Member "aif-2.1.1/configure.sh" (16 Sep 2020, 11128 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:



#!/bin/bash

MY_VERSION='1.04'

# ------------------------------------------------------------------------------------------
#                         -= Arno's Iptables Firewall(AIF) =-
#              Single- & multi-homed firewall script with DSL/ADSL support
#
#                           ~ In memory of my dear father ~
#
# (C) Copyright 2001-2019 by Arno van Amersfoort
# Homepage              : https://rocky.eld.leidenuniv.nl/
# Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
#                         (note: you must remove all spaces and substitute the @ and the .
#                         at the proper locations!)
# ------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ------------------------------------------------------------------------------------------

# The environment file (relative to the current directory, i.e. the unpacked package root)
# presumably provides the helpers used below (check_command_error, check_interface, ...).
# Without it there is nothing useful we can do, so bail out.
#########################################################
if [ ! -f ./share/arno-iptables-firewall/environment ]; then
  printf "\033[40m\033[1;31mERROR: Could not read environment file ./share/arno-iptables-firewall/environment!\033[0m\n\n" >&2
  exit 2
fi
. ./share/arno-iptables-firewall/environment

# Allow user to override firewall.conf location (undocumented)
FIREWALL_CONF=${1:-/etc/arno-iptables-firewall/firewall.conf}
   42 
   43 
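# Abort unless we run as root on a system that has the firewall installed and all external
# tools this script relies on are available. Exits with status 1 on the first failed check
# (check_command_error is not defined here; it is expected from the sourced environment file).
sanity_check()
{
  local tool

  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n\n" >&2
    exit 1
  fi

  # Installed-check uses the default location on purpose, independent of a FIREWALL_CONF override
  if [ ! -f "/etc/arno-iptables-firewall/firewall.conf" ]; then
    printf "\033[40m\033[1;31mERROR: It looks like arno-iptables-firewall is not installed on this system (yet)! Quitting...\033[0m\n\n" >&2
    exit 1
  fi

  # Tools used further down (sed by change_conf_var, ifconfig by list_interfaces, ...);
  # each was previously listed on its own line, with sed checked twice
  for tool in sed chmod chown cp ln rm ip ifconfig cut diff; do
    check_command_error "$tool"
  done
}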
   69 
   70 
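# Set variable $2 to value $3 in config file $1, uncommenting a "#VAR=" line if needed.
# An empty value leaves the file untouched. A variable that is not present at all is
# reported on stderr (the file is then probably from an older version) and nothing is changed.
change_conf_var()
{
  local conf_file="$1" var_name="$2" new_value="$3"
  local escaped

  if ! grep -E -q "^#?${var_name}=" "$conf_file"; then
    printf "\033[40m\033[1;31mERROR: Variable \"%s\" not found in \"%s\". File is probably outdated!\033[0m\n\n" "$var_name" "$conf_file" >&2
  elif [ -n "$new_value" ]; then
    # The value comes straight from user input. Escape '&' (sed: "whole match") and our '~'
    # delimiter so e.g. "22&80" or a '~' cannot alter the sed script; backslashes are passed
    # through unchanged because a caller deliberately writes '\$INTERNAL_NET' to get "$INTERNAL_NET"
    escaped="$(printf '%s' "$new_value" | sed -e 's/[&~]/\\&/g')"
    sed -i -e "s~^#\?${var_name}=.*$~${var_name}=\"${escaped}\"~" "$conf_file"
  fi
}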
   79 
   80 
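# Ask question $1 and store the reply in variable $3 of config file $2 via change_conf_var.
# An empty reply stores default $4 instead; an empty default leaves the variable untouched.
# Always returns 0.
get_conf_var()
{
  local answer

  # %b keeps backslash escapes in the question working (as the old format-string use did)
  # without letting a '%' in the text be taken as a conversion
  printf '%b ' "$1"

  read -r answer

  if [ -z "$answer" ]; then
    if [ -n "$4" ]; then
      change_conf_var "$2" "$3" "$4"
    fi
  else
    change_conf_var "$2" "$3" "$answer"
  fi

  return 0
}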
  100 
  101 
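# Ask yes/no question $1 with default $2 ("y" or anything else for "n").
# Returns 0 for yes, 1 for no; an empty or unrecognised reply yields the default.
get_user_yn()
{
  local answer_with_case answer

  # %b expands backslash escapes in the question (callers pass "\n" inside their prompts)
  # while keeping the text out of the format string
  if [ "$2" = "y" ]; then
    printf '%b (Y/n)? ' "$1"
  else
    printf '%b (y/N)? ' "$1"
  fi

  read -r answer_with_case

  answer="$(printf '%s' "$answer_with_case" | tr '[:upper:]' '[:lower:]')"

  if [ "$answer" = "y" ] || [ "$answer" = "yes" ]; then
    return 0
  fi

  if [ "$answer" = "n" ] || [ "$answer" = "no" ]; then
    return 1
  fi

  # Fallback to default
  if [ "$2" = "y" ]; then
    return 0
  fi
  return 1
}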
  129 
  130 
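# Check every interface in the space/comma separated list $1 with check_interface (not defined
# here; expected from the sourced environment file) and ask the user whether to continue for
# each one that does not exist, or when the list is empty.
# Returns 0 to accept the list, 1 when the user declined (caller asks again).
verify_interfaces()
{
  # Keep the IFS change and loop variable local so the caller's word splitting is unaffected
  local IFS interface

  if [ -z "$1" ]; then
    if ! get_user_yn "No interface(s) specified. These are required! Continue anyway" "n"; then
      return 1
    fi
  fi

  IFS=' ,'
  for interface in $1; do
    if ! check_interface "$interface"; then
      if ! get_user_yn "Interface \"$interface\" does not exist (yet). Continue anyway" "n"; then
        return 1
      fi
    fi
  done

  return 0
}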
  150 
  151 
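# Print the interfaces reported by "ifconfig -a" (skipping dummy*, bond* and lo) with their
# hwaddr/ether and inet/inet6 lines, separated by a blank line per interface.
list_interfaces()
{
  # NOTE(review): IFS is changed here and, as before, not restored; callers' unquoted expansions
  # (e.g. "verify_interfaces $EXT_IF") may depend on that — confirm before localising it.
  # With IFS=$EOL the leading blanks of ifconfig's detail lines survive "read", which the
  # column-0 test below relies on.
  IFS=$EOL
  local CUR_IF=""
  ifconfig -a 2>/dev/null |while read -r LINE; do
    # An interface block starts with a line in column 0; its detail lines are indented
    if echo "$LINE" |grep -q -e '^[a-z]'; then
      if ! echo "$LINE" |grep -q -e '^dummy[0-9]' -e '^bond[0-9]' -e '^lo[[:blank:]]'; then
        CUR_IF="$(echo "$LINE" |awk '{ print $1 }')"
      else
        CUR_IF=""
      fi
    fi

    # A blank line ends the current interface block
    if [ -z "$LINE" ] && [ -n "$CUR_IF" ]; then
      CUR_IF=""
      echo ""
    fi

    if [ -n "$CUR_IF" ] && echo "$LINE" |grep -q -E -i -e ' hwaddr ' -e ' ether ' -e '[[:blank:]]inet6? addr'; then
      echo "$LINE"
    fi
  done
}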
  175 
  176 
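# Interactively set the most basic firewall.conf values: external interface(s), DHCP, IPv6,
# ICMP, open TCP/UDP ports and, optionally, internal interface(s) with auto-detected IPv4
# net/broadcast and NAT. Works on the global FIREWALL_CONF; a .bak copy is made first.
setup_conf_file()
{
  # IFS is modified below (and by list_interfaces); keep that from leaking into the caller
  local IFS
  local interface

  # Create backup of old config
  if cp -fvb "$FIREWALL_CONF" "${FIREWALL_CONF}.bak"; then
    # The backup holds the same content, so give it the same mode the live file gets below
    chmod 600 "${FIREWALL_CONF}.bak"
  fi

  echo ""
  echo "Listing available interfaces:"
  echo "-----------------------------"
  list_interfaces
  echo "-----------------------------"

  printf "We will now setup the most basic settings of the firewall\n\n"

  while true; do
    printf "What is your external (aka. internet) interface (multiple interfaces should be comma separated)? "
    read -r EXT_IF

    # Quoted on purpose: verify_interfaces splits on spaces/commas itself; unquoted, which
    # interfaces got checked depended on the current IFS
    if verify_interfaces "$EXT_IF"; then
      change_conf_var "$FIREWALL_CONF" "EXT_IF" "$EXT_IF"

      break
    fi
  done

  if get_user_yn "Does your external interface get its IP through DHCP" "n"; then
    change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "1"
  else
    change_conf_var "$FIREWALL_CONF" "EXT_IF_DHCP_IP" "0"
  fi

  if get_user_yn "Do you want to enable IPv6 support" "y"; then
    change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "1"
  else
    change_conf_var "$FIREWALL_CONF" "IPV6_SUPPORT" "0"
  fi

  if get_user_yn "Do you want to be pingable from the internet" "n"; then
    change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "1"
  else
    change_conf_var "$FIREWALL_CONF" "OPEN_ICMP" "0"
  fi

  get_conf_var "Which TCP ports do you want to allow from the internet? (eg. 22=SSH, 80=HTTP, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_TCP" ""
  get_conf_var "Which UDP ports do you want to allow from the internet? (eg. 53=DNS, etc.) (comma separate multiple ports)?" "$FIREWALL_CONF" "OPEN_UDP" ""

  if get_user_yn "Do you have an internal(aka LAN) interface that you want to setup" "n"; then
    while true; do
      printf "What is your internal (aka. LAN) interface (multiple interfaces should be comma separated)? "
      read -r INT_IF

      if verify_interfaces "$INT_IF"; then
        change_conf_var "$FIREWALL_CONF" "INT_IF" "$INT_IF"

        local INTERNAL_NET=""
        local INT_NET_BCAST_ADDRESS=""
        # Collect the net/broadcast of every internal interface, space separated
        # (get_network_ipv4_* come from the sourced environment file)
        IFS=' ,'
        for interface in $INT_IF; do
          INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$(get_network_ipv4_address_mask "$interface")"
          INT_NET_BCAST_ADDRESS="$INT_NET_BCAST_ADDRESS${INT_NET_BCAST_ADDRESS:+ }$(get_network_ipv4_broadcast "$interface")"
        done

        if [ -n "$INTERNAL_NET" ] && [ -n "$INT_NET_BCAST_ADDRESS" ]; then
          echo "* Auto-detected internal IPv4 net(s): $INTERNAL_NET"
          echo "* Auto-detected internal IPv4 broadcast address(es): $INT_NET_BCAST_ADDRESS"

          change_conf_var "$FIREWALL_CONF" "INTERNAL_NET" "$INTERNAL_NET"
          change_conf_var "$FIREWALL_CONF" "INT_NET_BCAST_ADDRESS" "$INT_NET_BCAST_ADDRESS"

          if get_user_yn "Do you want to enable NAT/masquerading for your internal subnet" "n"; then
            change_conf_var "$FIREWALL_CONF" "NAT" "1"
            # Written literally as $INTERNAL_NET so firewall.conf references its own variable
            change_conf_var "$FIREWALL_CONF" "NAT_INTERNAL_NET" '\$INTERNAL_NET'
          else
            change_conf_var "$FIREWALL_CONF" "NAT" "0"
          fi
        fi

        break
      fi
    done
  fi

  # Make sure init script is executable and root owned
  if [ -f /etc/init.d/arno-iptables-firewall ]; then
    chown 0:0 /etc/init.d/arno-iptables-firewall
    chmod 755 /etc/init.d/arno-iptables-firewall
  fi

  # Set the correct permissions on the config file
  chown 0:0 "$FIREWALL_CONF"
  chmod 600 "$FIREWALL_CONF"
}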
  268 
  269 
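# main line:
AIF_VERSION="$(grep "MY_VERSION=" ./bin/arno-iptables-firewall |sed -e "s/^MY_VERSION=\"//" -e "s/\"$//")"

# Versions are printf arguments, not part of the format string
printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v%s\033[0m\n" "$AIF_VERSION"
printf "Configure Script v%s\n" "$MY_VERSION"
echo "-------------------------------------------------------------------------------"

sanity_check

RC_PATH="/etc"
# Check for Redhat/SUSE rc.d
if [ -d "/etc/rc.d" ]; then
  RC_PATH="/etc/rc.d"
fi

# Remove any symlinks in rc*.d out of the way (rm -f also swallows a non-matching glob)
for RC_LEVEL in 0 1 2 3 4 5 6 S; do
  rm -f "$RC_PATH/rc$RC_LEVEL.d/"*arno-iptables-firewall
done

# Create the classic SysV start/kill symlinks.
# $1 - runlevel dir holding the start link (rcS.d or rc2.d), $2 - start link name,
# $3 - kill link name (created in rc0.d and rc6.d). Returns non-zero if any ln fails.
install_rc_symlinks()
{
  ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/$1/$2" &&
  ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc0.d/$3" &&
  ln -sv /etc/init.d/arno-iptables-firewall "$RC_PATH/rc6.d/$3"
}

if get_user_yn "Do you want to start the firewall at boot" "y"; then
  DONE=0

  # Try the init systems in order of preference (check_command comes from the environment file)
  if check_command systemctl; then
    if systemctl enable arno-iptables-firewall; then
      echo "* Successfully enabled service with systemctl"
      DONE=1
    fi
  elif check_command update-rc.d; then
    # Note: Currently update-rc.d doesn't seem to properly use the init script's LSB header, so specify explicitly
    if update-rc.d -f arno-iptables-firewall start 11 S . stop 10 0 6 .; then
      echo "* Successfully enabled service with update-rc.d"
      DONE=1
    fi
  elif check_command chkconfig; then
    if chkconfig --add arno-iptables-firewall && chkconfig arno-iptables-firewall on; then
      echo "* Successfully enabled service with chkconfig"
      DONE=1
    fi
  else
    if [ -d "$RC_PATH/rcS.d" ]; then
      if install_rc_symlinks rcS.d S11arno-iptables-firewall K10arno-iptables-firewall; then
        echo "* Successfully enabled service through $RC_PATH/rcS.d/ symlink"
        DONE=1
      fi
    elif [ -d "$RC_PATH/rc2.d" ]; then
      if install_rc_symlinks rc2.d S09arno-iptables-firewall K91arno-iptables-firewall; then
        echo "* Successfully enabled service through $RC_PATH/rc2.d/ symlink"
        DONE=1
      fi
    else
      echo "WARNING: Unable to detect /rc2.d or /rcS.d directories. Skipping runlevel symlinks" >&2
    fi
  fi

  if [ "$DONE" -eq 0 ]; then
    echo "ERROR: Unable to setup automatic start at boot. Please investigate" >&2
  fi
fi

# A config identical to the shipped template has never been customised
if diff ./etc/arno-iptables-firewall/firewall.conf "$FIREWALL_CONF" >/dev/null; then
  if get_user_yn "Your firewall.conf is not configured yet.\nDo you want me to help you setup a basic configuration" "y"; then
    setup_conf_file
  else
    echo "* Skipped"
  fi
else
  if get_user_yn "Your firewall.conf looks already customized.\nModify configuration" "n"; then
    setup_conf_file
  else
    echo "* Skipped"
  fi
fi

echo ""
echo "** Configuration done **"
echo ""

exit 0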