PF-to-iptables-конвертер
#!/bin/sh # Simple pf to iptables converter # Enable compiling rules for other systems without # changing local iptables rules: if [ $dry_run = on ]; then IPT="echo iptables" elif [ $dry_run = off ]; then IPT="iptables" fi pass_out=" $IPT -A OUTPUT -j ACCEPT" block_out="$IPT -A OUTPUT -j DROP" pass_in=" $IPT -A INPUT -j ACCEPT" block_in="$IPT -A INPUT -j DROP" block_log="$IPT -A LOGGING -j DROP" match_out_log="$IPT -A LOGGING -j LOG --log-level 4 --log-uid" match_in_log=" $IPT -A LOGGING -j LOG --log-level 4" match_out_label="$IPT -A OUTPUT -j CONNMARK --set-mark" label="-m connmark --mark" on_o="-o" on_i="-i" log_label="--log-prefix" proto="-p" from="-s" from_not="! -s" to="-d" to_not="! -d" st_port="-m tcp --sport" dt_port="-m tcp --dport" su_port="-m udp --sport" du_port="-m udp --dport" to_ipset="dst,dst" from_ipset="src,src" for_ipset="-m set --match-set" ipt_module="-m" user="-m owner --uid-owner" user_not="-m owner ! --uid-owner" keep_state="-m state --state ESTABLISHED" #keep_state="-m state --state RELATED,ESTABLISHED" state_invalid="-m state --state INVALID" socket_exists="-m owner --socket-exists" clear_all(){ $IPT -F $IPT -X LOGGING } block_all(){ # Default policy is to block everything. $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP #for block_proto in udplite esp ah sctp; do ##for block_proto in udplite icmp esp ah sctp; do # $block_out $proto $block_proto #done } block_bug(){ # This function blocks packets which will not be allowed by iptables # anyway (kernel-iptables bug?). Currently works only with tcp. local intf=$1 #local our_proto=$2 local srcIP=$2 # local IP local dstIP=$3 # remote IP local dstPORT=$4 # remote port # Client: $block_out $on_o $intf $proto tcp $from $srcIP $to $dstIP $dt_port $dstPORT # Server: $block_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT $to $srcIP } block_bug_mports(){ # This function blocks all packets which will not be allowed by iptables # anyway (kernel-iptables bug?). It accepts list of ports. Currently works # only with tcp. local intf=$1 #local our_proto=$2 local srcIP=$2 local dstIP=$3 for i in $(seq 4 $#) ; do local dstPORT=$(eval echo "\$$i") block_bug $intf $srcIP $dstIP $dstPORT done } allow_out(){ # This function allows outgoing traffic and the corresponding replies. # The network myIP/24 is blocked. local intf=$1 local our_proto=$2 local srcIP=$3 # local IP local dstIP=$4 # remote IP local dstPORT=$5 # remote port local our_user=$6 if [ $dstIP = all ]; then if [ $our_proto = tcp ]; then $pass_out $on_o $intf $proto tcp $from $srcIP \ $to_not $srcIP/24 $dt_port $dstPORT $user $our_user $pass_in $on_i $intf $proto tcp $from_not $srcIP/24 $st_port $dstPORT \ $to $srcIP $keep_state elif [ $our_proto = udp ]; then $pass_out $on_o $intf $proto udp $from $srcIP \ $to_not $srcIP/24 $du_port $dstPORT $user $our_user $pass_in $on_i $intf $proto udp $from_not $srcIP/24 $su_port $dstPORT \ $to $srcIP $keep_state fi else if [ $our_proto = tcp ]; then $pass_out $on_o $intf $proto tcp $from $srcIP \ $to $dstIP $dt_port $dstPORT $user $our_user $pass_in $on_i $intf $proto tcp $from $dstIP $st_port $dstPORT \ $to $srcIP $keep_state elif [ $our_proto = udp ]; then $pass_out $on_o $intf $proto udp $from $srcIP \ $to $dstIP $du_port $dstPORT $user $our_user $pass_in $on_i $intf $proto udp $from $dstIP $su_port $dstPORT \ $to $srcIP $keep_state fi fi } allow_out_ipset(){ # This function allows outgoing traffic to particular ipset list # (hash:ip,proto:port) and the corresponding replies. It is supposed # that all protocols in ipset list are the same (either tcp or udp). local intf=$1 local our_proto=$2 local srcIP=$3 # local IP local ipset_list=$4 local our_user=$5 $pass_out $on_o $intf $proto $our_proto $from $srcIP \ $for_ipset $ipset_list $to_ipset $ipt_module $our_proto $user $our_user $pass_in $on_i $intf $proto $our_proto $to $srcIP \ $for_ipset $ipset_list $from_ipset $ipt_module $our_proto $keep_state } multi_allow_out(){ # This function allows outgoing traffic and the corresponding replies to the # list of hosts. The network myIP/24 is blocked. local intf=$1 local our_proto=$2 local srcIP=$3 # local IP local dstIPandPORT_list=$4 # Format: HOST:PORT local our_user=$5 old_IFS=$IFS cat $dstIPandPORT_list | sed 's/#.*//;/^[[:space:]]*$/d' \ | while IFS=: read dstIP dstPORT; do allow_out $intf $our_proto $srcIP $dstIP $dstPORT $our_user done IFS=$old_IFS } allow_out_tor(){ # This function allows outgoing traffic of tor users and the corresponding # replies. The function accepts list of Tor ports as argument. local intf=$1 local srcIP=$2 local dstIP=$3 local our_user=$(eval echo "\$$#") for i in $(seq 4 $(($#-1))) ; do local dstPORT=$(eval echo "\$$i") allow_out $intf tcp $srcIP $dstIP $dstPORT $our_user done } allow_in(){ # This function allows incoming traffic and the corresponding replies. local intf=$1 local our_proto=$2 local srcIP=$3 # remote side local dstIP=$4 # local side local dstPORT=$5 # local port local our_user=$6 if [ $our_proto = tcp ]; then $pass_in $on_i $intf $proto tcp $from $srcIP \ $to $dstIP $dt_port $dstPORT $pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \ $to $srcIP $user $our_user $keep_state elif [ $our_proto = udp ]; then $pass_in $on_i $intf $proto udp $from $srcIP \ $to $dstIP $du_port $dstPORT $pass_out $on_o $intf $proto udp $from $dstIP $su_port $dstPORT \ $to $srcIP $user $our_user $keep_state fi } allow_in_tor(){ # This function allows incoming tor traffic for tor user and the corresponding # replies. It also includes bug workaround to allow replies from user root. # The function accepts list of ports as argument. local intf=$1 local srcIP=$2 local dstIP=$3 local our_user=$(eval echo "\$$#") for i in $(seq 4 $(($#-1))) ; do local dstPORT=$(eval echo "\$$i") $pass_in $on_i $intf $proto tcp $from $srcIP \ $to $dstIP $dt_port $dstPORT $pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \ $to $srcIP $user $our_user $keep_state $pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \ $to $srcIP $user root $keep_state done } lh_filter(){ # This function allows both outgoing and incoming traffic on loopback interface. # It is also assumed that the same user runs both the client and the server. local dstPORT=$1 local our_user=$2 # Client side: allow_out lo tcp $lh $lh $dstPORT $our_user # Server (daemon) side: allow_in lo tcp $lh $lh $dstPORT $our_user } tor_lh_filter(){ # Experimental function, it consists of lh_filter + hacks to catch all Tor # traffic. It catches more than usual lh_filter, but not all. local dstPORT=$1 local our_user=$2 # Client side: $match_out_label 1 $on_o lo $proto tcp $from $lh \ $to $lh $dt_port $dstPORT $user $our_user $pass_out $on_o lo $proto tcp $from $lh \ $to $lh $dt_port $dstPORT $user $our_user $pass_in $on_i lo $proto tcp $from $lh $st_port $dstPORT \ $to $lh $keep_state $pass_in $on_i lo $proto tcp $from $lh $st_port $dstPORT \ $to $lh $label 1 # Server (daemon) side: $pass_in $on_i lo $proto tcp $from $lh \ $to $lh $dt_port $dstPORT $pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \ $to $lh $user $our_user $keep_state $pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \ $to $lh $keep_state $label 1 $pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \ $to $lh $label 1 } allow_dns(){ # This function allows DNS requests for particular user. local our_user=$1 #for DNS_server in $DNS_local_1 $DNS_local_2; do # allow_out $eIF udp $eIP $DNS_server 53 $our_user #done for DNS_server in $DNS_inet_1 $DNS_inet_2; do allow_out $oIF udp $oIP $DNS_server 53 $our_user done } allow_dhcp(){ local dhcp_server=$1 $pass_out $on_o $oIF $proto udp $from $az $su_port 68 \ $to $a255 $du_port 67 $user root $pass_in $on_i $oIF $proto udp $from $dhcp_server $su_port 67 \ $to $az $du_port 68 $keep_state } bug_workaround(){ # Experimental function. # An attempt to find workaround for iptables-tor-firefox bug. $pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \ $to $lh $socket_exists $user_not 0-2000 $keep_state $pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \ $to $lh $user_not 0-2000 $keep_state #$pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \ # $to $lh $socket_exists $user_not 0-2000 $state_invalid #$pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \ # $to $lh $user_not 0-2000 $state_invalid } start_logging(){ # Start of logging all dropped packets. # This function should be called at the end of the set of iptables rules. $IPT -N LOGGING $IPT -A OUTPUT -j LOGGING $IPT -A INPUT -j LOGGING } log_out(){ # Logging and blocking output connections. local our_log_label=$1 local intf=$2 local our_proto=$3 if [ $# -eq 3 ] ; then # Particular protocol $match_out_log $log_label ${our_log_label} $on_o $intf $proto $our_proto $block_log $on_o $intf $proto $our_proto elif [ $# -eq 2 ] ; then # All protocols $match_out_log $log_label ${our_log_label} $on_o $intf $block_log $on_o $intf else echo Wrong number of arguments in function log_out exit 8 fi } log_in(){ # Logging and blocking input connections. local our_log_label=$1 local intf=$2 local our_proto=$3 local dstIP=$4 if [ $# -eq 4 ] ; then # Particular protocol $match_in_log $log_label ${our_log_label} $on_i $intf $proto $our_proto \ $to $dstIP $block_log $on_i $intf $proto $our_proto $to $dstIP elif [ $# -eq 3 ] ; then # All protocols local dstIP=$3 $match_in_log $log_label ${our_log_label} $on_i $intf $to $dstIP $block_log $on_i $intf $to $dstIP elif [ $# -eq 1 ] ; then # All protocols and all IPs local intf=$1 $block_log $on_i $intf else echo Wrong number of arguments in function log_in exit 7 fi }
Комментариев нет [показать комментарии/форму]
Ваша оценка документа [показать результаты]