authorChristian Pointner <equinox@spreadspace.org>2013-09-15 03:43:41 +0200
committerChristian Pointner <equinox@spreadspace.org>2013-09-15 03:43:41 +0200
commitabc736dd0ee0d4ca0006e350f4be91cf6c7732a8 (patch)
tree5e2b606ef0705e4d181a67c7496ea2a147527d8a /saswall
initial release
Diffstat (limited to 'saswall')
-rwxr-xr-xsaswall144
1 files changed, 144 insertions, 0 deletions
diff --git a/saswall b/saswall
new file mode 100755
index 0000000..5f182ab
--- /dev/null
+++ b/saswall
@@ -0,0 +1,144 @@
+#!/bin/bash -e
+#
+# saswall
+#
+# saswall is a simple and safe firewall loader. After reloading a
+# new ruleset it ask for a confirmation and reverts all changes if
+# this confirmation times out.
+#
+# Copyright (C) 2013 Christian Pointner <equinox@spreadspace.org>
+#
+# This file is part of saswall.
+#
+# saswall is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# any later version.
+#
+# saswall is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with saswall. If not, see <http://www.gnu.org/licenses/>.
+#
+##
+## !! Don't add any firewall rules here !!
+## edit /etc/saswall/rules.sh instead
+##
+##
+
+trap saswall_signal INT TERM
+trap saswall_exit EXIT
+
+SASWALL_CONFIRM_TIMEOUT=20 # may get overwritten by rules.sh!!
+
+. /etc/saswall/rules.sh
+
+saswall_signal()
+{
+ echo ""
+ echo "saswall terminates after signal"
+ saswall_restore
+ exit 1
+}
+
+saswall_exit()
+{
+ if [ -n "$SASWALL_BACKUP" ] || [ -n "$SASWALL_BACKUP6" ]; then
+ echo ""
+ echo "saswall terminates after error"
+ saswall_restore
+ exit 1
+ fi
+}
+
+saswall_up()
+{
+ echo -n "IPv4("
+ ipv4_up
+ echo -n ") "
+ echo -n "IPv6("
+ ipv6_up
+ echo -n ") "
+}
+
+saswall_down()
+{
+ echo -n "IPv4("
+ ipv4_down
+ echo -n ") "
+ echo -n "IPv6("
+ ipv6_down
+ echo -n ") "
+}
+
+saswall_backup()
+{
+ SASWALL_BACKUP=`/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX`
+ echo "storing current IPv4 ruleset to $SASWALL_BACKUP"
+ /sbin/iptables-save -c > $SASWALL_BACKUP
+
+ SASWALL_BACKUP6=`/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX`
+ echo "storing current IPv6 ruleset to $SASWALL_BACKUP6"
+ /sbin/ip6tables-save -c > $SASWALL_BACKUP6
+}
+
+saswall_restore()
+{
+ if [ -n "$SASWALL_BACKUP" ]; then
+ echo "restoring IPv4 ruleset from $SASWALL_BACKUP"
+ /sbin/iptables-restore -c < $SASWALL_BACKUP
+ rm -f $SASWALL_BACKUP
+ SASWALL_BACKUP=""
+ fi
+ if [ -n "$SASWALL_BACKUP6" ]; then
+ echo "restoring IPv6 ruleset from $SASWALL_BACKUP6"
+ /sbin/ip6tables-restore -c < $SASWALL_BACKUP6
+ rm -f $SASWALL_BACKUP6
+ SASWALL_BACKUP6=""
+ fi
+}
+
+saswall_check_or_fallback()
+{
+ set +e
+ read -t $SASWALL_CONFIRM_TIMEOUT -p "To confirm changes type yes [ENTER]: " saswall_confirmation
+ if [ "$saswall_confirmation" != "yes" ]; then
+ echo "no or wrong confirmation received"
+ saswall_restore
+ exit 1
+ else
+ echo "ruleset reloaded successfully"
+ rm -f $SASWALL_BACKUP
+ SASWALL_BACKUP=""
+ rm -f $SASWALL_BACKUP6
+ SASWALL_BACKUP6=""
+ fi
+}
+
+case "$1" in
+up)
+ saswall_up
+ ;;
+down)
+ saswall_down
+ ;;
+reload)
+ saswall_backup
+ echo -n "down: "
+ saswall_down
+ echo -n " ... up: "
+ saswall_up
+ echo ""
+ saswall_check_or_fallback
+ ;;
+*)
+ echo "Usage: $0 {up|down|reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
+
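Review bot: The rollback guarantee rests on `set -e`, but it is only requested through the shebang on line 21 (`#!/bin/bash -e`), so invoking the script as `bash saswall reload` silently drops it and a failing `iptables-save` or a failing step inside `ipv4_up` no longer aborts into the EXIT trap; put `set -e` in the body right after the header instead. Related, in saswall_backup (lines 99–105) `SASWALL_BACKUP` is assigned before `iptables-save` has run, so if the save fails the EXIT trap on line 53 attempts a restore from an empty or partial file; save into a local path first and publish the variable only after the command returned. The traps on lines 52–53 also name `saswall_signal`/`saswall_exit` before those functions exist, so a failure or signal while `. /etc/saswall/rules.sh` runs (line 57) would call an undefined function rather than the handler; defining the functions before the traps and the sourcing avoids that.
```bash
# … unchanged: license header …
set -e   # replaces the -e in the shebang, which is lost under "bash saswall"

# … unchanged: traps, rules.sh sourcing, other functions …

saswall_backup()
{
  local tmp
  tmp=$(/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX)
  echo "storing current IPv4 ruleset to $tmp"
  /sbin/iptables-save -c > "$tmp"
  SASWALL_BACKUP=$tmp   # only published once the save succeeded

  tmp=$(/bin/mktemp /tmp/saswall-rules.XXXXXXXXXX)
  echo "storing current IPv6 ruleset to $tmp"
  /sbin/ip6tables-save -c > "$tmp"
  SASWALL_BACKUP6=$tmp
}
```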