164
162
AFTER_RULES="$RULES_PATH/after${type}.rules"
165
163
USER_RULES="$USER_PATH/user${type}.rules"
168
delete_chains $type || error="yes"
170
# setup built-in chains' default policy
171
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
172
$exe -P INPUT DROP || error="yes"
174
$exe -P INPUT $DEFAULT_INPUT_POLICY || error="yes"
176
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
177
$exe -P OUTPUT DROP || error="yes"
178
elif [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT_NO_TRACK" ]; then
179
$exe -P OUTPUT ACCEPT || error="yes"
181
$exe -P OUTPUT $DEFAULT_OUTPUT_POLICY || error="yes"
183
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
184
$exe -P FORWARD DROP || error="yes"
186
$exe -P FORWARD $DEFAULT_FORWARD_POLICY || error="yes"
189
# setup some other chains that can be used later
190
if [ "$type" != "6" ]; then
191
$exe -N ufw${type}-not-local || error="yes"
194
# setup ufw${type}-logging-* chains
165
# set the default policy
166
input_pol="$DEFAULT_INPUT_POLICY"
167
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
171
output_pol="$DEFAULT_OUTPUT_POLICY"
172
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
176
forward_pol="$DEFAULT_FORWARD_POLICY"
177
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
180
cat <<EOM | $exe-restore -n || error="yes"
183
:INPUT $input_pol [0:0]
184
:FORWARD $forward_pol [0:0]
185
:OUTPUT $output_pol [0:0]
189
# flush the chains (if they exist)
190
if $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
191
delete_chains $type || error="yes"
193
# setup all the primary chains
194
cat <<EOM | $exe-restore -n || error="yes"
197
:ufw${type}-before-logging-input - [0:0]
198
:ufw${type}-before-logging-output - [0:0]
199
:ufw${type}-before-logging-forward - [0:0]
200
:ufw${type}-before-input - [0:0]
201
:ufw${type}-before-output - [0:0]
202
:ufw${type}-before-forward - [0:0]
203
:ufw${type}-after-input - [0:0]
204
:ufw${type}-after-output - [0:0]
205
:ufw${type}-after-forward - [0:0]
206
:ufw${type}-after-logging-input - [0:0]
207
:ufw${type}-after-logging-output - [0:0]
208
:ufw${type}-after-logging-forward - [0:0]
209
:ufw${type}-reject-input - [0:0]
210
:ufw${type}-reject-output - [0:0]
211
:ufw${type}-reject-forward - [0:0]
212
:ufw${type}-track-input - [0:0]
213
:ufw${type}-track-output - [0:0]
215
-A INPUT -j ufw${type}-before-logging-input
216
-A INPUT -j ufw${type}-before-input
217
-A INPUT -j ufw${type}-after-input
218
-A INPUT -j ufw${type}-after-logging-input
219
-A INPUT -j ufw${type}-reject-input
220
-A INPUT -j ufw${type}-track-input
222
-A OUTPUT -j ufw${type}-before-logging-output
223
-A OUTPUT -j ufw${type}-before-output
224
-A OUTPUT -j ufw${type}-after-output
225
-A OUTPUT -j ufw${type}-after-logging-output
226
-A OUTPUT -j ufw${type}-reject-output
227
-A OUTPUT -j ufw${type}-track-output
229
-A FORWARD -j ufw${type}-before-logging-forward
230
-A FORWARD -j ufw${type}-before-forward
231
-A FORWARD -j ufw${type}-after-forward
232
-A FORWARD -j ufw${type}-after-logging-forward
233
-A FORWARD -j ufw${type}-reject-forward
239
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
240
cat <<EOM | $exe-restore -n || error="yes"
242
-A ufw${type}-reject-input -j REJECT
246
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
247
cat <<EOM | $exe-restore -n || error="yes"
249
-A ufw${type}-reject-output -j REJECT
253
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
254
cat <<EOM | $exe-restore -n || error="yes"
256
-A ufw${type}-reject-forward -j REJECT || error="yes"
261
# add tracking policy
262
if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
263
cat <<EOM | $exe-restore -n || error="yes"
265
-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT
266
-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT
271
if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
272
cat <<EOM | $exe-restore -n || error="yes"
274
-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT
275
-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT
280
# now setup the secondary 'logging-deny' chains
195
281
if ! $exe -L ufw${type}-logging-deny -n >/dev/null 2>&1 ; then
196
$exe -N ufw${type}-logging-deny || error="yes"
197
$exe -N ufw${type}-logging-allow || error="yes"
200
# setup ufw${type}-user-logging-* chains
201
if ! $exe -L ufw${type}-user-logging-input -n >/dev/null 2>&1 ; then
202
$exe -N ufw${type}-user-logging-input || error="yes"
203
$exe -N ufw${type}-user-logging-output || error="yes"
204
$exe -N ufw${type}-user-logging-forward || error="yes"
207
# setup ufw${type}-before-logging-* chains
208
if ! $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then
209
$exe -N ufw${type}-before-logging-input || error="yes"
210
$exe -N ufw${type}-before-logging-output || error="yes"
211
$exe -N ufw${type}-before-logging-forward || error="yes"
212
$exe -A INPUT -j ufw${type}-before-logging-input || error="yes"
213
$exe -A OUTPUT -j ufw${type}-before-logging-output || error="yes"
214
$exe -A FORWARD -j ufw${type}-before-logging-forward || error="yes"
217
# setup ufw${type}-before-* chains
218
if ! $exe -L ufw${type}-before-input -n >/dev/null 2>&1 ; then
219
$exe -N ufw${type}-before-input || error="yes"
220
$exe -N ufw${type}-before-output || error="yes"
221
$exe -N ufw${type}-before-forward || error="yes"
222
$exe -A INPUT -j ufw${type}-before-input || error="yes"
223
$exe -A OUTPUT -j ufw${type}-before-output || error="yes"
224
$exe -A FORWARD -j ufw${type}-before-forward || error="yes"
226
if [ -s "$RULES_PATH" ]; then
227
if ! $exe-restore -n < $BEFORE_RULES ; then
282
cat <<EOM | $exe-restore -n || error="yes"
284
:ufw${type}-logging-deny - [0:0]
285
:ufw${type}-logging-allow - [0:0]
290
# now setup the secondary 'skip to policy' chains
291
if ! $exe -L ufw${type}-skip-to-policy-input -n >/dev/null 2>&1 ; then
292
cat <<EOM | $exe-restore -n || error="yes"
294
:ufw${type}-skip-to-policy-input - [0:0]
295
:ufw${type}-skip-to-policy-output - [0:0]
296
:ufw${type}-skip-to-policy-forward - [0:0]
297
-A ufw${type}-skip-to-policy-input -j "$DEFAULT_INPUT_POLICY"
298
-A ufw${type}-skip-to-policy-output -j "$DEFAULT_OUTPUT_POLICY"
299
-A ufw${type}-skip-to-policy-forward -j "$DEFAULT_FORWARD_POLICY"
304
# now ip[6]tables-restore before*.rules. This resets the following
310
# and sets the following:
312
if [ -s "$BEFORE_RULES" ]; then
313
if ! $exe-restore -n < "$BEFORE_RULES" ; then
228
314
out="${out}\nProblem running '$BEFORE_RULES'"
232
318
out="${out}\nCouldn't find '$BEFORE_RULES'"
235
# setup ufw${type}-user chain
236
if [ -s "$USER_PATH" ]; then
237
$exe -N ufw${type}-user-input || error="yes"
238
$exe -N ufw${type}-user-output || error="yes"
239
$exe -N ufw${type}-user-forward || error="yes"
240
$exe -A ufw${type}-before-input -j ufw${type}-user-input || error="yes"
241
$exe -A ufw${type}-before-output -j ufw${type}-user-output || error="yes"
242
$exe -A ufw${type}-before-forward -j ufw${type}-user-forward || error="yes"
243
if ! $exe-restore -n < $USER_RULES ; then
244
out="${out}\nProblem running '$USER_RULES'"
247
# don't include the RETURN lines here, as they will
248
# be in the USER_PATH file
251
# setup ufw${type}-after-* chains
252
if ! $exe -L ufw${type}-after-input -n >/dev/null 2>&1 ; then
253
$exe -N ufw${type}-after-input || error="yes"
254
$exe -N ufw${type}-after-output || error="yes"
255
$exe -N ufw${type}-after-forward || error="yes"
256
$exe -A INPUT -j ufw${type}-after-input || error="yes"
257
$exe -A OUTPUT -j ufw${type}-after-output || error="yes"
258
$exe -A FORWARD -j ufw${type}-after-forward || error="yes"
322
# now ip[6]tables-restore after*.rules. This resets the following
260
327
if [ -s "$AFTER_RULES" ]; then
261
if ! $exe-restore -n < $AFTER_RULES ; then
328
if ! $exe-restore -n < "$AFTER_RULES" ; then
262
329
out="${out}\nProblem running '$AFTER_RULES'"
266
333
out="${out}\nCouldn't find '$AFTER_RULES'"
269
# setup ufw${type}-after-logging-* chains
270
if ! $exe -L ufw${type}-after-logging-input -n >/dev/null 2>&1 ; then
271
$exe -N ufw${type}-after-logging-input || error="yes"
272
$exe -N ufw${type}-after-logging-output || error="yes"
273
$exe -N ufw${type}-after-logging-forward || error="yes"
274
$exe -A INPUT -j ufw${type}-after-logging-input || error="yes"
275
$exe -A OUTPUT -j ufw${type}-after-logging-output || error="yes"
276
$exe -A FORWARD -j ufw${type}-after-logging-forward || error="yes"
279
# now setup the REJECT chains
280
if ! $exe -L ufw${type}-reject-input -n >/dev/null 2>&1 ; then
281
$exe -N ufw${type}-reject-input || error="yes"
282
$exe -N ufw${type}-reject-output || error="yes"
283
$exe -N ufw${type}-reject-forward || error="yes"
284
$exe -A INPUT -j ufw${type}-reject-input || error="yes"
285
$exe -A OUTPUT -j ufw${type}-reject-output || error="yes"
286
$exe -A FORWARD -j ufw${type}-reject-forward || error="yes"
289
if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then
290
$exe -A ufw${type}-reject-input -j REJECT || error="yes"
292
if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then
293
$exe -A ufw${type}-reject-output -j REJECT || error="yes"
295
if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then
296
$exe -A ufw${type}-reject-forward -j REJECT || error="yes"
299
# now setup the incoming state tracking chains
300
if ! $exe -L ufw${type}-track-input -n >/dev/null 2>&1 ; then
301
$exe -N ufw${type}-track-input || error="yes"
302
$exe -A INPUT -j ufw${type}-track-input || error="yes"
305
if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
306
$exe -A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT || error="yes"
307
$exe -A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT || error="yes"
310
# now setup the outgoing state tracking chains
311
if ! $exe -L ufw${type}-track-output -n >/dev/null 2>&1 ; then
312
$exe -N ufw${type}-track-output || error="yes"
313
$exe -A OUTPUT -j ufw${type}-track-output || error="yes"
316
if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
317
$exe -A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT || error="yes"
318
$exe -A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT || error="yes"
338
if [ -s "$USER_RULES" ]; then
339
# setup the secondary 'user' chains
340
if ! $exe -L ufw${type}-user-input -n >/dev/null 2>&1 ; then
341
cat <<EOM | $exe-restore -n || error="yes"
343
:ufw${type}-user-input - [0:0]
344
:ufw${type}-user-output - [0:0]
345
:ufw${type}-user-forward - [0:0]
346
:ufw${type}-user-logging-input - [0:0]
347
:ufw${type}-user-logging-output - [0:0]
348
:ufw${type}-user-logging-forward - [0:0]
349
:ufw${type}-user-limit - [0:0]
350
:ufw${type}-user-limit-accept - [0:0]
355
# now ip[6]tables-restore user*.rules. This resets the following
357
# ufw-before-logging-input
358
# ufw-before-logging-output
359
# ufw-before-logging-forward
360
# ufw-after-logging-input
361
# ufw-after-logging-output
362
# ufw-after-logging-forward
369
# ufw-user-limit-accept
370
if ! $exe-restore -n < "$USER_RULES" ; then
371
out="${out}\nProblem running '$USER_RULES'"
375
# now hooks these into the primary chains
376
cat <<EOM | $exe-restore -n || error="yes"
378
-A ufw${type}-before-input -j ufw${type}-user-input
379
-A ufw${type}-before-output -j ufw${type}-user-output
380
-A ufw${type}-before-forward -j ufw${type}-user-forward
384
out="${out}\nCouldn't find '$USER_RULES'"