        : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
#                (note: you must remove all spaces and substitute the @ and the .
#                at the proper locations!)
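# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
#
# Builds two chains and hooks them into EXT_INPUT_CHAIN:
#   SSH_CHK      - RETURN (bypass) for SSH_BFP_TRUSTED_HOSTS, then the xt_recent
#                  rate checks; a source above either threshold jumps to
#                  SSH_LOG_DROP
#   SSH_LOG_DROP - rate-limited LOG (prefix "AIF:SSH Brute force attack?: "),
#                  then DROP
# Only NEW TCP connections to SSH_BFP_PORTS (default 22) are sent through
# SSH_CHK. Uses $IPTABLES (set by the mainline), $INDENT, $LOGLEVEL,
# $IPV6_DETECTED, $NF_CONNTRACK_STATE, the SSH_BFP_* config values and the
# framework helpers ip_range() and modprobe_multi().
# Returns 0 unconditionally; the result of the individual iptables calls is
# not checked.
plugin_start()
{
  # IFS is local so the ' ,' splitting below does not leak to the caller
  # (same pattern as the other AIF plugins)
  local host port IFS

  if [ "$IPV6_DETECTED" = "1" ] && [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new SSH_CHK to insert SSH checker + whitelist:
  $IPTABLES -N SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_CHK

  # Create new SSH_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N SSH_LOG_DROP 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP

  # At most one log line per minute, so a flood cannot fill the syslog
  $IPTABLES -A SSH_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:SSH Brute force attack?: "
  $IPTABLES -A SSH_LOG_DROP -j DROP

  if [ -n "$SSH_BFP_TRUSTED_HOSTS" ]; then
    # Create whitelist. These RETURN rules precede the "--set" rule, so trusted
    # sources are never recorded in the sshchk table at all:
    echo "${INDENT}Allowing bypass of SSH protection checks for: $SSH_BFP_TRUSTED_HOSTS"
    IFS=' ,'
    for host in `ip_range "$SSH_BFP_TRUSTED_HOSTS"`; do
      $IPTABLES -A SSH_CHK -s $host -j RETURN
    done
  fi

  # Create rate1 & rate2 checker. "--update" refreshes the source's timestamp
  # on every hit, so a source that keeps retrying stays blocked (sliding window):
  $IPTABLES -A SSH_CHK -m recent --name sshchk --set
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME1 --hitcount $SSH_BFP_MAX_RATE1 -j SSH_LOG_DROP
  $IPTABLES -A SSH_CHK -m recent --name sshchk --update \
    --seconds $SSH_BFP_MAX_TIME2 --hitcount $SSH_BFP_MAX_RATE2 -j SSH_LOG_DROP

  # If no ports were configured, use the default of 22
  if [ -z "$SSH_BFP_PORTS" ]; then
    SSH_BFP_PORTS="22"
  fi

  echo "${INDENT}Protecting TCP port(s): $SSH_BFP_PORTS"

  # Insert rule into the EXTERNAL INPUT chain (NEW connections only):
  IFS=' ,'
  for port in $SSH_BFP_PORTS; do
    $IPTABLES -A EXT_INPUT_CHAIN -p tcp --dport $port ${NF_CONNTRACK_STATE:--m state --state} NEW -j SSH_CHK
  done

  return 0
}


# Plugin stop function
# Flushes and deletes the two chains created by plugin_start(). The hook rules
# in EXT_INPUT_CHAIN are not deleted here (presumably that chain is flushed by
# the framework on stop).
plugin_stop()
{
  $IPTABLES -F SSH_CHK
  $IPTABLES -X SSH_CHK 2>/dev/null
  $IPTABLES -F SSH_LOG_DROP
  $IPTABLES -X SSH_LOG_DROP 2>/dev/null

  return 0
}
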
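
# Plugin status function
# Nothing to report for this plugin; always returns 0.
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
#
# The four rate/time values go straight into "-m recent --seconds/--hitcount"
# in plugin_start(). An empty or non-numeric value makes those iptables calls
# fail, yet plugin_start() keeps going and still hooks SSH_CHK into
# EXT_INPUT_CHAIN - the chain then has no drop rules and the brute-force
# protection is silently absent. So reject anything that is not a decimal
# number here, before any rule is touched.
# Returns 0 when all values are usable, 1 otherwise (error on stderr).
plugin_sanity_check()
{
  local value

  for value in "$SSH_BFP_MAX_RATE1" "$SSH_BFP_MAX_TIME1" "$SSH_BFP_MAX_RATE2" "$SSH_BFP_MAX_TIME2"; do
    case "$value" in
      ''|*[!0-9]*)
        printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
        return 1
        ;;
    esac
  done

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file. It is executed as shell code, so it must
  # only be writable by root, like the rest of the firewall configuration.
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # With IPv6 disabled for this plugin use the IPv4-only wrapper; otherwise
    # "iptables" (presumably the framework's wrapper covering both families)
    if [ "$SSH_BFP_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status ) plugin_status; PLUGIN_RET_VAL=$? ;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
    unset IPTABLES
  fi
fi

--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/90ids-protection.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - IDS-protection plugin =-
#
PLUGIN_NAME="IDS-protection plugin"
PLUGIN_VERSION="1.1a"
PLUGIN_CONF_FILE="ids-protection.conf"
#
# Last changed : June 14, 2017
# Requirements : kernel 2.6 + ipt_recent or xt_recent
# : AIF 1.9.2k (and later)
# Comments : This implements IDS protection aka Intrusion-Detection-System.
# It will block remote hosts trying to eg. scan/access your
# system on firewalled ports.
# Updated for mixed IPv4/IPv6
#
# Author : (C) Copyright 2007-2017 by Arno van Amersfoort
# Web : https://github.com/arno-iptables-firewall/aif
# Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.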
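#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------------------

# Plugin start function
#
# Chains built here:
#   IDS_LOG_DROP - rate-limited LOG (prefix "AIF:IDS violation: "), then DROP
#   IDS_CHK      - RETURN (bypass) for IDS_TRUSTED_HOSTS, for ICMP and for the
#                  IDS_EXCLUDE_TCP/UDP ports, then "-m recent --set/--update"
#                  which records the packet's source in the "idschk" table
# IDS_CHK is hooked from POST_INPUT_DROP_CHAIN, so only NEW packets that the
# firewall is about to drop anyway (i.e. sent to firewalled ports) get
# recorded. The "--rcheck" rules are appended to INPUT_CHAIN per interface
# with no port match: once a source exceeds either threshold, ALL of its
# traffic on that interface is dropped until roughly IDS_MAX_TIME has passed
# since its last recorded packet ("--rcheck" itself does not refresh the
# timestamp). Entries are keyed on source address only, so packets with a
# spoofed source can get a third party's address blocked; IDS_TRUSTED_HOSTS
# is the place for peers that must never be affected.
# Returns 0 unconditionally; the result of the individual iptables calls is
# not checked.
plugin_start()
{
  # IFS is local so the ' ,' splitting below does not leak to the caller
  local host port interface IFS

  if [ "$IPV6_DETECTED" = "1" ] && [ "$IDS_IPV6_ENABLE" = "0" ]; then
    echo "${INDENT}NOTE: Only IPv4 is protected."
  fi

  # Probe module xt_recent for IPv4/IPv6 or ipt_recent for IPv4:
  # (Allows checking for recent packets)
  modprobe_multi xt_recent ipt_recent

  # Create new IDS_LOG_DROP chain for loggin' 'n droppin':
  $IPTABLES -N IDS_LOG_DROP 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP

  # At most one log line per minute, so a flood cannot fill the syslog
  $IPTABLES -A IDS_LOG_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
    --log-level $LOGLEVEL --log-prefix "AIF:IDS violation: "
  $IPTABLES -A IDS_LOG_DROP -j DROP

  # Create new IDS_CHK to insert IDS checker + whitelist:
  $IPTABLES -N IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_CHK

  if [ -n "$IDS_TRUSTED_HOSTS" ]; then
    # Create whitelist (before "--set", so trusted sources are never recorded):
    echo "${INDENT}Allowing bypass of IDS protection checks for: $IDS_TRUSTED_HOSTS"
    IFS=' ,'
    for host in `ip_range "$IDS_TRUSTED_HOSTS"`; do
      $IPTABLES -A IDS_CHK -s $host -j RETURN
    done
  fi

  # We also ignore ICMP traffic since we can not reliably check it for IDS
  $IPTABLES -A IDS_CHK -p icmp -j RETURN

  if [ -n "$IDS_EXCLUDE_TCP" ]; then
    echo "${INDENT}Excluding IDS check for TCP port(s): $IDS_EXCLUDE_TCP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_TCP; do
      $IPTABLES -A IDS_CHK -p tcp --dport $port -j RETURN
    done
  fi

  if [ -n "$IDS_EXCLUDE_UDP" ]; then
    echo "${INDENT}Excluding IDS check for UDP port(s): $IDS_EXCLUDE_UDP"
    IFS=' ,'
    for port in $IDS_EXCLUDE_UDP; do
      $IPTABLES -A IDS_CHK -p udp --dport $port -j RETURN
    done
  fi

  # Everything that got this far is recorded under its source address
  $IPTABLES -A IDS_CHK -m recent --set --name idschk
  $IPTABLES -A IDS_CHK -m recent --update --name idschk

  # Default to the external interface(s)
  if [ -z "$IDS_INTERFACE" ]; then
    IDS_INTERFACE="$EXT_IF"
  fi

  IFS=' ,'
  for interface in $IDS_INTERFACE; do
    # Create rate1 & rate2 checker (no port match: blocks all traffic of an
    # offending source on this interface):
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME1 --hitcount $IDS_MAX_RATE1 --name idschk -j IDS_LOG_DROP
    $IPTABLES -A INPUT_CHAIN -i $interface -m recent --rcheck --seconds $IDS_MAX_TIME2 --hitcount $IDS_MAX_RATE2 --name idschk -j IDS_LOG_DROP

    # Insert rule into the POST_INPUT_DROP_CHAIN chain:
    $IPTABLES -A POST_INPUT_DROP_CHAIN -i $interface ${NF_CONNTRACK_STATE:--m state --state} NEW -j IDS_CHK
  done

  return 0
}


# Plugin stop function
# Flushes and deletes the two chains created by plugin_start(). The rules
# added to INPUT_CHAIN and POST_INPUT_DROP_CHAIN are not deleted here
# (presumably those chains are flushed by the framework on stop).
plugin_stop()
{
  $IPTABLES -F IDS_CHK
  $IPTABLES -X IDS_CHK 2>/dev/null
  $IPTABLES -F IDS_LOG_DROP
  $IPTABLES -X IDS_LOG_DROP 2>/dev/null

  return 0
}


# Plugin status function
# Nothing to report for this plugin; always returns 0.
plugin_status()
{
  return 0
}

# Check sanity of eg. environment
#
# The four rate/time values go straight into "-m recent --seconds/--hitcount"
# in plugin_start(). An empty or non-numeric value makes those iptables calls
# fail while plugin_start() keeps going, leaving the IDS_CHK hook in place but
# no blocking rules in INPUT_CHAIN - the protection would silently be absent.
# So reject anything that is not a decimal number before any rule is touched.
# Returns 0 when all values are usable, 1 otherwise (error on stderr).
plugin_sanity_check()
{
  local value

  for value in "$IDS_MAX_RATE1" "$IDS_MAX_TIME1" "$IDS_MAX_RATE2" "$IDS_MAX_TIME2"; do
    case "$value" in
      ''|*[!0-9]*)
        printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
        return 1
        ;;
    esac
  done

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ !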
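-f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    if [ "$IDS_IPV6_ENABLE" = "0" ]; then
      IPTABLES="ip4tables"
    else
      IPTABLES="iptables"
    fi

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status ) plugin_status; PLUGIN_RET_VAL=$? ;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
    unset IPTABLES
  fi
fi

--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/adaptive-ban-helper:
--------------------------------------------------------------------------------
# The plugin configuration file
###############################
PLUGIN_CONF_FILE="adaptive-ban.conf"

# Preinit return value for success
PLUGIN_RET_VAL=0

# Scratch file holding the source addresses extracted from the log.
# A fixed, predictable name in the world-writable /var/tmp lets any local user
# pre-create a symlink there, which root would then follow when the filters
# write to it. Create the file with mktemp instead (unpredictable name, mode
# 0600, created exclusively); the fixed name is only used if mktemp is missing.
TEMPFILE="$(mktemp /var/tmp/aif_adaptive_ban.XXXXXX 2>/dev/null)" || TEMPFILE="/var/tmp/aif_adaptive_ban.temp"

# Check sanity of environment
# Verifies that the two ban chains exist (IPv4 and, when IPV6_SUPPORT=1, IPv6),
# that the log file to scan is present and that ADAPTIVE_BAN_COUNT is a number.
# Returns 0 when everything is in place, 1 otherwise (error on stderr).
adaptive_ban_helper_sanity_check()
{
  # Check whether chains exists
  if ! check_for_chain ADAPTIVE_BAN_CHAIN; then
    echo "** ERROR: ADAPTIVE_BAN_CHAIN does not exist! **" >&2
    return 1
  fi

  if ! check_for_chain ADAPTIVE_BAN_DROP_CHAIN; then
    echo "** ERROR: ADAPTIVE_BAN_DROP_CHAIN does not exist! **" >&2
    return 1
  fi

  if [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
    echo "** ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist! **" >&2
    return 1
  fi

  # The threshold is compared with "-ge" in count_attempts_then_ban(); an
  # empty or non-numeric value would make every comparison error out instead
  case "$ADAPTIVE_BAN_COUNT" in
    ''|*[!0-9]*)
      echo "** ERROR: ADAPTIVE_BAN_COUNT is not set to a number! **" >&2
      return 1
      ;;
  esac

  return 0
}


# Scan the configured log file once and ban offenders.
# (An mtime guard used to sit here, but its "filetime" variable was function-
# local and reset on every call, so the filter ran unconditionally anyway.)
adaptive_ban_helper_do_work()
{
  filter "$ADAPTIVE_BAN_FILE" "$ADAPTIVE_BAN_COUNT" "$ADAPTIVE_BAN_TYPES"

  return 0
}


# Run each configured log filter and ban the sources that exceed "count".
#   $1   log file to scan
#   $2   number of matching log lines after which a source is banned
#   $3.. filter types, whitespace separated (a single "a b c" word also works)
# Each filter writes the extracted addresses, one per line, to $TEMPFILE.
filter()
{
  local file="$1" count="$2" type types PREFIX HOST IFS

  shift 2
  types="$@"

  # regex to pull out offending IPv4/IPv6 address
  #
  HOST="([0-9a-fA-F:.]{7,})"

  unset IFS
  for type in $types; do

    # regex match the start of the syslog string
    #
    PREFIX=".*${type}\[[0-9]*]:[[:space:]]*"

    case "$type" in
      sshd) filter_sshd "$file" "$PREFIX" "$HOST"
            ;;
      asterisk) filter_asterisk "$file" "$PREFIX" "$HOST"
            ;;
      lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST"
            ;;
      mini_httpd) filter_mini_httpd "$file" "$PREFIX" "$HOST"
            ;;
      pptpd) filter_pptpd "$file" "$PREFIX" "$HOST"
            ;;
      *) echo "Unsupported type \"$type\"" >&2
         continue
            ;;
    esac
    if [ $? -ne 0 ]; then
      echo "Filter error for type \"$type\"" >&2
    else
      count_attempts_then_ban "$count" "$type"
    fi
    # Truncate rather than unlink: the file keeps the inode mktemp created, so
    # nobody can place a symlink under the same name before the next filter
    # writes to it. The file is removed once, in the mainline.
    : >"$TEMPFILE"
  done
}


# sshd: "Failed password|publickey for ... from HOST [port N] [sshN]" and
# "Invalid|Illegal user ... from HOST [port N]" (newer OpenSSH appends the port
# to that line as well, hence the optional group). \2 is the address because
# group 1 is the (password|publickey) / (llegal|nvalid) alternation. The
# user-name part is attacker-chosen, so both patterns are anchored at both
# ends and the greedy ".*" takes the LAST "from HOST" on the line.
filter_sshd()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}Failed (password|publickey) for .* from ${HOST}( port [0-9]*)?( ssh[0-9]*)?$/\2/p" \
            -e "s/^${PREFIX}[iI](llegal|nvalid) user .* from ${HOST}( port [0-9]*)?[[:space:]]*$/\2/p" \
            "$file" >"$TEMPFILE"
}

# asterisk: the usual registration/authentication failure NOTICEs; \1 is HOST
filter_asterisk()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Wrong password$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - No matching peer found$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Username\/auth name mismatch$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Registration from '.*' failed for '${HOST}' - Device does not match ACL$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* '${HOST}' - Dialplan Noted Suspicious IP Address$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* ${HOST} failed to authenticate as '.*'$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: No registration for peer '.*' \(from ${HOST}\)$/\1/p" \
            -e "s/^${PREFIX}NOTICE.* .*: Host ${HOST} failed MD5 authentication for '.*' \(.*\)$/\1/p" \
            "$file" >"$TEMPFILE"
}

# lighttpd: mod_auth password/get_password failures; \1 is HOST
filter_lighttpd()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}.* password doesn't match for .* IP: ${HOST}[[:space:]]*$/\1/p" \
            -e "s/^${PREFIX}.* get_password failed, IP: ${HOST}[[:space:]]*$/\1/p" \
            "$file" >"$TEMPFILE"
}

# mini_httpd: "HOST authentication failure - access denied"; \1 is HOST
filter_mini_httpd()
{
  local file="$1" PREFIX="$2" HOST="$3"

  sed -n -r -e "s/^${PREFIX}${HOST} authentication failure - access denied$/\1/p" \
            "$file" >"$TEMPFILE"
}

# pptpd: the CHAP failure is logged by pppd, the client address by pptpd a few
# lines later, so the script joins the next 15 lines and looks for the
# "control connection finished" line in them; \1 is HOST
filter_pptpd()
{
  local file="$1" PREFIX="$2" HOST="$3" PPP_PREFIX=".*pppd\[[0-9]*]:[[:space:]]*"

  sed -n -r -e "/^${PPP_PREFIX}.* failed CHAP authentication$/ {N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;\
s/^.*\n${PREFIX}CTRL: Client ${HOST} control connection finished\n.*$/\1/p}" \
            "$file" >"$TEMPFILE"
}

# Count the addresses in $TEMPFILE and ban every one seen at least "count"
# times. Extracted IPv4 entries may carry a ":port" suffix, which is stripped
# first so that one host is not counted separately per port.
#   $1 threshold, $2 filter type (only used in the log message)
count_attempts_then_ban()
{
  local count="$1" type="$2" hits host IFS

  # Remove possible IPv4 port numbers, IPv4:PORT -> IPv4. Done in a pipeline
  # instead of "sed -i" so the mktemp-created file is never replaced by a new
  # inode with default permissions. "read" splits each "uniq -c" line into the
  # hit count and the address (no dependency on $EOL being defined).
  IFS=' '
  sed -r -e 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):[0-9]+$/\1/' "$TEMPFILE" | sort | uniq -c |
  while read -r hits host; do
    if [ "$hits" -ge "$count" ]; then
      ban_host "$host" "$type"
    fi
  done
}

# Append a jump to ADAPTIVE_BAN_DROP_CHAIN for "host" in ADAPTIVE_BAN_CHAIN,
# unless a rule for that address is already listed there. IPv6 addresses are
# only banned when IPV6_SUPPORT=1. Logs the ban on stderr.
#   $1 address as extracted by the filters, $2 filter type
ban_host()
{
  local host="$1" type="$2" escaped

  get_numeric_ip_version "$host"
  case $? in
    4)
      # Escape the dots so grep matches the address literally (POSIX sed in
      # place of the bash-only ${host//./\.} so the helper also runs under
      # dash). The leading space and trailing [/ ] keep 10.0.0.1 from matching
      # 10.0.0.10 or 110.0.0.1.
      escaped="$(printf '%s' "$host" | sed 's/\./\\./g')"
      if ! ip4tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${escaped}[/ ]"; then
        ip4tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
        if [ $? -eq 0 ]; then
          echo "Banned IPv4 host: $host Filter type: $type" >&2
        fi
      fi
      ;;
    6)
      if [ "$IPV6_SUPPORT" = "1" ]; then
        if ! ip6tables -n -L ADAPTIVE_BAN_CHAIN | grep -q " ${host}[/ ]"; then
          ip6tables -A ADAPTIVE_BAN_CHAIN -s $host -j ADAPTIVE_BAN_DROP_CHAIN
          if [ $? -eq 0 ]; then
            echo "Banned IPv6 host: $host Filter type: $type" >&2
          fi
        fi
      fi
      ;;
  esac
}

# Return 0 when chain "$1" exists in the IPv4 filter table and, if
# IPV6_SUPPORT=1, also in the IPv6 one; otherwise the failing iptables status.
check_for_chain()
{
  local err

  ip4tables -n -L "$1" >/dev/null 2>&1
  err=$?

  if [ "$IPV6_SUPPORT" = "1" -a $err -eq 0 ]; then
    ip6tables -n -L "$1" >/dev/null 2>&1
    err=$?
  fi

  return $err
}

############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
else
  # Source the plugin config file (executed as shell code: it must be
  # root-owned and not writable by others)
  . "$CONF_FILE"

  # Only proceed if environment ok
  if ! adaptive_ban_helper_sanity_check; then
    PLUGIN_RET_VAL=1
  else
    # Parse rules
    if ! adaptive_ban_helper_do_work; then
      PLUGIN_RET_VAL=1
    fi
  fi
fi

# Remove the scratch file on every path (the filters only truncate it)
rm -f "$TEMPFILE"

--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/50ipsec-vpn.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - IPsec VPN plugin =-
#
PLUGIN_NAME="IPsec VPN plugin"
PLUGIN_VERSION="0.85"
PLUGIN_CONF_FILE="ipsec-vpn.conf"
#
# Last changed : July 12, 2016
# Requirements : AIF 2.0.0+ and kernel 2.6 + ipt_policy + iptable_nat
# Comments : This plugin adds all required rules for using Racoon IPSEC.
#
# Author : (C) Copyright 2006-2016 by Philip Prindeville & Arno van Amersfoort
# Web : https://github.com/arno-iptables-firewall/aif
# Email : philipp AT redfish-solutions DOT com
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)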
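# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
#
# Opens the IPsec protocols on EXT_INPUT_CHAIN for IPSEC_ALLOWED_HOSTS only:
# UDP/500 (IKE), ESP and AH, plus UDP/4500 when IPSEC_NAT_TRAVERSAL=1. That
# variable therefore fully determines who can reach the IKE/ESP/AH listeners;
# nothing else here restricts them. Decapsulated traffic ("-m policy --pol
# ipsec --dir in") arriving on EXT_IF is diverted from INPUT/FORWARD into
# VPN_INPUT/VPN_FORWARD, which ACCEPT only IPSEC_VPN_NETS sources (then DROP)
# or, when that variable is empty, everything. The same traffic gets RETURN
# rules at the top of SPOOF_CHK for INTERNAL_NET sources (so tunnelled
# internal addresses are not rejected as spoofed) and is kept out of NAT in
# PREROUTING/POSTROUTING on NAT_IF (EXT_IF when NAT_IF is unset).
# Returns 0 unconditionally; the result of the individual iptables calls is
# not checked.
plugin_start()
{
  local eif net ipver vnet host cnt IFS

  modprobe_multi xt_policy ipt_policy # Allows use of policy match
  modprobe iptable_nat # We need the NAT table

  iptables -N VPN_INPUT 2>/dev/null
  iptables -F VPN_INPUT

  iptables -N VPN_FORWARD 2>/dev/null
  iptables -F VPN_FORWARD

  # If the user has specified a subset of remote networks, only allow those.
  if [ -n "$IPSEC_VPN_NETS" ]; then
    echo "${INDENT}Applying rules for VPN nets $IPSEC_VPN_NETS"
    IFS=' ,'
    for vnet in $IPSEC_VPN_NETS; do
      iptables -A VPN_INPUT -s $vnet -j ACCEPT
      iptables -A VPN_FORWARD -s $vnet -j ACCEPT
    done
    iptables -A VPN_INPUT -j DROP
    iptables -A VPN_FORWARD -j DROP
  else
    # Otherwise, we allow everything.
    iptables -A VPN_INPUT -j ACCEPT
    iptables -A VPN_FORWARD -j ACCEPT
  fi

  # Don't apply the usual filters for the external interface on
  # traffic that's just been decapsulated. We treat it mostly like
  # internal traffic.
  # iptables -A EXT_INPUT_CHAIN -m policy --pol ipsec --dir in -j VPN_INPUT
  # (unnecessary since the -A INPUT...-j VPN_INPUT rule below supersedes this rule)

  echo "${INDENT}Allowing internet hosts $IPSEC_ALLOWED_HOSTS to access the VPN service"
  IFS=' ,'
  for host in `ip_range "$IPSEC_ALLOWED_HOSTS"`; do
    iptables -A EXT_INPUT_CHAIN -p udp --dport 500 -s $host -j ACCEPT
    # ip version 0 (presumably "any"/a hostname) gets both the v4 and v6 rules
    get_numeric_ip_version "$host"
    ipver=$?
    if [ $ipver -eq 4 -o $ipver -eq 0 ]; then
      ip4tables -A EXT_INPUT_CHAIN -p esp -s $host -j ACCEPT
      ip4tables -A EXT_INPUT_CHAIN -p ah -s $host -j ACCEPT
    fi
    if [ "$IPV6_SUPPORT" = "1" ]; then
      if [ $ipver -eq 6 -o $ipver -eq 0 ]; then
        ip6tables -A EXT_INPUT_CHAIN -m esp -p esp -s $host -j ACCEPT
        ip6tables -A EXT_INPUT_CHAIN -m ah -s $host -j ACCEPT
      fi
    fi

    if [ "$IPSEC_NAT_TRAVERSAL" = "1" ]; then
      iptables -A EXT_INPUT_CHAIN -p udp --dport 4500 -s $host -j ACCEPT
    fi
  done

  # Insert (not append) so these RETURNs precede the existing spoof checks;
  # cnt keeps them in configuration order
  cnt=0
  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      cnt=$((cnt + 1))
      iptables -I SPOOF_CHK $cnt -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN
    done
  done

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    # Allow IPSEC packets in after decapsulation
    ip4tables -t nat -A PREROUTING -i $eif -m policy --pol ipsec --dir in -j ACCEPT

    # Do not apply masquerading to outbound traffic
    ip4tables -t nat -A POSTROUTING -o $eif -m policy --pol ipsec --dir out -j ACCEPT
  done

  IFS=' ,'
  for eif in $EXT_IF; do
    iptables -A FORWARD -i $eif -m policy --pol ipsec --dir in -j VPN_FORWARD
    iptables -A INPUT -i $eif -m policy --pol ipsec --dir in -j VPN_INPUT
  done

  return 0
}


# Plugin stop function
# Removes the VPN_* chains and the SPOOF_CHK RETURN rules. The EXT_INPUT_CHAIN,
# INPUT/FORWARD and nat rules added by plugin_start() are not deleted here
# (presumably those chains are flushed by the framework on stop).
plugin_stop()
{
  local eif net IFS

  iptables -F VPN_INPUT
  iptables -X VPN_INPUT 2>/dev/null
  iptables -F VPN_FORWARD
  iptables -X VPN_FORWARD 2>/dev/null

  IFS=' ,'
  for eif in $EXT_IF; do
    for net in $INTERNAL_NET; do
      iptables -D SPOOF_CHK -i $eif -s $net -m policy --pol ipsec --dir in -j RETURN
    done
  done

  return 0
}


# Plugin status function
# Nothing to report for this plugin; always returns 0.
plugin_status()
{
  return 0
}


# Check sanity of eg. environment
# IPSEC_ALLOWED_HOSTS must be set: it is the only thing that limits access to
# the IKE/ESP/AH rules opened by plugin_start(). Returns 1 (error on stderr)
# when it is empty, 0 otherwise.
plugin_sanity_check()
{
  # Sanity check
  if [ -z "$IPSEC_ALLOWED_HOSTS" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (executed as shell code: must only be
  # writable by root)
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status ) plugin_status; PLUGIN_RET_VAL=$?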
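;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi

--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/90dmz-dnat.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - DMZ-host default port forwarding plugin =-
#
PLUGIN_NAME="DMZ-host DNAT plugin"
PLUGIN_VERSION="0.10"
PLUGIN_CONF_FILE="dmz-dnat.conf"
#
# Last changed : January 5, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments : This plugin allows forwarding of all traffic to a "DMZ" host.
# Updated to be IPv4-only
# Updated to support parse_rule()
# Updated to support ipt_if()
#
# Author : (C) Copyright 2010-2019 by Arno van Amersfoort
# : (C) Copyright 2010-2016 by Philip A. Prindeville
# Email : philipp AT redfish-solutions DOT com
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
#
# Everything arriving on NAT_IF (EXT_IF when NAT_IF is unset) that is not ICMP
# and does not match an explicit OPEN_TCP/UDP/IP or HOST_OPEN_TCP/UDP/IP rule
# is DNATed to DMZ_IP, and forwarded traffic to DMZ_IP from those interfaces
# is ACCEPTed in POST_FORWARD_CHAIN. In effect every port not claimed by an
# explicit open rule is exposed on the DMZ host, so that host has to be
# treated as directly internet-facing. The exclusion (RETURN) rules live in
# the private NAT_PREROUTING_LOCAL chain, which is appended to
# POST_NAT_PREROUTING_CHAIN. IPv4 only. The hosts/ports/destips/interfaces/
# protos variables are filled in by the framework's parse_rule().
# Returns 0 unconditionally; the result of the individual iptables calls is
# not checked.
plugin_start()
{
  local eif rule host port destip interface proto IFS
  local open_tcp="" open_udp="" open_ip=""

  # Forward all traffic that doesn't match an explicit port-forward to the
  # DMZ host.
  ip4tables -t nat -N NAT_PREROUTING_LOCAL 2>/dev/null
  ip4tables -t nat -F NAT_PREROUTING_LOCAL

  ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  # bail if ICMP...
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -p icmp -j RETURN
  done

  # Plain OPEN_* rules are rewritten into HOST_OPEN_* form (any host) so one
  # parse_rule() loop can handle both
  unset IFS
  for rule in $OPEN_TCP; do
    open_tcp="$open_tcp $ANYHOST$SEP$rule"
  done

  # intercept HOST_OPEN_TCP and HOST_OPEN_UDP (sigh... duplicate code...)
  unset IFS
  for rule in $HOST_OPEN_TCP $open_tcp; do
    if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_UDP; do
    open_udp="$open_udp $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_UDP $open_udp; do
    if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then

      IFS=','
      for host in `ip_range "$hosts"`; do
        for port in $ports; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j RETURN
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $OPEN_IP; do
    open_ip="$open_ip $ANYHOST$SEP$rule"
  done

  for rule in $HOST_OPEN_IP $open_ip; do
    if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then

      IFS=','
      for host in `ip_range "$hosts"`; do
        for proto in $protos; do
          for destip in $destips; do
            for interface in $interfaces; do
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j RETURN
            done
          done
        done
      done
    fi
  done

  # (ICMP needs no rule here: it was already excluded by the RETURN rules at
  # the top of the chain)

  echo "${INDENT}DMZ-DNAT: sending all non-local packets to $DMZ_IP"

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i $eif -j DNAT --to-destination $DMZ_IP
    ip4tables -A POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT
  done

  return 0
}


# Plugin stop function
# Unhooks and deletes NAT_PREROUTING_LOCAL and removes the POST_FORWARD_CHAIN
# accept rules added by plugin_start().
plugin_stop()
{
  local eif IFS

  ip4tables -t nat -D POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -X NAT_PREROUTING_LOCAL 2>/dev/null

  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -D POST_FORWARD_CHAIN -i $eif -d $DMZ_IP -j ACCEPT
  done

  return 0
}


# Plugin status function
# Nothing to report for this plugin; always returns 0.
plugin_status()
{
  return 0
}

# Check sanity of eg. environment
# DMZ_IP must be set (it is the DNAT target). Returns 1 with an error on
# stderr when it is empty, 0 otherwise.
plugin_sanity_check()
{
  if [ -z "$DMZ_IP" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not (properly) setup!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ !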
-f "$CONF_FILE" ]; then 182 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 183 | else 184 | # Source the plugin config file 185 | . "$CONF_FILE" 186 | 187 | if [ "$ENABLED" = "1" ] || 188 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 189 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 190 | # Show who we are: 191 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 192 | 193 | # Increment indention 194 | INDENT="$INDENT " 195 | 196 | # Only proceed if environment ok 197 | if ! plugin_sanity_check; then 198 | PLUGIN_RET_VAL=1 199 | else 200 | case $PLUGIN_CMD in 201 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 202 | stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; 203 | status ) plugin_status; PLUGIN_RET_VAL=$? ;; 204 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 205 | esac 206 | fi 207 | fi 208 | fi 209 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/plugins/10mac-address-filter.plugin: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # -= Arno's Iptables Firewall(AIF) - MAC Address Filter plugin =- 3 | # 4 | PLUGIN_NAME="MAC Address Filter plugin" 5 | PLUGIN_VERSION="1.1b" 6 | PLUGIN_CONF_FILE="mac-address-filter.conf" 7 | # 8 | # Last changed : July 21, 2015 9 | # Requirements : ipt_mac module 10 | # Comments : This plugin allows you to select the MAC addresses 11 | # that are allowed access for the specified interfaces 12 | # (eg. INT_IF) 13 | # 14 | # Author : (C) Copyright 2010-2015 by Arno van Amersfoort 15 | # Web : https://github.com/arno-iptables-firewall/aif 16 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 17 | # (note: you must remove all spaces and substitute the @ and the . 
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# Plugin start function
#
# Builds the MAC_FILTER chain from $MAC_ADDRESS_FILE and hooks it into INPUT
# and FORWARD (via MAC_FILTER_HOOK) for the interfaces in $MAC_ADDRESS_IF.
# Packets from a listed MAC (optionally restricted to a source IP) RETURN;
# broadcast/multicast destinations RETURN; everything else on those
# interfaces is sent to POST_INPUT_DROP_CHAIN. Note the filter is fail-closed:
# an empty or unreadable MAC file leaves only the broadcast exceptions, so all
# hosts on the filtered interfaces are dropped.
#
# NOTE: a source MAC is trivially forged on the local segment, so this is an
# access-control convenience for the LAN, not authentication; the optional IP
# column narrows each entry but does not change that.
plugin_start()
{
  # Probe the MAC match module (xt_mac / ipt_mac):
  modprobe_multi xt_mac ipt_mac # Allows specifying MAC address

  # Create new chains (the -N may fail if they already exist; -F then empties them)
  iptables -N MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER_HOOK
  iptables -N MAC_FILTER 2>/dev/null
  iptables -F MAC_FILTER

  echo " Using interface(s): $MAC_ADDRESS_IF"

  # Here we filter the internal hosts using their MAC address (if used)
  #####################################################################

  # Setup the mac addresses from our file
  printf "${INDENT}(Re)loading allowed internal MAC addresses from $MAC_ADDRESS_FILE: "

  # Allow IPv4 broadcasts and IPv6 "link-scope all-hosts multicast"
  ip4tables -A MAC_FILTER -d 255.255.255.255 -j RETURN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A MAC_FILTER -d ff02::1 -j RETURN
  fi

  #iptables -A MAC_FILTER -m pkttype --pkt-type ! unicast -j RETURN
  #iptables -A MAC_FILTER -m addrtype --dst-type BROADCAST -j RETURN
  # Directed broadcasts: use the configured addresses when given, otherwise
  # derive classful (.255) broadcast addresses from each IPv4 INTERNAL_NET.
  if [ -n "$INT_NET_BCAST_ADDRESS" ]; then
    IFS=' ,'
    for address in $INT_NET_BCAST_ADDRESS; do
      iptables -A MAC_FILTER -d $address -j RETURN
    done
  else
    IFS=' ,'
    for net in $INTERNAL_NET; do
      get_numeric_ip_version "$net"
      case $? in
        4)
          # The three rules below only replace trailing octets with 255; for a
          # non-classful subnet the real directed broadcast may differ, in which
          # case INT_NET_BCAST_ADDRESS should be set explicitly.
          # Class C net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2"."$3".255" }') -j RETURN

          # Class B net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1"."$2".255.255" }') -j RETURN

          # Class A net
          ip4tables -A MAC_FILTER -d $(echo "$net" |awk -F. '{ print $1".255.255.255" }') -j RETURN
          ;;
      esac
    done
  fi

  # Number of entries loaded from the MAC file (reported at the end)
  MCOUNT=0

  # File format: one entry per line, "<mac> [source-ip]"; '#' starts a comment
  # and trailing blanks are stripped. A missing source IP means any (0/0).
  # Fields are expanded unquoted into the iptables call and are not validated
  # here; a malformed entry makes that single iptables call fail, but MCOUNT is
  # still incremented, so the "N loaded" total can overstate the active rules.
  IFS='
'
  for LINE in `cat "$MAC_ADDRESS_FILE" |sed -e 's|#.*||' -e 's| *$||'`; do
    if [ -n "$LINE" ]; then
      src_mac="$(echo "$LINE" |awk '{ print $1 }')"
      src_ip="$(echo "$LINE" |awk '{ print $2 }')"

      if [ -z "$src_ip" ]; then
        src_ip="0/0"
      fi

      MCOUNT=$((MCOUNT + 1))
      iptables -A MAC_FILTER -m mac --mac-source $src_mac -s $src_ip -j RETURN
    fi
  done

  # Optional rate-limited logging of what is about to be dropped
  if [ "$MAC_ADDRESS_LOG" = "1" ]; then
    iptables -A MAC_FILTER \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:MAC address dropped: "
  fi


  # Anyone else is dropped (this also covers FORWARD traffic, see the hook below)
  iptables -A MAC_FILTER -j POST_INPUT_DROP_CHAIN

  # Only traffic entering on the configured interfaces is filtered
  IFS=' ,'
  for interface in $MAC_ADDRESS_IF; do
    iptables -A MAC_FILTER_HOOK -i $interface -j MAC_FILTER
  done

  # Insert chains (appended, so they are evaluated after rules already in INPUT/FORWARD)
  iptables -A INPUT -j MAC_FILTER_HOOK
  iptables -A FORWARD -j MAC_FILTER_HOOK

  echo "$MCOUNT loaded"

  return 0
}


# Plugin stop function
# Unhooks MAC_FILTER_HOOK from INPUT/FORWARD and removes both chains.
plugin_stop()
{
  iptables -D INPUT -j MAC_FILTER_HOOK 2>/dev/null
  iptables -D FORWARD -j MAC_FILTER_HOOK 2>/dev/null

  iptables -F MAC_FILTER_HOOK
  iptables -X MAC_FILTER_HOOK 2>/dev/null

  iptables -F MAC_FILTER
  iptables -X MAC_FILTER 2>/dev/null

  return 0
}


# Plugin status function (no output at present)
plugin_status()
{
  # iptables -xnvL MAC_FILTER |sed -e "s/^/$INDENT/"
  return 0
}


# Check sanity of eg. environment
# Requires $MAC_ADDRESS_FILE to exist and $MAC_ADDRESS_IF to be set.
# NOTE(review): -f checks existence only, not readability; an unreadable file
# passes here and plugin_start then loads zero entries (fail-closed, see above).
plugin_sanity_check()
{
  if [ ! -f "$MAC_ADDRESS_FILE" ]; then
    printf "\033[40m\033[1;31m${INDENT}NOTE: Cannot read the allowed internal MAC address file \"$MAC_ADDRESS_FILE\".\033[0m\n" >&2
    return 1
  fi

  if [ -z "$MAC_ADDRESS_IF" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (it is executed as shell, so it must only be
  # writable by the user running the firewall)
  . "$CONF_FILE"

  # Run when enabled; stop/status are also honored for a loaded plugin
  # (PLUGIN_LOAD_FILE set) even if ENABLED is no longer 1
  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      # An empty PLUGIN_CMD is treated as "start"
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status ) plugin_status; PLUGIN_RET_VAL=$? ;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
      esac
    fi
  fi
fi
--------------------------------------------------------------------------------
/contrib/adsl-failover:
--------------------------------------------------------------------------------
#!/bin/bash

# This script was written by Mark Cleverdon 22/11/2007 under the GPL license
# email: mark at lanzarote1.com
#
# For automatic Failover from the main external network provider on failure
# to a dialup modem or UMTS modem connection.
#
# REQUIREMENTS
# You must have IP forwarding enabled in the system.
# ADSL connection with a static IP
# wvdial must be installed and setup with a script that works for your service provider.
# A firewall like Arno's iptables firewall script or shorewall etc
#
# You can set this script in the system cron to check the connection at regular time intervals.
#
# METHODS USED IN THIS SCRIPT
# We have both eth1 and ppp0 as external interfaces in iptables, if both were functioning at the same time
# we would have load balancing (which could get expensive), but here we only need one active connection so
# all we need to do is to adjust the dynamic IP address of the dialup connection in the firewall when there
# is a problem in order to allow routing through the dialup device. Once the emergency is over we can
# cancel the dialup connection and the original routing will continue as usual with no need to adjust
# the firewall again. When a new failure happens then the new IP address is assigned to the second external
# interface (normally ppp0) and the firewall restarted to allow routing.
#
# PARAMETERS HERE
# The normal external interface (DSL or cable etc)
interface="eth1"
# Static public IP of the normal external interface. "XXX.XXX.XXX.XXX" is a
# placeholder that must be replaced: it is used as the gateway for the
# connectivity-test routes added further down.
normal_ext_ip="XXX.XXX.XXX.XXX"
# Admin email address for failover notification (receives the new failover IP)
admin_email="admin@your-domain"
# The dialup device PCMCIA UMTS card or regular modem will normally be a ttyS0/1/2/3 etc
# But here you need the device that wvdial returns which is generally ppp0
dialup_if="ppp0"
# Full path and name of your firewall script I use Arno's iptables firewall
# NOTE: this file is rewritten in place on failover (a datestamped backup copy
# is taken first), so point it at the real config file.
firewall="/etc/arno-iptables-firewall/firewall.conf"
# The /etc/init.d/firewall-script that your system uses to restart the firewall
firestarter="/etc/init.d/arno-iptables-firewall"
# WARNING if you are not using Arno's firewall script you will need to edit the sed commands parameters below
# eg. on line 111 of this script
# sed 's/\(search string just before substitution \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall
#
# The wvdial command for dialup (you must set this up previously)
# eg. this would be like "myserver:#/wvdial internet" on the command line
connection="internet"
# The following are the ip address of any reliable public server ie. google.com
# if all three servers fail then the dialup connection will be started.
# But beware of ping_server1, it must be the most reliable of the three because
# it is used in further tests on its own.
# Further, note it is important to use IP addresses and not domain names because if
# your system is totally isolated you will not be able to do name resolution.
52 | ping_server1="64.233.167.99" 53 | ping_server2="216.109.112.135" 54 | ping_server3="66.45.254.244" 55 | 56 | route add $ping_server1 gw $normal_ext_ip 57 | if (ping -w 5 -nq -I $interface $ping_server1 |grep '100%\ packet\ loss' 2>&1>/dev/null) then 58 | SERVER1="DOWN" 59 | else 60 | SERVER1="UP" 61 | fi 62 | route del $ping_server1 63 | route add $ping_server2 gw $normal_ext_ip 64 | if (ping -w 5 -nq -I $interface $ping_server2 |grep '100%\ packet\ loss' 2>&1>/dev/null) then 65 | SERVER2="DOWN" 66 | else 67 | SERVER2="UP" 68 | fi 69 | route del $ping_server2 70 | route add $ping_server3 gw $normal_ext_ip 71 | if (ping -w 5 -nq -I $interface $ping_server3 |grep '100%\ packet\ loss' 2>&1>/dev/null) then 72 | SERVER3="DOWN" 73 | else 74 | SERVER3="UP" 75 | fi 76 | route del $ping_server3 77 | 78 | 79 | if [ "$SERVER1" = "DOWN" ] && [ "$SERVER2" = "DOWN" ] && [ "$SERVER3" = "DOWN" ] 80 | then 81 | echo "WARNING! -- We have an internet connection problem. I will attempt to discover the situation and fix it." 82 | if [[ "$interface"="eth1" ]] 83 | then 84 | echo . 85 | # Check to see if we have any connection at all (if not we dial) 86 | if (ping -w 5 -nq $ping_server1|grep '100%\ packet\ loss' 2>&1>/dev/null) 87 | then 88 | # Check for existing wvdial processes that may be hungup 89 | if (ps ax|grep wvdial) 90 | then 91 | echo "finishing any previous hung connection" 92 | killall wvdial 93 | sleep 15 94 | fi 95 | echo . 96 | echo "Dialing out ...." 97 | wvdial $connection & 98 | sleep 25 99 | if (ping -w 5 -nq -I $dialup_if $ping_server1|grep -v '100%\ packet\ loss' 2>&1>/dev/null) 100 | then 101 | # Pick up the new IP for adjusting the firewall script. 102 | OUT_IP=`ifconfig|grep -A 2 $dialup_if|grep inet\ addr:|sed 's/.*inet\ addr\:\([0-9]*.[0-9]*.[0-9]*.[0-9]*\).*/\1/g'` 103 | echo . 104 | echo "New public IP address is <$OUT_IP> from UMTS/dialup device $dialup." 105 | echo . 106 | echo "Restarting the Firewall routing for new connection." 107 | echo . 
108 | # Make sure the original firewall script is saved (here we datestamp it just in case) 109 | cp -p $firewall $firewall.`date +"%d%m%Y%H%M%S"` 110 | sed 's/\(NAT_STATIC_IP="$normal_ext_ip \)[0-9]*.[0-9]*.[0-9]*.[0-9]*/\1'$OUT_IP'/g' $firewall >/tmp/firewall.conf 111 | mv /tmp/firewall.conf $firewall 112 | $firestarter restart 113 | # Get myself a copy of all this stuff for a remote firewall setup etc. 114 | echo "The ADSL connection has failed">/tmp/ifconfig_ppp0 115 | echo ".">>/tmp/ifconfig_ppp0 116 | echo "The new IP address is $OUT_IP">>/tmp/ifconfig_ppp0 117 | ifconfig $dialup_if>>/tmp/ifconfig_ppp0 118 | echo $OUT_IP>/tmp/FAILOVER_IP 119 | mail -s "FAILOVER IP $OUT_IP" $admin_email /tmp/FAILOVER_IP 134 | echo "The ADSL connection has failed">/tmp/ifconfig_ppp0 135 | echo ".">>/tmp/ifconfig_ppp0 136 | echo "The new IP address is $OUT_IP2">>/tmp/ifconfig_ppp0 137 | echo ".">>/tmp/ifconfig_ppp0 138 | ifconfig $dialup_if>>/tmp/ifconfig_ppp0 139 | mail -s "NEW FAILOVER IP $OUT_IP2" $admin_email &1>/dev/null 151 | echo "The ADSL connection is now working">/tmp/ifconfig 152 | echo ".">>/tmp/ifconfig 153 | echo "Use the original connection information to connect">>/tmp/ifconfig 154 | echo ".">>/tmp/ifconfig 155 | mail -s "FAILOVER STOPED - ADSL OK" $admin_email /dev/null 38 | iptables -F PPTP_VPN_INPUT 39 | 40 | iptables -N PPTP_VPN_FORWARD_IN 2>/dev/null 41 | iptables -F PPTP_VPN_FORWARD_IN 42 | 43 | iptables -N PPTP_VPN_FORWARD_OUT 2>/dev/null 44 | iptables -F PPTP_VPN_FORWARD_OUT 45 | 46 | IFS=' ,' 47 | for eif in $EXT_IF; do 48 | case $eif in 49 | ppp+) 50 | echo "${INDENT}ERROR: Cannot distinguish between external and PPTP-VPN 'ppp+' interfaces." 51 | echo "${INDENT} ${PLUGIN_NAME} functionally is disabled." 
52 | return 0 53 | ;; 54 | ppp[0-9]*) 55 | ppp_ifs="$ppp_ifs${ppp_ifs:+ }$eif" 56 | ;; 57 | esac 58 | done 59 | 60 | # Setup PPTP VPN rules 61 | if [ -n "$ppp_ifs" ]; then 62 | echo "${INDENT}Excluding external interfaces '$ppp_ifs' from PPTP VPN" 63 | IFS=' ,' 64 | for eif in $ppp_ifs; do 65 | iptables -A PPTP_VPN_INPUT -i $eif -j RETURN 66 | iptables -A PPTP_VPN_FORWARD_IN -i $eif -j RETURN 67 | iptables -A PPTP_VPN_FORWARD_OUT -o $eif -j RETURN 68 | done 69 | fi 70 | if [ -n "$PPTP_VPN_ALLOW_HOSTS" ]; then 71 | echo "${INDENT}Allowing PPTP VPN packets to hosts: $PPTP_VPN_ALLOW_HOSTS" 72 | IFS=' ,' 73 | for host in $PPTP_VPN_ALLOW_HOSTS; do 74 | iptables -A PPTP_VPN_INPUT -d $host -j ACCEPT 75 | iptables -A PPTP_VPN_FORWARD_IN -d $host -j ACCEPT 76 | iptables -A PPTP_VPN_FORWARD_OUT -s $host -j ACCEPT 77 | done 78 | fi 79 | if [ -n "$PPTP_VPN_DENY_HOSTS" ]; then 80 | echo "${INDENT}Denying PPTP VPN packets to hosts: $PPTP_VPN_DENY_HOSTS" 81 | IFS=' ,' 82 | for host in $PPTP_VPN_DENY_HOSTS; do 83 | if [ "$PPTP_VPN_DENY_LOG" = "1" ]; then 84 | iptables -A PPTP_VPN_INPUT -d $host -m limit --limit 3/m -j LOG \ 85 | --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " 86 | iptables -A PPTP_VPN_FORWARD_IN -d $host -m limit --limit 3/m -j LOG \ 87 | --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " 88 | iptables -A PPTP_VPN_FORWARD_OUT -s $host -m limit --limit 3/m -j LOG \ 89 | --log-level $LOGLEVEL --log-prefix "AIF:PPTP-VPN denied: " 90 | fi 91 | iptables -A PPTP_VPN_INPUT -d $host -j DROP 92 | iptables -A PPTP_VPN_FORWARD_IN -d $host -j DROP 93 | iptables -A PPTP_VPN_FORWARD_OUT -s $host -j DROP 94 | done 95 | fi 96 | # Default policy, allow all the rest 97 | iptables -A PPTP_VPN_INPUT -j ACCEPT 98 | iptables -A PPTP_VPN_FORWARD_IN -j ACCEPT 99 | iptables -A PPTP_VPN_FORWARD_OUT -j ACCEPT 100 | 101 | # Filter ppp+ traffic related to the PPTP VPN 102 | if [ -n "$PPTP_VPN_NETS" ]; then 103 | echo "${INDENT}Applying rules for PPTP VPN nets 
$PPTP_VPN_NETS" 104 | IFS=' ,' 105 | for net in $PPTP_VPN_NETS; do 106 | # Adjust spoof check 107 | iptables -I SPOOF_CHK -i ppp+ -s $net -j RETURN 108 | 109 | # Insert rule in the INPUT chain 110 | iptables -A INPUT -i ppp+ -s $net -j PPTP_VPN_INPUT 111 | 112 | # Insert rules in the FORWARD chain 113 | iptables -A FORWARD -i ppp+ -s $net -j PPTP_VPN_FORWARD_IN 114 | iptables -A FORWARD -o ppp+ -d $net -j PPTP_VPN_FORWARD_OUT 115 | done 116 | fi 117 | 118 | echo "${INDENT}Allowing internet hosts $PPTP_VPN_TUNNEL_HOSTS to access the PPTP VPN service" 119 | IFS=' ,' 120 | for host in $(ip_range "$PPTP_VPN_TUNNEL_HOSTS"); do 121 | iptables -A EXT_INPUT_CHAIN -p gre -s $host -j ACCEPT 122 | iptables -A EXT_INPUT_CHAIN -p tcp --dport 1723 -s $host -j ACCEPT 123 | done 124 | 125 | return 0 126 | } 127 | 128 | 129 | # Plugin restart function 130 | plugin_restart() 131 | { 132 | 133 | # Skip plugin_stop on a restart 134 | plugin_start 135 | 136 | return 0 137 | } 138 | 139 | 140 | # Plugin stop function 141 | plugin_stop() 142 | { 143 | 144 | iptables -F PPTP_VPN_INPUT 145 | iptables -X PPTP_VPN_INPUT 2>/dev/null 146 | 147 | iptables -F PPTP_VPN_FORWARD_IN 148 | iptables -X PPTP_VPN_FORWARD_IN 2>/dev/null 149 | 150 | iptables -F PPTP_VPN_FORWARD_OUT 151 | iptables -X PPTP_VPN_FORWARD_OUT 2>/dev/null 152 | 153 | return 0 154 | } 155 | 156 | 157 | # Plugin status function 158 | plugin_status() 159 | { 160 | return 0 161 | } 162 | 163 | 164 | # Check sanity of eg. 
environment 165 | plugin_sanity_check() 166 | { 167 | # Sanity check 168 | if [ -z "$PPTP_VPN_TUNNEL_HOSTS" ]; then 169 | printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 170 | return 1 171 | fi 172 | 173 | return 0 174 | } 175 | 176 | 177 | ############ 178 | # Mainline # 179 | ############ 180 | 181 | # Check where to find the config file 182 | CONF_FILE="" 183 | if [ -n "$PLUGIN_CONF_PATH" ]; then 184 | CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" 185 | fi 186 | 187 | # Preinit to success: 188 | PLUGIN_RET_VAL=0 189 | 190 | # Check if the config file exists 191 | if [ ! -f "$CONF_FILE" ]; then 192 | printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 193 | else 194 | # Source the plugin config file 195 | . "$CONF_FILE" 196 | 197 | if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || 198 | [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || 199 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || 200 | [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then 201 | # Show who we are: 202 | echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" 203 | 204 | # Increment indention 205 | INDENT="$INDENT " 206 | 207 | # Only proceed if environment ok 208 | if ! plugin_sanity_check; then 209 | PLUGIN_RET_VAL=1 210 | else 211 | case $PLUGIN_CMD in 212 | start|'') plugin_start; PLUGIN_RET_VAL=$? ;; 213 | restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; 214 | stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; 215 | status ) plugin_status; PLUGIN_RET_VAL=$? 
;; 216 | * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; 217 | esac 218 | fi 219 | fi 220 | fi 221 | -------------------------------------------------------------------------------- /share/arno-iptables-firewall/aif-job-processor: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # ------------------------------------------------------------------------------ 4 | # -= Arno's Iptables Firewall(AIF) =- 5 | # Single- & multi-homed firewall script with DSL/ADSL support 6 | # 7 | # ~ In memory of my dear parents ~ 8 | # 9 | # (C) Copyright 2001-2021 by Arno van Amersfoort & Lonnie Abelbeck 10 | # Web : https://github.com/arno-iptables-firewall/aif 11 | # Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m 12 | # (note: you must remove all spaces and substitute the @ and the . 13 | # at the proper locations!) 14 | # ------------------------------------------------------------------------------ 15 | # This program is free software; you can redistribute it and/or 16 | # modify it under the terms of the GNU General Public License 17 | # version 2 as published by the Free Software Foundation. 18 | 19 | # This program is distributed in the hope that it will be useful, 20 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | # GNU General Public License for more details. 23 | 24 | # You should have received a copy of the GNU General Public License 25 | # along with this program; if not, write to the Free Software 26 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# ------------------------------------------------------------------------------

# Location of the main configuration file for the firewall
##########################################################
CONF_FILE=/etc/arno-iptables-firewall/firewall.conf

# Set environment variables to default
VERBOSE=0

# Default sleep time (in minutes)
SLEEP_TIME=1

# Check sanity of environment
# Requires JOBS_FILE (expected from the sourced environment file) to be set
# and to exist. Returns 0 when ok, 1 otherwise.
sanity_check()
{
  if [ -z "$JOBS_FILE" ]; then
    echo "** ERROR: Missing JOBS_FILE declaration in environment file!" >&2
    return 1
  fi

  if [ ! -f "$JOBS_FILE" ]; then
    echo "** ERROR: JOBS_FILE($JOBS_FILE) does not exist!" >&2
    return 1
  fi

  return 0
}


# Sleep up to $1 minutes, polling once a second for the removal of file $2.
# Returns 0 as soon as the file is gone, 1 when the full time elapsed.
# $1 is used unquoted in an arithmetic comparison, so it must be an integer.
idle_wait()
{
  local time="$1" chk_file="$2" cnt=0

  while [ $((cnt / 60)) -lt $time ]; do
    cnt=$((cnt + 1))
    sleep 1

    # Check for file removal
    if [ ! -f "$chk_file" ]; then
      return 0
    fi
  done

  return 1
}


# (Background) job processor
#
# Runs until $JOBS_FILE disappears. Each line of the jobs file is
# "<name> <interval> <elapsed> <path...>" (first three fields space-separated,
# the remainder is the path). Every pass adds SLEEP_TIME to <elapsed>; when it
# reaches <interval> the job is run through $JOB_EXECUTER and <elapsed> is
# reset to 0. Note the countdown advances by SLEEP_TIME per pass, not by
# measured wall-clock time, so a slow job stretches the effective interval.
# lock_enter/lock_leave, log_msg, EOL, JOBS_LOCK_NAME and JOB_EXECUTER are not
# defined here; they are presumably provided by the sourced config/environment.
job_process()
{
  local LINE SCRIPT_NAME SCRIPT_SET_TIME SCRIPT_CUR_TIME SCRIPT_PATH READ_JOBS_FILE result retval

  [ $VERBOSE -eq 1 ] && echo "Starting jobs process..."

  # Loop (until JOBS_FILE is deleted)
  while true; do
    # Enter critical section:
    if ! lock_enter "$JOBS_LOCK_NAME"; then
      # Lock failed, just keeping trying forever since there's no point in exiting here
      [ $VERBOSE -eq 1 ] && echo "Lock failed, (re)trying next loop..."
    else
      # Snapshot the file; the loop below rewrites it line by line with sed -i
      READ_JOBS_FILE="$(cat "$JOBS_FILE" 2>/dev/null)"

      IFS=$EOL
      for LINE in $READ_JOBS_FILE; do
        SCRIPT_NAME="$(echo "$LINE" |cut -d' ' -f1)"
        SCRIPT_SET_TIME="$(echo "$LINE" |cut -d' ' -f2)"
        SCRIPT_CUR_TIME="$(echo "$LINE" |cut -d' ' -f3)"
        SCRIPT_PATH="$(echo "$LINE" |cut -d' ' -f1,2,3 --complement)"

        # Increment current time (in minutes)
        SCRIPT_CUR_TIME=$((SCRIPT_CUR_TIME + SLEEP_TIME))

        [ $VERBOSE -eq 1 ] && echo "Processing job \"$SCRIPT_NAME\"..."

        if [ $SCRIPT_CUR_TIME -ge $SCRIPT_SET_TIME ]; then
          [ $VERBOSE -eq 1 ] && echo " Countdown reached, running job \"$SCRIPT_NAME\"..."

          # Create extra FD: the job's stdout goes to FD 3 (console when verbose,
          # else /dev/null) while its stderr is captured into $result below
          if [ $VERBOSE -ne 1 ]; then
            exec 3>/dev/null
          else
            exec 3>&1
          fi

          result="$("$JOB_EXECUTER" "$SCRIPT_PATH" 2>&1 1>&3)"
          retval=$?

          # Release extra FD
          exec 3>&-

          # In case an error occurred, log it
          if [ $retval -ne 0 ]; then
            echo "$result (error=$retval)" >&2
            echo "$result (error=$retval)" |log_msg "${SCRIPT_NAME}: "
          elif [ -n "$result" -a $VERBOSE -eq 1 ]; then
            echo "$result"
          fi

          # Reset counter
          SCRIPT_CUR_TIME=0
        fi

        # As soon as the jobs file gets removed, stop processing (and terminate)
        if [ ! -f "$JOBS_FILE" ]; then
          # Leave critical section:
          lock_leave "$JOBS_LOCK_NAME"

          return 0 # We're done
        fi

        # Update job
        # NOTE(review): SCRIPT_NAME and SCRIPT_PATH are spliced into the sed
        # program unescaped with ',' as delimiter; a comma, '&' or regex
        # metacharacter in either would break or misapply the substitution.
        # Keep job names/paths to plain characters.
        sed -i "s,^$SCRIPT_NAME[[:blank:]].*,$SCRIPT_NAME $SCRIPT_SET_TIME $SCRIPT_CUR_TIME $SCRIPT_PATH," "$JOBS_FILE"
      done
    fi

    # Leave critical section:
    # NOTE(review): this also runs when lock_enter failed above; confirm
    # lock_leave tolerates being called without a held lock.
    lock_leave "$JOBS_LOCK_NAME"
    #if ! lock_leave "$JOBS_LOCK_NAME"; then
    #  [ $VERBOSE -eq 1 ] && echo "Lock removal failed, terminating..."
    #  return 1
    #fi

    [ $VERBOSE -eq 1 ] && echo "Sleeping $SLEEP_TIME minutes..."

    # Idle wait SLEEP_TIME minutes unless the jobs gets removed
    if idle_wait "$SLEEP_TIME" "$JOBS_FILE"; then
      [ $VERBOSE -eq 1 ] && echo "Jobs file removed, terminating..."
      return 0 # No jobs file: We're done
    fi
  done

  return 0
}


# Print usage to stderr
show_help()
{
  echo "Usage: $(basename $0) [options]" >&2
  echo "" >&2
  echo "Options:" >&2
  echo "--help|-h - Print this help" >&2
  echo "--verbose - Be verbose with displaying info (only recommended when not backgrounded!)" >&2
  echo "--sleep=n|-s=n - Sleep n minutes after each run (default is 1)" >&2
  echo ""
}


# Parse command line options into SLEEP_TIME / VERBOSE; exits on --help or
# on a bad argument. Parsing stops at the first empty argument.
# NOTE(review): the --sleep value is not validated here; a non-integer would
# later break the arithmetic in idle_wait and job_process.
process_commandline()
{
  # Check arguments
  while [ -n "$1" ]; do
    ARG="$1"
    ARGNAME="${ARG%%=*}"
    # Can't directly obtain value as = is optional!:
    ARGVAL="${ARG#$ARGNAME}"
    ARGVAL="${ARGVAL#=}"

    case "$ARGNAME" in
      --sleep|-s) SLEEP_TIME="$ARGVAL";;
      --verbose|-v) VERBOSE=1;;
      --help|-h) show_help
                 exit 0
                 ;;
      -*) echo "ERROR: Bad argument \"$ARG\"" >&2
          echo "" >&2
          show_help
          exit 1
          ;;
      *) echo "ERROR: Bad command syntax with argument \"$ARG\"" >&2
         echo "" >&2
         show_help
         exit 1
         ;;
    esac

    shift # Next argument
  done
}


############
# Mainline #
############

# $* is unquoted, so arguments containing whitespace are word-split
process_commandline $*

if [ ! -f "$CONF_FILE" ]; then
  echo "ERROR: Could not read configuration file ($CONF_FILE)!" >&2
  echo "" >&2
  exit 1
fi

# Source config file (executed as shell; it must only be writable by the
# user running this processor)
. "$CONF_FILE"

# Check if the environment file exists and if so, load it
# (looked up next to this script, relative to how it was invoked)
#########################################################
ENV_FILE="${0%/*}/environment"

if [ ! -f "$ENV_FILE" ]; then
  echo "** ERROR: Unable to locate environment file \"$ENV_FILE\"!" >&2
  exit 2
fi

# Source environment file
. "$ENV_FILE"

# Only proceed if environment ok
if sanity_check; then
  job_process
fi
--------------------------------------------------------------------------------
/share/arno-iptables-firewall/plugins/95adaptive-ban.plugin:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# -= Arno's Iptables Firewall(AIF) - Adaptive Ban plugin =-
#
PLUGIN_NAME="Adaptive Ban plugin"
PLUGIN_VERSION="1.04 BETA"
PLUGIN_CONF_FILE="adaptive-ban.conf"
#
# Last changed : February 3, 2019
# Requirements : AIF 2.1.0 (or newer)
# Comments : Parse a log file for failed access with offending IP addresses
# Ban the IP address after multiple failed attempts
#
# Author : (C) Copyright 2010-2019 by Arno van Amersfoort & Lonnie Abelbeck
# Credits : AstLinux Project
# Homepage : https://www.astlinux-project.org/
# Credits : Fail2ban Project
# Homepage : https://www.fail2ban.org/
# Credits : Arno van Amersfoort
# Web : https://github.com/arno-iptables-firewall/aif
# Email : a r n o DOT v a n DOT a m e r s f o o r t AT g m a i l DOT c o m
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------

# (Background) job name
JOB_NAME="adaptive-ban"

# (Background) job helper script
JOB_HELPER_SCRIPT="$PLUGIN_BIN_PATH/adaptive-ban-helper"

# Plugin start function
#
# Sets up two chains: ADAPTIVE_BAN_DROP_CHAIN (rate-limited LOG, then REJECT
# or DROP) as the target for banned sources, and ADAPTIVE_BAN_CHAIN, which
# starts with RETURN rules for whitelisted nets/hosts and is inserted at the
# top of INPUT and FORWARD. The background job ($JOB_HELPER_SCRIPT) is then
# registered; it is expected to append the actual ban rules to
# ADAPTIVE_BAN_CHAIN after the whitelist entries, so whitelisted sources are
# never reached by a ban.
plugin_start()
{
  local host net IFS

  iptables -N ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_DROP_CHAIN
  # The limit is chain-wide (not per source): at most one log line per hour
  # in total for banned traffic
  iptables -A ADAPTIVE_BAN_DROP_CHAIN -m limit --limit 1/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Adaptive-Ban host: "
  # ADAPTIVE_BAN_REJECT=1 answers with ICMP unreachable instead of silently dropping
  if [ "$ADAPTIVE_BAN_REJECT" = "1" ]; then
    ip4tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp-host-unreachable
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A ADAPTIVE_BAN_DROP_CHAIN -j REJECT --reject-with icmp6-addr-unreachable
    fi
  else
    iptables -A ADAPTIVE_BAN_DROP_CHAIN -j DROP
  fi

  iptables -N ADAPTIVE_BAN_CHAIN 2>/dev/null
  iptables -F ADAPTIVE_BAN_CHAIN
  # Internal nets are whitelisted unless explicitly set to "0" (unset counts as on)
  if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" != "0" ]; then
    printf "${INDENT}Adaptive Ban - Whitelisting INTERNAL net(s): "
    IFS=' ,'
    for net in $INTERNAL_NET; do
      printf "$net "
      iptables -A ADAPTIVE_BAN_CHAIN -s $net -j RETURN
    done
    echo ""
  fi
  if [ -n "$ADAPTIVE_BAN_WHITELIST" ]; then
    printf "${INDENT}Adaptive Ban - Whitelisting host(s): "
    IFS=' ,'
    for host in $ADAPTIVE_BAN_WHITELIST; do
      printf "$host "
      iptables -A ADAPTIVE_BAN_CHAIN -s $host -j RETURN
    done
    echo ""
  fi

  # Insert rule in the INPUT chain (-I: evaluated before everything else in INPUT)
  # NOTE(review): a second plugin_start without an intervening flush would add a
  # duplicate jump; presumably the core flushes INPUT/FORWARD first — confirm.
  iptables -I INPUT -j ADAPTIVE_BAN_CHAIN

  # Insert rule in the FORWARD chain
  iptables -I FORWARD -j ADAPTIVE_BAN_CHAIN

  echo "${INDENT}File=$ADAPTIVE_BAN_FILE Time=$ADAPTIVE_BAN_TIME Count=$ADAPTIVE_BAN_COUNT Types=$ADAPTIVE_BAN_TYPES"

  # Create background job (runs the helper every ADAPTIVE_BAN_TIME minutes, default 2)
  if ! job_add "$JOB_NAME" "${ADAPTIVE_BAN_TIME:-2}" "$JOB_HELPER_SCRIPT"; then
    return 1
  fi

  return 0
}


# Plugin stop function
# Unhooks ADAPTIVE_BAN_CHAIN from INPUT/FORWARD and removes both chains
# (which also discards any bans currently in effect).
plugin_stop()
{
  printf "${INDENT}Adaptive Ban - Stopping... "

  iptables -D INPUT -j ADAPTIVE_BAN_CHAIN
  iptables -D FORWARD -j ADAPTIVE_BAN_CHAIN

  iptables -F ADAPTIVE_BAN_CHAIN
  iptables -X ADAPTIVE_BAN_CHAIN 2>/dev/null

  iptables -F ADAPTIVE_BAN_DROP_CHAIN
  iptables -X ADAPTIVE_BAN_DROP_CHAIN 2>/dev/null

  return 0
}


# Plugin status function
# Lists banned sources (rules targeting ADAPTIVE_BAN_DROP_CHAIN) and
# whitelisted sources (RETURN rules) by parsing the chain listing. The source
# column is $4 for IPv4 but $3 for IPv6 because ip6tables leaves the "opt"
# field blank, so awk's whitespace splitting yields one field fewer.
plugin_status()
{
  echo " Banned Hosts:"
  echo " =============================="
  ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$4 }'
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "ADAPTIVE_BAN_DROP_CHAIN" { print " "$3 }'
  fi
  echo " ------------------------------"
  echo ""

  echo " Whitelisted Hosts:"
  echo " =============================="
  ip4tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$4 }'
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -n -L ADAPTIVE_BAN_CHAIN | awk '$1 == "RETURN" { print " "$3 }'
  fi
  echo " ------------------------------"
  echo ""

  return 0
}


# Check sanity of eg. environment
# Requires the four ADAPTIVE_BAN_* settings, the helper script, and (on start)
# the log file to be present, plus the sort and uniq commands (presumably
# used by the helper).
# NOTE(review): the log-file check only runs when PLUGIN_CMD is literally
# "start"; the mainline also treats an empty PLUGIN_CMD as start, in which
# case a missing log file is not caught here.
plugin_sanity_check()
{
  if [ -z "$ADAPTIVE_BAN_FILE" -o -z "$ADAPTIVE_BAN_TIME" -o -z "$ADAPTIVE_BAN_COUNT" -o -z "$ADAPTIVE_BAN_TYPES" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
    return 1
  fi

  if [ ! -f "$JOB_HELPER_SCRIPT" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: The job helper script($JOB_HELPER_SCRIPT) can not be found!\033[0m\n" >&2
    return 1
  fi

  if [ "$PLUGIN_CMD" = "start" ] && [ ! -f "$ADAPTIVE_BAN_FILE" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Input log file $ADAPTIVE_BAN_FILE does not exist!\033[0m\n" >&2
    return 1
  fi

  if ! check_command sort; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required command sort is not available!\033[0m\n" >&2
    return 1
  fi

  if ! check_command uniq; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: Required command uniq is not available!\033[0m\n" >&2
    return 1
  fi

  return 0
}


############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
else
  # Source the plugin config file (executed as shell; keep it root-writable only)
  . "$CONF_FILE"

  # Run when enabled; stop/status are also honored for a loaded plugin
  # (PLUGIN_LOAD_FILE set) even if ENABLED is no longer 1
  if [ "$ENABLED" = "1" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
     [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      # An empty PLUGIN_CMD is treated as "start"
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$?;;
        stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
        status ) plugin_status; PLUGIN_RET_VAL=$?;;
        * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
      esac
    fi
  fi
fi
--------------------------------------------------------------------------------