# check-requirements: verify all the required iptables functionality is
# Copyright 2008-2013 Canonical Ltd.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 3,
# as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
chain="ufw-check-requirements"
if [ "$1" = "runtime" ]; then
# make sure to always return success below because of set -e
output=$( "$@" 2>&1 ) || ret=$?
if [ $ret -eq 0 ]; then
if [ "$runtime" = "yes" ]; then
echo "FAIL (no runtime support)"
echo "error was: $output"
echo "error was: $output"
echo -n "Has python: "
for exe in python2.7 python2.6 python2.5 python3.2 python; do
if ! which $exe >/dev/null 2>&1; then
v=`$exe --version 2>&1 | cut -f 2 -d ' '`
if echo "$v" | grep -q "^2.[567]"; then
echo "pass (binary: $exe, version: $v, py2)"
elif echo "$v" | grep -q "^3.[2]"; then
echo "pass (binary: $exe, version: $v, py3)"
if [ "$found_python" != "yes" ]; then
echo "ERROR: could not find valid python" >&2
if [ "$i" = "6" ]; then
if ! which $exe >/dev/null 2>&1; then
echo "ERROR: could not find '$exe'" >&2
if [ -n "$error" ]; then
for i in /proc/net/dev /proc/net/if_inet6; do
if [ ! -e "$i" ]; then
if [ -n "$error" ]; then
echo "This script will now attempt to create various rules using the iptables"
echo "and ip6tables commands. This may result in module autoloading (eg, for"
if [ "$1" != "-f" ]; then
echo -n "Proceed with checks (Y/n)? "
if [ "$ans" = "n" ] || [ "$ans" = "N" ] || [ "$ans" = "no" ]; then
if [ "$i" = "6" ]; then
if [ "$i" = "6" ]; then
echo -n "Creating '$c'... "
echo "ERROR: could not create '$c'. Aborting" >&2
# set up a RETURN rule right at the top, so we don't open anything up when
# running the script. Isn't attached to INPUT, but better safe than sorry.
echo -n "Inserting RETURN at top of '$c'... "
$exe -I "$c" -j RETURN || {
echo "ERROR: could insert RETURN rule into '$c'. Aborting" >&2
runcmd $exe -A $c -p tcp -j ACCEPT
runcmd $exe -A $c -p udp -j ACCEPT
echo -n "destination port: "
runcmd $exe -A $c -p tcp --dport 22 -j ACCEPT
echo -n "source port: "
runcmd $exe -A $c -p tcp --sport 22 -j ACCEPT
for j in ACCEPT DROP REJECT LOG; do
runcmd $exe -A $c -p tcp --sport 23 -j $j
echo -n "hashlimit: "
runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT
runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT
for j in NEW RELATED ESTABLISHED INVALID; do
echo -n "ctstate ($j): "
runcmd $exe -A $c -m conntrack --ctstate $j
echo -n "ctstate (new, recent set): "
runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set
echo -n "ctstate (new, recent update): "
runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
echo -n "ctstate (new, limit): "
runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
echo -n "interface (input): "
runcmd $exe -A $c -i eth0 -j ACCEPT
echo -n "interface (output): "
runcmd $exe -A $c -o eth0 -j ACCEPT
echo -n "multiport: "
runcmd $exe -A $c -p tcp -m multiport --dports 80,443,8080:8090 -j ACCEPT
runcmd $exe -A $c -m comment --comment 'dapp_Samba'
for j in LOCAL MULTICAST BROADCAST; do
echo -n "addrtype ($j): "
runcmd $exe -A $c -m addrtype --dst-type $j -j RETURN
for j in destination-unreachable source-quench time-exceeded parameter-problem echo-request; do
echo -n "icmp ($j): "
runcmd $exe -A $c -p icmp --icmp-type $j -j ACCEPT
for j in destination-unreachable packet-too-big time-exceeded parameter-problem echo-request; do
echo -n "icmpv6 ($j): "
runcmd $exe -A $c -p icmpv6 --icmpv6-type $j -j ACCEPT
for j in neighbor-solicitation neighbor-advertisement router-solicitation router-advertisement; do
echo -n "icmpv6 with hl ($j): "
runcmd $exe -A $c -p icmpv6 --icmpv6-type $j -m hl --hl-eq 255 -j ACCEPT
runcmd $exe -A $c -m rt --rt-type 0 -j ACCEPT
if [ "$i" = "6" ]; then
$exe -F $c >/dev/null 2>&1 || {
if [ -z "$error" ]; then
echo "ERROR: could not flush '$c'" >&2
$exe -X $c >/dev/null 2>&1 || {
if [ -z "$error" ]; then
echo "ERROR: could not remove '$c'" >&2
if [ -n "$error" ] || [ -n "$error_runtime" ]; then
if [ -n "$error" ]; then
echo "FAIL: check your kernel and that you have iptables >= 1.4.0"
if [ -n "$error_runtime" ]; then
echo "FAIL: check your kernel and iptables for additional runtime support"
echo "All tests passed"