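#!/bin/bash
#
# saswall
#
# saswall is a simple and safe firewall loader. After reloading a
# new ruleset it asks for a confirmation and reverts all changes if
# this confirmation times out.
#
# Copyright (C) 2013 Christian Pointner
#
# This file is part of saswall.
#
# saswall is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# any later version.
#
# saswall is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with saswall. If not, see <http://www.gnu.org/licenses/>.
#
##
## !! Don't add any firewall rules here !!
## edit /etc/saswall/rules.sh instead
##
##

# Abort on the first failing command. Together with the EXIT trap below this
# is what turns a half-applied reload into a rollback. Set via 'set' rather
# than in the shebang so it also applies when started as "bash saswall".
set -e

# Seconds to wait for the operator's confirmation after a reload.
SASWALL_CONFIRM_TIMEOUT=20 # may get overwritten by rules.sh!!

# Backup files written by saswall_backup. A non-empty value means a reload is
# in progress and not yet confirmed; the traps roll back while either is set.
SASWALL_BACKUP=""
SASWALL_BACKUP6=""

#######################################
# INT/TERM handler: roll back to the saved rulesets and exit non-zero.
# Globals:  SASWALL_BACKUP, SASWALL_BACKUP6 (via saswall_restore)
# Returns:  never; exits 1
#######################################
saswall_signal() {
  echo ""
  echo "saswall terminates after signal"
  saswall_restore
  exit 1
}

#######################################
# EXIT handler: if a backup is still pending (a command failed under
# 'set -e' or the reload was never confirmed) roll back and exit 1.
# Globals:  SASWALL_BACKUP, SASWALL_BACKUP6 (read)
#######################################
saswall_exit() {
  if [ -n "$SASWALL_BACKUP" ] || [ -n "$SASWALL_BACKUP6" ]; then
    echo ""
    echo "saswall terminates after error"
    saswall_restore
    exit 1
  fi
}

#######################################
# Load the IPv4 and IPv6 rulesets through ipv4_up/ipv6_up from rules.sh.
# Outputs:  progress markers on stdout
#######################################
saswall_up() {
  printf '%s' "IPv4("
  ipv4_up
  printf '%s' ") "
  printf '%s' "IPv6("
  ipv6_up
  printf '%s' ") "
}

#######################################
# Tear down the IPv4 and IPv6 rulesets through ipv4_down/ipv6_down from
# rules.sh.
# Outputs:  progress markers on stdout
#######################################
saswall_down() {
  printf '%s' "IPv4("
  ipv4_down
  printf '%s' ") "
  printf '%s' "IPv6("
  ipv6_down
  printf '%s' ") "
}

#######################################
# Save the running IPv4 and IPv6 rulesets (with counters) to private
# temporary files and record their paths. mktemp creates the files with
# mode 0600, so the saved rules are not readable by other users. A failing
# mktemp or *-save aborts the script under 'set -e' and the EXIT trap
# restores whatever was already saved.
# Globals:  SASWALL_BACKUP, SASWALL_BACKUP6 (written)
#######################################
saswall_backup() {
  SASWALL_BACKUP=$(/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX)
  echo "storing current IPv4 ruleset to $SASWALL_BACKUP"
  /sbin/iptables-save -c > "$SASWALL_BACKUP"
  SASWALL_BACKUP6=$(/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX)
  echo "storing current IPv6 ruleset to $SASWALL_BACKUP6"
  /sbin/ip6tables-save -c > "$SASWALL_BACKUP6"
}

#######################################
# Roll back to the rulesets saved by saswall_backup and forget them.
# Each address family is restored on its own so a failing IPv4 restore
# does not skip the IPv6 one; a backup whose restore failed is left on
# disk so the operator can apply it by hand.
# Globals:  SASWALL_BACKUP, SASWALL_BACKUP6 (read, then cleared)
#######################################
saswall_restore() {
  if [ -n "$SASWALL_BACKUP" ]; then
    echo "restoring IPv4 ruleset from $SASWALL_BACKUP"
    if /sbin/iptables-restore -c < "$SASWALL_BACKUP"; then
      rm -f -- "$SASWALL_BACKUP"
    else
      echo "restoring IPv4 ruleset failed - backup kept at $SASWALL_BACKUP" >&2
    fi
    SASWALL_BACKUP=""
  fi
  if [ -n "$SASWALL_BACKUP6" ]; then
    echo "restoring IPv6 ruleset from $SASWALL_BACKUP6"
    if /sbin/ip6tables-restore -c < "$SASWALL_BACKUP6"; then
      rm -f -- "$SASWALL_BACKUP6"
    else
      echo "restoring IPv6 ruleset failed - backup kept at $SASWALL_BACKUP6" >&2
    fi
    SASWALL_BACKUP6=""
  fi
}

#######################################
# Ask the operator to confirm the new ruleset. Anything other than the
# exact answer "yes" within SASWALL_CONFIRM_TIMEOUT seconds -- a timeout,
# EOF on stdin, or a failing prompt helper -- rolls back and exits 1.
# Globals:  SASWALL_USE_SYSTEM_ASK_PASSWD (read; non-empty selects
#           systemd-ask-password instead of reading stdin)
#           SASWALL_CONFIRM_TIMEOUT (read)
#           SASWALL_BACKUP, SASWALL_BACKUP6 (cleared on success)
#######################################
saswall_check_or_fallback() {
  local saswall_confirmation=""
  if [ -z "$SASWALL_USE_SYSTEM_ASK_PASSWD" ]; then
    # A timed-out read leaves partial input in the variable, so reset it on
    # any failure: only "yes" followed by ENTER counts as a confirmation.
    read -r -t "$SASWALL_CONFIRM_TIMEOUT" \
      -p "To confirm changes type yes [ENTER]: " saswall_confirmation \
      || saswall_confirmation=""
  else
    saswall_confirmation=$(systemd-ask-password \
      --timeout="$SASWALL_CONFIRM_TIMEOUT" \
      "To confirm saswall changes type yes [ENTER]: ") \
      || saswall_confirmation=""
  fi
  if [ "$saswall_confirmation" != "yes" ]; then
    echo "no or wrong confirmation received"
    saswall_restore
    exit 1
  fi
  echo "ruleset reloaded successfully"
  rm -f -- "$SASWALL_BACKUP"
  SASWALL_BACKUP=""
  rm -f -- "$SASWALL_BACKUP6"
  SASWALL_BACKUP6=""
}

if [ ! -x /etc/saswall/rules.sh ]; then
  echo "no rules file found or script is not executeable - firewall is disabled!!"
  exit 0
fi

# The handlers are installed only now that they exist, so a signal or a
# failure while sourcing rules.sh cannot invoke an undefined function.
trap saswall_signal INT TERM
trap saswall_exit EXIT

# rules.sh is sourced, not executed: it runs with this script's privileges
# and has to define ipv4_up, ipv4_down, ipv6_up and ipv6_down.
. /etc/saswall/rules.sh

case "$1" in
  up)
    saswall_up
    ;;
  down)
    saswall_down
    ;;
  reload)
    # Save first so every later failure (set -e, signal, missing
    # confirmation) can roll back; the backups are dropped only on "yes".
    saswall_backup
    printf '%s' "down: "
    saswall_down
    printf '%s' " ... up: "
    saswall_up
    echo ""
    saswall_check_or_fallback
    ;;
  *)
    echo "Usage: $0 {up|down|reload}"
    exit 1
    ;;
esac

exit 0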