#!/bin/bash
# FiQs 3.2 (C) 2006 by INTRUX - All Rights Reserved
# Katalog roboczy dla skryptu i plikow konfiguracyjnych - nie zmieniaj!
WKDIR="/etc/firewall/"
# Zaladowanie konfiguracji z pliku main.cfg
if [ ! -f ${WKDIR}main.cfg ] ; then echo "Brak pliku konfiguracji main.cfg!" ; exit 1
else source ${WKDIR}main.cfg ; fi
# Okreslenie plikow lub zaladowanie wartosci z plikow konfiguracyjnych do zmiennych
CLIENT_FILE="${WKDIR}client.cfg"
IPF_FILE="${WKDIR}ipf.cfg"
IPFAST_FILE=`cat ${WKDIR}ipfast.cfg | cut -d'#' -f1`
ISERV_FILE="${WKDIR}iserv.cfg"
LAN_FILE="${WKDIR}lan.cfg"
MAC_FILE="${WKDIR}mac.cfg"
MSERV_FILE="${WKDIR}mserv.cfg"
NOPORT_FILE="${WKDIR}noport.cfg"
P2PT_FILE="${WKDIR}p2pt.cfg"
PFAST_FILE="${WKDIR}pfast.cfg"
PORTF_FILE="${WKDIR}portf.cfg"
# Wlaczenie debugowania (a wyjscie najlepiej skierowac do pliku)
if [ "$SCRIPT_DEBUG" == "yes" ] ; then set -x ; fi
# Zaladowanie alternatywnej konfiguracji klientow z pliku podanego jako 2 parametr startowy
if [ ! "$2" == "" ] ; then CLIENT_FILE="${WKDIR}$2" ; fi
# Gdy IP na interfejsie internetowym jest zmienne... odczytaj aktualne z interfejsu
if [ "$NAT_ON" == "masq" ] ; then INTERNET_IP=`ifconfig $INTERNET_DEV | grep "inet addr:" | cut -d':' -f2 | cut -d' ' -f1` ; fi
# Wyczyszczenie wszystkich tablic iptables
clear_table() {
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
}
# Ustawienie domyslnej polityki firewalla na DROP
set_drop() {
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
}
# Ustawienie domyslnej polityki firewalla na ACCEPT
set_accept() {
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
}
# Ruch na interfejsie lo
set_lo(){
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
}
# Zaladowanie modulow kernela
modules(){
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_nat_h323
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_h323
if [ "$PSDLOG" == "yes" ] ; then
modprobe ipt_recent
modprobe ipt_psd
fi
}
# Ustawienia zabezpieczen
kernel_secure() {
echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/tcp_timestamps
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
#logowanie "dziwnych" pakietow (spoofed, source routed, redirects...)
if [ "$MARTIAN_LOG" == "yes" ] ; then echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else echo "0" > /proc/sys/net/ipv4/conf/all/log_martians ; fi
#nie odpowiadamy na ping
if [ "$PING_OFF" == "yes" ] ; then echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all ; fi
#wlaczenie przekazywania pakietow przez router
echo "1" > /proc/sys/net/ipv4/ip_forward
#ustawienia limitow dla sesji tcp
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "36000" > /proc/sys/net/ipv4/ip_conntrack_max
echo "20" > /proc/sys/net/ipv4/ipfrag_time
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "86400" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
}
set_secure() {
#unclean
if [ "$UNCLEAN_ON" == "yes" ] ; then
if [ "$UNCLEAN_LOG" == "yes" ] ; then
iptables -A INPUT -m unclean -m limit --limit 1/h -j LOG --log-prefix "INPUT UNCL: "
fi
iptables -A INPUT -m unclean -j DROP
if [ "$UNCLEAN_LOG" == "yes" ] ; then
iptables -A FORWARD -m unclean -m limit --limit 1/h -j LOG --log-prefix "FORWD UNCL: "
fi
iptables -A FORWARD -m unclean -j DROP
fi
#syn flood (ochrona przed atakiem DoS)
if [ "$TCPSYN_ON" == "yes" ] ; then
iptables -N syn_flood
iptables -A syn_flood -m limit --limit ${TCPSYN_LIMIT_S}/s --limit-burst $TCPSYN_LIMIT_BURST -j RETURN
iptables -A syn_flood -m limit --limit ${TCPSYN_LIMIT_S}/s --limit-burst $TCPSYN_LIMIT_BURST -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn_flood -j DROP
if [ "$TCPSYN_DEV" == "" ] ; then TCPSYN_DEV="$INTERNET_DEV" ; fi
for x in $TCPSYN_DEV ; do
iptables -A INPUT -i $x -p tcp --syn -j syn_flood
done
fi
#blokowanie dostepu z/do okreslonych adresow IP
for x in $BADHOSTS ; do
iptables -A INPUT -s $x -j DROP ; iptables -A FORWARD -s $x -j DROP ; iptables -A OUTPUT -d $x -j DROP
done
#blokowanie portow dla polaczen internetowych klientow z LAN
cat $NOPORT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3 }' | while read PROTO IP PORT ; do
if [ ! `echo $PORT | grep ,` == "" ] ; then
iptables -A FORWARD -p $PROTO -s $IP -d 0/0 -m multiport --dport $PORT -j DROP
iptables -A FORWARD -p $PROTO -s 0/0 -d $IP -m multiport --sport $PORT -j DROP
else
iptables -A FORWARD -p $PROTO -s $IP -d 0/0 --dport $PORT -j DROP
iptables -A FORWARD -p $PROTO -s 0/0 -d $IP --sport $PORT -j DROP
fi
done
#blokowanie polaczen internetowych klientow z LAN przy pomocy modulu string
#NOSTRING_FILE="${WKDIR}nostring.cfg"
# cat $NOSTRING_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2 }' | while read IP STRING ; do
# iptables -A FORWARD -s 0/0 -d $IP -m string --string "$STRING" -j DROP
# iptables -A FORWARD -s $IP -d 0/0 -m string --string "$STRING" -j DROP
# done
#blokowanie ruchu pryw. klas adres., netbios i innych "smieci" na interfejsie internetowym
NOSMBIP="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8"
if [ "$NOSMB" == "yes" ] ; then
for x in $NOSMBIP ; do
iptables -A INPUT -i $INTERNET_DEV -s $x -j DROP
iptables -A OUTPUT -o $INTERNET_DEV -d $x -j DROP
iptables -A FORWARD -i $INTERNET_DEV -s $x -j DROP
iptables -A FORWARD -o $INTERNET_DEV -d $x -j DROP
done
fi
#blokowanie ruchu na portach netbios - interfejs internetowy (zapobieganie wirusom)
BPORTS="135-tcp 137-tcp 138-tcp 139-tcp 445-tcp 137-udp 138-udp 139-udp"
if [ "$BADPORTS" == "yes" ] ; then
for x in $BPORTS ; do PORT=`echo $x | cut -d'-' -f1` ; PROT=`echo $x | cut -d'-' -f2`
iptables -A FORWARD -i $INTERNET_DEV -p $PROT --dport $PORT -j DROP
iptables -A FORWARD -o $INTERNET_DEV -p $PROT --dport $PORT -j DROP
done
fi
#powiazanie IP z MAC-adresem karty sieciowej klienta w LAN
if [ ! "$MAC_CHECK" == "" ] && [ ! "$MAC_CHECK" == "no" ] ; then
iptables -N mac_check
iptables -A mac_check -j LOG
iptables -A mac_check -j DROP
cat $MAC_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3 }' | while read IP MAC DEV ; do
iptables -I mac_check 1 -m mac --mac-source $MAC -s $IP -j RETURN
iptables -A FORWARD -i $DEV -s $IP -j mac_check
if [ "$MAC_CHECK" == "yes" ] ; then
iptables -A INPUT -i $DEV -s $IP -j mac_check
fi
done
if [ ! "$MAC_CHECK_ALL_DEV" == "" ] && [ ! "$MAC_CHECK_ALL_DEV" == "no" ] ; then
for m in $MAC_CHECK_ALL_DEV ; do
iptables -A FORWARD -i $m -j mac_check
if [ "$MAC_CHECK" == "yes" ] ; then
iptables -A INPUT -i $m -j mac_check
fi
done
fi
fi
}
set_misc_mtu() {
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -f -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#MTU
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}
# Ustawienia dla polaczen p2p
set_p2p() {
#wykorzystujac modul ipp2p blokujemy proby dzialalnosci p2p na portach...
if [ ! "$P2P_NO_PORT" == "" ] ; then
for x in $P2P_NO_PORT ; do
iptables -I PREROUTING -t mangle -p tcp --sport $x -m ipp2p --ipp2p -j DROP
iptables -I PREROUTING -t mangle -p udp --sport $x -m ipp2p --ipp2p -j DROP
iptables -I POSTROUTING -t mangle -p tcp --dport $x -m ipp2p --ipp2p -j DROP
iptables -I POSTROUTING -t mangle -p udp --dport $x -m ipp2p --ipp2p -j DROP
done
fi
#blokowanie ruchu p2p dla okreslonych IP lub calej sieci (modul ipp2p i p2p)
if [ ! "$P2P_DENY" == "" ] ; then
for x in $P2P_DENY ; do
iptables -I PREROUTING -t mangle -s $x -m ipp2p --ipp2p -j DROP
iptables -I PREROUTING -t mangle -s $x -m p2p --p2p all -j DROP
iptables -I POSTROUTING -t mangle -s $x -m ipp2p --ipp2p -j DROP
iptables -I POSTROUTING -t mangle -s $x -m p2p --p2p all -j DROP
#blokowanie przy pomocy layer7
if [ "$P2P_L7" == "yes" ] && [ ! "$P2P_L7_PROTO" == "" ] ; then
for z in $P2P_L7_PROTO ; do
iptables -I PREROUTING -t mangle -s $x -m layer7 --l7proto $z -j DROP
iptables -I POSTROUTING -t mangle -s $x -m layer7 --l7proto $z -j DROP
iptables -A FORWARD -s $x -m layer7 --l7proto $z -j DROP
iptables -A FORWARD -d $x -m layer7 --l7proto $z -j DROP
done
fi
done
iptables -N p2p_block
iptables -A FORWARD -j p2p_block
for x in $P2P_DENY ; do
iptables -A p2p_block -s $x -m ipp2p --ipp2p -j DROP
iptables -A p2p_block -d $x -m ipp2p --ipp2p -j DROP
iptables -A p2p_block -s $x -m p2p --p2p all -j DROP
iptables -A p2p_block -d $x -m p2p --p2p all -j DROP
done
fi
#calkowite blokowanie p2p w okreslonych porach dnia (modul ipp2p i p2p)
if [ "$P2P_DENY_TIME" == "yes" ] ; then iptables -N p2p_time ; iptables -A FORWARD -j p2p_time
cat $P2PT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3, $4 }' | while read IP HSTART HSTOP DAYS ; do
iptables -A p2p_time -s $IP -m time --timestart $HSTART --timestop $HSTOP --days $DAYS -m ipp2p --ipp2p -j DROP
iptables -A p2p_time -d $IP -m time --timestart $HSTART --timestop $HSTOP --days $DAYS -m ipp2p --ipp2p -j DROP
iptables -A p2p_time -s $IP -m time --timestart $HSTART --timestop $HSTOP --days $DAYS -m p2p --p2p all -j DROP
iptables -A p2p_time -d $IP -m time --timestart $HSTART --timestop $HSTOP --days $DAYS -m p2p --p2p all -j DROP
done
fi
}
# Ustawienia limitow transferu oraz logowania i statystyk
limit_log() {
#limity transferu - przy wspolpracy z ipt_account
if [ ! "$STATIPTA" == "" ] && [ ! "$DL_LIMIT_UNIT" == "" ] && [ ! "$DL_LIMIT_UNIT" == "no" ] ; then
iptables -N quota_check ; iptables -N quota_tbl ; iptables -A FORWARD -j quota_tbl
cat $CLIENT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $7 }' | while read CLIENT TLIMIT ; do
if [ ! "$TLIMIT" == "0" ] ; then
if [ "$DL_LIMIT_UNIT" == "MB" ] ; then TLIMITB=$[$TLIMIT*1024*1024] ; fi
if [ "$DL_LIMIT_UNIT" == "GB" ] ; then TLIMITB=$[$TLIMIT*1024*1024*1024] ; fi
QUOTA="-m quota --quota $TLIMITB"
if [ -f ${WKDIR}.mynetwork.save ] ; then
AFILE="${WKDIR}.mynetwork.save"
BD=`grep -w "$CLIENT" $AFILE | awk '{ print $12 }'`
if [ "$TLIMITB" -gt "$BD" ] ; then TLIMITB=$[$TLIMITB-$BD] ; QUOTA="-m quota --quota $TLIMITB"
else QUOTA="0" ; fi
fi
fi
if [ ! "$QUOTA" == "" ] && [ ! "$TLIMIT" == "0" ] ; then
if [ ! "$QUOTA" == "0" ] ; then
iptables -A quota_check -s 0/0 -d $CLIENT $QUOTA -j RETURN
iptables -A quota_check -s 0/0 -d $CLIENT -j DROP
iptables -A quota_tbl -s 0/0 -d $CLIENT -j quota_check
else
iptables -A quota_tbl -s 0/0 -d $CLIENT -j DROP
fi
fi
done
fi
#logowanie do statystyk przy uzyciu ipt_account
for x in $STATIPTA ; do iptables -N statistics
iptables -A statistics -m account --aaddr $x --aname mynetwork --ashort
iptables -I FORWARD -j statistics
done
#zaladowanie licznikow account
if [ ! "$STATIPTA" == "" ] ; then
if [ -f ${WKDIR}.mynetwork.save ] ; then
while read line ; do echo $line > /proc/net/ipt_account/mynetwork ; done < ${WKDIR}.mynetwork.save
fi
fi
#logowanie ruchu internetowego
for x in $LOGS_IP ; do
iptables -A POSTROUTING -t nat -s $x -d 0/0 -j LOG --log-level info --log-prefix "IP NAT: " -m state --state NEW -m limit --limit 1/s
done
#ULOG
if [ "$ULOG_ON" == "yes" ] ; then
iptables -A FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthreshold 50 --ulog-prefix "FORWARD"
ulog-acctd &> /dev/null
fi
#zliczanie ruchu internetowego dla potrzeb lstat
if [ "$COUNT" == "yes" ] ; then iptables -N net_count_dl ; iptables -A FORWARD -s 0/0 -j net_count_dl
iptables -N net_count_ul ; iptables -A FORWARD -d 0/0 -j net_count_ul
if [ ! -f ${WKDIR}clinat.cfg ] ; then CLIENT_FILE_C="$CLIENT_FILE" ; else CLIENT_FILE_C="${WKDIR}clinat.cfg" ; fi
cat $CLIENT_FILE_C | grep -v "#" | sed -e '/^$/d' | awk '{ print $1 }' | while read IP ; do
iptables -A net_count_dl -d $IP -j RETURN
iptables -A net_count_ul -s $IP -j RETURN
done
fi
}
# Ustawienia dostepu do serwera przez SSH
ssh_allow() {
if [ ! "$SSH_LIST" == "" ] && [ ! "$SSH_LIST" == "no" ] ; then
for x in $SSH_LIST ; do INT=`echo $x | cut -d'-' -f1` ; PORT=`echo $x | cut -d'-' -f2`
iptables -A INPUT -i $INT -p tcp --dport $PORT -m state --state NEW -m recent --set
iptables -A INPUT -i $INT -p tcp --dport $PORT -m state --state NEW -m recent --update --seconds 60 --hitcount $SSH_LIST_LIMIT_M -j DROP
iptables -A INPUT -i $INT -p tcp --dport $PORT -j ACCEPT
done
else
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
fi
}
# Ruch wychodzacy
output() {
iptables -A OUTPUT -j ACCEPT
}
# Ustawienia dostepu do serwera
server() {
#dostep do serwera od strony LAN - dokladnie
if [ "$LIMIT_LAN" == "yes" ] ; then
cat $LAN_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3, $4, $5 }' | while read PROTO PORT SRC DST INT ; do
if [ ! "$PORT" == "all" ] ; then PORT_IN="--dport $PORT"
else PORT_IN="" ; fi
if [ ! "$SRC" == "all" ] ; then IP_SRC="-s $SRC"
else IP_SRC="" ; fi
if [ ! "$DST" == "all" ] ; then IP_DST="-d $DST"
else IP_DST="" ; fi
if [ ! `echo $PORT | grep ,` == "" ] ; then
iptables -A INPUT -i $INT -p $PROTO $IP_SRC -m multiport $PORT_IN $IP_DST -j ACCEPT
else
iptables -A INPUT -i $INT -p $PROTO $IP_SRC $PORT_IN $IP_DST -j ACCEPT
fi
done
else
#dostep do serwera od strony LAN - uproszczony
for x in $LAN_LIST ; do INT=`echo $x | cut -d'-' -f1` ; CL_IP=`echo $x | cut -d'-' -f2`
iptables -A INPUT -i $INT -s $CL_IP -j ACCEPT
iptables -A INPUT -i $INT -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
done
fi
#ustawienia forwardingu pomiedzy sieciami LAN
for x in $LAN_FORWARD ; do LAN1=`echo $x | cut -d'-' -f1` ; LAN2=`echo $x | cut -d'-' -f2`
iptables -A FORWARD -s $LAN1 -d $LAN2 -j ACCEPT ; iptables -A FORWARD -s $LAN2 -d $LAN1 -j ACCEPT
done
#ustawienia dla polaczen od strony internetu (uslugi serwera)
cat $ISERV_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3 }' | while read PROTO PORT IP ; do
if [ ! "$PORT" == "all" ] ; then PORT_IN="--dport $PORT" ; else PORT_IN="" ; fi
if [ ! "$IP" == "all" ] ; then IP_IN="-s $IP" ; else IP_IN="" ; fi
if [ ! `echo $PORT | grep ,` == "" ] ; then
iptables -A INPUT -i $INTERNET_DEV -p $PROTO $IP_IN -m multiport $PORT_IN -j ACCEPT
else
iptables -A INPUT -i $INTERNET_DEV -p $PROTO $IP_IN $PORT_IN -j ACCEPT
fi
done
#udostepnianie portow (port-forwarding)
cat $PORTF_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3, $4, $5 }' | while read PROTO PORT_IN LOCAL_IP PORT_OUT FROM ; do
if [ ! "$FROM" == "all" ] ; then SRC="-s $FROM" ; else SRC="" ; fi
iptables -A FORWARD -i $INTERNET_DEV -p $PROTO $SRC --dport $PORT_OUT -d $LOCAL_IP -j ACCEPT
iptables -A PREROUTING -t nat -p $PROTO -d $INTERNET_IP --dport $PORT_IN -j DNAT --to $LOCAL_IP:$PORT_OUT
if [ "$LOCAL_PORTF_ON" == "yes" ] ; then
iptables -A POSTROUTING -t nat -o $LOCAL_DEV -j SNAT --to $INTERNET_IP
iptables -A POSTROUTING -t nat -p $PROTO $SRC -d $LOCAL_SERV_IP --dport $PORT_IN -j SNAT --to $LOCAL_IP:$PORT_OUT
fi
done
#miniserv/vh apache forwarding - informacje dla klientow w LAN
cat $MSERV_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3 }' | while read IP CEL LIMIT ; do
iptables -A PREROUTING -t nat -s $IP -p tcp --dport 80 -j DNAT --to-destination $CEL -m limit --limit ${LIMIT}/h --limit-burst 1
done
#udostepnianie IP zewn. dla klienta w LAN (wymaga takze utworzenia aliasu na interfejsie WAN)
if [ "$IPF_ALIAS_ON" == "yes" ] ; then
INTERNET_MASK=`ip address show $INTERNET_DEV | grep "$INTERNET_IP" | awk '{ print $2 }' | cut -d'/' -f2`
INTERNET_BRD=`ip address show $INTERNET_DEV | grep "$INTERNET_IP" | awk '{ print $4 }'`
fi
cat $IPF_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3, $4 }' | while read EXT_IP LOCAL_IP PROTO CLIMIT ; do
if [ ! "$PROTO" == "all" ] ; then PROT="-p $PROTO" ; else PROT="" ; fi
if [ ! "$CLIMIT" == "0" ] ; then
iptables -A FORWARD -p tcp --syn -s $LOCAL_IP -m connlimit --connlimit-above $CLIMIT -j REJECT
iptables -A FORWARD -p tcp --syn -d $LOCAL_IP -m connlimit --connlimit-above $CLIMIT -j REJECT
fi
iptables -A FORWARD $PROT -s 0/0 -d $LOCAL_IP -j ACCEPT
iptables -A FORWARD $PROT -s $LOCAL_IP -d 0/0 -j ACCEPT
iptables -A PREROUTING -t nat $PROT -s 0/0 -d $EXT_IP -j DNAT --to $LOCAL_IP
iptables -A POSTROUTING -t nat $PROT -s $LOCAL_IP -d 0/0 -j SNAT --to $EXT_IP
if [ "$IPF_ALIAS_ON" == "yes" ] ; then
ip addr del ${EXT_IP}/${INTERNET_MASK} broadcast $INTERNET_BRD dev $INTERNET_DEV &> /dev/null
ip addr add ${EXT_IP}/${INTERNET_MASK} broadcast $INTERNET_BRD dev $INTERNET_DEV
fi
done
#icmp, polaczenia powrotne nawiazane
iptables -A INPUT -p icmp -s 0/0 -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
#zalogowanie i zablokowanie (15 min.) skanowania portow (moduly psd i recent)
if [ "$PSDLOG" == "yes" ] ; then iptables -N portscan
iptables -A portscan -m recent --name portscan-allow --rcheck -j RETURN
iptables -A portscan -m recent --name portscan --set -j LOG --log-prefix "PORTSCAN: " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A portscan -m limit --limit 1/h -j LOG --log-level info --log-prefix "PORTSCAN DROP: "
iptables -A portscan -j DROP
iptables -A INPUT -m recent --name portscan --rcheck --seconds 900 -j DROP
iptables -A INPUT -m psd -j portscan
fi
#a dla pozostalych reject
iptables -A INPUT -p tcp -i $INTERNET_DEV -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i $INTERNET_DEV -j REJECT --reject-with icmp-port-unreachable
#vpn gre forward
if [ "$VPN_GRE_FORWARD" == "yes" ] ; then
iptables -A FORWARD -p gre -j ACCEPT
else
if [ ! "$VPN_GRE_FORWARD" == "no" ] ; then
for v in $VPN_GRE_FORWARD ; do
iptables -A FORWARD -p gre -s 0/0 -d $v -j ACCEPT
iptables -A FORWARD -p gre -s $v -d 0/0 -j ACCEPT
done
fi
fi
}
# Ustawienia przekierowan
set_proxy() {
#transparentne proxy
if [ ! "$PROXY_SERV" == "" ] ; then IPS=`echo $PROXY_SERV | cut -d'-' -f1` ; PORT=`echo $PROXY_SERV | cut -d'-' -f2`
if [ "$IPS" == "REDIRECT" ] ; then
for x in $PROXY_CLIENT ; do CLIENT=`echo $x | cut -d'-' -f1`
if [ ! "$LOCAL_PROXY_SERV_IP" == "" ] ; then
iptables -A PREROUTING -t nat -p tcp -s $CLIENT -d ! $LOCAL_PROXY_SERV_IP --dport 80 -j REDIRECT --to-port $PORT
else
iptables -A PREROUTING -t nat -p tcp -s $CLIENT -d 0/0 --dport 80 -j REDIRECT --to-port $PORT
fi
done
else
for x in $PROXY_CLIENT ; do CLIENT=`echo $x | cut -d'-' -f1` ; GATEWAY=`echo $x | cut -d'-' -f2`
if [ ! "$LOCAL_PROXY_SERV_IP" == "" ] ; then
iptables -A PREROUTING -t nat -p tcp -s $CLIENT -d ! $LOCAL_PROXY_SERV_IP --dport 80 -j DNAT --to ${IPS}:${PORT}
else
iptables -A PREROUTING -t nat -p tcp -s $CLIENT -d 0/0 --dport 80 -j DNAT --to ${IPS}:${PORT}
fi
iptables -A POSTROUTING -t nat -s $CLIENT -d $IPS -j SNAT --to $GATEWAY
done
fi
fi
#zaawansowane przekierowania
for x in $REDIRECT ; do
KTO=`echo $x | cut -d'-' -f1`
CO=`echo $x | cut -d'-' -f2`
GDZIE=`echo $x | cut -d'-' -f3`
PORT=`echo $x | cut -d'-' -f4`
PROTO=`echo $x | cut -d'-' -f5`
if [ "$PORT" == "all" ] ; then
if [ "$GDZIE" == "REDIRECT" ] ; then CEL="-j REDIRECT"
else CEL="-j DNAT --to ${GDZIE}" ; fi
iptables -A PREROUTING -t nat -s $KTO -d $CO $CEL
else
if [ "$GDZIE" == "REDIRECT" ] ; then CEL="-j REDIRECT --to-port $PORT"
else CEL="-j DNAT --to ${GDZIE}:${PORT}" ; fi
iptables -A PREROUTING -t nat -p $PROTO -s $KTO -d $CO --dport $PORT $CEL
fi
done
}
# Ustawienia nat - udostepnianie internetu klientom w LAN
set_nat() {
if [ ! "$NAT_ON" == "no" ] && [ ! "$NAT_ON" == "" ] ; then
if [ ! -f ${WKDIR}clinat.cfg ] ; then CLIENT_FILE_C="$CLIENT_FILE" ; else CLIENT_FILE_C="${WKDIR}clinat.cfg" ; fi
#stale IP
if [ "$NAT_ON" == "yes" ] ; then
cat $CLIENT_FILE_C | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $6, $8 }' | while read KTO CLIMIT ACL ; do
if [ ! "$CLIMIT" == "0" ] ; then
iptables -A FORWARD -p tcp --syn -s $KTO -m connlimit --connlimit-above $CLIMIT -j REJECT
fi
if [ ! "$USER_ACL_ON" == "yes" ] ; then
iptables -A FORWARD -s $KTO -d 0/0 -j ACCEPT
fi
if [ "$USER_ACL_ON" == "yes" ] && [ "$ACL" == "0" ] ; then
iptables -A FORWARD -s $KTO -d 0/0 -j ACCEPT
fi
iptables -A POSTROUTING -t nat -s $KTO -o $INTERNET_DEV -d 0/0 -j SNAT --to $INTERNET_IP
done
fi
#zmienne IP
if [ "$NAT_ON" == "masq" ] ; then
cat $CLIENT_FILE_C | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $6, $8 }' | while read KTO CLIMIT ACL ; do
if [ ! "$CLIMIT" == "0" ] ; then
iptables -A FORWARD -p tcp --syn -s $KTO -m connlimit --connlimit-above $CLIMIT -j REJECT
fi
if [ ! "$USER_ACL_ON" == "yes" ] ; then
iptables -A FORWARD -s $KTO -d 0/0 -j ACCEPT
fi
if [ "$USER_ACL_ON" == "yes" ] && [ "$ACL" == "0" ] ; then
iptables -A FORWARD -s $KTO -d 0/0 -j ACCEPT
fi
iptables -A POSTROUTING -t nat -s $KTO -o $INTERNET_DEV -d 0/0 -j MASQUERADE
done
fi
fi
}
# Ustawienia TTL
set_ttl() {
for x in $TTL ; do IP=`echo $x | cut -d'-' -f1` ; TTL=`echo $x | cut -d'-' -f2`
iptables -A POSTROUTING -t mangle -p ! icmp -d $IP -j TTL --ttl-set $TTL
iptables -A OUTPUT -t mangle -p ! icmp -d $IP -j TTL --ttl-set $TTL
iptables -A FORWARD -t mangle -p ! icmp -d $IP -j TTL --ttl-set $TTL
done
}
# Ustawienia TOS
set_tos() {
#typ dec hex
#Minimalize-delay 16 0x10
#Maximalize-throughput 8 0x08
#Maxymalize-Reliability 4 0x04
#Minimalize-cost 2 0x02
#Normal-service 0 0x00
iptables -A PREROUTING -t mangle -p tcp --dport 20 -j TOS --set-tos 0x08 #ftp
iptables -A PREROUTING -t mangle -p tcp --dport 21 -j TOS --set-tos 0x10 #ftp
iptables -A PREROUTING -t mangle -p tcp --dport 22 -j TOS --set-tos 0x10 #ssh
iptables -A PREROUTING -t mangle -p tcp --dport 25 -j TOS --set-tos 0x10 #smtp
iptables -A PREROUTING -t mangle -p tcp --dport 53 -j TOS --set-tos 0x10 #dns
iptables -A PREROUTING -t mangle -p udp --dport 53 -j TOS --set-tos 0x10 #dns
iptables -A PREROUTING -t mangle -p tcp --dport 80 -j TOS --set-tos 0x08 #http
iptables -A OUTPUT -t mangle -p tcp --dport 20 -j TOS --set-tos 0x08 #ftp
iptables -A OUTPUT -t mangle -p tcp --dport 21 -j TOS --set-tos 0x10 #ftp
iptables -A OUTPUT -t mangle -p tcp --dport 22 -j TOS --set-tos 0x10 #ssh
iptables -A OUTPUT -t mangle -p tcp --dport 25 -j TOS --set-tos 0x10 #smtp
iptables -A OUTPUT -t mangle -p tcp --dport 53 -j TOS --set-tos 0x10 #dns
iptables -A OUTPUT -t mangle -p udp --dport 53 -j TOS --set-tos 0x10 #dns
iptables -A OUTPUT -t mangle -p tcp --dport 80 -j TOS --set-tos 0x08 #http
}
# Ustawienia QoS IMQ
mark_qos() {
if [ "$QOS_ON" == "yes" ] ; then
#prawie wszystko do interfejsow IMQ
#download (sciaganie) - imq0
if [ ! "$NO_QOS_ROUTER" == "" ] ; then
for x in $NO_QOS_ROUTER ; do
iptables -A PREROUTING -t mangle -i $INTERNET_DEV -s $x -d $INTERNET_IP -j RETURN
done
iptables -A PREROUTING -t mangle -i $INTERNET_DEV -j IMQ --todev 0
else
iptables -A PREROUTING -t mangle -i $INTERNET_DEV -j IMQ --todev 0
fi
if [ "$LOCAL_PROXY_DL_ON" == "yes" ] ; then
for x in $LOCAL_DEV_P ; do
iptables -A OUTPUT -t mangle -o $x -p tcp --sport $LOCAL_PORT_PROXY -m connmark --mark 0 -m string --string 'X-Cache: MISS from ' -j CONNMARK --set-mark 0x7
iptables -A OUTPUT -t mangle -o $x -p tcp --sport $LOCAL_PORT_PROXY -j CONNMARK --restore-mark
iptables -A OUTPUT -t mangle -o $x -p tcp --sport $LOCAL_PORT_PROXY -m mark --mark 0x7 -j IMQ --todev 0
done
fi
#upload (wysylanie) - imq1
if [ ! "$NO_QOS_ROUTER" == "" ] ; then
for x in $NO_QOS_ROUTER ; do
iptables -A POSTROUTING -t mangle -o $INTERNET_DEV -s $INTERNET_IP -d $x -j RETURN
done
iptables -A POSTROUTING -t mangle -o $INTERNET_DEV -j IMQ --todev 1
else
iptables -A POSTROUTING -t mangle -o $INTERNET_DEV -j IMQ --todev 1
fi
#oznaczenie ruchu icmp (ping) - do szybkiej kolejki fast
iptables -A PREROUTING -t mangle -p icmp -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p icmp -j RETURN
iptables -A POSTROUTING -t mangle -p icmp -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p icmp -j RETURN
#oznaczenie wybranego ruchu - do szybkiej kolejki fast
cat $PFAST_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2 }' | while read PROTO PORT ; do
if [ ! `echo $PORT | grep ,` == "" ] ; then
iptables -A PREROUTING -t mangle -p $PROTO -m multiport --sport $PORT -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p $PROTO -m multiport --sport $PORT -j RETURN
iptables -A POSTROUTING -t mangle -p $PROTO -m multiport --dport $PORT -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p $PROTO -m multiport --dport $PORT -j RETURN
else
iptables -A PREROUTING -t mangle -p $PROTO --sport $PORT -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -p $PROTO --sport $PORT -j RETURN
iptables -A POSTROUTING -t mangle -p $PROTO --dport $PORT -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -p $PROTO --dport $PORT -j RETURN
fi
done
#rozpoznanie przy pomocy layer7 - do szybkiej kolejki fast
if [ "$FAST_L7" == "yes" ] && [ ! "$FAST_L7_PROTO" == "" ] ; then
for x in $FAST_L7_PROTO ; do
iptables -A PREROUTING -t mangle -m layer7 --l7proto $x -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -m layer7 --l7proto $x -j RETURN
done
fi
#oznaczenie do szybkiej kolejki fast dla polaczen ze wskazanymi IP
for x in $IPFAST_FILE ; do
iptables -A PREROUTING -t mangle -s $x -d 0/0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -s $x -d 0/0 -j RETURN
iptables -A POSTROUTING -t mangle -s 0/0 -d $x -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -s 0/0 -d $x -j RETURN
done
#oznaczenie ruchu p2p
if [ ! "$P2P_LIMIT" == "" ] ; then
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
if [ "$P2P_IPP2P_PMARK" == "all" ] || [ "$P2P_IPP2P_PMARK" == "" ] ; then
iptables -A PREROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 0x62
fi
if [ "$P2P_IPP2P_PMARK" == "tcp" ] ; then
iptables -A PREROUTING -t mangle -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0x62
fi
iptables -A PREROUTING -t mangle -m p2p --p2p all -j MARK --set-mark 0x62
#rozpoznanie przy pomocy layer7
if [ "$P2P_L7" == "yes" ] && [ ! "$P2P_L7_PROTO" == "" ] ; then
for x in $P2P_L7_PROTO ; do
iptables -A PREROUTING -t mangle -m layer7 --l7proto $x -j MARK --set-mark 0x62
done
fi
iptables -A PREROUTING -t mangle -m mark --mark 0x62 -j CONNMARK --save-mark
if [ "$P2P_IPP2P_PMARK" == "tcp" ] ; then
iptables -A PREROUTING -t mangle -p udp -m ipp2p --ipp2p -j MARK --set-mark 0x62
fi
iptables -A POSTROUTING -t mangle -m mark --mark 0x62 -j RETURN
fi
#oznaczenie ruchu serwera-routera
iptables -A POSTROUTING -t mangle -s $INTERNET_IP -j MARK --set-mark 0x61
iptables -A POSTROUTING -t mangle -s $INTERNET_IP -j RETURN
#oznaczenie klientow w LAN
#zamiana spacji na przecinek (dla multiport, gdy sa 2 kolejki)
if [ "$USER_CL" == "2" ] ; then PR1TP=`echo $PR1_TCPPORT | awk '{gsub(/ /, ","); print}'` ; fi
if [ "$P2P_CS_ON" == "yes" ] ; then
iptables -N p2p_cs_limit
iptables -I FORWARD -m ipp2p --ipp2p -j p2p_cs_limit
if [ "$P2P_L7" == "yes" ] && [ ! "$P2P_L7_PROTO" == "" ] && [ "$P2P_CS_L7_ON" == "yes" ] ; then
for x in $P2P_L7_PROTO ; do
iptables -I FORWARD -m layer7 --l7proto $x -j p2p_cs_limit
done
fi
fi
NR=65
cat $CLIENT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1 }' | while read IP ; do
if [ "$P2P_CS_ON" == "yes" ] ; then
iptables -A p2p_cs_limit -p tcp -s $IP -m connlimit --connlimit-above $P2P_C_LIMIT -j DROP
iptables -A p2p_cs_limit -p tcp -d $IP -m limit --limit ${P2P_S_LIMIT}/s -j ACCEPT
fi
if [ "$USER_CL" == "2" ] ; then
if [ "$CL_MPORT_ON" == "yes" ] ; then
iptables -A POSTROUTING -t mangle -p tcp -s $IP -m multiport --dport $PR1TP -j MARK --set-mark 0x${NR}1
iptables -A POSTROUTING -t mangle -p tcp -s $IP -m multiport --dport $PR1TP -j RETURN
else
for x in $PR1_TCPPORT ; do
iptables -A POSTROUTING -t mangle -p tcp -s $IP --dport $x -j MARK --set-mark 0x${NR}1
iptables -A POSTROUTING -t mangle -p tcp -s $IP --dport $x -j RETURN
done
fi
iptables -A POSTROUTING -t mangle -s $IP -d 0/0 -j MARK --set-mark 0x${NR}2
iptables -A POSTROUTING -t mangle -s $IP -d 0/0 -j RETURN
else
iptables -A POSTROUTING -t mangle -s $IP -d 0/0 -j MARK --set-mark 0x${NR}
iptables -A POSTROUTING -t mangle -s $IP -d 0/0 -j RETURN
fi
NR=$[$NR+1]
done
fi
}
# Funkcje QoS
stop_qos() {
tc qdisc del root dev imq1 &> /dev/null
tc qdisc del root dev imq0 &> /dev/null
ip link set imq0 down &> /dev/null
ip link set imq1 down &> /dev/null
rmmod imq &> /dev/null
echo -e "Stop QoS ($QOS_ALG)"
}
start_qos() {
if [ "$QOS_ON" == "yes" ] ; then
echo -e "Start QoS ($QOS_ALG)"
#skroty...
TQDISC="tc qdisc add dev"
TCLASS="tc class add dev"
TFILTR="tc filter add dev"
#zaladowanie modulow i podnoszenie interfejsow imq
modprobe imq numdevs=2 &> /dev/null
ip link set imq0 up &> /dev/null
ip link set imq1 up &> /dev/null
#obliczenie wartosci dla kolejki PR2
PR1="$PR1_P"
PR2=$[100-$PR1]
#liczenie wartosci dla klas
#download
#download - obliczenie wartosci dla rate
DL_RATE_P=$[$DOWNLOAD*$RATE_P/100]
Q_DL_RATE_P=$[$DL_RATE_P*10/100]
#download - wartosc dla kolejki priorytetowej
DL_PRIO=`echo $QOS_PRIO | cut -d';' -f1`
Q_DL_PRIO=$[$DL_PRIO*10/100]
if [ "$Q_DL_PRIO" -le 1 ] ; then Q_DL_PRIO="1" ; fi
#download - wartosc dla szybkiej kolejki fast
DL_FAST=`echo $QOS_FAST | cut -d';' -f1`
Q_DL_FAST=$[$DL_FAST*10/100]
if [ "$Q_DL_FAST" -le 1 ] ; then Q_DL_FAST="1" ; fi
#download - wartosc rate dla kolejki normalnej
DL_NORM=$[$DL_RATE_P-$DL_FAST]
Q_DL_NORM=$[$DL_NORM*10/100]
if [ "$Q_DL_NORM" -le 1 ] ; then Q_DL_NORM="1" ; fi
#download - obliczenie wartosci kolejki normalnej zaleznie od wagi kolejki fast
if [ ! `echo $QOS_FAST | cut -d';' -f3` == "1" ] ; then
DL_FAST_N=$DOWNLOAD ; DL_NORM_N=$DOWNLOAD
else
DL_FAST_N=`echo $QOS_FAST | cut -d';' -f1`
DL_NORM_N=$[$DOWNLOAD-$DL_FAST_N]
fi
#download - obliczenia pomocnicze dla kolejki fast (hfsc)
if [ "$DL_FAST" -ge "$[$DL_RATE_P/2]" ] ; then
DL_FAST_M1=$[$DL_RATE_P*75/100]
else
DL_FAST_M1=$[2*$DL_FAST*85/100]
fi
#download - wartosci ceil i rate dla ruchu routera
DL_ROUTER=`echo $QOS_ROUTER | cut -d';' -f1`
Q_DL_ROUTER=$[$DL_ROUTER*10/100]
if [ "$Q_DL_ROUTER" -le 1 ] ; then Q_DL_ROUTER="1" ; fi
if [ ! `echo $QOS_ROUTER | cut -d';' -f2` == "auto" ] ; then
DL_ROUTER_N=`echo $QOS_ROUTER | cut -d';' -f2`
else
DL_ROUTER_N=$DL_NORM_N
fi
#upload
#upload - obliczenie wartosci dla rate
UL_RATE_P=$[$UPLOAD*$RATE_P/100]
Q_UL_RATE_P=$[$UL_RATE_P*10/100]
#upload - wartosc dla kolejki priorytetowej
UL_PRIO=`echo $QOS_PRIO | cut -d';' -f2`
Q_UL_PRIO=$[$UL_PRIO*10/100]
if [ "$Q_UL_PRIO" -le 1 ] ; then Q_UL_PRIO="1" ; fi
#upload - wartosc dla szybkiej kolejki fast
UL_FAST=`echo $QOS_FAST | cut -d';' -f2`
Q_UL_FAST=$[$UL_FAST*10/100]
if [ "$Q_UL_FAST" -le 1 ] ; then Q_UL_FAST="1" ; fi
#upload - wartosc rate dla kolejki normalnej
UL_NORM=$[$UL_RATE_P-$UL_FAST]
Q_UL_NORM=$[$UL_NORM*10/100]
if [ "$Q_UL_NORM" -le 1 ] ; then Q_UL_NORM="1" ; fi
#upload - obliczenie wartosci kolejki normalnej zaleznie od wagi kolejki fast
if [ ! `echo $QOS_FAST | cut -d';' -f3` == "1" ] ; then
UL_FAST_N=$UPLOAD ; UL_NORM_N=$UPLOAD
else
UL_FAST_N=`echo $QOS_FAST | cut -d';' -f2`
UL_NORM_N=$[$UPLOAD-$UL_FAST_N]
fi
#upload - obliczenia pomocnicze dla kolejki fast (hfsc)
if [ "$UL_FAST" -ge "$[$UL_RATE_P/2]" ] ; then
UL_FAST_M1=$[$UL_RATE_P*75/100]
else
UL_FAST_M1=$[2*$UL_FAST*85/100]
fi
#upload - wartosci ceil i rate dla ruchu routera
UL_ROUTER=`echo $QOS_ROUTER | cut -d';' -f3`
Q_UL_ROUTER=$[$UL_ROUTER*10/100]
if [ "$Q_UL_ROUTER" -le 1 ] ; then Q_UL_ROUTER="1" ; fi
if [ ! `echo $QOS_ROUTER | cut -d';' -f4` == "auto" ] ; then
UL_ROUTER_N=`echo $QOS_ROUTER | cut -d';' -f4`
else
UL_ROUTER_N=$UL_NORM_N
fi
#liczniki pomocnicze
LICZ_USER_DL=0 ; LICZ_USER_UL=0 ; LICZ_RATE_DL=0 ; LICZ_RATE_UL=0
#wartosci dla ruchu p2p
if [ ! "$P2P_LIMIT" == "" ] ; then
DL_P2P=`echo $P2P_LIMIT | cut -d';' -f1`
UL_P2P=`echo $P2P_LIMIT | cut -d';' -f2`
LICZ_USER_DL=1 ; LICZ_USER_UL=1
fi
#obliczenia pomocnicze dla userow
rm -f ${WKDIR}.tmp &> /dev/null
cat $CLIENT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $2, $4 }' | while read CLD CLU ; do
echo "${CLD}-${CLU}" >> ${WKDIR}.tmp
done
TMPF=`cat ${WKDIR}.tmp`
for x in $TMPF ; do
if [ ! `echo $x | cut -d'-' -f1` == "auto" ] ; then
RU=`echo $x | cut -d'-' -f1` ; LICZ_RATE_DL=$[$LICZ_RATE_DL+$RU]
else LICZ_USER_DL=$[$LICZ_USER_DL+1] ; fi
if [ ! `echo $x | cut -d'-' -f2` == "auto" ] ; then
RU=`echo $x | cut -d'-' -f2` ; LICZ_RATE_UL=$[$LICZ_RATE_UL+$RU]
else LICZ_USER_UL=$[$LICZ_USER_UL+1] ; fi
done
rm -f ${WKDIR}.tmp &> /dev/null
#obliczenie wartosci rate dla klientow z auto
if [ ! "$LICZ_USER_DL" == "0" ] ; then
DL_USER_RATE=$[($DL_NORM-$DL_PRIO-$DL_ROUTER-$LICZ_RATE_DL)/$LICZ_USER_DL]
if [ "$DL_USER_RATE" -le 1 ] ; then DL_USER_RATE="1" ; Q_DL_USER_RATE="1"
else
if [ "$DL_USER_RATE" -ge 20 ] ; then
Q_DL_USER_RATE=$[$DL_USER_RATE*10/100]
else Q_DL_USER_RATE="2"
fi
fi
fi
if [ ! "$LICZ_USER_UL" == "0" ] ; then
UL_USER_RATE=$[($UL_NORM-$UL_PRIO-$UL_ROUTER-$LICZ_RATE_UL)/$LICZ_USER_UL]
if [ "$UL_USER_RATE" -le 1 ] ; then UL_USER_RATE="1" ; Q_UL_USER_RATE="1"
else
if [ "$UL_USER_RATE" -ge 20 ] ; then
Q_UL_USER_RATE=$[$UL_USER_RATE*10/100]
else Q_UL_USER_RATE="2"
fi
fi
fi
#info
if [ "$QOS_INFO" == "yes" ] ; then
echo " LICZ_RATE_DL = $LICZ_RATE_DL LICZ_USER_DL = $LICZ_USER_DL"
echo " LICZ_RATE_UL = $LICZ_RATE_UL LICZ_USER_UL = $LICZ_USER_UL"
echo " DL_USER_RATE = $DL_USER_RATE UL_USER_RATE = $UL_USER_RATE"
echo " DL_NORM = $DL_NORM DL_NORM_N = $DL_NORM_N"
echo " UL_NORM = $UL_NORM UL_NORM_N = $UL_NORM_N"
fi
#kolejki
# 1:
# /\
# / \
# / \
# 1:2 1:6
# fast |
# |------1:60 prio (dns,ack)
# |
# |------1:61 router
# |
# |------1:62 p2p (opcja) <-okresla zmienna P2P_LIMIT
# |
# |------1:65 klient 1
# | /\
# | / \ (opcja) <-gdy zmienna USER_CL=2
# | / \
# | 1:651 1:652
# |
# |------1:66 klient 2
# | /\
# | / \
# | / \
# | 1:661 1:662
# |
# |------1:67 klient 3
# | /\
# itd.
#interfejsy
DL_VDEV="imq0"
UL_VDEV="imq1"
#tworzenie kolejek - sciaganie (download), imq0
#korzen kolejek
if [ "$QOS_ALG" == "hfsc" ] ; then
$TQDISC $DL_VDEV root handle 1: hfsc default 61
$TCLASS $DL_VDEV parent 1:0 classid 1:1 hfsc ls m2 ${DL_RATE_P}kbit ul m2 ${DOWNLOAD}kbit
else
$TQDISC $DL_VDEV root handle 1: htb
$TCLASS $DL_VDEV parent 1:0 classid 1:1 htb rate ${DL_RATE_P}kbit ceil ${DOWNLOAD}kbit quantum $Q_DL_RATE_P
fi
#ruch fast
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:1 classid 1:2 hfsc rt m1 ${DL_FAST_M1}kbit d 1s m2 ${DL_FAST}kbit ls m2 ${DL_FAST}kbit ul m2 ${DL_FAST_N}kbit
else
$TCLASS $DL_VDEV parent 1:1 classid 1:2 htb rate ${DL_FAST}kbit ceil ${DL_FAST_N}kbit prio 1 quantum $Q_DL_FAST burst 15k
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $DL_VDEV parent 1:2 handle 2:0 esfq perturb 5 hash dst
else
$TQDISC $DL_VDEV parent 1:2 handle 2:0 sfq perturb 5
fi
$TFILTR $DL_VDEV parent 1:0 prio 2 protocol ip handle 0x1 fw flowid 1:2
#ruch normalny (priorytetowy, routera, p2p i klientow)
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:1 classid 1:6 hfsc ls m2 ${DL_NORM}kbit ul m2 ${DL_NORM_N}kbit
else
$TCLASS $DL_VDEV parent 1:1 classid 1:6 htb rate ${DL_NORM}kbit ceil ${DL_NORM_N}kbit quantum $Q_DL_NORM
fi
#ruch priorytetowy
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:6 classid 1:60 hfsc ls m2 ${DL_PRIO}kbit ul m2 ${DL_NORM_N}kbit
else
$TCLASS $DL_VDEV parent 1:6 classid 1:60 htb rate ${DL_PRIO}kbit ceil ${DL_NORM_N}kbit prio 2 quantum $Q_DL_PRIO burst 10k
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $DL_VDEV parent 1:60 handle 60:0 esfq perturb 5 hash dst
else
$TQDISC $DL_VDEV parent 1:60 handle 60:0 sfq perturb 5
fi
#dns
$TFILTR $DL_VDEV parent 1:0 prio 3 protocol ip u32 match ip protocol 17 0xff match ip sport 53 0xffff flowid 1:60
#ruch routera
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:6 classid 1:61 hfsc ls m2 ${DL_ROUTER}kbit ul m2 ${DL_ROUTER_N}kbit
else
$TCLASS $DL_VDEV parent 1:6 classid 1:61 htb rate ${DL_ROUTER}kbit ceil ${DL_ROUTER_N}kbit prio 4 quantum $Q_DL_ROUTER
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $DL_VDEV parent 1:61 handle 61:0 esfq perturb 10 hash dst
else
$TQDISC $DL_VDEV parent 1:61 handle 61:0 sfq perturb 10
fi
$TFILTR $DL_VDEV parent 1:0 prio 4 protocol ip u32 match ip dst $INTERNET_IP flowid 1:61
#ruch p2p
if [ ! "$P2P_LIMIT" == "" ] ; then
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:6 classid 1:62 hfsc ls m2 ${DL_USER_RATE}kbit ul m2 ${DL_P2P}kbit
else
$TCLASS $DL_VDEV parent 1:6 classid 1:62 htb rate ${DL_USER_RATE}kbit ceil ${DL_P2P}kbit prio 8 quantum $Q_DL_USER_RATE
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $DL_VDEV parent 1:62 handle 62:0 esfq perturb 10 hash dst
else
$TQDISC $DL_VDEV parent 1:62 handle 62:0 sfq perturb 10
fi
$TFILTR $DL_VDEV parent 1:0 prio 1 protocol ip handle 0x62 fw flowid 1:62
fi
#ruch klientow
NR=65
if [ "$QOS_INFO" == "yes" ] ; then echo "Download" ; fi
cat $CLIENT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $1, $2, $3 }' | while read IP CL_DLR CL_DLC ; do
DO_USER_RATE="$DL_USER_RATE"
DO_USER_CEIL="$DL_NORM_N"
if [ ! "$CL_DLR" == "auto" ] ; then DO_USER_RATE="$CL_DLR" ; fi
if [ ! "$CL_DLC" == "auto" ] ; then DO_USER_CEIL="$CL_DLC" ; fi
if [ "$DO_USER_RATE" -ge "$DO_USER_CEIL" ] ; then DO_USER_RATE="$DO_USER_CEIL" ; fi
R_PR1="1" ; R_PR2="1"
if [ ! "$DO_USER_RATE" == "1" ] ; then R_PR1=$[$DO_USER_RATE*$PR1/100] ; fi
if [ ! "$DO_USER_RATE" == "1" ] ; then R_PR2=$[$DO_USER_RATE*$PR2/100] ; fi
if [ "$R_PR1" -le 1 ] ; then R_PR1="1" ; fi
if [ "$R_PR2" -le 1 ] ; then R_PR2="1" ; fi
Q_DO_USER_RATE=$[$DO_USER_RATE*10/100]
if [ "$Q_DO_USER_RATE" -le 1 ] ; then Q_DO_USER_RATE="1" ; fi
#info
if [ "$QOS_INFO" == "yes" ] ; then
if [ "$USER_CL" == "2" ] ; then
echo " MARK = $NR IP = $IP DL_RATE = ${DO_USER_RATE}kbit (${R_PR1}:${R_PR2}) DL_CEIL = ${DO_USER_CEIL}kbit"
else
echo " MARK = $NR IP = $IP DL_RATE = ${DO_USER_RATE}kbit DL_CEIL = ${DO_USER_CEIL}kbit"
fi
fi
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $DL_VDEV parent 1:6 classid 1:${NR} hfsc ls m2 ${DO_USER_RATE}kbit ul m2 ${DO_USER_CEIL}kbit
if [ "$USER_CL" == "2" ] ; then
$TCLASS $DL_VDEV parent 1:${NR} classid 1:${NR}1 hfsc ls m2 ${R_PR1}kbit ul m2 ${DO_USER_CEIL}kbit
$TCLASS $DL_VDEV parent 1:${NR} classid 1:${NR}2 hfsc ls m2 ${R_PR2}kbit ul m2 ${DO_USER_CEIL}kbit
fi
else
$TCLASS $DL_VDEV parent 1:6 classid 1:${NR} htb rate ${DO_USER_RATE}kbit ceil ${DO_USER_CEIL}kbit quantum $Q_DO_USER_RATE
if [ "$USER_CL" == "2" ] ; then
$TCLASS $DL_VDEV parent 1:${NR} classid 1:${NR}1 htb rate ${R_PR1}kbit ceil ${DO_USER_CEIL}kbit prio 5 quantum $Q_DO_USER_RATE
$TCLASS $DL_VDEV parent 1:${NR} classid 1:${NR}2 htb rate ${R_PR2}kbit ceil ${DO_USER_CEIL}kbit prio 6 quantum $Q_DO_USER_RATE
fi
fi
if [ "$QOS_USER_METHOD" == "esfq" ] ; then
if [ "$USER_CL" == "2" ] ; then
$TQDISC $DL_VDEV parent 1:${NR}1 handle ${NR}1:0 esfq perturb 10 hash dst
$TQDISC $DL_VDEV parent 1:${NR}2 handle ${NR}2:0 esfq perturb 10 hash dst
else
$TQDISC $DL_VDEV parent 1:${NR} handle ${NR}:0 esfq perturb 10 hash dst
fi
else
if [ "$USER_CL" == "2" ] ; then
$TQDISC $DL_VDEV parent 1:${NR}1 handle ${NR}1:0 sfq perturb 10
$TQDISC $DL_VDEV parent 1:${NR}2 handle ${NR}2:0 sfq perturb 10
else
$TQDISC $DL_VDEV parent 1:${NR} handle ${NR}:0 sfq perturb 10
fi
fi
if [ "$USER_CL" == "2" ] ; then
for z in $PR1_TCPPORT ; do
$TFILTR $DL_VDEV parent 1:0 prio 5 protocol ip u32 match ip dst $IP match ip protocol 6 0xff match ip sport $z 0xffff flowid 1:${NR}1
done
$TFILTR $DL_VDEV parent 1:0 prio 6 protocol ip u32 match ip dst $IP flowid 1:${NR}2
else
$TFILTR $DL_VDEV parent 1:0 prio 5 protocol ip u32 match ip dst $IP flowid 1:${NR}
fi
NR=$[$NR+1]
done
#tworzenie kolejek - wysylanie (upload), imq1
#korzen kolejek
if [ "$QOS_ALG" == "hfsc" ] ; then
$TQDISC $UL_VDEV root handle 1: hfsc default 61
$TCLASS $UL_VDEV parent 1:0 classid 1:1 hfsc ls m2 ${UL_RATE_P}kbit ul m2 ${UPLOAD}kbit
else
$TQDISC $UL_VDEV root handle 1: htb
$TCLASS $UL_VDEV parent 1:0 classid 1:1 htb rate ${UL_RATE_P}kbit ceil ${UPLOAD}kbit quantum $Q_UL_RATE_P
fi
#ruch fast
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:1 classid 1:2 hfsc rt m1 ${UL_FAST_M1}kbit d 1s m2 ${UL_FAST}kbit ls m2 ${UL_FAST}kbit ul m2 ${UL_FAST_N}kbit
else
$TCLASS $UL_VDEV parent 1:1 classid 1:2 htb rate ${UL_FAST}kbit ceil ${UL_FAST_N}kbit prio 1 quantum $Q_UL_FAST burst 10k
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $UL_VDEV parent 1:2 handle 2:0 esfq perturb 5 hash src
else
$TQDISC $UL_VDEV parent 1:2 handle 2:0 sfq perturb 5
fi
$TFILTR $UL_VDEV parent 1:0 prio 2 protocol ip handle 0x1 fw flowid 1:2
#ruch normalny (priorytetowy, routera, p2p i klientow)
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:1 classid 1:6 hfsc ls m2 ${UL_NORM}kbit ul m2 ${UL_NORM_N}kbit
else
$TCLASS $UL_VDEV parent 1:1 classid 1:6 htb rate ${UL_NORM}kbit ceil ${UL_NORM_N}kbit quantum $Q_UL_NORM
fi
#ruch priorytetowy
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:6 classid 1:60 hfsc ls m2 ${UL_PRIO}kbit ul m2 ${UL_NORM_N}kbit
else
$TCLASS $UL_VDEV parent 1:6 classid 1:60 htb rate ${UL_PRIO}kbit ceil ${UL_NORM_N}kbit prio 2 quantum $Q_UL_PRIO burst 5k
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $UL_VDEV parent 1:60 handle 60:0 esfq perturb 5 hash src
else
$TQDISC $UL_VDEV parent 1:60 handle 60:0 sfq perturb 5
fi
#dns
$TFILTR $UL_VDEV parent 1:0 prio 3 protocol ip u32 match ip protocol 17 0xff match ip dport 53 0xffff flowid 1:60
#ack
$TFILTR $UL_VDEV parent 1:0 prio 3 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:60
#ruch routera
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:6 classid 1:61 hfsc ls m2 ${UL_ROUTER}kbit ul m2 ${UL_ROUTER_N}kbit
else
$TCLASS $UL_VDEV parent 1:6 classid 1:61 htb rate ${UL_ROUTER}kbit ceil ${UL_ROUTER_N}kbit prio 4 quantum $Q_UL_ROUTER
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $UL_VDEV parent 1:61 handle 61:0 esfq perturb 10 hash src
else
$TQDISC $UL_VDEV parent 1:61 handle 61:0 sfq perturb 10
fi
$TFILTR $UL_VDEV parent 1:0 prio 4 protocol ip handle 0x61 fw flowid 1:61
#ruch p2p
if [ ! "$P2P_LIMIT" == "" ] ; then
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:6 classid 1:62 hfsc ls m2 ${UL_USER_RATE}kbit ul m2 ${UL_P2P}kbit
else
$TCLASS $UL_VDEV parent 1:6 classid 1:62 htb rate ${UL_USER_RATE}kbit ceil ${UL_P2P}kbit prio 8 quantum $Q_UL_USER_RATE
fi
if [ "$QOS_METHOD" == "esfq" ] ; then
$TQDISC $UL_VDEV parent 1:62 handle 62:0 esfq perturb 10 hash src
else
$TQDISC $UL_VDEV parent 1:62 handle 62:0 sfq perturb 10
fi
$TFILTR $UL_VDEV parent 1:0 prio 1 protocol ip handle 0x62 fw flowid 1:62
fi
#ruch klientow
NR=65
if [ "$QOS_INFO" == "yes" ] ; then echo "Upload" ; fi
cat $CLIENT_FILE | grep -v "#" | sed -e '/^$/d' | awk '{ print $4, $5 }' | while read CL_ULR CL_ULC ; do
UP_USER_RATE=$UL_USER_RATE
UP_USER_CEIL=$UL_NORM_N
if [ ! "$CL_ULR" == "auto" ] ; then UP_USER_RATE="$CL_ULR" ; fi
if [ ! "$CL_ULC" == "auto" ] ; then UP_USER_CEIL="$CL_ULC" ; fi
if [ "$UP_USER_RATE" -ge "$UP_USER_CEIL" ] ; then UP_USER_RATE="$UP_USER_CEIL" ; fi
R_PR1="1" ; R_PR2="1"
if [ ! "$UP_USER_RATE" == "1" ] ; then R_PR1=$[$UP_USER_RATE*$PR1/100] ; fi
if [ ! "$UP_USER_RATE" == "1" ] ; then R_PR2=$[$UP_USER_RATE*$PR2/100] ; fi
if [ "$R_PR1" -le 1 ] ; then R_PR1="1" ; fi
if [ "$R_PR2" -le 1 ] ; then R_PR2="1" ; fi
Q_UP_USER_RATE=$[$UP_USER_RATE*10/100]
if [ "$Q_UP_USER_RATE" -le 1 ] ; then Q_UP_USER_RATE="1" ; fi
#info
if [ "$QOS_INFO" == "yes" ] ; then
if [ "$USER_CL" == "2" ] ; then
echo " MARK = $NR UL_RATE = ${UP_USER_RATE}kbit (${R_PR1}:${R_PR2}) UL_CEIL = ${UP_USER_CEIL}kbit"
else
echo " MARK = $NR UL_RATE = ${UP_USER_RATE}kbit UL_CEIL = ${UP_USER_CEIL}kbit"
fi
fi
if [ "$QOS_ALG" == "hfsc" ] ; then
$TCLASS $UL_VDEV parent 1:6 classid 1:${NR} hfsc ls m2 ${UP_USER_RATE}kbit ul m2 ${UP_USER_CEIL}kbit
if [ "$USER_CL" == "2" ] ; then
$TCLASS $UL_VDEV parent 1:${NR} classid 1:${NR}1 hfsc ls m2 ${R_PR1}kbit ul m2 ${UP_USER_CEIL}kbit
$TCLASS $UL_VDEV parent 1:${NR} classid 1:${NR}2 hfsc ls m2 ${R_PR2}kbit ul m2 ${UP_USER_CEIL}kbit
fi
else
$TCLASS $UL_VDEV parent 1:6 classid 1:${NR} htb rate ${UP_USER_RATE}kbit ceil ${UP_USER_CEIL}kbit quantum $Q_UP_USER_RATE
if [ "$USER_CL" == "2" ] ; then
$TCLASS $UL_VDEV parent 1:${NR} classid 1:${NR}1 htb rate ${R_PR1}kbit ceil ${UP_USER_CEIL}kbit prio 5 quantum $Q_UP_USER_RATE
$TCLASS $UL_VDEV parent 1:${NR} classid 1:${NR}2 htb rate ${R_PR2}kbit ceil ${UP_USER_CEIL}kbit prio 6 quantum $Q_UP_USER_RATE
fi
fi
if [ "$QOS_USER_METHOD" == "esfq" ] ; then
if [ "$USER_CL" == "2" ] ; then
$TQDISC $UL_VDEV parent 1:${NR}1 handle ${NR}1:0 esfq perturb 10 hash src
$TQDISC $UL_VDEV parent 1:${NR}2 handle ${NR}2:0 esfq perturb 10 hash src
else
$TQDISC $UL_VDEV parent 1:${NR} handle ${NR}:0 esfq perturb 10 hash src
fi
else
if [ "$USER_CL" == "2" ] ; then
$TQDISC $UL_VDEV parent 1:${NR}1 handle ${NR}1:0 sfq perturb 10
$TQDISC $UL_VDEV parent 1:${NR}2 handle ${NR}2:0 sfq perturb 10
else
$TQDISC $UL_VDEV parent 1:${NR} handle ${NR}:0 sfq perturb 10
fi
fi
if [ "$USER_CL" == "2" ] ; then
$TFILTR $UL_VDEV parent 1:0 prio 5 protocol ip handle 0x${NR}1 fw flowid 1:${NR}1
$TFILTR $UL_VDEV parent 1:0 prio 6 protocol ip handle 0x${NR}2 fw flowid 1:${NR}2
else
$TFILTR $UL_VDEV parent 1:0 prio 5 protocol ip handle 0x${NR} fw flowid 1:${NR}
fi
NR=$[$NR+1]
done
fi
}
# Funkcje pomocnicze
startuj() {
echo "INTERNET IP: $INTERNET_IP"
echo "DOWNLOAD: $DOWNLOAD kbit"
echo "UPLOAD: $UPLOAD kbit"
echo -e "Start firewall..."
echo -e "FiQs "$V" (C) by \033[1;41mINTRUX\033[0m"
clear_table
set_lo
echo -e " clear table OK"
if [ ! "$ADMIN_HOST_IP" == "" ] ; then
for a in $ADMIN_HOST_IP ; do
iptables -I INPUT -s $a -j ACCEPT
iptables -I OUTPUT -d $a -j ACCEPT
done
echo -e " admin ip OK"
fi
ssh_allow
echo -e " ssh OK"
set_drop
echo -e " set drop OK"
modules
echo -e " modules OK"
kernel_secure
set_secure
set_misc_mtu
echo -e " secure OK"
set_p2p
echo -e " p2p OK"
limit_log
echo -e " limit&log OK"
output
server
echo -e " server OK"
set_proxy
set_nat
echo -e " nat OK"
set_ttl
set_tos
echo -e " ttl&tos OK"
mark_qos
if [ "$QOS_ON" == "yes" ] ; then
echo -e " mark qos OK"
fi
echo -e "...firewall OK"
}
# { start | stop | restart }
case "$1" in
start)
startuj
start_qos
if [ "$USER_ACL_ON" == "yes" ] ; then
NatACL &> /dev/null
fi
;;
stop)
killall NatACL &> /dev/null
#zapisanie stanu licznikow account
if [ -f /proc/net/ipt_account/mynetwork ] ; then
cat /proc/net/ipt_account/mynetwork > ${WKDIR}.mynetwork.save
fi
stop_qos
clear_table
set_accept
echo -e "Stop FIREWALL"
;;
restart)
killall NatACL &> /dev/null
#zapisanie stanu licznikow account
if [ -f /proc/net/ipt_account/mynetwork ] ; then
cat /proc/net/ipt_account/mynetwork > ${WKDIR}.mynetwork.save
fi
stop_qos
clear_table
set_accept
echo -e "Stop FIREWALL"
sleep 1
startuj
start_qos
if [ "$USER_ACL_ON" == "yes" ] ; then
NatACL &> /dev/null
fi
;;
reset)
killall NatACL &> /dev/null
#usuniecie zapisanych licznikow account
if [ -f ${WKDIR}.mynetwork.save ] ; then
rm -f ${WKDIR}.mynetwork.save
fi
stop_qos
clear_table
set_accept
echo -e "Stop FIREWALL"
sleep 1
startuj
start_qos
if [ "$USER_ACL_ON" == "yes" ] ; then
NatACL &> /dev/null
fi
;;
*)
echo "Wymagany parametr: { start | stop | restart | reset }"
exit 1
;;
esac
exit 0
)
