3 # Setup an initial save file
# setup.cgi: builds a fresh iptables ruleset from one of several templates
# selected by the form field $in{'auto'} (1 = NAT masquerade only,
# 2..5 = increasingly permissive INPUT policies), writes it to the module's
# save file and optionally installs the boot-time init script.
# NOTE(review): this listing has gaps (closing braces, else-branches and a
# few hash keys are not shown), so comments below describe only the lines
# that are visible.
5 require './firewall-lib.pl';
# Only users holding the module's 'setup' ACL may run this: everything that
# follows replaces the live iptables configuration.
7 $access{'setup'} || &error($text{'setup_ecannot'});
9 &lock_file($iptables_save_file);
# Reset every table to a wide-open state: all policies ACCEPT, all rules
# flushed (-F), all user chains deleted (-X). Between this point and the
# later save/apply the host has no packet filtering at all.
# Output and errors are discarded, so a failing call is invisible here;
# presumably that is because not every chain named below exists in every
# table, but it also hides genuine failures (e.g. iptables not installed).
12 foreach $t ("filter", "nat", "mangle") {
13 &system_logged("iptables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
14 &system_logged("iptables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
15 &system_logged("iptables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
16 &system_logged("iptables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
17 &system_logged("iptables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
18 &system_logged("iptables -t $t -F >/dev/null 2>&1");
19 &system_logged("iptables -t $t -X >/dev/null 2>&1");
23 # Save all existing active rules
# If the library provides unapply_iptables it is preferred; the visible
# fallback dumps the kernel's current rules straight into the save file.
# The branch structure between these two lines is not shown here.
24 if (defined(&unapply_iptables)) {
28 &backquote_logged("iptables-save >$iptables_save_file 2>&1");
31 # Get important variable ports
# Ports for the mode-3/mode-5 ACCEPT rules are read from the running
# Webmin, Usermin and sshd configurations rather than hard-coded.
32 &get_miniserv_config(\%miniserv);
33 $webmin_port = $miniserv{'port'} || 10000;
# $webmin_port2 is the upper bound of a port RANGE opened for Webmin in
# mode 5 (see the 'Allow connections to Webmin' rule): 11 ports, not one.
# TODO(review): confirm the whole range is intended and not just $webmin_port.
34 $webmin_port2 = $webmin_port + 10;
35 $usermin_port = undef;
36 if (&foreign_installed("usermin")) {
37 &foreign_require("usermin", "usermin-lib.pl");
38 &usermin::get_usermin_miniserv_config(\%uminiserv);
39 $usermin_port = $uminiserv{'port'};
# NOTE(review): this fallback appears to apply even when Usermin is not
# installed, so mode 5 opens TCP 20000 on hosts that run nothing there.
41 $usermin_port ||= 20000;
43 if (&foreign_installed("sshd")) {
44 &foreign_require("sshd", "sshd-lib.pl");
45 $conf = &sshd::get_sshd_config();
# Taken from the 'Port' directive only. Whether a default (22) is applied
# when the directive is absent, or when sshd is not installed, is not
# visible in this listing; an empty --dport in the mode-3 SSH rule would
# either break the restore or lock out remote administration. TODO confirm.
46 $ssh_port = &sshd::find_value("Port", $conf);
# Start from the parsed save file and append template rules to it.
51 @tables = &get_iptables_save();
52 if ($in{'auto'} == 1) {
53 # Add a single rule to the nat table for masquerading
# The external interface comes from the form; the free-text 'other' value
# is only checked for presence here, not validated against a pattern.
# Any validation must happen where the rule is serialised (not visible).
54 $iface = $in{'iface1'} eq 'other' ? $in{'iface1_other'}
56 $iface || &error($text{'setup_eiface'});
57 ($table) = grep { $_->{'name'} eq 'nat' } @tables;
58 push(@{$table->{'rules'}},
59 { 'chain' => 'POSTROUTING',
60 'o' => [ "", $iface ],
61 'j' => [ "", 'MASQUERADE' ] } );
63 elsif ($in{'auto'} >= 2) {
64 # Block all incoming traffic, except for established
65 # connections, DNS replies and safe ICMP types
66 # In mode 3 allow ssh and ident too
# Modes 4 and 5 both add echo-request; mode 4 then opens most unprivileged
# TCP ports, while mode 5 opens a fixed list of hosting service ports
# (DNS, HTTP/S, SMTP, FTP, POP3, IMAP, Webmin, Usermin).
67 # In mode 4 allow ftp, echo-request and high ports too
# Same presence-only check on the interface name as in mode 1.
68 $iface = $in{'iface'.$in{'auto'}} eq 'other' ?
69 $in{'iface'.$in{'auto'}.'_other'} :
70 $in{'iface'.$in{'auto'}};
71 $iface || &error($text{'setup_eiface'});
72 ($table) = grep { $_->{'name'} eq 'filter' } @tables;
# Default-deny for INPUT only; OUTPUT and FORWARD keep the ACCEPT policy
# set by the reset loop above.
73 $table->{'defaults'}->{'INPUT'} = 'DROP';
74 push(@{$table->{'rules'}},
# Everything NOT arriving on the external interface is trusted outright
# (loopback and any internal interfaces).
76 'i' => [ "!", $iface ],
77 'j' => [ "", 'ACCEPT' ],
78 'cmt' => 'Accept traffic from internal interfaces' },
# SECURITY(review): this accepts any TCP segment with ACK set, stateless,
# which lets ACK/FIN-style probes and spoofed segments past the DROP policy
# and reach the stack. The ESTABLISHED/RELATED rules that follow already
# admit legitimate return traffic, so this rule is a candidate for removal.
80 'm' => [ [ "", "tcp" ] ],
82 'tcp-flags' => [ "", "ACK", "ACK" ],
83 'j' => [ "", 'ACCEPT' ],
84 'cmt' => 'Accept traffic with the ACK flag set' },
86 'm' => [ [ "", "state" ] ],
87 'state' => [ "", "ESTABLISHED" ],
88 'j' => [ "", 'ACCEPT' ],
89 'cmt' => 'Allow incoming data that is part of a connection we established' },
91 'm' => [ [ "", "state" ] ],
92 'state' => [ "", "RELATED" ],
93 'j' => [ "", 'ACCEPT' ],
94 'cmt' => 'Allow data that is related to existing connections' },
# SECURITY(review): stateless accept of any UDP from source port 53 to any
# unprivileged port. Anyone who sends from sport 53 can reach every UDP
# service on 1024-65535. Genuine DNS replies are already covered by the
# ESTABLISHED rule above, so this rule adds exposure without benefit.
96 'm' => [ [ "", "udp" ] ],
98 'sport' => [ "", 53 ],
99 'dport' => [ "", "1024:65535" ],
100 'j' => [ "", 'ACCEPT' ],
101 'cmt' => 'Accept responses to DNS queries' },
# ICMP: only reply/error types are accepted here; echo-request (inbound
# ping) is added separately for modes 4 and 5.
# NOTE(review): 'p' is a nested list for these icmp rules but a flat
# [ "", "tcp" ] pair for the tcp rules further down - confirm the
# serialiser accepts both shapes.
102 { 'chain' => 'INPUT',
103 'm' => [ [ "", "icmp" ] ],
104 'p' => [ [ "", "icmp" ] ],
105 'icmp-type' => [ "", "echo-reply" ],
106 'j' => [ "", 'ACCEPT' ],
107 'cmt' => 'Accept responses to our pings' },
108 { 'chain' => 'INPUT',
109 'm' => [ [ "", "icmp" ] ],
110 'p' => [ [ "", "icmp" ] ],
111 'icmp-type' => [ "", "destination-unreachable" ],
112 'j' => [ "", 'ACCEPT' ],
113 'cmt' => 'Accept notifications of unreachable hosts' },
114 { 'chain' => 'INPUT',
115 'm' => [ [ "", "icmp" ] ],
116 'p' => [ [ "", "icmp" ] ],
117 'icmp-type' => [ "", "source-quench" ],
118 'j' => [ "", 'ACCEPT' ],
119 'cmt' => 'Accept notifications to reduce sending speed' },
120 { 'chain' => 'INPUT',
121 'm' => [ [ "", "icmp" ] ],
122 'p' => [ [ "", "icmp" ] ],
123 'icmp-type' => [ "", "time-exceeded" ],
124 'j' => [ "", 'ACCEPT' ],
125 'cmt' => 'Accept notifications of lost packets' },
126 { 'chain' => 'INPUT',
127 'm' => [ [ "", "icmp" ] ],
128 'p' => [ [ "", "icmp" ] ],
129 'icmp-type' => [ "", "parameter-problem" ],
130 'j' => [ "", 'ACCEPT' ],
131 'cmt' => 'Accept notifications of protocol problems' }
133 if ($in{'auto'} >= 3) {
134 # Allow ssh and ident
# $ssh_port is whatever was read from sshd_config above (see the caveat
# there about a missing Port directive).
135 push(@{$table->{'rules'}},
136 { 'chain' => 'INPUT',
137 'm' => [ [ "", "tcp" ] ],
138 'p' => [ "", "tcp" ],
139 'dport' => [ "", $ssh_port ],
140 'j' => [ "", 'ACCEPT' ],
141 'cmt' => 'Allow connections to our SSH server' },
# 'auth' is the service name for TCP 113 (ident). Opening it is only
# useful if an identd is actually running; otherwise it just exposes a
# closed port instead of dropping the probe.
142 { 'chain' => 'INPUT',
143 'm' => [ [ "", "tcp" ] ],
144 'p' => [ "", "tcp" ],
145 'dport' => [ "", "auth" ],
146 'j' => [ "", 'ACCEPT' ],
147 'cmt' => 'Allow connections to our IDENT server'}
# Modes 4 and 5: answer inbound pings.
150 if ($in{'auto'} >= 4) {
152 push(@{$table->{'rules'}},
153 { 'chain' => 'INPUT',
154 'm' => [ [ "", "icmp" ] ],
155 'p' => [ [ "", "icmp" ] ],
156 'icmp-type' => [ "", "echo-request" ],
157 'j' => [ "", 'ACCEPT' ],
158 'cmt' => 'Respond to pings' }, );
160 if ($in{'auto'} == 4) {
161 # Allow pings and most high ports
# Order matters: the three DROP rules must precede the blanket ACCEPT
# for 1024:65535 that follows them. Note this still exposes every other
# unprivileged TCP port (databases, app servers, RPC services, ...),
# so mode 4 is closer to "block privileged ports" than to a real filter.
162 push(@{$table->{'rules'}},
163 { 'chain' => 'INPUT',
164 'm' => [ [ "", "tcp" ] ],
165 'p' => [ "", "tcp" ],
166 'dport' => [ "", "2049:2050" ],
167 'j' => [ "", 'DROP' ],
168 'cmt' => 'Protect our NFS server' },
169 { 'chain' => 'INPUT',
170 'm' => [ [ "", "tcp" ] ],
171 'p' => [ "", "tcp" ],
172 'dport' => [ "", "6000:6063" ],
173 'j' => [ "", 'DROP' ],
174 'cmt' => 'Protect our X11 display server' },
175 { 'chain' => 'INPUT',
176 'm' => [ [ "", "tcp" ] ],
177 'p' => [ "", "tcp" ],
178 'dport' => [ "", "7000:7010" ],
179 'j' => [ "", 'DROP' ],
180 'cmt' => 'Protect our X font server' },
181 { 'chain' => 'INPUT',
182 'm' => [ [ "", "tcp" ] ],
183 'p' => [ "", "tcp" ],
184 'dport' => [ "", "1024:65535" ],
185 'j' => [ "", 'ACCEPT' ],
186 'cmt' => 'Allow connections to unprivileged ports' },
189 if ($in{'auto'} == 5) {
190 # Allow typical hosting server ports
# All of these are opened unconditionally; nothing here checks whether
# the corresponding service is installed or listening.
191 push(@{$table->{'rules'}},
192 { 'chain' => 'INPUT',
193 'm' => [ [ "", "tcp" ] ],
194 'p' => [ "", "tcp" ],
195 'dport' => [ "", "53" ],
196 'j' => [ "", 'ACCEPT' ],
197 'cmt' => 'Allow DNS zone transfers' },
198 { 'chain' => 'INPUT',
199 'm' => [ [ "", "udp" ] ],
200 'p' => [ "", "udp" ],
201 'dport' => [ "", "53" ],
202 'j' => [ "", 'ACCEPT' ],
203 'cmt' => 'Allow DNS queries' },
204 { 'chain' => 'INPUT',
205 'm' => [ [ "", "tcp" ] ],
206 'p' => [ "", "tcp" ],
207 'dport' => [ "", "80" ],
208 'j' => [ "", 'ACCEPT' ],
209 'cmt' => 'Allow connections to webserver' },
210 { 'chain' => 'INPUT',
211 'm' => [ [ "", "tcp" ] ],
212 'p' => [ "", "tcp" ],
213 'dport' => [ "", "443" ],
214 'j' => [ "", 'ACCEPT' ],
215 'cmt' => 'Allow SSL connections to webserver' },
216 { 'chain' => 'INPUT',
217 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
218 'p' => [ "", "tcp" ],
219 'dports' => [ "", "25,587" ],
220 'j' => [ "", 'ACCEPT' ],
221 'cmt' => 'Allow connections to mail server' },
# Covers the control port and active-mode data port only. Passive-mode
# data connections would depend on the RELATED rule above plus an FTP
# conntrack helper; nothing visible in this script loads one.
222 { 'chain' => 'INPUT',
223 'm' => [ [ "", "tcp" ] ],
224 'p' => [ "", "tcp" ],
225 'dport' => [ "", "20:21" ],
226 'j' => [ "", 'ACCEPT' ],
227 'cmt' => 'Allow connections to FTP server' },
228 { 'chain' => 'INPUT',
229 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
230 'p' => [ "", "tcp" ],
231 'dports' => [ "", "110,995" ],
232 'j' => [ "", 'ACCEPT' ],
233 'cmt' => 'Allow connections to POP3 server' },
234 { 'chain' => 'INPUT',
235 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
236 'p' => [ "", "tcp" ],
237 'dports' => [ "", "143,220,993" ],
238 'j' => [ "", 'ACCEPT' ],
239 'cmt' => 'Allow connections to IMAP server' },
# Opens the full range $webmin_port..$webmin_port+10 (see $webmin_port2).
240 { 'chain' => 'INPUT',
241 'm' => [ [ "", "tcp" ] ],
242 'p' => [ "", "tcp" ],
243 'dport' => [ "",$webmin_port.":".$webmin_port2 ],
244 'j' => [ "", 'ACCEPT' ],
245 'cmt' => 'Allow connections to Webmin' },
# Opened even when Usermin is absent (defaults to 20000 above).
246 { 'chain' => 'INPUT',
247 'm' => [ [ "", "tcp" ] ],
248 'p' => [ "", "tcp" ],
249 'dport' => [ "", $usermin_port ],
250 'j' => [ "", 'ACCEPT' ],
251 'cmt' => 'Allow connections to Usermin' },
# Persist and activate. The save/apply call between the before/after
# hooks is not shown in this listing.
255 &run_before_command();
257 &run_after_command();
# Installs the boot-time script so the ruleset survives a reboot; the
# condition guarding this call (if any) is not shown here.
262 &create_firewall_init();
264 &unlock_file($iptables_save_file);
266 &webmin_log("setup");