Release 5.3

commit d62691b71b49579d4bb904a6e5c7e6ee1e79a09d 0 parents
@hsleisink authored
1  AUTHORS
@@ -0,0 +1 @@
+Firetable has been written by Hugo Leisink <hugo@leisink.net>.
220 ChangeLog
@@ -0,0 +1,220 @@
+firetable (5.3) stable; urgency=low
+
+ * Default IPv6 configuration added.
+ * Bugfix: incorrect IPv6 address detection.
+
+ -- Hugo Leisink <hugo@leisink.net> Sat, 9 Jun 2012 17:45:41 +0200
+
+firetable (5.2) stable; urgency=low
+
+ * Source reorganized.
+ * Added script to create a Debian package.
+ * Bugfix: typo in Debian init script.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 3 Feb 2012 12:04:18 +0100
+
+firetable (5.1) stable; urgency=low
+
+ * ICMP type added to forward, snat and dnat rule.
+ * Script rewritten in PHP.
+
+ -- Hugo Leisink <hugo@leisink.net> Thu, 23 Dec 2010 19:24:10 +0100
+
+firetable (5.0) stable; urgency=low
+
+ * IPv6 support.
+
+ -- Hugo Leisink <hugo@leisink.net> Thu, 23 Sep 2010 12:21:29 +0200
+
+firetable (4.9) stable; urgency=low
+
+ * Bugfix: better handling of spaces inside a set.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 7 Feb 2007 10:28:54 +0100
+
+firetable (4.8) stable; urgency=low
+
+ * Improved search-and-replace for variables.
+ * Variables can now be included from another file.
+ * Configurationfile 'settings' renamed to 'firetable.conf'.
+ * No need to give full path for 'include'.
+ * More detailed 'status' output.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 30 Aug 2006 17:08:40 +0200
+
+firetable (4.7) stable; urgency=low
+
+ * Combine multiple lines by using sets.
+ * Usage of variables.
+ * Small improvements
+
+ -- Hugo Leisink <hugo@leisink.net> Mon, 15 May 2006 18:35:24 +0200
+
+firetable (4.6) stable; urgency=low
+
+ * log_priority setting added.
+
+ -- Hugo Leisink <hugo@leisink.net> Sat, 26 Nov 2005 16:10:39 +0100
+
+firetable (4.5) stable; urgency=low
+
+ * 'iptables' option added.
+ * Filter traffic based on a user's groupname or groupid.
+ * Use both usernames and userids for usertraffic filtering.
+ * Extra settings via /etc/firetable/settings.
+ * Removal of /etc/default/firetable. See start_on_boot in the settings file.
+ * 'firetable start' starts all available interfaces.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 31 Aug 2005 23:03:11 +0200
+
+firetable (4.4) stable; urgency=low
+
+ * Improved SNAT rules.
+
+ -- Hugo Leisink <hugo@leisink.net> Thu, 25 Aug 2005 09:53:41 +0200
+
+firetable (4.3) stable; urgency=low
+
+ * Removed automatic forwarding for DNAT rules.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 5 Aug 2005 00:49:24 +0200
+
+firetable (4.2) stable; urgency=high
+
+ * Specify ports in forward rule.
+ * Improved error-reporting.
+ * Bugfix: double 'to <subnet>[:<port>]' for user-rule in manualpage.
+ * Bugfix: 'include' closed the input chain.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 15 Jul 2005 21:58:29 +0200
+
+firetable (4.1) stable; urgency=low
+
+ * 'dont' option for forward, SNAT and DNAT.
+ * Improved flush function.
+ * Manualpage added.
+ * Bugfix: UDP and ICMP also forwarded in case of an established connection.
+
+ -- Hugo Leisink <hugo@leisink.net> Thu, 17 Jun 2005 16:49:24 +0200
+
+firetable (4.0) stable; urgency=low
+
+ * Complete syntax redesign
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 8 Jun 2005 18:41:47 +0200
+
+firetable (3.4) stable; urgency=low
+
+ * FORWARDING_RULE option added.
+ * DENY_USER_RULE option added.
+ * DNAT rules made more secure.
+
+ -- Hugo Leisink <hugo@leisink.net> Sat, 28 May 2005 19:27:32 +0200
+
+firetable (3.3) stable; urgency=low
+
+ * Policy set to ACCEPT on flush.
+
+ -- Hugo Leisink <hugo@leisink.net> Sat, 18 Sep 2004 15:48:04 +0200
+
+firetable (3.2) stable; urgency=low
+
+ * Bugfix: <CR> removed from $conf{LOCAL_IP}.
+
+ -- Hugo Leisink <hugo@leisink.net> Mon, 29 Dec 2003 15:21:17 +0100
+
+firetable (3.1) stable; urgency=low
+
+ * config_to_interface() fixed.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 14 Nov 2003 10:37:14 +0100
+
+firetable (3.0) stable; urgency=low
+
+ * Splitted firewallscript (/usr/sbin/firetable and /etc/init.d/firetable).
+ * /etc/firetable/interfaces removed.
+ * /etc/default/firetable added.
+
+ -- Hugo Leisink <hugo@leisink.net> Sat, 17 Sep 2003 12:37:12 +0200
+
+firetable (2.7) stable; urgency=low
+
+ * flush option.
+ * DENY_SERVICE_LIST option added.
+ * Quicker TCP handling.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 2 Sep 2003 14:14:02 +0200
+
+firetable (2.6) stable; urgency=low
+
+ * Support for my own VPN package.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 12 Mar 2003 21:29:43 +0100
+
+firetable (2.5) stable; urgency=low
+
+ * UDP support for DENY_SERVICE_RULE.
+ * Source IP address option for DNAT_RULE.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 12 Mar 2003 21:29:43 +0100
+
+firetable (2.4) stable; urgency=low
+
+ * SHIELD_RULE and DENY_SERVICE_RULE improved.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 7 Feb 2003 18:04:20 +0100
+
+firetable (2.3) stable; urgency=low
+
+ * BLOCK_RULE --> DENY_SERVICE_RULE.
+ * Abilty to drop all traffic from a certain host/domain with 1 rule.
+
+ -- Hugo Leisink <hugo@leisink.net> Tue, 13 Nov 2002 14:31:12 +0100
+
+firetable (2.2) stable; urgency=low
+
+ * MASQUERADE_RULE --> SNAT_RULE.
+ * REDIRECT_RULE --> DNAT_RULE.
+ * Ability to block certain remote services, like telnet or KaZaA.
+
+ -- Hugo Leisink <hugo@leisink.net> Tue, 20 Aug 2002 11:17:36 +0200
+
+firetable (2.1) stable; urgency=low
+
+ * Portforwarding with different destination port than source port.
+ * Ability to stop firewall for an inactive interface.
+ * Extra rule: reject.
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 14 Aug 2002 12:09:23 +0200
+
+firetable (2.0) stable; urgency=low
+
+ * Advanced configuration.
+
+ -- Hugo Leisink <hugo@leisink.net> Mon, 5 Aug 2002 23:52:10 +0200
+
+firetable (1.3) stable; urgency=low
+
+ * Protection against SYN-flood.
+ * Dropped hack-packets are logged.
+
+ -- Hugo Leisink <hugo@leisink.net> Sun, 28 Jul 2002 00:26:46 +0200
+
+firetable (1.2) stable; urgency=low
+
+ * Support for more than one device.
+
+ -- Hugo Leisink <hugo@leisink.net> Fri, 26 Jul 2002 18:35:54 +0200
+
+firetable (1.1) stable; urgency=low
+
+ * Removed: the anti-syn-flood rule gave problems with FTP.
+ * Bugfix: forwarding enabled for udp and icmp.
+
+ -- Hugo Leisink <hugo@leisink.net> Thu, 5 Jul 2002 23:59:14 +0200
+
+firetable (1.0) stable; urgency=low
+
+ * Created from Firechain package (ipchains firewall package).
+
+ -- Hugo Leisink <hugo@leisink.net> Wed, 4 Jul 2002 15:06:56 +0200
8 INSTALL
@@ -0,0 +1,8 @@
+Installation
+=============
+To install Firetable, run 'make install'. This will install the Firetable script in /usr/sbin and the Firetable configuration in /etc/firetable. Use the DESTDIR parameter to install Firetable in a different location. In that case, also change the CONFIG_DIR setting inside the Firetable script.
+
+
+Debian (based) operating systems
+=================================
+To create a Firetable Debian package, execute the script 'extra/make_debian_package'.
339 LICENSE
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
21 Makefile
@@ -0,0 +1,21 @@
+.PHONY: clean install dist deb
+
+all:
+ @echo "Nothing to compile. Use 'make install' to install Firetable."
+
+clean:
+ @rm -rf build
+ @rm -f firetable-*.tar.gz
+ @rm -f firetable_*.deb
+
+install:
+ install -D -m 0755 src/firetable ${DESTDIR}/usr/sbin/firetable
+ install -d -m 0755 ${DESTDIR}/etc/firetable
+ install -m 0644 config/* ${DESTDIR}/etc/firetable
+ install -D -m 0644 man/firetable.1 ${DESTDIR}/usr/share/man/man1/firetable.1
+
+dist:
+ extra/make_source_package
+
+deb:
+ extra/make_debian_package
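Review bot: The `clean` target removes `build`, but extra/make_debian_package creates its working tree as `build_debian_package` (and extra/make_debian_extra reuses that name), so `make clean` leaves the packaging tree behind; change the line to `@rm -rf build build_debian_package`. `all` is also missing from `.PHONY`, so a stray file named `all` in the tree would silence the target. `${DESTDIR}` is unquoted in the four install lines; a DESTDIR containing whitespace breaks them, so `"${DESTDIR}"` is the safer spelling even if the common case is unaffected.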
19 config/firetable.conf
@@ -0,0 +1,19 @@
+# Settings for Firetable.
+
+# Enable firetable for IP protocols
+enable_ipv4 = yes
+enable_ipv6 = no
+
+# If you've disabled NAT in the kernel, also disable it in Firetable.
+#
+enable_nat = no
+
+# Space-seperated list of interfaces Firetable will use at boottime.
+# When using 'all', Firetable will use all available interfaces.
+#
+enable_on_boot = all
+
+# Syslog's log priority. One of the following keywords: debug, info,
+# notice, warning, error, crit, alert or panic.
+#
+log_priority = info
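Review bot: The comment above `enable_ipv6 = no` should state what the default implies: with IPv6 disabled here Firetable presumably installs no ip6tables rules, so on a dual-stack host IPv6 traffic is not subject to the restrictions the IPv4 file applies — a line such as `# With IPv6 disabled, Firetable leaves ip6tables untouched; enable it on dual-stack hosts.` would make that visible to whoever keeps the default (confirm against src/firetable, which is not in this commit view). Two wording fixes in the same file: `Space-seperated` should read `Space-separated`, and `# Enable firetable for IP protocols` is clearer as `# IP protocol versions Firetable manages`.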
18 config/ipv4_eth0
@@ -0,0 +1,18 @@
+# Firetable configuration for IPv4
+
+
+# Settings
+#
+set subnetmask 32
+
+
+# Incoming traffic
+#
+accept incoming tcp to server:{22, 25, 80, 443, 993, 995}
+accept incoming udp to server:53
+accept incoming icmp type 11 from anywhere to server # Traceroute
+
+
+# Outgoing traffic
+#
+accept outgoing ip
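Review bot: The only inbound ICMP this default accepts is type 11 (`accept incoming icmp type 11 from anywhere to server # Traceroute`); if the implicit policy for unmatched traffic is drop, type 3 (destination unreachable, including the fragmentation-needed code) is dropped too and path-MTU discovery for the server's own connections breaks. The IPv6 counterpart in config/ipv6_eth0 does accept the error types 1-4, so the two shipped defaults are inconsistent; consider adding `accept incoming icmp type 3 from anywhere to server # Destination unreachable (PMTUD)`. Whether unmatched traffic is actually dropped depends on src/firetable, which is outside this view.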
17 config/ipv6_eth0
@@ -0,0 +1,17 @@
+# Firetable configuration for IPv6
+
+
+# Settings
+#
+set subnetmask 48
+
+
+# Incoming traffic
+#
+accept incoming tcp to server.{22, 25, 80, 443, 993, 995}
+accept incoming icmp type {1,2,3,4,133,134,135,136,137} to server
+
+
+# Outgoing traffic
+#
+accept outgoing ip
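Review bot: The rule `accept incoming icmp type {1,2,3,4,133,134,135,136,137} to server` carries no comment, unlike the `# Traceroute` annotation in config/ipv4_eth0, and the set mixes two purposes that a maintainer should be able to tell apart: `# 1-4: ICMPv6 error messages (Packet Too Big is required for PMTUD)` and `# 133-137: Router/Neighbor Discovery (IPv6 does not function without these)`. Splitting the set into two rules under those two comments would also make clear which half is safe to tighten. The port separator in `server.{22, 25, 80, 443, 993, 995}` is a dot where the IPv4 file uses a colon; presumably because a colon is ambiguous inside IPv6 addresses, and a one-line comment saying so would stop readers from "fixing" it.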
5 extra/debian/README.debian
@@ -0,0 +1,5 @@
+Iptables firewall management script
+
+See http://projects.leisink.org/firetable for more information.
+
+Hugo Leisink <hugo@leisink.net>, Mon, 6 Jun 2005 10:34:56 +0100
1  extra/debian/compat
@@ -0,0 +1 @@
+5
13 extra/debian/control
@@ -0,0 +1,13 @@
+Source: firetable
+Section: net
+Priority: optional
+Maintainer: Hugo Leisink <hugo@leisink.net>
+Homepage: http://projects.leisink.net/firetable
+Standards-Version: 3.6.2
+
+Package: firetable
+Architecture: any
+Depends: netbase, iptables, php5-cli
+Conflicts:
+Description: IPtables firewall management script
+ Script to maintain an IPtables firewall
10 extra/debian/copyright
@@ -0,0 +1,10 @@
+Firetable is written by Hugo Leisink <hugo@leisink.net>.
+
+It was downloaded from http://projects.leisink.org/firetable.
+
+Copyright (C) 2012 by Hugo Leisink <hugo@leisink.net>
+
+You are free to distribute this software under the terms of
+the GNU General Public License.
+On Debian systems, the complete text of the GNU General Public
+License can be found in the file '/usr/share/common-licenses/GPL-2'.
3  extra/debian/firetable.dirs
@@ -0,0 +1,3 @@
+usr/sbin
+etc/firetable
+etc/init.d
17 extra/debian/firetable.dsc
@@ -0,0 +1,17 @@
+Format: 3.0 (native)
+Source: firetable
+Binary: firetable
+Architecture: any
+Version: <VERSION>
+Maintainer: Hugo Leisink <hugo@leisink.net>
+Homepage: http://projects.leisink.net/firetable
+Standards-Version: 3.6.2
+Build-Depends:<DEPENDS>
+Package-List:
+ firetable deb net optional
+Checksums-Sha1:
+ <SHA1> <SIZE> firetable_<VERSION>.tar.gz
+Checksums-Sha256:
+ <SHA256> <SIZE> firetable_<VERSION>.tar.gz
+Files:
+ <MD5> <SIZE> firetable_<VERSION>.tar.gz
4 extra/debian/firetable.postrm
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -e
+#DEBHELPER#
4 extra/debian/firetable.prerm
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -e
+#DEBHELPER#
15 extra/debian/info
@@ -0,0 +1,15 @@
+# This is a configuration files for installing a .info menu
+# The Description to be placed into the directory
+DESCR="iptables firewall management script"
+
+# The section this info file should be placed in (Regexp) followed by
+# the new section name to be created if the Regexp does not match
+# (Optional. If not given the .info will be appended to the directory)
+#SECTION_MATCH="Regexp"
+#SECTION_NAME="New Section Name"
+
+# The file referred to from the Info directory
+#FILE=firewall.info
+
+# Optional. The files to be copied to /usr/share/info
+#FILES=*.info
38 extra/debian/init.d
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Firetable start/stop script for Linux
+#
+### BEGIN INIT INFO
+# Provides: firetable
+# Required-Start: $syslog $network $remote_fs
+# Required-Stop: $syslog $network $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: IPtables firewall script
+# Description: Firetable, a script for IPtable firewalls
+### END INIT INFO
+
+
+# Defaults
+if [ -r /etc/firetable/firetable.conf ]; then
+ INTERFACES=`grep "^enable_on_boot" /etc/firetable/firetable.conf | cut -f2 -d"=" | sed "s/^ *//"`
+fi
+
+function firetable
+
+case "$1" in
+ start|stop)
+ if [ "${INTERFACES}" = "all" ]; then
+ /usr/sbin/firetable $1
+ elif [ "${INTERFACES}" != "" ]; then
+ /usr/sbin/firetable $1 ${INTERFACES}
+ fi
+ ;;
+ restart|force-reload)
+ ;;
+ *)
+ echo "Usage: /etc/init.d/firetable {start|stop}"
+ exit 1
+esac
+
+exit 0
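Review bot: The bare `function firetable` line before `case "$1" in` turns the whole case statement into the body of a function that is never called — bash allows a newline list between the function name and its compound command — so the script parses cleanly, defines the function, and reaches `exit 0` without ever invoking /usr/sbin/firetable, meaning the firewall is not loaded at boot. Deleting that single line restores the intended behaviour; alternatively keep the function and add `firetable "$@"` before `exit 0`. Separately, `restart|force-reload)` is accepted as a silent no-op although the usage text lists only start|stop and the man page synopsis in man/firetable.1 does list restart; either forward it (`/usr/sbin/firetable restart`) or drop the branch so the action falls through to the usage error. `$1` should be quoted in the two `/usr/sbin/firetable $1 ...` calls.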
52 extra/make_debian_extra
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+if [ ! -f /etc/debian_version ]; then
+ echo "Debian (clone) required."
+ exit
+fi
+
+# Make Debian package
+#
+cd `dirname $0`/..
+extra/make_debian_package -b
+version=`grep VERSION src/firetable | head -1 | cut -f4 -d'"'`
+if [ ! -f firetable_${version}_amd64.deb ]; then
+ exit
+fi
+
+# Generate .dsc file
+#
+if [ -f firetable-${version}.tar.gz ]; then
+ cp firetable-${version}.tar.gz firetable_${version}.tar.gz
+fi
+if [ ! -f firetable_${version}.tar.gz ]; then
+ mv firetable_*.deb build_debian_package
+ extra/make_source_package
+ mv firetable-${version}.tar.gz firetable_${version}.tar.gz
+ mv build_debian_package/firetable_*.deb .
+fi
+
+size=`stat firetable_${version}.tar.gz -c%s`
+md5=`md5sum firetable_${version}.tar.gz | cut -f1 -d' '`
+sha1=`sha1sum firetable_${version}.tar.gz | cut -f1 -d' '`
+sha256=`sha256sum firetable_${version}.tar.gz | cut -f1 -d' '`
+depends=`cat extra/debian/control | grep Build-Depends | cut -f2 -d:`
+
+sed "s/<VERSION>/${version}/" extra/debian/firetable.dsc | sed "s/<SIZE>/${size}/" | sed "s/<DEPENDS>/${depends}/" | \
+ sed "s/<MD5>/${md5}/" | sed "s/<SHA1>/${sha1}/" | sed "s/<SHA256>/${sha256}/" > firetable_${version}.dsc
+gpg --clearsign firetable_${version}.dsc
+mv firetable_${version}.dsc.asc firetable_${version}.dsc
+
+# Generate .changes file
+#
+cd build_debian_package
+dpkg-genchanges > ../firetable_${version}.changes
+cd ..
+gpg --clearsign firetable_${version}.changes
+mv firetable_${version}.changes.asc firetable_${version}.changes
+
+# Done
+#
+if [ "$1" != "-b" ]; then
+ rm -rf build_debian_package
+fi
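Review bot: Both failure paths (`echo "Debian (clone) required."; exit` and the missing-.deb check) exit with status 0, so a caller cannot tell that nothing was built; both should be `exit 1`. The .deb check hard-codes the architecture in `firetable_${version}_amd64.deb` although extra/debian/control declares `Architecture: any`, so on any other architecture the script stops silently. `version` is taken from `grep VERSION src/firetable` while extra/make_source_package derives it from the ChangeLog header; if the two ever disagree, the `mv firetable-${version}.tar.gz firetable_${version}.tar.gz` after the rebuild fails. Finally, `grep Build-Depends` on extra/debian/control finds nothing because the control file in this commit has no Build-Depends field, so `<DEPENDS>` in the generated .dsc is replaced by an empty string.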
66 extra/make_debian_package
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+if [ ! -f /etc/debian_version ]; then
+ echo "Debian (clone) required."
+ exit
+fi
+
+# Checking for packages required for building a Debian package
+#
+echo "-- Checking for required packages"
+packages="dpkg-dev debhelper fakeroot"
+missing=""
+for package in ${packages}; do
+ installed=`dpkg -l ${package} | tail -1 | cut -b1-2`
+ if [ "$installed" != "ii" ]; then
+ missing="${missing} ${package}"
+ fi
+done
+if [ "${missing}" != "" ]; then
+ echo "The following packages are missing:${missing}"
+ exit
+fi
+
+# Setup build directory
+#
+cd `dirname $0`/..
+if [ -d build_debian_package ]; then
+ rm -rf build_debian_package
+fi
+mkdir build_debian_package
+cd build_debian_package
+cp -r ../extra/debian .
+
+# Make Debian package
+#
+dh_testdir
+fakeroot dh_testroot
+if [ -f /usr/bin/dh_prep ]; then
+ dh_prep
+else
+ dh_clean -k
+fi
+dh_installdirs
+echo "-- Building package"
+dh_strip
+cp ../src/firetable debian/firetable/usr/sbin
+cp ../config/* debian/firetable/etc/firetable
+fakeroot dh_installman ../man/firetable.1
+fakeroot dh_installinit -n
+fakeroot dh_installdocs
+cp ../ChangeLog debian/changelog
+fakeroot dh_installchangelogs
+gzip -9 debian/firetable/usr/share/doc/firetable/changelog*
+gzip -9 debian/firetable/usr/share/man/man1/*
+dh_installinit -o
+fakeroot dh_installdeb
+fakeroot dh_gencontrol
+fakeroot dh_md5sums
+fakeroot dh_builddeb
+
+# Done
+#
+cd ..
+if [ "$1" != "-b" ]; then
+ rm -rf build_debian_package
+fi
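Review bot: The ``cd `dirname $0`/..`` before the build is unchecked and unquoted, and it is immediately followed by `rm -rf build_debian_package`, so if the directory change fails (a path containing spaces, an unusual invocation path) the removal and the following `cp`/`dh_*` steps run in whatever the current directory happens to be. Write it as `cd "$(dirname "$0")/.." || exit 1`; extra/make_debian_extra has the same unchecked `cd` before it invokes this script. The package check screen-scrapes `dpkg -l ${package} | tail -1 | cut -b1-2`, which emits a stderr line for every unknown package; `dpkg-query -W -f='${Status}' "${package}" 2>/dev/null` reads the install state directly and avoids the noise.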
9 extra/make_source_package
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+echo "-- Building source package"
+VERSION=`head -1 ChangeLog | cut -f2 -d"(" | cut -f1 -d")"`
+touch firetable-${VERSION}.tar.gz
+cd ..
+ln -s firetable firetable-${VERSION}
+tar --exclude=*.tar.gz --exclude=*.deb -czhf firetable/firetable-${VERSION}.tar.gz firetable-${VERSION}
+rm firetable-${VERSION}
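Review bot: The tarball step assumes the checkout directory is literally named `firetable` (`ln -s firetable firetable-${VERSION}` and the `firetable/...` output path); under any other name the symlink dangles, `tar` fails, the exit status is that of the final `rm` (0), and the empty `firetable-${VERSION}.tar.gz` created by `touch` is left in the checkout, which make_debian_extra then appears to rename, checksum and sign as the source release. Derive the name instead: `dir=$(basename "$PWD")` before the `cd ..`, then `ln -s "$dir" firetable-${VERSION}` and `-czhf "$dir/firetable-${VERSION}.tar.gz"`. Note also that `-h` dereferences every symlink inside the tree into the archive, so a stray symlink in the working copy would pull files from outside the repository into the published tarball; `tar --transform` applied to the checkout itself would avoid both the parent-directory symlink and `-h`. The version is read from `ChangeLog` here but from `src/firetable` in make_debian_extra; if the two ever disagree, the later `mv firetable-${version}.tar.gz` fails.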
178 man/firetable.1
@@ -0,0 +1,178 @@
+.TH FIRETABLE 1
+
+.SH NAME
+firetable \- IPtables firewall script
+
+.SH SYNOPSIS
+.B firetable
+{start|stop|restart|status|flush|debug}
+
+.SH CONFIG
+Place the configuration for each interface in a seperate file: /etc/firetable/ipv[46]_<interface>
+
+.SH FORMAT
+include <filename>
+
+set subnetmask 0..32
+.br
+set <variable> <value> usage: $<variable>
+
+(accept|drop|reject) (incoming|outgoing) ip [from <subnet>] [to <subnet>]
+.br
+(accept|drop|reject) (incoming|outgoing) (tcp|udp) [from <subnet>[:<port>]] [to <host>[:<port>]]
+.br
+(accept|drop|reject) (incoming|outgoing) icmp [type <icmp-type>] [from <subnet>] [to <subnet>]
+.br
+(accept|drop|reject) user <username|userid> [to <subnet>[:<port>]]
+.br
+(accept|drop|reject) group <groupname|groupid> [to <subnet>[:<port>]]
+
+[dont] forward ip [from <subnet>] [to <subnet>]
+.br
+[dont] forward (tcp|udp) [from <subnet>[:<port>]] [to <subnet>[:<port>]]
+.br
+[dont] forward icmp [type <icmp-type>] [from <subnet>] [to <subnet>]
+.br
+snat (tcp|udp) [from <subnet>[:<port>]] [to <subnet>[:<port>]] [-> <host>]
+.br
+snat (icmp|ip) [from <subnet>] [to <subnet>] [-> <host>]
+.br
+dont snat (tcp|udp) [from <subnet>[:<port>]] [to <subnet>[:<port>]]
+.br
+dont snat (icmp|ip) [from <subnet>] [to <subnet>]
+.br
+dnat (tcp|udp) [from <subnet>[:<port>]] to <subnet>:<port> -> <host>[:<port>]
+.br
+dont dnat (tcp|udp) [from <subnet>[:<port>]] to <subnet>:<port>
+
+iptables <iptables commandline options>
+
+.SH TYPES
+<host> : <ip_address>
+.br
+<subnet>: <ip_address>[/<subnetmask>]
+.br
+<port> : (1..65535)[-(1..65535)]
+.br
+<userid>: (0..65535)
+
+.SH ALIASES
+ 'server' will be translated to the IP address of the interface
+.br
+ 'domain' will be translated to the IP address if the interface with $subnetmask as the subnetmask
+.br
+ 'anywhere' will be translated to '0.0.0.0/0' for IPv4 or '::/0' for IPv6
+
+.SH SETS
+You can combine multiple lines by using sets. The elements in a set are seperated by commas and the set starts and ends with an accolade. For example, the configuration line
+.br
+
+ accept incoming {tcp, udp} to server:{100, 200}
+.br
+
+expands to:
+.br
+
+ accept incoming tcp to server:100
+.br
+ accept incoming tcp to server:200
+.br
+ accept incoming udp to server:100
+.br
+ accept incoming udp to server:200
+
+.SH EXAMPLE
+In the following example, a server connects a LAN (eth1) to the Internet (eth0).
+.TP
+.B Configuration file for the Internet interface (ipv4_eth0):
+# Firetable configurationfile for eth0
+.br
+#
+.br
+set subnetmask 32
+.br
+set ntp_server ntp.xs4all.nl
+.br
+set web_server 192.168.0.5
+
+# Allowed traffic
+.br
+#
+.br
+accept incoming tcp to server:{21-22, 25, 80, 443, 993, 995}
+.br
+accept incoming udp from anywhere:53
+.br
+accept incoming udp from $ntp_server to server:123
+.br
+drop outgoing tcp to anywhere:23
+
+# SNAT LAN traffic
+.br
+#
+.br
+# Don't forget to forward the traffic coming from the LAN.
+.br
+#
+.br
+snat ip from 192.168.0.0/16
+
+# DNAT (port forwarding)
+.br
+#
+.br
+dnat tcp to server:1022 -> server:22
+
+dnat tcp to server:{80, 443} -> $web_server
+.br
+forward tcp from anywhere to $web_server:{80, 443} # other machine, so forward
+
+accept outgoing ip from server
+
+.TP
+.B Configuration file for the LAN interface (ipv4_eth1):
+# Firetable configurationfile for eth1
+.br
+#
+.br
+set subnetmask 32
+
+# Allowed traffic
+.br
+#
+.br
+accept incoming ip to anywhere
+.br
+forward ip from 192.168.0.0/16
+.br
+
+accept outgoing ip from anywhere
+
+.SH SETTINGS
+Place the following settings in /etc/firetable/firetable.conf
+.TP
+.B enable_nat = yes|no
+If you've disabled NAT in the kernel, also disable it in Firetable.
+.TP
+.B use_colors = yes|no
+Allow Firetable to use colors.
+.TP
+.B enable_on_boot = [<interface> [<interface>] ...]
+Space-seperated list of interfaces Firetable will use at boottime. When empty, Firetable will use all available interfaces.
+.TP
+.B log_priority = (debug|info|notice|warning|error|crit|alert|panic)
+Syslog's log priority for Firetable
+
+.SH FILES
+.B /usr/sbin/firetable
+.br
+.B /etc/init.d/firetable
+.br
+.B /etc/firetable/ipv[46]_<interface>
+.br
+.B /etc/firetable/firetable.conf
+
+.SH AUTHOR
+Firetable is written by Hugo Leisink <hugo@leisink.net> in PHP. More info about Firetable at website:
+.br
+\fIhttp://projects.leisink.org/\fP
1,186 src/firetable
@@ -0,0 +1,1186 @@
+#!/usr/bin/php5
+<?php
+ /* Firetable, Copyright (C) by Hugo Leisink <hugo@leisink.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License. For a copy,
+ * see http://www.gnu.org/licenses/gpl-2.0.html.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+ define("VERSION", "5.3");
+ define("CONFIG_DIR", "/etc/firetable");
+
+ define("NORMAL", "\x1b[0m");
+ define("RED", "\x1b[31m");
+ define("YELLOW", "\x1b[33m");
+ define("GREEN", "\x1b[32m");
+
+ /* IPtables class
+ */
+ class iptables {
+ private $binary = null;
+ private $commands = array();
+ private $debug = false;
+
+ /* Constructor
+ *
+ * INPUT: string binary
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function __construct($binary) {
+ $this->binary = $binary;
+ }
+
+ /* Destructor
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function __destruct() {
+ $this->execute_queued();
+ }
+
+ /* Magic method set
+ *
+ * INPUT: string key, string value
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function __set($key, $value) {
+ switch ($key) {
+ case "debug": $this->debug = $value; break;
+ }
+ }
+
+ /* Execute iptables command
+ *
+ * INPUT: string iptables command
+ * OUTPUT: true
+ * ERROR: false
+ */
+ public function execute($command, &$output = null, $force = false) {
+ $command = preg_replace('/ +/', " ", $command);
+ if (($this->debug == false) || $force) {
+ $output = null;
+ $return_var = null;
+ exec($this->binary." ".$command, $output, $return_value);
+
+ return $return_value;
+ } else {
+ print $this->binary." ".$command."\n";
+
+ return 0;
+ }
+ }
+
+ /* Execute queued iptables commands
+ *
+ * INPUT: -
+ * OUTPUT: true
+ * ERROR: false
+ */
+ public function execute_queued() {
+ foreach ($this->commands as $command) {
+ if ($this->execute($command) !== 0) {
+ return false;
+ }
+ }
+
+ $this->flush_queue();
+
+ return true;
+ }
+
+ /* Queue iptables command
+ *
+ * INPUT: string iptables command
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function queue($command) {
+ array_push($this->commands, $command);
+ }
+
+ /* Flush command queue
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function flush_queue() {
+ $this->commands = array();
+ }
+ }
+
+ /* Firetable class
+ */
+ abstract class firetable {
+ private $iptables = null;
+ private $debug = false;
+ private $script = null;
+ private $server = null;
+ protected $ip_version = 4;
+ protected $digit_separator = ":";
+ protected $anywhere = "0.0.0.0/0";
+ protected $icmp = "icmp";
+ private $settings = array(
+ "iptables4" => "/sbin/iptables",
+ "iptables6" => "/sbin/ip6tables",
+ "enable_ipv4" => false,
+ "enable_ipv6" => false,
+ "enable_nat" => false,
+ "log_priority" => "info");
+ private $aliases = null;
+ private $protocols = array();
+
+ /* Constructor
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function __construct() {
+ /* Firetable configuration
+ */
+ if (($config = $this->read_file(CONFIG_DIR."/firetable.conf")) === false) {
+ exit("Can't find firetable configuration file.\n");
+ }
+
+ foreach ($config as $line) {
+ list($key, $value) = explode("=", $line);
+ $value = trim($value);
+
+ if (in_array($value, array("true", "yes"))) {
+ $value = true;
+ } else if (in_array($value, array("false", "no"))) {
+ $value = false;
+ }
+ $this->settings[trim($key)] = $value;
+ }
+
+ /* Disable NAT for IPv6
+ */
+ if ($this->ip_version == 6) {
+ $this->settings["enable_nat"] = false;
+ }
+
+ /* iptables object
+ */
+ $this->iptables = new iptables($this->settings["iptables".$this->ip_version]);
+ $this->iptables->debug = $this->debug;
+ }
+
+ /* Read file without comments
+ *
+ * INPUT: string filename
+ * OUTPUT: array file content
+ * ERROR: false
+ */
+ private function read_file($file) {
+ if (($fp = @fopen($file, "r")) === false) {
+ return false;
+ }
+
+ $content = array();
+ while (($line = fgets($fp)) !== false) {
+ $line = trim(preg_replace('/#.*/', "", $line));
+ if ($line == "") {
+ continue;
+ }
+ $line = str_replace("\t", " ", $line);
+ $line = preg_replace('/ +/', " ", $line);
+
+ array_push($content, $line);
+ }
+
+ fclose($fp);
+
+ return $content;
+ }
+
+ /* Read firetable rules file
+ *
+ * INPUT: string filename
+ * OUTPUT: array rules
+ * ERROR: false
+ */
+ private function read_rules_file($file) {
+ if (($content = $this->read_file(CONFIG_DIR."/".$file)) === false) {
+ printf("Error reading file '%s/%s'.\n", CONFIG_DIR, $file);
+ return false;
+ }
+
+ $config = array();
+ foreach ($content as $line) {
+ if (substr($line, 0, 8) == "include ") {
+ $file = trim(substr($line, 8));
+ if (($include = $this->read_rules_file($file)) === false) {
+ return false;
+ }
+ $config = array_merge($config, $include);
+ } else {
+ array_push($config, $line);
+ }
+ }
+
+ return $config;
+ }
+
+ /* Replace aliases
+ *
+ * INPUT: string line
+ * OUTPUT: string line
+ * ERROR: -
+ */
+ private function replace_aliases($line) {
+ foreach ($this->aliases as $match => $alias) {
+ $line = str_replace("$".$match, $alias, $line);
+ }
+
+ return $line;
+ }
+
+ /* Expand sets in firewall rule
+ *
+ * INPUT: string rule
+ * OUTPUT: array expanded rules
+ * ERROR: -
+ */
+ private function expand_sets($rule) {
+ if (($begin = strrpos($rule, "{")) === false) {
+ return array($rule);
+ } else if (($end = strpos($rule, "}", $begin + 1)) === false) {
+ return array($rule);
+ }
+
+ $head = substr($rule, 0, $begin);
+ $set = substr($rule, $begin + 1, $end - $begin - 1);
+ $tail = substr($rule, $end + 1);
+ $items = explode(",", $set);
+
+ $rules = array();
+ foreach ($items as &$item) {
+ $expanded = $this->expand_sets($head.trim($item).$tail);
+ foreach ($expanded as $item) {
+ array_push($rules, $item);
+ }
+ }
+
+ return $rules;
+ }
+
+ /* Count interfaces with active firewall
+ *
+ * INPUT: -
+ * OUTPUT: int active firewalls
+ * ERROR: -
+ */
+ private function count_firewalls() {
+ $this->iptables->execute("-L OUTPUT -n", $output, true);
+ array_shift($output);
+ array_shift($output);
+ array_shift($output);
+
+ return count($output);
+ }
+
+ /* Firewall active?
+ *
+ * INPUT: string interface
+ * OUTPUT: bool active
+ * ERROR: -
+ */
+ private function firewall_active($interface) {
+ $this->iptables->execute("-L OUTPUT -n", $output, true);
+ array_shift($output);
+ array_shift($output);
+
+ $len = strlen($interface) + 1;
+ foreach ($output as $line) {
+ if (substr($line, 0, $len) == $interface."_") {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /* Support tables active?
+ *
+ * INPUT: string interface
+ * OUTPUT: bool active
+ * ERROR: -
+ */
+ private function support_tables_active() {
+ $this->iptables->execute("-L OUTPUT -n", $output, true);
+
+ return count($output) > 2;
+ }
+
+ /* Support tables active?
+ *
+ * INPUT: string interface, string filename
+ * OUTPUT: bool active
+ * ERROR: -
+ */
+ private function get_id($name, $filename) {
+ if (($file = file($filename)) === false) {
+ return false;
+ }
+
+ foreach ($file as $line) {
+ list($key, , $id) = explode(":", $line, 4);
+
+ if ($key == $name) {
+ return $id;
+ }
+ }
+
+ return null;
+ }
+
+ /* Filter rule
+ *
+ * INPUT: string command, array rule
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function filter($interface, $command, $rule) {
+ $target = "-j ".strtoupper($command);
+ $user = null;
+
+ $i = 0;
+ switch ($rule[$i]) {
+ case "incoming":
+ $table = "-A ".$interface."_in";
+ $from_host = $this->anywhere;
+ $to_host = $this->server."/".$this->aliases["subnetmask"];
+ break;
+ case "outgoing":
+ $table = "-A ".$interface."_out";
+ $from_host = $this->server."/".$this->aliases["subnetmask"];
+ $to_host = $this->anywhere;
+ break;
+ case "user":
+ $table = "-A ".$interface."_out";
+ $protocol = "-p tcp";
+ if (ctype_digit($rule[++$i]) == false) {
+ if (($user = $this->get_id($rule[$i], "/etc/passwd")) == false) {
+ printf("unknown user '%s'\n", $rule[$i]);
+ return false;
+ }
+ }
+ $user = "-m owner --uid-owner ".$rule[$i];
+ $to_host = $anywhere;
+ break;
+ case "group":
+ $table = "-A ".$interface."_out";
+ $protocol = "-p tcp";
+ if (ctype_digit($rule[++$i]) == false) {
+ if (($user = $this->get_id($rule[$i], "/etc/group")) == false) {
+ printf("unknown group '%s'\n", $rule[$i]);
+ return false;
+ }
+ }
+ $user = "-m owner --gid-owner ".$rule[$i];
+ $to_host = $anywhere;
+ break;
+ default:
+ printf("unknown command '%s'\n", $rule[$i]);
+ return false;
+ }
+ $i++;
+
+ $ports_allowed = false;
+
+ if ($user == null) {
+ /* Blocking user traffic
+ */
+ if ($rule[$i] != "ip") {
+ $protocol = "-p ".$rule[$i];
+ if ($rule[$i] == "tcp") {
+ $protocol .= " --syn";
+ $ports_allowed = true;
+ } else if ($rule[$i] == "udp") {
+ $ports_allowed = true;
+ } else if (($rule[$i] == $this->icmp) && ($rule[$i+1] == "type")) {
+ $i += 2;
+ $protocol .= " --".$this->icmp."-type ".$rule[$i];
+ }
+ }
+ $i++;
+
+ if ($rule[$i] == "from") {
+ list($from_host, $from_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($from_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $from_port = "--sport ".str_replace("-", ":", $from_port);
+ }
+ $i++;
+ }
+ $from_host = "-s ".$from_host;
+ }
+
+ if ($rule[$i] == "to") {
+ list($to_host, $to_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($to_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $to_port = "--dport ".str_replace("-", ":", $to_port);
+ }
+ $i++;
+ }
+ $to_host = "-d ".$to_host;
+
+ if (count($rule) != $i) {
+ printf("unknown option '%s'\n", $rule[$i]);
+ return false;
+ }
+
+ return implode(" ", array($table, $protocol, $from_host, $from_port, $to_host, $to_port, $user, $target));
+ }
+
+ /* Forward rule
+ *
+ * INPUT: bool dont, array rule
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function forward($interface, $dont, $rule) {
+ $i = 0;
+ $ports_allowed = false;
+
+ if ($rule[$i] != "ip") {
+ $protocol = "-p ".$rule[$i];
+ if ($rule[$i] == "tcp") {
+ $protocol .= " --syn";
+ $ports_allowed = true;
+ } else if ($rule[$i] == "udp") {
+ $ports_allowed = true;
+ } else if (($rule[$i] == $this->icmp) && ($rule[$i+1] == "type")) {
+ $i += 2;
+ $protocol .= " --".$this->icmp."-type ".$rule[$i];
+ }
+ }
+ $i++;
+
+ if ($rule[$i] == "from") {
+ list($from_host, $from_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($from_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $from_port = "--sport ".str_replace("-", ":", $from_port);
+ }
+ $i++;
+ $from_host = "-s ".$from_host;
+ }
+
+ if ($rule[$i] == "to") {
+ list($to_host, $to_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($to_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $to_port = "--dport ".str_replace("-", ":", $to_port);
+ }
+ $i++;
+ $to_host = "-d ".$to_host;
+ }
+
+ if (count($rule) != $i) {
+ printf("unknown option '%s'\n", $rule[$i]);
+ return false;
+ }
+
+ $target = "-j ".($dont ? "RETURN" : "ACCEPT");
+
+ return implode(" ", array("-A ".$interface."_forw", $protocol, $from_host, $from_port, $to_host, $to_port, $target));
+ }
+
+ /* SNAT rule
+ *
+ * INPUT: bool dont, array rule
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function snat($interface, $dont, $rule) {
+ $i = 0;
+ $ports_allowed = false;
+
+ if ($rule[$i] != "ip") {
+ $protocol = "-p ".$rule[$i];
+ if ($rule[$i] == "tcp") {
+ $protocol .= " --syn";
+ $ports_allowed = true;
+ } else if ($rule[$i] == "udp") {
+ $ports_allowed = true;
+ } else if (($rule[$i] == $this->icmp) && ($rule[$i+1] == "type")) {
+ $i += 2;
+ $protocol .= " --".$this->icmp."-type ".$rule[$i];
+ }
+ }
+ $i++;
+
+ if ($rule[$i] == "from") {
+ list($from_host, $from_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($from_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $from_port = "--sport ".str_replace("-", ":", $from_port);
+ }
+ $i++;
+ $from_host = "-s ".$from_host;
+ }
+
+ if ($rule[$i] == "to") {
+ list($to_host, $to_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($to_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $to_port = "--dport ".str_replace("-", ":", $to_port);
+ }
+ $i++;
+ $to_host = "-d ".$to_host;
+ }
+
+ if ($dont == false) {
+ if ($rule[$i] == "->") {
+ $snat_host = $rule[++$i];
+ $i++;
+ } else {
+ $snat_host = $this->server;
+ }
+
+ $target = "-j SNAT --to-source ".$snat_host;
+ } else {
+ $target = "-j RETURN";
+ }
+
+ if (count($rule) != $i) {
+ printf("unknown option '%s'\n", $rule[$i]);
+ return false;
+ }
+
+ return implode(" ", array("-A ".$interface."_snat -t nat", $protocol, $from_host, $from_port, $to_host, $to_port, $target));
+ }
+
+ /* DNAT rule
+ *
+ * INPUT: bool dont, array rule
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function dnat($interface, $dont, $rule) {
+ $i = 0;
+ $ports_allowed = false;
+
+ if ($rule[$i] != "ip") {
+ $protocol = "-p ".$rule[$i];
+ if ($rule[$i] == "tcp") {
+ $protocol .= " --syn";
+ $ports_allowed = true;
+ } else if ($rule[$i] == "udp") {
+ $ports_allowed = true;
+ } else if (($rule[$i] == $this->icmp) && ($rule[$i+1] == "type")) {
+ $i += 2;
+ $protocol .= " --".$this->icmp."-type ".$rule[$i];
+ }
+ }
+ $i++;
+
+ if ($rule[$i] == "from") {
+ list($from_host, $from_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($from_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $from_port = "--sport ".str_replace("-", ":", $from_port);
+ }
+ $i++;
+ $from_host = "-s ".$from_host;
+ }
+
+ if ($rule[$i] == "to") {
+ list($to_host, $target_port) = explode($this->digit_separator, $rule[++$i]);
+ if ($target_port != "") {
+ if ($ports_allowed == false) {
+ print "ports are only allowed for tcp or udp.\n";
+ return false;
+ }
+ $to_port = "--dport ".str_replace("-", ":", $target_port);
+ }
+ $i++;
+ } else {
+ $to_host = $this->server."/".$this->aliases["subnetmask"];
+ }
+ $to_host = "-d ".$to_host;
+
+ if ($dont == false) {
+ if ($rule[$i] != "->") {
+ print "specify the new destination\n";
+ return false;
+ }
+
+ $dnat = "--to ".$rule[++$i];
+ list($dnat_host, $dnat_port) = explode($this->digit_separator, $rule[$i++]);
+ if ($dnat_port == "") {
+ $dnat_port = $target_port;
+ }
+ $dnat_host = "-d ".$dnat_host;
+ $dnat_port = "--dport ".$dnat_port;
+
+ $target = "-j DNAT";
+ } else {
+ $target = "-j RETURN";
+ }
+
+ if (count($rule) != $i) {
+ printf("unknown option '%s'\n", $rule[$i]);
+ return false;
+ }
+
+ return implode(" ", array("-A ".$interface."_dnat -t nat", $protocol, $from_host, $from_port, $to_host, $to_port, $target, $dnat));
+ }
+
+ /* Start firewall
+ *
+ * INPUT: array interfaces
+ * OUTPUT: true
+ * ERROR: false
+ */
+ private function start($interfaces) {
+ /* Load protocols list
+ */
+ if (($protocols = $this->read_file("/etc/protocols")) !== false) {
+ foreach ($protocols as $protocol) {
+ list($protocol) = explode(" ", $protocol);
+ array_push($this->protocols, $protocol);
+ }
+ }
+
+ if (($this->ip_version == 4) && ($this->debug == false)) {
+ /* Kernelconfig
+ */
+ system("echo 1 > /proc/sys/net/ipv4/ip_forward");
+ system("echo 1 > /proc/sys/net/ipv4/tcp_syncookies");
+ system("echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts");
+ system("echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route");
+ system("echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects");
+ }
+
+ if (($this->support_tables_active() == false) || $this->debug) {
+ if ($this->debug) {
+ printf("IPv%d iptables commands for support tables:\n", $this->ip_version);
+ }
+
+ $this->iptables->execute("-Z");
+
+ /* Log and drop
+ */
+ $this->iptables->execute("-N log_drop");
+ $this->iptables->execute("-A log_drop -j LOG --log-level ".$this->settings["log_priority"]." --log-prefix 'FIRETABLE".$this->ip_version.": '");
+ $this->iptables->execute("-A log_drop -j DROP");
+
+ /* TCP packet belongs to a known stream
+ */
+ $this->iptables->execute("-N est_rel");
+ $this->iptables->execute("-A INPUT -j est_rel");
+ $this->iptables->execute("-A OUTPUT -j est_rel");
+ $this->iptables->execute("-A FORWARD -j est_rel");
+ $this->iptables->execute("-A est_rel -m state --state ESTABLISHED -j ACCEPT");
+ $this->iptables->execute("-A est_rel -p tcp --syn -m state --state RELATED -j ACCEPT");
+
+ /* Anti-hack
+ */
+ $this->iptables->execute("-N anti-hack");
+ $this->iptables->execute("-A INPUT -p tcp -j anti-hack");
+ $this->iptables->execute("-A FORWARD -p tcp -j anti-hack");
+ # Reject fragments
+ if ($this->ip_version == 4) {
+ $this->iptables->execute("-A anti-hack -f -j log_drop");
+ }
+ # X-Mas TCP packets
+ $this->iptables->execute("-A anti-hack -p tcp --tcp-flags ALL ALL -j log_drop");
+ # Null TCP packets
+ $this->iptables->execute("-A anti-hack -p tcp --tcp-flags ALL NONE -j log_drop");
+ # Other weird stuff
+ $this->iptables->execute("-A anti-hack -p tcp --tcp-flags SYN,RST SYN,RST -j log_drop");
+ $this->iptables->execute("-A anti-hack -p tcp --tcp-flags SYN,FIN SYN,FIN -j log_drop");
+ # IP spoofing
+ #$this->iptables("-A anti-hack -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset");
+ # SYN flood
+ #$this->iptables("-A anti-hack -p tcp --syn -m limit ! --limit 2/s --limit-burst 8 -j log_drop");
+
+ if ($this->debug) {
+ print "\n";
+ }
+ }
+
+ if ($this->debug == false) {
+ printf("Starting IPv%d firewall for interface:", $this->ip_version);
+ }
+
+ foreach ($interfaces as $interface) {
+ if ($this->ip_version == 4) {
+ $this->server = trim(exec("/sbin/ifconfig ".$interface." | grep 'inet addr' | cut -f2 -d':' | cut -f1 -d' '"));
+ } else {
+ $this->server = trim(exec("/sbin/ifconfig ".$interface." | grep 'inet6 addr' | grep 'Scope:Global' | head -1 | cut -f2- -d':' | cut -f2 -d' ' | cut -f1 -d'/'"));
+ }
+
+ if ($this->server == "") {
+ if ($this->debug == false) {
+ print " ".RED.$interface.NORMAL;
+ }
+ continue;
+ }
+
+ $config_file = "ipv".$this->ip_version."_".$interface;
+
+ if (($this->debug == false) && $this->firewall_active($interface)) {
+ print " ".YELLOW.$interface.NORMAL;
+ continue;
+ } else if (($rules = $this->read_rules_file($config_file)) === false) {
+ if ($this->debug == false) {
+ print " ".RED.$interface.NORMAL;
+ }
+ continue;
+ }
+
+ $this->aliases = array(
+ "subnetmask" => "32");
+
+ if (($this->ip_version == 4) && ($this->debug == false)) {
+ system("echo 1 > /proc/sys/net/ipv4/conf/".$interface."/rp_filter");
+ }
+
+ /* Input table
+ */
+ $this->iptables->queue("-N ".$interface."_in");
+ $this->iptables->queue("-A INPUT -i ".$interface." -j ".$interface."_in");
+
+ /* Output table
+ */
+ $this->iptables->queue("-N ".$interface."_out");
+ $this->iptables->queue("-A OUTPUT -o $interface -j ".$interface."_out");
+
+ /* Forwarding table
+ */
+ $this->iptables->queue("-N ".$interface."_forw");
+ $this->iptables->queue("-A FORWARD -i $interface -j ".$interface."_forw");
+
+ if ($this->settings["enable_nat"]) {
+ /* SNAT table
+ */
+ $this->iptables->queue("-N ".$interface."_snat -t nat");
+ $this->iptables->queue("-A POSTROUTING -t nat -o $interface -j ".$interface."_snat");
+
+ /* DNAT table
+ */
+ $this->iptables->queue("-N ".$interface."_dnat -t nat");
+ $this->iptables->queue("-A PREROUTING -t nat -i $interface -j ".$interface."_dnat");
+ }
+
+ foreach ($rules as $rule) {
+ $rule = $this->replace_aliases($rule);
+
+ if (substr($rule, 0, 4) == "set ") {
+ list(, $key, $value) = explode(" ", $rule, 3);
+ $this->aliases[$key] = $value;
+ continue;
+ }
+
+ /* Change aliases
+ */
+ $rule = str_replace("anywhere", $this->anywhere, $rule);
+ $rule = str_replace("server", $this->server, $rule);
+ $rule = str_replace("domain", $this->server."/".$this->aliases["subnetmask"], $rule);
+ if ($this->ip_version == 6) {
+ $rule = str_replace("icmp", "icmpv6", $rule);
+ }
+
+ /* Expand sets
+ */
+ $expanded = $this->expand_sets($rule);
+
+ foreach ($expanded as $rule) {
+ $parts = explode(" ", $rule);
+ $command = array_shift($parts);
+
+ switch ($command) {
+ case "accept":
+ case "drop":
+ case "reject":
+ $result = $this->filter($interface, $command, $parts);
+ break;
+ case "snat":
+ $result = $this->snat($interface, false, $parts);
+ break;
+ case "dnat":
+ $result = $this->dnat($interface, false, $parts);
+ break;
+ case "forward":
+ $result = $this->forward($interface, false, $parts);
+ break;
+ case "dont":
+ $command = array_shift($parts);
+ switch ($command) {
+ case "snat":
+ $result = $this->snat($interface, true, $parts);
+ break;
+ case "dnat":
+ $result = $this->dnat($interface, true, $parts);
+ break;
+ case "forward":
+ $result = $this->forward($interface, true, $parts);
+ break;
+ default:
+ printf("Unknown command '%s'\n", $command);
+ $result = false;
+ }
+ break;
+ case "iptables":
+ $result = implode(" ", $parts);
+ break;
+ default:
+ printf("Unknown command '%s'\n", $command);
+ $result = false;
+ }
+
+ if ($result === false) {
+ $this->iptables->flush_queue();
+ print " ".RED.$interface.NORMAL;
+ continue 3;
+ } else {
+ $this->iptables->queue($result);
+ }
+ }
+ }
+
+ $this->iptables->queue("-A ".$interface."_in -j log_drop");
+ $this->iptables->queue("-A ".$interface."_out -j log_drop");
+
+ if ($this->debug) {
+ printf("IPv%d iptables commands for ".GREEN.$interface.NORMAL.":\n", $this->ip_version);
+ }
+
+ if ($this->iptables->execute_queued() == false) {
+ $this->stop(array($interface));
+ if ($this->debug == false) {
+ print " ".RED.$interface.NORMAL;
+ }
+ } else if ($this->debug == false) {
+ print " ".GREEN.$interface.NORMAL;
+ } else {
+ print "\n";
+ }
+ }
+
+ if ($this->debug == false) {
+ print "\n";
+ }
+
+ return true;
+ }
+
+ /* Stop firewall
+ *
+ * INPUT: array interfaces
+ * OUTPUT: true
+ * ERROR: false
+ */
+ private function stop($interfaces) {
+ printf("Stopping IPv%d firewall for interface:", $this->ip_version);
+
+ foreach ($interfaces as $interface) {
+ $config_file = CONFIG_DIR."/ipv".$this->ip_version."_".$interface;
+
+ if ($this->firewall_active($interface) == false) {
+ if (file_exists($config_file) == false) {
+ print " ".YELLOW.$interface.NORMAL;
+ continue;
+ } else {
+ print " ".RED.$interface.NORMAL;
+ continue;
+ }
+ }
+
+ if ($this->settings["enable_nat"]) {
+ /* DNAT table
+ */
+ $this->iptables->execute("-F ".$interface."_dnat -t nat");
+ $this->iptables->execute("-D PREROUTING -t nat -i ".$interface." -j ".$interface."_dnat");
+ $this->iptables->execute("-X ".$interface."_dnat -t nat");
+
+ /* SNAT table
+ */
+ $this->iptables->execute("-F ".$interface."_snat -t nat");
+ $this->iptables->execute("-D POSTROUTING -t nat -o ".$interface." -j ".$interface."_snat");
+ $this->iptables->execute("-X ".$interface."_snat -t nat");
+ }
+
+ /* Forwarding table
+ */
+ $this->iptables->execute("-F ".$interface."_forw");
+ $this->iptables->execute("-D FORWARD -i ".$interface." -j ".$interface."_forw");
+ $this->iptables->execute("-X ".$interface."_forw");
+
+ /* Output table
+ */
+ $this->iptables->execute("-F ".$interface."_out");
+ $this->iptables->execute("-D OUTPUT -o ".$interface." -j ".$interface."_out");
+ $this->iptables->execute("-X ".$interface."_out");
+
+ /* Input table
+ */
+ $this->iptables->execute("-F ".$interface."_in");
+ $this->iptables->execute("-D INPUT -i ".$interface." -j ".$interface."_in");
+ $this->iptables->execute("-X ".$interface."_in");
+
+ /* Support tables
+ */
+ if ($this->count_firewalls() == 0) {
+ $this->iptables->execute("-D INPUT -p tcp -j anti-hack");
+ $this->iptables->execute("-D FORWARD -p tcp -j anti-hack");
+ $this->iptables->execute("-F anti-hack");
+ $this->iptables->execute("-X anti-hack");
+
+ $this->iptables->execute("-D INPUT -j est_rel");
+ $this->iptables->execute("-D OUTPUT -j est_rel");
+ $this->iptables->execute("-D FORWARD -j est_rel");
+ $this->iptables->execute("-F est_rel");
+ $this->iptables->execute("-X est_rel");
+
+ $this->iptables->execute("-F log_drop");
+ $this->iptables->execute("-X log_drop");
+ }
+
+ print " ".GREEN.$interface.NORMAL;
+ }
+
+ print "\n";
+
+ return true;
+ }
+
+ /* Flush firewall
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function flush() {
+ $tables = array("");
+ if ($this->settings["enable_nat"]) {
+ array_push($tables, " -t nat");
+ }
+
+ foreach ($tables as $table) {
+ $this->iptables->execute("-L -n".$table, $output);
+
+ foreach ($output as $line) {
+ if (substr($line, 0, 5) == "Chain") {
+ $field = explode(" (", substr($line, 6), 2);
+ $this->iptables->execute("-F ".$field[0].$table);
+ }
+ }
+ foreach ($output as $line) {
+ if ((substr($line, 0, 5) == "Chain") && (strpos($line, "(policy") === false)) {
+ $field = explode(" (", substr($line, 6), 2);
+ $this->iptables->execute("-X ".$field[0].$table);
+ }
+ }
+ }
+
+ $this->iptables->execute("-Z");
+ $this->iptables->execute("-P INPUT ACCEPT");
+ $this->iptables->execute("-P OUTPUT ACCEPT");
+ $this->iptables->execute("-P FORWARD DROP");
+ }
+
+ /* Show firewall status
+ *
+ * INPUT: -
+ * OUTPUT: true
+ * ERROR: -
+ */
+ private function status() {
+ $this->iptables->execute("-L OUTPUT", $output, true);
+ array_shift($output);
+ array_shift($output);
+ array_shift($output);
+
+ $interfaces = array();
+ foreach ($output as $line) {
+ list($interface) = explode("_", $line, 2);
+ array_push($interfaces, $interface);
+ }
+
+ print "IPv".$this->ip_version." firewall active for: ".GREEN.implode(" ", $interfaces).NORMAL."\n";
+
+ $this->iptables->execute("-L -nv", $output, true);
+ print implode("\n", $output)."\n";
+ if ($this->settings["enable_nat"]) {
+ print "\n";
+ $this->iptables->execute("-L -nvt nat", $output, true);
+ print implode("\n", $output)."\n";
+ }
+
+ print "\n";
+ }
+
+ /* Show firetable usage
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ private function show_usage() {
+ print "Usage: ".$this->script." [-4|-6] {start|stop|restart|debug} [<interface>...]\n";
+ print " ".$this->script." {flush|status}\n";
+ }
+
+ /* Main firetable routine
+ *
+ * INPUT: -
+ * OUTPUT: -
+ * ERROR: -
+ */
+ public function execute($args) {
+ if ($this->settings["enable_ipv".$this->ip_version] == false) {
+ return;
+ }
+
+ $this->script = array_shift($args);
+ $command = array_shift($args);
+
+ if (count($args) == 0) {
+ if (($dp = opendir(CONFIG_DIR)) == false) {
+ print "Error reading configuration directory.\n";
+ return;
+ }
+
+ while (($file = readdir($dp)) != false) {
+ list($interface, $rest) = explode(".", $file, 2);
+ list($protocol, $interface) = explode("_", $interface, 2);
+
+ if (($interface == null) || ($rest != null)) {
+ continue;
+ } else if ($protocol != "ipv".$this->ip_version) {
+ continue;
+ }
+
+ array_push($args, $interface);
+ }
+ sort($args);
+
+ closedir($dp);
+ }
+
+ switch ($command) {
+ case "restart":
+ if ($this->stop($args) == false) {
+ return false;
+ } else {
+ return $this->start($args);
+ }
+ case "start":
+ return $this->start($args);
+ case "stop":
+ return $this->stop($args);
+ case "flush":
+ $this->flush();
+ return true;
+ case "status":
+ $this->status();
+ return true;
+ case "debug":
+ $this->debug = true;
+ $this->iptables->debug = true;
+ return $this->start($args);
+ default:
+ $this->show_usage();
+ return false;
+ }
+
+ return true;
+ }
+ }
+
+ /* Firetable for IPv4
+ */
+ class firetable4 extends firetable {
+ protected $ip_version = 4;
+ protected $digit_separator = ":";
+ protected $anywhere = "0.0.0.0/0";
+ protected $icmp = "icmp";
+ }
+
+ /* Firetable for IPv6
+ */
+ class firetable6 extends firetable {
+ protected $ip_version = 6;
+ protected $digit_separator = ".";
+ protected $anywhere = "::/0";
+ protected $icmp = "icmpv6";
+ }
+
+ /* Main
+ */
+ error_reporting(E_ALL & ~E_NOTICE);
+
+ if ($argv[1] == "-v") {
+ printf("Firetable v%s (iptables firewall management tool)\n", VERSION);
+ printf("Copyright (C) by Hugo Leisink <hugo@leisink.net>\n");
+ return;
+ }
+
+ if (posix_getuid() !== 0) {
+ exit("You must be root.\n");
+ }
+
+ if ($argv[1] == "-4") {
+ array_shift($argv);
+ $use_ipv4 = true;
+ $use_ipv6 = false;
+ } else if ($argv[1] == "-6") {
+ array_shift($argv);
+ $use_ipv4 = false;
+ $use_ipv6 = true;
+ } else {
+ $use_ipv4 = true;
+ $use_ipv6 = true;
+ }
+
+ if ($use_ipv4) {
+ $firetable = new firetable4;
+ if ($firetable->execute($argv) == false) {
+ return;
+ }
+ }
+
+ if ($use_ipv6) {
+ $firetable = new firetable6;
+ $firetable->execute($argv);
+ }
+?>