author | Christian Pointner <equinox@spreadspace.org> | 2013-09-15 03:43:41 +0200 |
committer | Christian Pointner <equinox@spreadspace.org> | 2013-09-15 03:43:41 +0200 |
commit | abc736dd0ee0d4ca0006e350f4be91cf6c7732a8 (patch) | |
tree | 5e2b606ef0705e4d181a67c7496ea2a147527d8a /saswall |
initial release
Diffstat (limited to 'saswall')
-rwxr-xr-x | saswall | 144 |
1 files changed, 144 insertions, 0 deletions
@@ -0,0 +1,144 @@
+#!/bin/bash -e
+#
+# saswall
+#
+# saswall is a simple and safe firewall loader. After reloading a
+# new ruleset it ask for a confirmation and reverts all changes if
+# this confirmation times out.
+#
+# Copyright (C) 2013 Christian Pointner <equinox@spreadspace.org>
+#
+# This file is part of saswall.
+#
+# saswall is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# any later version.
+#
+# saswall is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with saswall. If not, see <http://www.gnu.org/licenses/>.
+#
+##
+## !! Don't add any firewall rules here !!
+## edit /etc/saswall/rules.sh instead
+##
+##
+
+trap saswall_signal INT TERM
+trap saswall_exit EXIT
+
+SASWALL_CONFIRM_TIMEOUT=20 # may get overwritten by rules.sh!!
+
+. /etc/saswall/rules.sh
+
+saswall_signal()
+{
+ echo ""
+ echo "saswall terminates after signal"
+ saswall_restore
+ exit 1
+}
+
+saswall_exit()
+{
+ if [ -n "$SASWALL_BACKUP" ] || [ -n "$SASWALL_BACKUP6" ]; then
+ echo ""
+ echo "saswall terminates after error"
+ saswall_restore
+ exit 1
+ fi
+}
+
+saswall_up()
+{
+ echo -n "IPv4("
+ ipv4_up
+ echo -n ") "
+ echo -n "IPv6("
+ ipv6_up
+ echo -n ") "
+}
+
+saswall_down()
+{
+ echo -n "IPv4("
+ ipv4_down
+ echo -n ") "
+ echo -n "IPv6("
+ ipv6_down
+ echo -n ") "
+}
+
+saswall_backup()
+{
+ SASWALL_BACKUP=`/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX`
+ echo "storing current IPv4 ruleset to $SASWALL_BACKUP"
+ /sbin/iptables-save -c > $SASWALL_BACKUP
+
+ SASWALL_BACKUP6=`/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX`
+ echo "storing current IPv6 ruleset to $SASWALL_BACKUP6"
+ /sbin/ip6tables-save -c > $SASWALL_BACKUP6
+}
+
+saswall_restore()
+{
+ if [ -n "$SASWALL_BACKUP" ]; then
+ echo "restoring IPv4 ruleset from $SASWALL_BACKUP"
+ /sbin/iptables-restore -c < $SASWALL_BACKUP
+ rm -f $SASWALL_BACKUP
+ SASWALL_BACKUP=""
+ fi
+ if [ -n "$SASWALL_BACKUP6" ]; then
+ echo "restoring IPv6 ruleset from $SASWALL_BACKUP6"
+ /sbin/ip6tables-restore -c < $SASWALL_BACKUP6
+ rm -f $SASWALL_BACKUP6
+ SASWALL_BACKUP6=""
+ fi
+}
+
+saswall_check_or_fallback()
+{
+ set +e
+ read -t $SASWALL_CONFIRM_TIMEOUT -p "To confirm changes type yes [ENTER]: " saswall_confirmation
+ if [ "$saswall_confirmation" != "yes" ]; then
+ echo "no or wrong confirmation received"
+ saswall_restore
+ exit 1
+ else
+ echo "ruleset reloaded successfully"
+ rm -f $SASWALL_BACKUP
+ SASWALL_BACKUP=""
+ rm -f $SASWALL_BACKUP6
+ SASWALL_BACKUP6=""
+ fi
+}
+
+case "$1" in
+up)
+ saswall_up
+ ;;
+down)
+ saswall_down
+ ;;
+reload)
+ saswall_backup
+ echo -n "down: "
+ saswall_down
+ echo -n " ... up: "
+ saswall_up
+ echo ""
+ saswall_check_or_fallback
+ ;;
+*)
+ echo "Usage: $0 {up|down|reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
+
|
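Review bot: saswall_restore deletes the backup unconditionally right after iptables-restore, so when it is reached from saswall_check_or_fallback (where `set +e` has been switched on and a failing restore no longer aborts) a rejected or partially applied restore leaves the host with neither the previous rules nor the only copy of them; tie the cleanup to success, `/sbin/iptables-restore -c < "$SASWALL_BACKUP" && rm -f -- "$SASWALL_BACKUP"`, do the same for `$SASWALL_BACKUP6`, and print the path of a kept backup so the operator can recover by hand. Relatedly, errexit lives only in the shebang (`#!/bin/bash -e`), so a run as `bash saswall` gets no `-e` at all and a failing ipv4_up/ipv6_up during reload falls through to the confirmation prompt instead of the EXIT-trap restore; a `set -e` on the line after the shebang makes the safety net independent of how the script is invoked. The `. /etc/saswall/rules.sh` line executes that file with the loader's (presumably root) privileges and lets it overwrite SASWALL_CONFIRM_TIMEOUT, which a comment such as `# rules.sh is sourced, not parsed: it runs with this script's privileges and may redefine any variable or function above` would make explicit for whoever maintains the config.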