#!/bin/sh # # ufw-init-functions: functions used by ufw-init and distribution initscripts # # Copyright 2008-2010 Canonical Ltd. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License version 3, # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # set -e PATH="/sbin:/bin:/usr/sbin:/usr/bin" for s in "/etc/default/ufw" "/etc/ufw/ufw.conf" ; do if [ -s "$s" ]; then . "$s" else echo "Could not find $s (aborting)" exit 1 fi done RULES_PATH="/etc/ufw" USER_PATH="/lib/ufw" flush_builtins() { error="" execs="iptables" if ip6tables -L INPUT -n >/dev/null 2>&1; then execs="$execs ip6tables" fi for exe in $execs do $exe -F || error="yes" $exe -X || error="yes" $exe -P INPUT ACCEPT || error="yes" $exe -P OUTPUT ACCEPT || error="yes" $exe -P FORWARD ACCEPT || error="yes" # now handle the mangle table if $exe -t mangle -L -n >/dev/null 2>&1; then for i in INPUT OUTPUT FORWARD PREROUTING POSTROUTING ; do $exe -t mangle -F $i || error="yes" $exe -t mangle -P $i ACCEPT || error="yes" done fi done # now handle the nat table if iptables -t nat -L -n >/dev/null 2>&1; then for i in OUTPUT PREROUTING POSTROUTING ; do iptables -t nat -F $i || error="yes" iptables -t nat -P $i ACCEPT || error="yes" done fi if [ "$error" = "yes" ]; then return 1 fi } chains_command() { flag="$1" type="" exe="iptables" if [ "$2" = "6" ]; then type="$2" exe="ip6tables" fi for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-limit-accept ufw$type-user-limit ufw$type-skip-to-policy-input ufw$type-reject-input ufw$type-after-logging-input ufw$type-after-input ufw$type-user-input ufw$type-before-input ufw$type-before-logging-input ufw$type-skip-to-policy-forward ufw$type-reject-forward ufw$type-after-logging-forward ufw$type-after-forward ufw$type-user-logging-forward ufw$type-user-forward ufw$type-before-forward ufw$type-before-logging-forward ufw$type-track-output ufw$type-track-input ufw$type-skip-to-policy-output ufw$type-reject-output ufw$type-after-logging-output ufw$type-after-output ufw$type-user-logging-output ufw$type-user-output ufw$type-before-output ufw$type-before-logging-output; do if [ "$UFW_INIT_DEBUG" = "yes" ]; then echo "$exe $flag $c" >&2 $exe $flag $c || true else $exe $flag $c 2>/dev/null || true fi done } delete_chains() { chains_command -F $1 chains_command -Z $1 # Delete the secondary chains to reduce clutter, but keep the primary ones # so that the primary chains don't leave the built-in chains just to come # back later in a different place. This means that some (empty) chains will # linger until the next boot after disabling ufw. for c in ufw$type-logging-deny ufw$type-logging-allow ufw$type-not-local ufw$type-user-logging-input ufw$type-user-logging-output ufw$type-user-logging-forward ufw$type-user-limit-accept ufw$type-user-limit ufw$type-user-input ufw$type-user-forward ufw$type-user-output ufw$type-skip-to-policy-input ufw$type-skip-to-policy-output ufw$type-skip-to-policy-forward ; do if [ "$UFW_INIT_DEBUG" = "yes" ]; then echo "$exe $flag $c" >&2 $exe -X $c || true else $exe -X $c 2>/dev/null || true fi done } ufw_start() { out="" if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then if iptables -L ufw-user-input -n >/dev/null 2>&1 ; then echo "Firewall already started, use 'force-reload'" return 0 fi for m in $IPT_MODULES do modprobe $m || true done if [ "$MANAGE_BUILTINS" = "yes" ]; then flush_builtins fi execs="iptables" # IPv6 setup if [ "$IPV6" = "yes" ] || [ "$IPV6" = "YES" ]; then if ip6tables -L INPUT -n >/dev/null 2>&1; then execs="$execs ip6tables" else out="${out}\nProblem loading ipv6 (skipping)" fi else if ip6tables -L INPUT -n >/dev/null 2>&1; then # IPv6 support disabled but available in the kernel, so # default DROP and accept all on loopback delete_chains 6 || error="yes" printf "*filter\n"\ ":INPUT DROP [0:0]\n"\ ":FORWARD DROP [0:0]\n"\ ":OUTPUT DROP [0:0]\n"\ "-A INPUT -i lo -j ACCEPT\n"\ "-A OUTPUT -o lo -j ACCEPT\n"\ "COMMIT\n" | ip6tables-restore || error="yes" if [ "$error" = "yes" ]; then out="${out}\nProblem loading ipv6 (skipping)" fi fi fi for exe in $execs do type="" if [ "$exe" = "ip6tables" ]; then type="6" fi BEFORE_RULES="$RULES_PATH/before${type}.rules" AFTER_RULES="$RULES_PATH/after${type}.rules" USER_RULES="$USER_PATH/user${type}.rules" # set the default policy input_pol="$DEFAULT_INPUT_POLICY" if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then input_pol="DROP" fi output_pol="$DEFAULT_OUTPUT_POLICY" if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then output_pol="DROP" fi forward_pol="$DEFAULT_FORWARD_POLICY" if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then forward_pol="DROP" fi # TODO: filter policies printf "*filter\n"\ "# builtin chains\n"\ ":INPUT $input_pol [0:0]\n"\ ":FORWARD $forward_pol [0:0]\n"\ ":OUTPUT $output_pol [0:0]\n"\ "COMMIT\n" | $exe-restore -n || error="yes" # flush the chains (if they exist) if $exe -L ufw${type}-before-logging-input -n >/dev/null 2>&1 ; then delete_chains $type || error="yes" else # setup all the primary chains printf "*filter\n"\ "# primary chains\n"\ ":ufw${type}-before-logging-input - [0:0]\n"\ ":ufw${type}-before-logging-output - [0:0]\n"\ ":ufw${type}-before-logging-forward - [0:0]\n"\ ":ufw${type}-before-input - [0:0]\n"\ ":ufw${type}-before-output - [0:0]\n"\ ":ufw${type}-before-forward - [0:0]\n"\ ":ufw${type}-after-input - [0:0]\n"\ ":ufw${type}-after-output - [0:0]\n"\ ":ufw${type}-after-forward - [0:0]\n"\ ":ufw${type}-after-logging-input - [0:0]\n"\ ":ufw${type}-after-logging-output - [0:0]\n"\ ":ufw${type}-after-logging-forward - [0:0]\n"\ ":ufw${type}-reject-input - [0:0]\n"\ ":ufw${type}-reject-output - [0:0]\n"\ ":ufw${type}-reject-forward - [0:0]\n"\ ":ufw${type}-track-input - [0:0]\n"\ ":ufw${type}-track-output - [0:0]\n"\ "\n"\ "-A INPUT -j ufw${type}-before-logging-input\n"\ "-A INPUT -j ufw${type}-before-input\n"\ "-A INPUT -j ufw${type}-after-input\n"\ "-A INPUT -j ufw${type}-after-logging-input\n"\ "-A INPUT -j ufw${type}-reject-input\n"\ "-A INPUT -j ufw${type}-track-input\n"\ "\n"\ "-A OUTPUT -j ufw${type}-before-logging-output\n"\ "-A OUTPUT -j ufw${type}-before-output\n"\ "-A OUTPUT -j ufw${type}-after-output\n"\ "-A OUTPUT -j ufw${type}-after-logging-output\n"\ "-A OUTPUT -j ufw${type}-reject-output\n"\ "-A OUTPUT -j ufw${type}-track-output\n"\ "\n"\ "-A FORWARD -j ufw${type}-before-logging-forward\n"\ "-A FORWARD -j ufw${type}-before-forward\n"\ "-A FORWARD -j ufw${type}-after-forward\n"\ "-A FORWARD -j ufw${type}-after-logging-forward\n"\ "-A FORWARD -j ufw${type}-reject-forward\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # add reject policy if [ "$DEFAULT_INPUT_POLICY" = "REJECT" ]; then printf "*filter\n"\ "-A ufw${type}-reject-input -j REJECT\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi if [ "$DEFAULT_OUTPUT_POLICY" = "REJECT" ]; then printf "*filter\n"\ "-A ufw${type}-reject-output -j REJECT\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi if [ "$DEFAULT_FORWARD_POLICY" = "REJECT" ]; then printf "*filter\n"\ "-A ufw${type}-reject-forward -j REJECT\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # add tracking policy if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then printf "*filter\n"\ "-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ "-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then printf "*filter\n"\ "-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ "-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # now setup the secondary 'logging-deny' chains if ! $exe -L ufw${type}-logging-deny -n >/dev/null 2>&1 ; then printf "*filter\n"\ ":ufw${type}-logging-deny - [0:0]\n"\ ":ufw${type}-logging-allow - [0:0]\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # now setup the secondary 'skip to policy' chains if ! $exe -L ufw${type}-skip-to-policy-input -n >/dev/null 2>&1 ; then printf "*filter\n"\ ":ufw${type}-skip-to-policy-input - [0:0]\n"\ ":ufw${type}-skip-to-policy-output - [0:0]\n"\ ":ufw${type}-skip-to-policy-forward - [0:0]\n"\ "-A ufw${type}-skip-to-policy-input -j "$DEFAULT_INPUT_POLICY"\n"\ "-A ufw${type}-skip-to-policy-output -j "$DEFAULT_OUTPUT_POLICY"\n"\ "-A ufw${type}-skip-to-policy-forward -j "$DEFAULT_FORWARD_POLICY"\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # now ip[6]tables-restore before*.rules. This resets the following # chains: # ufw-before-input # ufw-before-output # ufw-before-forward # # and sets the following: # ufw-not-local if [ -s "$BEFORE_RULES" ]; then if ! $exe-restore -n < "$BEFORE_RULES" ; then out="${out}\nProblem running '$BEFORE_RULES'" error="yes" fi else out="${out}\nCouldn't find '$BEFORE_RULES'" error="yes" fi # now ip[6]tables-restore after*.rules. This resets the following # chains: # ufw-after-input # ufw-after-output # ufw-after-forward if [ -s "$AFTER_RULES" ]; then if ! $exe-restore -n < "$AFTER_RULES" ; then out="${out}\nProblem running '$AFTER_RULES'" error="yes" fi else out="${out}\nCouldn't find '$AFTER_RULES'" error="yes" fi # user chains if [ -s "$USER_RULES" ]; then # setup the secondary 'user' chains if ! $exe -L ufw${type}-user-input -n >/dev/null 2>&1 ; then printf "*filter\n"\ ":ufw${type}-user-input - [0:0]\n"\ ":ufw${type}-user-output - [0:0]\n"\ ":ufw${type}-user-forward - [0:0]\n"\ ":ufw${type}-user-logging-input - [0:0]\n"\ ":ufw${type}-user-logging-output - [0:0]\n"\ ":ufw${type}-user-logging-forward - [0:0]\n"\ ":ufw${type}-user-limit - [0:0]\n"\ ":ufw${type}-user-limit-accept - [0:0]\n"\ "COMMIT\n" | $exe-restore -n || error="yes" fi # now ip[6]tables-restore user*.rules. This resets the following # chains: # ufw-before-logging-input # ufw-before-logging-output # ufw-before-logging-forward # ufw-after-logging-input # ufw-after-logging-output # ufw-after-logging-forward # ufw-logging-deny # ufw-logging-allow # ufw-after-input # ufw-after-output # ufw-after-forward # ufw-user-limit # ufw-user-limit-accept if ! $exe-restore -n < "$USER_RULES" ; then out="${out}\nProblem running '$USER_RULES'" error="yes" fi # now hooks these into the primary chains printf "*filter\n"\ "-A ufw${type}-before-input -j ufw${type}-user-input\n"\ "-A ufw${type}-before-output -j ufw${type}-user-output\n"\ "-A ufw${type}-before-forward -j ufw${type}-user-forward\n"\ "COMMIT\n" | $exe-restore -n || error="yes" else out="${out}\nCouldn't find '$USER_RULES'" error="yes" fi done if [ ! -z "$IPT_SYSCTL" ] && [ -s "$IPT_SYSCTL" ]; then sysctl -e -q -p $IPT_SYSCTL || true fi if [ "$error" = "yes" ]; then /bin/echo -e "$out" return 1 fi else out="Skip starting firewall: ufw (not enabled)" fi if [ ! -z "$out" ]; then /bin/echo -e "$out" fi } ufw_stop() { if [ "$1" != "--force" ] && [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then echo "Skip stopping firewall: ufw (not enabled)" return 0 fi # If we manage the builtins, just return if [ "$MANAGE_BUILTINS" = "yes" ]; then flush_builtins || return 1 return 0 fi error="" execs="iptables" if ip6tables -L INPUT -n >/dev/null 2>&1; then execs="$execs ip6tables" fi for exe in $execs do type="" if [ "$exe" = "ip6tables" ]; then type="6" fi delete_chains $type || error="yes" $exe -P INPUT ACCEPT || error="yes" $exe -P OUTPUT ACCEPT || error="yes" $exe -P FORWARD ACCEPT || error="yes" done if [ "$error" = "yes" ]; then return 1 fi return 0 } ufw_reload() { if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then ufw_stop || return "$?" ufw_start || return "$?" else echo "Skipping $1 (not enabled)" fi return 0 } ufw_status() { err="" iptables -L ufw-user-input -n >/dev/null 2>&1 || { echo "Firewall is not running" return 3 } if [ "$IPV6" = "yes" ] || [ "$IPV6" = "YES" ]; then ip6tables -L ufw6-user-input -n >/dev/null 2>&1 || { # unknown state: ipv4 ok, but ipv6 isn't echo "Firewall in inconsistent state (IPv6 enabled but not running)" return 4 } fi echo "Firewall is running" return 0 }