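/*---[ netfilter-script.c ]-------------------------------------------
 * Copyright (C) 2000-2004 Tomas Junnonen (majix@sci.fi)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Functions to write the netfilter shell scripts
 *--------------------------------------------------------------------*/

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>

#include "wizard.h"
#include "netfilter-script.h"
#include "util.h"
#include "preferences.h"
#include "policyview.h"
#include "scriptwriter.h"

/* Mode of every generated script: readable by owner and group only (0440). */
static const mode_t script_mode = S_IRUSR | S_IRGRP;

/*
 * Create (or truncate) the script file PATH and return a stream open for
 * writing, or NULL after reporting the failure on stderr.
 *
 * The restrictive mode is passed to open() so a newly created script never
 * exists with wider permissions than 0440, and it is re-applied with fchmod()
 * on the open descriptor because an existing file keeps its old mode on
 * open().  Operating on the descriptor instead of the path means the
 * permission change cannot be redirected to a different file between
 * creation and chmod.
 */
static FILE *
open_script_file (const gchar *path)
{
  int fd = open (path, O_WRONLY | O_CREAT | O_TRUNC, script_mode);
  FILE *script;

  if (fd == -1)
    {
      perror (path);
      g_printerr ("Script not written!\n");
      return NULL;
    }

  /* Non-fatal, as the previous path-based chmod() was: the script is still written. */
  if (fchmod (fd, script_mode) == -1)
    perror (path);

  script = fdopen (fd, "w");
  if (script == NULL)
    {
      perror (path);
      g_printerr ("Script not written!\n");
      close (fd);
      return NULL;
    }

  return script;
}

/*
 * Flush and close SCRIPT, which was written to PATH, and report on stderr if
 * any write failed.  A silently truncated policy script would later be run
 * as if it were complete, so write errors are surfaced instead of dropped.
 */
static void
close_script_file (FILE *script, const gchar *path)
{
  int write_failed = ferror (script);

  if (fclose (script) == EOF)
    {
      perror (path);
      write_failed = 1;
    }

  if (write_failed)
    g_printerr ("%s: script not completely written!\n", path);
}

/*
 * Write the OUTBOUND chain setup script to POLICY_OUT_DIR "/setup".
 *
 * The generated fragment flushes the OUTBOUND chain, accepts ICMP and
 * ESTABLISHED/RELATED traffic, then reads the CSV policy files with IFS=','.
 * When $OUTBOUND_POLICY is "permissive" the deny lists (POLICY_OUT_DENY_*)
 * jump to LSO and everything else is accepted; otherwise the allow lists
 * (POLICY_OUT_ALLOW_*) are accepted and everything else jumps to LSO.
 *
 * $IPT, $OUTBOUND_POLICY, scrub_parameters and the LSO target are not
 * defined here; presumably the main firewall script that sources this
 * fragment provides them.  The `==` test inside `[ ]` is a bash extension.
 *
 * Host entries are expanded unquoted into the iptables command by the
 * shell, and only the service loops call scrub_parameters, so the policy
 * files must be writable by root only — NOTE(review): confirm where they
 * are created and with which permissions.
 */
static void
write_outbound_script (void)
{
  const gchar *scriptpath = POLICY_OUT_DIR "/setup";
  FILE *script = open_script_file (scriptpath);

  if (script == NULL)
    return;

  fprintf (script, "# Initialize\n");
  fprintf (script, "$IPT -N OUTBOUND 2> /dev/null\n"
                   "$IPT -F OUTBOUND\n\n");

  fprintf (script, "# Allow ICMP packets out\n");
  fprintf (script, "$IPT -A OUTBOUND -p icmp -j ACCEPT\n\n");

  fprintf (script, "# Temoporarily set the field separator for CSV format\n"
                   "OLDIFS=$IFS\n"
                   "IFS=','\n\n");

  fprintf (script, "# Allow response traffic\n"
                   "$IPT -A OUTBOUND -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
                   "$IPT -A OUTBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n");

  fprintf (script, "if [ \"$OUTBOUND_POLICY\" == \"permissive\" ]; then\n");

  /* Permissive branch: only the deny lists are applied, the rest is accepted. */
  fprintf (script, " # Hosts to which traffic is denied\n"
                   " while read host garbage\n"
                   " do\n"
                   " $IPT -A OUTBOUND -d $host -j LSO\n"
                   " done < " POLICY_OUT_DENY_TO "\n\n");

  fprintf (script, " # Hosts from which traffic is denied\n"
                   " while read host garbage\n"
                   " do\n"
                   " $IPT -A OUTBOUND -s $host -j LSO\n"
                   " done < " POLICY_OUT_DENY_FROM "\n\n");

  /* The ports field is space separated, hence the IFS switch inside the loop. */
  fprintf (script, " # Services denied\n"
                   " while read service ports target garbage\n"
                   " do\n"
                   " IFS=' '\n"
                   " for port in `echo $ports`; do\n"
                   " scrub_parameters\n"
                   " $IPT -A OUTBOUND -p tcp -s $target --dport $port -j LSO\n"
                   " $IPT -A OUTBOUND -p udp -s $target --dport $port -j LSO\n"
                   " done\n"
                   " IFS=','\n"
                   " done < " POLICY_OUT_DENY_SERVICE "\n\n");

  fprintf (script, " $IPT -A OUTBOUND -j ACCEPT # Default permissive policy \n");

  fprintf (script, "else\n");

  /* Restrictive branch: only the allow lists are applied, the rest goes to LSO. */
  fprintf (script, " # Hosts to which traffic is allowed\n"
                   " while read host garbage\n"
                   " do\n"
                   " $IPT -A OUTBOUND -d $host -j ACCEPT\n"
                   " done < " POLICY_OUT_ALLOW_TO "\n\n");

  fprintf (script, " # Hosts from which traffic is allowed\n"
                   " while read host garbage\n"
                   " do\n"
                   " $IPT -A OUTBOUND -s $host -j ACCEPT\n"
                   " done < " POLICY_OUT_ALLOW_FROM "\n\n");

  fprintf (script, " # Services allowed\n"
                   " while read service ports target garbage\n"
                   " do\n"
                   " IFS=' '\n"
                   " for port in `echo $ports`; do\n"
                   " scrub_parameters\n"
                   " $IPT -A OUTBOUND -p tcp -s $target --dport $port -j ACCEPT\n"
                   " $IPT -A OUTBOUND -p udp -s $target --dport $port -j ACCEPT\n"
                   " done\n"
                   " IFS=','\n"
                   " done < " POLICY_OUT_ALLOW_SERVICE "\n\n");

  fprintf (script, " $IPT -A OUTBOUND -j LSO # Default restrictive policy\n");

  fprintf (script, "fi\n\n");

  fprintf (script, "# Restore system field separator\n"
                   "IFS=$OLDIFS\n\n");

  close_script_file (script, scriptpath);
}

/*
 * Write the INBOUND chain setup script to POLICY_IN_DIR "/setup".
 *
 * The generated fragment flushes the INBOUND chain, accepts
 * ESTABLISHED/RELATED traffic, accepts every host listed in
 * POLICY_IN_ALLOW_FROM and every service/port/target triple listed in
 * POLICY_IN_ALLOW_SERVICE, and finally jumps to LSI for everything else.
 *
 * Port 1900 is special-cased: instead of being appended to INBOUND it is
 * inserted (-I) at the head of the INPUT chain, i.e. ahead of any rule that
 * precedes the jump to INBOUND.  The generated comment calls this Samba
 * share discovery; 1900 is the SSDP/UPnP port — NOTE(review): verify the
 * intent.
 *
 * $IPT, scrub_parameters and the LSI target are not defined here;
 * presumably the main firewall script that sources this fragment provides
 * them.  As in the outbound script, host entries are expanded unquoted by
 * the shell and only the service loop calls scrub_parameters, so the policy
 * files must be writable by root only.
 */
static void
write_inbound_script (void)
{
  const gchar *scriptpath = POLICY_IN_DIR "/setup";
  FILE *script = open_script_file (scriptpath);

  if (script == NULL)
    return;

  fprintf (script, "# Initialize\n");
  fprintf (script, "$IPT -N INBOUND 2> /dev/null\n"
                   "$IPT -F INBOUND\n\n");

  fprintf (script, "# Temoporarily set the field separator for CSV format\n"
                   "OLDIFS=$IFS\n"
                   "IFS=','\n\n");

  fprintf (script, "# Allow response traffic\n"
                   "$IPT -A INBOUND -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
                   "$IPT -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n");

  fprintf (script, "# Hosts from which connections are always allowed\n"
                   "while read host garbage\n"
                   " do\n"
                   " $IPT -A INBOUND -s $host -j ACCEPT\n"
                   " done < " POLICY_IN_ALLOW_FROM "\n\n");

  /* The ports field is space separated, hence the IFS switch inside the loop. */
  fprintf (script, "# Services allowed\n"
                   "while read service ports target garbage\n"
                   " do\n"
                   " IFS=' '\n"
                   " for port in `echo $ports`; do\n"
                   " scrub_parameters\n"
                   " case \"$port\" in\n"
                   " # Override broadcast blocking for Samba share discovery\n"
                   " \"1900\" ) $IPT -I INPUT -p tcp -s $target --dport 1900 -j ACCEPT\n"
                   " $IPT -I INPUT -p udp -s $target --dport 1900 -j ACCEPT;;\n"
                   " # Default service handler\n"
                   " * ) $IPT -A INBOUND -p tcp -s $target --dport $port -j ACCEPT\n"
                   " $IPT -A INBOUND -p udp -s $target --dport $port -j ACCEPT;;\n"
                   " esac\n"
                   " done\n"
                   " IFS=','\n"
                   " done < " POLICY_IN_ALLOW_SERVICE "\n\n");

  fprintf (script, "$IPT -A INBOUND -j LSI\n");

  fprintf (script, "# Restore system field separator\n"
                   "IFS=$OLDIFS\n\n");

  close_script_file (script, scriptpath);
}

static void
write_sysctl_tuning_script ()
{
  gchar *scriptpath = FIRESTARTER_SYSCTL_SCRIPT;
  FILE *script = fopen (scriptpath, "w");

  if (script == NULL)
    {
      perror(scriptpath);
      g_printerr("Script not written!");
      return;
    }

  chmod (scriptpath, 00440);

  fprintf (script, "# --------( Sysctl Tuning - Recommended Parameters )--------\n\n");

  fprintf (script, "# Turn off IP forwarding by default\n");
  fprintf (script, "# (this will be enabled if you require masquerading)\n\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/ip_forward ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/ip_forward\nfi\n\n");

  fprintf (script, "# Do not log 'odd' IP addresses (excludes 0.0.0.0 & 255.255.255.255)\n\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\nfi\n\n");

  fprintf (script, "\n# --------( Sysctl Tuning - TCP Parameters )--------\n\n");

  fprintf (script, "# Turn off TCP Timestamping in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_timestamps ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/tcp_timestamps\nfi\n\n");

  fprintf (script, "# Set TCP Re-Ordering value in kernel to '5'\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_reordering ]; then\n"
                   " echo 5 > /proc/sys/net/ipv4/tcp_reordering\nfi\n\n");

  fprintf (script, "# Turn off TCP ACK in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_sack ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/tcp_sack\nfi\n\n");

  fprintf (script, "#Turn off TCP Window Scaling in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/tcp_window_scaling\nfi\n\n");

  fprintf (script, "#Set Keepalive timeout to 1800 seconds\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then\n"
                   " echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time\nfi\n\n");

  fprintf (script, "#Set FIN timeout to 30 seconds\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then\n"
                   " echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout\nfi\n\n");

  fprintf (script, "# Set TCP retry count to 3\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_retries1 ]; then\n"
                   " echo 3 > /proc/sys/net/ipv4/tcp_retries1\nfi\n\n");

  /* note: ECN is now actually an RFC - this is just a stopgap measure until certain OS'es get their act together */
  fprintf (script, "#Turn off ECN notification in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/tcp_ecn\nfi\n\n");

  fprintf (script, "\n# --------( Sysctl Tuning - SYN Parameters )--------\n\n");

  fprintf (script, "# Turn on SYN cookies protection in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then\n"
                   " echo 1 > /proc/sys/net/ipv4/tcp_syncookies\nfi\n\n");

  fprintf (script, "# Set SYN ACK retry attempts to '3'\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]; then\n"
                   " echo 3 > /proc/sys/net/ipv4/tcp_synack_retries\nfi\n\n");

  fprintf (script, "# Set SYN backlog buffer to '64'\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]; then\n"
                   " echo 64 > /proc/sys/net/ipv4/tcp_max_syn_backlog\nfi\n\n");

  fprintf (script, "# Set SYN retry attempts to '6'\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]; then\n"
                   " echo 6 > /proc/sys/net/ipv4/tcp_syn_retries\nfi\n\n");

  fprintf (script, "\n# --------( Sysctl Tuning - Routing / Redirection Parameters )--------\n\n");

/* under 2.4 - source route verification only has 0 (off) and 1 (RFC compliant) */
  fprintf (script, "# Turn on source address verification in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then\n"
                   " for f in /proc/sys/net/ipv4/conf/*/rp_filter\n do\n echo 1 > $f\n done\nfi\n\n");

  fprintf (script, "# Turn off source routes in kernel\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then\n"
                   " for f in /proc/sys/net/ipv4/conf/*/accept_source_route\n do\n echo 0 > $f\n done\nfi\n\n");

  fprintf (script, "# Do not respond to 'redirected' packets\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/secure_redirects ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/secure_redirects\nfi\n\n");

  fprintf (script, "# Do not reply to 'redirected' packets if requested\n");
  fprintf (script, "if [ -e /proc/sys/net/ipv4/send_redirects ]; then\n"
                   " echo 0 > /proc/sys/net/ipv4/send_redirects\nfi\n\n");

  fprintf (script, "# Do not reply to 'proxyarp' packets\n");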