# Netfilter packet marks (fwmark values) used to classify LAN clients.
# They are kept as hex strings because they are interpolated verbatim
# into iptables rules.  Those rules test the mark with mask 0x700
# (iptables matches when (mark & mask) == value), so 0x500 — although
# it is 0x100|0x400 bitwise — is a class of its own and is not also
# caught by the 0x100 "blocked" rule.
our ( $Blocked_mark, $Trusted_mark, $Paid_mark, $Ads_mark ) =
    ( '0x100', '0x200', '0x400', '0x500' );
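# Read a walled-garden allow list from <sl_root>/conf/$file and return
# its entries as an array reference, one entry per line.
#
# $file is a bare file name relative to the conf directory; the callers
# in this file pass fixed names.  Blank lines and any line containing
# '#' are skipped and surrounding whitespace is trimmed.  Each surviving
# entry is later interpolated into an iptables rule as a single '-d'
# destination argument, so an entry containing anything other than
# hostname / address / CIDR characters (letters, digits, '.', '_', ':',
# '/', '-') would corrupt the rule text; such a line is treated as a
# configuration error and this sub dies naming the file and the line.
# Dies if the file cannot be opened or closed.
sub load_allows {
    my ( $class, $file ) = @_;
    my $path = $Config->sl_root . "/conf/$file";
    open( my $fh, '<', $path ) or die "open $path: $!";
    my $ct = do { local $/; <$fh> };
    close($fh) or die "close $path: $!";
    return _parse_allows( $ct, $path );
}

# Split allow-list text into trimmed, validated entries.
# $ct is the file contents (undef is treated as empty); $path is used
# only in error messages.  Returns an array reference.
sub _parse_allows {
    my ( $ct, $path ) = @_;
    my @entries;
    for my $line ( split /\n/, ( defined $ct ? $ct : '' ) ) {
        $line =~ s/\A\s+|\s+\z//g;    # trim surrounding whitespace
        next if $line eq '';          # skip blank lines
        next if $line =~ /#/;         # skip comment lines
        # Fail closed: only characters valid in a hostname, IPv4
        # address or CIDR may reach the iptables command line.
        $line =~ m{\A[A-Za-z0-9._:/-]+\z}
          or die "invalid allow-list entry '$line' in $path";
        push @entries, $line;
    }
    return \@entries;
}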
sub init_firewall {
my $class = shift;
`echo 1 > /proc/sys/net/ipv4/ip_forward`;
# flush the existing firewall
$class->clear_firewall();
# create the chains
foreach my $table ( sort keys %tables_chains ) {
foreach my $chain ( @{ $tables_chains{$table} } ) {
iptables("-t $table -N $chain");
}
}
# walled garden exceptions
my $hosts_allow = $class->load_allows('cp_hosts_allow.txt');
my $sslhosts_allow = $class->load_allows('cp_sslhosts_allow.txt');
my $accept = "slNET -d %s -p tcp -m tcp --dport %d -j ACCEPT";
my $slout = "slOUT -d %s -p tcp -m tcp --dport %d -j ACCEPT";
my $hosts_accept =
join( "\n", map { sprintf( $accept, $_, 80 ) } @{$hosts_allow} );
my $sslhosts_accept =
join( "\n", map { sprintf( $accept, $_, 443 ) } @{$sslhosts_allow} );
my $hosts_slout =
join( "\n", map { sprintf( $slout, $_, 80 ) } @{$hosts_allow} );
my $sslhosts_slout =
join( "\n", map { sprintf( $slout, $_, 443 ) } @{$sslhosts_allow} );
##############################
# add the filter default chains
my $filters = <<"FILTERS";
INPUT -i $Lan_if -j slRTR
FORWARD -i $Lan_if -j slNET
slAUT --protocol tcp --source-port ! 25 -j ACCEPT
slAUTads -m state --state RELATED,ESTABLISHED -j ACCEPT
slAUTads -p tcp -m tcp --dport 22 -j ACCEPT
slAUTads -p tcp -m tcp --dport 80 -j ACCEPT
slAUTads -p tcp -m tcp --dport 110 -j ACCEPT
slAUTads -p tcp -m tcp --dport 143 -j ACCEPT
slAUTads -p tcp -m tcp --dport 443 -j ACCEPT
slAUTads -p tcp -m tcp --dport 465 -j ACCEPT
slAUTads -p udp -m udp --dport 500 -j ACCEPT
slAUTads -p tcp -m tcp --dport 587 -j ACCEPT
slAUTads -p tcp -m tcp --dport 993 -j ACCEPT
slAUTads -p tcp -m tcp --dport 995 -j ACCEPT
slAUTads -p tcp -m tcp --dport 1723 -j ACCEPT
slAUTads -p udp -m udp --dport 1701 -j ACCEPT
slAUTads -p tcp -m tcp --dport 3389 -j ACCEPT
slAUTads -p tcp -m tcp --dport 5050 -j ACCEPT
slAUTads -p tcp -m tcp --dport 5190 -j ACCEPT
slAUTads -p tcp -m tcp --dport 5222 -j ACCEPT
slAUTads -p tcp -m tcp --dport 5223 -j ACCEPT
slNET -m mark --mark $Blocked_mark/0x700 -j DROP
slNET -m state --state INVALID -j DROP
slNET -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
slNET -m mark --mark $Trusted_mark/0x700 -j ACCEPT
slNET -m mark --mark $Paid_mark/0x700 -j slAUT
slNET -m mark --mark $Ads_mark/0x700 -j slAUTads
slNET -p icmp -j REJECT --reject-with icmp-port-unreachable
$hosts_accept
$sslhosts_accept
slNET -j DROP
slRTR -m mark --mark $Blocked_mark/0x700 -j DROP
slRTR -m state --state INVALID -j DROP
slRTR -m state --state RELATED,ESTABLISHED -j ACCEPT
slRTR -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
slRTR -p tcp -m tcp --dport $Perlbal_port -j ACCEPT
slRTR -m mark --mark $Trusted_mark/0x700 -j ACCEPT
slRTR -p udp -m udp -s 10.69.0.1/16 --dport 53 -j ACCEPT
slRTR -p udp -m udp -s 10.69.0.1/16 --dport 67 -j ACCEPT
slRTR -p udp -m udp -s 10.69.0.1/16 --dport 68 -j ACCEPT
slRTR -p tcp -m tcp -s 10.69.0.1/16 --dport 20022 -j ACCEPT
slRTR -p icmp -s 10.69.0.1/16 -j ACCEPT
FILTERS
add_rules( 'filter', $filters );
#############################
# default mangle chains
my $mangles = <<"MANGLES";
PREROUTING -i $Lan_if -j slOUT
PREROUTING -i $Lan_if -j slBLK
PREROUTING -i $Lan_if -j slTRU
POSTROUTING -o $Lan_if -j slINC
MANGLES
add_rules( 'mangle', $mangles );